authorTomas Babej <tbabej@redhat.com>2013-01-14 10:19:44 -0500
committerMartin Kosek <mkosek@redhat.com>2013-02-08 15:54:21 +0100
commit0e8a329048629f639ae64ff32e01e12a495e7763 (patch)
tree0ad4e0cba576a25639785809bf9f30776adde1d7 /daemons/ipa-kdb/ipa_kdb_principals.c
parent1d35043e466dfca22cdaf463b6623c10a9ff2d39 (diff)
Prevent integer overflow when setting krbPasswordExpiration
Since Kerberos V5 uses 32-bit unix timestamps, setting maxlife in pwpolicy to values such as 9999 days would cause an integer overflow in the krbPasswordExpiration attribute. This would result in unpredictable behaviour, such as users not being able to log in after password expiration if the password policy was changed (#3114) or new users not being able to log in at all (#3312). The timestamp value is truncated to Jan 1, 2038 in the ipa-kdc driver. https://fedorahosted.org/freeipa/ticket/3312 https://fedorahosted.org/freeipa/ticket/3114
Diffstat (limited to 'daemons/ipa-kdb/ipa_kdb_principals.c')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 621558162..bb2074bf9 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -237,7 +237,7 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
krb5_kvno mkvno = 0;
char **restrlist;
char *restring;
- time_t restime;
+ krb5_timestamp restime;
bool resbool;
int result;
int ret;
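Review bot: The new `krb5_timestamp restime;` declaration carries no hint of why it is not a `time_t` any more, and the reason (the 32-bit width that the rest of this commit works around) is exactly what a future maintainer is likely to "fix" back. A short comment on the declaration would pin it: `krb5_timestamp restime; /* 32-bit on purpose: LDAP values past 2038 are clamped by the helper */`. The enclosing ipadb_parse_ldap_entry body continues well past this hunk.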
@@ -286,8 +286,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
*polmask |= MAXRENEWABLEAGE_BIT;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbPrincipalexpiration", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbPrincipalexpiration", &restime);
switch (ret) {
case 0:
entry->expiration = restime;
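Review bot: The clamp to the 32-bit limit that the commit message describes is not visible at this call site; presumably it happens inside ipadb_ldap_attr_to_krb5_timestamp, which is outside this diff. Because a clamped krbPrincipalexpiration silently shortens an account's lifetime relative to what is stored in LDAP, the helper should log (debug level is enough) when it truncates, so an operator can tell a clamped value from a stored one when diagnosing a login failure. The same call shape, with the same consideration, recurs in the hunks for krbPasswordExpiration, krbLastSuccessfulAuth and krbLastFailedAuth. The switch that consumes `ret` continues past the end of this hunk.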
@@ -298,8 +298,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbPasswordExpiration", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbPasswordExpiration", &restime);
switch (ret) {
case 0:
entry->pw_expiration = restime;
@@ -310,8 +310,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastSuccessfulAuth", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastSuccessfulAuth", &restime);
switch (ret) {
case 0:
entry->last_success = restime;
@@ -322,8 +322,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastFailedAuth", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastFailedAuth", &restime);
switch (ret) {
case 0:
entry->last_failed = restime;
@@ -471,8 +471,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->pw_history = restrlist;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastPwdChange", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastPwdChange", &restime);
if (ret == 0) {
krb5_int32 time32le = htole32((krb5_int32)restime);
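Review bot: With `restime` now a `krb5_timestamp`, the `(krb5_int32)` cast in `krb5_int32 time32le = htole32((krb5_int32)restime);` is a no-op if krb5_timestamp is a typedef of krb5_int32, as it is in MIT krb5, and keeping it suggests a narrowing that no longer happens. If that typedef holds here, the line can read `krb5_int32 time32le = htole32(restime);`. The krbLastAdminUnlock hunk that follows has the same cast. The `if (ret == 0)` block this line belongs to ends outside the hunk.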
@@ -487,8 +487,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->last_pwd_change = restime;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastAdminUnlock", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastAdminUnlock", &restime);
if (ret == 0) {
krb5_int32 time32le = htole32((krb5_int32)restime);