Connected: An Internet Encyclopedia
A.3. KRB_AS_REP verification

Up: RFC 1510
Up: A. Pseudo-code for protocol processing

A.3. KRB_AS_REP verification

        decode response into resp;

        if (resp.msg-type = KRB_ERROR) then
                if(error = KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP))
                        then set pa_enc_timestamp_required;
                        goto KRB_AS_REQ;
                endif
                process_error(resp);
                return;
        endif

        /* On error, discard the response, and zero the session key */
        /* from the response immediately */

        key = get_decryption_key(resp.enc-part.kvno, resp.enc-part.etype,
                                 resp.padata);
        unencrypted part of resp := decode of decrypt of resp.enc-part
                                using resp.enc-part.etype and key;
        zero(key);

        if (common_as_rep_tgs_rep_checks fail) then
                destroy resp.key;
                return error;
        endif

        if near(resp.princ_exp) then
                print(warning message);
        endif
        save_for_later(ticket,session,client,server,times,flags);
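
An added example, not part of RFC 1510 or of any Kerberos implementation: a C sketch of the client-side flow above with the key-wiping steps made explicit. The struct layout, the XOR `toy_decrypt`, the nonce-only comparison standing in for `common_as_rep_tgs_rep_checks`, and the single-retry guard on `KDC_ERR_PREAUTH_REQUIRED` are assumptions of this sketch.

```c
#include <stdint.h>
#include <string.h>

enum { KRB_AS_REP = 11, KRB_ERROR = 30, KDC_ERR_PREAUTH_REQUIRED = 25 };
enum as_result { AS_OK, AS_RETRY_WITH_PREAUTH, AS_KDC_ERROR, AS_CHECK_FAILED };
/* Hypothetical decoded reply; this layout is an assumption of the sketch. */
struct as_rep {
    int msg_type, error_code;
    uint8_t enc_part[20];     /* toy ciphertext: session key (16) + nonce (4) */
    uint8_t session_key[16];  /* filled in after decryption */
};
/* zero(): write through a volatile pointer so the wipe is not optimised out. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}
/* Toy stand-in for the etype's real decryption: XOR with the repeating key. */
static void toy_decrypt(const uint8_t *in, size_t n, const uint8_t *key, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i % 16];
}
/* Handle one reply. key is the caller's copy of the long-term key. */
enum as_result verify_as_rep(struct as_rep *r, uint8_t key[16],
                             uint32_t sent_nonce, int preauth_sent) {
    if (r->msg_type == KRB_ERROR) {
        /* Added guard: retry with PA_ENC_TIMESTAMP once, then give up. */
        if (r->error_code == KDC_ERR_PREAUTH_REQUIRED && !preauth_sent)
            return AS_RETRY_WITH_PREAUTH;
        return AS_KDC_ERROR;
    }
    uint8_t plain[20];
    toy_decrypt(r->enc_part, sizeof plain, key, plain);
    secure_zero(key, 16);                      /* zero(key) */
    memcpy(r->session_key, plain, 16);
    uint32_t nonce;
    memcpy(&nonce, plain + 16, sizeof nonce);
    secure_zero(plain, sizeof plain);          /* plaintext copy held the key too */
    /* Stand-in for common_as_rep_tgs_rep_checks: nonce comparison only. */
    if (nonce != sent_nonce) {
        secure_zero(r->session_key, sizeof r->session_key);  /* destroy resp.key */
        return AS_CHECK_FAILED;
    }
    return AS_OK;
}

int main(void) {  /* constructed reply whose nonce cannot match: expect a wipe */
    uint8_t key[16] = {0x5a};
    struct as_rep r = { .msg_type = KRB_AS_REP };
    return verify_as_rep(&r, key, 1, 0) == AS_CHECK_FAILED ? 0 : 1;
}
```

On the error path the long-term key is left intact, since the caller still needs it to build the PA_ENC_TIMESTAMP retry.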

