Don't allow renewable_ok to be set if the renew lifetime is greater
authorSam Hartman <hartmans@mit.edu>
Fri, 6 Jun 2003 19:30:40 +0000 (19:30 +0000)
committerSam Hartman <hartmans@mit.edu>
Fri, 6 Jun 2003 19:30:40 +0000 (19:30 +0000)
than the ticket lifetime.

Ticket: 1576
Tags: pullup
Status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15590 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/krb/ChangeLog
src/lib/krb5/krb/get_in_tkt.c

index c554cea8256c110eb8480bac5a429ce53ff84a4d..a0106c0d98028983f2f11823d66366582637274e 100644 (file)
@@ -1,3 +1,8 @@
+2003-06-06  Sam Hartman  <hartmans@mit.edu>
+
+       * get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the
+       request is for a renewable ticket with rtime greater than till 
+
 2003-06-06  Ezra Peisach  <epeisach@mit.edu>
 
        * mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are
index 2f6c257a2516157c6b870352ea07e235c2dca35c..df5ebaf7110b19d9e0448129fcbc829ae7f9314f 100644 (file)
@@ -877,6 +877,8 @@ krb5_get_init_creds(krb5_context context,
     if (renew_life > 0) {
        request.rtime = request.from;
        request.rtime += renew_life;
+       if (request.rtime >= request.till)
+           request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
     } else {
        request.rtime = 0;
     }
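Review bot: The added test `if (request.rtime >= request.till)` also clears KDC_OPT_RENEWABLE_OK when the two times are equal, while the commit message and the ChangeLog entry both say "greater than"; either the operator or the wording should change so they agree. The branch has no comment saying why the option is dropped; something like `/* renew-till already reaches the requested end time, so do not also accept a renewable ticket as a fallback */` would record the intent. The comparison also depends on `request.rtime += renew_life` on the line above not wrapping: if these are signed 32-bit timestamps (the types are not visible here), a very large renew_life could leave rtime below till and the option set, so a bound on renew_life before the addition is worth checking. krb5_get_init_creds begins and continues outside this hunk.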