[OpenAFS] Re: Strange behavior of tkt_MakeTicket / tkt_DecodeTicket

Remi Ferrand remi.ferrand@cc.in2p3.fr
Thu, 26 Aug 2010 14:59:17 +0200



Sorry for the spam fellows ...

I now understand how lifetime is retrieved using rxkad/lifetimes.h content.

I didn't take a look at life_to_time and time_to_life, for I was thinking
it was an obvious subtraction... sorry.

Have a nice day :)

R.

On 26/08/2010 14:20, Remi Ferrand wrote:
> Hey everyone,
>
> I'm playing around with afs libs (v 1.4.11) and I noticed a strange
> behavior when trying to forge token from scratch.
>
> My program is as simple as:
>
> * Call tkt_MakeTicket
> * Call tkt_DecodeTicket on this very token
>
> The ticket I forged is valid and correct, it works perfectly, except
> for the timestamps...
>
> I tried to forge a token with a lifetime of 500 seconds.
> Both startTime and endTime are of type Date (afs_uint32)
>
> # Time code manipulation is below:
> Date startTime, endTime;
> startTime = time(NULL);
> endTime = startTime + 500;
>
> I added some debug messages in rxkad/ticket.c to trace timestamps
> encoded in the token.
>
> Here is my output:
>
> [libAFS::tkt_MakeTicket] start: 1282823804
> [libAFS::tkt_MakeTicket] end: 1282824304 (OK, 500 seconds)
>
> [libAFS::assemble_athena_ticket] start: 1282823804
> [libAFS::assemble_athena_ticket] end: 1282824304 (OK, 500 seconds)
>
> // Decode token
> [libAFS::decode_athena_ticket] start: 1282823804
> [libAFS::decode_athena_ticket] end: 1282824404 (NOT OK, 600 seconds)
> [libAFS::tkt_DecodeTicket] start: 1282823804
> [libAFS::tkt_DecodeTicket] end: 1282824404 (NOT OK, 600 seconds)
>
> Encrypted info::
>         name: admin
>         instance:
>         cell: test.fr
>         host: 0
>         startTime: 1282823804
>         endTime: 1282824404
>
> Lifetime encrypted: 600 sec
> Lifetime clear: 500 sec
>
> As you can see, endTime retrieved with tkt_DecodeTicket (which calls
> decode_athena_ticket) is incorrect.
>
> Athena ticket only stores the token startTime and lifetime and endTime
> is deduced from those two values.
>
>
> I don't really know what's happening here, but if I tried to forge a
> token with a very large lifetime (86400 seconds for instance), i.e.
>
> endTime = startTime + 86400
>
>
> [libAFS::tkt_MakeTicket] start: 1282824973
> [libAFS::tkt_MakeTicket] end: 1282911373
> [libAFS::assemble_athena_ticket] start: 1282824973
> [libAFS::assemble_athena_ticket] end: 1282911373
>
> [libAFS::decode_athena_ticket] start: 1282824973
> [libAFS::decode_athena_ticket] end: 1282916554
> [libAFS::tkt_DecodeTicket] start: 1282824973
> [libAFS::tkt_DecodeTicket] end: 1282916554
>
> Encrypted info::
>         name: admin
>         instance:
>         cell: test.fr
>         host: 0
>         startTime: 1282824973
>         endTime: 1282916554
>
> Lifetime encrypted: 91581 sec
> Lifetime clear: 86400 sec
>
> The gap between real lifetime (clear one before token is dropped from
> token cache) and encrypted lifetime increases.
>
>
> This is very very strange and I'm totally lost here...
>
> Note: When running tkt_DecodeTicket on a token obtained from "klog",
> encrypted and clear lifetime match.
>
> Has anyone already had this problem?
> Where am I wrong?
>
> If you need my code, I can send it to you, just ask :)
>
> Thanks in advance.
>
> R.
>


--

Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
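
Added example, not part of the original message and not OpenAFS code: a Python model of the one-byte lifetime encoding that the message attributes to time_to_life and life_to_time. It assumes 5-minute units (rounded up) below 38400 seconds and 64 geometrically spaced values up to 30 days above that; the function names, constants and generated table are this example's own and should be checked against rxkad/lifetimes.h.

```python
"""Model of a one-byte ticket lifetime encoding (added example).

Assumptions, not copied from the OpenAFS sources: lifetimes below 38400 s
are stored in 5-minute units rounded up; longer ones map to the next of 64
geometrically spaced values between 38400 s and 30 days.
"""

FIVE_MIN = 5 * 60
MIN_FIXED = 0x80                 # first byte value that indexes the table
NUM_FIXED = 64
SHORTEST_FIXED = 38400           # seconds
LONGEST_FIXED = 30 * 24 * 3600   # seconds

# Table generated from the assumed geometric spacing.
RATIO = LONGEST_FIXED / SHORTEST_FIXED
TABLE = [round(SHORTEST_FIXED * RATIO ** (i / (NUM_FIXED - 1)))
         for i in range(NUM_FIXED)]


def encode_life(start, end):
    """Return the byte stored in the ticket for the interval [start, end]."""
    lifetime = end - start
    if lifetime <= 0 or lifetime > LONGEST_FIXED:
        return 0
    if lifetime < TABLE[0]:
        return (lifetime + FIVE_MIN - 1) // FIVE_MIN   # round up to 5 min
    for i, seconds in enumerate(TABLE):
        if seconds >= lifetime:                        # next value up
            return MIN_FIXED + i
    return 0


def decode_end(start, life):
    """Return the end time a decoder derives from start time and the byte."""
    if life < MIN_FIXED:
        return start + life * FIVE_MIN
    return start + TABLE[min(life - MIN_FIXED, NUM_FIXED - 1)]


def round_trip(start, requested):
    """Lifetime in seconds seen after encoding and then decoding."""
    return decode_end(start, encode_life(start, start + requested)) - start


if __name__ == "__main__":
    # Start times and requested lifetimes from the debug output above.
    for start, requested in ((1282823804, 500), (1282824973, 86400)):
        print(requested, "->", round_trip(start, requested))
```

Under these assumptions a requested lifetime only survives the round trip unchanged when it is an exact multiple of 5 minutes below 38400 seconds or equals one of the table values.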

