Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/mobile
 Path: blob/master/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java
41159 views
1
/*

2
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

3
 *

4
 * This code is free software; you can redistribute it and/or modify it

5
 * under the terms of the GNU General Public License version 2 only, as

6
 * published by the Free Software Foundation.  Oracle designates this

7
 * particular file as subject to the "Classpath" exception as provided

8
 * by Oracle in the LICENSE file that accompanied this code.

9
 *

10
 * This code is distributed in the hope that it will be useful, but WITHOUT

11
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

12
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

13
 * version 2 for more details (a copy is included in the LICENSE file that

14
 * accompanied this code).

15
 *

16
 * You should have received a copy of the GNU General Public License version

17
 * 2 along with this work; if not, write to the Free Software Foundation,

18
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

19
 *

20
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

21
 * or visit www.oracle.com if you need additional information or have any

22
 * questions.

23
 */

24


25
/*

26
 *

27
 *  (C) Copyright IBM Corp. 1999 All Rights Reserved.

28
 *  Copyright 1997 The Open Group Research Institute.  All rights reserved.

29
 */

30


31
package sun.security.krb5;

32


33
import sun.security.krb5.internal.*;

34
import sun.security.krb5.internal.crypto.KeyUsage;

35
import sun.security.util.DerInputStream;

36


37
abstract class KrbKdcRep {

38


39
    static void check(

40
                      boolean isAsReq,

41
                      KDCReq req,

42
                      KDCRep rep,

43
                      EncryptionKey replyKey

44
                      ) throws KrbApErrException {

45


46
        // cname change in AS-REP is allowed only if the client

47
        // sent CANONICALIZE or an NT-ENTERPRISE cname in the request, and the

48
        // server supports RFC 6806 - Section 11 FAST scheme (ENC-PA-REP flag).

49
        if (isAsReq && !req.reqBody.cname.equals(rep.cname) &&

50
                ((!req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) &&

51
                req.reqBody.cname.getNameType() !=

52
                PrincipalName.KRB_NT_ENTERPRISE) ||

53
                !rep.encKDCRepPart.flags.get(Krb5.TKT_OPTS_ENC_PA_REP))) {

54
            rep.encKDCRepPart.key.destroy();

55
            throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

56
        }

57


58
        // sname change in TGS-REP is allowed only if client

59
        // sent CANONICALIZE and new sname is a referral of

60
        // the form krbtgt/[email protected].

61
        if (!req.reqBody.sname.equals(rep.encKDCRepPart.sname)) {

62
            String[] snameStrings = rep.encKDCRepPart.sname.getNameStrings();

63
            if (isAsReq || !req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) ||

64
                    snameStrings == null || snameStrings.length != 2 ||

65
                    !snameStrings[0].equals(PrincipalName.TGS_DEFAULT_SRV_NAME) ||

66
                    !rep.encKDCRepPart.sname.getRealmString().equals(

67
                            req.reqBody.sname.getRealmString())) {

68
                rep.encKDCRepPart.key.destroy();

69
                throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

70
            }

71
        }

72


73
        if (req.reqBody.getNonce() != rep.encKDCRepPart.nonce) {

74
            rep.encKDCRepPart.key.destroy();

75
            throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

76
        }

77


78
        if (

79
            ((req.reqBody.addresses != null && rep.encKDCRepPart.caddr != null) &&

80
             !req.reqBody.addresses.equals(rep.encKDCRepPart.caddr))) {

81
            rep.encKDCRepPart.key.destroy();

82
            throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

83
        }

84


85
        // We allow KDC to return a non-forwardable ticket if request has -f

86
        for (int i = 2; i < 6; i++) {

87
            if (req.reqBody.kdcOptions.get(i) !=

88
                   rep.encKDCRepPart.flags.get(i)) {

89
                if (Krb5.DEBUG) {

90
                    System.out.println("> KrbKdcRep.check: at #" + i

91
                            + ". request for " + req.reqBody.kdcOptions.get(i)

92
                            + ", received " + rep.encKDCRepPart.flags.get(i));

93
                }

94
                throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

95
            }

96
        }

97


98
        // Reply to a renewable request should be renewable, but if request does

99
        // not contain renewable, KDC is free to issue a renewable ticket (for

100
        // example, if ticket_lifetime is too big).

101
        if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&

102
                !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {

103
            throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

104
        }

105


106
        if ((req.reqBody.from == null) || req.reqBody.from.isZero()) {

107
            // verify this is allowed

108
            if ((rep.encKDCRepPart.starttime != null) &&

109
                    !rep.encKDCRepPart.starttime.inClockSkew()) {

110
                rep.encKDCRepPart.key.destroy();

111
                throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);

112
            }

113
        }

114


115
        if ((req.reqBody.from != null) && !req.reqBody.from.isZero()) {

116
            // verify this is allowed

117
            if ((rep.encKDCRepPart.starttime != null) &&

118
                    !req.reqBody.from.equals(rep.encKDCRepPart.starttime)) {

119
                rep.encKDCRepPart.key.destroy();

120
                throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

121
            }

122
        }

123


124
        if (!req.reqBody.till.isZero() &&

125
                rep.encKDCRepPart.endtime.greaterThan(req.reqBody.till)) {

126
            rep.encKDCRepPart.key.destroy();

127
            throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

128
        }

129


130
        if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE)) {

131
            if (req.reqBody.rtime != null && !req.reqBody.rtime.isZero()) {

132
                // verify this is required

133
                if ((rep.encKDCRepPart.renewTill == null) ||

134
                        rep.encKDCRepPart.renewTill.greaterThan(req.reqBody.rtime)

135
                        ) {

136
                    rep.encKDCRepPart.key.destroy();

137
                    throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

138
                }

139
            }

140
        }

141


142
        // RFC 6806 - Section 11 mechanism check

143
        // The availability of the ENC-PA-REP flag in the KDC response is

144
        // mandatory on some cases (see Krb5.TKT_OPTS_ENC_PA_REP check above).

145
        if (rep.encKDCRepPart.flags.get(Krb5.TKT_OPTS_ENC_PA_REP)) {

146
            boolean reqPaReqEncPaRep = false;

147
            boolean repPaReqEncPaRepValid = false;

148


149
            if (req.pAData != null) {

150
                for (PAData pa : req.pAData) {

151
                    if (pa.getType() == Krb5.PA_REQ_ENC_PA_REP) {

152
                        // The KDC supports RFC 6806 and ENC-PA-REP was sent in

153
                        // the request (AS-REQ). A valid checksum is now required.

154
                        reqPaReqEncPaRep = true;

155
                        break;

156
                    }

157
                }

158
            }

159


160
            if (rep.encKDCRepPart.pAData != null) {

161
                for (PAData pa : rep.encKDCRepPart.pAData) {

162
                    if (pa.getType() == Krb5.PA_REQ_ENC_PA_REP) {

163
                        try {

164
                            Checksum repCksum = new Checksum(

165
                                    new DerInputStream(

166
                                            pa.getValue()).getDerValue());

167
                            // The checksum is inside encKDCRepPart so we don't

168
                            // care if it's keyed or not.

169
                            repPaReqEncPaRepValid =

170
                                    repCksum.verifyAnyChecksum(

171
                                            req.asn1Encode(), replyKey,

172
                                            KeyUsage.KU_AS_REQ);

173
                        } catch (Exception e) {

174
                            if (Krb5.DEBUG) {

175
                                e.printStackTrace();

176
                            }

177
                        }

178
                        break;

179
                    }

180
                }

181
            }

182


183
            if (reqPaReqEncPaRep && !repPaReqEncPaRepValid) {

184
                throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);

185
            }

186
        }

187
    }

188
}

189


190