Commit
b0661f9176f5eb2644ba459e1b1e87d3dd502174 removed the starttime
hack in the EncTicketPart decoder. Take this into account when
computing the old lifetime of a ticket we are renewing. Without this
fix, we compute an old lifetime equal to the ticket end time, add that
to the current KDC time, and issue a ticket with a negative end time
due to wraparound. Add a simple test to t_renew.py to detect this by
making sure that a renewed ticket is usable.
This bug appeared only on master and not as part of any release, so
there is no associated ticket.
}
if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
+ krb5_timestamp old_starttime;
krb5_deltat old_life;
assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
enc_tkt_reply = *(header_ticket->enc_part2);
enc_tkt_reply.authorization_data = NULL;
- old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
+ old_starttime = enc_tkt_reply.times.starttime ?
+ enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime;
+ old_life = enc_tkt_reply.times.endtime - old_starttime;
enc_tkt_reply.times.starttime = kdc_time;
enc_tkt_reply.times.endtime =
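Review bot: The zero-starttime fallback on the added `old_starttime = ... ? ... : enc_tkt_reply.times.authtime;` lines carries no comment saying why a zero start time is legitimate, so a later cleanup could fold it back into the plain subtraction that produced the wrapped end time. I would add above it `/* starttime is optional in the ticket; when it is absent (zero) the ticket started at authtime. */`. Separately, `old_life` is still an unchecked signed subtraction that, per the commit message, is added to the KDC time; the `endtime =` assignment continues outside the hunk, so it is not visible whether the result is bounded. It may be worth confirming that a header ticket whose `endtime` is earlier than `old_starttime` cannot yield a negative lifetime.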
realm.kinit(realm.user_princ, flags=['-R'])
realm.klist(realm.user_princ)
+# Make sure we can use a renewed ticket.
+realm.run([kvno, realm.user_princ])
+
# Make sure we can't renew non-renewable tickets.
test('non-renewable', '1h', '1h', False)
out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1)
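Review bot: The added `realm.run([kvno, realm.user_princ])` check only proves that the renewed ticket is accepted. It never looks at the ticket's end time, so a renewed lifetime that is wrong but still in the future would pass. The comment should name the regression it guards, for example `# Make sure we can use a renewed ticket (a wrapped, negative end time makes it unusable).`. If the output of the `realm.klist` call just above is usable for this, comparing the renewed end time against the expected lifetime would make the test fail on the miscalculation itself rather than on its side effect.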