From seelm...@apache.org
Subject svn commit: r1150951 - in /directory/apacheds/trunk: kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/ protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/
Date Mon, 25 Jul 2011 23:02:07 GMT
Author: seelmann
Date: Mon Jul 25 23:02:06 2011
New Revision: 1150951

URL: http://svn.apache.org/viewvc?rev=1150951&view=rev
Log:
Fix for DIRSERVER-1635: Use the session key and right key usage to verify the checksum. Reworked
the tests to be able to set the checksum to use. Note that the tests are highly coupled to
the Sun Java implementation, as fields in internal classes are modified using reflection.

Modified:
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
    directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
    directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java

Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java?rev=1150951&r1=1150950&r2=1150951&view=diff
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
(original)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java
Mon Jul 25 23:02:06 2011
@@ -24,6 +24,7 @@ import static org.junit.Assert.assertEqu
 
 import java.io.File;
 import java.io.IOException;
+import java.lang.reflect.Field;
 import java.util.Collections;
 
 import javax.security.auth.Subject;
@@ -33,7 +34,10 @@ import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang.SystemUtils;
 import org.apache.directory.server.core.LdapCoreSessionConnection;
 import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.protocol.shared.transport.TcpTransport;
+import org.apache.directory.server.protocol.shared.transport.Transport;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
 import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
 import org.apache.directory.shared.ldap.model.entry.DefaultModification;
 import org.apache.directory.shared.ldap.model.entry.Entry;
@@ -80,6 +84,24 @@ public class AbstractKerberosITest exten
         conn.close();
     }
 
+    class ObtainTicketParameters
+    {
+        Class<? extends Transport> transport;
+        EncryptionType encryptionType;
+        ChecksumType checksumType;
+        Integer oldUdpPrefLimit;
+        Integer oldCksumtypeDefault;
+
+
+        public ObtainTicketParameters( Class<? extends Transport> transport, EncryptionType
encryptionType,
+            ChecksumType checksumType )
+        {
+            this.transport = transport;
+            this.encryptionType = encryptionType;
+            this.checksumType = checksumType;
+        }
+    }
+
 
     /**
      * Obtains a TGT and service tickets for the user. 
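Review bot: ObtainTicketParameters is declared as a non-static inner class with package-private mutable fields, and nothing on it says that oldUdpPrefLimit and oldCksumtypeDefault are not set by the constructor but written later by setupEnv and read back by resetEnv. It does not touch the enclosing instance, so it can be `static final class ObtainTicketParameters`, which also keeps it from carrying a hidden reference to the test fixture. A one-line Javadoc would make the contract visible: `/** Per-test settings; the two old* fields hold the JVM-wide Sun krb5 values saved by setupEnv so that resetEnv can restore them. */`.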
@@ -88,27 +110,35 @@ public class AbstractKerberosITest exten
      * @param encryptionType the encryption type to use
      * @throws Exception
      */
-    protected void testObtainTickets( EncryptionType encryptionType ) throws Exception
+    protected void testObtainTickets( ObtainTicketParameters parameters ) throws Exception
     {
-        Subject subject = new Subject();
-
-        KerberosTestUtils.obtainTGT( subject, USER_UID, USER_PASSWORD );
-        
-        assertEquals( 1, subject.getPrivateCredentials().size() );
-        assertEquals( 0, subject.getPublicCredentials().size() );
-
-        KerberosTestUtils.obtainServiceTickets( subject, USER_UID, LDAP_SERVICE_NAME, HOSTNAME
);
-
-        assertEquals( 2, subject.getPrivateCredentials().size() );
-        assertEquals( 0, subject.getPublicCredentials().size() );
-        for ( KerberosTicket kt : subject.getPrivateCredentials( KerberosTicket.class ) )
+        setupEnv(parameters);
+        try
+        {
+            Subject subject = new Subject();
+    
+            KerberosTestUtils.obtainTGT( subject, USER_UID, USER_PASSWORD );
+            
+            assertEquals( 1, subject.getPrivateCredentials().size() );
+            assertEquals( 0, subject.getPublicCredentials().size() );
+    
+            KerberosTestUtils.obtainServiceTickets( subject, USER_UID, LDAP_SERVICE_NAME,
HOSTNAME );
+    
+            assertEquals( 2, subject.getPrivateCredentials().size() );
+            assertEquals( 0, subject.getPublicCredentials().size() );
+            for ( KerberosTicket kt : subject.getPrivateCredentials( KerberosTicket.class
) )
+            {
+                // System.out.println( kt.getClient() );
+                // System.out.println( kt.getServer() );
+                // System.out.println( kt.getSessionKeyType() );
+                assertEquals( parameters.encryptionType.getValue(), kt.getSessionKeyType()
);
+            }
+            // System.out.println( subject );
+        }
+        finally
         {
-            // System.out.println( kt.getClient() );
-            // System.out.println( kt.getServer() );
-            // System.out.println( kt.getSessionKeyType() );
-            assertEquals( encryptionType.getValue(), kt.getSessionKeyType() );
+            resetEnv( parameters );
         }
-        // sSystem.out.println( subject );
     }
 
 
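Review bot: `setupEnv( parameters )` at the top of testObtainTickets sits outside the try block, so if setup fails after `setUdpPrefLimit` has run (in `setCksumtypeDefault`, `createKrb5Conf` or `kdcServer.setEncryptionTypes`) the JVM-wide `udpPrefLimit` and `CKSUMTYPE_DEFAULT` fields stay forced for every later test in the JVM; moving the per-class @BeforeClass/@AfterClass handling into this method relocates that leak rather than closing it. Moving the call inside the try, `try { setupEnv( parameters ); Subject subject = new Subject(); …`, fixes it, provided resetEnv tolerates the old* fields still being null. The Javadoc above the method is also stale: `@param encryptionType the encryption type to use` should become `@param parameters the transport, encryption type and checksum type to test with`.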
@@ -120,14 +150,25 @@ public class AbstractKerberosITest exten
     }
 
 
-    protected void setupEnv( EncryptionType encryptionType ) throws LdapException, IOException
+    protected void setupEnv( ObtainTicketParameters parameters ) 
+        throws Exception
     {
+        // Save current value of sun.security.krb5.KrbKdcReq.udpPrefLimit field.
+        // Then set it to -1/1 to force UDP/TCP.
+        parameters.oldUdpPrefLimit = getUdpPrefLimit();
+        setUdpPrefLimit( parameters.transport == TcpTransport.class ? 1 : -1 );
+        
+        // Save current value of sun.security.krb5.Checksum.CKSUMTYPE_DEFAULT field.
+        // Then set it to the required checksum value
+        parameters.oldCksumtypeDefault = getCksumtypeDefault();
+        setCksumtypeDefault( parameters.checksumType.getValue() );
+        
         // create krb5.conf with proper encryption type
-        String krb5confPath = createKrb5Conf( encryptionType );
+        String krb5confPath = createKrb5Conf( parameters.encryptionType );
         System.setProperty( "java.security.krb5.conf", krb5confPath );
 
         // change encryption type in KDC
-        kdcServer.setEncryptionTypes( Collections.singleton( encryptionType ) );
+        kdcServer.setEncryptionTypes( Collections.singleton( parameters.encryptionType )
);
 
         // create principals
         createPrincipal( "uid=" + USER_UID, "Last", "First Last",
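Review bot: `parameters.transport == TcpTransport.class ? 1 : -1` treats every value other than TcpTransport.class, including null, as "force UDP", so a mis-built ObtainTicketParameters silently runs the test over the wrong transport instead of failing. A `Objects.requireNonNull( parameters.transport, "transport" )` up front, or an explicit check against UdpTransport.class with an IllegalArgumentException for anything else, would make that loud. The same comment block should also say that both reflection writes change process-global state of the Sun krb5 implementation, which is why the tests cannot run in parallel within one JVM.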
@@ -140,7 +181,63 @@ public class AbstractKerberosITest exten
         createPrincipal( "uid=ldap", "Service", "LDAP Service",
             "ldap", "randall", servicePrincipal );
     }
+    
+    protected void resetEnv( ObtainTicketParameters parameters ) 
+        throws Exception
+    {
+        setUdpPrefLimit( parameters.oldUdpPrefLimit );
+        setCksumtypeDefault( parameters.oldCksumtypeDefault );
+    }
 
+    private static Integer getUdpPrefLimit() throws Exception
+    {
+        Field udpPrefLimitField = getUdpPrefLimitField();
+        Object value = udpPrefLimitField.get( null );
+        return ( Integer ) value;
+    }
+
+
+    private static void setUdpPrefLimit( int limit ) throws Exception
+    {
+        Field udpPrefLimitField = getUdpPrefLimitField();
+        udpPrefLimitField.setAccessible( true );
+        udpPrefLimitField.set( null, limit );
+    }
+
+
+    private static Field getUdpPrefLimitField() throws ClassNotFoundException, NoSuchFieldException
+    {
+        String clazz = "sun.security.krb5.KrbKdcReq";
+        Class<?> krbKdcReqClass = Class.forName( clazz );
+        Field udpPrefLimitField = krbKdcReqClass.getDeclaredField( "udpPrefLimit" );
+        udpPrefLimitField.setAccessible( true );
+        return udpPrefLimitField;
+    }
+    
+    private static Integer getCksumtypeDefault() throws Exception
+    {
+        Field cksumtypeDefaultField = getCksumtypeDefaultField();
+        Object value = cksumtypeDefaultField.get( null );
+        return ( Integer ) value;
+    }
+    
+    
+    private static void setCksumtypeDefault( int limit ) throws Exception
+    {
+        Field cksumtypeDefaultField = getCksumtypeDefaultField();
+        cksumtypeDefaultField.setAccessible( true );
+        cksumtypeDefaultField.set( null, limit );
+    }
+    
+    
+    private static Field getCksumtypeDefaultField() throws ClassNotFoundException, NoSuchFieldException
+    {
+        String clazz = "sun.security.krb5.Checksum";
+        Class<?> checksumClass = Class.forName( clazz );
+        Field cksumtypeDefaultField = checksumClass.getDeclaredField( "CKSUMTYPE_DEFAULT"
);
+        cksumtypeDefaultField.setAccessible( true );
+        return cksumtypeDefaultField;
+    }
 
     /**
      * Creates the krb5.conf file for the test.
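Review bot: resetEnv unboxes `parameters.oldUdpPrefLimit` and `parameters.oldCksumtypeDefault` into the `int` parameters of the setters, so if setupEnv threw before saving one of them the restore NPEs and masks the original failure. Guard each restore, `if ( parameters.oldUdpPrefLimit != null ) { setUdpPrefLimit( parameters.oldUdpPrefLimit ); }` and likewise for the checksum default. The four reflection helpers are the same code with the class and field name swapped and could be one `getStaticInt( className, fieldName )`/`setStaticInt( className, fieldName, value )` pair; as written, `setCksumtypeDefault( int limit )` keeps the copy-pasted parameter name `limit` for a checksum type, and `setAccessible( true )` is called a second time in each setter although the field getter already did it.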
@@ -165,6 +262,7 @@ public class AbstractKerberosITest exten
      * </pre>
      *
      * @param encryptionType
+     * @param checksumType 
      * @return the path to the krb5.conf file
      * @throws IOException
      */
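Review bot: The added `@param checksumType` tags a parameter that createKrb5Conf does not appear to have: the call at the top of this file's setupEnv hunk still passes only `parameters.encryptionType`, and the signature itself is outside this hunk. If the signature was not changed, javadoc will report the unknown parameter; either drop the tag or actually add the parameter and use it.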
@@ -179,6 +277,9 @@ public class AbstractKerberosITest exten
         data += "default_tkt_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR;
         data += "default_tgs_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR;
         data += "permitted_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR;
+//        data += "default_checksum = " + checksumType.getName() + SystemUtils.LINE_SEPARATOR;
+//        data += "ap_req_checksum_type = " + checksumType.getName() + SystemUtils.LINE_SEPARATOR;
+//        data += "checksum_type = " + checksumType.getName() + SystemUtils.LINE_SEPARATOR;
         
         data += "[realms]" + SystemUtils.LINE_SEPARATOR;
         data += REALM + " = {" + SystemUtils.LINE_SEPARATOR;
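Review bot: The three commented-out `data += …` lines add dead code that references a `checksumType` variable the method does not seem to have, and they tell the next reader nothing about why they are there. If the point is that the Sun client does not honour krb5.conf checksum settings, which is presumably why setupEnv forces `sun.security.krb5.Checksum.CKSUMTYPE_DEFAULT` through reflection, record that instead: `// NOTE: krb5.conf checksum settings are not used to select the test checksum; setupEnv forces CKSUMTYPE_DEFAULT via reflection`. Otherwise remove the lines. The enclosing method continues outside the hunk.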

Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java?rev=1150951&r1=1150950&r2=1150951&view=diff
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
(original)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java
Mon Jul 25 23:02:06 2011
@@ -20,8 +20,6 @@
 package org.apache.directory.server.kerberos.kdc;
 
 
-import java.lang.reflect.Field;
-
 import org.apache.directory.server.annotations.CreateKdcServer;
 import org.apache.directory.server.annotations.CreateLdapServer;
 import org.apache.directory.server.annotations.CreateTransport;
@@ -30,20 +28,23 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.annotations.CreatePartition;
 import org.apache.directory.server.core.integ.FrameworkRunner;
 import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
+import org.apache.directory.server.protocol.shared.transport.TcpTransport;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
+import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
 import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
 
 /**
- * Test to obtain TGTs and Service Tickets from KDCs via TCP.
+ * Tests to obtain TGTs and Service Tickets from KDCs via TCP.
  * 
  * We use some internal knowledge of the Sun/Oracle implementation here to force
- * the usage of TCP: In sun.security.krb5.KrbKdcReq the static field udpPrefLimit 
- * is set to 1 which means that TCP is always used.
+ * the usage of TCP and checksum: 
+ * <li>In sun.security.krb5.KrbKdcReq the static field udpPrefLimit is set to 1 
+ * which means that TCP is always used.
+ * <li>In sun.security.krb5.Checksum the static field CKSUMTYPE_DEFAULT is set
+ * to the appropriate checksum value.
  * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory
 Project</a>
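Review bot: The rewritten class Javadoc introduces two `<li>` items without an enclosing `<ul>`, which doclint reports as a tag not allowed here; the same pattern is in the KerberosUdpITest class Javadoc of this commit. Wrap the items, `<ul>` before the first `<li>` and `</ul>` after the last, in both files.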
@@ -73,54 +74,6 @@ Project</a>
 @ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif")
 public class KerberosTcpITest extends AbstractKerberosITest
 {
-    private static Integer udpPrefLimit;
-
-
-    @BeforeClass
-    public static void setUdpPrefLimit() throws Exception
-    {
-        // System.setProperty( "sun.security.krb5.debug", "true" );
-
-        // Save current value of sun.security.krb5.KrbKdcReq.udpPrefLimit field.
-        // Then set it to 1 to force TCP.
-        udpPrefLimit = getUdpPrefLimit();
-        setUdpPrefLimit( 1 );
-    }
-
-
-    @AfterClass
-    public static void resetUdpPrefLimit() throws Exception
-    {
-        // Reset sun.security.krb5.KrbKdcReq.udpPrefLimit field
-        setUdpPrefLimit( udpPrefLimit );
-    }
-
-
-    private static Integer getUdpPrefLimit() throws Exception
-    {
-        Field udpPrefLimitField = getUdpPrefLimitField();
-        Object value = udpPrefLimitField.get( null );
-        return ( Integer ) value;
-    }
-
-
-    private static void setUdpPrefLimit( int limit ) throws Exception
-    {
-        Field udpPrefLimitField = getUdpPrefLimitField();
-        udpPrefLimitField.setAccessible( true );
-        udpPrefLimitField.set( null, limit );
-    }
-
-
-    private static Field getUdpPrefLimitField() throws ClassNotFoundException, NoSuchFieldException
-    {
-        String clazz = "sun.security.krb5.KrbKdcReq";
-        Class<?> krbKdcReqClass = Class.forName( clazz );
-        Field udpPrefLimitField = krbKdcReqClass.getDeclaredField( "udpPrefLimit" );
-        udpPrefLimitField.setAccessible( true );
-        return udpPrefLimitField;
-    }
-
 
     // TODO: fix failing tests
     // TODO: add tests for other encryption types
@@ -129,16 +82,21 @@ public class KerberosTcpITest extends Ab
     @Test
     public void testObtainTickets_DES_CBC_MD5() throws Exception
     {
-        setupEnv( EncryptionType.DES_CBC_MD5 );
-        testObtainTickets( EncryptionType.DES_CBC_MD5 );
+        // TODO: rsa-md5-des 
+        // RFC3961, Section 6.2.1: des-cbc-md5 + rsa-md5-des
+        ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class,
+            EncryptionType.DES_CBC_MD5, ChecksumType.RSA_MD5 );
+        testObtainTickets( parameters );
     }
 
 
     @Test
     public void testObtainTickets_DES3_CBC_SHA1_KD() throws Exception
     {
-        setupEnv( EncryptionType.DES3_CBC_SHA1_KD );
-        testObtainTickets( EncryptionType.DES3_CBC_SHA1_KD );
+        // RFC3961, Section 6.3: des3-cbc-hmac-sha1-kd + hmac-sha1-des3-kd
+        ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class,
+            EncryptionType.DES3_CBC_SHA1_KD, ChecksumType.HMAC_SHA1_DES3_KD );
+        testObtainTickets( parameters );
     }
 
 
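Review bot: testObtainTickets_DES_CBC_MD5 pairs DES_CBC_MD5 with `ChecksumType.RSA_MD5`, and the one-word `// TODO: rsa-md5-des` comment does not explain the substitution. RSA-MD5 is the unkeyed checksum of RFC 3961 Section 6.1.1, whereas rsa-md5-des is the keyed checksum Section 6.2.1 mandates with des-cbc-md5, so this case never exercises the session-key-bound verification path that the TicketGrantingService change in this commit introduces, and its passing implies the KDC still accepts an unkeyed authenticator checksum. Say so in the comment, e.g. `// TODO: RFC3961 6.2.1 requires rsa-md5-des (keyed); RSA_MD5 is unkeyed and does not test the session-key binding`, and apply the same to the DES_CBC_MD5 case in KerberosUdpITest.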
@@ -146,24 +104,30 @@ public class KerberosTcpITest extends Ab
     @Ignore("Fails with KrbException: Integrity check on decrypted field failed (31) - Integrity
check on decrypted field failed")
     public void testObtainTickets_RC4_HMAC() throws Exception
     {
-        setupEnv( EncryptionType.RC4_HMAC );
-        testObtainTickets( EncryptionType.RC4_HMAC );
+        // TODO: RFC4757: rc4-hmac + hmac-md5
+        ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class,
+            EncryptionType.RC4_HMAC, ChecksumType.HMAC_MD5 );
+        testObtainTickets( parameters );
     }
 
 
     @Test
     public void testObtainTickets_AES128() throws Exception
     {
-        setupEnv( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
-        testObtainTickets( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+        // RFC3962, Section 7: aes128-cts-hmac-sha1-96 + hmac-sha1-96-aes128
+        ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class,
+            EncryptionType.AES128_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES128 );
+        testObtainTickets( parameters );
     }
 
 
     @Test
     public void testObtainTickets_AES256() throws Exception
     {
-        setupEnv( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
-        testObtainTickets( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
+        // RFC3962, Section 7: aes256-cts-hmac-sha1-96 + hmac-sha1-96-aes256
+        ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class,
+            EncryptionType.AES256_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES256 );
+        testObtainTickets( parameters );
     }
 
 }

Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java?rev=1150951&r1=1150950&r2=1150951&view=diff
==============================================================================
--- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
(original)
+++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java
Mon Jul 25 23:02:06 2011
@@ -28,19 +28,23 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.annotations.CreatePartition;
 import org.apache.directory.server.core.integ.FrameworkRunner;
 import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
+import org.apache.directory.server.protocol.shared.transport.UdpTransport;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
+import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType;
 import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
 
 /**
- * Test to obtain TGTs and Service Tickets from KDCs via UDP.
+ * Tests to obtain TGTs and Service Tickets from KDCs via UDP.
  * 
  * We use some internal knowledge of the Sun/Oracle implementation here:
- * In sun.security.krb5.KrbKdcReq the field udpPrefLimit is set to -1 which means
+ * <li>In sun.security.krb5.KrbKdcReq the field udpPrefLimit is set to -1 which means
  * that UDP is always used first. Only if the KDC replies with RB_ERR_RESPONSE_TOO_BIG
  * TCP is used.
+ * <li>In sun.security.krb5.Checksum the static field CKSUMTYPE_DEFAULT is set
+ * to the appropriate checksum value.
  * 
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
@@ -75,36 +79,22 @@ public class KerberosUdpITest extends Ab
     // TODO: add tests for different options
 
     @Test
-    @Ignore("Fails")
-    public void testObtainTickets_DES_CBC_CRC() throws Exception
-    {
-        setupEnv( EncryptionType.DES_CBC_CRC );
-        testObtainTickets( EncryptionType.DES_CBC_CRC );
-    }
-
-
-    @Test
-    @Ignore("Fails")
-    public void testObtainTickets_DES_CBC_MD4() throws Exception
-    {
-        setupEnv( EncryptionType.DES_CBC_MD4 );
-        testObtainTickets( EncryptionType.DES_CBC_MD4 );
-    }
-
-
-    @Test
     public void testObtainTickets_DES_CBC_MD5() throws Exception
     {
-        setupEnv( EncryptionType.DES_CBC_MD5 );
-        testObtainTickets( EncryptionType.DES_CBC_MD5 );
+        // TODO: RFC3961, Section 6.2.1: des-cbc-md5 + rsa-md5-des
+        ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class,

+            EncryptionType.DES_CBC_MD5, ChecksumType.RSA_MD5 );
+        testObtainTickets( parameters );
     }
 
 
     @Test
     public void testObtainTickets_DES3_CBC_SHA1_KD() throws Exception
     {
-        setupEnv( EncryptionType.DES3_CBC_SHA1_KD );
-        testObtainTickets( EncryptionType.DES3_CBC_SHA1_KD );
+        // RFC3961, Section 6.3: des3-cbc-hmac-sha1-kd + hmac-sha1-des3-kd
+        ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class,
+            EncryptionType.DES3_CBC_SHA1_KD, ChecksumType.HMAC_SHA1_DES3_KD );
+        testObtainTickets( parameters );
     }
 
 
@@ -112,24 +102,30 @@ public class KerberosUdpITest extends Ab
     @Ignore("Fails with KrbException: Integrity check on decrypted field failed (31) - Integrity
check on decrypted field failed")
     public void testObtainTickets_RC4_HMAC() throws Exception
     {
-        setupEnv( EncryptionType.RC4_HMAC );
-        testObtainTickets( EncryptionType.RC4_HMAC );
+        // TODO: RFC4757: rc4-hmac + hmac-md5
+        ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class,
+            EncryptionType.RC4_HMAC, ChecksumType.HMAC_MD5 );
+        testObtainTickets( parameters );
     }
 
 
     @Test
     public void testObtainTickets_AES128() throws Exception
     {
-        setupEnv( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
-        testObtainTickets( EncryptionType.AES128_CTS_HMAC_SHA1_96 );
+        // RFC3962, Section 7: aes128-cts-hmac-sha1-96 + hmac-sha1-96-aes128
+        ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class,
+            EncryptionType.AES128_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES128 );
+        testObtainTickets( parameters );
     }
 
 
     @Test
     public void testObtainTickets_AES256() throws Exception
     {
-        setupEnv( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
-        testObtainTickets( EncryptionType.AES256_CTS_HMAC_SHA1_96 );
+        // RFC3962, Section 7: aes256-cts-hmac-sha1-96 + hmac-sha1-96-aes256
+        ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class,
+            EncryptionType.AES256_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES256 );
+        testObtainTickets( parameters );
     }
 
 }

Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java?rev=1150951&r1=1150950&r2=1150951&view=diff
==============================================================================
--- directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
(original)
+++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java
Mon Jul 25 23:02:06 2011
@@ -271,6 +271,11 @@ public class TicketGrantingService
     }
     
     
+    /**
+     * RFC4120
+     * <li>Section 3.3.2. Receipt of KRB_TGS_REQ Message -> 2nd paragraph
+     * <li>Section 5.5.1. KRB_AP_REQ Definition -> Authenticator -> cksum
+     */
     private static void verifyBodyChecksum( TicketGrantingContext tgsContext ) throws KerberosException
     {
         KdcServer config = tgsContext.getConfig();
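Review bot: The new Javadoc on verifyBodyChecksum has no summary sentence; it opens with a bare "RFC4120" and two `<li>` items outside a list, so javadoc renders an empty summary. Lead with what the method does and keep the references: `Verifies the checksum in the TGS-REQ authenticator over the request body, keyed with the TGT session key (RFC 4120, Sections 3.3.2 and 5.5.1).`. The method body continues outside the hunk.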
@@ -290,10 +295,15 @@ public class TicketGrantingService
             {
                 throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM );
             }
-            
+
             byte[] bodyBytes = buf.array();
             Checksum authenticatorChecksum = tgsContext.getAuthenticator().getCksum();
 
+            // we need the session key
+            Ticket tgt = tgsContext.getTgt();
+            EncTicketPart encTicketPart = tgt.getEncTicketPart();
+            EncryptionKey sessionKey = encTicketPart.getKey();
+
             if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType()
== null
                 || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null
)
             {
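Review bot: The null guard on the following lines covers the authenticator checksum and body bytes but not the `encTicketPart` and `sessionKey` fetched just above it, so if the TGT's encrypted part can be absent when this runs, `encTicketPart.getKey()` or `sessionKey.getKeyValue()` throws a NullPointerException instead of the KerberosException the other missing inputs produce. Presumably the TGT has already been decrypted by the time this service runs, but since the lookup is now a hard dependency of the verification, folding `|| sessionKey == null` into the existing condition (after guarding `encTicketPart` the same way) costs one line and keeps every failure on the same error path.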
@@ -302,7 +312,8 @@ public class TicketGrantingService
 
             LOG.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType()
);
 
-            checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.TGS_REP_ENC_PART_TGS_SESS_KEY
);
+            checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, sessionKey.getKeyValue(),
+                KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY );
         }
     }
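Review bot: The key usage is now `TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY`, which matches RFC 4120 Section 7.5.1 usage number 6 for the authenticator checksum in PA-TGS-REQ, and passing the TGT session key instead of null is the actual fix for DIRSERVER-1635. What the hunk does not say is that the key only matters for keyed checksum types: the tests in this commit expect RSA_MD5 to be accepted, so an unkeyed checksum evidently still passes here, and whether that is intended depends on the KRB_AP_ERR_INAPP_CKSUM condition above the hunk. A short comment on the call would make the policy explicit: `// the session key is only used by keyed checksum types; unkeyed types rely on the checksum-type check above`.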
     


