if (decryption_error() or (req.cname != resp.cname) or (req.realm != resp.crealm) or (req.sname != resp.sname) or (req.realm != resp.realm) or (req.nonce != resp.nonce) or (req.addresses != resp.caddr)) then destroy resp.key; return KRB_AP_ERR_MODIFIED; endif /* make sure no flags are set that shouldn't be, and that */ /* all that should be are set */ if (!check_flags_for_compatability(req.kdc-options,resp.flags)) then destroy resp.key; return KRB_AP_ERR_MODIFIED; endif if ((req.from = 0) and (resp.starttime is not within allowable skew)) then destroy resp.key; return KRB_AP_ERR_SKEW; endif if ((req.from != 0) and (req.from != resp.starttime)) then destroy resp.key; return KRB_AP_ERR_MODIFIED; endif if ((req.till != 0) and (resp.endtime > req.till)) then destroy resp.key; return KRB_AP_ERR_MODIFIED; endif if ((req.kdc-options.RENEWABLE is set) and (req.rtime != 0) and (resp.renew-till > req.rtime)) then destroy resp.key; return KRB_AP_ERR_MODIFIED; endif if ((req.kdc-options.RENEWABLE-OK is set) and (resp.flags.RENEWABLE) and (req.till != 0) and (resp.renew-till > req.till)) then destroy resp.key; return KRB_AP_ERR_MODIFIED; endif