Prevent integer overflow when setting krbPasswordExpiration

Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114

1 files changed, 27 insertions, 0 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 71df9634c..18e159090 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -480,6 +480,33 @@ int ipadb_ldap_attr_to_time_t(LDAP *lcontext, LDAPMessage *le,
     return ret;
 }
 
+int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
+                                      char *attrname, krb5_timestamp *result)
+{
+    time_t res_time;
+    long long res_long;
+
+    int ret = ipadb_ldap_attr_to_time_t(lcontext, le,
+                                        attrname, &res_time);
+    if (ret) return ret;
+
+    /* this will cast correctly maintaing sign to a 64bit variable */
+    res_long = res_time;
+
+    /* For dates beyond IPAPWD_END_OF_TIME, rest_time might oveflow
+     * on 32-bit platforms. This does not apply for 64-bit platforms.
+     * However, since krb5 uses 32-bit time representation, we need
+     * to limit the result.*/
+
+    if (res_long < 0 || res_long > IPAPWD_END_OF_TIME)  {
+        *result = IPAPWD_END_OF_TIME; // 1 Jan 2038, 00:00 GMT
+    } else {
+        *result = (krb5_timestamp)res_long;
+    }
+
+    return 0;
+}
+
 int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
                               char *attrname, char *value)
 {