
src/share/classes/sun/security/krb5/KrbKdcRep.java





  58         if (
  59             ((req.reqBody.addresses != null && rep.encKDCRepPart.caddr != null) &&
  60              !req.reqBody.addresses.equals(rep.encKDCRepPart.caddr))) {
  61             rep.encKDCRepPart.key.destroy();
  62             throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  63         }
  64 
  65         // We allow KDC to return a non-forwardable ticket if request has -f
  66         for (int i = 2; i < 6; i++) {
  67             if (req.reqBody.kdcOptions.get(i) !=
  68                    rep.encKDCRepPart.flags.get(i)) {
  69                 if (Krb5.DEBUG) {
  70                     System.out.println("> KrbKdcRep.check: at #" + i
  71                             + ". request for " + req.reqBody.kdcOptions.get(i)
  72                             + ", received " + rep.encKDCRepPart.flags.get(i));
  73                 }
  74                 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  75             }
  76         }
  77 
  78         // XXX Can renew a ticket but not ask for a renewable renewed ticket
  79         // See impl of Credentials.renew().
  80         if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) !=
  81             rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {

  82             throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  83         }
  84         if ((req.reqBody.from == null) || req.reqBody.from.isZero())
  85             // verify this is allowed
  86             if ((rep.encKDCRepPart.starttime != null) &&
  87                 !rep.encKDCRepPart.starttime.inClockSkew()) {
  88                 rep.encKDCRepPart.key.destroy();
  89                 throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
  90             }
  91 
  92         if ((req.reqBody.from != null) && !req.reqBody.from.isZero())
  93             // verify this is allowed
  94             if ((rep.encKDCRepPart.starttime != null) &&
  95                 !req.reqBody.from.equals(rep.encKDCRepPart.starttime)) {
  96                 rep.encKDCRepPart.key.destroy();
  97                 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  98             }
  99 
 100         if (!req.reqBody.till.isZero() &&
 101             rep.encKDCRepPart.endtime.greaterThan(req.reqBody.till)) {




  58         if (
  59             ((req.reqBody.addresses != null && rep.encKDCRepPart.caddr != null) &&
  60              !req.reqBody.addresses.equals(rep.encKDCRepPart.caddr))) {
  61             rep.encKDCRepPart.key.destroy();
  62             throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  63         }
  64 
  65         // We allow KDC to return a non-forwardable ticket if request has -f
  66         for (int i = 2; i < 6; i++) {
  67             if (req.reqBody.kdcOptions.get(i) !=
  68                    rep.encKDCRepPart.flags.get(i)) {
  69                 if (Krb5.DEBUG) {
  70                     System.out.println("> KrbKdcRep.check: at #" + i
  71                             + ". request for " + req.reqBody.kdcOptions.get(i)
  72                             + ", received " + rep.encKDCRepPart.flags.get(i));
  73                 }
  74                 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  75             }
  76         }
  77 
  78         // Reply to a renewable request should be renewable, but if request does
  79         // not contain renewable, KDC is free to issue a renewable ticket (for
  80         // example, if ticket_lifetime is too big).
  81         if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
  82                 !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
  83             throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  84         }
  85         if ((req.reqBody.from == null) || req.reqBody.from.isZero())
  86             // verify this is allowed
  87             if ((rep.encKDCRepPart.starttime != null) &&
  88                 !rep.encKDCRepPart.starttime.inClockSkew()) {
  89                 rep.encKDCRepPart.key.destroy();
  90                 throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
  91             }
  92 
  93         if ((req.reqBody.from != null) && !req.reqBody.from.isZero())
  94             // verify this is allowed
  95             if ((rep.encKDCRepPart.starttime != null) &&
  96                 !req.reqBody.from.equals(rep.encKDCRepPart.starttime)) {
  97                 rep.encKDCRepPart.key.destroy();
  98                 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
  99             }
 100 
 101         if (!req.reqBody.till.isZero() &&
 102             rep.encKDCRepPart.endtime.greaterThan(req.reqBody.till)) {
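Review bot: The renewable-mismatch branch in the second listing (lines 81-84) throws `KRB_AP_ERR_MODIFIED` without calling `rep.encKDCRepPart.key.destroy()`, unlike the address and starttime checks around it, so the session key from a reply that was just rejected as modified is left in memory. Adding `rep.encKDCRepPart.key.destroy();` before the `throw` would make the failure paths consistent; the flag loop at lines 66-76 has the same gap. Assuming the second listing is the new side (the page does not label the panes), the check now accepts a renewable ticket the client did not request, so a comment saying where the returned renew-till is validated would help, if it is checked at all. The enclosing method starts and ends outside this section.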

