Posted to commits@directory.apache.org by el...@apache.org on 2012/01/27 01:41:39 UTC

svn commit: r1236474 - in /directory/apacheds/trunk: kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/ protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/

Author: elecharny
Date: Fri Jan 27 00:41:39 2012
New Revision: 1236474

URL: http://svn.apache.org/viewvc?rev=1236474&view=rev
Log:
Fixed DIRKRB-84: the EncryptionTypes are now stored in a List instead of a Set, and the ETYPE-INFO returned with KDC_ERR_PREAUTH_REQUIRED now lists only the encryption types the client requested that the server also supports.

Modified:
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
    directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java

Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java?rev=1236474&r1=1236473&r2=1236474&view=diff
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java (original)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/SaslGssapiBindITest.java Fri Jan 27 00:41:39 2012
@@ -6,16 +6,16 @@
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
- *  
+ * 
  *    http://www.apache.org/licenses/LICENSE-2.0
- *  
+ * 
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
- *  under the License. 
- *  
+ *  under the License.
+ * 
  */
 package org.apache.directory.server.kerberos.kdc;
 
@@ -171,6 +171,7 @@ public class SaslGssapiBindITest extends
         // isn't resolved to localhost by default. In that case we need
         // to use the IP address for the service principal.
         String hostName;
+        
         try
         {
             InetAddress loopback = InetAddress.getByName( "127.0.0.1" );
@@ -181,6 +182,7 @@ public class SaslGssapiBindITest extends
             System.err.println( "Can't find loopback address '127.0.0.1', using hostname 'localhost'" );
             hostName = "localhost";
         }
+        
         String servicePrincipal = "ldap/" + hostName + "@EXAMPLE.COM";
         getLdapServer().setSaslPrincipal( servicePrincipal );
 
@@ -195,6 +197,7 @@ public class SaslGssapiBindITest extends
         // check if krb5kdc is disabled
         Attributes krb5kdcAttrs = schemaRoot.getAttributes( "cn=Krb5kdc" );
         boolean isKrb5KdcDisabled = false;
+        
         if ( krb5kdcAttrs.get( "m-disabled" ) != null )
         {
             isKrb5KdcDisabled = ( ( String ) krb5kdcAttrs.get( "m-disabled" ).get() ).equalsIgnoreCase( "TRUE" );
@@ -396,7 +399,7 @@ public class SaslGssapiBindITest extends
 
     /**
      * Sets the contexts of this class taking into account the extras and overrides
-     * properties.  
+     * properties.
      *
      * @param env an environment to use while setting up the system root.
      * @throws NamingException if there is a failure of any kind

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java?rev=1236474&r1=1236473&r2=1236474&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java (original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/authentication/AuthenticationService.java Fri Jan 27 00:41:39 2012
@@ -24,8 +24,6 @@ import java.net.InetAddress;
 import java.nio.ByteBuffer;
 import java.util.Date;
 import java.util.List;
-import java.util.Set;
-
 import javax.security.auth.kerberos.KerberosKey;
 import javax.security.auth.kerberos.KerberosPrincipal;
 
@@ -207,8 +205,8 @@ public class AuthenticationService
 
             if ( preAuthData == null || preAuthData.size() == 0 )
             {
-                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError( config
-                    .getEncryptionTypes() ) );
+                throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED, preparePreAuthenticationError(
+                    request.getKdcReqBody().getEType(), config.getEncryptionTypes() ) );
             }
 
             try
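Review bot: `request.getKdcReqBody().getEType()` is read straight from the unauthenticated AS-REQ and passed to `preparePreAuthenticationError`, which iterates it with no null check; if the decoder can leave the etype field null on a malformed request, the KDC would fail with a NullPointerException here instead of answering with a KRB-ERROR. Guard the value before building the error, e.g. `if ( request.getKdcReqBody().getEType() == null ) throw new KerberosException( ErrorType.KDC_ERR_ETYPE_NOSUPP );` (assuming that ErrorType constant exists, as it does in RFC 4120), or have the helper treat null as an empty list. Whether the ASN.1 decoder already rejects a KDC-REQ-BODY without etype is not visible from this hunk. The enclosing method begins before the hunk.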
@@ -277,7 +275,8 @@ public class AuthenticationService
                 if ( preAuthData == null )
                 {
                     throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
-                        preparePreAuthenticationError( config.getEncryptionTypes() ) );
+                        preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(),
+                            config.getEncryptionTypes() ) );
                 }
 
                 PaEncTsEnc timestamp = null;
@@ -287,6 +286,7 @@ public class AuthenticationService
                     if ( paData.getPaDataType().equals( PaDataType.PA_ENC_TIMESTAMP ) )
                     {
                         EncryptedData dataValue = KerberosDecoder.decodeEncryptedData( paData.getPaDataValue() );
+                        paData.getPaDataType();
                         byte[] decryptedData = cipherTextHandler.decrypt( clientKey, dataValue,
                             KeyUsage.AS_REQ_PA_ENC_TIMESTAMP_WITH_CKEY );
                         timestamp = KerberosDecoder.decodePaEncTsEnc( decryptedData );
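Review bot: The added statement `paData.getPaDataType();` is a bare expression whose result is discarded, so it has no effect and reads like a leftover from debugging; the type was already checked in the `if` two lines above. Delete that line. The loop and the enclosing method continue outside the hunk.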
@@ -301,7 +301,7 @@ public class AuthenticationService
                 if ( timestamp == null )
                 {
                     throw new KerberosException( ErrorType.KDC_ERR_PREAUTH_REQUIRED,
-                        preparePreAuthenticationError( config.getEncryptionTypes() ) );
+                        preparePreAuthenticationError( authContext.getRequest().getKdcReqBody().getEType(), config.getEncryptionTypes() ) );
                 }
 
                 if ( !timestamp.getPaTimestamp().isInClockSkew( config.getAllowableClockSkew() ) )
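Review bot: The expression `authContext.getRequest().getKdcReqBody().getEType()` is now spelled out at three call sites in this method (here and in the two hunks above) and pushes this line well past the file's usual width. Hoist it once near the top of the method, `List<EncryptionType> clientETypes = authContext.getRequest().getKdcReqBody().getEType();`, and pass `clientETypes` at each site, which also gives a single place to validate it. The enclosing method starts and ends outside the hunk.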
@@ -788,7 +788,7 @@ public class AuthenticationService
      * @param encryptionTypes
      * @return The error message as bytes.
      */
-    private static byte[] preparePreAuthenticationError( List<EncryptionType> encryptionTypes )
+    private static byte[] preparePreAuthenticationError( List<EncryptionType> clientEncryptionTypes, List<EncryptionType> serverEncryptionTypes )
     {
         PaData[] paDataSequence = new PaData[2];
 
@@ -800,10 +800,13 @@ public class AuthenticationService
 
         ETypeInfo eTypeInfo = new ETypeInfo();
 
-        for ( EncryptionType encryptionType : encryptionTypes )
+        for ( EncryptionType encryptionType : clientEncryptionTypes )
         {
-            ETypeInfoEntry etypeInfoEntry = new ETypeInfoEntry( encryptionType, null );
-            eTypeInfo.addETypeInfoEntry( etypeInfoEntry );
+            if ( serverEncryptionTypes.contains( encryptionType ) )
+            {
+                ETypeInfoEntry etypeInfoEntry = new ETypeInfoEntry( encryptionType, null );
+                eTypeInfo.addETypeInfoEntry( etypeInfoEntry );
+            }
         }
 
         byte[] encTypeInfo = null;
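Review bot: When the two lists have no element in common the loop adds nothing, and the caller still sends KDC_ERR_PREAUTH_REQUIRED with an empty ETYPE-INFO, which gives the client no usable key hint where RFC 4120 would call for KDC_ERR_ETYPE_NOSUPP; consider detecting the empty result (a counter in the loop, or a check on `eTypeInfo` before encoding) and letting the callers return that error instead. A second point is ordering: the loop walks `clientEncryptionTypes`, so the KDC's configured order no longer influences which etype is listed first and a client that puts a weak etype first gets it advertised first; if the KDC preference is meant to win, iterate `serverEncryptionTypes` and keep those where `clientEncryptionTypes.contains( encryptionType )`. Which side's order the ETYPE-INFO should follow is not settled by this hunk, so this is worth a comment either way. The method continues outside the hunk.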