Posted to commits@directory.apache.org by pl...@apache.org on 2017/11/14 07:23:18 UTC
directory-kerby git commit: DIRKRB-670 Add checksum verification in
TgsRequest.
Repository: directory-kerby
Updated Branches:
refs/heads/trunk c64cdefc9 -> 1e6d36497
DIRKRB-670 Add checksum verification in TgsRequest.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/1e6d3649
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/1e6d3649
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/1e6d3649
Branch: refs/heads/trunk
Commit: 1e6d36497a9509294f30c60a214f1a13f81957b1
Parents: c64cdef
Author: plusplusjiajia <ji...@intel.com>
Authored: Tue Nov 14 15:23:40 2017 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Tue Nov 14 15:23:40 2017 +0800
----------------------------------------------------------------------
.../kerb/client/request/ArmoredRequest.java | 2 +-
.../kerb/server/request/KdcRequest.java | 8 +++--
.../kerb/server/request/TgsRequest.java | 31 ++++++++++++++++++++
3 files changed, 38 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1e6d3649/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
index b7113a5..7a2c25b 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
@@ -72,7 +72,7 @@ public class ArmoredRequest {
KrbFastRequestState state = kdcRequest.getFastRequestState();
fastAsArmor(state, kdcRequest.getArmorKey(), subKey, credential, kdcReq);
kdcRequest.setFastRequestState(state);
- kdcRequest.setOuterRequestBody(KrbCodec.encode(state.getFastOuterRequest()));
+ kdcRequest.setOuterRequestBody(KrbCodec.encode(state.getFastOuterRequest().getReqBody()));
kdcReq.getPaData().addElement(makeFastEntry(state, kdcReq,
kdcRequest.getOuterRequestBody()));
}
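Review bot: The changed `setOuterRequestBody(...)` line has no comment explaining why only the request body is encoded, yet client and KDC must agree on exactly these bytes for the FAST request checksum to verify. I would add `// FAST req-checksum covers the encoded KDC-REQ-BODY only; the KDC verifies over the same encoding` above it. Because the KdcRequest hunk in this commit starts rejecting a failed verification, a client built before this change would presumably be refused by an updated KDC, which may deserve a line in the release notes. The enclosing method starts outside the hunk.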
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1e6d3649/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index 56e8c62..88bbbbf 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -283,14 +283,18 @@ public abstract class KdcRequest {
LOG.error(errMessage);
throw new KrbException(errMessage);
}
+ boolean success;
try {
- CheckSumHandler.verifyWithKey(checkSum, reqBody,
+ success = CheckSumHandler.verifyWithKey(checkSum, reqBody,
getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM);
} catch (KrbException e) {
- String errMessage = "Verify the ReqBody failed. " + e.getMessage();
+ String errMessage = "Verify the KdcReqBody failed. " + e.getMessage();
LOG.error(errMessage);
throw new KrbException(errMessage);
}
+ if (!success) {
+ throw new KrbException("Verify the KdcReqBody failed. ");
+ }
}
}
}
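Review bot: The new `if (!success)` branch throws without logging and without an error code, so a checksum mismatch on an armored request leaves no KDC log entry, although that is the case most worth recording when looking for tampered requests. Suggest `LOG.warn("FAST request checksum mismatch");` followed by `throw new KrbException(KrbErrorCode.KRB_AP_ERR_MODIFIED, "Verify the KdcReqBody failed.");`, assuming callers accept that code. The catch block also rethrows with only `e.getMessage()` and drops the cause; `throw new KrbException(errMessage, e);` keeps the stack trace. Both patterns recur in the TgsRequest hunk of this commit. The enclosing method starts before the hunk.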
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/1e6d3649/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 2d7ead1..870cf88 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -24,12 +24,14 @@ import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
+import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
import org.apache.kerby.kerberos.kerb.identity.KrbIdentity;
import org.apache.kerby.kerberos.kerb.server.KdcContext;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ap.ApOption;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
+import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
@@ -218,6 +220,35 @@ public class TgsRequest extends KdcRequest {
apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
setTgtSessionKey(tgtTicket.getEncPart().getKey());
+
+ CheckSum checkSum = authenticator.getCksum();
+ if (checkSum != null) {
+ byte[] reqBody;
+ try {
+ reqBody = KrbCodec.encode(getKdcReq().getReqBody());
+ } catch (KrbException e) {
+ String errMessage = "Encode the ReqBody failed. " + e.getMessage();
+ LOG.error(errMessage);
+ throw new KrbException(errMessage);
+ }
+ boolean success;
+ try {
+ if (authenticator.getSubKey() != null) {
+ success = CheckSumHandler.verifyWithKey(checkSum, reqBody,
+ authenticator.getSubKey().getKeyData(), KeyUsage.TGS_REQ_AUTH_CKSUM);
+ } else {
+ success = CheckSumHandler.verify(checkSum, reqBody);
+ }
+
+ } catch (KrbException e) {
+ String errMessage = "Verify the KdcReqBody failed. " + e.getMessage();
+ LOG.error(errMessage);
+ throw new KrbException(errMessage);
+ }
+ if (!success) {
+ throw new KrbException("Verify the KdcReqBody failed. ");
+ }
+ }
}
/**
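Review bot: Verification is skipped whenever `authenticator.getCksum()` returns null (`if (checkSum != null)`), so a TGS request whose authenticator carries no checksum is accepted with its body not bound to the authenticator; that is fail-open for the check this commit introduces. Unless a supported client legitimately omits the checksum, reject instead: `if (checkSum == null) { throw new KrbException(KrbErrorCode.KRB_AP_ERR_INAPP_CKSUM); }`. The `else` branch uses the unkeyed `CheckSumHandler.verify(checkSum, reqBody)` although the TGT session key was set just above; as I read RFC 4120, key usage 6 is keyed with that session key, so the key choice in both branches should be confirmed against the client side. Verification also runs over a re-encoding of the decoded body rather than the bytes received, which holds only if the codec round-trips exactly. The method body begins before the hunk.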