Return-Path: X-Original-To: apmail-directory-commits-archive@www.apache.org Delivered-To: apmail-directory-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8C90F6D1B for ; Mon, 25 Jul 2011 23:02:31 +0000 (UTC) Received: (qmail 75202 invoked by uid 500); 25 Jul 2011 23:02:31 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 75165 invoked by uid 500); 25 Jul 2011 23:02:30 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 75158 invoked by uid 99); 25 Jul 2011 23:02:30 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Jul 2011 23:02:30 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Jul 2011 23:02:28 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id F3B0A23888C2 for ; Mon, 25 Jul 2011 23:02:07 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1150951 - in /directory/apacheds/trunk: kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/ protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/ Date: Mon, 25 Jul 2011 23:02:07 -0000 To: commits@directory.apache.org 
From: seelmann@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110725230207.F3B0A23888C2@eris.apache.org> Author: seelmann Date: Mon Jul 25 23:02:06 2011 New Revision: 1150951 URL: http://svn.apache.org/viewvc?rev=1150951&view=rev Log: Fix for DIRSERVER-1635: Use the session key and right key usage to verify the checksum. Reworked the tests to be able to set the checksum to use. Note that the tests are highly coupled to the Sun Java implementation, as fields in internal classes are modified using reflection. Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java?rev=1150951&r1=1150950&r2=1150951&view=diff ============================================================================== --- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java (original) +++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java Mon Jul 25 23:02:06 2011 @@ -24,6 +24,7 @@ import static org.junit.Assert.assertEqu import java.io.File; import java.io.IOException; +import java.lang.reflect.Field; import java.util.Collections; import javax.security.auth.Subject; 
@@ -33,7 +34,10 @@ import org.apache.commons.io.FileUtils; import org.apache.commons.lang.SystemUtils; import org.apache.directory.server.core.LdapCoreSessionConnection; import org.apache.directory.server.core.integ.AbstractLdapTestUnit; +import org.apache.directory.server.protocol.shared.transport.TcpTransport; +import org.apache.directory.server.protocol.shared.transport.Transport; import org.apache.directory.shared.kerberos.codec.types.EncryptionType; +import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType; import org.apache.directory.shared.ldap.model.entry.DefaultEntry; import org.apache.directory.shared.ldap.model.entry.DefaultModification; import org.apache.directory.shared.ldap.model.entry.Entry; @@ -80,6 +84,24 @@ public class AbstractKerberosITest exten conn.close(); } + class ObtainTicketParameters + { + Class transport; + EncryptionType encryptionType; + ChecksumType checksumType; + Integer oldUdpPrefLimit; + Integer oldCksumtypeDefault; + + + public ObtainTicketParameters( Class transport, EncryptionType encryptionType, + ChecksumType checksumType ) + { + this.transport = transport; + this.encryptionType = encryptionType; + this.checksumType = checksumType; + } + } + /** * Obtains a TGT and service tickets for the user. 
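Review bot: `Class transport` in the new ObtainTicketParameters class is a raw type, and the `Transport` import added in the same hunk appears unused in the visible hunks (setupEnv only compares against `TcpTransport.class`); typing the field and constructor parameter as `Class<? extends Transport> transport` would give the import a purpose and let the compiler reject a non-transport class being passed. The class also has no Javadoc; a one-liner such as `/** Per-test inputs (transport, enctype, checksum) plus the JVM statics saved by setupEnv for resetEnv. */` would explain why the two `old*` fields are mutable and written elsewhere. The inner class is non-static, so each instance carries a hidden reference to the test instance; `static class` would be the conventional choice for a plain parameter holder.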
@@ -88,27 +110,35 @@ public class AbstractKerberosITest exten * @param encryptionType the encryption type to use * @throws Exception */ - protected void testObtainTickets( EncryptionType encryptionType ) throws Exception + protected void testObtainTickets( ObtainTicketParameters parameters ) throws Exception { - Subject subject = new Subject(); - - KerberosTestUtils.obtainTGT( subject, USER_UID, USER_PASSWORD ); - - assertEquals( 1, subject.getPrivateCredentials().size() ); - assertEquals( 0, subject.getPublicCredentials().size() ); - - KerberosTestUtils.obtainServiceTickets( subject, USER_UID, LDAP_SERVICE_NAME, HOSTNAME ); - - assertEquals( 2, subject.getPrivateCredentials().size() ); - assertEquals( 0, subject.getPublicCredentials().size() ); - for ( KerberosTicket kt : subject.getPrivateCredentials( KerberosTicket.class ) ) + setupEnv(parameters); + try + { + Subject subject = new Subject(); + + KerberosTestUtils.obtainTGT( subject, USER_UID, USER_PASSWORD ); + + assertEquals( 1, subject.getPrivateCredentials().size() ); + assertEquals( 0, subject.getPublicCredentials().size() ); + + KerberosTestUtils.obtainServiceTickets( subject, USER_UID, LDAP_SERVICE_NAME, HOSTNAME ); + + assertEquals( 2, subject.getPrivateCredentials().size() ); + assertEquals( 0, subject.getPublicCredentials().size() ); + for ( KerberosTicket kt : subject.getPrivateCredentials( KerberosTicket.class ) ) + { + // System.out.println( kt.getClient() ); + // System.out.println( kt.getServer() ); + // System.out.println( kt.getSessionKeyType() ); + assertEquals( parameters.encryptionType.getValue(), kt.getSessionKeyType() ); + } + // System.out.println( subject ); + } + finally { - // System.out.println( kt.getClient() ); - // System.out.println( kt.getServer() ); - // System.out.println( kt.getSessionKeyType() ); - assertEquals( encryptionType.getValue(), kt.getSessionKeyType() ); + resetEnv( parameters ); } - // sSystem.out.println( subject ); } 
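Review bot: `setupEnv( parameters )` is called before the `try`, so when it throws after it has already modified `sun.security.krb5.KrbKdcReq.udpPrefLimit` or `Checksum.CKSUMTYPE_DEFAULT` (for example if createKrb5Conf or createPrincipal fails, see the setupEnv hunk below), the `finally` never runs and the JVM-global statics stay altered for every later test in the same JVM. Moving the call to the first line inside the `try` fixes that, but only together with a null-tolerant resetEnv (the hunk at @@ -140,7 +181,63), because `parameters.oldUdpPrefLimit` / `oldCksumtypeDefault` are `Integer` and are unboxed into an `int` parameter — a saved value of null would turn the cleanup itself into a NullPointerException. Suggested resetEnv body: `if ( parameters.oldUdpPrefLimit != null ) { setUdpPrefLimit( parameters.oldUdpPrefLimit ); }` and `if ( parameters.oldCksumtypeDefault != null ) { setCksumtypeDefault( parameters.oldCksumtypeDefault ); }`. The commented-out `System.out.println` lines were carried over from the old body and could be dropped rather than re-indented.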
@@ -120,14 +150,25 @@ public class AbstractKerberosITest exten } - protected void setupEnv( EncryptionType encryptionType ) throws LdapException, IOException + protected void setupEnv( ObtainTicketParameters parameters ) + throws Exception { + // Save current value of sun.security.krb5.KrbKdcReq.udpPrefLimit field. + // Then set it to -1/1 to force UDP/TCP. + parameters.oldUdpPrefLimit = getUdpPrefLimit(); + setUdpPrefLimit( parameters.transport == TcpTransport.class ? 1 : -1 ); + + // Save current value of sun.security.krb5.Checksum.CKSUMTYPE_DEFAULT field. + // Then set it to the required checksum value + parameters.oldCksumtypeDefault = getCksumtypeDefault(); + setCksumtypeDefault( parameters.checksumType.getValue() ); + // create krb5.conf with proper encryption type - String krb5confPath = createKrb5Conf( encryptionType ); + String krb5confPath = createKrb5Conf( parameters.encryptionType ); System.setProperty( "java.security.krb5.conf", krb5confPath ); // change encryption type in KDC - kdcServer.setEncryptionTypes( Collections.singleton( encryptionType ) ); + kdcServer.setEncryptionTypes( Collections.singleton( parameters.encryptionType ) ); // create principals createPrincipal( "uid=" + USER_UID, "Last", "First Last", 
@@ -140,7 +181,63 @@ public class AbstractKerberosITest exten createPrincipal( "uid=ldap", "Service", "LDAP Service", "ldap", "randall", servicePrincipal ); } + + protected void resetEnv( ObtainTicketParameters parameters ) + throws Exception + { + setUdpPrefLimit( parameters.oldUdpPrefLimit ); + setCksumtypeDefault( parameters.oldCksumtypeDefault ); + } + private static Integer getUdpPrefLimit() throws Exception + { + Field udpPrefLimitField = getUdpPrefLimitField(); + Object value = udpPrefLimitField.get( null ); + return ( Integer ) value; + } + + + private static void setUdpPrefLimit( int limit ) throws Exception + { + Field udpPrefLimitField = getUdpPrefLimitField(); + udpPrefLimitField.setAccessible( true ); + udpPrefLimitField.set( null, limit ); + } + + + private static Field getUdpPrefLimitField() throws ClassNotFoundException, NoSuchFieldException + { + String clazz = "sun.security.krb5.KrbKdcReq"; + Class krbKdcReqClass = Class.forName( clazz ); + Field udpPrefLimitField = krbKdcReqClass.getDeclaredField( "udpPrefLimit" ); + udpPrefLimitField.setAccessible( true ); + return udpPrefLimitField; + } + + private static Integer getCksumtypeDefault() throws Exception + { + Field cksumtypeDefaultField = getCksumtypeDefaultField(); + Object value = cksumtypeDefaultField.get( null ); + return ( Integer ) value; + } + + + private static void setCksumtypeDefault( int limit ) throws Exception + { + Field cksumtypeDefaultField = getCksumtypeDefaultField(); + cksumtypeDefaultField.setAccessible( true ); + cksumtypeDefaultField.set( null, limit ); + } + + + private static Field getCksumtypeDefaultField() throws ClassNotFoundException, NoSuchFieldException + { + String clazz = "sun.security.krb5.Checksum"; + Class checksumClass = Class.forName( clazz ); + Field cksumtypeDefaultField = checksumClass.getDeclaredField( "CKSUMTYPE_DEFAULT" ); + cksumtypeDefaultField.setAccessible( true ); + return cksumtypeDefaultField; + } /** * Creates the krb5.conf file for the test. 
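Review bot: The two reflection triples (getUdpPrefLimit/setUdpPrefLimit/getUdpPrefLimitField and the Cksumtype ones) are copy-paste duplicates differing only in class and field name, and the copy shows it: `setCksumtypeDefault( int limit )` keeps the parameter name `limit` from the UDP version, both setters call `setAccessible( true )` again although the field getters already did, and `Class krbKdcReqClass` / `Class checksumClass` are raw types. One generic helper pair keeps the existing method names as thin wrappers and leaves a single place to document that these are private JDK internals (the commit log already notes the Sun-implementation coupling; a `// NOTE: sun.security.krb5 internals, not a public API — verify against the JDK in use` on the helper would keep that visible to whoever next sees it fail). The declared-field names and class names are unchanged below.
```java
    /** Looks up a static field of a JDK-internal class and makes it accessible. */
    private static Field getStaticField( String className, String fieldName )
        throws ClassNotFoundException, NoSuchFieldException
    {
        Field field = Class.forName( className ).getDeclaredField( fieldName );
        field.setAccessible( true );
        return field;
    }


    private static Integer getStaticInt( String className, String fieldName ) throws Exception
    {
        return ( Integer ) getStaticField( className, fieldName ).get( null );
    }


    private static void setStaticInt( String className, String fieldName, int value ) throws Exception
    {
        getStaticField( className, fieldName ).set( null, value );
    }


    private static Integer getUdpPrefLimit() throws Exception
    {
        return getStaticInt( "sun.security.krb5.KrbKdcReq", "udpPrefLimit" );
    }


    private static void setUdpPrefLimit( int limit ) throws Exception
    {
        setStaticInt( "sun.security.krb5.KrbKdcReq", "udpPrefLimit", limit );
    }


    private static Integer getCksumtypeDefault() throws Exception
    {
        return getStaticInt( "sun.security.krb5.Checksum", "CKSUMTYPE_DEFAULT" );
    }


    private static void setCksumtypeDefault( int checksumType ) throws Exception
    {
        setStaticInt( "sun.security.krb5.Checksum", "CKSUMTYPE_DEFAULT", checksumType );
    }
    // … unchanged: resetEnv, createKrb5Conf Javadoc …
```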
@@ -165,6 +262,7 @@ public class AbstractKerberosITest exten * * * @param encryptionType + * @param checksumType * @return the path to the krb5.conf file * @throws IOException */ @@ -179,6 +277,9 @@ public class AbstractKerberosITest exten data += "default_tkt_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR; data += "default_tgs_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR; data += "permitted_enctypes = " + encryptionType.getName() + SystemUtils.LINE_SEPARATOR; +// data += "default_checksum = " + checksumType.getName() + SystemUtils.LINE_SEPARATOR; +// data += "ap_req_checksum_type = " + checksumType.getName() + SystemUtils.LINE_SEPARATOR; +// data += "checksum_type = " + checksumType.getName() + SystemUtils.LINE_SEPARATOR; data += "[realms]" + SystemUtils.LINE_SEPARATOR; data += REALM + " = {" + SystemUtils.LINE_SEPARATOR; Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java?rev=1150951&r1=1150950&r2=1150951&view=diff ============================================================================== --- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java (original) +++ directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosTcpITest.java Mon Jul 25 23:02:06 2011 @@ -20,8 +20,6 @@ package org.apache.directory.server.kerberos.kdc; -import java.lang.reflect.Field; - import org.apache.directory.server.annotations.CreateKdcServer; import org.apache.directory.server.annotations.CreateLdapServer; import org.apache.directory.server.annotations.CreateTransport; 
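Review bot: The added `@param checksumType` documents a parameter that createKrb5Conf does not appear to take — setupEnv in the hunk above still calls `createKrb5Conf( parameters.encryptionType )` with one argument — and the three `// data += ... checksumType.getName() ...` lines in the next hunk are commented-out code referencing the same non-existent variable. Either add the parameter and decide which krb5.conf key actually drives the client checksum, or drop both the `@param` line and the dead lines; if they are kept as a reminder, a single `// TODO: which krb5.conf key (if any) selects the client checksum type is unresolved; CKSUMTYPE_DEFAULT is forced via reflection instead` says more than the commented-out code. The createKrb5Conf signature itself lies outside the hunk.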
@@ -30,20 +28,23 @@ import org.apache.directory.server.core. import org.apache.directory.server.core.annotations.CreatePartition; import org.apache.directory.server.core.integ.FrameworkRunner; import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor; +import org.apache.directory.server.protocol.shared.transport.TcpTransport; import org.apache.directory.shared.kerberos.codec.types.EncryptionType; -import org.junit.AfterClass; -import org.junit.BeforeClass; +import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType; import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; /** - * Test to obtain TGTs and Service Tickets from KDCs via TCP. + * Tests to obtain TGTs and Service Tickets from KDCs via TCP. * * We use some internal knowledge of the Sun/Oracle implementation here to force - * the usage of TCP: In sun.security.krb5.KrbKdcReq the static field udpPrefLimit - * is set to 1 which means that TCP is always used. + * the usage of TCP and checksum: + *
  • In sun.security.krb5.KrbKdcReq the static field udpPrefLimit is set to 1 + * which means that TCP is always used. + *
  • In sun.security.krb5.Checksum the static field CKSUMTYPE_DEFAULT is set + * to the appropriate checksum value. * * @author Apache Directory Project @@ -73,54 +74,6 @@ Project @ApplyLdifFiles("org/apache/directory/server/kerberos/kdc/KerberosIT.ldif") public class KerberosTcpITest extends AbstractKerberosITest { - private static Integer udpPrefLimit; - - - @BeforeClass - public static void setUdpPrefLimit() throws Exception - { - // System.setProperty( "sun.security.krb5.debug", "true" ); - - // Save current value of sun.security.krb5.KrbKdcReq.udpPrefLimit field. - // Then set it to 1 to force TCP. - udpPrefLimit = getUdpPrefLimit(); - setUdpPrefLimit( 1 ); - } - - - @AfterClass - public static void resetUdpPrefLimit() throws Exception - { - // Reset sun.security.krb5.KrbKdcReq.udpPrefLimit field - setUdpPrefLimit( udpPrefLimit ); - } - - - private static Integer getUdpPrefLimit() throws Exception - { - Field udpPrefLimitField = getUdpPrefLimitField(); - Object value = udpPrefLimitField.get( null ); - return ( Integer ) value; - } - - - private static void setUdpPrefLimit( int limit ) throws Exception - { - Field udpPrefLimitField = getUdpPrefLimitField(); - udpPrefLimitField.setAccessible( true ); - udpPrefLimitField.set( null, limit ); - } - - - private static Field getUdpPrefLimitField() throws ClassNotFoundException, NoSuchFieldException - { - String clazz = "sun.security.krb5.KrbKdcReq"; - Class krbKdcReqClass = Class.forName( clazz ); - Field udpPrefLimitField = krbKdcReqClass.getDeclaredField( "udpPrefLimit" ); - udpPrefLimitField.setAccessible( true ); - return udpPrefLimitField; - } - // TODO: fix failing tests // TODO: add tests for other encryption types 
@@ -129,16 +82,21 @@ public class KerberosTcpITest extends Ab @Test public void testObtainTickets_DES_CBC_MD5() throws Exception { - setupEnv( EncryptionType.DES_CBC_MD5 ); - testObtainTickets( EncryptionType.DES_CBC_MD5 ); + // TODO: rsa-md5-des + // RFC3961, Section 6.2.1: des-cbc-md5 + rsa-md5-des + ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class, + EncryptionType.DES_CBC_MD5, ChecksumType.RSA_MD5 ); + testObtainTickets( parameters ); } @Test public void testObtainTickets_DES3_CBC_SHA1_KD() throws Exception { - setupEnv( EncryptionType.DES3_CBC_SHA1_KD ); - testObtainTickets( EncryptionType.DES3_CBC_SHA1_KD ); + // RFC3961, Section 6.3: des3-cbc-hmac-sha1-kd + hmac-sha1-des3-kd + ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class, + EncryptionType.DES3_CBC_SHA1_KD, ChecksumType.HMAC_SHA1_DES3_KD ); + testObtainTickets( parameters ); } 
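Review bot: The `// TODO: rsa-md5-des` comment on testObtainTickets_DES_CBC_MD5 names the RFC 3961 §6.2.1 checksum but the test passes `ChecksumType.RSA_MD5`, an unkeyed checksum, without saying why the mandated keyed one is not used — presumably a client-side limitation, but that is inferred. A reader cannot tell whether the test is intentionally weaker or simply unfinished; something like `// TODO: RFC3961 6.2.1 pairs des-cbc-md5 with rsa-md5-des; RSA_MD5 is used instead because <reason to fill in>` would settle it. The same applies to the RC4_HMAC and DES_CBC_MD5 methods in the following hunk and to their UDP twins in KerberosUdpITest. Each of the five test methods also repeats the three-line `new ObtainTicketParameters( TcpTransport.class, ... )` construction; a small `params( EncryptionType, ChecksumType )` helper in each subclass would make the enctype/checksum pairing the only thing that varies per test.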
@@ -146,24 +104,30 @@ public class KerberosTcpITest extends Ab @Ignore("Fails with KrbException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed") public void testObtainTickets_RC4_HMAC() throws Exception { - setupEnv( EncryptionType.RC4_HMAC ); - testObtainTickets( EncryptionType.RC4_HMAC ); + // TODO: RFC4757: rc4-hmac + hmac-md5 + ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class, + EncryptionType.RC4_HMAC, ChecksumType.HMAC_MD5 ); + testObtainTickets( parameters ); } @Test public void testObtainTickets_AES128() throws Exception { - setupEnv( EncryptionType.AES128_CTS_HMAC_SHA1_96 ); - testObtainTickets( EncryptionType.AES128_CTS_HMAC_SHA1_96 ); + // RFC3962, Section 7: aes128-cts-hmac-sha1-96 + hmac-sha1-96-aes128 + ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class, + EncryptionType.AES128_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES128 ); + testObtainTickets( parameters ); } @Test public void testObtainTickets_AES256() throws Exception { - setupEnv( EncryptionType.AES256_CTS_HMAC_SHA1_96 ); - testObtainTickets( EncryptionType.AES256_CTS_HMAC_SHA1_96 ); + // RFC3962, Section 7: aes256-cts-hmac-sha1-96 + hmac-sha1-96-aes256 + ObtainTicketParameters parameters = new ObtainTicketParameters( TcpTransport.class, + EncryptionType.AES256_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES256 ); + testObtainTickets( parameters ); } } Modified: directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java?rev=1150951&r1=1150950&r2=1150951&view=diff ============================================================================== --- directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java (original) +++ 
directory/apacheds/trunk/kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/KerberosUdpITest.java Mon Jul 25 23:02:06 2011 @@ -28,19 +28,23 @@ import org.apache.directory.server.core. import org.apache.directory.server.core.annotations.CreatePartition; import org.apache.directory.server.core.integ.FrameworkRunner; import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor; +import org.apache.directory.server.protocol.shared.transport.UdpTransport; import org.apache.directory.shared.kerberos.codec.types.EncryptionType; +import org.apache.directory.shared.kerberos.crypto.checksum.ChecksumType; import org.junit.Ignore; import org.junit.Test; import org.junit.runner.RunWith; /** - * Test to obtain TGTs and Service Tickets from KDCs via UDP. + * Tests to obtain TGTs and Service Tickets from KDCs via UDP. * * We use some internal knowledge of the Sun/Oracle implementation here: - * In sun.security.krb5.KrbKdcReq the field udpPrefLimit is set to -1 which means + *
  • In sun.security.krb5.KrbKdcReq the field udpPrefLimit is set to -1 which means * that UDP is always used first. Only if the KDC replies with RB_ERR_RESPONSE_TOO_BIG * TCP is used. + *
  • In sun.security.krb5.Checksum the static field CKSUMTYPE_DEFAULT is set + * to the appropriate checksum value. * * @author Apache Directory Project */ @@ -75,36 +79,22 @@ public class KerberosUdpITest extends Ab // TODO: add tests for different options @Test - @Ignore("Fails") - public void testObtainTickets_DES_CBC_CRC() throws Exception - { - setupEnv( EncryptionType.DES_CBC_CRC ); - testObtainTickets( EncryptionType.DES_CBC_CRC ); - } - - - @Test - @Ignore("Fails") - public void testObtainTickets_DES_CBC_MD4() throws Exception - { - setupEnv( EncryptionType.DES_CBC_MD4 ); - testObtainTickets( EncryptionType.DES_CBC_MD4 ); - } - - - @Test public void testObtainTickets_DES_CBC_MD5() throws Exception { - setupEnv( EncryptionType.DES_CBC_MD5 ); - testObtainTickets( EncryptionType.DES_CBC_MD5 ); + // TODO: RFC3961, Section 6.2.1: des-cbc-md5 + rsa-md5-des + ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class, + EncryptionType.DES_CBC_MD5, ChecksumType.RSA_MD5 ); + testObtainTickets( parameters ); } @Test public void testObtainTickets_DES3_CBC_SHA1_KD() throws Exception { - setupEnv( EncryptionType.DES3_CBC_SHA1_KD ); - testObtainTickets( EncryptionType.DES3_CBC_SHA1_KD ); + // RFC3961, Section 6.3: des3-cbc-hmac-sha1-kd + hmac-sha1-des3-kd + ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class, + EncryptionType.DES3_CBC_SHA1_KD, ChecksumType.HMAC_SHA1_DES3_KD ); + testObtainTickets( parameters ); } 
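Review bot: The `@Ignore("Fails")` tests testObtainTickets_DES_CBC_CRC and testObtainTickets_DES_CBC_MD4 are deleted outright in the @@ -75,36 hunk, which is not mentioned in the commit log, and with them the only record that those two enctypes do not work end to end. If they are dropped because the reworked parameter object has no sensible checksum pairing for them, a comment next to the remaining `// TODO: add tests for different options` line such as `// DES_CBC_CRC / DES_CBC_MD4 tests removed: <reason>` keeps that knowledge; otherwise converting them to the new ObtainTicketParameters form and keeping them `@Ignore`d would preserve the coverage intent.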
@@ -112,24 +102,30 @@ public class KerberosUdpITest extends Ab @Ignore("Fails with KrbException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed") public void testObtainTickets_RC4_HMAC() throws Exception { - setupEnv( EncryptionType.RC4_HMAC ); - testObtainTickets( EncryptionType.RC4_HMAC ); + // TODO: RFC4757: rc4-hmac + hmac-md5 + ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class, + EncryptionType.RC4_HMAC, ChecksumType.HMAC_MD5 ); + testObtainTickets( parameters ); } @Test public void testObtainTickets_AES128() throws Exception { - setupEnv( EncryptionType.AES128_CTS_HMAC_SHA1_96 ); - testObtainTickets( EncryptionType.AES128_CTS_HMAC_SHA1_96 ); + // RFC3962, Section 7: aes128-cts-hmac-sha1-96 + hmac-sha1-96-aes128 + ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class, + EncryptionType.AES128_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES128 ); + testObtainTickets( parameters ); } @Test public void testObtainTickets_AES256() throws Exception { - setupEnv( EncryptionType.AES256_CTS_HMAC_SHA1_96 ); - testObtainTickets( EncryptionType.AES256_CTS_HMAC_SHA1_96 ); + // RFC3962, Section 7: aes256-cts-hmac-sha1-96 + hmac-sha1-96-aes256 + ObtainTicketParameters parameters = new ObtainTicketParameters( UdpTransport.class, + EncryptionType.AES256_CTS_HMAC_SHA1_96, ChecksumType.HMAC_SHA1_96_AES256 ); + testObtainTickets( parameters ); } } Modified: directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java?rev=1150951&r1=1150950&r2=1150951&view=diff ============================================================================== --- 
directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java (original) +++ directory/apacheds/trunk/protocol-kerberos/src/main/java/org/apache/directory/server/kerberos/kdc/ticketgrant/TicketGrantingService.java Mon Jul 25 23:02:06 2011 @@ -271,6 +271,11 @@ public class TicketGrantingService } + /** + * RFC4120 + *
  • Section 3.3.2. Receipt of KRB_TGS_REQ Message -> 2nd paragraph + *
  • Section 5.5.1. KRB_AP_REQ Definition -> Authenticator -> cksum + */ private static void verifyBodyChecksum( TicketGrantingContext tgsContext ) throws KerberosException { KdcServer config = tgsContext.getConfig(); @@ -290,10 +295,15 @@ public class TicketGrantingService { throw new KerberosException( ErrorType.KRB_AP_ERR_INAPP_CKSUM ); } - + byte[] bodyBytes = buf.array(); Checksum authenticatorChecksum = tgsContext.getAuthenticator().getCksum(); + // we need the session key + Ticket tgt = tgsContext.getTgt(); + EncTicketPart encTicketPart = tgt.getEncTicketPart(); + EncryptionKey sessionKey = encTicketPart.getKey(); + if ( authenticatorChecksum == null || authenticatorChecksum.getChecksumType() == null || authenticatorChecksum.getChecksumValue() == null || bodyBytes == null ) { @@ -302,7 +312,8 @@ public class TicketGrantingService LOG.debug( "Verifying body checksum type '{}'.", authenticatorChecksum.getChecksumType() ); - checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, null, KeyUsage.TGS_REP_ENC_PART_TGS_SESS_KEY ); + checksumHandler.verifyChecksum( authenticatorChecksum, bodyBytes, sessionKey.getKeyValue(), + KeyUsage.TGS_REQ_PA_TGS_REQ_PADATA_AP_REQ_AUTHNT_CKSUM_TGS_SESS_KEY ); } }
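Review bot: The new `sessionKey` derived from `tgsContext.getTgt().getEncTicketPart().getKey()` is never null-checked, yet the very next `if` carefully guards `authenticatorChecksum`, its type, its value and `bodyBytes`; `tgt`, `encTicketPart` and `sessionKey` are dereferenced unconditionally (`encTicketPart.getKey()` above, `sessionKey.getKeyValue()` in the verifyChecksum call), so a TGT whose decrypted part or key is absent would surface as a NullPointerException in the KDC instead of the KerberosException this block otherwise produces. Extending the existing guard with `|| sessionKey == null || sessionKey.getKeyValue() == null` keeps the failure inside the protocol's error path (the guard's body, and whatever error it throws, lies outside the hunk). The move from a null key with `TGS_REP_ENC_PART_TGS_SESS_KEY` to the TGT session key with the AP-REQ authenticator checksum usage is the substance of the fix and matches the RFC 4120 sections cited in the new Javadoc; a short `// RFC4120 5.5.1: the authenticator checksum is keyed with the TGT session key (key usage 6)` next to the call would tie the two together for the next reader.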