Hi,

Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114

Tomas
>From 58e10e269b2cf1b789094d09207844cbc4f56f99 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 14 Jan 2013 10:19:44 -0500
Subject: [PATCH] Prevent integer overflow when setting krbPasswordExpiration

Since in Kerberos V5 are used 32-bit unix timestamps, setting
maxlife in pwpolicy to values such as 9999 days would cause
integer overflow in krbPasswordExpiration attribute.

This would result into unpredictable behaviour such as users
not being able to log in after password expiration if password
policy was changed (#3114) or new users not being able to log
in at all (#3312).

https://fedorahosted.org/freeipa/ticket/3312
https://fedorahosted.org/freeipa/ticket/3114
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c  |  7 +++++++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c | 15 +++++++++++++++
 util/ipa_pwd.h                                           |  3 +++
 3 files changed, 25 insertions(+)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index bb1d96ade8c22bf60138a78957e409cf1b0de055..be9533d1d328000b96605a980078525a99fe950a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -847,6 +847,13 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 			slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "krbLastPwdChange", timestr);
 
+                       /* in the case of integer owerflow,
+                        * set expiration to IPAPWD_END_OF_TIME */
+                       if ((data->expireTime+86400) < data->timeNow) {
+                           // 1 Jan 2038, 00:00 GMT
+                           data->expireTime = IPAPWD_END_OF_TIME;
+                        }
+
 			/* set Password Expiration date */
 			if (!gmtime_r(&(data->expireTime), &utctime)) {
 				LOG_FATAL("failed to convert expiration date\n");
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 3b512a4744d3edddc52e224c11aaa93388d06b75..0bdada21456381f3f7681469d89755e85aa6d035 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -1085,6 +1085,21 @@ static int ipapwd_post_op(Slapi_PBlock *pb)
         slapi_value_free(&ipahost);
     }
 
+    /* in the case of integer owerflow, set expiration to IPAPWD_END_OF_TIME */
+    if ((pwdop->pwdata.expireTime+86400) < pwdop->pwdata.timeNow) {
+        pwdop->pwdata.expireTime = IPAPWD_END_OF_TIME; // 1 Jan 2038, 00:00 GMT
+
+        if (!gmtime_r(&(pwdop->pwdata.expireTime), &utctime)) {
+            LOG_FATAL("failed to parse expiration date (buggy gmtime_r ?)\n");
+            goto done;
+        }
+
+        strftime(timestr, GENERALIZED_TIME_LENGTH+1, "%Y%m%d%H%M%SZ", &utctime);
+
+        slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+                              "krbPasswordExpiration", timestr);
+    }
+
     ret = ipapwd_apply_mods(pwdop->pwdata.dn, smods);
     if (ret)
         LOG("Failed to set additional password attributes in the post-op!\n");
diff --git a/util/ipa_pwd.h b/util/ipa_pwd.h
index 00de889ff53cdc113a6c926e35c87e7b08238e4a..a6990cac6333bf2582fb071a507001b10145df6d 100644
--- a/util/ipa_pwd.h
+++ b/util/ipa_pwd.h
@@ -27,6 +27,9 @@
 #define IPAPWD_DEFAULT_PWDLIFE (90 * 24 *3600)
 #define IPAPWD_DEFAULT_MINLEN 0
 
+/* 1 Jan 2038, 00:00 GMT */
+#define IPAPWD_END_OF_TIME 2145916800
+
 /*
  * IMPORTANT: please update error string table in ipa_pwd.c if you change this
  * error code table.
-- 
1.8.0.1


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to