From erodrig...@apache.org
Subject svn commit: rev 57142 - in incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos: changepw kdc
Date Wed, 10 Nov 2004 05:33:37 GMT
Author: erodriguez
Date: Tue Nov  9 21:33:35 2004
New Revision: 57142

Modified:
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
   incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Log:
Moved authentication header verification and replay cache protection to service base class.

Modified: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
==============================================================================
--- incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
(original)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/changepw/ChangePasswordService.java
Tue Nov  9 21:33:35 2004
@@ -24,22 +24,20 @@
 import org.apache.kerberos.changepw.value.ChangePasswordData;
 import org.apache.kerberos.changepw.value.ChangePasswordDataModifier;
 import org.apache.kerberos.crypto.encryption.EncryptionEngine;
-import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
 import org.apache.kerberos.io.decoder.EncKrbPrivPartDecoder;
-import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
 import org.apache.kerberos.io.encoder.EncApRepPartEncoder;
 import org.apache.kerberos.io.encoder.EncKrbPrivPartEncoder;
 import org.apache.kerberos.kdc.KdcConfiguration;
 import org.apache.kerberos.kdc.KerberosException;
 import org.apache.kerberos.kdc.KerberosService;
 import org.apache.kerberos.kdc.store.PrincipalStore;
-import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
 import org.apache.kerberos.messages.ApplicationRequest;
-import org.apache.kerberos.messages.MessageType;
 import org.apache.kerberos.messages.application.ApplicationReply;
 import org.apache.kerberos.messages.application.PrivateMessage;
 import org.apache.kerberos.messages.components.*;
-import org.apache.kerberos.messages.value.*;
+import org.apache.kerberos.messages.value.EncryptedData;
+import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.HostAddress;
 
 import javax.security.auth.kerberos.KerberosKey;
 import javax.security.auth.kerberos.KerberosPrincipal;
@@ -49,10 +47,9 @@
 /**
  * Kerberos Change Password and Set Password Protocols (RFC 3244)
  */
-public class ChangePasswordService extends KerberosService {
-	
+public class ChangePasswordService extends KerberosService
+{
 	private PasswordStore    store;
-	private PrincipalStore   bootstrap;
 	private KdcConfiguration config;
 	
 	public ChangePasswordService(PasswordStore store, PrincipalStore bootstrap, KdcConfiguration
config)
@@ -60,13 +57,12 @@
 		super(config, bootstrap, null);
 
 		this.store     = store;
-		this.bootstrap = bootstrap;
 		this.config    = config;
 	}
 
 	public ChangePasswordReply getReplyFor(ChangePasswordRequest request)
-			throws KerberosException, IOException {
-		
+			throws KerberosException, IOException
+    {
 		ApplicationRequest authHeader = request.getAuthHeader();
 		
 		Ticket ticket = authHeader.getTicket();
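Review bot: `super(config, bootstrap, null)` hands the base class a null store, while the inherited `verifyAuthHeader` now resolves the server key through `getKeyForPrincipal(serverPrincipal)` instead of the bootstrap-only lookup the deleted local copy used (its commented-out `store.getEntry(...)` branch and the "changepw doesn't have the same LDAP store access" remark show that was deliberate). Whether `getKeyForPrincipal` dereferences `store` when the bootstrap lookup misses is outside this diff, so it is worth confirming that a server principal absent from the bootstrap store yields `KRB_AP_ERR_NOKEY` here rather than a NullPointerException. The replay cache that the deleted copy had commented out is also active for this service now, which is the right direction but changes observable behaviour for repeated change-password requests. The constructor and `getReplyFor` both continue outside the hunk.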
@@ -175,106 +171,6 @@
 		replyModifier.setPrivateMessage(privateMessage);
 		
 		return replyModifier.getChangePasswordReply();
-		
-	}
-	
-	// TODO - this is a duplicate from the TGS service, with the ReplayCache disabled and ...
-	// TODO - ... changepw doesn't have the same LDAP store access
-	// RFC 1510 A.10.  KRB_AP_REQ verification
-	private Authenticator verifyAuthHeader(ApplicationRequest authHeader, Ticket ticket)
-			throws KerberosException, IOException {
-		
-		if (authHeader.getProtocolVersionNumber() != 5)
-			throw KerberosException.KRB_AP_ERR_BADVERSION;
-		if (authHeader.getMessageType() != MessageType.KRB_AP_REQ)
-			throw KerberosException.KRB_AP_ERR_MSG_TYPE;
-		if (authHeader.getTicket().getTicketVersionNumber() != 5)
-			throw KerberosException.KRB_AP_ERR_BADVERSION;
-		
-		EncryptionKey serverKey = null;
-		if (authHeader.getOption(ApOptions.USE_SESSION_KEY)) {
-			serverKey = authHeader.getTicket().getSessionKey();
-		} else {
-			KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
-			PrincipalStoreEntry serverEntry = bootstrap.getEntry(serverPrincipal);
-			
-			if (serverEntry != null) {
-				serverKey = serverEntry.getEncryptionKey();
-			}/*
-			 else {
-				serverKey = store.getEntry(serverPrincipal).getEncryptionKey();
-			}
-			*/
-		}
-		if (serverKey == null) {
-			// TODO - check server key version number, skvno; requires store
-			if (false)
-				throw KerberosException.KRB_AP_ERR_BADKEYVER;
-			
-			throw KerberosException.KRB_AP_ERR_NOKEY;
-		}
-		
-		try {
-            EncryptionEngine engine = getEncryptionEngine(serverKey);
-
-			byte[] decTicketPart = engine.getDecryptedData(serverKey, ticket.getEncPart());
-
-			EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
-			EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
-			ticket.setEncTicketPart(encPart);
-		} catch (KerberosException ke) {
-			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
-		}
-		
-		Authenticator authenticator;
-		
-		try {
-            EncryptionEngine engine = getEncryptionEngine(ticket.getSessionKey());
-
-			byte[] decAuthenticator = engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
-			AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
-			authenticator = authDecoder.decode(decAuthenticator);
-		} catch (KerberosException ke) {
-			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
-		}
-		
-		if (!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
-			throw KerberosException.KRB_AP_ERR_BADMATCH;
-		}
-		
-		// TODO - need to get at IP Address for sender
-		if (ticket.getClientAddresses() != null) {
-			// if (sender_address(packet) is not in decr_ticket.caddr)
-            //    then error_out(KRB_AP_ERR_BADADDR);
-		}
-        else {
-        	// if (application requires addresses) then
-            //    error_out(KRB_AP_ERR_BADADDR);
-        }
-		
-		/*
-		if(_replayCache.isReplay(authenticator.getClientTime(), authenticator.getClientPrincipal()))
{
-			throw KerberosException.KRB_AP_ERR_REPEAT;
-		}
-        
-		_replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
-		*/
-		
-		if (!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
-			throw KerberosException.KRB_AP_ERR_SKEW;
-		
-		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(config.getClockSkew())
||
-				ticket.getFlag(TicketFlags.INVALID))
-				// it hasn't yet become valid
-                throw KerberosException.KRB_AP_ERR_TKT_NYV;
-		
-		// TODO - doesn't take into account skew
-		if (!ticket.getEndTime().greaterThan(new KerberosTime()))
-            throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
-		
-		authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
-		
-		return authenticator;
 	}
 }
 

Modified: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
==============================================================================
--- incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
(original)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KdcDispatcher.java
Tue Nov  9 21:33:35 2004
@@ -19,8 +19,6 @@
 import org.apache.kerberos.io.decoder.KdcRequestDecoder;
 import org.apache.kerberos.io.encoder.ErrorMessageEncoder;
 import org.apache.kerberos.io.encoder.KdcReplyEncoder;
-import org.apache.kerberos.kdc.replay.InMemoryReplayCache;
-import org.apache.kerberos.kdc.replay.ReplayCache;
 import org.apache.kerberos.kdc.store.BootstrapStore;
 import org.apache.kerberos.kdc.store.PrincipalStore;
 import org.apache.kerberos.messages.AuthenticationReply;
@@ -39,10 +37,8 @@
 	private static final byte TGS_REQ = (byte) 0x6C;
 	private static final byte TGS_REP = (byte) 0x6D;
 	
-	private ReplayCache _replay = new InMemoryReplayCache();
-	
-	private KdcRequestDecoder _decoder        = new KdcRequestDecoder();
-	private KdcReplyEncoder   _encoder        = new KdcReplyEncoder();
+	private KdcRequestDecoder   _decoder      = new KdcRequestDecoder();
+	private KdcReplyEncoder     _encoder      = new KdcReplyEncoder();
 	private ErrorMessageEncoder _errorEncoder = new ErrorMessageEncoder();
 	
 	private PrincipalStore   _bootstrap;
@@ -60,7 +56,7 @@
 		
 		_errorService  = new ErrorService(_config);
 		_authService   = new AuthenticationService(_store, _bootstrap, _config);
-		_tgsService    = new TicketGrantingService(_store, _bootstrap, _config, _replay);
+		_tgsService    = new TicketGrantingService(_store, _bootstrap, _config);
 	}
 	
 	public byte[] dispatch(byte[] requestBytes) throws IOException {
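Review bot: The dispatcher no longer owns or injects the replay cache, so with this constructor change each service built here gets its own `new InMemoryReplayCache()` from the field added to KerberosService in this commit, and nothing outside the base class can substitute a shared or persistent implementation; the same loss of the seam shows in the KerberosService field hunk and the TicketGrantingService constructor hunk. A backward-compatible way to keep it is a second KerberosService constructor taking a `ReplayCache`, with the existing three-argument one delegating to it via `new InMemoryReplayCache()`, plus a matching TicketGrantingService overload so the previous four-argument signature still compiles for any other caller. The constructor body continues outside the hunk.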

Modified: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
==============================================================================
--- incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
(original)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/KerberosService.java
Tue Nov  9 21:33:35 2004
@@ -22,12 +22,24 @@
 import org.apache.kerberos.crypto.encryption.EncryptionType;
 import org.apache.kerberos.kdc.store.PrincipalStore;
 import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
+import org.apache.kerberos.kdc.replay.ReplayCache;
+import org.apache.kerberos.kdc.replay.InMemoryReplayCache;
 import org.apache.kerberos.messages.components.Ticket;
+import org.apache.kerberos.messages.components.Authenticator;
+import org.apache.kerberos.messages.components.EncTicketPart;
 import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.ApOptions;
+import org.apache.kerberos.messages.value.TicketFlags;
+import org.apache.kerberos.messages.value.KerberosTime;
+import org.apache.kerberos.messages.ApplicationRequest;
+import org.apache.kerberos.messages.MessageType;
+import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
+import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
 
 import javax.security.auth.kerberos.KerberosPrincipal;
 import java.util.HashMap;
 import java.util.Map;
+import java.io.IOException;
 
 public class KerberosService
 {
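Review bot: The added imports break the alphabetical order the rest of this block and the other three files in the commit keep: `kdc.replay` is inserted after `kdc.store`, the `io.decoder` entries come after `messages`, `ApOptions`/`TicketFlags`/`KerberosTime` are out of order within `messages.value`, and `java.io.IOException` lands below `java.util`. Sorting the `org.apache.kerberos` group and placing `java.io` ahead of `java.util` is a one-time tidy that keeps later merges in this file clean. Pulling `InMemoryReplayCache` into the base class also ties it to one concrete cache implementation rather than the `ReplayCache` interface alone.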
@@ -35,6 +47,8 @@
     private PrincipalStore   bootstrap;
     private PrincipalStore   store;
 
+    private ReplayCache replayCache = new InMemoryReplayCache();
+
     private Map checksumEngines = new HashMap();
 
     public KerberosService(KdcConfiguration config, PrincipalStore bootstrap, PrincipalStore
store)
@@ -103,6 +117,100 @@
 		if (!ticket.getRealm().equals(config.getPrimaryRealm())
 				&& !ticket.getServerPrincipal().equals(serverPrincipal))
 			throw KerberosException.KRB_AP_ERR_NOT_US;
+	}
+
+    // RFC 1510 A.10.  KRB_AP_REQ verification
+	protected Authenticator verifyAuthHeader(ApplicationRequest authHeader, Ticket ticket)
+			throws KerberosException, IOException {
+
+		if (authHeader.getProtocolVersionNumber() != 5)
+			throw KerberosException.KRB_AP_ERR_BADVERSION;
+		if (authHeader.getMessageType() != MessageType.KRB_AP_REQ)
+			throw KerberosException.KRB_AP_ERR_MSG_TYPE;
+		if (authHeader.getTicket().getTicketVersionNumber() != 5)
+			throw KerberosException.KRB_AP_ERR_BADVERSION;
+
+        KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
+
+		EncryptionKey serverKey = null;
+
+		if (authHeader.getOption(ApOptions.USE_SESSION_KEY))
+        {
+			serverKey = authHeader.getTicket().getSessionKey();
+		}
+        else
+        {
+			serverKey = getKeyForPrincipal(serverPrincipal);
+		}
+
+		if (serverKey == null)
+        {
+			// TODO - check server key version number, skvno; requires store
+			if (false)
+				throw KerberosException.KRB_AP_ERR_BADKEYVER;
+
+			throw KerberosException.KRB_AP_ERR_NOKEY;
+		}
+
+		try {
+            EncryptionEngine engine = getEncryptionEngine(serverKey);
+
+			byte[] decTicketPart = engine.getDecryptedData(serverKey, ticket.getEncPart());
+
+			EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
+			EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
+			ticket.setEncTicketPart(encPart);
+		} catch (KerberosException ke) {
+			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
+		}
+
+		Authenticator authenticator;
+
+		try {
+            EncryptionEngine engine = getEncryptionEngine(ticket.getSessionKey());
+
+			byte[] decAuthenticator = engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
+			AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
+			authenticator = authDecoder.decode(decAuthenticator);
+		} catch (KerberosException ke) {
+			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
+		}
+
+		if (!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
+			throw KerberosException.KRB_AP_ERR_BADMATCH;
+		}
+
+		// TODO - need to get at IP Address for sender
+		if (ticket.getClientAddresses() != null) {
+			// if (sender_address(packet) is not in decr_ticket.caddr)
+            //    then error_out(KRB_AP_ERR_BADADDR);
+		}
+        else {
+        	// if (application requires addresses) then
+            //    error_out(KRB_AP_ERR_BADADDR);
+        }
+
+		if(replayCache.isReplay(authenticator.getClientTime(), authenticator.getClientPrincipal()))
{
+			throw KerberosException.KRB_AP_ERR_REPEAT;
+		}
+
+		replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
+
+		if (!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
+			throw KerberosException.KRB_AP_ERR_SKEW;
+
+		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(config.getClockSkew())
||
+				ticket.getFlag(TicketFlags.INVALID))
+				// it hasn't yet become valid
+                throw KerberosException.KRB_AP_ERR_TKT_NYV;
+
+		// TODO - doesn't take into account skew
+		if (!ticket.getEndTime().greaterThan(new KerberosTime()))
+            throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
+
+		authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
+
+		return authenticator;
 	}
 }
 
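Review bot: `replayCache.save(...)` runs before the clock-skew check on the authenticator and before the ticket start/end-time checks, so every authenticator that decrypts correctly is recorded even when it is then rejected with KRB_AP_ERR_SKEW, KRB_AP_ERR_TKT_NYV or KRB_AP_ERR_TKT_EXPIRED. Moving the two lines `if (!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))` / `throw KerberosException.KRB_AP_ERR_SKEW;` above the `isReplay` call keeps the cache bounded to the skew window, which is what lets an in-memory cache expire entries (InMemoryReplayCache's expiry policy is not visible here). The cache key is only (client time, client principal); if KerberosTime carries no sub-second component, two legitimate requests from one client within the same second would collide as a replay, so that type is worth checking. `if (false) throw KerberosException.KRB_AP_ERR_BADKEYVER;` is dead code and reads better as the comment `// TODO - check the server key version (skvno) against the store and throw KRB_AP_ERR_BADKEYVER`. The USE_SESSION_KEY branch reads `getSessionKey()` from a ticket whose encrypted part is decoded only later in this method, so unless the session key is populated elsewhere that branch can only fall through to KRB_AP_ERR_NOKEY.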

Modified: incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
==============================================================================
--- incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
(original)
+++ incubator/directory/kerberos/trunk/kerberos/src/java/org/apache/kerberos/kdc/TicketGrantingService.java
Tue Nov  9 21:33:35 2004
@@ -22,17 +22,13 @@
 import org.apache.kerberos.crypto.encryption.EncryptionEngine;
 import org.apache.kerberos.crypto.encryption.EncryptionType;
 import org.apache.kerberos.io.decoder.ApplicationRequestDecoder;
-import org.apache.kerberos.io.decoder.AuthenticatorDecoder;
 import org.apache.kerberos.io.decoder.AuthorizationDataDecoder;
-import org.apache.kerberos.io.decoder.EncTicketPartDecoder;
 import org.apache.kerberos.io.encoder.EncTgsRepPartEncoder;
 import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
 import org.apache.kerberos.io.encoder.KdcReqBodyEncoder;
-import org.apache.kerberos.kdc.replay.ReplayCache;
 import org.apache.kerberos.kdc.store.PrincipalStore;
 import org.apache.kerberos.messages.ApplicationRequest;
 import org.apache.kerberos.messages.KdcRequest;
-import org.apache.kerberos.messages.MessageType;
 import org.apache.kerberos.messages.TicketGrantReply;
 import org.apache.kerberos.messages.components.Authenticator;
 import org.apache.kerberos.messages.components.EncTicketPart;
@@ -52,15 +48,13 @@
 public class TicketGrantingService extends KerberosService {
 	
 	private KdcConfiguration config;
-	private ReplayCache      replayCache;
 
 	public TicketGrantingService(PrincipalStore store, PrincipalStore bootstrap,
-			KdcConfiguration config, ReplayCache replay)
+			KdcConfiguration config)
     {
         super(config, bootstrap, store);
 
 		this.config    = config;
-		replayCache    = replay;
 	}
 	
 	public TicketGrantReply getReplyFor(KdcRequest request) throws KerberosException, IOException
{
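Review bot: `private KdcConfiguration config;` is kept in this subclass although the same object is passed to `super(config, bootstrap, store)` and the base class already uses its own `config` (for the realm check and the clock skew in `verifyAuthHeader`); the duplicate is a point of style rather than a bug, but a `protected KdcConfiguration getConfig()` accessor on KerberosService would let this class and ChangePasswordService drop their copies. The class brace on the `class TicketGrantingService` line also now differs from the Allman braces this commit introduces in ChangePasswordService, so one style or the other should be picked for the package. `getReplyFor` continues outside the hunk.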
@@ -105,99 +99,7 @@
 		return authHeader;
 	}
 	
-	// RFC 1510 A.10.  KRB_AP_REQ verification
-	private Authenticator verifyAuthHeader(ApplicationRequest authHeader, Ticket ticket)
-			throws KerberosException, IOException {
-		
-		if (authHeader.getProtocolVersionNumber() != 5)
-			throw KerberosException.KRB_AP_ERR_BADVERSION;
-		if (authHeader.getMessageType() != MessageType.KRB_AP_REQ)
-			throw KerberosException.KRB_AP_ERR_MSG_TYPE;
-		if (authHeader.getTicket().getTicketVersionNumber() != 5)
-			throw KerberosException.KRB_AP_ERR_BADVERSION;
 
-        KerberosPrincipal serverPrincipal = ticket.getServerPrincipal();
-
-		EncryptionKey serverKey = null;
-
-		if (authHeader.getOption(ApOptions.USE_SESSION_KEY))
-        {
-			serverKey = authHeader.getTicket().getSessionKey();
-		}
-        else
-        {
-			serverKey = getKeyForPrincipal(serverPrincipal);
-		}
-
-		if (serverKey == null)
-        {
-			// TODO - check server key version number, skvno; requires store
-			if (false)
-				throw KerberosException.KRB_AP_ERR_BADKEYVER;
-			
-			throw KerberosException.KRB_AP_ERR_NOKEY;
-		}
-		
-		try {
-            EncryptionEngine engine = getEncryptionEngine(serverKey);
-
-			byte[] decTicketPart = engine.getDecryptedData(serverKey, ticket.getEncPart());
-
-			EncTicketPartDecoder ticketPartDecoder = new EncTicketPartDecoder();
-			EncTicketPart encPart = ticketPartDecoder.decode(decTicketPart);
-			ticket.setEncTicketPart(encPart);
-		} catch (KerberosException ke) {
-			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
-		}
-		
-		Authenticator authenticator;
-		
-		try {
-            EncryptionEngine engine = getEncryptionEngine(ticket.getSessionKey());
-
-			byte[] decAuthenticator = engine.getDecryptedData(ticket.getSessionKey(), authHeader.getEncPart());
-			AuthenticatorDecoder authDecoder = new AuthenticatorDecoder();
-			authenticator = authDecoder.decode(decAuthenticator);
-		} catch (KerberosException ke) {
-			throw KerberosException.KRB_AP_ERR_BAD_INTEGRITY;
-		}
-		
-		if (!authenticator.getClientPrincipal().getName().equals(ticket.getClientPrincipal().getName()))
{
-			throw KerberosException.KRB_AP_ERR_BADMATCH;
-		}
-		
-		// TODO - need to get at IP Address for sender
-		if (ticket.getClientAddresses() != null) {
-			// if (sender_address(packet) is not in decr_ticket.caddr)
-            //    then error_out(KRB_AP_ERR_BADADDR);
-		}
-        else {
-        	// if (application requires addresses) then
-            //    error_out(KRB_AP_ERR_BADADDR);
-        }
-		
-		if(replayCache.isReplay(authenticator.getClientTime(), authenticator.getClientPrincipal()))
{
-			throw KerberosException.KRB_AP_ERR_REPEAT;
-		}
-        
-		replayCache.save(authenticator.getClientTime(), authenticator.getClientPrincipal());
-		
-		if (!authenticator.getClientTime().isInClockSkew(config.getClockSkew()))
-			throw KerberosException.KRB_AP_ERR_SKEW;
-		
-		if (ticket.getStartTime() != null && !ticket.getStartTime().isInClockSkew(config.getClockSkew())
||
-				ticket.getFlag(TicketFlags.INVALID))
-				// it hasn't yet become valid
-                throw KerberosException.KRB_AP_ERR_TKT_NYV;
-		
-		// TODO - doesn't take into account skew
-		if (!ticket.getEndTime().greaterThan(new KerberosTime()))
-            throw KerberosException.KRB_AP_ERR_TKT_EXPIRED;
-		
-		authHeader.setOption(ApOptions.MUTUAL_REQUIRED);
-		
-		return authenticator;
-	}
 	
 	// TODO - configurable checksum
 	private void verifyBodyChecksum(Checksum authChecksum, KdcRequest request)
