[OpenAFS] klog.krb creates invalid K4 ticket files on x86_64 Linuxes

Rainer Toebbicke rtb@pclella.cern.ch
Thu, 09 Aug 2007 11:46:32 +0200



At the danger of being considered back-level:

on x86_64 the klog.krb program (and in fact the whole libauth library) 
creates "invalid" Kerberos 4 ticket files.

[the word "invalid" may be contentious - some consider krb4 support in 
MIT kerberos 5 buggy... nevertheless:]

AFS defines the "issue-date" in the ticket file, like the token 
"startTime", to be an afs_int32, whereas krb4 in MIT Kerberos 5 
considers it a "long". Problems hence arise on platforms where long and 
afs_int32 differ in size - krb4-aware applications such as cvs fail 
because of invalid tickets.

This is of course an issue only for very conservative installations - 
replacing klog.krb by Heimdal kinit or a MIT-kinit+aklog+krb524init 
script is a reasonable bypass.

Could something break? KTH Kerberos and hence Heimdal with Krb4 used 
to consider this field a hard 32 bit as well, Debian sarge users 
*could* run into problems but AFAIK there is no sarge for amd64 and 
anyway they would use "kinit" and not klog.krb.

Patch attached and Bcc'ed to openafs-bugs.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985       Fax: +41 22 767 7155


--- openafs/src/kauth/krb_tf.c.o144	2003-07-16 01:15:17.000000000 +0200
+++ openafs/src/kauth/krb_tf.c	2007-08-03 11:42:44.000000000 +0200
@@ -84,6 +84,7 @@
     char *tf_name;
     struct ktc_principal client, server;
     struct ktc_token token;
+    long mit_compat;	/* MIT Kerberos 5 with Krb4 uses a "long" for issue_date */
 
     if ((strlen(realm) >= sizeof(client.cell)))
 	return KABADNAME;
@@ -149,8 +150,9 @@
     if (write(fd, (char *)(token.ticket), count) != count)
 	goto bad;
     /* Issue date */
-    if (write(fd, (char *)&token.startTime, sizeof(afs_int32))
-	!= sizeof(afs_int32))
+    mit_compat = token.startTime;
+    if (write(fd, (char *)&mit_compat, sizeof(mit_compat))
+	!= sizeof(mit_compat))
 	goto bad;
     close(fd);
     return 0;
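Review bot: The issue date is now written in the host's native `long` width, so the ticket-file layout depends on the ABI of the binary that wrote it, and a 32-bit and a 64-bit build sharing one ticket file would disagree about the record size. The commit message presents this as a deliberate trade-off, but the `/* Issue date */` comment at the write should record it, for example `/* Issue date: written as a native long to match MIT krb4 ticket files; width differs between ILP32 and LP64 */`. The same comment belongs on the matching write of `atoken->startTime` in the last hunk of src/auth/ktc.c. The enclosing function starts outside this hunk.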
--- openafs/src/auth/ktc.c.o144	2007-08-03 14:22:59.000000000 +0200
+++ openafs/src/auth/ktc.c	2007-08-03 14:27:54.000000000 +0200
@@ -1163,6 +1163,7 @@
 {
     int k_errno;
     int kvno, lifetime;
+    long mit_compat;		/* MIT Kerberos 5 with Krb4 uses a "long" for issue_date */
 
     if (fd < 0) {
 	return TKT_FIL_INI;
@@ -1199,10 +1200,10 @@
 	/* don't try to read a silly amount into ticket->dat */
 	token->ticketLen > MAXKTCTICKETLEN
 	|| tf_read((char *)(token->ticket), token->ticketLen) < 1
-	|| tf_read((char *)&(token->startTime),
-		   sizeof(token->startTime)) < 1) {
+	|| tf_read((char *)&mit_compat, sizeof(mit_compat)) < 1) {
 	return TKT_FIL_FMT;
     }
+    token->startTime = mit_compat;
     token->endTime = life_to_time(token->startTime, lifetime);
     token->kvno = kvno;
     return 0;
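Review bot: The value read into `mit_compat` is narrowed to the 32-bit `token->startTime` without a range check, and `endTime` is then derived from the truncated result. Because the field comes from a file on disk, I would reject values that do not survive the narrowing before the assignment, e.g. `if ((long)(afs_int32)mit_compat != mit_compat) return TKT_FIL_FMT;`. On LP64 the read also now consumes `sizeof(long)` bytes, so a ticket file written by an older libauth with a 4-byte issue date will no longer parse the same way. tf_read is not shown here; if it can return a short count, the `< 1` test would leave part of `mit_compat` unset, so initialising it in the declaration hunk (`long mit_compat = 0;`) would be prudent. The function's signature and closing brace are outside this hunk.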
@@ -1330,6 +1331,7 @@
     off_t start;
     int lifetime, kvno;
     int count;			/* count for write */
+    long mit_compat;		/* MIT Kerberos 5 with Krb4 uses a "long" for issue_date */
 
     if (fd < 0) {		/* fd is ticket file as set by afs_tf_init */
 	return TKT_FIL_INI;
@@ -1399,8 +1401,9 @@
     if (write(fd, atoken->ticket, count) != count)
 	goto bad;
     /* Issue date */
-    if (write(fd, (char *)&atoken->startTime, sizeof(afs_int32))
-	!= sizeof(afs_int32))
+    mit_compat = atoken->startTime;
+    if (write(fd, (char *)&mit_compat, sizeof(mit_compat))
+	!= sizeof(mit_compat))
 	goto bad;
 
     /* Actually, we should check each write for success */
