directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "spark shen (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DIRSERVER-1108) [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption decryption function is not complete
Date Fri, 07 Dec 2007 05:55:43 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

spark shen updated DIRSERVER-1108:
----------------------------------

    Attachment: rc4_hmac_decrypt.diff

This patch tries to provide a complete implementation for rc4-hmac decrypt function. I will
provide a stand alone test case later. I generated client request using SUN's jdk - JGSS framework
- as below:
byte[] rc4_hmac = new byte[] { 
//                96, -126, 1, -59, 6, 9, 42, -122, 72,
//                -122, -9, 18, 1, 2, 2, 1, 0, 
                110, -126, 1, -76, 48, -126, 1,
                -80, -96, 3, 2, 1, 5, -95, 3, 2, 1, 14, -94, 7, 3, 5, 0, 32, 0,
                0, 0, -93, -127, -23, 97, -127, -26, 48, -127, -29, -96, 3, 2,
                1, 5, -95, 13, 27, 11, 69, 88, 65, 77, 80, 76, 69, 46, 67, 79,
                77, -94, 39, 48, 37, -96, 3, 2, 1, 0, -95, 30, 48, 28, 27, 11,
                115, 101, 114, 118, 105, 99, 101, 116, 101, 115, 116, 27, 13,
                57, 46, 49, 56, 49, 46, 49, 48, 54, 46, 50, 51, 54, -93, -127,
                -93, 48, -127, -96, -96, 3, 2, 1, 23, -95, 3, 2, 1, 1, -94,
                -127, -109, 4, -127, -112, -79, 89, -128, 91, 41, -62, -39, 90,
                -102, 77, 48, -103, 70, -1, -46, -77, 98, 31, -89, -35, 76,
                -93, 10, -117, 80, 85, -117, 26, -109, 24, 60, -23, 106, 0, 19,
                -39, -9, -6, 87, -62, 91, -112, 87, 93, 98, 112, 79, -56, -26,
                -106, 28, 39, -39, -86, -93, -113, 87, -11, -51, -58, 119, 95,
                -113, 102, 32, 80, 118, -85, 20, -123, 2, 53, 20, 62, -75, 66,
                -31, -105, 71, 121, -67, 48, 37, 86, 43, -52, -112, -87, -28,
                31, -49, 44, -67, -37, 125, 75, -127, -46, 81, 117, -85, -93,
                22, -64, 3, -121, -70, 84, -102, 123, -54, 126, 5, -69, -69,
                62, -19, -106, 1, -117, -25, 26, 113, -97, -30, 125, 25, -40,
                124, -45, -81, 20, -5, 44, -100, 0, 73, 1, 120, -29, 65, 7,
                -86, -85, -92, -127, -82, 48, -127, -85, -96, 3, 2, 1, 1, -94,
                -127, -93, 4, -127, -96, 127, -91, -38, -60, -111, -18, -49,
                -35, -80, 32, 59, 83, 125, -50, 15, -4, 96, -11, -13, -12, 43,
                -73, -16, 38, -37, 24, -89, 33, -29, 15, 11, -94, 16, -51, 16,
                -16, -78, 57, 95, -118, -21, 64, -79, -7, 15, 23, -97, 115,
                -13, -127, -6, 33, 33, 48, -10, -97, -95, -45, 28, -10, -112,
                -85, -68, -40, -43, -35, 3, 13, -118, -23, -42, -103, 54, -3,
                98, -91, 1, 81, -33, 41, 116, 33, 45, 56, 13, -54, 111, 16, -1,
                65, -23, 124, -7, 32, -112, 112, -90, -66, -3, -38, 113, -24,
                126, -117, -74, -70, -91, 58, 48, -88, -112, 28, 56, -6, 59,
                119, -3, 50, 41, 74, 114, -30, -67, 5, 89, -60, -37, -70, 121,
                2, 120, -71, 3, 124, 88, 32, -6, 67, -77, 109, 114, -100, 11,
                -27, -91, -36, -109, -19, 37, 110, 42, -70, 31, 12, -9, -30,
                -32, -103, 91, -58 };

And using this implementation, kerberos module can now decode this request successfully.
Would any committer take a look? BTW this patch is against 
https://svn.apache.org/repos/asf/directory/apacheds/branches/bigbang/kerberos-shared/src/main/java/org/apache/directory/
Thanks in advance.

> [kerberos]org.apache.directory.server.kerberos.shared.crypto.encryption.ArcFourHmacMd5Encryption
decryption function is not complete
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1108
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1108
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: kerberos
>            Reporter: spark shen
>         Attachments: rc4_hmac_decrypt.diff
>
>
> According RFC 4757, ArcFourHmacMd5Encryption has the decryption algorithm as below:
> +++++ cite +++++
> DECRYPT (K, export, T, edata)
> {
>   // edata looks like
>   struct EDATA {
>     struct HEADER {
>       OCTET Checksum[16];
>       OCTET Confounder[8];
>     } Header;
>     OCTET Data[0];
>   } edata;
>   if (export){
>     *((DWORD *)(L40+10)) = T;
>     HMAC (K, L40, 14, K1);
>   }
>   else
>   {
>     HMAC (K, &T, 4, K1);
>   }
>   memcpy (K2, K1, 16);
>   if (export) memset (K1+7, 0xAB, 9);
>   K3 = HMAC (K1, edata.Checksum);
>   RC4 (K3, edata.Confounder);
>   RC4 (K3, edata.Data);
>   // verify generated and received checksums
>   checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
>   if (checksum != edata.Checksum)
>   printf("CHECKSUM ERROR !!!!!!\n");
> }
> +++++ cite +++++
> Current implementation is apparently not complete:
> +++++ cite from bigbang +++++
> public byte[] getDecryptedData( EncryptionKey key, EncryptedData data, KeyUsage usage
) throws KerberosException
> {
>     return data.getCipher();
> }
> +++++ cite from bigbang +++++

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message