14 * accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License version
17 * 2 along with this work; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21 * or visit www.oracle.com if you need additional information or have any
22 * questions.
23 */
24
25 /*
26 *
27 * (C) Copyright IBM Corp. 1999 All Rights Reserved.
28 * Copyright 1997 The Open Group Research Institute. All rights reserved.
29 */
30
31 package sun.security.krb5;
32
33 import sun.security.krb5.internal.*;
34
35 abstract class KrbKdcRep {
36
37 static void check(
38 boolean isAsReq,
39 KDCReq req,
40 KDCRep rep
41 ) throws KrbApErrException {
42
43 if (isAsReq && !req.reqBody.cname.equals(rep.cname)) {
44 rep.encKDCRepPart.key.destroy();
45 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
46 }
47
48 if (!req.reqBody.sname.equals(rep.encKDCRepPart.sname)) {
49 rep.encKDCRepPart.key.destroy();
50 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
51 }
52
53 if (req.reqBody.getNonce() != rep.encKDCRepPart.nonce) {
54 rep.encKDCRepPart.key.destroy();
55 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
56 }
57
58 if (
59 ((req.reqBody.addresses != null && rep.encKDCRepPart.caddr != null) &&
60 !req.reqBody.addresses.equals(rep.encKDCRepPart.caddr))) {
61 rep.encKDCRepPart.key.destroy();
62 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
63 }
64
65 // We allow KDC to return a non-forwardable ticket if request has -f
66 for (int i = 2; i < 6; i++) {
67 if (req.reqBody.kdcOptions.get(i) !=
68 rep.encKDCRepPart.flags.get(i)) {
69 if (Krb5.DEBUG) {
70 System.out.println("> KrbKdcRep.check: at #" + i
71 + ". request for " + req.reqBody.kdcOptions.get(i)
99 rep.encKDCRepPart.key.destroy();
100 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
101 }
102 }
103
104 if (!req.reqBody.till.isZero() &&
105 rep.encKDCRepPart.endtime.greaterThan(req.reqBody.till)) {
106 rep.encKDCRepPart.key.destroy();
107 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
108 }
109
110 if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE)) {
111 if (req.reqBody.rtime != null && !req.reqBody.rtime.isZero()) {
112 // verify this is required
113 if ((rep.encKDCRepPart.renewTill == null) ||
114 rep.encKDCRepPart.renewTill.greaterThan(req.reqBody.rtime)
115 ) {
116 rep.encKDCRepPart.key.destroy();
117 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
118 }
119 }
120 }
121 }
122 }
|
14 * accompanied this code).
15 *
16 * You should have received a copy of the GNU General Public License version
17 * 2 along with this work; if not, write to the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
19 *
20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
21 * or visit www.oracle.com if you need additional information or have any
22 * questions.
23 */
24
25 /*
26 *
27 * (C) Copyright IBM Corp. 1999 All Rights Reserved.
28 * Copyright 1997 The Open Group Research Institute. All rights reserved.
29 */
30
31 package sun.security.krb5;
32
33 import sun.security.krb5.internal.*;
34 import sun.security.krb5.internal.crypto.KeyUsage;
35 import sun.security.util.DerInputStream;
36
37 abstract class KrbKdcRep {
38
39 static void check(
40 boolean isAsReq,
41 KDCReq req,
42 KDCRep rep,
43 EncryptionKey replyKey
44 ) throws KrbApErrException {
45
46 // cname change in AS-REP is allowed only if the client
47 // sent CANONICALIZE and the server supports RFC 6806 - Section 11
48 // FAST scheme (ENC-PA-REP flag).
49 if (isAsReq && !req.reqBody.cname.equals(rep.cname) &&
50 (!req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) ||
51 !rep.encKDCRepPart.flags.get(Krb5.TKT_OPTS_ENC_PA_REP))) {
52 rep.encKDCRepPart.key.destroy();
53 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
54 }
55
56 // sname change in TGS-REP is allowed only if client
57 // sent CANONICALIZE and new sname is a referral of
58 // the form krbtgt/TO-REALM.COM@FROM-REALM.COM.
59 if (!req.reqBody.sname.equals(rep.encKDCRepPart.sname)) {
60 String[] snameStrings = rep.encKDCRepPart.sname.getNameStrings();
61 if (isAsReq || !req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) ||
62 snameStrings == null || snameStrings.length != 2 ||
63 !snameStrings[0].equals(PrincipalName.TGS_DEFAULT_SRV_NAME) ||
64 !rep.encKDCRepPart.sname.getRealmString().equals(
65 req.reqBody.sname.getRealmString())) {
66 rep.encKDCRepPart.key.destroy();
67 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
68 }
69 }
70
71 if (req.reqBody.getNonce() != rep.encKDCRepPart.nonce) {
72 rep.encKDCRepPart.key.destroy();
73 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
74 }
75
76 if (
77 ((req.reqBody.addresses != null && rep.encKDCRepPart.caddr != null) &&
78 !req.reqBody.addresses.equals(rep.encKDCRepPart.caddr))) {
79 rep.encKDCRepPart.key.destroy();
80 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
81 }
82
83 // We allow KDC to return a non-forwardable ticket if request has -f
84 for (int i = 2; i < 6; i++) {
85 if (req.reqBody.kdcOptions.get(i) !=
86 rep.encKDCRepPart.flags.get(i)) {
87 if (Krb5.DEBUG) {
88 System.out.println("> KrbKdcRep.check: at #" + i
89 + ". request for " + req.reqBody.kdcOptions.get(i)
117 rep.encKDCRepPart.key.destroy();
118 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
119 }
120 }
121
122 if (!req.reqBody.till.isZero() &&
123 rep.encKDCRepPart.endtime.greaterThan(req.reqBody.till)) {
124 rep.encKDCRepPart.key.destroy();
125 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
126 }
127
128 if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE)) {
129 if (req.reqBody.rtime != null && !req.reqBody.rtime.isZero()) {
130 // verify this is required
131 if ((rep.encKDCRepPart.renewTill == null) ||
132 rep.encKDCRepPart.renewTill.greaterThan(req.reqBody.rtime)
133 ) {
134 rep.encKDCRepPart.key.destroy();
135 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
136 }
137 }
138 }
139
140 // RFC 6806 - Section 11 mechanism check
141 if (rep.encKDCRepPart.flags.get(Krb5.TKT_OPTS_ENC_PA_REP) &&
142 req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE)) {
143 boolean reqPaReqEncPaRep = false;
144 boolean repPaReqEncPaRepValid = false;
145
146 // PA_REQ_ENC_PA_REP only required for AS requests
147 for (PAData pa : req.pAData) {
148 if (pa.getType() == Krb5.PA_REQ_ENC_PA_REP) {
149 reqPaReqEncPaRep = true;
150 break;
151 }
152 }
153
154 if (rep.encKDCRepPart.pAData != null) {
155 for (PAData pa : rep.encKDCRepPart.pAData) {
156 if (pa.getType() == Krb5.PA_REQ_ENC_PA_REP) {
157 try {
158 Checksum repCksum = new Checksum(
159 new DerInputStream(
160 pa.getValue()).getDerValue());
161 repPaReqEncPaRepValid =
162 repCksum.verifyKeyedChecksum(
163 req.asn1Encode(), replyKey,
164 KeyUsage.KU_AS_REQ);
165 } catch (Exception e) {
166 if (Krb5.DEBUG) {
167 e.printStackTrace();
168 }
169 }
170 break;
171 }
172 }
173 }
174
175 if (reqPaReqEncPaRep && !repPaReqEncPaRepValid) {
176 throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
177 }
178 }
179 }
180 }
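Review bot: The ENC-PA-REP rejection at new lines 175-177 throws KRB_AP_ERR_MODIFIED without first calling `rep.encKDCRepPart.key.destroy()`, unlike every other mismatch branch in check(), so the reply's session key is left undestroyed on this one failure path; add `rep.encKDCRepPart.key.destroy();` immediately before that throw. The broad `catch (Exception e)` around the checksum decode and verify at lines 165-169 correctly leaves repPaReqEncPaRepValid false (fail closed), but under Krb5.DEBUG it only prints a stack trace, so a malformed PA-REQ-ENC-PA-REP value and a keyed-checksum mismatch look the same in the log; a one-line debug message such as `System.out.println("> KrbKdcRep.check: ENC-PA-REP verification failed: " + e);` before the trace would make triage easier. The verification block at lines 141-142 is gated on the ticket flag plus CANONICALIZE, while the cname change at lines 49-51 is accepted under those same two conditions whether or not the client actually sent PA_REQ_ENC_PA_REP; if the AS-REQ builder can omit that padata when CANONICALIZE is set, a changed cname would pass without the checksum check, which is worth confirming against the request side, which is outside this view. The middle of check() (new lines 90-116) is collapsed in this view, so the flag-comparison loop could not be reviewed here.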
|