RFR 8078495: End time checking for native TGT is wrong

Xuelei Fan xuelei.fan at oracle.com
Mon May 4 09:51:21 UTC 2015


Looks fine to me.

Xuelei

On 5/4/2015 5:21 PM, Weijun Wang wrote:
> Ping again.
> 
> On 4/24/2015 11:29 AM, Weijun Wang wrote:
>> Hi All
>>
>> Please review a fix at
>>
>>     http://cr.openjdk.java.net/~weijun/8078495/webrev.00
>>
>> which is essentially
>>
>>               GetSystemTimeAsFileTime(&Now);
>>               EndTime.dwLowDateTime = msticket->EndTime.LowPart;
>>               EndTime.dwHighDateTime = msticket->EndTime.HighPart;
>> -            FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
>> -            if (CompareFileTime(&Now, &LocalEndTime) < 0) {
>> +            if (CompareFileTime(&Now, &EndTime) < 0) {
>>
>> MSDN explicitly specifies that GetSystemTimeAsFileTime() [1] returns a
>> UTC time. It is not very clear about KERB_EXTERNAL_TICKET [2], but
>> according to my observation and the fact that it is directly converted
>> to a KerberosTime string in the BuildKerberosTime() function, I believe
>> it's also UTC.
>>
>> Anyway, the FILETIME structure is a little confusing, its spec [3] says
>> it's an elapsed time from an MS epoch, so it should be timezone
>> independent. But then there is FileTimeToLocalFileTime function which
>> means it can be dependent.
>>
>> I believe the bug was not spotted earlier because when Java sees an
>> expired ticket, it always tries to reacquire one, and returns a valid
>> ticket anyway. (Fortunately it has not tried to validate the new ticket
>> again).
>>
>> Thanks
>> Max
>>
>> [1]
>> https://msdn.microsoft.com/en-us/library/windows/desktop/ms724397%28v=vs.85%29.aspx
>>
>>
>> [2]
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa378073%28v=vs.85%29.aspx
>>
>>
>> [3]
>> https://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx
>>
>>



More information about the security-dev mailing list