krb5 commit: Fix PAC handling of authtimes after y2038
Greg Hudson
ghudson at mit.edu
Sun Dec 5 18:46:07 EST 2021
https://github.com/krb5/krb5/commit/149df661ad76ea4b5fff0de28e77a767f9355fdc
commit 149df661ad76ea4b5fff0de28e77a767f9355fdc
Author: Greg Hudson <ghudson at mit.edu>
Date: Wed Dec 1 19:35:32 2021 -0500
Fix PAC handling of authtimes after y2038
Remove the unnecessary handling of negative inputs in
k5_time_to_seconds_since_1970() and k5_seconds_since_1970_to_time(),
and cast the krb5_timestamp input to uint32_t to properly handle
values after y2038.
ticket: 9039 (new)
src/lib/krb5/krb/pac.c | 20 +++++---------------
1 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 46705d2..5118bf7 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -370,32 +370,22 @@ krb5_pac_parse(krb5_context context,
}
static krb5_error_code
-k5_time_to_seconds_since_1970(int64_t ntTime, krb5_timestamp *elapsedSeconds)
+k5_time_to_seconds_since_1970(uint64_t ntTime, krb5_timestamp *elapsedSeconds)
{
- uint64_t abstime;
-
- ntTime /= 10000000;
-
- abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime;
+ uint64_t abstime = ntTime / 10000000 - NT_TIME_EPOCH;
if (abstime > UINT32_MAX)
return ERANGE;
-
*elapsedSeconds = abstime;
-
return 0;
}
krb5_error_code
k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds, uint64_t *ntTime)
{
- *ntTime = elapsedSeconds;
-
- if (elapsedSeconds > 0)
- *ntTime += NT_TIME_EPOCH;
-
+ *ntTime = (uint32_t)elapsedSeconds;
+ *ntTime += NT_TIME_EPOCH;
*ntTime *= 10000000;
-
return 0;
}
@@ -411,7 +401,7 @@ krb5_pac_get_client_info(krb5_context context,
unsigned char *p;
krb5_timestamp pac_authtime;
krb5_ui_2 pac_princname_length;
- int64_t pac_nt_authtime;
+ uint64_t pac_nt_authtime;
if (authtime_out != NULL)
*authtime_out = 0;
More information about the cvs-krb5
mailing list