Posted to commits@directory.apache.org by co...@apache.org on 2017/07/21 11:26:51 UTC
[04/50] [abbrv] directory-kerby git commit: DIRKRB-559 Validataion of
ApReq and ApRep message in peer node. Contributed by Wei.
DIRKRB-559 Validation of ApReq and ApRep message in peer node. Contributed by Wei.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/e41fb489
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/e41fb489
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/e41fb489
Branch: refs/heads/gssapi
Commit: e41fb489f2bfdbfcf3a43f077dd4e28f1035be17
Parents: aa1bd31
Author: plusplusjiajia <ji...@intel.com>
Authored: Wed Apr 27 10:37:47 2016 +0800
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100
----------------------------------------------------------------------
.../kerby/kerberos/kerb/request/ApRequest.java | 37 +++++++++++++++++
.../kerberos/kerb/response/ApResponse.java | 42 ++++++++++++++++----
.../kerby/kerberos/kerb/type/KerberosTime.java | 22 ++++++++++
3 files changed, 94 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 82666a6..096b0de 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -29,12 +29,15 @@ import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
+import java.net.InetAddress;
+
/**
* A wrapper for ApReq request
* The client principal and sgt ticket are needed to create ApReq message.
@@ -118,6 +121,40 @@ public class ApRequest {
}
/*
+ * Validate the ApReq with channel binding and time
+ */
+ public static void validate(EncryptionKey encKey, ApReq apReq,
+ InetAddress initiator,
+ long timeSkew) throws KrbException {
+ validate(encKey, apReq);
+ Ticket ticket = apReq.getTicket();
+ EncTicketPart tktEncPart = ticket.getEncPart();
+ Authenticator authenticator = apReq.getAuthenticator();
+ if (initiator != null) {
+ HostAddresses clientAddrs = tktEncPart.getClientAddresses();
+ if (clientAddrs != null && !clientAddrs.contains(initiator)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
+ }
+ }
+
+ if (timeSkew != 0) {
+ if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
+ }
+
+ KerberosTime now = KerberosTime.now();
+ KerberosTime startTime = tktEncPart.getStartTime();
+ if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
+ }
+
+ if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
+ }
+ }
+ }
+
+ /*
* Unseal the authenticator through the encryption key from ticket
*/
public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException {
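Review bot: The clock-skew check at the top of the `timeSkew != 0` branch looks inverted: `KerberosTime.isInClockSkew` is documented (see its javadoc at the end of the KerberosTime.java part of this commit) as checking whether the time is within the allowed skew, so `if (authenticator.getCtime().isInClockSkew(timeSkew))` throws KRB_AP_ERR_SKEW for every well-timed authenticator and lets a stale one through; the condition should be `if (!authenticator.getCtime().isInClockSkew(timeSkew))`. Gating the start-time and end-time checks on `timeSkew != 0` also means a caller that passes 0 (no tolerance) silently disables ticket expiry checking altogether, which fails open; the KRB_AP_ERR_TKT_NYV / KRB_AP_ERR_TKT_EXPIRED checks should run unconditionally with whatever skew was supplied. A comment on the method should state that the two-argument `validate` it delegates to is responsible for decrypting the ticket and authenticator, since this method dereferences `ticket.getEncPart()` and `apReq.getAuthenticator()` without checking them.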
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
index 2d01004..344fe83 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
@@ -19,12 +19,13 @@
*/
package org.apache.kerby.kerberos.kerb.response;
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.request.ApRequest;
-import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.ap.EncAPRepPart;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -43,8 +44,14 @@ public class ApResponse {
this.encryptionKey = encryptionKey;
}
+ public ApResponse(ApReq apReq) {
+ this.apReq = apReq;
+ }
+
public ApRep getApRep() throws KrbException {
- ApRequest.validate(encryptionKey, apReq);
+ if (encryptionKey != null) {
+ ApRequest.validate(encryptionKey, apReq);
+ }
if (apRep == null) {
apRep = makeApRep();
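Review bot: With the new single-argument constructor, `getApRep()` silently skips `ApRequest.validate` whenever `encryptionKey` is null and goes on to build a reply from the request's authenticator, so nothing in this class distinguishes "already validated by the caller" from "never validated". Document that contract on the constructor, e.g. `/** Responder for an ApReq the caller has already validated (for example via ApRequest.validate(key, apReq, initiator, skew)); no validation is repeated here. */`, and fail early instead of falling through to `makeApRep` with an undecrypted request: `if (encryptionKey == null && apReq.getAuthenticator() == null) { throw new KrbException("ApReq must be validated before an ApRep can be built"); }`. `getApRep` continues past the end of this hunk.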
@@ -64,17 +71,38 @@ public class ApResponse {
ApRep apRep = new ApRep();
EncAPRepPart encAPRepPart = new EncAPRepPart();
+
+ Authenticator auth = apReq.getAuthenticator();
// This field contains the current time on the client's host.
- encAPRepPart.setCtime(KerberosTime.now());
+ encAPRepPart.setCtime(auth.getCtime());
// This field contains the microsecond part of the client's timestamp.
- encAPRepPart.setCusec((int) KerberosTime.now().getTimeInSeconds());
- encAPRepPart.setSubkey(apReq.getAuthenticator().getSubKey());
+ encAPRepPart.setCusec(auth.getCusec());
+ encAPRepPart.setSubkey(auth.getSubKey());
encAPRepPart.setSeqNumber(0);
apRep.setEncRepPart(encAPRepPart);
- EncryptedData encPart = EncryptionUtil.seal(encAPRepPart,
- apReq.getAuthenticator().getSubKey(), KeyUsage.AP_REP_ENCPART);
+ EncryptedData encPart = EncryptionUtil.seal(encAPRepPart, auth.getSubKey(), KeyUsage.AP_REP_ENCPART);
apRep.setEncryptedEncPart(encPart);
return apRep;
}
+
+ /**
+ * Validation for KRB_AP_REP message
+ * @param encKey key used to encrypt encrypted part of KRB_AP_REP message
+ * @param apRep KRB_AP_REP message received
+ * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from server
+ * @throws KrbException
+ */
+ public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws KrbException {
+ EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(),
+ encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
+ apRep.setEncRepPart(encPart);
+ if (apReqSent != null) {
+ Authenticator auth = apReqSent.getAuthenticator();
+ if (!encPart.getCtime().equals(auth.getCtime())
+ || encPart.getCusec() != auth.getCusec()) {
+ throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
+ }
+ }
+ }
}
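Review bot: Sealing the reply with `auth.getSubKey()` on the rewritten `EncryptionUtil.seal(...)` line in `makeApRep` depends on a field the client may legitimately omit: the Authenticator subkey is OPTIONAL in RFC 4120, so a request without one yields a null key here and the seal fails. RFC 4120 §5.5.2 also specifies that the EncAPRepPart is encrypted under the ticket session key rather than the subkey, so a conforming peer would be unable to decrypt this AP-REP; once the ticket has been decrypted the session key should be reachable from `apReq.getTicket().getEncPart()` (presumably a `getKey()` accessor — confirm), and the reply should be sealed with that, with the subkey only echoed back in the `subkey` field. The javadoc of the new `validate` should then say explicitly that `encKey` is the ticket session key shared with the server, not the subkey. The ctime/cusec comparison for KRB_AP_ERR_MUT_FAIL itself matches RFC 4120 §3.2.5.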
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
index c89b0cc..e3da3b1 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
@@ -107,6 +107,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
/**
* Compare the KerberosTime with another one, and return <tt>true</tt>
+ * if it's lesser than the provided one with time skew
+ * @param ktime
+ * @param skew Maximum time skew in milliseconds
+ * @return <tt>true</tt> if less
+ */
+ public boolean lessThanWithSkew(KerberosTime ktime, long skew) {
+ return diff(ktime) - skew <= 0;
+ }
+
+ /**
+ * Compare the KerberosTime with another one, and return <tt>true</tt>
* if it's greater than the provided one
*
* @param ktime compare with milliseconds
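Review bot: `lessThanWithSkew` applies the tolerance in the wrong direction for the way ApRequest.validate uses it for KRB_AP_ERR_TKT_EXPIRED: assuming `diff(ktime)` is this time minus `ktime` in milliseconds, `diff(ktime) - skew <= 0` is true whenever this time is up to `skew` after ktime, so a ticket whose end time is still as much as `skew` in the future is reported as expired, whereas clock-skew tolerance (RFC 4120 §3.2.3) is meant to accept a ticket until its end time is more than `skew` in the past. The expression should be `return diff(ktime) + skew < 0;`, with strict `<` so equal times are not "less". The javadoc should state the direction it implements, e.g. `@return true if this time is earlier than ktime by more than skew`.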
@@ -117,6 +128,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
}
/**
+ * Compare the KerberosTime with another one, and return <tt>true</tt>
+ * if it's greater than the provided one with time skew
+ * @param ktime
+ * @param skew Maximum time skew in milliseconds
+ * @return <tt>true</tt> if greater
+ */
+ public boolean greaterThanWithSkew(KerberosTime ktime, long skew) {
+ return diff(ktime) + skew >= 0;
+ }
+
+ /**
* Check if the KerberosTime is within the provided clock skew
*
* @param clockSkew The clock skew
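Review bot: `greaterThanWithSkew` has the mirror-image problem: assuming `diff(ktime)` is this time minus `ktime`, `diff(ktime) + skew >= 0` is true from `skew` before ktime onward, so `startTime.greaterThanWithSkew(now, timeSkew)` in ApRequest.validate raises KRB_AP_ERR_TKT_NYV for a ticket that became valid up to `skew` ago, and for one whose start time equals now. A skew-tolerant "not yet valid" test should fire only when the start time is more than `skew` in the future: `return diff(ktime) - skew > 0;`, with the javadoc reading `@return true if this time is later than ktime by more than skew`. The `isInClockSkew` javadoc that follows begins inside this hunk but its body lies outside it.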