* get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime of tickets whose...

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15524 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 531a378d4c6d1b5a90333f504de9e9001f669b33..23ea952092fe57ba48ffdbf10c58c0d72a5b7bef 100644 (file)
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,10 @@
+2003-05-30  Alexandra Ellwood <lxs@mit.edu>
+
+       * get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime
+       of tickets whose request options included KDC_OPT_RENEWABLE_OK
+       if those options did not also include KDC_OPT_RENEWABLE.   Otherwise 
+       verify_as_reply() will fail for all renewable tickets.
+
 2003-05-27  Ken Raeburn  <raeburn@mit.edu>
 
        * conv_creds.c: Enable support on Windows always.

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 44f887afdd76bffdf20a5da51cae883ab6cad159..c49752c952cdb0049d006b3274bffcdc6388ada1 100644 (file)
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -262,6 +262,7 @@ verify_as_reply(krb5_context                context,
            (request->rtime != 0) &&
            (as_reply->enc_part2->times.renew_till > request->rtime))
        || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+           !(request->kdc_options & KDC_OPT_RENEWABLE) &&
            (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
            (request->till != 0) &&
            (as_reply->enc_part2->times.renew_till > request->till))