From: Tom Yu Date: Sat, 7 Oct 2000 02:25:24 +0000 (+0000) Subject: * conv_creds.c (krb524_convert_creds_plain): Use time_to_life() X-Git-Tag: krb5-1.3-alpha1~1852 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=eecc72999417642f6654222a49ddc9f3d1bbf13b;p=krb5.git * conv_creds.c (krb524_convert_creds_plain): Use time_to_life() and life_to_time() to do lifetime calculations, including the adjustment of start time, to match server-side calculations. * cnv_tkt_skey.c (krb524_convert_tkt_skey): Use time_to_life() and life_to_time() to do lifetime calculations. Adjust start time backwards to deal with roundup so ticket expires at correct time. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12728 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog index d8a7a6ab3..9ef4dbd1a 100644 --- a/src/krb524/ChangeLog +++ b/src/krb524/ChangeLog @@ -1,3 +1,13 @@ +2000-10-06 Tom Yu + + * conv_creds.c (krb524_convert_creds_plain): Use time_to_life() + and life_to_time() to do lifetime calculations, including the + adjustment of start time, to match server-side calculations. + + * cnv_tkt_skey.c (krb524_convert_tkt_skey): Use time_to_life() and + life_to_time() to do lifetime calculations. Adjust start time + backwards to deal with roundup so ticket expires at correct time. + 2000-10-06 Ezra Peisach * krb524d.c (do_connection): Do not assume that sizeof(int) == 4. diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c index deb2f2e20..01a68e834 100644 --- a/src/krb524/cnv_tkt_skey.c +++ b/src/krb524/cnv_tkt_skey.c @@ -46,28 +46,6 @@ krb524int_krb_cr_tkt_int(KTEXT, unsigned int, char *, char *, char *, long, char *, int, long, char *, char *, C_Block, krb5_keyblock *); -/* rather than copying the cmu code, these values are derived from - a calculation based on the table and comments found there. - the expression (in elisp) is: - (defun cmu-to-secs2 (j) - (if (< j 128) (* j 5 60) - (round (* 38400 (expt 1.06914489 (- j 128)))))) - and is low by one for 16 values but is exact for the others. - */ - -static long cmu_seconds[] = -{ - 38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318, - 65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684, - 111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720, - 191077, 204289, 218415, 233517, 249663, 266926, 285383, 305116, - 326213, 348769, 372885, 398668, 426233, 455705, 487215, 520903, - 556921, 595430, 636600, 680618, 727679, 777995, 831789, 889303, - 950794, 1016536, 1086825, 1161973, 1242317, 1328217, 1420057, 1518246, - 1623225, 1735463, 1855462, 1983757, 2120924, 2267575, 2424366, 2591999, - 0 -}; - /* * Convert a v5 ticket for server to a v4 ticket, using service key * skey for both. @@ -83,7 +61,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; char sname[ANAME_SZ], sinst[INST_SZ]; krb5_enc_tkt_part *v5etkt; - int ret, lifetime, deltatime; + int ret, lifetime, v4endtime; krb5_timestamp server_time; struct sockaddr_in *sinp = (struct sockaddr_in *)saddr; krb5_address kaddr; @@ -116,7 +94,6 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, } /* V4 has no concept of authtime or renew_till, so ignore them */ - /* V4 lifetime is 1 byte, in 5 minute increments */ if (v5etkt->times.starttime == 0) v5etkt->times.starttime = v5etkt->times.authtime; /* rather than apply fit an extended v5 lifetime into a v4 range, @@ -129,17 +106,17 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, v5tkt->enc_part2 = NULL; return ret; } - if ( (server_time+context->clockskew >= v5etkt->times.starttime) - && (server_time-context->clockskew <= v5etkt->times.endtime)) { - deltatime = v5etkt->times.endtime - (server_time-context->clockskew); - lifetime = deltatime / 300; - /* if (lifetime > 255) lifetime = 255; */ - if (lifetime > 127) { - /* use the CMU algorithm instead: */ - long *clist = cmu_seconds; - while(*clist && *clist < deltatime) clist++; - lifetime = 128 + (clist - cmu_seconds); - } + if ((server_time + context->clockskew >= v5etkt->times.starttime) + && (server_time - context->clockskew <= v5etkt->times.endtime)) { + lifetime = krb_time_to_life(server_time, v5etkt->times.endtime); + v4endtime = krb_life_to_time(v5etkt->times.starttime, lifetime); + /* + * Adjust start time backwards if the lifetime value + * returned by krb_time_to_life() maps to a longer lifetime + * than that of the original krb5 ticket. + */ + if (v4endtime > v5etkt->times.endtime) + server_time -= v4endtime - v5etkt->times.endtime; } else { if (krb524_debug) fprintf(stderr, "v5 ticket time out of bounds\n"); diff --git a/src/krb524/conv_creds.c b/src/krb524/conv_creds.c index 68a80200f..2d031ea57 100644 --- a/src/krb524/conv_creds.c +++ b/src/krb524/conv_creds.c @@ -127,7 +127,7 @@ krb524_convert_creds_plain(context, v5creds, v4creds) krb5_ui_4 addr; #endif int ret; - krb5_timestamp lifetime; + krb5_timestamp endtime; memset((char *) v4creds, 0, sizeof(CREDENTIALS)); @@ -150,12 +150,17 @@ krb524_convert_creds_plain(context, v5creds, v4creds) sizeof(C_Block)); /* V4 has no concept of authtime or renew_till, so ignore them */ - /* V4 lifetime is 1 byte, in 5 minute increments */ - lifetime = - ((v5creds->times.endtime - v5creds->times.starttime) / 300); - v4creds->lifetime = - ((lifetime > 0xff) ? 0xff : lifetime); v4creds->issue_date = v5creds->times.starttime; + v4creds->lifetime = krb_time_to_life(v5creds->times.starttime, + v5creds->times.endtime); + endtime = krb_life_to_time(v5creds->times.starttime, + v4creds->lifetime); + /* + * Adjust start time backwards to deal with rounding up in + * krb_time_to_life(), to match code on server side. + */ + if (endtime > v5creds->times.endtime) + v4creds->issue_date -= endtime - v5creds->times.endtime; #if 0 /* XXX perhaps we should use the addr of the client host if */