From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date: Mon, 8 Jul 2019 12:36:46 +0000 (+0200)
Subject: ticket: properly verify exactly 5min old tickets
X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=commitdiff_plain;h=c4e2bd9c9e1c07529ec12d475b54bff7b4abacc5

ticket: properly verify exactly 5min old tickets

to fix an issue where valid tickets could be rejected 5 minutes after a
key rotation, where the minimum age is exactly 0 seconds.

thanks Dominik for triaging!

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit 5bb966fe5d6f3f6a30e86724c024f80ebebacfba)
---

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index fc519f1..908cccb 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -294,7 +294,7 @@ sub verify_ticket {
 	return undef if !$rsa_pub;
 
 	my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old);
-	return undef if !$min;
+	return undef if !defined($min);
 
 	return PVE::Ticket::verify_rsa_ticket(
 	    $rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);