From e7358d93fa1cbe5db52e217d466894b1af96d95c Mon Sep 17 00:00:00 2001

From: Greg Hudson <ghudson@mit.edu>

Date: Sat, 22 Apr 2017 12:52:17 -0400

Subject: [PATCH] Make timestamp manipulations y2038-safe

Wherever we manipulate krb5_timestamp values using arithmetic,

comparison operations, or conversion to time_t, use the new helper

functions in k5-int.h to ensure that the operations work after y2038

and do not exhibit undefined behavior.  (Relying on

implementation-defined conversion to signed values is okay as we test

that in configure.in.)

In printf format strings, use %u instead of signed types.  When

exporting creds with k5_json_array_fmt(), use a long long so that

timestamps after y2038 aren't marshalled as negative numbers.  When

parsing timestamps in test programs, use atoll() instead of atol() so

that positive timestamps after y2038 can be used as input.

In ksu and klist, make printtime() take a krb5_timestamp parameter to

avoid an unnecessary conversion to time_t and back.

As Leash does not use k5-int.h, use time_t values internally and

safely convert from libkrb5 timestamp values.

ticket: 8352

(cherry picked from commit a9cbbf0899f270fbb14f63ffbed1b6d542333641)

---

 src/clients/kinit/kinit.c                     |  2 +-

 src/clients/klist/klist.c                     | 20 ++++------

 src/clients/ksu/ccache.c                      | 20 +++-------

 src/clients/ksu/ksu.h                         |  2 +-

 src/kadmin/cli/getdate.y                      |  2 +-

 src/kadmin/cli/kadmin.c                       |  5 +--

 src/kadmin/dbutil/dump.c                      | 27 +++++++------

 src/kadmin/dbutil/kdb5_mkey.c                 |  6 +--

 src/kadmin/dbutil/tabdump.c                   |  2 +-

 src/kadmin/testing/util/tcl_kadm5.c           | 12 +++---

 src/kdc/do_as_req.c                           |  2 +-

 src/kdc/do_tgs_req.c                          |  6 +--

 src/kdc/extern.c                              |  4 +-

 src/kdc/fast_util.c                           |  4 +-

 src/kdc/kdc_log.c                             | 14 +++----

 src/kdc/kdc_util.c                            | 20 +++++-----

 src/kdc/kdc_util.h                            |  2 +

 src/kdc/replay.c                              |  2 +-

 src/kdc/tgs_policy.c                          |  7 ++--

 src/lib/gssapi/krb5/accept_sec_context.c      |  8 ++--

 src/lib/gssapi/krb5/acquire_cred.c            | 13 +++---

 src/lib/gssapi/krb5/context_time.c            |  2 +-

 src/lib/gssapi/krb5/export_cred.c             |  5 ++-

 src/lib/gssapi/krb5/iakerb.c                  |  4 +-

 src/lib/gssapi/krb5/init_sec_context.c        |  9 +++--

 src/lib/gssapi/krb5/inq_context.c             |  2 +-

 src/lib/gssapi/krb5/inq_cred.c                |  5 ++-

 src/lib/gssapi/krb5/s4u_gss_glue.c            |  2 +-

 src/lib/kadm5/chpass_util.c                   |  8 +---

 src/lib/kadm5/srv/server_acl.c                |  5 ++-

 src/lib/kadm5/srv/svr_principal.c             | 12 +++---

 src/lib/kdb/kdb5.c                            |  2 +-

 src/lib/krb5/asn.1/asn1_k_encode.c            |  3 +-

 src/lib/krb5/ccache/cc_keyring.c              | 14 ++++---

 src/lib/krb5/ccache/cc_memory.c               |  4 +-

 src/lib/krb5/ccache/cc_retr.c                 |  4 +-

 src/lib/krb5/ccache/ccapi/stdcc_util.c        | 40 +++++++++----------

 src/lib/krb5/ccache/cccursor.c                |  2 +-

 src/lib/krb5/keytab/kt_file.c                 |  6 ++-

 src/lib/krb5/krb/gc_via_tkt.c                 |  7 ++--

 src/lib/krb5/krb/get_creds.c                  |  2 +-

 src/lib/krb5/krb/get_in_tkt.c                 | 38 +++++-------------

 src/lib/krb5/krb/gic_pwd.c                    |  4 +-

 src/lib/krb5/krb/int-proto.h                  |  2 +-

 src/lib/krb5/krb/pac.c                        |  2 +-

 src/lib/krb5/krb/str_conv.c                   |  4 +-

 src/lib/krb5/krb/t_kerb.c                     | 12 +-----

 src/lib/krb5/krb/valid_times.c                |  4 +-

 src/lib/krb5/krb/vfy_increds.c                |  2 +-

 src/lib/krb5/os/timeofday.c                   |  2 +-

 src/lib/krb5/os/toffset.c                     |  2 +-

 src/lib/krb5/os/ustime.c                      |  6 +--

 src/lib/krb5/rcache/rc_dfl.c                  |  3 +-

 src/lib/krb5/rcache/t_replay.c                |  8 ++--

 src/plugins/kdb/db2/lockout.c                 |  8 ++--

 .../kdb/ldap/libkdb_ldap/ldap_principal2.c    |  2 +-

 src/plugins/kdb/ldap/libkdb_ldap/lockout.c    |  8 ++--

 src/windows/cns/tktlist.c                     | 10 +++--

 src/windows/include/leashwin.h                | 12 +++---

 src/windows/leash/KrbListTickets.cpp          | 12 +++---

 src/windows/leash/LeashView.cpp               | 22 +++++-----

 src/windows/leashdll/lshfunc.c                |  2 +-

 src/windows/ms2mit/ms2mit.c                   |  2 +-

 63 files changed, 230 insertions(+), 255 deletions(-)

diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c

index f1cd1b73d..50065e32e 100644

--- a/src/clients/kinit/kinit.c

+++ b/src/clients/kinit/kinit.c

@@ -318,7 +318,7 @@ parse_options(argc, argv, opts)

                     fprintf(stderr, _("Bad start time value %s\n"), optarg);

                     errflg++;

                 } else {

-                    opts->starttime = abs_starttime - time(0);

+                    opts->starttime = ts_delta(abs_starttime, time(NULL));

                 }

             }

             break;

diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c

index ba19788a2..ffeecc394 100644

--- a/src/clients/klist/klist.c

+++ b/src/clients/klist/klist.c

@@ -72,7 +72,7 @@ void do_ccache_name (char *);

 int show_ccache (krb5_ccache);

 int check_ccache (krb5_ccache);

 void do_keytab (char *);

-void printtime (time_t);

+void printtime (krb5_timestamp);

 void one_addr (krb5_address *);

 void fillit (FILE *, unsigned int, int);

@@ -538,10 +538,10 @@ check_ccache(krb5_ccache cache)

     while (!(ret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {

         if (is_local_tgt(creds.server, &princ->realm)) {

             found_tgt = TRUE;

-            if (creds.times.endtime > now)

+            if (ts_after(creds.times.endtime, now))

                 found_current_tgt = TRUE;

         } else if (!krb5_is_config_principal(kcontext, creds.server) &&

-                   creds.times.endtime > now) {

+                   ts_after(creds.times.endtime, now)) {

             found_current_cred = TRUE;

         }

         krb5_free_cred_contents(kcontext, &creds);

@@ -623,19 +623,13 @@ flags_string(cred)

 }

 void

-printtime(tv)

-    time_t tv;

+printtime(krb5_timestamp ts)

 {

-    char timestring[BUFSIZ];

-    char fill;

+    char timestring[BUFSIZ], fill = ' ';

-    fill = ' ';

-    if (!krb5_timestamp_to_sfstring((krb5_timestamp) tv,

-                                    timestring,

-                                    timestamp_width+1,

-                                    &fill)) {

+    if (!krb5_timestamp_to_sfstring(ts, timestring, timestamp_width + 1,

+                                    &fill))

         printf("%s", timestring);

-    }

 }

 static void

diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c

index a0736f2da..236313b7b 100644

--- a/src/clients/ksu/ccache.c

+++ b/src/clients/ksu/ccache.c

@@ -278,11 +278,11 @@ krb5_error_code krb5_check_exp(context, tkt_time)

                 context->clockskew);

         fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n",

-                (currenttime - tkt_time.endtime ));

+                ts_delta(currenttime, tkt_time.endtime));

     }

-    if (currenttime - tkt_time.endtime > context->clockskew){

+    if (ts_delta(currenttime, tkt_time.endtime) > context->clockskew) {

         retval = KRB5KRB_AP_ERR_TKT_EXPIRED ;

         return retval;

     }

@@ -323,21 +323,11 @@ char *flags_string(cred)

     return(buf);

 }

-void printtime(tv)

-    time_t tv;

+void printtime(krb5_timestamp ts)

 {

-    char fmtbuf[18];

-    char fill;

-    krb5_timestamp tstamp;

+    char fmtbuf[18], fill = ' ';

-    /* XXXX ASSUMES sizeof(krb5_timestamp) >= sizeof(time_t) */

-    (void) localtime((time_t *)&tv;;

-    tstamp = tv;

-    fill = ' ';

-    if (!krb5_timestamp_to_sfstring(tstamp,

-                                    fmtbuf,

-                                    sizeof(fmtbuf),

-                                    &fill))

+    if (!krb5_timestamp_to_sfstring(ts, fmtbuf, sizeof(fmtbuf), &fill))

         printf("%s", fmtbuf);

 }

diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h

index ee8e9d6a0..3bf0bd438 100644

--- a/src/clients/ksu/ksu.h

+++ b/src/clients/ksu/ksu.h

@@ -150,7 +150,7 @@ extern krb5_boolean krb5_find_princ_in_cred_list

 extern krb5_error_code krb5_find_princ_in_cache

 (krb5_context, krb5_ccache, krb5_principal, krb5_boolean *);

-extern void printtime (time_t);

+extern void printtime (krb5_timestamp);

 /* authorization.c */

 extern krb5_boolean fowner (FILE *, uid_t);

diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y

index 4f0c56f7e..0a19c5648 100644

--- a/src/kadmin/cli/getdate.y

+++ b/src/kadmin/cli/getdate.y

@@ -118,7 +118,7 @@ static int getdate_yyerror (char *);

 #define EPOCH		1970

-#define EPOCH_END	2038 /* assumes 32 bits */

+#define EPOCH_END	2106 /* assumes unsigned 32-bit range */

 #define HOUR(x)		((time_t)(x) * 60)

 #define SECSPERDAY	(24L * 60L * 60L)

diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c

index c53c677a8..aee5c83b9 100644

--- a/src/kadmin/cli/kadmin.c

+++ b/src/kadmin/cli/kadmin.c

@@ -31,8 +31,7 @@

  * library */

 /* for "_" macro */

-#include "k5-platform.h"

-#include <krb5.h>

+#include "k5-int.h"

 #include <kadm5/admin.h>

 #include <adm_proto.h>

 #include <errno.h>

@@ -144,8 +143,8 @@ strdate(krb5_timestamp when)

 {

     struct tm *tm;

     static char out[40];

+    time_t lcltim = ts2tt(when);

-    time_t lcltim = when;

     tm = localtime(&lcltim);

     strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);

     return out;

diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c

index cad53cfbf..a6fc4ea77 100644

--- a/src/kadmin/dbutil/dump.c

+++ b/src/kadmin/dbutil/dump.c

@@ -379,11 +379,12 @@ k5beta7_common(krb5_context context, krb5_db_entry *entry,

     fprintf(fp, "princ\t%d\t%lu\t%d\t%d\t%d\t%s\t", (int)entry->len,

             (unsigned long)strlen(name), counter, (int)entry->n_key_data,

             (int)entry->e_length, name);

-    fprintf(fp, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", entry->attributes,

-            entry->max_life, entry->max_renewable_life, entry->expiration,

-            entry->pw_expiration,

-            omit_nra ? 0 : entry->last_success,

-            omit_nra ? 0 : entry->last_failed,

+    fprintf(fp, "%d\t%d\t%d\t%u\t%u\t%u\t%u\t%d", entry->attributes,

+            entry->max_life, entry->max_renewable_life,

+            (unsigned int)entry->expiration,

+            (unsigned int)entry->pw_expiration,

+            (unsigned int)(omit_nra ? 0 : entry->last_success),

+            (unsigned int)(omit_nra ? 0 : entry->last_failed),

             omit_nra ? 0 : entry->fail_auth_count);

     /* Write out tagged data. */

@@ -717,7 +718,7 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,

 {

     int retval, nread, i, j;

     krb5_db_entry *dbentry;

-    int t1, t2, t3, t4, t5, t6, t7;

+    int t1, t2, t3, t4;

     unsigned int u1, u2, u3, u4, u5;

     char *name = NULL;

     krb5_key_data *kp = NULL, *kd;

@@ -773,8 +774,8 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,

     }

     /* Get the fixed principal attributes */

-    nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t",

-                   &t1, &t2, &t3, &t4, &t5, &t6, &t7, &u1;;

+    nread = fscanf(filep, "%d\t%d\t%d\t%u\t%u\t%d\t%d\t%d\t",

+                   &t1, &t2, &t3, &u1, &u2, &u3, &u4, &u5;;

     if (nread != 8) {

         load_err(fname, *linenop, _("cannot read principal attributes"));

         goto fail;

@@ -782,11 +783,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep,

     dbentry->attributes = t1;

     dbentry->max_life = t2;

     dbentry->max_renewable_life = t3;

-    dbentry->expiration = t4;

-    dbentry->pw_expiration = t5;

-    dbentry->last_success = t6;

-    dbentry->last_failed = t7;

-    dbentry->fail_auth_count = u1;

+    dbentry->expiration = u1;

+    dbentry->pw_expiration = u2;

+    dbentry->last_success = u3;

+    dbentry->last_failed = u4;

+    dbentry->fail_auth_count = u5;

     dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES |

         KADM5_MAX_LIFE | KADM5_MAX_RLIFE |

         KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS |

diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c

index 7df8cbc83..2efe3176e 100644

--- a/src/kadmin/dbutil/kdb5_mkey.c

+++ b/src/kadmin/dbutil/kdb5_mkey.c

@@ -44,8 +44,8 @@ static char *strdate(krb5_timestamp when)

 {

     struct tm *tm;

     static char out[40];

+    time_t lcltim = ts2tt(when);

-    time_t lcltim = when;

     tm = localtime(&lcltim);

     strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm);

     return out;

@@ -481,7 +481,7 @@ kdb5_use_mkey(int argc, char *argv[])

                  cur_actkvno != NULL;

                  prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) {

-                if (new_actkvno->act_time < cur_actkvno->act_time) {

+                if (ts_after(cur_actkvno->act_time, new_actkvno->act_time)) {

                     if (prev_actkvno) {

                         prev_actkvno->next = new_actkvno;

                         new_actkvno->next = cur_actkvno;

@@ -499,7 +499,7 @@ kdb5_use_mkey(int argc, char *argv[])

         }

     }

-    if (actkvno_list->act_time > now) {

+    if (ts_after(actkvno_list->act_time, now)) {

         com_err(progname, EINVAL,

                 _("there must be one master key currently active"));

         exit_status++;

diff --git a/src/kadmin/dbutil/tabdump.c b/src/kadmin/dbutil/tabdump.c

index 69a3482ec..fb36b060a 100644

--- a/src/kadmin/dbutil/tabdump.c

+++ b/src/kadmin/dbutil/tabdump.c

@@ -148,7 +148,7 @@ write_date_iso(struct rec_args *args, krb5_timestamp when)

     struct tm *tm = NULL;

     struct rechandle *h = args->rh;

-    t = when;

+    t = ts2tt(when);

     tm = gmtime(&t);

     if (tm == NULL) {

         errno = EINVAL;

diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c

index a4997c60c..9dde579ef 100644

--- a/src/kadmin/testing/util/tcl_kadm5.c

+++ b/src/kadmin/testing/util/tcl_kadm5.c

@@ -697,13 +697,13 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,

     } else

         Tcl_DStringAppendElement(str, "null");

-    sprintf(buf, "%d", princ->princ_expire_time);

+    sprintf(buf, "%u", (unsigned int)princ->princ_expire_time);

     Tcl_DStringAppendElement(str, buf);

-    sprintf(buf, "%d", princ->last_pwd_change);

+    sprintf(buf, "%u", (unsigned int)princ->last_pwd_change);

     Tcl_DStringAppendElement(str, buf);

-    sprintf(buf, "%d", princ->pw_expiration);

+    sprintf(buf, "%u", (unsigned int)princ->pw_expiration);

     Tcl_DStringAppendElement(str, buf);

     sprintf(buf, "%d", princ->max_life);

@@ -722,7 +722,7 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,

     } else

         Tcl_DStringAppendElement(str, "null");

-    sprintf(buf, "%d", princ->mod_date);

+    sprintf(buf, "%u", (unsigned int)princ->mod_date);

     Tcl_DStringAppendElement(str, buf);

     if (mask & KADM5_ATTRIBUTES) {

@@ -758,10 +758,10 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ,

     sprintf(buf, "%d", princ->max_renewable_life);

     Tcl_DStringAppendElement(str, buf);

-    sprintf(buf, "%d", princ->last_success);

+    sprintf(buf, "%u", (unsigned int)princ->last_success);

     Tcl_DStringAppendElement(str, buf);

-    sprintf(buf, "%d", princ->last_failed);

+    sprintf(buf, "%u", (unsigned int)princ->last_failed);

     Tcl_DStringAppendElement(str, buf);

     sprintf(buf, "%d", princ->fail_auth_count);

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c

index 712ccb794..59a39cd30 100644

--- a/src/kdc/do_as_req.c

+++ b/src/kdc/do_as_req.c

@@ -87,7 +87,7 @@ get_key_exp(krb5_db_entry *entry)

         return entry->pw_expiration;

     if (entry->pw_expiration == 0)

         return entry->expiration;

-    return min(entry->expiration, entry->pw_expiration);

+    return ts_min(entry->expiration, entry->pw_expiration);

 }

 /*

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c

index 547a41441..aacd2f20d 100644

--- a/src/kdc/do_tgs_req.c

+++ b/src/kdc/do_tgs_req.c

@@ -500,12 +500,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,

         old_starttime = enc_tkt_reply.times.starttime ?

             enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;

-        old_life = enc_tkt_reply.times.endtime - old_starttime;

+        old_life = ts_delta(enc_tkt_reply.times.endtime, old_starttime);

         enc_tkt_reply.times.starttime = kdc_time;

         enc_tkt_reply.times.endtime =

-            min(header_ticket->enc_part2->times.renew_till,

-                kdc_time + old_life);

+            ts_min(header_ticket->enc_part2->times.renew_till,

+                   ts_incr(kdc_time, old_life));

     } else {

         /* not a renew request */

         enc_tkt_reply.times.starttime = kdc_time;

diff --git a/src/kdc/extern.c b/src/kdc/extern.c

index fe627494b..84b5c6ad5 100644

--- a/src/kdc/extern.c

+++ b/src/kdc/extern.c

@@ -37,6 +37,8 @@

 kdc_realm_t     **kdc_realmlist = (kdc_realm_t **) NULL;

 int             kdc_numrealms = 0;

 krb5_data empty_string = {0, 0, ""};

-krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */

 krb5_keyblock   psr_key;

 krb5_int32      max_dgram_reply_size = MAX_DGRAM_SIZE;

+

+/* With ts_after(), this is the largest timestamp value. */

+krb5_timestamp kdc_infinity = -1;

diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c

index 9df940219..e05107ef3 100644

--- a/src/kdc/fast_util.c

+++ b/src/kdc/fast_util.c

@@ -607,7 +607,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state,

     ret = krb5_timeofday(context, &now;;

     if (ret)

         goto cleanup;

-    if (now - COOKIE_LIFETIME > cookie->time) {

+    if (ts2tt(now) > cookie->time + COOKIE_LIFETIME) {

         /* Don't accept the cookie contents.  Only return an error if the

          * cookie is relevant to the request. */

         if (is_relevant(cookie->data, req->padata))

@@ -700,7 +700,7 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state,

     ret = krb5_timeofday(context, &now;;

     if (ret)

         goto cleanup;

-    cookie.time = now;

+    cookie.time = ts2tt(now);

     cookie.data = contents;

     ret = encode_krb5_secure_cookie(&cookie, &der_cookie);

     if (ret)

diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c

index 94a2a1c87..c044a3553 100644

--- a/src/kdc/kdc_log.c

+++ b/src/kdc/kdc_log.c

@@ -79,9 +79,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *from,

         /* success */

         char rep_etypestr[128];

         rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply);

-        krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %d, %s, "

+        krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, "

                                      "%s for %s"),

-                         ktypestr, fromstring, authtime,

+                         ktypestr, fromstring, (unsigned int)authtime,

                          rep_etypestr, cname2, sname2);

     } else {

         /* fail */

@@ -156,10 +156,10 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,

        name (useful), and doesn't log ktypestr (probably not

        important).  */

     if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) {

-        krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %d, %s%s "

+        krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s "

                                      "%s for %s%s%s"),

-                         ktypestr, fromstring, status, authtime, rep_etypestr,

-                         !errcode ? "," : "", logcname, logsname,

+                         ktypestr, fromstring, status, (unsigned int)authtime,

+                         rep_etypestr, !errcode ? "," : "", logcname, logsname,

                          errcode ? ", " : "", errcode ? emsg : "");

         if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION))

             krb5_klog_syslog(LOG_INFO,

@@ -171,9 +171,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from,

                              logaltcname);

     } else

-        krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %d, %s for %s, "

+        krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %u, %s for %s, "

                                      "2nd tkt client %s"),

-                         fromstring, status, authtime,

+                         fromstring, status, (unsigned int)authtime,

                          logcname, logsname, logaltcname);

     /* OpenSolaris: audit_krb5kdc_tgs_req(...)  or

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c

index 29f9dbbf0..778a629e5 100644

--- a/src/kdc/kdc_util.c

+++ b/src/kdc/kdc_util.c

@@ -654,7 +654,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,

     }

     /* The client must not be expired */

-    if (client.expiration && client.expiration < kdc_time) {

+    if (client.expiration && ts_after(kdc_time, client.expiration)) {

         *status = "CLIENT EXPIRED";

         if (vague_errors)

             return(KRB_ERR_GENERIC);

@@ -664,7 +664,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,

     /* The client's password must not be expired, unless the server is

        a KRB5_KDC_PWCHANGE_SERVICE. */

-    if (client.pw_expiration && client.pw_expiration < kdc_time &&

+    if (client.pw_expiration && ts_after(kdc_time, client.pw_expiration) &&

         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {

         *status = "CLIENT KEY EXPIRED";

         if (vague_errors)

@@ -674,7 +674,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,

     }

     /* The server must not be expired */

-    if (server.expiration && server.expiration < kdc_time) {

+    if (server.expiration && ts_after(kdc_time, server.expiration)) {

         *status = "SERVICE EXPIRED";

         return(KDC_ERR_SERVICE_EXP);

     }

@@ -1765,9 +1765,9 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,

     if (till == 0)

         till = kdc_infinity;

-    until = min(till, endtime);

+    until = ts_min(till, endtime);

-    life = until - starttime;

+    life = ts_delta(until, starttime);

     if (client != NULL && client->max_life != 0)

         life = min(life, client->max_life);

@@ -1776,7 +1776,7 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,

     if (kdc_active_realm->realm_maxlife != 0)

         life = min(life, kdc_active_realm->realm_maxlife);

-    *out_endtime = starttime + life;

+    *out_endtime = ts_incr(starttime, life);

 }

 /*

@@ -1806,22 +1806,22 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request,

     if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE))

         rtime = request->rtime ? request->rtime : kdc_infinity;

     else if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&

-             tkt->times.endtime < request->till)

+             ts_after(request->till, tkt->times.endtime))

         rtime = request->till;

     else

         return;

     /* Truncate it to the allowable renewable time. */

     if (tgt != NULL)

-        rtime = min(rtime, tgt->times.renew_till);

+        rtime = ts_min(rtime, tgt->times.renew_till);

     max_rlife = min(server->max_renewable_life, realm->realm_maxrlife);

     if (client != NULL)

         max_rlife = min(max_rlife, client->max_renewable_life);

-    rtime = min(rtime, tkt->times.starttime + max_rlife);

+    rtime = ts_min(rtime, ts_incr(tkt->times.starttime, max_rlife));

     /* Make the ticket renewable if the truncated requested time is larger than

      * the ticket end time. */

-    if (rtime > tkt->times.endtime) {

+    if (ts_after(rtime, tkt->times.endtime)) {

         setflag(tkt->flags, TKT_FLG_RENEWABLE);

         tkt->times.renew_till = rtime;

     }

diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h

index bcf05fc27..672f94380 100644

--- a/src/kdc/kdc_util.h

+++ b/src/kdc/kdc_util.h

@@ -452,6 +452,8 @@ struct krb5_kdcpreauth_rock_st {

 #define max(a, b)       ((a) > (b) ? (a) : (b))

 #endif

+#define ts_min(a, b) (ts_after(a, b) ? (b) : (a))

+

 #define ADDRTYPE2FAMILY(X)                                              \

     ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)

diff --git a/src/kdc/replay.c b/src/kdc/replay.c

index 8da7ac19a..fab39cf88 100644

--- a/src/kdc/replay.c

+++ b/src/kdc/replay.c

@@ -61,7 +61,7 @@ static size_t total_size = 0;

 static krb5_ui_4 seed;

 #define STALE_TIME      (2*60)            /* two minutes */

-#define STALE(ptr, now) (abs((ptr)->timein - (now)) >= STALE_TIME)

+#define STALE(ptr, now) (labs(ts_delta((ptr)->timein, now)) >= STALE_TIME)

 /* Return x rotated to the left by r bits. */

 static inline krb5_ui_4

diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c

index a30cacc66..d0f25d1b7 100644

--- a/src/kdc/tgs_policy.c

+++ b/src/kdc/tgs_policy.c

@@ -186,7 +186,7 @@ static int

 check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt,

                    krb5_timestamp kdc_time, const char **status)

 {

-    if (server.expiration && server.expiration < kdc_time) {

+    if (server.expiration && ts_after(kdc_time, server.expiration)) {

         *status = "SERVICE EXPIRED";

         return KDC_ERR_SERVICE_EXP;

     }

@@ -222,7 +222,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,

        KDC time. */

     if (req->kdc_options & KDC_OPT_VALIDATE) {

         starttime = times->starttime ? times->starttime : times->authtime;

-        if (starttime > kdc_time) {

+        if (ts_after(starttime, kdc_time)) {

             *status = "NOT_YET_VALID";

             return KRB_AP_ERR_TKT_NYV;

         }

@@ -231,7 +231,8 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times,

      * Check the renew_till time.  The endtime was already

      * been checked in the initial authentication check.

      */

-    if ((req->kdc_options & KDC_OPT_RENEW) && times->renew_till < kdc_time) {

+    if ((req->kdc_options & KDC_OPT_RENEW) &&

+        ts_after(kdc_time, times->renew_till)) {

         *status = "TKT_EXPIRED";

         return KRB_AP_ERR_TKT_EXPIRED;

     }

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c

index 580d08cbf..06967aa27 100644

--- a/src/lib/gssapi/krb5/accept_sec_context.c

+++ b/src/lib/gssapi/krb5/accept_sec_context.c

@@ -351,8 +351,10 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle,

     if (mech_type)

         *mech_type = ctx->mech_used;

-    if (time_rec)

-        *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now;

+    if (time_rec) {

+        *time_rec = ts_delta(ctx->krb_times.endtime, now) +

+            ctx->k5_context->clockskew;

+    }

     /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential

      * delegation yet. */

@@ -1146,7 +1148,7 @@ kg_accept_krb5(minor_status, context_handle,

     /* Add the maximum allowable clock skew as a grace period for context

      * expiration, just as we do for the ticket. */

     if (time_rec)

-        *time_rec = ctx->krb_times.endtime + context->clockskew - now;

+        *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew;

     if (ret_flags)

         *ret_flags = ctx->gss_flags;

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c

index 03ee25ec1..362ba9d86 100644

--- a/src/lib/gssapi/krb5/acquire_cred.c

+++ b/src/lib/gssapi/krb5/acquire_cred.c

@@ -550,7 +550,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,

     char buf[128];

     krb5_data d;

-    snprintf(buf, sizeof(buf), "%ld", (long)refresh_time);

+    snprintf(buf, sizeof(buf), "%u", (unsigned int)ts2tt(refresh_time));

     d = string2data(buf);

     (void)krb5_cc_set_config(context, ccache, NULL, KRB5_CC_CONF_REFRESH_TIME,

                              &d);

@@ -566,8 +566,9 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)

     if (krb5_timeofday(context, &now))

         return FALSE;

-    if (cred->refresh_time != 0 && now >= cred->refresh_time) {

-        set_refresh_time(context, cred->ccache, cred->refresh_time + 30);

+    if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {

+        set_refresh_time(context, cred->ccache,

+                         ts_incr(cred->refresh_time, 30));

         return TRUE;

     }

     return FALSE;

@@ -586,7 +587,8 @@ kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred,

         return;

     /* Make a note to refresh these when they are halfway to expired. */

-    refresh = times->starttime + (times->endtime - times->starttime) / 2;

+    refresh = ts_incr(times->starttime,

+                      ts_delta(times->endtime, times->starttime) / 2);

     set_refresh_time(context, cred->ccache, refresh);

 }

@@ -848,7 +850,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,

                                   GSS_C_NO_NAME);

             if (GSS_ERROR(ret))

                 goto error_out;

-            *time_rec = (cred->expire > now) ? (cred->expire - now) : 0;

+            *time_rec = ts_after(cred->expire, now) ?

+                ts_delta(cred->expire, now) : 0;

             k5_mutex_unlock(&cred->lock);

         }

     }

diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c

index 450593288..1fdb5a16f 100644

--- a/src/lib/gssapi/krb5/context_time.c

+++ b/src/lib/gssapi/krb5/context_time.c

@@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec)