From 1c0791bb201ff274dbbf8aa644bfffc200f15f08 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Thu, 12 Aug 2010 17:39:09 +0000
Subject: [PATCH] In AS replies, set the key-expiration field to the minimum of account and password expiration time as specified in RFC 4120. Reported by Mary Cushion .
ticket: 2032
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24240 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/do_as_req.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 48a55e4c7..fa98ae3a0 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -88,6 +88,17 @@ prepare_error_as(struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *,
 krb5_principal, krb5_data **, const char *);
+/* Determine the key-expiration value according to RFC 4120 section 5.4.2. */
+static krb5_timestamp
+get_key_exp(krb5_db_entry *entry)
+{
+ if (entry->expiration == 0)
+ return entry->pw_expiration;
+ if (entry->pw_expiration == 0)
+ return entry->expiration;
+ return min(entry->expiration, entry->pw_expiration);
+}
+
 /*ARGSUSED*/
 krb5_error_code
 process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
@@ -541,7 +552,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 goto errout;
 }
 reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client->expiration;
+ reply_encpart.key_exp = get_key_exp(client);
 reply_encpart.flags = enc_tkt_reply.flags;
 reply_encpart.server = ticket_reply.server;
-- 
2.26.2
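Review bot: The comment above get_key_exp() cites the RFC but does not state the convention the two zero checks rely on: the code treats 0 in either field as "no expiration", and without those checks min() would return 0 whenever only one limit is set. I would spell that out, e.g. `/* Return the earlier of account and password expiration for the key-expiration field (RFC 4120 section 5.4.2); a value of 0 means "never" and is ignored unless both are 0. */`. Separately, min() compares the two values with whatever signedness krb5_timestamp has; its definition is outside this hunk, but if it is a signed 32-bit type a wrapped post-2038 value would compare as the earlier one, so it is worth confirming how other timestamp comparisons in the KDC handle that. The diffstat shows only do_as_req.c changed, so a regression test covering the four zero/non-zero combinations would be a useful follow-up.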