From c9038861a1610a78c6800ea15253f2e991d15091 Mon Sep 17 00:00:00 2001
From: Sam Hartman <hartmans@mit.edu>
Date: Fri, 6 Jun 2003 19:30:40 +0000
Subject: [PATCH] Don't allow renewable_ok to be set if the renew liftime is
 greater than the ticket lifetime.

Ticket: 1576
Tags: pullup
Status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15590 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/krb/ChangeLog    | 5 +++++
 src/lib/krb5/krb/get_in_tkt.c | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index c554cea82..a0106c0d9 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,8 @@
+2003-06-06  Sam Hartman  <hartmans@mit.edu>
+
+	* get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the
+	request is for a renewable ticket with rtime greater than till 
+
 2003-06-06  Ezra Peisach  <epeisach@mit.edu>
 
 	* mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2f6c257a2..df5ebaf71 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -877,6 +877,8 @@ krb5_get_init_creds(krb5_context context,
     if (renew_life > 0) {
 	request.rtime = request.from;
 	request.rtime += renew_life;
+	if (request.rtime >= request.till)
+	    request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
     } else {
 	request.rtime = 0;
     }
-- 
2.26.2