
src/java.security.jgss/share/classes/sun/security/krb5/KrbApReq.java

rev 15878 : 8168518: rcache interop with krb5-1.15


 284         EncTicketPart enc_ticketPart = new EncTicketPart(temp);
 285 
 286         checkPermittedEType(enc_ticketPart.key.getEType());
 287 
 288         byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key,
 289             KeyUsage.KU_AP_REQ_AUTHENTICATOR);
 290         byte[] temp2 = apReqMessg.authenticator.reset(bytes2);
 291         authenticator = new Authenticator(temp2);
 292         ctime = authenticator.ctime;
 293         cusec = authenticator.cusec;
 294         authenticator.ctime =
 295                 authenticator.ctime.withMicroSeconds(authenticator.cusec);
 296 
 297         if (!authenticator.cname.equals(enc_ticketPart.cname)) {
 298             throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH);
 299         }
 300 
 301         if (!authenticator.ctime.inClockSkew())
 302             throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
 303 

 304         byte[] hash;
 305         try {
 306             hash = MessageDigest.getInstance("MD5")
 307                     .digest(apReqMessg.authenticator.cipher);
 308         } catch (NoSuchAlgorithmException ex) {
 309             throw new AssertionError("Impossible");
 310         }
 311 
 312         char[] h = new char[hash.length * 2];
 313         for (int i=0; i<hash.length; i++) {
 314             h[2*i] = hexConst[(hash[i]&0xff)>>4];
 315             h[2*i+1] = hexConst[hash[i]&0xf];
 316         }
 317         AuthTimeWithHash time = new AuthTimeWithHash(
 318                 authenticator.cname.toString(),
 319                 apReqMessg.ticket.sname.toString(),
 320                 authenticator.ctime.getSeconds(),
 321                 authenticator.cusec,

 322                 new String(h));
 323         rcache.checkAndStore(KerberosTime.now(), time);
 324 
 325         if (initiator != null) {
 326             // sender host address
 327             HostAddress sender = new HostAddress(initiator);
 328             if (enc_ticketPart.caddr != null
 329                     && !enc_ticketPart.caddr.inList(sender)) {
 330                 if (DEBUG) {
 331                     System.out.println(">>> KrbApReq: initiator is "
 332                             + sender.getInetAddress()
 333                             + ", but caddr is "
 334                             + Arrays.toString(
 335                                 enc_ticketPart.caddr.getInetAddresses()));
 336                 }
 337                 throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
 338             }
 339         }
 340 
 341         // XXX check for repeated authenticator




 284         EncTicketPart enc_ticketPart = new EncTicketPart(temp);
 285 
 286         checkPermittedEType(enc_ticketPart.key.getEType());
 287 
 288         byte[] bytes2 = apReqMessg.authenticator.decrypt(enc_ticketPart.key,
 289             KeyUsage.KU_AP_REQ_AUTHENTICATOR);
 290         byte[] temp2 = apReqMessg.authenticator.reset(bytes2);
 291         authenticator = new Authenticator(temp2);
 292         ctime = authenticator.ctime;
 293         cusec = authenticator.cusec;
 294         authenticator.ctime =
 295                 authenticator.ctime.withMicroSeconds(authenticator.cusec);
 296 
 297         if (!authenticator.cname.equals(enc_ticketPart.cname)) {
 298             throw new KrbApErrException(Krb5.KRB_AP_ERR_BADMATCH);
 299         }
 300 
 301         if (!authenticator.ctime.inClockSkew())
 302             throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
 303 
 304         String alg = AuthTimeWithHash.DEFAULT_HASH_ALG;
 305         byte[] hash;
 306         try {
 307             hash = MessageDigest.getInstance(AuthTimeWithHash.realAlg(alg))
 308                     .digest(apReqMessg.authenticator.cipher);
 309         } catch (NoSuchAlgorithmException ex) {
 310             throw new AssertionError("Impossible " + alg);
 311         }
 312 
 313         char[] h = new char[hash.length * 2];
 314         for (int i=0; i<hash.length; i++) {
 315             h[2*i] = hexConst[(hash[i]&0xff)>>4];
 316             h[2*i+1] = hexConst[hash[i]&0xf];
 317         }
 318         AuthTimeWithHash time = new AuthTimeWithHash(
 319                 authenticator.cname.toString(),
 320                 apReqMessg.ticket.sname.toString(),
 321                 authenticator.ctime.getSeconds(),
 322                 authenticator.cusec,
 323                 alg,
 324                 new String(h));
 325         rcache.checkAndStore(KerberosTime.now(), time);
 326 
 327         if (initiator != null) {
 328             // sender host address
 329             HostAddress sender = new HostAddress(initiator);
 330             if (enc_ticketPart.caddr != null
 331                     && !enc_ticketPart.caddr.inList(sender)) {
 332                 if (DEBUG) {
 333                     System.out.println(">>> KrbApReq: initiator is "
 334                             + sender.getInetAddress()
 335                             + ", but caddr is "
 336                             + Arrays.toString(
 337                                 enc_ticketPart.caddr.getInetAddresses()));
 338                 }
 339                 throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
 340             }
 341         }
 342 
 343         // XXX check for repeated authenticator
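Review bot: The trailing `// XXX check for repeated authenticator` at line 343 is now stale: the replay check is performed by `rcache.checkAndStore(KerberosTime.now(), time)` at line 325, so a reader following the marker would look for work that has already been done. I would replace it with `// Replay detection already done above via rcache.checkAndStore(); an authenticator seen within the skew window is rejected there.` and drop the XXX tag. The new code at lines 304-310 also silently makes `AuthTimeWithHash.DEFAULT_HASH_ALG` (not visible here) the sole choice of digest over the authenticator ciphertext; if that default is still MD5 for krb5-1.15 rcache-format compatibility, a one-line comment such as `// Digest is only a replay-cache lookup key over the ciphertext; alg must match the on-disk rcache format` would document that the choice is an interop constraint rather than an integrity mechanism, which a future reader may otherwise flag. The enclosing method starts before line 284 and continues past line 343.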

