79 *
80 * The new style has a hash:
81 *
82 * LC of ""
83 * LC of "HASH:%s %lu:%s %lu:%s" of (hash, clientlen, client, serverlen,
84 * server) where msghash is 32 char (lower case) text mode md5sum
85 * of the ciphertext of authenticator.
86 * i32 cusec of Authenticator
87 * i32 ctime of Authenticator
88 *
89 * where LC of a string means
90 *
91 * i32 strlen(string) + 1
92 * octets of string, with the \0x00 ending
93 *
94 * The old style block is always created by MIT krb5 used even if a new style
95 * is available, which means there can be 2 entries for a single Authenticator.
96 * Java also does this way.
97 *
98 * See src/lib/krb5/rcache/rc_io.c and src/lib/krb5/rcache/rc_dfl.c.
99 */
100 public class DflCache extends ReplayCache {
101
102 private static final int KRB5_RV_VNO = 0x501;
103 private static final int EXCESSREPS = 30; // if missed-hit>this, recreate
104
105 private final String source;
106
107 private static long uid;
108 static {
109 // Available on Solaris, Linux and Mac. Otherwise, -1 and no _euid suffix
110 uid = jdk.internal.misc.VM.geteuid();
111 }
112
113 public DflCache (String source) {
114 this.source = source;
115 }
116
117 private static String defaultPath() {
118 return AccessController.doPrivileged(
283 throw new IOException("Accessible by someone else");
284 }
285 } catch (UnsupportedOperationException uoe) {
286 // No POSIX permissions? Ignore it.
287 }
288 chan = Files.newByteChannel(p, StandardOpenOption.WRITE,
289 StandardOpenOption.READ);
290
291 long timeLimit = currTime.getSeconds() - readHeader(chan);
292
293 long pos = 0;
294 boolean seeNewButNotSame = false;
295 while (true) {
296 try {
297 pos = chan.position();
298 AuthTime a = AuthTime.readFrom(chan);
299 if (a instanceof AuthTimeWithHash) {
300 if (time.equals(a)) {
301 // Exact match, must be a replay
302 throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
303 } else if (time.isSameIgnoresHash(a)) {
304 // Two different authenticators in the same second.
305 // Remember it
306 seeNewButNotSame = true;
307 }
308 } else {
309 if (time.isSameIgnoresHash(a)) {
310 // Two authenticators in the same second. Considered
311 // same if we haven't seen a new style version of it
312 if (!seeNewButNotSame) {
313 throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
314 }
315 }
316 }
317 if (a.ctime < timeLimit) {
318 missed++;
319 } else {
320 missed--;
321 }
322 } catch (BufferUnderflowException e) {
323 // Half-written file?
79 *
80 * The new style has a hash:
81 *
82 * LC of ""
83 * LC of "HASH:%s %lu:%s %lu:%s" of (hash, clientlen, client, serverlen,
84 * server) where msghash is 32 char (lower case) text mode md5sum
85 * of the ciphertext of authenticator.
86 * i32 cusec of Authenticator
87 * i32 ctime of Authenticator
88 *
89 * where LC of a string means
90 *
91 * i32 strlen(string) + 1
92 * octets of string, with the \0x00 ending
93 *
94 * The old style block is always created by MIT krb5 used even if a new style
95 * is available, which means there can be 2 entries for a single Authenticator.
96 * Java also does this way.
97 *
98 * See src/lib/krb5/rcache/rc_io.c and src/lib/krb5/rcache/rc_dfl.c.
99 *
100 * Update: New version can use other hash algorithms.
101 */
102 public class DflCache extends ReplayCache {
103
104 private static final int KRB5_RV_VNO = 0x501;
105 private static final int EXCESSREPS = 30; // if missed-hit>this, recreate
106
107 private final String source;
108
109 private static long uid;
110 static {
111 // Available on Solaris, Linux and Mac. Otherwise, -1 and no _euid suffix
112 uid = jdk.internal.misc.VM.geteuid();
113 }
114
115 public DflCache (String source) {
116 this.source = source;
117 }
118
119 private static String defaultPath() {
120 return AccessController.doPrivileged(
285 throw new IOException("Accessible by someone else");
286 }
287 } catch (UnsupportedOperationException uoe) {
288 // No POSIX permissions? Ignore it.
289 }
290 chan = Files.newByteChannel(p, StandardOpenOption.WRITE,
291 StandardOpenOption.READ);
292
293 long timeLimit = currTime.getSeconds() - readHeader(chan);
294
295 long pos = 0;
296 boolean seeNewButNotSame = false;
297 while (true) {
298 try {
299 pos = chan.position();
300 AuthTime a = AuthTime.readFrom(chan);
301 if (a instanceof AuthTimeWithHash) {
302 if (time.equals(a)) {
303 // Exact match, must be a replay
304 throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
305 } else if (time.sameTimeDiffHash((AuthTimeWithHash)a)) {
306 // Two different authenticators in the same second.
307 // Remember it
308 seeNewButNotSame = true;
309 }
310 } else {
311 if (time.isSameIgnoresHash(a)) {
312 // Two authenticators in the same second. Considered
313 // same if we haven't seen a new style version of it
314 if (!seeNewButNotSame) {
315 throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
316 }
317 }
318 }
319 if (a.ctime < timeLimit) {
320 missed++;
321 } else {
322 missed--;
323 }
324 } catch (BufferUnderflowException e) {
325 // Half-written file?