-rw-r--r--daemons/ipa-kdb/ipa_kdb.h2
-rw-r--r--daemons/ipa-kdb/ipa_kdb_common.c27
-rw-r--r--daemons/ipa-kdb/ipa_kdb_passwords.c5
-rw-r--r--daemons/ipa-kdb/ipa_kdb_principals.c26
-rw-r--r--util/ipa_pwd.h3
5 files changed, 50 insertions, 13 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 0a179dbcf..beff8b208 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -140,6 +140,8 @@ int ipadb_ldap_attr_to_bool(LDAP *lcontext, LDAPMessage *le,
char *attrname, bool *result);
int ipadb_ldap_attr_to_time_t(LDAP *lcontext, LDAPMessage *le,
char *attrname, time_t *result);
+int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
+ char *attrname, krb5_timestamp *result);
int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
char *attrname, char *value);
diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c
index 71df9634c..18e159090 100644
--- a/daemons/ipa-kdb/ipa_kdb_common.c
+++ b/daemons/ipa-kdb/ipa_kdb_common.c
@@ -480,6 +480,33 @@ int ipadb_ldap_attr_to_time_t(LDAP *lcontext, LDAPMessage *le,
return ret;
}
+int ipadb_ldap_attr_to_krb5_timestamp(LDAP *lcontext, LDAPMessage *le,
+ char *attrname, krb5_timestamp *result)
+{
+ time_t res_time;
+ long long res_long;
+
+ int ret = ipadb_ldap_attr_to_time_t(lcontext, le,
+ attrname, &res_time);
+ if (ret) return ret;
+
+ /* this will cast correctly maintaing sign to a 64bit variable */
+ res_long = res_time;
+
+ /* For dates beyond IPAPWD_END_OF_TIME, rest_time might oveflow
+ * on 32-bit platforms. This does not apply for 64-bit platforms.
+ * However, since krb5 uses 32-bit time representation, we need
+ * to limit the result.*/
+
+ if (res_long < 0 || res_long > IPAPWD_END_OF_TIME) {
+ *result = IPAPWD_END_OF_TIME; // 1 Jan 2038, 00:00 GMT
+ } else {
+ *result = (krb5_timestamp)res_long;
+ }
+
+ return 0;
+}
+
int ipadb_ldap_attr_has_value(LDAP *lcontext, LDAPMessage *le,
char *attrname, char *value)
{
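Review bot: The negative-value branch at `if (res_long < 0 || res_long > IPAPWD_END_OF_TIME)` maps every negative time to 1 Jan 2038, which is the intended recovery for a 32-bit time_t that wrapped past 2038, but on hosts with a 64-bit time_t it turns a genuine pre-epoch value into a far-future one — for krbPrincipalExpiration and krbPasswordExpiration that is the permissive direction. If pre-1970 values are not expected from the LDAP decoder, say so where the check is made, e.g. `/* a negative value is taken to be a 32-bit wrap of a post-2038 date; genuine pre-epoch times are not expected here */`, otherwise handle the negative case separately from the upper clamp. The two existing comments also carry typos: "maintaing" → "maintaining", "rest_time" → "res_time", "oveflow" → "overflow".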
diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c
index b6520ea75..974ae8fc8 100644
--- a/daemons/ipa-kdb/ipa_kdb_passwords.c
+++ b/daemons/ipa-kdb/ipa_kdb_passwords.c
@@ -246,6 +246,11 @@ krb5_error_code ipadb_get_pwd_expiration(krb5_context context,
*expire_time = mod_time;
}
+ /* in the case of integer owerflow, set expiration to IPAPWD_END_OF_TIME */
+ if ((*expire_time) < 0 || (*expire_time) > IPAPWD_END_OF_TIME) {
+ *expire_time = IPAPWD_END_OF_TIME; // 1 Jan 2038, 00:00 GMT
+ }
+
kerr = 0;
done:
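Review bot: The clamp added before `kerr = 0` duplicates the range check this commit adds in ipa_kdb_common.c's ipadb_ldap_attr_to_krb5_timestamp, including the `// 1 Jan 2038, 00:00 GMT` explanation that now also sits next to the macro in util/ipa_pwd.h; a small shared helper (or at least one shared wording) would keep the two checks from drifting apart. ipadb_get_pwd_expiration begins outside the hunk, so it cannot be confirmed from this view whether every assignment to `*expire_time` reaches this clamp or whether earlier paths jump to `done` with an unclamped value — worth checking. The comment has a typo: `owerflow` → `overflow`.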
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 621558162..bb2074bf9 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -237,7 +237,7 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
krb5_kvno mkvno = 0;
char **restrlist;
char *restring;
- time_t restime;
+ krb5_timestamp restime;
bool resbool;
int result;
int ret;
@@ -286,8 +286,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
*polmask |= MAXRENEWABLEAGE_BIT;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbPrincipalexpiration", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbPrincipalexpiration", &restime);
switch (ret) {
case 0:
entry->expiration = restime;
@@ -298,8 +298,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbPasswordExpiration", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbPasswordExpiration", &restime);
switch (ret) {
case 0:
entry->pw_expiration = restime;
@@ -310,8 +310,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastSuccessfulAuth", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastSuccessfulAuth", &restime);
switch (ret) {
case 0:
entry->last_success = restime;
@@ -322,8 +322,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
goto done;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastFailedAuth", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastFailedAuth", &restime);
switch (ret) {
case 0:
entry->last_failed = restime;
@@ -471,8 +471,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->pw_history = restrlist;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastPwdChange", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastPwdChange", &restime);
if (ret == 0) {
krb5_int32 time32le = htole32((krb5_int32)restime);
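Review bot: With `restime` now a `krb5_timestamp`, the `(krb5_int32)` cast in `krb5_int32 time32le = htole32((krb5_int32)restime);` is a no-op if krb5_timestamp is krb5_int32 as in the MIT krb5 headers, and the same applies to the identical line in the next hunk (krbLastAdminUnlock); dropping it, `krb5_int32 time32le = htole32(restime);`, makes clear the value is already bounded by the helper rather than truncated here. Before this change the cast silently truncated a 64-bit time_t, whereas the clamp in ipadb_ldap_attr_to_krb5_timestamp now makes the narrowing lossless, which deserves a short comment because the two lines still read like the old truncating code. ipadb_parse_ldap_entry begins and ends outside this hunk.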
@@ -487,8 +487,8 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
ied->last_pwd_change = restime;
}
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
- "krbLastAdminUnlock", &restime);
+ ret = ipadb_ldap_attr_to_krb5_timestamp(lcontext, lentry,
+ "krbLastAdminUnlock", &restime);
if (ret == 0) {
krb5_int32 time32le = htole32((krb5_int32)restime);
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 00de889ff..a6990cac6 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,9 @@
#define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
#define IPAPWD_DEFAULT_MINLEN 0
+/* 1 Jan 2038, 00:00 GMT */
+#define IPAPWD_END_OF_TIME 2145916800
+
/*
* IMPORTANT: please update error string table in ipa_pwd.c if you change this
* error code table.