58 if ( 59 ((req.reqBody.addresses != null && rep.encKDCRepPart.caddr != null) && 60 !req.reqBody.addresses.equals(rep.encKDCRepPart.caddr))) { 61 rep.encKDCRepPart.key.destroy(); 62 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 63 } 64 65 // We allow KDC to return a non-forwardable ticket if request has -f 66 for (int i = 2; i < 6; i++) { 67 if (req.reqBody.kdcOptions.get(i) != 68 rep.encKDCRepPart.flags.get(i)) { 69 if (Krb5.DEBUG) { 70 System.out.println("> KrbKdcRep.check: at #" + i 71 + ". request for " + req.reqBody.kdcOptions.get(i) 72 + ", received " + rep.encKDCRepPart.flags.get(i)); 73 } 74 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 75 } 76 } 77 78 // XXX Can renew a ticket but not ask for a renewable renewed ticket 79 // See impl of Credentials.renew(). 80 if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) != 81 rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) { 82 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 83 } 84 if ((req.reqBody.from == null) || req.reqBody.from.isZero()) 85 // verify this is allowed 86 if ((rep.encKDCRepPart.starttime != null) && 87 !rep.encKDCRepPart.starttime.inClockSkew()) { 88 rep.encKDCRepPart.key.destroy(); 89 throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW); 90 } 91 92 if ((req.reqBody.from != null) && !req.reqBody.from.isZero()) 93 // verify this is allowed 94 if ((rep.encKDCRepPart.starttime != null) && 95 !req.reqBody.from.equals(rep.encKDCRepPart.starttime)) { 96 rep.encKDCRepPart.key.destroy(); 97 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 98 } 99 100 if (!req.reqBody.till.isZero() && 101 rep.encKDCRepPart.endtime.greaterThan(req.reqBody.till)) { | 58 if ( 59 ((req.reqBody.addresses != null && rep.encKDCRepPart.caddr != null) && 60 !req.reqBody.addresses.equals(rep.encKDCRepPart.caddr))) { 61 rep.encKDCRepPart.key.destroy(); 62 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 63 } 64 65 // We allow KDC to return a non-forwardable ticket if request has -f 66 for (int 
i = 2; i < 6; i++) { 67 if (req.reqBody.kdcOptions.get(i) != 68 rep.encKDCRepPart.flags.get(i)) { 69 if (Krb5.DEBUG) { 70 System.out.println("> KrbKdcRep.check: at #" + i 71 + ". request for " + req.reqBody.kdcOptions.get(i) 72 + ", received " + rep.encKDCRepPart.flags.get(i)); 73 } 74 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 75 } 76 } 77 78 // Reply to a renewable request should be renewable, but if request does 79 // not contain renewable, KDC is free to issue a renewable ticket (for 80 // example, if ticket_lifetime is too big). 81 if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) && 82 !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) { 83 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 84 } 85 if ((req.reqBody.from == null) || req.reqBody.from.isZero()) 86 // verify this is allowed 87 if ((rep.encKDCRepPart.starttime != null) && 88 !rep.encKDCRepPart.starttime.inClockSkew()) { 89 rep.encKDCRepPart.key.destroy(); 90 throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW); 91 } 92 93 if ((req.reqBody.from != null) && !req.reqBody.from.isZero()) 94 // verify this is allowed 95 if ((rep.encKDCRepPart.starttime != null) && 96 !req.reqBody.from.equals(rep.encKDCRepPart.starttime)) { 97 rep.encKDCRepPart.key.destroy(); 98 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); 99 } 100 101 if (!req.reqBody.till.isZero() && 102 rep.encKDCRepPart.endtime.greaterThan(req.reqBody.till)) { |
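Review bot: The relaxed RENEWABLE check (new lines 81-84) throws `KRB_AP_ERR_MODIFIED` without first calling `rep.encKDCRepPart.key.destroy()`, unlike the address and starttime checks around it, which destroy the key before rejecting the reply. The flag loop at lines 66-76 has the same gap. Whether a caller cleans up is not visible here, so the decrypted session key presumably stays live on these two rejection paths; I would add `rep.encKDCRepPart.key.destroy();` immediately before both throws. The renewable branch could also emit a `Krb5.DEBUG` line like the loop does, so a rejected reply can be diagnosed from logs. The enclosing method starts and ends outside the lines shown.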