[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

kerberos5.c check_tgs_flags problem

>From RFC1510 section 3.3.3. Generation of KRB_TGS_REP message
   If the request specifies an endtime, then the endtime of the new
   ticket is set to the minimum of (a) that request, (b) the endtime
   from the TGT, and (c) the starttime of the TGT plus the minimum of
   the maximum life for the application server and the maximum life for
   the local realm (the maximum life for the requesting principal was
   already applied when the TGT was issued).  If the new ticket is to be
   a renewal, then the endtime above is replaced by the minimum of (a)
   the value of the renew_till field of the ticket and (b) the starttime
   for the new ticket plus the life (endtimestarttime) of the old

In check_tgs_flags:
        time_t old_life;
        if(!tgt->flags.renewable || tgt->renew_till == NULL){
            kdc_log(0, "Request to renew non-renewable ticket");
            return KRB5KDC_ERR_BADOPTION;
        old_life = tgt->endtime;
            old_life -= *tgt->starttime;
            old_life -= tgt->authtime;
        et->endtime = min(*b->till, *et->starttime + old_life);

I think that last line should read:
et->endtime = min(*et->renew_till, *et->starttime + old_life);

(e.g. be pulled from *b->rtime)