From eb228eca766910f6f005d7d6701ae33845d02541 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 16 May 2023 17:07:07 +1200
Subject: [PATCH 1/3] hdb: Make maximum ticket lifetime and renew time signed integers

This allows for negative lifetimes to be encoded, and fits in better with our use elsewhere of time_t, which in POSIX is a signed integer type.

Signed-off-by: Joseph Sutton
---
 lib/hdb/hdb.asn1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/hdb/hdb.asn1 b/lib/hdb/hdb.asn1
index abc75f742c..fcc836c1b4 100644
--- a/lib/hdb/hdb.asn1
+++ b/lib/hdb/hdb.asn1
@@ -232,8 +232,8 @@ HDB_entry ::= SEQUENCE {
 valid-start[5] KerberosTime OPTIONAL,
 valid-end[6] KerberosTime OPTIONAL,
 pw-end[7] KerberosTime OPTIONAL,
- max-life[8] INTEGER (0..4294967295) OPTIONAL,
- max-renew[9] INTEGER (0..4294967295) OPTIONAL,
+ max-life[8] INTEGER (-2147483648..2147483647) OPTIONAL,
+ max-renew[9] INTEGER (-2147483648..2147483647) OPTIONAL,
 flags[10] HDBFlags,
 etypes[11] HDB-EncTypeList OPTIONAL,
 generation[12] GENERATION OPTIONAL,

From 157dd63be5b7c254c7382e231fff011c8fd94395 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Tue, 16 May 2023 17:10:09 +1200
Subject: [PATCH 2/3] kdc: Always apply maximum ticket lifetime and renew time when non-NULL

This allows a lifetime of zero to work.

Signed-off-by: Joseph Sutton
---
 kdc/kerberos5.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index a11823c217..cccd1d85f0 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
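Review bot: The new range drops the upper half of the old `(0..4294967295)` encoding, so any existing HDB entry whose max-life[8] or max-renew[9] was stored above 2147483647 no longer satisfies the constraint once the generated decoder is rebuilt; the commit message does not say whether such values exist in deployed databases or how they would be migrated. Presumably the asn1 compiler now emits a signed C type for these two fields, which is what makes the later time_t arithmetic in kdc/kerberos5.c well-defined, but that consequence should be stated in the message. Since negative values are now encodable, the schema should also say what a present value means, e.g. a trailing `-- seconds; absent means no limit, a present value (including 0 or a negative) is enforced as-is` on each of the two changed lines.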
@@ -2512,11 +2512,11 @@ _kdc_as_rep(astgs_request_t r)
 */
 if (r->pa_max_life > 0)
 t = rk_time_add(start, min(rk_time_sub(t, start), r->pa_max_life));
- else if (r->client->max_life && *r->client->max_life)
+ else if (r->client->max_life)
 t = rk_time_add(start, min(rk_time_sub(t, start), *r->client->max_life));
- if (r->server->max_life && *r->server->max_life)
+ if (r->server->max_life)
 t = rk_time_add(start, min(rk_time_sub(t, start), *r->server->max_life));
@@ -2540,10 +2540,10 @@ _kdc_as_rep(astgs_request_t r)
 t = *b->rtime;
 if(t == 0)
 t = MAX_TIME;
- if(r->client->max_renew && *r->client->max_renew)
+ if(r->client->max_renew)
 t = rk_time_add(start, min(rk_time_sub(t, start), *r->client->max_renew));
- if(r->server->max_renew && *r->server->max_renew)
+ if(r->server->max_renew)
 t = rk_time_add(start, min(rk_time_sub(t, start), *r->server->max_renew));
 #if 0

From a593248e9e9ff7920439100e0133fb3f49bec5eb Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 14 Apr 2023 11:47:08 +1200
Subject: [PATCH 3/3] kdc: Return NEVER_VALID error code if ticket will never be valid

This matches the error generated by Windows.

Signed-off-by: Joseph Sutton
---
 kdc/kerberos5.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index cccd1d85f0..d8c56bfb26 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2527,6 +2527,13 @@ _kdc_as_rep(astgs_request_t r)
 t = min(t, rk_time_add(start, realm->max_life));
 #endif
 r->et.endtime = t;
+
+ if (start > r->et.endtime) {
+ _kdc_set_e_text(r, "Requested effective lifetime is negative or too short");
+ ret = KRB5KDC_ERR_NEVER_VALID;
+ goto out;
+ }
+
 if(f.renewable_ok && r->et.endtime < *b->till){
 f.renewable = 1;
 if(b->rtime == NULL){
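Review bot: Dropping the `*r->client->max_life` and `*r->server->max_life` tests changes the meaning of a present-but-zero value from "unset" to "zero-second lifetime", so any HDB backend or existing record that stores 0 to mean unlimited will now produce tickets whose endtime equals start; the commit message does not say that the backends were audited for this. A comment above the first changed `else if` would make the new contract explicit, e.g. `/* NULL means no limit from this principal; a present value, including 0, is enforced as-is. */`. `r->pa_max_life` keeps `> 0` as its unset test, which is fine for a plain integer but deserves a word in the same comment. _kdc_as_rep continues on both sides of the hunk.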
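Review bot: With the value test gone, a zero `*max_renew`, or a negative one now that PATCH 1/3 widens the range below zero, clamps `t` to `start` or earlier, and the guard added in PATCH 3/3 checks only `r->et.endtime`, so the renew-till value computed here can end up at or before the ticket's start while the renewable path is still taken; the code that stores `t` into the reply lies after the hunk, so that last part is inferred. The renew path needs its own check after the server clamp, either the same NEVER_VALID rejection as for endtime or a `if (t <= r->et.endtime) { /* renewal would not extend the ticket: do not mark it renewable */ }` branch with the renewable handling adjusted to match. Whichever is chosen, the choice should be documented next to the `if(t == 0)` / `MAX_TIME` default so the "absent means unlimited" and "zero means zero" cases are not confused again.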
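Review bot: The guard uses `start > r->et.endtime`, so a ticket whose endtime equals start (a lifetime of exactly zero, which PATCH 2/3 now permits) is still issued; if that is intended the comparison deserves a comment such as `/* A zero-length ticket is allowed; only an end before its start is rejected. */`, otherwise `>=` is needed, and the commit message cites Windows without saying how it treats an exactly-zero lifetime. The `ret` variable and the `out` label are outside the hunk, so the cleanup path this `goto` takes could not be verified here. The same clamping sequence presumably exists on the TGS side; if so it needs the same rejection, or a service ticket with a negative effective lifetime can still be produced there.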