From cohei...@apache.org
Subject directory-kerby git commit: [DIRKRB-236] - Ensure encryption types list is correctly sent by client and processed by kdc. Thanks to Jiajia Li for the patch
Date Wed, 22 Apr 2015 13:43:41 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/master 41df0299e -> 8d9a4f9c8


[DIRKRB-236] - Ensure encryption types list is correctly sent by client and processed by kdc.
Thanks to Jiajia Li for the patch


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/8d9a4f9c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/8d9a4f9c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/8d9a4f9c

Branch: refs/heads/master
Commit: 8d9a4f9c810109a0d0e140a8c2076ecc109d1511
Parents: 41df029
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Apr 22 14:42:28 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Apr 22 14:42:28 2015 +0100

----------------------------------------------------------------------
 .../kerb/client/request/KdcRequest.java         |  3 +-
 .../kerberos/kerb/common/EncryptionUtil.java    | 52 +++++++++++++++++++-
 .../kerby/kerberos/kerb/server/KdcTestBase.java |  8 ++-
 .../kerb/server/request/KdcRequest.java         | 10 ++--
 4 files changed, 67 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8d9a4f9c/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
index bab4e67..a7c6c3f 100644
--- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
+++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
@@ -25,6 +25,7 @@ import org.apache.kerby.kerberos.kerb.client.KrbContext;
 import org.apache.kerby.kerberos.kerb.client.preauth.KrbFastContext;
 import org.apache.kerby.kerberos.kerb.client.preauth.PreauthContext;
 import org.apache.kerby.kerberos.kerb.client.preauth.PreauthHandler;
+import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
 import org.apache.kerby.kerberos.kerb.spec.KerberosTime;
 import org.apache.kerby.kerberos.kerb.spec.base.*;
@@ -219,7 +220,7 @@ public abstract class KdcRequest {
         if (encryptionTypes == null) {
             encryptionTypes = context.getConfig().getEncryptionTypes();
         }
-        return encryptionTypes;
+        return EncryptionUtil.orderEtypesByStrength(encryptionTypes);
     }
 
     public void setEncryptionTypes(List<EncryptionType> encryptionTypes) {
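Review bot: The new `return EncryptionUtil.orderEtypesByStrength(encryptionTypes);` passes whatever `context.getConfig().getEncryptionTypes()` returned straight into a helper that, as added in EncryptionUtil in this same commit, calls `etypes.size()` and throws `IllegalArgumentException` for any type whose name matches none of its five prefixes. A missing or unrecognised configured etype would therefore fail inside this getter on every request rather than once when the configuration is read. I would guard the null case here and have the helper skip or report unknown types explicitly. A Javadoc line such as `Returns a new list, strongest etype first; the stored list is not modified.` would record the new contract. The getter's signature is outside the hunk.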

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8d9a4f9c/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
index fc987e9..06e2bea 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/common/EncryptionUtil.java
@@ -22,19 +22,69 @@ package org.apache.kerby.kerberos.kerb.common;
 import org.apache.kerby.asn1.type.AbstractAsn1Type;
 import org.apache.kerby.asn1.type.Asn1Type;
 import org.apache.kerby.kerberos.kerb.KrbCodec;
+import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.crypto.EncTypeHandler;
 import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
-import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionKey;
 import org.apache.kerby.kerberos.kerb.spec.base.EncryptionType;
 import org.apache.kerby.kerberos.kerb.spec.base.KeyUsage;
 
 import java.util.ArrayList;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
 
 public class EncryptionUtil {
 
+    /**
+     * an order preserved map containing cipher names to the corresponding algorithm
+     * names in the descending order of strength
+     */
+    private static final Map<String, String> cipherAlgoMap = new LinkedHashMap<String,
String>();
+
+    static {
+        cipherAlgoMap.put("rc4", "ArcFourHmac");
+        cipherAlgoMap.put("aes256", "AES256");
+        cipherAlgoMap.put("aes128", "AES128");
+        cipherAlgoMap.put("des3", "DESede");
+        cipherAlgoMap.put("des", "DES");
+    }
+
+    public static String getAlgoNameFromEncType(EncryptionType encType) {
+        String cipherName = encType.getName().toLowerCase();
+
+        for (String c : cipherAlgoMap.keySet()) {
+            if (cipherName.startsWith(c)) {
+                return cipherAlgoMap.get(c);
+            }
+        }
+
+        throw new IllegalArgumentException("Unknown algorithm name for the encryption type
" + encType);
+    }
+
+    /**
+     * Order a list of EncryptionType in a decreasing strength order
+     *
+     * @param etypes The ETypes to order
+     * @return A list of ordered ETypes. The strongest is on the left.
+     */
+    public static List<EncryptionType> orderEtypesByStrength(List<EncryptionType>
etypes) {
+        List<EncryptionType> ordered = new ArrayList<>(etypes.size());
+
+        for (String algo : cipherAlgoMap.values()) {
+            for (EncryptionType encType : etypes) {
+                String foundAlgo = getAlgoNameFromEncType(encType);
+
+                if (algo.equals(foundAlgo)) {
+                    ordered.add(encType);
+                }
+            }
+        }
+
+        return ordered;
+    }
+
     public static List<EncryptionKey> generateKeys(
             List<EncryptionType> encryptionTypes) throws KrbException {
         List<EncryptionKey> results =
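Review bot: The static initialiser inserts `rc4` first, ahead of `aes256` and `aes128`, although the Javadoc on `cipherAlgoMap` says the map is in descending order of strength. Because `orderEtypesByStrength` walks `cipherAlgoMap.values()` in insertion order, RC4-HMAC types come out ahead of AES. Together with the KDC-side loop in this commit, which takes the first requested etype the server has a key for, RC4 would be chosen whenever both sides support it. Move `cipherAlgoMap.put("rc4", "ArcFourHmac");` below the `aes128` entry, or correct the comment if this order is intentional. Separately, `encType.getName().toLowerCase()` is locale-sensitive, and `toLowerCase(Locale.ROOT)` (with a `java.util.Locale` import) keeps the prefix match stable.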

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8d9a4f9c/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
b/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
index 9f0fa6f..a959b49 100644
--- a/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
+++ b/kerby-kerb/kerb-kdc-test/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcTestBase.java
@@ -20,6 +20,8 @@
 package org.apache.kerby.kerberos.kerb.server;
 
 import org.apache.kerby.kerberos.kerb.client.KrbClient;
+import org.apache.kerby.kerberos.kerb.client.KrbConfig;
+import org.apache.kerby.kerberos.kerb.client.KrbConfigKey;
 import org.junit.After;
 import org.junit.Before;
 
@@ -125,7 +127,11 @@ public abstract class KdcTestBase {
     }
 
     protected void setUpClient() throws Exception {
-        krbClnt = new KrbClient();
+        KrbConfig krbConfig = new KrbConfig();
+        krbConfig.setString(KrbConfigKey.PERMITTED_ENCTYPES,
+            "aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5 des3-cbc-sha1");
+
+        krbClnt = new KrbClient(krbConfig);
         prepareKrbClient();
 
         krbClnt.setKdcHost(hostname);

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/8d9a4f9c/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index df36ce2..f893fea 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -425,9 +425,13 @@ public abstract class KdcRequest {
         KrbIdentity serverEntry = getEntry(principal.getName());
         setServerEntry(serverEntry);
 
-        EncryptionType encType = request.getReqBody().getEtypes().listIterator().next();
-        EncryptionKey serverKey = serverEntry.getKeys().get(encType);
-        setServerKey(serverKey);
+        for (EncryptionType encType : request.getReqBody().getEtypes()) {
+            if (serverEntry.getKeys().containsKey(encType)) {
+                EncryptionKey serverKey = serverEntry.getKeys().get(encType);
+                setServerKey(serverKey);
+                break;
+            }
+        }
     }
 
     protected KrbError makePreAuthenticationError(KdcContext kdcContext) throws KrbException
{
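Review bot: When none of the requested etypes has a key in `serverEntry.getKeys()`, the new loop ends without calling `setServerKey`, so processing continues with no server key selected instead of rejecting the request. The no-match case should be detected after the loop and turned into an etype-not-supported error, for example `throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);`, assuming the enclosing method can throw `KrbException`; its signature is outside the hunk. The selection also follows the order of the list in the request, so it is worth confirming that the KDC applies its own permitted-etype policy before this point and does not rely on the client having sorted strongest first.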

