kdc: Return NEVER_VALID error code if ticket will never be valid

This matches the error generated by Windows. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-14 11:47:08 +12:00
parent baf1930b6a
commit 597b59dfb7
1 changed files with 7 additions and 0 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2536,6 +2536,13 @@ _kdc_as_rep(astgs_request_t r)
 	t = min(t, rk_time_add(start, realm->max_life));
 #endif
 	r->et.endtime = t;
+
+	if (start > r->et.endtime) {
+	    _kdc_set_e_text(r, "Requested effective lifetime is negative or too short");
+	    ret = KRB5KDC_ERR_NEVER_VALID;
+	    goto out;
+	}
+
 	if(f.renewable_ok && r->et.endtime < *b->till){
 	    f.renewable = 1;
 	    if(b->rtime == NULL){