RFR 8078495: End time checking for native TGT is wrong

Weijun Wang weijun.wang at oracle.com
Fri Apr 24 03:29:26 UTC 2015


Hi All

Please review a fix at

    http://cr.openjdk.java.net/~weijun/8078495/webrev.00

which is essentially

              GetSystemTimeAsFileTime(&Now);
              EndTime.dwLowDateTime = msticket->EndTime.LowPart;
              EndTime.dwHighDateTime = msticket->EndTime.HighPart;
-            FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
-            if (CompareFileTime(&Now, &LocalEndTime) < 0) {
+            if (CompareFileTime(&Now, &EndTime) < 0) {
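
Review bot: The new comparison, CompareFileTime(&Now, &EndTime) < 0, is only correct if msticket->EndTime is already UTC, and nothing in the visible code says so. Add a short comment above the comparison stating that Now (from GetSystemTimeAsFileTime) and EndTime are both UTC, so that the FileTimeToLocalFileTime call is not reintroduced later. If LocalEndTime has no other use in this function, remove its declaration in the same change.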

MSDN explicitly specifies that GetSystemTimeAsFileTime() [1] returns a 
UTC time. It is not very clear about KERB_EXTERNAL_TICKET [2], but 
according to my observation and the fact that it is directly converted 
to a KerberosTime string in the BuildKerberosTime() function, I believe 
it's also UTC.

Anyway, the FILETIME structure is a little confusing. Its spec [3] says
it's an elapsed time from an MS epoch, so it should be timezone
independent. But then there is the FileTimeToLocalFileTime function, which
means it can be dependent.

I believe the bug was not spotted earlier because when Java sees an 
expired ticket, it always tries to reacquire one, and returns a valid 
ticket anyway. (Fortunately it has not tried to validate the new ticket 
again).

Thanks
Max

[1] 
https://msdn.microsoft.com/en-us/library/windows/desktop/ms724397%28v=vs.85%29.aspx
[2] 
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378073%28v=vs.85%29.aspx
[3] 
https://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx
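
The effect of mixing a UTC "now" with a local-shifted end time, as an added example that is not part of the original message or the JDK source. It is a portable model that does not call the Windows API: to_local_ticks is a hypothetical stand-in for FileTimeToLocalFileTime, and the function names, offsets and SAMPLE_NOW value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC. */
#define TICKS_PER_SECOND 10000000LL
#define TICKS_PER_HOUR   (3600LL * TICKS_PER_SECOND)

/* Constructed sample value: an arbitrary "now" expressed in FILETIME ticks. */
static const int64_t SAMPLE_NOW = 130743000000000000LL;

/* Hypothetical stand-in for FileTimeToLocalFileTime(): shifts a UTC tick
 * count by the zone offset, given in minutes east of UTC. */
static int64_t to_local_ticks(int64_t utc_ticks, int offset_minutes)
{
    return utc_ticks + (int64_t)offset_minutes * 60 * TICKS_PER_SECOND;
}

/* Check before the fix: UTC "now" compared with a local-shifted end time. */
static int valid_before_fix(int64_t now_utc, int64_t end_utc, int offset_minutes)
{
    return now_utc < to_local_ticks(end_utc, offset_minutes);
}

/* Check after the fix: both operands are UTC tick counts. */
static int valid_after_fix(int64_t now_utc, int64_t end_utc)
{
    return now_utc < end_utc;
}

int main(void)
{
    int64_t expired = SAMPLE_NOW - TICKS_PER_HOUR; /* ended one hour ago   */
    int64_t live    = SAMPLE_NOW + TICKS_PER_HOUR; /* ends in one hour     */

    /* East of UTC (+08:00): an expired ticket still passes the old check. */
    printf("expired, UTC+8: before=%d after=%d\n",
           valid_before_fix(SAMPLE_NOW, expired, 480),
           valid_after_fix(SAMPLE_NOW, expired));

    /* West of UTC (-05:00): a live ticket fails the old check. */
    printf("live,    UTC-5: before=%d after=%d\n",
           valid_before_fix(SAMPLE_NOW, live, -300),
           valid_after_fix(SAMPLE_NOW, live));
    return 0;
}
```
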

