directory-commits mailing list archives

From cohei...@apache.org
Subject [44/50] [abbrv] directory-kerby git commit: DIRKRB-581 Imcompatible token header in init context against JDK GssApi. Contributed by Wei.
Date Fri, 21 Jul 2017 11:27:31 GMT
DIRKRB-581 Imcompatible token header in init context against JDK GssApi. Contributed by Wei.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/34edd99a
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/34edd99a
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/34edd99a

Branch: refs/heads/gssapi
Commit: 34edd99a5b79588d5ff418524dbad51c89e76196
Parents: 42dc865
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Sun Jun 12 10:13:17 2016 +0800
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jul 21 12:25:51 2017 +0100

----------------------------------------------------------------------
 .../kerberos/kerb/gssapi/krb5/KerbyContext.java | 31 ++++++++++++++++----
 1 file changed, 26 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34edd99a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
index 0bdd360..e8bcc77 100644
--- a/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
+++ b/kerby-kerb/kerb-gssapi/src/main/java/org/apache/kerby/kerberos/kerb/gssapi/krb5/KerbyContext.java
@@ -48,6 +48,7 @@ import javax.security.auth.kerberos.KerberosTicket;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.ByteBuffer;
 import java.security.Provider;
 
 @SuppressWarnings("PMD")
@@ -58,6 +59,9 @@ public class KerbyContext implements GSSContextSpi {
     private static final int STATE_ESTABLISHED = 2;
     private static final int STATE_DESTROYED = 3;
 
+    private static final byte[] MSG_AP_REQ = {(byte) 0x1, (byte) 0};
+    private static final byte[] MSG_AP_REP = {(byte) 0x2, (byte) 0};
+
     private int ctxState = STATE_NONE;
 
     private final GSSCaller caller;
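Review bot: `MSG_AP_REQ` and `MSG_AP_REP` are added without a comment, so a reader cannot tell that these two bytes are the Kerberos mechanism token IDs the commit title refers to. A line above them such as `// Two-byte TOK_ID written before the inner token (RFC 1964 section 1.1): 01 00 = AP-REQ, 02 00 = AP-REP` would record where the values come from. Because array contents stay writable even when the field is `final`, the comment could also state that these arrays are never modified.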
@@ -289,7 +293,11 @@ public class KerbyContext implements GSSContextSpi {
             }
             setupInitiatorContext(sgtTicket, apRequest);
             try {
-                ret = outApReq.encode();
+                ByteBuffer outBuffer = ByteBuffer.allocate(outApReq.encodingLength() + 2);
+                outBuffer.put(MSG_AP_REQ);
+                outApReq.encode(outBuffer);
+                outBuffer.flip();
+                ret = outBuffer.array();
             } catch (IOException e) {
                 throw new GSSException(GSSException.FAILURE, -1, "Generate ApReq bytes failed:
" + e.getMessage());
             }
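Review bot: The buffer size is written as `outApReq.encodingLength() + 2`, where the literal 2 silently depends on the length of `MSG_AP_REQ`; `ByteBuffer.allocate(MSG_AP_REQ.length + outApReq.encodingLength())` keeps the two in step. `outBuffer.flip()` has no effect on the following `outBuffer.array()`, which returns the whole backing array whatever the position and limit are, so the call can be dropped. If `encode` could ever write fewer bytes than `encodingLength()` reports, the token would end in zero padding, which `Arrays.copyOf(outBuffer.array(), outBuffer.position())` taken before any flip would avoid. The same pattern is repeated for `apRep` in the last hunk of this file, and the enclosing method starts outside this hunk.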
@@ -346,9 +354,13 @@ public class KerbyContext implements GSSContextSpi {
      */
     private void verifyServerToken(InputStream is, int mechTokenSize)
             throws GSSException {
-        byte[] token = new byte[mechTokenSize];
+        byte[] token;
         ApRep apRep;
         try {
+            if (!(is.read() == MSG_AP_REP[0] && is.read() == MSG_AP_REP[1])) {
+                throw new GSSException(GSSException.FAILURE, -1, "Invalid ApRep message ID");
+            }
+            token = new byte[mechTokenSize - MSG_AP_REP.length];
             is.read(token);
             apRep = new ApRep();
             apRep.decode(token);
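Review bot: `new byte[mechTokenSize - MSG_AP_REP.length]` throws `NegativeArraySizeException` when `mechTokenSize` is below 2, and that unchecked exception is not a `GSSException`, so it escapes the GSS error path; `mechTokenSize` presumably comes from the peer's token framing. A guard before the header reads, `if (mechTokenSize < MSG_AP_REP.length) { throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, "ApRep token too short"); }`, reports the malformed token as a GSS error instead. The unchanged `is.read(token)` on the next line ignores its return value, so a short read hands a partly zero-filled array to `decode`; `new DataInputStream(is).readFully(token)` reads the full length or throws `EOFException`, which is an `IOException`. Both points apply equally to `verifyClientToken` in the following hunk, which parses the token received from the client. The method body continues outside this hunk.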
@@ -404,14 +416,19 @@ public class KerbyContext implements GSSContextSpi {
 
     private byte[] verifyClientToken(KerbyAcceptCred acceptCred, InputStream is, int mechTokenSize)
             throws GSSException {
-        byte[] token = new byte[mechTokenSize];
+        byte[] token;
         ApReq apReq;
         try {
+            if (!(is.read() == MSG_AP_REQ[0] && is.read() == MSG_AP_REQ[1])) {
+                throw new GSSException(GSSException.FAILURE, -1, "Invalid ApReq message ID");
+            }
+
+            token = new byte[mechTokenSize - MSG_AP_REQ.length];
             is.read(token);
             apReq = new ApReq();
             apReq.decode(token);
         } catch (IOException e) {
-            throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid" + e.getMessage());
+            throw new GSSException(GSSException.UNAUTHORIZED, -1, "ApReq invalid:" + e.getMessage());
         }
 
         int kvno = apReq.getTicket().getEncryptedEncPart().getKvno();
@@ -460,7 +477,11 @@ public class KerbyContext implements GSSContextSpi {
 
         byte[] ret = null;
         try {
-            ret = apRep.encode();
+            ByteBuffer outBuffer = ByteBuffer.allocate(apRep.encodingLength() + 2);
+            outBuffer.put(MSG_AP_REP);
+            apRep.encode(outBuffer);
+            outBuffer.flip();
+            ret = outBuffer.array();
         } catch (IOException e) {
             throw new GSSException(GSSException.FAILURE, -1, "Generate ApRep bytes failed:"
+ e.getMessage());
         }

