directory-commits mailing list archives

From cohei...@apache.org
Subject [1/2] directory-kerby git commit: DIRKRB-682 Fix checksum verify in TgsRequest.
Date Fri, 12 Jan 2018 10:09:07 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/1.1.x-fixes [created] 1296f52d8


DIRKRB-682 Fix checksum verify in TgsRequest.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/83c29335
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/83c29335
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/83c29335

Branch: refs/heads/1.1.x-fixes
Commit: 83c293359bc127583c1367cf4f1db294527eed56
Parents: c22be36
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Wed Dec 27 15:40:21 2017 +0800
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jan 12 10:01:50 2018 +0000

----------------------------------------------------------------------
 .../kerb/server/request/KdcRequest.java         |  7 +++-
 .../kerb/server/request/TgsRequest.java         | 34 +++++++++++++-------
 2 files changed, 29 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/83c29335/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index a88fb22..86f47e7 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -170,7 +170,6 @@ public abstract class KdcRequest {
     public void process() throws KrbException {
         checkVersion();
         checkTgsEntry();
-        kdcFindFast();
         if (isPreauthRequired()) {
             kdcFindFast();
         }
@@ -232,11 +231,15 @@ public abstract class KdcRequest {
                         throw new KrbException(errMessage);
                     }
                     fastArmoredReq = paFxFastRequest.getFastArmoredReq();
+                    if (fastArmoredReq == null) {
+                        return;
+                    }
 
                     KrbFastArmor fastArmor = fastArmoredReq.getArmor();
                     if (fastArmor == null) {
                         return;
                     }
+
                     try {
                         armorApRequest(fastArmor);
                     } catch (KrbException e) {
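Review bot: The added `fastArmoredReq == null` guard returns without logging or rejecting, so a request whose PA-FX-FAST padata has no armored request is, as far as this hunk shows, handled as an ordinary non-FAST request. If the KDC is meant to enforce armoring, that quiet fallback should be visible: at minimum add `LOG.warn("PA-FX-FAST padata carried no armored request; continuing without FAST.");` before the `return`, and consider throwing a `KrbException` where policy requires FAST. The same applies to the existing `fastArmor == null` return just below it. The enclosing method starts and ends outside the hunk, so how the caller treats the early return cannot be seen here.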
@@ -293,6 +296,7 @@ public abstract class KdcRequest {
                         throw new KrbException(errMessage);
                     }
                     if (!success) {
+                        LOG.error("Verify the KdcReqBody failed.");
                         throw new KrbException("Verify the KdcReqBody failed. ");
                     }
                 }
@@ -321,6 +325,7 @@ public abstract class KdcRequest {
             EncryptionType encType = ticket.getEncryptedEncPart().getEType();
             EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
             if (ticket.getTktvno() != KrbConstant.KRB_V5) {
+                LOG.error(KrbErrorCode.KRB_AP_ERR_BADVERSION.getMessage());
                 throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
             }
 

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/83c29335/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
index 24b53a8..7324b88 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -232,21 +232,33 @@ public class TgsRequest extends KdcRequest {
                 throw new KrbException(errMessage);
             }
             boolean success;
-            try {
-                if (authenticator.getSubKey() != null) {
+
+            switch (checkSum.getCksumtype()) {
+                case RSA_MD5_DES:
+                case RSA_MD4_DES:
+                case DES_MAC:
+                case DES_CBC:
+                case HMAC_SHA1_DES3:
+                case HMAC_SHA1_96_AES256:
+                case HMAC_SHA1_96_AES128:
+                case CMAC_CAMELLIA128:
+                case CMAC_CAMELLIA256:
+                case MD5_HMAC_ARCFOUR:
+                case HMAC_MD5_ARCFOUR:
                     success = CheckSumHandler.verifyWithKey(checkSum, reqBody,
-                    authenticator.getSubKey().getKeyData(), KeyUsage.TGS_REQ_AUTH_CKSUM);
-                } else {
+                        getTgtSessionKey().getKeyData(), KeyUsage.TGS_REQ_AUTH_CKSUM);
+                    break;
+                case RSA_MD5:
+                case NIST_SHA:
+                case CRC32:
+                case RSA_MD4:
+                default:
                     success = CheckSumHandler.verify(checkSum, reqBody);
-                }
-
-            } catch (KrbException e) {
-                String errMessage = "Verify the KdcReqBody failed. " + e.getMessage();
-                LOG.error(errMessage);
-                throw new KrbException(errMessage);
             }
+
             if (!success) {
-                throw new KrbException("Verify the KdcReqBody failed. ");
+                LOG.error("Verify the KdcReqBody failed.");
+                throw new KrbException("Verify the KdcReqBody failed.");
             }
         }
     }
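Review bot: The `default:` label shares the unkeyed branch, so any checksum type not named in the keyed list, including a keyed type added to the enum later, is verified with `CheckSumHandler.verify(checkSum, reqBody)` and no key. Failing closed is safer: keep the four unkeyed labels on that branch and make the fallback `default: throw new KrbException("Unsupported checksum type: " + checkSum.getCksumtype());`. Separately, CRC32, RSA_MD4 and RSA_MD5 are not collision-resistant, so accepting them binds the authenticator to the request body only weakly; whether the KDC should accept them at all deserves a policy check. The failure log line would also serve detection better if it included the checksum type. The enclosing method begins before the hunk.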

