You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by co...@apache.org on 2017/07/24 11:50:54 UTC
[13/18] directory-kerby git commit: Revert "DIRKRB-566 - Implement
Gss tokens defined in RFC 1964. Thanks to Wei Zhou."
Revert "DIRKRB-566 - Implement Gss tokens defined in RFC 1964. Thanks to Wei Zhou."
This reverts commit 8618caeb7ac2a3a87c6576bf7be0eaacf11fb736.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/863f66d7
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/863f66d7
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/863f66d7
Branch: refs/heads/1.0.x-fixes
Commit: 863f66d77ac25b29f6ca066aaad35f5b8e1199dc
Parents: 05bf04e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jul 24 12:46:19 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jul 24 12:46:19 2017 +0100
----------------------------------------------------------------------
.../kerberos/kerb/gssapi/krb5/CredUtils.java | 8 +-
.../kerberos/kerb/gssapi/krb5/KerbyContext.java | 42 +--
.../kerb/gssapi/krb5/KerbyGssEncryptor.java | 300 ++---------------
.../kerb/gssapi/krb5/KerbyGssTokenV1.java | 319 -------------------
.../kerberos/kerb/gssapi/krb5/MicTokenV1.java | 92 ------
.../kerberos/kerb/gssapi/krb5/WrapTokenV1.java | 196 ------------
.../kerberos/kerb/gssapi/krb5/WrapTokenV2.java | 9 +-
7 files changed, 37 insertions(+), 929 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/863f66d7/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
index f7ddc31..6d066db 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/CredUtils.java
@@ -4,7 +4,10 @@ import org.ietf.jgss.GSSException;
import sun.security.jgss.GSSCaller;
import javax.security.auth.Subject;
-import javax.security.auth.kerberos.*;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.kerberos.KeyTab;
+import javax.security.auth.kerberos.ServicePermission;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
@@ -52,8 +55,7 @@ public class CredUtils {
public static KeyTab getKeyTabFromContext(KerberosPrincipal principal) throws GSSException {
Set<KeyTab> tabs = getContextCredentials(KeyTab.class);
for (KeyTab tab : tabs) {
- KerberosKey[] keys = tab.getKeys(principal);
- if (keys != null && keys.length > 0) {
+ if (tab.getPrincipal().equals(principal)) {
return tab;
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/863f66d7/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index eba2a26..b450cc9 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -468,11 +468,7 @@ public class KerbyContext implements GSSContextSpi {
public int getWrapSizeLimit(int qop, boolean confReq, int maxTokSize)
throws GSSException {
- if (gssEncryptor.isV2()) {
- return WrapTokenV2.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
- } else {
- return WrapTokenV1.getMsgSizeLimit(qop, confReq, maxTokSize, gssEncryptor);
- }
+ return 65536; // TODO: to be implemented
}
public void wrap(InputStream is, OutputStream os, MessageProp msgProp)
@@ -480,13 +476,7 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, 0, len, msgProp);
- token.wrap(os);
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, 0, len, msgProp);
- token.wrap(os);
- }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
}
public byte[] wrap(byte[] inBuf, int offset, int len,
@@ -494,26 +484,12 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for wrap");
}
- byte[] ret;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, inBuf, offset, len, msgProp);
- ret = token.wrap();
- }
- return ret;
+ return null; // TODO: to be implemented
}
public void unwrap(InputStream is, OutputStream os,
MessageProp msgProp) throws GSSException {
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, is);
- token.unwrap(os);
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, msgProp, is);
- token.unwrap(os);
- }
+ throw new GSSException(GSSException.UNAVAILABLE, -1, "Unsupported method"); // TODO: to be implemented
}
public byte[] unwrap(byte[] inBuf, int offset, int len,
@@ -521,15 +497,7 @@ public class KerbyContext implements GSSContextSpi {
if (ctxState != STATE_ESTABLISHED) {
throw new GSSException(GSSException.NO_CONTEXT, -1, "Context invalid for unwrap");
}
- byte[] ret;
- if (gssEncryptor.isV2()) {
- WrapTokenV2 token = new WrapTokenV2(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
- } else {
- WrapTokenV1 token = new WrapTokenV1(this, msgProp, inBuf, offset, len);
- ret = token.unwrap();
- }
- return ret;
+ return null; // TODO: to be implemented
}
public void getMIC(InputStream is, OutputStream os,
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/863f66d7/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
index 9aff63e..d65346b 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssEncryptor.java
@@ -25,66 +25,29 @@ import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
import org.apache.kerby.kerberos.kerb.crypto.CheckSumTypeHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
-import org.apache.kerby.kerberos.kerb.crypto.cksum.provider.Md5Provider;
-import org.apache.kerby.kerberos.kerb.crypto.enc.provider.DesProvider;
-import org.apache.kerby.kerberos.kerb.crypto.enc.provider.Rc4Provider;
import org.apache.kerby.kerberos.kerb.type.base.CheckSumType;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.ietf.jgss.GSSException;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-
/**
* This class implements encryption related function used in GSS tokens
*/
public class KerbyGssEncryptor {
- private final EncryptionKey encKey;
- private final EncryptionType encKeyType; // The following two variables used for convenience
- private final byte[] encKeyBytes;
-
- private CheckSumType checkSumTypeDef;
- private int checkSumSize;
-
+ private EncryptionKey encKey;
private boolean isV2 = false;
- private int sgnAlg = 0xFFFF;
- private int sealAlg = 0xFFFF;
- private boolean isArcFourHmac = false;
-
- private static final byte[] IV_ZEROR_8B = new byte[8];
public KerbyGssEncryptor(EncryptionKey key) throws GSSException {
encKey = key;
- encKeyBytes = encKey.getKeyData();
- encKeyType = key.getKeyType();
-
- if (encKeyType == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
- checkSumSize = 12;
- checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES128;
+ EncryptionType keyType = key.getKeyType();
+ // TODO: add support for other algorithms
+ if (keyType == EncryptionType.AES128_CTS_HMAC_SHA1_96
+ || keyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
isV2 = true;
- } else if (encKeyType == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
- checkSumSize = 12;
- checkSumTypeDef = CheckSumType.HMAC_SHA1_96_AES256;
- isV2 = true;
- } else if (encKeyType == EncryptionType.DES_CBC_CRC || encKeyType == EncryptionType.DES_CBC_MD5) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_DES;
- checkSumSize = 8;
- } else if (encKeyType == EncryptionType.DES3_CBC_SHA1) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_DES3_KD;
- checkSumSize = 20;
- } else if (encKeyType == EncryptionType.ARCFOUR_HMAC) {
- sgnAlg = KerbyGssTokenV1.SGN_ALG_RC4_HMAC;
- sealAlg = KerbyGssTokenV1.SEAL_ALG_RC4_HMAC;
- checkSumSize = 16;
- isArcFourHmac = true;
} else {
throw new GSSException(GSSException.FAILURE, -1,
- "Invalid encryption type: " + encKeyType.getDisplayName());
+ "Invalid encryption type: " + key.getKeyType().getDisplayName());
}
}
@@ -96,18 +59,6 @@ public class KerbyGssEncryptor {
return isV2;
}
- public int getSgnAlg() {
- return sgnAlg;
- }
-
- public int getSealAlg() {
- return sealAlg;
- }
-
- public boolean isArcFourHmac() {
- return isArcFourHmac;
- }
-
public byte[] encryptData(byte[] tokenHeader, byte[] data,
int offset, int len, int keyUsage) throws GSSException {
byte[] ret;
@@ -151,238 +102,37 @@ public class KerbyGssEncryptor {
}
try {
- return CheckSumHandler.getCheckSumHandler(checkSumTypeDef)
- .checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
+ return getCheckSumHandler().checksumWithKey(buffer, encKey.getKeyData(), keyUsage);
} catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation:" + e.getMessage());
- }
- }
-
- /**
- * Get the size of the corresponding checksum algorithm
- * @return
- * @throws GSSException
- */
- public int getCheckSumSize() throws GSSException {
- return checkSumSize;
- }
-
-
- private void addPadding(int paddingLen, byte[] outBuf, int offset) {
- for (int i = 0; i < paddingLen; i++) {
- outBuf[offset + i] = (byte) paddingLen;
- }
- }
-
- private byte[] getFirstBytes(byte[] src, int len) {
- if (len < src.length) {
- byte[] ret = new byte[len];
- System.arraycopy(src, 0, ret, 0, len);
- return ret;
+ "Exception in checksum calculation:" + encKey.getKeyType().getName());
}
- return src;
}
- private byte[] getKeyBytesWithLength(int len) {
- return getFirstBytes(encKeyBytes, len);
- }
-
- public byte[] calculateCheckSum(byte[] confounder, byte[] header,
- byte[] data, int offset, int len, int paddingLen, boolean isMic)
- throws GSSException {
- byte[] ret;
- int keyUsage = KerbyGssTokenV1.KG_USAGE_SIGN;
- CheckSumTypeHandler handler;
-
- int keySize;
- byte[] key;
- byte[] toProc;
- int toOffset;
- int toLen = (confounder == null ? 0 : confounder.length)
- + (header == null ? 0 : header.length) + len + paddingLen;
- if (toLen == len) {
- toProc = data;
- toOffset = offset;
+ private CheckSumTypeHandler getCheckSumHandler() throws GSSException {
+ CheckSumType checkSumType;
+ if (encKey.getKeyType() == EncryptionType.AES128_CTS_HMAC_SHA1_96) {
+ checkSumType = CheckSumType.HMAC_SHA1_96_AES128;
+ } else if (encKey.getKeyType() == EncryptionType.AES256_CTS_HMAC_SHA1_96) {
+ checkSumType = CheckSumType.HMAC_SHA1_96_AES256;
} else {
- toOffset = 0;
- int idx = 0;
- toProc = new byte[toLen];
-
- if (header != null) {
- System.arraycopy(header, 0, toProc, idx, header.length);
- idx += header.length;
- }
-
- if (confounder != null) {
- System.arraycopy(confounder, 0, toProc, idx, confounder.length);
- idx += confounder.length;
- }
-
- System.arraycopy(data, offset, toProc, idx, len);
- addPadding(paddingLen, toProc, len + idx);
- }
-
- CheckSumType chksumType;
- try {
- switch (sgnAlg) {
- case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
- Md5Provider md5Provider = new Md5Provider();
- md5Provider.hash(toProc);
- toProc = md5Provider.output();
-
- case KerbyGssTokenV1.SGN_ALG_DES_MAC:
- DesProvider desProvider = new DesProvider();
- return desProvider.cbcMac(encKeyBytes, IV_ZEROR_8B, toProc);
-
- case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
- chksumType = CheckSumType.HMAC_SHA1_DES3_KD;
- break;
- case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
- chksumType = CheckSumType.MD5_HMAC_ARCFOUR;
- if (isMic) {
- keyUsage = KerbyGssTokenV1.KG_USAGE_MS_SIGN;
- }
- break;
- case KerbyGssTokenV1.SGN_ALG_MD25:
- throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for SGN_ALG_MD25");
- default:
- throw new GSSException(GSSException.FAILURE, -1, "CheckSum not implemented for sgnAlg=" + sgnAlg);
- }
- handler = CheckSumHandler.getCheckSumHandler(chksumType);
- keySize = handler.keySize();
- key = getKeyBytesWithLength(keySize);
- ret = handler.checksumWithKey(toProc, toOffset, toLen, key, keyUsage);
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in checksum calculation sgnAlg = " + sgnAlg + " : " + e.getMessage());
- }
- return ret;
- }
-
- public byte[] encryptSequenceNumber(byte[] seqBytes, byte[] ivSrc, boolean encrypt)
- throws GSSException {
- EncTypeHandler handler;
- try {
- switch (sgnAlg) {
- case KerbyGssTokenV1.SGN_ALG_DES_MAC_MD5:
- case KerbyGssTokenV1.SGN_ALG_DES_MAC:
- DesProvider desProvider = new DesProvider();
- byte[] data = seqBytes.clone();
- if (encrypt) {
- desProvider.encrypt(encKeyBytes, ivSrc, data);
- } else {
- desProvider.decrypt(encKeyBytes, ivSrc, data);
- }
- return data;
- case KerbyGssTokenV1.SGN_ALG_HMAC_SHA1_DES3_KD:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
- break;
- case KerbyGssTokenV1.SGN_ALG_RC4_HMAC:
- return encryptArcFourHmac(seqBytes, getKeyBytesWithLength(16), getFirstBytes(ivSrc, 8), encrypt);
- case KerbyGssTokenV1.SGN_ALG_MD25:
- throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for SGN_ALG_MD25");
- default:
- throw new GSSException(GSSException.FAILURE, -1, "EncSeq not implemented for sgnAlg=" + sgnAlg);
- }
- int keySize = handler.keySize();
- byte[] key = getKeyBytesWithLength(keySize);
- int ivLen = handler.encProvider().blockSize();
- byte[] iv = getFirstBytes(ivSrc, ivLen);
- if (encrypt) {
- return handler.encryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
- } else {
- return handler.decryptRaw(seqBytes, key, iv, KerbyGssTokenV1.KG_USAGE_SEQ);
- }
- } catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "Exception in encrypt seq number sgnAlg = " + sgnAlg + " : " + e.getMessage());
+ "Unsupported checksum encryption type:" + encKey.getKeyType().getName());
}
- }
-
- private byte[] getHmacMd5(byte[] key, byte[] salt) throws GSSException {
- try {
- SecretKey secretKey = new SecretKeySpec(key, "HmacMD5");
- Mac mac = Mac.getInstance("HmacMD5");
- mac.init(secretKey);
- return mac.doFinal(salt);
- } catch (Exception e) {
- throw new GSSException(GSSException.FAILURE, -1, "Get HmacMD5 failed: " + e.getMessage());
- }
- }
-
- private byte[] encryptArcFourHmac(byte[] data, byte[] key, byte[] iv, boolean encrypt)
- throws GSSException {
- byte[] sk1 = getHmacMd5(key, new byte[4]);
- byte[] sk2 = getHmacMd5(sk1, iv);
- Rc4Provider provider = new Rc4Provider();
try {
- byte[] ret = data.clone();
- if (encrypt) {
- provider.encrypt(sk2, ret);
- } else {
- provider.decrypt(sk2, ret);
- }
- return ret;
+ return CheckSumHandler.getCheckSumHandler(checkSumType);
} catch (KrbException e) {
throw new GSSException(GSSException.FAILURE, -1,
- "En/Decrypt sequence failed for ArcFourHmac: " + e.getMessage());
- }
- }
-
- private byte[] encryptDataArcFourHmac(byte[] data, byte[] key, byte[] seqNum, boolean encrypt) throws GSSException {
- byte[] dataKey = new byte[key.length];
- for (int i = 0; i <= 15; i++) {
- dataKey[i] = (byte) (key[i] ^ 0xF0);
+ "Unsupported checksum type:" + checkSumType.getName());
}
- return encryptArcFourHmac(data, dataKey, seqNum, encrypt);
}
- public byte[] encryptTokenV1(byte[] confounder, byte[] data, int offset, int len,
- int paddingLen, byte[] seqNumber, boolean encrypt) throws GSSException {
- byte[] toProc;
- if (encrypt) {
- int toLen = (confounder == null ? 0 : confounder.length) + len + paddingLen;
- int index = 0;
- toProc = new byte[toLen];
- if (confounder != null) {
- System.arraycopy(confounder, 0, toProc, 0, confounder.length);
- index += confounder.length;
- }
- System.arraycopy(data, offset, toProc, index, len);
- addPadding(paddingLen, toProc, index + len);
- } else {
- toProc = data;
- if (data.length != len) {
- toProc = new byte[len];
- System.arraycopy(data, offset, toProc, 0, len);
- }
- }
- EncTypeHandler handler;
- try {
- switch (sealAlg) {
- case KerbyGssTokenV1.SEAL_ALG_DES:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES_CBC_MD5);
- break;
- case KerbyGssTokenV1.SEAL_ALG_DES3_KD:
- handler = EncryptionHandler.getEncHandler(EncryptionType.DES3_CBC_SHA1_KD);
- break;
- case KerbyGssTokenV1.SEAL_ALG_RC4_HMAC:
- return encryptDataArcFourHmac(toProc, getKeyBytesWithLength(16), seqNumber, encrypt);
- default:
- throw new GSSException(GSSException.FAILURE, -1, "Unknown encryption type sealAlg = " + sealAlg);
- }
-
- int keySize = handler.keySize();
- byte[] key = getKeyBytesWithLength(keySize);
- if (encrypt) {
- return handler.encryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
- } else {
- return handler.decryptRaw(toProc, key, KerbyGssTokenV1.KG_USAGE_SEAL);
- }
- } catch (KrbException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Exception in encrypt data sealAlg = " + sealAlg + " : " + e.getMessage());
- }
+ /**
+ * Get the size of the corresponding checksum algorithm
+ * @return
+ * @throws GSSException
+ */
+ public int getCheckSumSize() throws GSSException {
+ return getCheckSumHandler().cksumSize();
}
-}
\ No newline at end of file
+}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/863f66d7/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
deleted file mode 100644
index 6b1a2c7..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyGssTokenV1.java
+++ /dev/null
@@ -1,319 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import sun.security.jgss.GSSHeader;
-import sun.security.util.ObjectIdentifier;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.security.MessageDigest;
-
-/**
- * This class implements the token formats defined in RFC 1964 and its updates
- *
- * The GSS Wrap token has the following format:
- *
- * Byte no Name Description
- * 0..1 TOK_ID 0201
- *
- * 2..3 SGN_ALG Checksum algorithm indicator.
- * 00 00 DES MAC MD5
- * 01 00 MD2.5
- * 02 00 DES MAC
- * 04 00 HMAC SHA1 DES3-KD
- * 11 00 RC4-HMAC used by Microsoft Windows, RFC 4757
- * 4..5 SEAL_ALG ff ff none
- * 00 00 DES
- * 02 00 DES3-KD
- * 10 00 RC4-HMAC
- * 6..7 Filler FF FF
- * 8..15 SND_SEQ Encrypted sequence number field.
- * 16..23 SNG_CKSUM Checksum of plaintext padded data,
- * calculated according to algorithm
- * specified in SGN_ALG field.
- * 24.. Data Encrypted or plaintext padded data
- *
- *
- *
- * Use of the GSS MIC token has the following format:
-
- * Byte no Name Description
- * 0..1 TOK_ID 0101
- * 2..3 SGN_ALG Integrity algorithm indicator.
- * 4..7 Filler Contains ff ff ff ff
- * 8..15 SND_SEQ Sequence number field.
- * 16..23 SGN_CKSUM Checksum of "to-be-signed data",
- * calculated according to algorithm
- * specified in SGN_ALG field.
- *
- */
-abstract class KerbyGssTokenV1 extends KerbyGssTokenBase {
- // SGN ALG
- public static final int SGN_ALG_DES_MAC_MD5 = 0;
- public static final int SGN_ALG_MD25 = 0x0100;
- public static final int SGN_ALG_DES_MAC = 0x0200;
- public static final int SGN_ALG_HMAC_SHA1_DES3_KD = 0x0400;
- public static final int SGN_ALG_RC4_HMAC = 0x1100;
-
- // SEAL ALG
- public static final int SEAL_ALG_NONE = 0xFFFF;
- public static final int SEAL_ALG_DES = 0x0; // "DES/CBC/NoPadding"
- public static final int SEAL_ALG_DES3_KD = 0x0200;
- public static final int SEAL_ALG_RC4_HMAC = 0x1000;
-
- public static final int KG_USAGE_SEAL = 22;
- public static final int KG_USAGE_SIGN = 23;
- public static final int KG_USAGE_SEQ = 24;
- public static final int KG_USAGE_MS_SIGN = 15;
-
- private boolean isInitiator;
- private boolean confState;
- private int sequenceNumber;
-
- protected KerbyGssEncryptor encryptor;
-
- private GSSHeader gssHeader;
-
- public static final int TOKEN_HEADER_COMM_SIZE = 8;
- public static final int TOKEN_HEADER_SEQ_SIZE = 8;
-
- // Token commHeader data
- private int tokenType;
- private byte[] commHeader = new byte[TOKEN_HEADER_COMM_SIZE];
- private int sgnAlg;
- private int sealAlg;
-
- private byte[] plainSequenceBytes;
- private byte[] encryptedSequenceNumber = new byte[TOKEN_HEADER_SEQ_SIZE];
- private byte[] checkSum;
- private int checkSumSize;
-
- protected int reconHeaderLen; // only used for certain reason
-
- public static ObjectIdentifier objId;
-
- static {
- try {
- objId = new ObjectIdentifier("1.2.840.113554.1.2.2");
- } catch (IOException ioe) { // NOPMD
- }
- }
-
- protected int getTokenHeaderSize() {
- return TOKEN_HEADER_COMM_SIZE + TOKEN_HEADER_SEQ_SIZE + checkSumSize;
- }
-
- protected byte[] getPlainSequenceBytes() {
- byte[] ret = new byte[4];
- ret[0] = plainSequenceBytes[0];
- ret[1] = plainSequenceBytes[1];
- ret[2] = plainSequenceBytes[2];
- ret[3] = plainSequenceBytes[3];
- return ret;
- }
-
- // Generate a new token
- KerbyGssTokenV1(int tokenType, KerbyContext context) throws GSSException {
- initialize(tokenType, context, false);
- createTokenHeader();
- }
-
- // Reconstruct a token
- KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop,
- byte[] token, int offset, int size) throws GSSException {
- int proxLen = size > 64 ? 64 : size;
- InputStream is = new ByteArrayInputStream(token, offset, proxLen);
- reconstructInitializaion(tokenType, context, prop, is);
- reconHeaderLen = gssHeader.getLength() + getTokenHeaderSize();
- }
-
- // Reconstruct a token
- KerbyGssTokenV1(int tokenType, KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- reconstructInitializaion(tokenType, context, prop, is);
- }
-
- private void reconstructInitializaion(int tokenType, KerbyContext context, MessageProp prop, InputStream is)
- throws GSSException {
- initialize(tokenType, context, true);
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- try {
- gssHeader = new GSSHeader(is);
- } catch (IOException e) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token:" + e.getMessage());
- }
-
- if (!gssHeader.getOid().equals((Object) objId)) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token OID");
- }
-
- reconstructTokenHeader(is, prop);
- }
-
- private void initialize(int tokenType,
- KerbyContext context,
- boolean reconstruct) throws GSSException {
- this.tokenType = tokenType;
- this.isInitiator = context.isInitiator();
- this.confState = context.getConfState();
- this.encryptor = context.getGssEncryptor();
- this.checkSumSize = encryptor.getCheckSumSize();
- if (!reconstruct) {
- this.sequenceNumber = context.incMySequenceNumber();
- } else {
- checkSum = new byte[checkSumSize];
- }
- }
-
- protected void calcPrivacyInfo(MessageProp prop, byte[] confounder, byte[] data,
- int dataOffset, int dataLength, int paddingLen) throws GSSException {
- prop.setQOP(0);
- if (!confState) {
- prop.setPrivacy(false);
- }
-
- checkSum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
- encryptSequenceNumber();
- }
-
- protected void verifyToken(byte[] confounder, byte[] data, int dataOffset, int dataLength, int paddingLen)
- throws GSSException {
- byte[] sum = calcCheckSum(confounder, commHeader, data, dataOffset, dataLength, paddingLen);
- if (!MessageDigest.isEqual(checkSum, sum)) {
- throw new GSSException(GSSException.BAD_MIC, -1,
- "Corrupt token checksum for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
- }
- }
-
- private byte[] calcCheckSum(byte[] confounder, byte[] header, byte[] data,
- int dataOffset, int dataLength, int paddingLen) throws GSSException {
- return encryptor.calculateCheckSum(confounder, header, data, dataOffset, dataLength, paddingLen,
- tokenType == TOKEN_MIC_V1);
- }
-
- private void encryptSequenceNumber() throws GSSException {
- plainSequenceBytes = new byte[8];
- if (encryptor.isArcFourHmac()) {
- writeBigEndian(plainSequenceBytes, 0, sequenceNumber);
- } else {
- plainSequenceBytes[0] = (byte) sequenceNumber;
- plainSequenceBytes[1] = (byte) (sequenceNumber >>> 8);
- plainSequenceBytes[2] = (byte) (sequenceNumber >>> 16);
- plainSequenceBytes[3] = (byte) (sequenceNumber >>> 24);
- }
-
- // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
- if (!isInitiator) {
- plainSequenceBytes[4] = (byte) 0xFF;
- plainSequenceBytes[5] = (byte) 0xFF;
- plainSequenceBytes[6] = (byte) 0xFF;
- plainSequenceBytes[7] = (byte) 0xFF;
- }
-
- encryptedSequenceNumber = encryptor.encryptSequenceNumber(plainSequenceBytes, checkSum, true);
- }
-
- public void encodeHeader(OutputStream os) throws GSSException, IOException {
- // | GSSHeader | TokenHeader |
- GSSHeader gssHeader = new GSSHeader(objId, getTokenSizeWithoutGssHeader());
- gssHeader.encode(os);
- os.write(commHeader);
- os.write(encryptedSequenceNumber);
- os.write(checkSum);
- }
-
- private void createTokenHeader() {
- commHeader[0] = (byte) (tokenType >>> 8);
- commHeader[1] = (byte) tokenType;
-
- sgnAlg = encryptor.getSgnAlg();
- commHeader[2] = (byte) (sgnAlg >>> 8);
- commHeader[3] = (byte) sgnAlg;
-
- if (tokenType == TOKEN_WRAP_V1) {
- sealAlg = encryptor.getSealAlg();
- commHeader[4] = (byte) (sealAlg >>> 8);
- commHeader[5] = (byte) sealAlg;
- } else {
- commHeader[4] = (byte) 0xFF;
- commHeader[5] = (byte) 0xFF;
- }
-
- commHeader[6] = (byte) 0xFF;
- commHeader[7] = (byte) 0xFF;
- }
-
- // Re-construct token commHeader
- private void reconstructTokenHeader(InputStream is, MessageProp prop) throws GSSException {
- try {
- if (is.read(commHeader) != commHeader.length
- || is.read(encryptedSequenceNumber) != encryptedSequenceNumber.length
- || is.read(checkSum) != checkSum.length) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Insufficient in reconstruct token header");
- }
- initTokenHeader(commHeader, prop);
-
- plainSequenceBytes = encryptor.encryptSequenceNumber(encryptedSequenceNumber, checkSum, false);
- byte dirc = isInitiator ? (byte) 0xFF : 0;
- // Hex 0 - sender is the context initiator, Hex FF - sender is the context acceptor
- if (!(plainSequenceBytes[4] == dirc && plainSequenceBytes[5] == dirc
- && plainSequenceBytes[6] == dirc && plainSequenceBytes[7] == dirc)) {
- throw new GSSException(GSSException.BAD_MIC, -1,
- "Corrupt token sequence for " + (tokenType == TOKEN_MIC_V1 ? "Mic" : "Wrap") + "TokenV1");
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error in reconstruct token header:" + e.getMessage());
- }
- }
-
- private void initTokenHeader(byte[] tokenBytes, MessageProp prop) throws GSSException {
- int tokenIDRecv = (((int) tokenBytes[0]) << 8) + tokenBytes[1];
- if (tokenType != tokenIDRecv) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
- "Token ID should be " + tokenType + " instead of " + tokenIDRecv);
- }
-
- sgnAlg = (((int) tokenBytes[2]) << 8) + tokenBytes[3];
- sealAlg = (((int) tokenBytes[4]) << 8) + tokenBytes[5];
-
- if (tokenBytes[6] != (byte) 0xFF || tokenBytes[7] != (byte) 0xFF) {
- throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "Invalid token head filler");
- }
-
- prop.setQOP(0);
- prop.setPrivacy(sealAlg != SEAL_ALG_NONE);
- }
-
- protected GSSHeader getGssHeader() {
- return gssHeader;
- }
-
- abstract int getTokenSizeWithoutGssHeader();
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/863f66d7/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
deleted file mode 100644
index 6a76e4c..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/MicTokenV1.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class MicTokenV1 extends KerbyGssTokenV1 {
- public MicTokenV1(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp messageProp) throws GSSException {
- super(TOKEN_MIC_V1, context);
- calcPrivacyInfo(messageProp, null, inMsg, msgOffset, msgLength, 0);
- }
-
- // This is called to construct MicToken from MicToken bytes
- MicTokenV1(KerbyContext context,
- MessageProp messageProp,
- byte[] inToken,
- int tokenOffset,
- int tokenLength) throws GSSException {
- super(TOKEN_MIC_V1, context, messageProp, inToken, tokenOffset, tokenLength);
- }
-
- public int getMic(byte[] outToken, int offset) throws GSSException, IOException {
- byte[] data = getMic();
- System.arraycopy(data, 0, outToken, offset, data.length);
- return data.length;
- }
-
- /**
- * Get bytes for this Mic token
- * @return
- */
- public byte[] getMic() throws GSSException {
- ByteArrayOutputStream os = new ByteArrayOutputStream(64);
- getMic(os);
- return os.toByteArray();
- }
-
- public void getMic(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error in output MicTokenV1 bytes:" + e.getMessage());
- }
- }
-
- public void verify(InputStream is) throws GSSException {
- byte[] data;
- try {
- data = new byte[is.available()];
- is.read(data);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Read plain data for MicTokenV1 error:" + e.getMessage());
- }
- verify(data, 0, data.length);
- }
-
- public void verify(byte[] data, int offset, int len) throws GSSException {
- verifyToken(null, data, offset, len, 0);
- }
-
- protected int getTokenSizeWithoutGssHeader() {
- return getTokenHeaderSize();
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/863f66d7/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
deleted file mode 100644
index 8ecdae4..0000000
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV1.java
+++ /dev/null
@@ -1,196 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.kerby.kerberos.kerb.gssapi.krb5;
-
-import org.apache.kerby.kerberos.kerb.crypto.util.Random;
-import org.ietf.jgss.GSSException;
-import org.ietf.jgss.MessageProp;
-import sun.security.jgss.GSSHeader;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-
-public class WrapTokenV1 extends KerbyGssTokenV1 {
- public static final int CONFOUNDER_SIZE = 8;
-
- private boolean privacy;
-
- private byte[] inData;
- private int inOffset;
- private int inLen;
-
- private int paddingLen;
- private byte[] confounder;
- private int tokenBodyLen;
-
- private byte[] bodyData;
- private int bodyOffset;
- private int bodyLen;
-
- // for reconstruct
- private int rawDataLength;
- private byte[] rawData;
- private int rawDataOffset;
-
-
- // Generate wrap token according user data
- public WrapTokenV1(KerbyContext context,
- byte[] inMsg,
- int msgOffset,
- int msgLength,
- MessageProp prop) throws GSSException {
- super(TOKEN_WRAP_V1, context);
-
- paddingLen = getPaddingLength(msgLength);
- confounder = Random.makeBytes(CONFOUNDER_SIZE);
- tokenBodyLen = CONFOUNDER_SIZE + msgLength + paddingLen;
-
- calcPrivacyInfo(prop, confounder, inMsg, msgOffset, msgLength, paddingLen);
-
- if (!context.getConfState()) {
- prop.setPrivacy(false);
- }
- privacy = prop.getPrivacy();
- inData = inMsg;
- inOffset = msgOffset;
- inLen = msgLength;
- }
-
- // Reconstruct a token from token bytes
- public WrapTokenV1(KerbyContext context, MessageProp prop,
- byte[] token, int offset, int len) throws GSSException {
- super(TOKEN_WRAP_V1, context, prop, token, offset, len);
- // adjust the offset to the beginning of the body
- bodyData = token;
- bodyOffset = offset + reconHeaderLen;
- bodyLen = len - reconHeaderLen;
- getRawData(prop);
- }
-
- // Reconstruct a token from token bytes stream
- public WrapTokenV1(KerbyContext context, MessageProp prop, InputStream is) throws GSSException {
- super(TOKEN_WRAP_V1, context, prop, is);
- byte[] token;
- int len;
- try {
- len = is.available();
- token = new byte[len];
- is.read(token);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Read wrap token V1 error:" + e.getMessage());
- }
- bodyData = token;
- bodyOffset = 0;
- bodyLen = len;
- getRawData(prop);
- }
-
- private void getRawData(MessageProp prop) throws GSSException {
- privacy = prop.getPrivacy();
- tokenBodyLen = getGssHeader().getMechTokenLength() - getTokenHeaderSize();
-
- if (bodyLen < tokenBodyLen) {
- throw new GSSException(GSSException.FAILURE, -1, "Insufficient data for Wrap token V1");
- }
-
- if (privacy) {
- rawData = encryptor.encryptTokenV1(null, bodyData, bodyOffset, tokenBodyLen, 0,
- encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, false);
- paddingLen = rawData[rawData.length - 1];
- rawDataOffset = CONFOUNDER_SIZE;
- } else {
- rawData = bodyData;
- paddingLen = bodyData[bodyOffset + tokenBodyLen - 1];
- rawDataOffset = bodyOffset + CONFOUNDER_SIZE;
- }
- rawDataLength = tokenBodyLen - CONFOUNDER_SIZE - paddingLen;
-
- verifyToken(null, rawData, rawDataOffset - CONFOUNDER_SIZE, tokenBodyLen, 0);
- }
-
- // Get plain text data from token data bytes
- public byte[] unwrap() throws GSSException {
- byte[] ret = new byte[rawDataLength];
- System.arraycopy(rawData, rawDataOffset, ret, 0, rawDataLength);
- return ret;
- }
-
- public void unwrap(OutputStream os) throws GSSException {
- try {
- os.write(rawData, rawDataOffset, rawDataLength);
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1,
- "Error in output wrap token v1 data bytes:" + e.getMessage());
- }
- }
-
- public byte[] wrap() throws GSSException {
- ByteArrayOutputStream os = new ByteArrayOutputStream(getTokenSizeWithoutGssHeader() + inLen + 64);
- wrap(os);
- return os.toByteArray();
- }
-
- public void wrap(OutputStream os) throws GSSException {
- try {
- encodeHeader(os);
- if (privacy) {
- byte[] enc = encryptor.encryptTokenV1(confounder, inData, inOffset, inLen, paddingLen,
- encryptor.isArcFourHmac() ? getPlainSequenceBytes() : null, true);
- os.write(enc);
- } else {
- os.write(confounder);
- os.write(inData, inOffset, inLen);
- os.write(getPaddingBytes(paddingLen));
- }
- } catch (IOException e) {
- throw new GSSException(GSSException.FAILURE, -1, "Error in output wrap token v1 bytes:" + e.getMessage());
- }
- }
-
- protected int getTokenSizeWithoutGssHeader() {
- return tokenBodyLen + getTokenHeaderSize();
- }
-
- private int getPaddingLength(int dataLen) {
- if (encryptor.isArcFourHmac()) {
- return 1;
- }
- return 8 - (dataLen % 8);
- }
-
- private byte[] getPaddingBytes(int len) {
- byte[] ret = new byte[len];
- int i = 0;
- while (i < len) {
- ret[i++] = (byte) len;
- }
- return ret;
- }
-
- public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
- throws GSSException {
- return GSSHeader.getMaxMechTokenSize(objId, maxTokSize)
- - encryptor.getCheckSumSize()
- - TOKEN_HEADER_COMM_SIZE - TOKEN_HEADER_SEQ_SIZE
- - CONFOUNDER_SIZE - 8;
- }
-}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/863f66d7/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
index 3b2f1a0..6d78304 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/WrapTokenV2.java
@@ -148,12 +148,7 @@ public class WrapTokenV2 extends KerbyGssTokenV2 {
}
}
- public static int getMsgSizeLimit(int qop, boolean confReq, int maxTokSize, KerbyGssEncryptor encryptor)
- throws GSSException {
- if (confReq) {
- return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE * 2 - CONFOUNDER_SIZE;
- } else {
- return maxTokSize - encryptor.getCheckSumSize() - TOKEN_HEADER_SIZE;
- }
+ static int getSizeLimit(int qop, boolean confReq, int maxTokSize) {
+ return maxTokSize; // TODO: to be implemented
}
}