RFR 8078495: End time checking for native TGT is wrong

Weijun Wang weijun.wang at oracle.com
Mon May 4 09:21:49 UTC 2015


Ping again.

On 4/24/2015 11:29 AM, Weijun Wang wrote:
> Hi All
>
> Please review a fix at
>
>     http://cr.openjdk.java.net/~weijun/8078495/webrev.00
>
> which is essentially
>
>               GetSystemTimeAsFileTime(&Now);
>               EndTime.dwLowDateTime = msticket->EndTime.LowPart;
>               EndTime.dwHighDateTime = msticket->EndTime.HighPart;
> -            FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
> -            if (CompareFileTime(&Now, &LocalEndTime) < 0) {
> +            if (CompareFileTime(&Now, &EndTime) < 0) {
>
> MSDN explicitly specifies that GetSystemTimeAsFileTime() [1] returns a
> UTC time. It is not very clear about KERB_EXTERNAL_TICKET [2], but
> according to my observation and the fact that it is directly converted
> to a KerberosTime string in the BuildKerberosTime() function, I believe
> it's also UTC.
>
> Anyway, the FILETIME structure is a little confusing, its spec [3] says
> it's an elapsed time from an MS epoch, so it should be timezone
> independent. But then there is FileTimeToLocalFileTime function which
> means it can be dependent.
>
> I believe the bug was not spotted earlier because when Java sees an
> expired ticket, it always tries to reacquire one, and returns a valid
> ticket anyway. (Fortunately it has not tried to validate the new ticket
> again).
>
> Thanks
> Max
>
> [1]
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms724397%28v=vs.85%29.aspx
>
> [2]
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa378073%28v=vs.85%29.aspx
>
> [3]
> https://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx
>


More information about the security-dev mailing list