From 0e8a329048629f639ae64ff32e01e12a495e7763 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Mon, 14 Jan 2013 10:19:44 -0500
Subject: Prevent integer overflow when setting krbPasswordExpiration

Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

The timestamp value is truncated to Jan 1, 2038 in ipa-kdc driver.

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
---
 util/ipa_pwd.h | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'util')

diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 00de889ff..a6990cac6 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,9 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
 
+/* 1 Jan 2038, 00:00 GMT */
+#define IPAPWD_END_OF_TIME 2145916800
+
 /*
  * IMPORTANT: please update error string table in ipa_pwd.c if you change this
  * error code table.
-- 
cgit