Posted to commits@directory.apache.org by co...@apache.org on 2017/07/21 15:03:24 UTC
[07/18] directory-kerby git commit: DIRKRB-568 - Using RFC 4121
tokens in KerbyContext. Thanks to Wei Zhou.
DIRKRB-568 - Using RFC 4121 tokens in KerbyContext. Thanks to Wei Zhou.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/706b85e3
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/706b85e3
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/706b85e3
Branch: refs/heads/trunk
Commit: 706b85e3dd943b8832815828534210b2c4a70789
Parents: 8618cae
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Jul 21 14:55:32 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 14:55:32 2017 +0100
----------------------------------------------------------------------
.../apache/kerby/kerberos/kerb/request/ApRequest.java | 11 +++++++----
.../kerby/kerberos/kerb/gssapi/KerbyMechFactory.java | 9 ++++-----
2 files changed, 11 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/706b85e3/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 096b0de..44f5b47 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -89,8 +89,11 @@ public class ApRequest {
authenticator.setAuthenticatorVno(5);
authenticator.setCname(clientPrincipal);
authenticator.setCrealm(sgtTicket.getRealm());
- authenticator.setCtime(KerberosTime.now());
- authenticator.setCusec(0);
+ long millis = System.currentTimeMillis();
+ int usec = (int) (millis % 1000) * 1000;
+ millis -= millis % 1000;
+ authenticator.setCtime(new KerberosTime(millis));
+ authenticator.setCusec(usec);
authenticator.setSubKey(sgtTicket.getSessionKey());
return authenticator;
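Review bot: The new `cusec` can only take multiples of 1000 because it is derived from `System.currentTimeMillis()`, so two authenticators built for the same client within one millisecond still carry an identical (ctime, cusec) pair. If the accepting side keeps a replay cache keyed on those fields (not visible here), the second request would look like a replay. A comment above the computation would record the limit, e.g. `// cusec has millisecond resolution only; ctime is truncated to whole seconds to match`. The cast in `(int) (millis % 1000) * 1000` binds to the remainder before the multiply, which is correct but easy to misread; `(int) ((millis % 1000) * 1000)` reads more plainly. The enclosing method starts above the hunk.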
@@ -138,13 +141,13 @@ public class ApRequest {
}
if (timeSkew != 0) {
- if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+ if (!authenticator.getCtime().isInClockSkew(timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
}
KerberosTime now = KerberosTime.now();
KerberosTime startTime = tktEncPart.getStartTime();
- if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
+ if (startTime != null && !startTime.lessThanWithSkew(now, timeSkew)) {
throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
}
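Review bot: Both the clock-skew test and the not-yet-valid test sit inside `if (timeSkew != 0)`, so a caller that passes 0 gets no freshness check on the authenticator at all rather than a zero-tolerance check. If 0 is meant as "disabled", say so at the guard, e.g. `// timeSkew == 0 disables ctime and starttime validation`; if not, the guard should go. The corrected `isInClockSkew` condition reverses which authenticators are rejected, so a unit test with one ctime inside and one outside the skew window would pin it down. How `lessThanWithSkew` treats a start time exactly at the boundary is not visible here and is worth confirming against the previous `greaterThanWithSkew` behaviour. The enclosing block continues past the hunk.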
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/706b85e3/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
index a897c29..adacb27 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/KerbyMechFactory.java
@@ -20,6 +20,7 @@
package org.apache.kerby.kerberos.kerb.gssapi;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyAcceptCred;
+import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyContext;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyCredElement;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyInitCred;
import org.apache.kerby.kerberos.kerb.gssapi.krb5.KerbyNameElement;
@@ -90,9 +91,7 @@ public class KerbyMechFactory implements MechanismFactory {
if (myInitiatorCred == null) {
myInitiatorCred = getCredentialElement(null, lifetime, 0, GSSCredential.INITIATE_ONLY);
}
- return null;
- //For convenience of making patch, return null instead of introduce in KerbyContext
- //return new KerbyContext(caller, (KerbyNameElement)peer, (KerbyInitCred)myInitiatorCred, lifetime);
+ return new KerbyContext(caller, (KerbyNameElement) peer, (KerbyInitCred) myInitiatorCred, lifetime);
}
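Review bot: The casts `(KerbyNameElement) peer` and `(KerbyInitCred) myInitiatorCred` are unchecked in the lines shown, so an SPI element of another type would surface as a ClassCastException instead of a GSSException; the same applies to `(KerbyAcceptCred) myAcceptorCred` in the next hunk. The method starts above the hunk, so a conversion may already happen there. If it does not, an `instanceof` guard that throws `new GSSException(GSSException.FAILURE)` (or a more specific major code) before the constructor call would keep the failure inside the GSS error model.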
public GSSContextSpi getMechanismContext(GSSCredentialSpi myAcceptorCred)
@@ -101,13 +100,13 @@ public class KerbyMechFactory implements MechanismFactory {
myAcceptorCred = getCredentialElement(null, 0,
GSSCredential.INDEFINITE_LIFETIME, GSSCredential.ACCEPT_ONLY);
}
- return null; //return new KerbyContext(caller, (KerbyAcceptCred)myAcceptorCred);
+ return new KerbyContext(caller, (KerbyAcceptCred) myAcceptorCred);
}
// Reconstruct from previously exported context
public GSSContextSpi getMechanismContext(byte[] exportedContext)
throws GSSException {
- return null; //return new KerbyContext(caller, exportedContext);
+ return new KerbyContext(caller, exportedContext);
}
public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
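Review bot: `getMechanismContext(byte[] exportedContext)` now hands caller-supplied bytes straight to `new KerbyContext(caller, exportedContext)` with no null or empty check at this level, where it previously returned null. An exported security context normally carries key material and sequence state, so whatever parses it has to reject malformed input with a GSSException; whether KerbyContext does so is not visible in this diff. I would extend the existing comment to state the expectation, e.g. `// Reconstruct from previously exported context; bytes must originate from export() on a context of this mechanism`.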