Posted to commits@directory.apache.org by co...@apache.org on 2017/07/24 11:50:57 UTC
[16/18] directory-kerby git commit: Revert "DIRKRB-559 - Validataion
of ApReq and ApRep message in peer node. Thanks to Wei Zhou."
Revert "DIRKRB-559 - Validataion of ApReq and ApRep message in peer node. Thanks to Wei Zhou."
This reverts commit 2c1f222f3c062ec9a628e8956eef950f58864fc7.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/a3509602
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/a3509602
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/a3509602
Branch: refs/heads/1.0.x-fixes
Commit: a350960228b850384b72a1dad98e195d1f6b891a
Parents: ed46b2d
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jul 24 12:46:40 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jul 24 12:46:40 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/request/ApRequest.java | 37 -----------------
.../kerberos/kerb/response/ApResponse.java | 42 ++++----------------
.../kerby/kerberos/kerb/type/KerberosTime.java | 22 ----------
3 files changed, 7 insertions(+), 94 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a3509602/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 096b0de..82666a6 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -29,15 +29,12 @@ import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
-import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
-import java.net.InetAddress;
-
/**
* A wrapper for ApReq request
* The client principal and sgt ticket are needed to create ApReq message.
@@ -121,40 +118,6 @@ public class ApRequest {
}
/*
- * Validate the ApReq with channel binding and time
- */
- public static void validate(EncryptionKey encKey, ApReq apReq,
- InetAddress initiator,
- long timeSkew) throws KrbException {
- validate(encKey, apReq);
- Ticket ticket = apReq.getTicket();
- EncTicketPart tktEncPart = ticket.getEncPart();
- Authenticator authenticator = apReq.getAuthenticator();
- if (initiator != null) {
- HostAddresses clientAddrs = tktEncPart.getClientAddresses();
- if (clientAddrs != null && !clientAddrs.contains(initiator)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
- }
- }
-
- if (timeSkew != 0) {
- if (authenticator.getCtime().isInClockSkew(timeSkew)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
- }
-
- KerberosTime now = KerberosTime.now();
- KerberosTime startTime = tktEncPart.getStartTime();
- if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
- }
-
- if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
- }
- }
- }
-
- /*
* Unseal the authenticator through the encryption key from ticket
*/
public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException {
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a3509602/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
index 344fe83..2d01004 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
@@ -19,13 +19,12 @@
*/
package org.apache.kerby.kerberos.kerb.response;
-import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.request.ApRequest;
+import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
-import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.ap.EncAPRepPart;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -44,14 +43,8 @@ public class ApResponse {
this.encryptionKey = encryptionKey;
}
- public ApResponse(ApReq apReq) {
- this.apReq = apReq;
- }
-
public ApRep getApRep() throws KrbException {
- if (encryptionKey != null) {
- ApRequest.validate(encryptionKey, apReq);
- }
+ ApRequest.validate(encryptionKey, apReq);
if (apRep == null) {
apRep = makeApRep();
@@ -71,38 +64,17 @@ public class ApResponse {
ApRep apRep = new ApRep();
EncAPRepPart encAPRepPart = new EncAPRepPart();
-
- Authenticator auth = apReq.getAuthenticator();
// This field contains the current time on the client's host.
- encAPRepPart.setCtime(auth.getCtime());
+ encAPRepPart.setCtime(KerberosTime.now());
// This field contains the microsecond part of the client's timestamp.
- encAPRepPart.setCusec(auth.getCusec());
- encAPRepPart.setSubkey(auth.getSubKey());
+ encAPRepPart.setCusec((int) KerberosTime.now().getTimeInSeconds());
+ encAPRepPart.setSubkey(apReq.getAuthenticator().getSubKey());
encAPRepPart.setSeqNumber(0);
apRep.setEncRepPart(encAPRepPart);
- EncryptedData encPart = EncryptionUtil.seal(encAPRepPart, auth.getSubKey(), KeyUsage.AP_REP_ENCPART);
+ EncryptedData encPart = EncryptionUtil.seal(encAPRepPart,
+ apReq.getAuthenticator().getSubKey(), KeyUsage.AP_REP_ENCPART);
apRep.setEncryptedEncPart(encPart);
return apRep;
}
-
- /**
- * Validation for KRB_AP_REP message
- * @param encKey key used to encrypt encrypted part of KRB_AP_REP message
- * @param apRep KRB_AP_REP message received
- * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from server
- * @throws KrbException
- */
- public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
- EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(),
- encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
- apRep.setEncRepPart(encPart);
- if (apReqSent != null) {
- Authenticator auth = apReqSent.getAuthenticator();
- if (!encPart.getCtime().equals(auth.getCtime())
- || encPart.getCusec() != auth.getCusec()) {
- throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
- }
- }
- }
}
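Review bot: The new side of makeApRep stamps the EncAPRepPart with the server's clock instead of echoing the request: `encAPRepPart.setCtime(KerberosTime.now())` and `encAPRepPart.setCusec((int) KerberosTime.now().getTimeInSeconds())`, the latter putting a seconds value from a second, later `now()` call into a field that carries microseconds. A client verifies mutual authentication by comparing these two fields with the ctime/cusec it placed in its own Authenticator, so a conforming peer will reject this reply, and the retained comment `// This field contains the current time on the client's host.` no longer describes the line beneath it. If the revert is needed for other reasons, the two fields can still be copied from the request with `Authenticator auth = apReq.getAuthenticator();` followed by `encAPRepPart.setCtime(auth.getCtime());` and `encAPRepPart.setCusec(auth.getCusec());` (restoring the Authenticator import removed in the first hunk). makeApRep's signature lies before this hunk.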
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/a3509602/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
index e3da3b1..c89b0cc 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
@@ -107,17 +107,6 @@ public class KerberosTime extends Asn1GeneralizedTime {
/**
* Compare the KerberosTime with another one, and return <tt>true</tt>
- * if it's lesser than the provided one with time skew
- * @param ktime
- * @param skew Maximum time skew in milliseconds
- * @return <tt>true</tt> if less
- */
- public boolean lessThanWithSkew(KerberosTime ktime, long skew) {
- return diff(ktime) - skew <= 0;
- }
-
- /**
- * Compare the KerberosTime with another one, and return <tt>true</tt>
* if it's greater than the provided one
*
* @param ktime compare with milliseconds
@@ -128,17 +117,6 @@ public class KerberosTime extends Asn1GeneralizedTime {
}
/**
- * Compare the KerberosTime with another one, and return <tt>true</tt>
- * if it's greater than the provided one with time skew
- * @param ktime
- * @param skew Maximum time skew in milliseconds
- * @return <tt>true</tt> if greater
- */
- public boolean greaterThanWithSkew(KerberosTime ktime, long skew) {
- return diff(ktime) + skew >= 0;
- }
-
- /**
* Check if the KerberosTime is within the provided clock skew
*
* @param clockSkew The clock skew