Posted to commits@directory.apache.org by pl...@apache.org on 2015/07/08 05:41:35 UTC
directory-kerby git commit: [DIRKRB-344]-Encryption type negotiation
issue between client and KDC.
Repository: directory-kerby
Updated Branches:
refs/heads/master 6404ce584 -> 9af3d5884
[DIRKRB-344]-Encryption type negotiation issue between client and KDC.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/9af3d588
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/9af3d588
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/9af3d588
Branch: refs/heads/master
Commit: 9af3d58844c9d07023bfa2c3ff72d790b9344dcd
Parents: 6404ce5
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Jul 8 11:46:40 2015 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Wed Jul 8 11:46:40 2015 +0800
----------------------------------------------------------------------
.../apache/kerby/asn1/type/Asn1SequenceOf.java | 2 +-
.../kerberos/kerb/server/KdcConfigKey.java | 6 ++--
.../server/preauth/builtin/EncTsPreauth.java | 3 ++
.../kerb/server/request/KdcRequest.java | 32 ++++++++++++--------
4 files changed, 25 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/9af3d588/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1SequenceOf.java
----------------------------------------------------------------------
diff --git a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1SequenceOf.java b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1SequenceOf.java
index d337fa2..e4d46a6 100644
--- a/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1SequenceOf.java
+++ b/kerby-asn1/src/main/java/org/apache/kerby/asn1/type/Asn1SequenceOf.java
@@ -33,6 +33,6 @@ public class Asn1SequenceOf<T extends Asn1Type> extends Asn1CollectionOf<T>
}
public void add(T element) {
- getElements().add(element);
+ addElement(element);
}
}
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/9af3d588/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
index 9d27304..48c79d6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
@@ -20,7 +20,6 @@
package org.apache.kerby.kerberos.kerb.server;
import org.apache.kerby.kerberos.kerb.common.SectionConfigKey;
-import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
public enum KdcConfigKey implements SectionConfigKey {
KRB_DEBUG(true),
@@ -47,9 +46,8 @@ public enum KdcConfigKey implements SectionConfigKey {
PROXIABLE_ALLOWED(true),
RENEWABLE_ALLOWED(true),
VERIFY_BODY_CHECKSUM(true),
- ENCRYPTION_TYPES(EncryptionHandler.isAES256Enabled() ?
- new String[] { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "aes256-cts-hmac-sha1-96"} :
- new String[] { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd"}
+ ENCRYPTION_TYPES(
+ new String[] { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd"}
),
RESTRICT_ANONYMOUS_TO_TGT(false, "kdcdefaults"),
KDC_MAX_DGRAM_REPLY_SIZE(4096, "kdcdefaults");
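Review bot: The new static default for ENCRYPTION_TYPES drops aes256-cts-hmac-sha1-96 unconditionally, so a KDC whose JCE policy does permit AES-256 now advertises only aes128 and des3 unless the administrator overrides the key, which weakens the out-of-the-box default and keeps the legacy des3-cbc-sha1-kd in it. If the conditional was removed because an enum constant cannot sensibly consult EncryptionHandler at class-initialisation time, consider keeping aes256 in the default array and filtering out etypes the runtime cannot support where the config is consumed (`getEncryptionTypes()` in the KdcRequest hunk), so that capability is checked once at request time rather than baked into the default. If the omission is deliberate, a comment on the constant should say so, e.g. `// aes256 intentionally not in the default list; enable it explicitly in the KDC config`, and the commit message should mention the change, since it currently only names the negotiation issue.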
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/9af3d588/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java
index b408103..26e0127 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/builtin/EncTsPreauth.java
@@ -45,6 +45,9 @@ public class EncTsPreauth extends AbstractPreauthPlugin {
PaDataEntry paData) throws KrbException {
EncryptedData encData = KrbCodec.decode(paData.getPaDataValue(), EncryptedData.class);
EncryptionKey clientKey = kdcRequest.getClientKey(encData.getEType());
+ if(clientKey == null) {
+ throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
+ }
PaEncTsEnc timestamp = EncryptionUtil.unseal(encData, clientKey,
KeyUsage.AS_REQ_PA_ENC_TS, PaEncTsEnc.class);
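Review bot: The added guard throws a bare KrbException with KDC_ERR_ETYPE_NOSUPP and no e-data, so a client that encrypted its timestamp with an etype the KDC has no key for learns nothing about which etypes would be accepted; the KdcRequest hunk parameterises makePreAuthenticationError with an error code apparently for this kind of case, so if the plugin can reach that path (a KdcRecoverableException wrapping the KrbError with ETYPE-INFO2 e-data) it would give the client what it needs to retry — confirm how a plain KrbException from a preauth plugin is mapped to a KRB-ERROR. Minor style: the surrounding code writes `if (` with a space, so `if (clientKey == null) {`. The enclosing verify method starts and ends outside the hunk.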
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/9af3d588/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 8b26082..af75163 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -324,7 +324,8 @@ public abstract class KdcRequest {
if (preauthContext.isPreauthRequired()) {
if (preAuthData == null || preAuthData.isEmpty()) {
- KrbError krbError = makePreAuthenticationError(kdcContext);
+ KrbError krbError = makePreAuthenticationError(kdcContext, request,
+ KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED);
throw new KdcRecoverableException(krbError);
} else {
getPreauthHandler().verify(this, preAuthData);
@@ -387,8 +388,11 @@ public abstract class KdcRequest {
}
}
- protected KrbError makePreAuthenticationError(KdcContext kdcContext) throws KrbException {
+ protected KrbError makePreAuthenticationError(KdcContext kdcContext, KdcReq request,
+ KrbErrorCode errorCode)
+ throws KrbException {
List<EncryptionType> encryptionTypes = kdcContext.getConfig().getEncryptionTypes();
+ List<EncryptionType> clientEtypes = request.getReqBody().getEtypes();
boolean isNewEtype = true;
EtypeInfo2 eTypeInfo2 = new EtypeInfo2();
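Review bot: `clientEtypes` is taken straight from `request.getReqBody().getEtypes()` and dereferenced in the next hunk via `clientEtypes.contains(...)`, so if the decoder can yield a null list for a request without etypes (I cannot tell from this hunk) the pre-authentication error path would turn into a NullPointerException; a guard such as `if (clientEtypes == null) { clientEtypes = Collections.emptyList(); }` keeps the method producing a KRB-ERROR in every case. The method also deserves a Javadoc stating that only etypes present in both the KDC configuration and the client's request are advertised in the ETYPE-INFO/ETYPE-INFO2 e-data, and that `errorCode` becomes the KRB-ERROR's error-code. The method body continues past the hunk.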
@@ -396,16 +400,18 @@ public abstract class KdcRequest {
EtypeInfo eTypeInfo = new EtypeInfo();
for (EncryptionType encryptionType : encryptionTypes) {
- if (!isNewEtype) {
- EtypeInfoEntry etypeInfoEntry = new EtypeInfoEntry();
- etypeInfoEntry.setEtype(encryptionType);
- etypeInfoEntry.setSalt(null);
- eTypeInfo.add(etypeInfoEntry);
- }
+ if (clientEtypes.contains(encryptionType)) {
+ if (!isNewEtype) {
+ EtypeInfoEntry etypeInfoEntry = new EtypeInfoEntry();
+ etypeInfoEntry.setEtype(encryptionType);
+ etypeInfoEntry.setSalt(null);
+ eTypeInfo.add(etypeInfoEntry);
+ }
- EtypeInfo2Entry etypeInfo2Entry = new EtypeInfo2Entry();
- etypeInfo2Entry.setEtype(encryptionType);
- eTypeInfo2.add(etypeInfo2Entry);
+ EtypeInfo2Entry etypeInfo2Entry = new EtypeInfo2Entry();
+ etypeInfo2Entry.setEtype(encryptionType);
+ eTypeInfo2.add(etypeInfo2Entry);
+ }
}
byte[] encTypeInfo = null;
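Review bot: When the client's etype list and the KDC's configured list have no element in common, the loop adds nothing and the method still returns a KRB-ERROR with the caller-supplied errorCode (KDC_ERR_PREAUTH_REQUIRED at the call site in the first hunk) and an empty ETYPE-INFO2, which asks the client to retry pre-authentication with no etype it can use; setting KDC_ERR_ETYPE_NOSUPP in that case, e.g. `if (eTypeInfo2.getElements().isEmpty()) { errorCode = KrbErrorCode.KDC_ERR_ETYPE_NOSUPP; }` before the error is built, would match what EncTsPreauth now throws. I cannot see from this hunk whether EtypeInfo2 exposes an emptiness check directly, so the accessor needs confirming. The following hunk also leaves the old `PaDataType.ENC_TIMESTAMP` line as commented-out code; it should be deleted, and the effect of no longer advertising PA-ENC-TIMESTAMP in the error's METHOD-DATA is worth a sentence in the commit message.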
@@ -416,14 +422,14 @@ public abstract class KdcRequest {
encTypeInfo2 = KrbCodec.encode(eTypeInfo2);
MethodData methodData = new MethodData();
- methodData.add(new PaDataEntry(PaDataType.ENC_TIMESTAMP, null));
+ //methodData.add(new PaDataEntry(PaDataType.ENC_TIMESTAMP, null));
if (!isNewEtype) {
methodData.add(new PaDataEntry(PaDataType.ETYPE_INFO, encTypeInfo));
}
methodData.add(new PaDataEntry(PaDataType.ETYPE_INFO2, encTypeInfo2));
KrbError krbError = new KrbError();
- krbError.setErrorCode(KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED);
+ krbError.setErrorCode(errorCode);
byte[] encodedData = KrbCodec.encode(methodData);
krbError.setEdata(encodedData);