You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "spark shen (JIRA)" <ji...@apache.org> on 2007/12/07 06:38:43 UTC
[jira] Created: (DIRSERVER-1108)
[kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption
decryption function is not complete
[kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
------------------------------------------------------------------------------------------------------------------------------------
Key: DIRSERVER-1108
URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
Project: Directory ApacheDS
Issue Type: Bug
Components: kerberos
Reporter: spark shen
According RFC 4757, ArcFourHmacMd5Encryption has the decryption algorithm as below:
+++++ cite +++++
DECRYPT (K, export, T, edata)
{
// edata looks like
struct EDATA {
struct HEADER {
OCTET Checksum[16];
OCTET Confounder[8];
} Header;
OCTET Data[0];
} edata;
if (export){
*((DWORD *)(L40+10)) = T;
HMAC (K, L40, 14, K1);
}
else
{
HMAC (K, &T, 4, K1);
}
memcpy (K2, K1, 16);
if (export) memset (K1+7, 0xAB, 9);
K3 = HMAC (K1, edata.Checksum);
RC4 (K3, edata.Confounder);
RC4 (K3, edata.Data);
// verify generated and received checksums
checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
if (checksum != edata.Checksum)
printf("CHECKSUM ERROR !!!!!!\n");
}
+++++ cite +++++
Current implementation is apparently not complete:
+++++ cite from bigbang +++++
public byte[] getDecryptedData( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
{
return data.getCipher();
}
+++++ cite from bigbang +++++
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Re: [jira] Created: (DIRSERVER-1108) [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
Posted by Enrique Rodriguez <en...@gmail.com>.
FYI, I marked this issue as duplicating the much-earlier
DIRSERVER-156, which we had been using to track RC4-HMAC encryption
support.
https://issues.apache.org/jira/browse/DIRSERVER-156
"ArcFour" is aka RC4.
Enrique
On Dec 6, 2007 9:38 PM, spark shen (JIRA) <ji...@apache.org> wrote:
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-1108
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: spark shen
>
[jira] Updated: (DIRSERVER-1108)
[kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption
decryption function is not complete
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-1108:
-----------------------------------------
Attachment: (was: rc4_hmac_decrypt.diff)
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-1108
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: spark shen
> Assignee: Emmanuel Lecharny
>
> According RFC 4757, ArcFourHmacMd5Encryption has the decryption algorithm as below:
> +++++ cite +++++
> DECRYPT (K, export, T, edata)
> {
> // edata looks like
> struct EDATA {
> struct HEADER {
> OCTET Checksum[16];
> OCTET Confounder[8];
> } Header;
> OCTET Data[0];
> } edata;
> if (export){
> *((DWORD *)(L40+10)) = T;
> HMAC (K, L40, 14, K1);
> }
> else
> {
> HMAC (K, &T, 4, K1);
> }
> memcpy (K2, K1, 16);
> if (export) memset (K1+7, 0xAB, 9);
> K3 = HMAC (K1, edata.Checksum);
> RC4 (K3, edata.Confounder);
> RC4 (K3, edata.Data);
> // verify generated and received checksums
> checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
> if (checksum != edata.Checksum)
> printf("CHECKSUM ERROR !!!!!!\n");
> }
> +++++ cite +++++
> Current implementation is apparently not complete:
> +++++ cite from bigbang +++++
> public byte[] getDecryptedData( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
> {
> return data.getCipher();
> }
> +++++ cite from bigbang +++++
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-1108)
[kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption
decryption function is not complete
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-1108:
-----------------------------------------
Fix Version/s: 2.0.0
I don't know if the emoved patch has been reworked by the Geronimo team. Until then postponed to 2.0
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-1108
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: spark shen
> Assignee: Emmanuel Lecharny
> Fix For: 2.0.0
>
>
> According RFC 4757, ArcFourHmacMd5Encryption has the decryption algorithm as below:
> +++++ cite +++++
> DECRYPT (K, export, T, edata)
> {
> // edata looks like
> struct EDATA {
> struct HEADER {
> OCTET Checksum[16];
> OCTET Confounder[8];
> } Header;
> OCTET Data[0];
> } edata;
> if (export){
> *((DWORD *)(L40+10)) = T;
> HMAC (K, L40, 14, K1);
> }
> else
> {
> HMAC (K, &T, 4, K1);
> }
> memcpy (K2, K1, 16);
> if (export) memset (K1+7, 0xAB, 9);
> K3 = HMAC (K1, edata.Checksum);
> RC4 (K3, edata.Confounder);
> RC4 (K3, edata.Data);
> // verify generated and received checksums
> checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
> if (checksum != edata.Checksum)
> printf("CHECKSUM ERROR !!!!!!\n");
> }
> +++++ cite +++++
> Current implementation is apparently not complete:
> +++++ cite from bigbang +++++
> public byte[] getDecryptedData( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
> {
> return data.getCipher();
> }
> +++++ cite from bigbang +++++
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DIRSERVER-1108)
[kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption
decryption function is not complete
Posted by "spark shen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
spark shen updated DIRSERVER-1108:
----------------------------------
Attachment: rc4_hmac_decrypt.diff
This patch tries to provide a complete implementation for rc4-hmac decrypt function. I will provide a stand alone test case later. I generated client request using SUN's jdk - JGSS framework - as below:
byte[] rc4_hmac = new byte[] {
// 96, -126, 1, -59, 6, 9, 42, -122, 72,
// -122, -9, 18, 1, 2, 2, 1, 0,
110, -126, 1, -76, 48, -126, 1,
-80, -96, 3, 2, 1, 5, -95, 3, 2, 1, 14, -94, 7, 3, 5, 0, 32, 0,
0, 0, -93, -127, -23, 97, -127, -26, 48, -127, -29, -96, 3, 2,
1, 5, -95, 13, 27, 11, 69, 88, 65, 77, 80, 76, 69, 46, 67, 79,
77, -94, 39, 48, 37, -96, 3, 2, 1, 0, -95, 30, 48, 28, 27, 11,
115, 101, 114, 118, 105, 99, 101, 116, 101, 115, 116, 27, 13,
57, 46, 49, 56, 49, 46, 49, 48, 54, 46, 50, 51, 54, -93, -127,
-93, 48, -127, -96, -96, 3, 2, 1, 23, -95, 3, 2, 1, 1, -94,
-127, -109, 4, -127, -112, -79, 89, -128, 91, 41, -62, -39, 90,
-102, 77, 48, -103, 70, -1, -46, -77, 98, 31, -89, -35, 76,
-93, 10, -117, 80, 85, -117, 26, -109, 24, 60, -23, 106, 0, 19,
-39, -9, -6, 87, -62, 91, -112, 87, 93, 98, 112, 79, -56, -26,
-106, 28, 39, -39, -86, -93, -113, 87, -11, -51, -58, 119, 95,
-113, 102, 32, 80, 118, -85, 20, -123, 2, 53, 20, 62, -75, 66,
-31, -105, 71, 121, -67, 48, 37, 86, 43, -52, -112, -87, -28,
31, -49, 44, -67, -37, 125, 75, -127, -46, 81, 117, -85, -93,
22, -64, 3, -121, -70, 84, -102, 123, -54, 126, 5, -69, -69,
62, -19, -106, 1, -117, -25, 26, 113, -97, -30, 125, 25, -40,
124, -45, -81, 20, -5, 44, -100, 0, 73, 1, 120, -29, 65, 7,
-86, -85, -92, -127, -82, 48, -127, -85, -96, 3, 2, 1, 1, -94,
-127, -93, 4, -127, -96, 127, -91, -38, -60, -111, -18, -49,
-35, -80, 32, 59, 83, 125, -50, 15, -4, 96, -11, -13, -12, 43,
-73, -16, 38, -37, 24, -89, 33, -29, 15, 11, -94, 16, -51, 16,
-16, -78, 57, 95, -118, -21, 64, -79, -7, 15, 23, -97, 115,
-13, -127, -6, 33, 33, 48, -10, -97, -95, -45, 28, -10, -112,
-85, -68, -40, -43, -35, 3, 13, -118, -23, -42, -103, 54, -3,
98, -91, 1, 81, -33, 41, 116, 33, 45, 56, 13, -54, 111, 16, -1,
65, -23, 124, -7, 32, -112, 112, -90, -66, -3, -38, 113, -24,
126, -117, -74, -70, -91, 58, 48, -88, -112, 28, 56, -6, 59,
119, -3, 50, 41, 74, 114, -30, -67, 5, 89, -60, -37, -70, 121,
2, 120, -71, 3, 124, 88, 32, -6, 67, -77, 109, 114, -100, 11,
-27, -91, -36, -109, -19, 37, 110, 42, -70, 31, 12, -9, -30,
-32, -103, 91, -58 };
And using this implementation, kerberos module can now decode this request successfully.
Would any committer take a look? BTW this patch is against
https://svn.apache.org/repos/asf/directory/apacheds/branches/bigbang/kerberos-shared/src/main/java/org/apache/directory/
Thanks in advance.
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-1108
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: spark shen
> Attachments: rc4_hmac_decrypt.diff
>
>
> According RFC 4757, ArcFourHmacMd5Encryption has the decryption algorithm as below:
> +++++ cite +++++
> DECRYPT (K, export, T, edata)
> {
> // edata looks like
> struct EDATA {
> struct HEADER {
> OCTET Checksum[16];
> OCTET Confounder[8];
> } Header;
> OCTET Data[0];
> } edata;
> if (export){
> *((DWORD *)(L40+10)) = T;
> HMAC (K, L40, 14, K1);
> }
> else
> {
> HMAC (K, &T, 4, K1);
> }
> memcpy (K2, K1, 16);
> if (export) memset (K1+7, 0xAB, 9);
> K3 = HMAC (K1, edata.Checksum);
> RC4 (K3, edata.Confounder);
> RC4 (K3, edata.Data);
> // verify generated and received checksums
> checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
> if (checksum != edata.Checksum)
> printf("CHECKSUM ERROR !!!!!!\n");
> }
> +++++ cite +++++
> Current implementation is apparently not complete:
> +++++ cite from bigbang +++++
> public byte[] getDecryptedData( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
> {
> return data.getCipher();
> }
> +++++ cite from bigbang +++++
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Assigned: (DIRSERVER-1108)
[kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption
decryption function is not complete
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny reassigned DIRSERVER-1108:
--------------------------------------------
Assignee: Emmanuel Lecharny
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-1108
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: spark shen
> Assignee: Emmanuel Lecharny
>
> According RFC 4757, ArcFourHmacMd5Encryption has the decryption algorithm as below:
> +++++ cite +++++
> DECRYPT (K, export, T, edata)
> {
> // edata looks like
> struct EDATA {
> struct HEADER {
> OCTET Checksum[16];
> OCTET Confounder[8];
> } Header;
> OCTET Data[0];
> } edata;
> if (export){
> *((DWORD *)(L40+10)) = T;
> HMAC (K, L40, 14, K1);
> }
> else
> {
> HMAC (K, &T, 4, K1);
> }
> memcpy (K2, K1, 16);
> if (export) memset (K1+7, 0xAB, 9);
> K3 = HMAC (K1, edata.Checksum);
> RC4 (K3, edata.Confounder);
> RC4 (K3, edata.Data);
> // verify generated and received checksums
> checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
> if (checksum != edata.Checksum)
> printf("CHECKSUM ERROR !!!!!!\n");
> }
> +++++ cite +++++
> Current implementation is apparently not complete:
> +++++ cite from bigbang +++++
> public byte[] getDecryptedData( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
> {
> return data.getCipher();
> }
> +++++ cite from bigbang +++++
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (DIRSERVER-1108)
[kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption
decryption function is not complete
Posted by "Emmanuel Lecharny (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRSERVER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12550664 ]
Emmanuel Lecharny commented on DIRSERVER-1108:
----------------------------------------------
Removed the attachement, which seems too close to some Sun code. The issue remains, but we are expecting some genuine code.
> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DIRSERVER-1108
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: kerberos
> Reporter: spark shen
> Assignee: Emmanuel Lecharny
>
> According RFC 4757, ArcFourHmacMd5Encryption has the decryption algorithm as below:
> +++++ cite +++++
> DECRYPT (K, export, T, edata)
> {
> // edata looks like
> struct EDATA {
> struct HEADER {
> OCTET Checksum[16];
> OCTET Confounder[8];
> } Header;
> OCTET Data[0];
> } edata;
> if (export){
> *((DWORD *)(L40+10)) = T;
> HMAC (K, L40, 14, K1);
> }
> else
> {
> HMAC (K, &T, 4, K1);
> }
> memcpy (K2, K1, 16);
> if (export) memset (K1+7, 0xAB, 9);
> K3 = HMAC (K1, edata.Checksum);
> RC4 (K3, edata.Confounder);
> RC4 (K3, edata.Data);
> // verify generated and received checksums
> checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
> if (checksum != edata.Checksum)
> printf("CHECKSUM ERROR !!!!!!\n");
> }
> +++++ cite +++++
> Current implementation is apparently not complete:
> +++++ cite from bigbang +++++
> public byte[] getDecryptedData( EncryptionKey key, EncryptedData data, KeyUsage usage ) throws KerberosException
> {
> return data.getCipher();
> }
> +++++ cite from bigbang +++++
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.