directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRKRB-91) Problems decrypting the TGT in KerberosConnection
Date Thu, 18 Apr 2013 07:23:17 GMT

    [ https://issues.apache.org/jira/browse/DIRKRB-91?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13634933#comment-13634933 ]

Emmanuel Lecharny commented on DIRKRB-91:
-----------------------------------------

The patch works, but I wonder if something slightly different wouldn't be better:

    if ( decryptedEncAsRepPart != null )
    {
        switch ( decryptedEncAsRepPart[0] )
        {
            case KerberosConstants.ENC_AS_REP_PART_TAG:
                EncAsRepPart encAsRepPart = KerberosDecoder.decodeEncAsRepPart( decryptedEncAsRepPart );

                if ( currentNonce != encAsRepPart.getEncKdcRepPart().getNonce() )
                {
                    throw new KerberosException( ErrorType.KRB_ERR_GENERIC,
                        "received nonce didn't match with the nonce sent in the request" );
                }

                encKdcRepPart = encAsRepPart.getEncKdcRepPart();
                break;

            case KerberosConstants.ENC_TGS_REP_PART_TAG:
                EncTgsRepPart encTgsRepPart = KerberosDecoder.decodeEncTgsRepPart( decryptedEncAsRepPart );

                if ( currentNonce != encTgsRepPart.getEncKdcRepPart().getNonce() )
                {
                    throw new KerberosException( ErrorType.KRB_ERR_GENERIC,
                        "received nonce didn't match with the nonce sent in the request" );
                }

                encKdcRepPart = encTgsRepPart.getEncKdcRepPart();
                break;
        }
    }


By reading the very first byte of the decoded part, we can tell if it's an AS or a TGS encPart,
which will spare an exception.

wdyt ?
                
> Problems decrypting the TGT in KerberosConnection
> -------------------------------------------------
>
>                 Key: DIRKRB-91
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-91
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Steve Moyer
>            Assignee: Emmanuel Lecharny
>         Attachments: AuthReqAndRep, DIRKRB-91-TGT-patch.txt
>
>
> See attached packet dumps (libpcap) of the request and response.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
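
The first-byte check discussed in the comment above, as an added example that is not part of the original message, the attached patch or the ApacheDS code base: it classifies the decrypted enc-part by its DER identifier octet and also rejects an empty buffer, a length that cannot fit, and an unknown tag (what decryption with the wrong key typically produces). The class, enum and method names are hypothetical; the tag values are the identifier octets for the constructed [APPLICATION 25] and [APPLICATION 26] types defined in RFC 4120.

```java
public class EncPartTagCheck
{
    public enum Kind { AS_REP_PART, TGS_REP_PART }

    // DER identifier octets: constructed [APPLICATION 25] and [APPLICATION 26] (RFC 4120)
    static final int ENC_AS_REP_PART_TAG = 0x79;
    static final int ENC_TGS_REP_PART_TAG = 0x7A;

    /** Classifies a decrypted enc-part; throws on anything that is not plausible DER. */
    public static Kind classify( byte[] decrypted )
    {
        if ( decrypted == null || decrypted.length < 2 )
        {
            throw new IllegalArgumentException( "enc-part too short for a tag and a length" );
        }
        int pos = 1;
        int length = decrypted[pos++] & 0xFF;
        if ( length >= 0x80 )
        {
            // Long form: the low 7 bits give the number of length octets that follow
            int nbOctets = length & 0x7F;
            if ( nbOctets == 0 || nbOctets > 4 || nbOctets > decrypted.length - pos )
            {
                throw new IllegalArgumentException( "invalid DER length" );
            }
            for ( length = 0; nbOctets > 0; nbOctets-- )
            {
                length = ( length << 8 ) | ( decrypted[pos++] & 0xFF );
            }
        }
        // Cipher padding may follow the value, so the declared length only has to fit
        if ( length < 0 || length > decrypted.length - pos )
        {
            throw new IllegalArgumentException( "declared length exceeds the decrypted data" );
        }
        switch ( decrypted[0] & 0xFF )
        {
            case ENC_AS_REP_PART_TAG: return Kind.AS_REP_PART;
            case ENC_TGS_REP_PART_TAG: return Kind.TGS_REP_PART;
            default: throw new IllegalArgumentException( "unexpected enc-part tag" );
        }
    }

    public static void main( String[] args )
    {
        // Constructed samples: tag, length, then an empty SEQUENCE (0x30 0x00)
        System.out.println( classify( new byte[] { 0x79, 0x02, 0x30, 0x00 } ) ); // AS_REP_PART
        System.out.println( classify( new byte[] { 0x7A, 0x02, 0x30, 0x00 } ) ); // TGS_REP_PART
    }
}
```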
