Posted to commits@directory.apache.org by co...@apache.org on 2018/01/12 10:09:07 UTC
[1/2] directory-kerby git commit: DIRKRB-682 Fix checksum verify in
TgsRequest.
Repository: directory-kerby
Updated Branches:
refs/heads/1.1.x-fixes [created] 1296f52d8
DIRKRB-682 Fix checksum verify in TgsRequest.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/83c29335
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/83c29335
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/83c29335
Branch: refs/heads/1.1.x-fixes
Commit: 83c293359bc127583c1367cf4f1db294527eed56
Parents: c22be36
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Dec 27 15:40:21 2017 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jan 12 10:01:50 2018 +0000
----------------------------------------------------------------------
.../kerb/server/request/KdcRequest.java | 7 +++-
.../kerb/server/request/TgsRequest.java | 34 +++++++++++++-------
2 files changed, 29 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/83c29335/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index a88fb22..86f47e7 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -170,7 +170,6 @@ public abstract class KdcRequest {
public void process() throws KrbException {
checkVersion();
checkTgsEntry();
- kdcFindFast();
if (isPreauthRequired()) {
kdcFindFast();
}
@@ -232,11 +231,15 @@ public abstract class KdcRequest {
throw new KrbException(errMessage);
}
fastArmoredReq = paFxFastRequest.getFastArmoredReq();
+ if (fastArmoredReq == null) {
+ return;
+ }
KrbFastArmor fastArmor = fastArmoredReq.getArmor();
if (fastArmor == null) {
return;
}
+
try {
armorApRequest(fastArmor);
} catch (KrbException e) {
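Review bot: The added `if (fastArmoredReq == null) { return; }` returns without any trace, so a PA-FX-FAST element that carries no armored request is silently treated as if FAST was never offered. If that is the intended tolerance, a short comment saying so would help, and a log line such as `LOG.warn("FAST padata present but no armored request; ignoring.");` before the `return` would let an operator see malformed or stripped FAST data. The same applies to the existing `fastArmor == null` return just below it. The enclosing method starts and ends outside this hunk, so whether later code depends on the FAST state being set cannot be judged from here.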
@@ -293,6 +296,7 @@ public abstract class KdcRequest {
throw new KrbException(errMessage);
}
if (!success) {
+ LOG.error("Verify the KdcReqBody failed.");
throw new KrbException("Verify the KdcReqBody failed. ");
}
}
@@ -321,6 +325,7 @@ public abstract class KdcRequest {
EncryptionType encType = ticket.getEncryptedEncPart().getEType();
EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
if (ticket.getTktvno() != KrbConstant.KRB_V5) {
+ LOG.error(KrbErrorCode.KRB_AP_ERR_BADVERSION.getMessage());
throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/83c29335/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 24b53a8..7324b88 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -232,21 +232,33 @@ public class TgsRequest extends KdcRequest {
throw new KrbException(errMessage);
}
boolean success;
- try {
- if (authenticator.getSubKey() != null) {
+
+ switch (checkSum.getCksumtype()) {
+ case RSA_MD5_DES:
+ case RSA_MD4_DES:
+ case DES_MAC:
+ case DES_CBC:
+ case HMAC_SHA1_DES3:
+ case HMAC_SHA1_96_AES256:
+ case HMAC_SHA1_96_AES128:
+ case CMAC_CAMELLIA128:
+ case CMAC_CAMELLIA256:
+ case MD5_HMAC_ARCFOUR:
+ case HMAC_MD5_ARCFOUR:
success = CheckSumHandler.verifyWithKey(checkSum, reqBody,
- authenticator.getSubKey().getKeyData(), KeyUsage.TGS_REQ_AUTH_CKSUM);
- } else {
+ getTgtSessionKey().getKeyData(), KeyUsage.TGS_REQ_AUTH_CKSUM);
+ break;
+ case RSA_MD5:
+ case NIST_SHA:
+ case CRC32:
+ case RSA_MD4:
+ default:
success = CheckSumHandler.verify(checkSum, reqBody);
- }
-
- } catch (KrbException e) {
- String errMessage = "Verify the KdcReqBody failed. " + e.getMessage();
- LOG.error(errMessage);
- throw new KrbException(errMessage);
}
+
if (!success) {
- throw new KrbException("Verify the KdcReqBody failed. ");
+ LOG.error("Verify the KdcReqBody failed.");
+ throw new KrbException("Verify the KdcReqBody failed.");
}
}
}
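Review bot: The `default:` label shares the unkeyed `CheckSumHandler.verify(checkSum, reqBody)` branch with RSA_MD5, NIST_SHA, CRC32 and RSA_MD4, so any checksum type the switch does not list is verified without the TGT session key. The type is chosen by the requester, and RFC 4120 expects a keyed, collision-proof checksum over the request body here. Unknown types are therefore safer rejected: end the unkeyed cases with their own `break;` and use `default: throw new KrbException(KrbErrorCode.KRB_AP_ERR_INAPP_CKSUM);`, assuming the enum carries that RFC error code. Whether the four unkeyed types should still be accepted at all deserves a decision and a comment above those cases. With the try/catch removed, a KrbException thrown by either verify call now propagates without the earlier `LOG.error`; the method starts above the hunk.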
[2/2] directory-kerby git commit: DIRKRB-683 - Support "-q" (query)
option for the Kadmin script
Posted by co...@apache.org.
DIRKRB-683 - Support "-q" (query) option for the Kadmin script
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/1296f52d
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/1296f52d
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/1296f52d
Branch: refs/heads/1.1.x-fixes
Commit: 1296f52d81a291418b8dc1892e40ee26008b8f32
Parents: 83c2933
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jan 8 14:34:42 2018 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jan 12 10:03:40 2018 +0000
----------------------------------------------------------------------
kerby-dist/kdc-dist/bin/kadmin.sh | 5 +----
.../kerb/admin/kadmin/KadminOption.java | 1 +
.../kerby/kerberos/tool/kadmin/KadminTool.java | 22 +++++++++++++-------
3 files changed, 16 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1296f52d/kerby-dist/kdc-dist/bin/kadmin.sh
----------------------------------------------------------------------
diff --git a/kerby-dist/kdc-dist/bin/kadmin.sh b/kerby-dist/kdc-dist/bin/kadmin.sh
index 5769c2e..8e54b2b 100644
--- a/kerby-dist/kdc-dist/bin/kadmin.sh
+++ b/kerby-dist/kdc-dist/bin/kadmin.sh
@@ -17,16 +17,13 @@
# limitations under the License.
DEBUG=
-args=
for var in $*; do
if [ X"$var" = X"-D" ]; then
DEBUG="-Xdebug -Xrunjdwp:transport=dt_socket,address=8001,server=y,suspend=y"
- else
- args="$args $var"
fi
done
java $DEBUG \
-classpath target/lib/*:. \
-DKERBY_LOGFILE=kadmin \
-org.apache.kerby.kerberos.tool.kadmin.KadminTool $args
+org.apache.kerby.kerberos.tool.kadmin.KadminTool "$@"
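Review bot: `"$@"` now hands every argument to KadminTool, including the `-D` that the removed `else` branch used to filter out, so the Java option parser receives a flag meant only for this wrapper; whether KadminTool tolerates it is not visible here. The loop header is also still `for var in $*`, which re-splits arguments containing spaces even though the final call quotes them; `for var in "$@"; do` keeps the scan consistent with what is passed on. Because `-D` starts a JDWP listener on port 8001, a comment above that line such as `# -D opens a debugger port; use for local debugging only` would be a useful addition.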
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1296f52d/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/kadmin/KadminOption.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/kadmin/KadminOption.java b/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/kadmin/KadminOption.java
index f6caa87..b414436 100644
--- a/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/kadmin/KadminOption.java
+++ b/kerby-kerb/kerb-admin/src/main/java/org/apache/kerby/kerberos/kerb/admin/kadmin/KadminOption.java
@@ -37,6 +37,7 @@ public enum KadminOption implements KOption {
KEYSALTLIST(new KOptionInfo("-e", "key saltlist", KOptionType.STR)),
K(new KOptionInfo("-k", "keytab file path", KOptionType.STR)),
KEYTAB(new KOptionInfo("-keytab", "keytab file path", KOptionType.STR)),
+ QUERY(new KOptionInfo("-q", "query", KOptionType.STR)),
CCACHE(new KOptionInfo("-c", "credentials cache", KOptionType.FILE));
private final KOptionInfo optionInfo;
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1296f52d/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
----------------------------------------------------------------------
diff --git a/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
index 72f6491..bc3b2e1 100644
--- a/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
+++ b/kerby-tool/kdc-tool/src/main/java/org/apache/kerby/kerberos/tool/kadmin/KadminTool.java
@@ -244,16 +244,22 @@ public class KadminTool {
printUsage("No credentials cache file or keytab file for authentication.");
}
- System.out.print(PROMPT + ": ");
+ // Execute any query that was specified and exit
+ if (kOptions.contains(KadminOption.QUERY)) {
+ String query = kOptions.getStringOption(KadminOption.QUERY);
+ execute(kadmin, query);
+ } else {
+ System.out.print(PROMPT + ": ");
- try (Scanner scanner = new Scanner(System.in, "UTF-8")) {
- String input = scanner.nextLine();
+ try (Scanner scanner = new Scanner(System.in, "UTF-8")) {
+ String input = scanner.nextLine();
- while (!(input.equals("quit") || input.equals("exit")
- || input.equals("q"))) {
- execute(kadmin, input);
- System.out.print(PROMPT + ": ");
- input = scanner.nextLine();
+ while (!(input.equals("quit") || input.equals("exit")
+ || input.equals("q"))) {
+ execute(kadmin, input);
+ System.out.print(PROMPT + ": ");
+ input = scanner.nextLine();
+ }
}
}
}
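Review bot: The new `-q` branch takes the command text from the command line, which puts it in the process argument list, where other local users can usually read it. If a kadmin command can carry a password, that should stay on the interactive prompt, and the branch should say so, for example `// -q text is visible in the process list; do not pass secrets this way`. The branch also calls `execute(kadmin, query)` without checking the value returned by `getStringOption`, so a null or empty query is presumably left for `execute` to handle; a guard such as `if (query == null || query.isEmpty()) { printUsage("No query given for -q."); }` would make that explicit. The enclosing method starts outside the hunk.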