From: Greg Hudson Date: Tue, 17 Mar 2015 18:07:38 +0000 (-0400) Subject: Fix renewable ticket lifetimes X-Git-Tag: krb5-1.14-alpha1~149 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d9de684ea933c4887a7aebabc71287cbf5a3f3c;p=thirdparty%2Fkrb5.git Fix renewable ticket lifetimes Commit b0661f9176f5eb2644ba459e1b1e87d3dd502174 removed the starttime hack in the EncTicketPart decoder. Take this into account when computing the old lifetime of a ticket we are renewing. Without this fix, we compute an old lifetime equal to the ticket end time, add that to the current KDC time, and issue a ticket with a negative end time due to wraparound. Add a simple test to t_renew.py to detect this by making sure that a renewed ticket is usable. This bug appeared only on master and not as part of any release, so there is no associated ticket. --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index a40654f35c..fa88623ec4 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -461,6 +461,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } if (isflagset(request->kdc_options, KDC_OPT_RENEW)) { + krb5_timestamp old_starttime; krb5_deltat old_life; assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0); @@ -470,7 +471,9 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, enc_tkt_reply = *(header_ticket->enc_part2); enc_tkt_reply.authorization_data = NULL; - old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime; + old_starttime = enc_tkt_reply.times.starttime ? + enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime; + old_life = enc_tkt_reply.times.endtime - old_starttime; enc_tkt_reply.times.starttime = kdc_time; enc_tkt_reply.times.endtime = diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py index cb32d1a7b7..a5f0d4bc14 100644 --- a/src/tests/t_renew.py +++ b/src/tests/t_renew.py @@ -27,6 +27,9 @@ realm.kinit(realm.user_princ, flags=['-R']) realm.kinit(realm.user_princ, flags=['-R']) realm.klist(realm.user_princ) +# Make sure we can use a renewed ticket. +realm.run([kvno, realm.user_princ]) + # Make sure we can't renew non-renewable tickets. test('non-renewable', '1h', '1h', False) out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1)