receive packet; if (packet.pvno != 5) then either process using other protocol spec or error_out(KRB_AP_ERR_BADVERSION); endif if (packet.msg-type != KRB_AP_REQ) then error_out(KRB_AP_ERR_MSG_TYPE); endif if (packet.ticket.tkt_vno != 5) then either process using other protocol spec or error_out(KRB_AP_ERR_BADVERSION); endif if (packet.ap_options.USE-SESSION-KEY is set) then retrieve session key from ticket-granting ticket for packet.ticket.{sname,srealm,enc-part.etype}; else retrieve service key for packet.ticket.{sname,srealm,enc-part.etype,enc-part.skvno}; endif if (no_key_available) then if (cannot_find_specified_skvno) then error_out(KRB_AP_ERR_BADKEYVER); else error_out(KRB_AP_ERR_NOKEY); endif endif decrypt packet.ticket.enc-part into decr_ticket using retrieved key; if (decryption_error()) then error_out(KRB_AP_ERR_BAD_INTEGRITY); endif decrypt packet.authenticator into decr_authenticator using decr_ticket.key; if (decryption_error()) then error_out(KRB_AP_ERR_BAD_INTEGRITY); endif if (decr_authenticator.{cname,crealm} != decr_ticket.{cname,crealm}) then error_out(KRB_AP_ERR_BADMATCH); endif if (decr_ticket.caddr is present) then if (sender_address(packet) is not in decr_ticket.caddr) then error_out(KRB_AP_ERR_BADADDR); endif elseif (application requires addresses) then error_out(KRB_AP_ERR_BADADDR); endif if (not in_clock_skew(decr_authenticator.ctime, decr_authenticator.cusec)) then error_out(KRB_AP_ERR_SKEW); endif if (repeated(decr_authenticator.{ctime,cusec,cname,crealm})) then error_out(KRB_AP_ERR_REPEAT); endif save_identifier(decr_authenticator.{ctime,cusec,cname,crealm}); get system_time; if ((decr_ticket.starttime-system_time > CLOCK_SKEW) or (decr_ticket.flags.INVALID is set)) then /* it hasn't yet become valid */ error_out(KRB_AP_ERR_TKT_NYV); endif if (system_time-decr_ticket.endtime > CLOCK_SKEW) then error_out(KRB_AP_ERR_TKT_EXPIRED); endif /* caller must check decr_ticket.flags for any pertinent */ /* details */ return(OK, decr_ticket, packet.ap_options.MUTUAL-REQUIRED);