* get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime of tickets whose request options included KDC_OPT_RENEWABLE_OK if those options did not also include KDC_OPT_RENEWABLE. Otherwise verify_as_reply() will fail for all renewable tickets

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15524 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 8 insertions, 0 deletions

diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 531a378d4..23ea95209 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,10 @@
+2003-05-30  Alexandra Ellwood <lxs@mit.edu>
+
+	* get_in_tkt.c: (verify_as_reply) Only check the renewable lifetime
+	of tickets whose request options included KDC_OPT_RENEWABLE_OK
+	if those options did not also include KDC_OPT_RENEWABLE.   Otherwise 
+	verify_as_reply() will fail for all renewable tickets.
+
 2003-05-27  Ken Raeburn  <raeburn@mit.edu>
 
 	* conv_creds.c: Enable support on Windows always.
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 44f887afd..c49752c95 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -262,6 +262,7 @@ verify_as_reply(krb5_context 		context,
 	    (request->rtime != 0) &&
 	    (as_reply->enc_part2->times.renew_till > request->rtime))
 	|| ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+	    !(request->kdc_options & KDC_OPT_RENEWABLE) &&
 	    (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
 	    (request->till != 0) &&
 	    (as_reply->enc_part2->times.renew_till > request->till))