Posted to commits@directory.apache.org by er...@apache.org on 2005/09/04 17:06:43 UTC
svn commit: r278597 -
/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
Author: erodriguez
Date: Sun Sep 4 08:06:39 2005
New Revision: 278597
URL: http://svn.apache.org/viewcvs?rev=278597&view=rev
Log:
Added ticket host addresses check to auth header verification.
Modified:
directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
Modified: directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java
URL: http://svn.apache.org/viewcvs/directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java?rev=278597&r1=278596&r2=278597&view=diff
==============================================================================
--- directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java (original)
+++ directory/shared/kerberos/trunk/common/src/java/org/apache/kerberos/service/VerifyAuthHeader.java Sun Sep 4 08:06:39 2005
@@ -17,6 +17,7 @@
package org.apache.kerberos.service;
import java.io.IOException;
+import java.net.InetAddress;
import org.apache.kerberos.chain.impl.CommandBase;
import org.apache.kerberos.crypto.encryption.EncryptionEngine;
@@ -32,6 +33,7 @@
import org.apache.kerberos.messages.components.Ticket;
import org.apache.kerberos.messages.value.ApOptions;
import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.HostAddress;
import org.apache.kerberos.messages.value.KerberosTime;
import org.apache.kerberos.messages.value.TicketFlags;
import org.apache.kerberos.replay.ReplayCache;
@@ -42,8 +44,8 @@
public abstract class VerifyAuthHeader extends CommandBase
{
// RFC 1510 A.10. KRB_AP_REQ verification
- public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket,
- EncryptionKey serverKey, long clockSkew, ReplayCache replayCache )
+ public Authenticator verifyAuthHeader( ApplicationRequest authHeader, Ticket ticket, EncryptionKey serverKey,
+ long clockSkew, ReplayCache replayCache, boolean emptyAddressesAllowed, InetAddress clientAddress )
throws KerberosException, IOException
{
if ( authHeader.getProtocolVersionNumber() != 5 )
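Review bot: The two parameters added to the `verifyAuthHeader` signature are undocumented, and the address check further down is only as trustworthy as the value the caller supplies for `clientAddress`. I would add a Javadoc block above the method with `@param clientAddress source address of the packet that carried the AP-REQ, taken from the transport and never from message contents` and `@param emptyAddressesAllowed when false, a ticket with no client addresses is rejected with KRB_AP_ERR_BADADDR`. Because this is a public method and the parameter list grew, every existing caller has to be updated in the same change; none are visible in this diff. The method body continues outside this hunk.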
@@ -113,22 +115,24 @@
throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
}
- if ( !authenticator.getClientPrincipal().getName().equals(
- ticket.getClientPrincipal().getName() ) )
+ if ( !authenticator.getClientPrincipal().getName().equals( ticket.getClientPrincipal().getName() ) )
{
throw new KerberosException( ErrorType.KRB_AP_ERR_BADMATCH );
}
- // TODO - need to get at IP Address for sender
if ( ticket.getClientAddresses() != null )
{
- // if (sender_address(packet) is not in decr_ticket.caddr)
- // then error_out(KRB_AP_ERR_BADADDR);
+ if ( !ticket.getClientAddresses().contains( new HostAddress( clientAddress ) ) )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
+ }
}
else
{
- // if (application requires addresses) then
- // error_out(KRB_AP_ERR_BADADDR);
+ if ( !emptyAddressesAllowed )
+ {
+ throw new KerberosException( ErrorType.KRB_AP_ERR_BADADDR );
+ }
}
if ( replayCache.isReplay( authenticator.getClientTime(), authenticator.getClientPrincipal() ) )
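Review bot: A null `clientAddress` is not handled before `new HostAddress( clientAddress )` in the branch where the ticket carries client addresses. A caller that cannot determine the peer address therefore gets whatever the `HostAddress` constructor does with null (not visible here) instead of a clean rejection. Failing closed explicitly would read `if ( clientAddress == null || !ticket.getClientAddresses().contains( new HostAddress( clientAddress ) ) )`. The `contains` call also presumably relies on `HostAddress` equality comparing address type and raw bytes; that class is outside the diff, so a unit test with one matching and one non-matching address is worth adding. The enclosing method starts and ends outside this hunk.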
@@ -143,8 +147,7 @@
throw new KerberosException( ErrorType.KRB_AP_ERR_SKEW );
}
- if ( ticket.getStartTime() != null
- && !ticket.getStartTime().isInClockSkew( clockSkew )
+ if ( ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew( clockSkew )
|| ticket.getFlag( TicketFlags.INVALID ) )
{
// it hasn't yet become valid