diff options
author | Greg Hudson <ghudson@mit.edu> | 2010-08-12 17:39:09 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-08-12 17:39:09 +0000 |
commit | 1c0791bb201ff274dbbf8aa644bfffc200f15f08 (patch) | |
tree | 83e2b940cd83844017638940a38b8a39cc596b70 /src/kdc/do_as_req.c | |
parent | 041f97cd56890b3d12945eb0cce6b126a9940e8c (diff) | |
download | krb5-1c0791bb201ff274dbbf8aa644bfffc200f15f08.tar.gz krb5-1c0791bb201ff274dbbf8aa644bfffc200f15f08.tar.xz krb5-1c0791bb201ff274dbbf8aa644bfffc200f15f08.zip |
In AS replies, set the key-expiration field to the minimum of account
and password expiration time as specified in RFC 4120. Reported by
Mary Cushion <mary@eiger.demon.co.uk>.
ticket: 2032
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24240 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/do_as_req.c')
-rw-r--r-- | src/kdc/do_as_req.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 48a55e4c71..fa98ae3a0d 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -88,6 +88,17 @@ prepare_error_as(struct kdc_request_state *, krb5_kdc_req *, int, krb5_data *, krb5_principal, krb5_data **, const char *); +/* Determine the key-expiration value according to RFC 4120 section 5.4.2. */ +static krb5_timestamp +get_key_exp(krb5_db_entry *entry) +{ + if (entry->expiration == 0) + return entry->pw_expiration; + if (entry->pw_expiration == 0) + return entry->expiration; + return min(entry->expiration, entry->pw_expiration); +} + /*ARGSUSED*/ krb5_error_code process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, @@ -541,7 +552,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } reply_encpart.nonce = request->nonce; - reply_encpart.key_exp = client->expiration; + reply_encpart.key_exp = get_key_exp(client); reply_encpart.flags = enc_tkt_reply.flags; reply_encpart.server = ticket_reply.server; |