From b6d830c1c9306220b86f35965ec859da82be6820 Mon Sep 17 00:00:00 2001
From: Russ Allbery <eagle@eyrie.org>
Date: Wed, 25 Nov 2015 14:42:24 -0800
Subject: [PATCH] Correctly honor WebKdcTokenMaxTTL for request tokens

---
 modules/webkdc/mod_webkdc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/webkdc/mod_webkdc.c b/modules/webkdc/mod_webkdc.c
index e570961d..0ecde8fe 100644
--- a/modules/webkdc/mod_webkdc.c
+++ b/modules/webkdc/mod_webkdc.c
@@ -990,9 +990,11 @@ parse_request_token(MWK_REQ_CTXT *rc, const char *token,
     /* Copy the token and do some additional checks. */
     *rt = &data->token.request;
     expiration = (*rt)->creation + rc->sconf->token_max_ttl;
-    if (expiration < time(NULL))
+    if (expiration < time(NULL)) {
         set_errorResponse(rc, WA_PEC_REQUEST_TOKEN_STALE,
                           "request token was stale", mwk_func, false);
+        return MWK_ERROR;
+    }
     return MWK_OK;
 }