directory-commits mailing list archives

From dran...@apache.org
Subject directory-kerby git commit: Fixed an issue in four passes negotiation case between client and kdc
Date Thu, 25 Jun 2015 08:36:32 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/master df5a46188 -> 17ac6fd78


Fixed an issue in four passes negotiation case between client and kdc


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/17ac6fd7
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/17ac6fd7
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/17ac6fd7

Branch: refs/heads/master
Commit: 17ac6fd78b65ec411717f3e74a60c30867360ba3
Parents: df5a461
Author: Drankye <drankye@gmail.com>
Authored: Thu Jun 25 16:35:55 2015 +0800
Committer: Drankye <drankye@gmail.com>
Committed: Thu Jun 25 16:35:55 2015 +0800

----------------------------------------------------------------------
 kerby-kdc-test/src/test/resources/krb5-udp.conf |  9 ++++----
 kerby-kdc-test/src/test/resources/krb5.conf     | 11 +++++-----
 .../kerberos/kerb/server/GssInteropTest.java    |  3 ++-
 .../kerberos/kerb/server/KdcConfigKey.java      |  6 +++++-
 .../kerb/server/request/KdcRequest.java         | 22 ++++++++------------
 5 files changed, 27 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ac6fd7/kerby-kdc-test/src/test/resources/krb5-udp.conf
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/resources/krb5-udp.conf b/kerby-kdc-test/src/test/resources/krb5-udp.conf
index d8deffc..1e878bd 100644
--- a/kerby-kdc-test/src/test/resources/krb5-udp.conf
+++ b/kerby-kdc-test/src/test/resources/krb5-udp.conf
@@ -1,7 +1,8 @@
 [libdefaults]
-	default_realm = TEST.COM
+    default_realm = TEST.COM
+    permitted_enctypes = des-cbc-crc aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd
 
 [realms]
-	TEST.COM = {
-		kdc = localhost:port
-	}
\ No newline at end of file
+    TEST.COM = {
+        kdc = localhost:port
+    }
\ No newline at end of file
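Review bot: The added `permitted_enctypes` line lists `aes128-cts-hmac-sha1-96` twice, which looks like a slip. If the second entry was meant to be AES-256 it should read `permitted_enctypes = des-cbc-crc aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd`; otherwise drop the duplicate. The list also opens with `des-cbc-crc`, a single-DES type that RFC 6649 deprecates and that the KDC's own `ENCRYPTION_TYPES` default in this commit does not offer. Unless a test depends on it, leaving it out keeps this fixture from being copied into a real client configuration with DES permitted. The same line is added to krb5.conf in the next file section.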

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ac6fd7/kerby-kdc-test/src/test/resources/krb5.conf
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/resources/krb5.conf b/kerby-kdc-test/src/test/resources/krb5.conf
index e2fa16a..d1361d9 100644
--- a/kerby-kdc-test/src/test/resources/krb5.conf
+++ b/kerby-kdc-test/src/test/resources/krb5.conf
@@ -1,8 +1,9 @@
 [libdefaults]
-	default_realm = TEST.COM
-	udp_preference_limit = 1
+    default_realm = TEST.COM
+    udp_preference_limit = 1
+    permitted_enctypes = des-cbc-crc aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1-kd
 
 [realms]
-	TEST.COM = {
-		kdc = localhost:port
-	}
\ No newline at end of file
+    TEST.COM = {
+        kdc = localhost:port
+    }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ac6fd7/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
index 8885787..3652fea 100644
--- a/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
+++ b/kerby-kerb/kerb-kdc-test/src/test/java/org/apache/kerby/kerberos/kerb/server/GssInteropTest.java
@@ -58,7 +58,8 @@ public class GssInteropTest extends KdcTest {
         kdcServer.init();
 
         // Must disable pre-auth
-        kdcServer.getSetting().getKdcConfig().setBoolean(KdcConfigKey.PREAUTH_REQUIRED, false);
+        kdcServer.getKdcConfig().setBoolean(
+                KdcConfigKey.PREAUTH_REQUIRED, true);
 
         kdcRealm = kdcServer.getKdcRealm();
         clientPrincipal = "drankye@" + kdcRealm;
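Review bot: The comment `// Must disable pre-auth` above the changed call now contradicts it, because the new code sets `KdcConfigKey.PREAUTH_REQUIRED` to `true`. Replace it with something like `// Require pre-auth so the client has to go through the retry round trip` (wording inferred from the commit title, adjust as needed). The enclosing method starts and ends outside the hunk.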

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ac6fd7/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
index a2a3ed6..02116e7 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/KdcConfigKey.java
@@ -20,6 +20,7 @@
 package org.apache.kerby.kerberos.kerb.server;
 
 import org.apache.kerby.kerberos.kerb.common.SectionConfigKey;
+import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
 
 public enum KdcConfigKey implements SectionConfigKey {
     KRB_DEBUG(true),
@@ -45,7 +46,10 @@ public enum KdcConfigKey implements SectionConfigKey {
     PROXIABLE_ALLOWED(true),
     RENEWABLE_ALLOWED(true),
     VERIFY_BODY_CHECKSUM(true),
-    ENCRYPTION_TYPES(new String[] { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd" }),
+    ENCRYPTION_TYPES(EncryptionHandler.isAES256Enabled() ?
+            new String[] { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "aes256-cts-hmac-sha1-96"}
:
+            new String[] { "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd"}
+    ),
     RESTRICT_ANONYMOUS_TO_TGT(false, "kdcdefaults"),
     KDC_MAX_DGRAM_REPLY_SIZE(4096, "kdcdefaults"),
 
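Review bot: `aes256-cts-hmac-sha1-96` is appended after `des3-cbc-sha1-kd` in the AES-256 branch of `ENCRYPTION_TYPES`, so if this array is read as a preference order (not visible in the hunk) the strongest type is considered last. Listing it first, `new String[] { "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd" }`, avoids that. The constant's initializer also now calls `EncryptionHandler.isAES256Enabled()` while the enum class is loading. A short comment saying that the default list depends on that runtime check would explain why the default can differ between hosts.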

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/17ac6fd7/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
index a6498dd..1d879e2 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
@@ -27,6 +27,7 @@ import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
 import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil;
 import org.apache.kerby.kerberos.kerb.identity.KrbIdentity;
 import org.apache.kerby.kerberos.kerb.server.KdcContext;
+import org.apache.kerby.kerberos.kerb.server.KdcRecoverableException;
 import org.apache.kerby.kerberos.kerb.server.preauth.KdcFastContext;
 import org.apache.kerby.kerberos.kerb.server.preauth.PreauthContext;
 import org.apache.kerby.kerberos.kerb.server.preauth.PreauthHandler;
@@ -321,7 +322,7 @@ public abstract class KdcRequest {
         if (preauthContext.isPreauthRequired()) {
             if (preAuthData == null || preAuthData.isEmpty()) {
                 KrbError krbError = makePreAuthenticationError(kdcContext);
-                throw new KrbErrorException(krbError);
+                throw new KdcRecoverableException(krbError);
             } else {
                 getPreauthHandler().verify(this, preAuthData);
             }
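Review bot: Nothing at the `throw new KdcRecoverableException(krbError)` site says why missing pre-auth data is treated as recoverable, and that distinction matters to whoever handles the exception. A one-line comment such as `// No pre-auth data yet: reply with the error so the client can retry with it` would do (intent inferred from the exception name and the commit title). `KdcRecoverableException` is not among the files changed in this commit, so it is worth confirming that callers which previously caught `KrbErrorException` on this path still handle the new type. The enclosing method starts and ends outside the hunk.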
@@ -427,14 +428,9 @@ public abstract class KdcRequest {
     }
 
     protected KrbIdentity getEntry(String principal) throws KrbException {
-        KrbIdentity entry = null;
+        KrbIdentity entry;
         KrbErrorCode krbErrorCode = KrbErrorCode.KDC_ERR_C_PRINCIPAL_UNKNOWN;
-
-        try {
-            entry = kdcContext.getIdentityService().getIdentity(principal);
-        } catch (Exception e) {
-            throw new KrbException(krbErrorCode, e);
-        }
+        entry = kdcContext.getIdentityService().getIdentity(principal);
 
         if (entry == null) {
             // Maybe it is the token preauth, now we ignore check client entry.
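Review bot: `krbErrorCode` in `getEntry` has no visible use now that the `try`/`catch` is gone; unless the `entry == null` branch below the hunk still throws with it, the local can be removed. The declaration and assignment can then collapse to `KrbIdentity entry = kdcContext.getIdentityService().getIdentity(principal);`. With the catch removed, an unchecked exception from the identity service is no longer turned into a `KrbException`, so the request-handling code that calls this method has to map it to an error reply itself. The method body continues past the end of the hunk.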
@@ -443,7 +439,7 @@ public abstract class KdcRequest {
         return entry;
     }
 
-    public ByteBuffer getRequestBody() throws KrbException {
+    protected ByteBuffer getRequestBody() throws KrbException {
         return null;
     }
 
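Review bot: `getRequestBody()` returns `null` and carries no Javadoc; now that it is `protected` it reads as a hook for subclasses, and that should be stated. Something like `/** Returns the encoded request body, or null when this request type does not provide one; subclasses override. */` would tell callers to null-check. The contract is inferred from the visible body only, so adjust it to what the subclasses actually return.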
@@ -451,7 +447,7 @@ public abstract class KdcRequest {
         return fastContext.getArmorKey();
     }
 
-    public void setArmorKey(EncryptionKey armorKey) {
+    protected void setArmorKey(EncryptionKey armorKey) {
         fastContext.setArmorKey(armorKey);
     }
 
@@ -463,11 +459,11 @@ public abstract class KdcRequest {
         this.serverPrincipal = serverPrincipal;
     }
 
-    public byte[] getInnerBodyout() {
+    protected byte[] getInnerBodyout() {
         return innerBodyout;
     }
 
-    public boolean isToken() {
+    protected boolean isToken() {
         return isToken;
     }
 
@@ -475,7 +471,7 @@ public abstract class KdcRequest {
         this.token = authToken;
     }
 
-    public AuthToken getToken() {
+    protected AuthToken getToken() {
         return token;
     }
 }

