Don't allow renewable_ok to be set if the renew liftime is greater

than the ticket lifetime.

Ticket: 1576
Tags: pullup
Status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15590 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 7 insertions, 0 deletions

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index c554cea825..a0106c0d98 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,8 @@
+2003-06-06  Sam Hartman  <hartmans@mit.edu>
+
+	* get_in_tkt.c (krb5_get_init_creds): Mask out renewable_ok if the
+	request is for a renewable ticket with rtime greater than till 
+
 2003-06-06  Ezra Peisach  <epeisach@mit.edu>
 
 	* mk_req_ext.c (krb5_generate_authenticator): Sequence numbers are
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2f6c257a25..df5ebaf711 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -877,6 +877,8 @@ krb5_get_init_creds(krb5_context context,
     if (renew_life > 0) {
 	request.rtime = request.from;
 	request.rtime += renew_life;
+	if (request.rtime >= request.till)
+	    request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
     } else {
 	request.rtime = 0;
     }