directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [04/50] [abbrv] directory-kerby git commit: DIRKRB-559 Validataion of ApReq and ApRep message in peer node. Contributed by Wei.
Date Fri, 21 Jul 2017 11:26:51 GMT
DIRKRB-559 Validataion of ApReq and ApRep message in peer node. Contributed by Wei.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/e41fb489
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/e41fb489
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/e41fb489

Branch: refs/heads/gssapi
Commit: e41fb489f2bfdbfcf3a43f077dd4e28f1035be17
Parents: aa1bd31
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Wed Apr 27 10:37:47 2016 +0800
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jul 21 12:25:02 2017 +0100

----------------------------------------------------------------------
 .../kerby/kerberos/kerb/request/ApRequest.java  | 37 +++++++++++++++++
 .../kerberos/kerb/response/ApResponse.java      | 42 ++++++++++++++++----
 .../kerby/kerberos/kerb/type/KerberosTime.java  | 22 ++++++++++
 3 files changed, 94 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
index 82666a6..096b0de 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/request/ApRequest.java
@@ -29,12 +29,15 @@ import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
 import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
+import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
 import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
 import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
 import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
 import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
 import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
 
+import java.net.InetAddress;
+
 /**
  * A wrapper for ApReq request
  * The client principal and sgt ticket are needed to create ApReq message.
@@ -118,6 +121,40 @@ public class ApRequest {
     }
 
     /*
+     * Validate the ApReq with channel binding and time
+     */
+    public static void validate(EncryptionKey encKey, ApReq apReq,
+                                InetAddress initiator,
+                                long timeSkew) throws KrbException {
+        validate(encKey, apReq);
+        Ticket ticket = apReq.getTicket();
+        EncTicketPart tktEncPart = ticket.getEncPart();
+        Authenticator authenticator = apReq.getAuthenticator();
+        if (initiator != null) {
+            HostAddresses clientAddrs = tktEncPart.getClientAddresses();
+            if (clientAddrs != null && !clientAddrs.contains(initiator)) {
+                throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
+            }
+        }
+
+        if (timeSkew != 0) {
+            if (authenticator.getCtime().isInClockSkew(timeSkew)) {
+                throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
+            }
+
+            KerberosTime now = KerberosTime.now();
+            KerberosTime startTime = tktEncPart.getStartTime();
+            if (startTime != null && startTime.greaterThanWithSkew(now, timeSkew))
{
+                throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
+            }
+
+            if (tktEncPart.getEndTime().lessThanWithSkew(now, timeSkew)) {
+                throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
+            }
+        }
+    }
+
+    /*
      *  Unseal the authenticator through the encryption key from ticket
      */
     public static void unsealAuthenticator(EncryptionKey encKey, ApReq apReq) throws KrbException
{

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
index 2d01004..344fe83 100644
--- a/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
+++ b/kerby-kerb/kerb-common/src/main/java/org/apache/kerby/kerberos/kerb/response/ApResponse.java
@@ -19,12 +19,13 @@
  */
 package org.apache.kerby.kerberos.kerb.response;
 
+import org.apache.kerby.kerberos.kerb.KrbErrorCode;
 import org.apache.kerby.kerberos.kerb.KrbException;
 import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
 import org.apache.kerby.kerberos.kerb.request.ApRequest;
-import org.apache.kerby.kerberos.kerb.type.KerberosTime;
 import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
 import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
+import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
 import org.apache.kerby.kerberos.kerb.type.ap.EncAPRepPart;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
 import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
@@ -43,8 +44,14 @@ public class ApResponse {
         this.encryptionKey = encryptionKey;
     }
 
+    public ApResponse(ApReq apReq) {
+        this.apReq = apReq;
+    }
+
     public ApRep getApRep() throws KrbException {
-        ApRequest.validate(encryptionKey, apReq);
+        if (encryptionKey != null) {
+            ApRequest.validate(encryptionKey, apReq);
+        }
 
         if (apRep == null) {
             apRep = makeApRep();
@@ -64,17 +71,38 @@ public class ApResponse {
 
         ApRep apRep = new ApRep();
         EncAPRepPart encAPRepPart = new EncAPRepPart();
+
+        Authenticator auth = apReq.getAuthenticator();
         // This field contains the current time on the client's host.
-        encAPRepPart.setCtime(KerberosTime.now());
+        encAPRepPart.setCtime(auth.getCtime());
         // This field contains the microsecond part of the client's timestamp.
-        encAPRepPart.setCusec((int) KerberosTime.now().getTimeInSeconds());
-        encAPRepPart.setSubkey(apReq.getAuthenticator().getSubKey());
+        encAPRepPart.setCusec(auth.getCusec());
+        encAPRepPart.setSubkey(auth.getSubKey());
         encAPRepPart.setSeqNumber(0);
         apRep.setEncRepPart(encAPRepPart);
-        EncryptedData encPart = EncryptionUtil.seal(encAPRepPart,
-                apReq.getAuthenticator().getSubKey(), KeyUsage.AP_REP_ENCPART);
+        EncryptedData encPart = EncryptionUtil.seal(encAPRepPart, auth.getSubKey(), KeyUsage.AP_REP_ENCPART);
         apRep.setEncryptedEncPart(encPart);
 
         return apRep;
     }
+
+    /**
+     * Validation for KRB_AP_REP message
+     * @param encKey key used to encrypt encrypted part of KRB_AP_REP message
+     * @param apRep KRB_AP_REP message received
+     * @param apReqSent the KRB_AP_REQ message that caused the KRB_AP_REP message from server
+     * @throws KrbException
+     */
+    public static void validate(EncryptionKey encKey, ApRep apRep, ApReq apReqSent) throws
KrbException {
+        EncAPRepPart encPart = EncryptionUtil.unseal(apRep.getEncryptedEncPart(),
+                encKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class);
+        apRep.setEncRepPart(encPart);
+        if (apReqSent != null) {
+            Authenticator auth = apReqSent.getAuthenticator();
+            if (!encPart.getCtime().equals(auth.getCtime())
+                    || encPart.getCusec() != auth.getCusec()) {
+                throw new KrbException(KrbErrorCode.KRB_AP_ERR_MUT_FAIL);
+            }
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/e41fb489/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
index c89b0cc..e3da3b1 100644
--- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
+++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/kerberos/kerb/type/KerberosTime.java
@@ -107,6 +107,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
 
     /**
      * Compare the KerberosTime with another one, and return <tt>true</tt>
+     * if it's lesser than the provided one with time skew
+     * @param ktime
+     * @param skew Maximum time skew in milliseconds
+     * @return <tt>true</tt> if less
+     */
+    public boolean lessThanWithSkew(KerberosTime ktime, long skew) {
+        return diff(ktime) - skew <= 0;
+    }
+
+    /**
+     * Compare the KerberosTime with another one, and return <tt>true</tt>
      * if it's greater than the provided one
      * 
      * @param ktime compare with milliseconds
@@ -117,6 +128,17 @@ public class KerberosTime extends Asn1GeneralizedTime {
     }
 
     /**
+     * Compare the KerberosTime with another one, and return <tt>true</tt>
+     * if it's greater than the provided one with time skew
+     * @param ktime
+     * @param skew Maximum time skew in milliseconds
+     * @return <tt>true</tt> if greater
+     */
+    public boolean greaterThanWithSkew(KerberosTime ktime, long skew) {
+        return diff(ktime) + skew >= 0;
+    }
+
+    /**
      * Check if the KerberosTime is within the provided clock skew
      * 
      * @param clockSkew The clock skew


Mime
View raw message