Hi everyone,

I'm playing around with afs libs (v 1.4.11) and I noticed a strange
behavior when trying to forge a token from scratch.

My program is as simple as:

* Call tkt_MakeTicket
* Call tkt_DecodeTicket on this very token

The ticket I forged is valid and correct, it works perfectly, except
for the timestamps...

I tried to forge a token with a lifetime of 500 seconds.
Both startTime and endTime are of type Date (afs_uint32)

# Time code manipulation is below:
Date startTime, endTime;
startTime = time(NULL);
endTime = startTime + 500;

I added some debug messages in rxkad/ticket.c to trace timestamps
encoded in the token.

Here is my output:

[libAFS::tkt_MakeTicket] start: 1282823804
[libAFS::tkt_MakeTicket] end: 1282824304 (OK, 500 seconds)

[libAFS::assemble_athena_ticket] start: 1282823804
[libAFS::assemble_athena_ticket] end: 1282824304 (OK, 500 seconds)

// Decode token
[libAFS::decode_athena_ticket] start: 1282823804
[libAFS::decode_athena_ticket] end: 1282824404 (NOT OK, 600 seconds)
[libAFS::tkt_DecodeTicket] start: 1282823804
[libAFS::tkt_DecodeTicket] end: 1282824404 (NOT OK, 600 seconds)

Encrypted info::
        name: admin
        instance:
        cell: test.fr
        host: 0
        startTime: 1282823804
        endTime: 1282824404

Lifetime encrypted: 600 sec
Lifetime clear: 500 sec

As you can see, endTime retrieved with tkt_DecodeTicket (which calls
decode_athena_ticket) is incorrect.

An Athena ticket only stores the token startTime and lifetime, and endTime
is deduced from those two values.


I don't really know what's happening here, but if I try to forge a
token with a very large lifetime (86400 seconds for instance), i.e.

endTime = startTime + 86400


[libAFS::tkt_MakeTicket] start: 1282824973
[libAFS::tkt_MakeTicket] end: 1282911373
[libAFS::assemble_athena_ticket] start: 1282824973
[libAFS::assemble_athena_ticket] end: 1282911373

[libAFS::decode_athena_ticket] start: 1282824973
[libAFS::decode_athena_ticket] end: 1282916554
[libAFS::tkt_DecodeTicket] start: 1282824973
[libAFS::tkt_DecodeTicket] end: 1282916554

Encrypted info::
        name: admin
        instance:
        cell: test.fr
        host: 0
        startTime: 1282824973
        endTime: 1282916554

Lifetime encrypted: 91581 sec
Lifetime clear: 86400 sec

The gap between real lifetime (clear one before token is dropped from
token cache) and encrypted lifetime increases.


This is very very strange and I'm totally lost here...

Note: When running tkt_DecodeTicket on a token obtained from "klog",
encrypted and clear lifetime match.

Has anyone already had this problem?
Where am I wrong?

If you need my code, I can send it to you, just ask :)

Thanks in advance.

R.

-- 

Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
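
The lifetime rounding seen in the output above, as an added example that is not part of the original message and is not OpenAFS code: a self-contained model of the Kerberos 4 style one-byte lifetime field, where short lifetimes are rounded up to 5-minute units and longer ones to the next entry of a fixed table. The function names are hypothetical and the table is reproduced as an assumption; check both against rxkad/ticket.c.

```c
#include <stdio.h>
#include <stdint.h>
#define UNIT      (5 * 60)          /* short lifetimes count 5-minute units */
#define MIN_FIXED 0x80              /* byte values from here index the table */
#define NUM_FIXED 64
#define MAX_LIFE  (30 * 24 * 3600)  /* 30 days */

/* Kerberos 4 extended lifetimes in seconds. Reproduced as an assumption:
 * compare with the table in rxkad/ticket.c before relying on any entry. */
static const int32_t life_table[NUM_FIXED] = {
    38400, 41055, 43894, 46929, 50174, 53643, 57352, 61318,
    65558, 70091, 74937, 80119, 85658, 91581, 97914, 104684,
    111922, 119661, 127935, 136781, 146239, 156350, 167161, 178720,
    191077, 204289, 218415, 233517, 249664, 266926, 285383, 305116,
    326213, 348769, 372885, 398668, 426234, 455705, 487215, 520904,
    556921, 595430, 636601, 680618, 727680, 777995, 831789, 889303,
    950794, 1016537, 1086825, 1161973, 1242318, 1328218, 1420057, 1518247,
    1623226, 1735464, 1855462, 1983758, 2120925, 2267576, 2424367, 2592000
};

/* Hypothetical model of the encoder: requested lifetime -> one byte. */
unsigned char model_time_to_life(uint32_t start, uint32_t end)
{
    int64_t life = (int64_t)end - (int64_t)start;
    if (life <= 0 || life > MAX_LIFE) return 0;
    if (life < life_table[0])
        return (unsigned char)((life + UNIT - 1) / UNIT);  /* round up */
    for (int i = 0; i < NUM_FIXED; i++)
        if (life_table[i] >= life)
            return (unsigned char)(MIN_FIXED + i);  /* next entry up */
    return 0;
}

/* Hypothetical model of the decoder: end = start + decoded lifetime.
 * The "never expires" byte value is not modelled. */
uint32_t model_life_to_time(uint32_t start, unsigned char life)
{
    if (life < MIN_FIXED) return start + (uint32_t)life * UNIT;
    if (life >= MIN_FIXED + NUM_FIXED) return start + MAX_LIFE;
    return start + (uint32_t)life_table[life - MIN_FIXED];
}

int main(void)
{
    uint32_t start = 1282824973u;  /* start time of the second run in the post */
    unsigned char b = model_time_to_life(start, start + 86400u);
    printf("86400 s -> byte 0x%02X -> decoded end %u\n", (unsigned)b,
           (unsigned)model_life_to_time(start, b));
    return 0;
}
```

With the start times from the post, the model decodes a 500-second request to 600 seconds and an 86400-second request to 91581 seconds, the same values the debug output shows.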
