author | weijun |
Tue, 20 Mar 2012 19:12:21 +0800 | |
changeset 12199 | 3de38eedde69 |
parent 11107 | fc8efc57da08 |
child 12867 | 5492127ab0a8 |
permissions | -rw-r--r-- |
1454 | 1 |
/* |
9035
1255eb81cc2f
7033660: Update copyright year to 2011 on any files changed in 2011
ohair
parents:
7977
diff
changeset
|
2 |
* Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved. |
1454 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. |
|
8 |
* |
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
13 |
* accompanied this code). |
|
14 |
* |
|
15 |
* You should have received a copy of the GNU General Public License version |
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 |
* |
|
5506 | 19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
20 |
* or visit www.oracle.com if you need additional information or have any |
|
21 |
* questions. |
|
1454 | 22 |
*/ |
23 |
||
24 |
import java.lang.reflect.Constructor; |
|
25 |
import java.lang.reflect.Field; |
|
26 |
import java.lang.reflect.InvocationTargetException; |
|
27 |
import java.net.*; |
|
28 |
import java.io.*; |
|
29 |
import java.lang.reflect.Method; |
|
30 |
import java.security.SecureRandom; |
|
31 |
import java.util.*; |
|
32 |
import java.util.concurrent.*; |
|
3046 | 33 |
import sun.net.spi.nameservice.NameService; |
34 |
import sun.net.spi.nameservice.NameServiceDescriptor; |
|
1454 | 35 |
import sun.security.krb5.*; |
36 |
import sun.security.krb5.internal.*; |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
37 |
import sun.security.krb5.internal.ccache.CredentialsCache; |
1454 | 38 |
import sun.security.krb5.internal.crypto.KeyUsage; |
39 |
import sun.security.krb5.internal.ktab.KeyTab; |
|
40 |
import sun.security.util.DerInputStream; |
|
41 |
import sun.security.util.DerOutputStream; |
|
42 |
import sun.security.util.DerValue; |
|
43 |
||
44 |
/** |
|
45 |
* A KDC server. |
|
46 |
* <p> |
|
47 |
* Features: |
|
48 |
* <ol> |
|
49 |
* <li> Supports TCP and UDP |
|
50 |
* <li> Supports AS-REQ and TGS-REQ |
|
51 |
* <li> Principal db and other settings hard coded in application |
|
52 |
* <li> Options, say, request preauth or not |
|
53 |
* </ol> |
|
54 |
* Side effects: |
|
55 |
* <ol> |
|
56 |
* <li> The Sun-internal class <code>sun.security.krb5.Config</code> is a |
|
57 |
* singleton and initialized according to Kerberos settings (krb5.conf and |
|
58 |
* java.security.krb5.* system properties). This means once it's initialized |
|
59 |
* it will not automatically notice any changes to these settings (or file |
|
60 |
* changes of krb5.conf). The KDC class normally does not touch these |
|
61 |
* settings (except for the <code>writeKtab()</code> method). However, to make |
|
62 |
* sure nothing ever goes wrong, if you want to make any changes to these |
|
63 |
* settings after calling a KDC method, call <code>Config.refresh()</code> to |
|
64 |
* make sure your changes are reflected in the <code>Config</code> object. |
|
65 |
* </ol> |
|
4336 | 66 |
* System properties recognized: |
67 |
* <ul> |
|
68 |
* <li>test.kdc.save.ccache |
|
69 |
* </ul> |
|
70 |
* Support policies: |
|
71 |
* <ul> |
|
72 |
* <li>ok-as-delegate |
|
73 |
* </ul> |
|
1454 | 74 |
* Issues and TODOs: |
75 |
* <ol> |
|
76 |
* <li> Generates krb5.conf to be used on another machine, currently the kdc is |
|
77 |
* always localhost |
|
78 |
* <li> More options to KDC, say, error output, say, response nonce != |
|
79 |
* request nonce |
|
80 |
* </ol> |
|
81 |
* Note: This program uses internal krb5 classes (including reflection to |
|
82 |
* access private fields and methods). |
|
83 |
* <p> |
|
84 |
* Usages: |
|
85 |
* <p> |
|
86 |
* 1. Init and start the KDC: |
|
87 |
* <pre> |
|
88 |
* KDC kdc = KDC.create("REALM.NAME", port, isDaemon); |
|
89 |
* KDC kdc = KDC.create("REALM.NAME"); |
|
90 |
* </pre> |
|
91 |
* Here, <code>port</code> is the UDP and TCP port number the KDC server |
|
92 |
* listens on. If zero, a random port is chosen, which you can use getPort() |
|
93 |
* later to retrieve the value. |
|
94 |
* <p> |
|
95 |
* If <code>isDaemon</code> is true, the KDC worker threads will be daemons. |
|
96 |
* <p> |
|
97 |
* The shortcut <code>KDC.create("REALM.NAME")</code> has port=0 and |
|
98 |
* isDaemon=false, and is commonly used in an embedded KDC. |
|
99 |
* <p> |
|
100 |
* 2. Adding users: |
|
101 |
* <pre> |
|
102 |
* kdc.addPrincipal(String principal_name, char[] password); |
|
103 |
* kdc.addPrincipalRandKey(String principal_name); |
|
104 |
* </pre> |
|
105 |
* A service principal's name should look like "host/f.q.d.n". The second form |
|
106 |
* generates a random key. To expose this key, call <code>writeKtab()</code> to |
|
107 |
* save the keys into a keytab file. |
|
108 |
* <p> |
|
109 |
* Note that you need to add the principal name krbtgt/REALM.NAME yourself. |
|
110 |
* <p> |
|
111 |
* Note that you can safely add a principal at any time after the KDC is |
|
112 |
* started and before a user requests info on this principal. |
|
113 |
* <p> |
|
114 |
* 3. Other public methods: |
|
115 |
* <ul> |
|
116 |
* <li> <code>getPort</code>: Returns the port number the KDC uses |
|
117 |
* <li> <code>getRealm</code>: Returns the realm name |
|
118 |
* <li> <code>writeKtab</code>: Writes all principals' keys into a keytab file |
|
119 |
* <li> <code>saveConfig</code>: Saves a krb5.conf file to access this KDC |
|
120 |
* <li> <code>setOption</code>: Sets various options |
|
121 |
* </ul> |
|
122 |
* Read the javadoc for details. Lazy developer can use <code>OneKDC</code> |
|
123 |
* directly. |
|
124 |
*/ |
|
125 |
public class KDC { |
|
126 |
||
127 |
// Under the hood. |
|
128 |
||
129 |
// The random generator to generate random keys (including session keys) |
|
130 |
private static SecureRandom secureRandom = new SecureRandom(); |
|
7183 | 131 |
|
132 |
// Principal db. principal -> pass. A case-insensitive TreeMap is used |
|
133 |
// so that even if the client provides a name with different case, the KDC |
|
134 |
// can still locate the principal and give back correct salt. |
|
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7183
diff
changeset
|
135 |
private TreeMap<String,char[]> passwords = new TreeMap<> |
7183 | 136 |
(String.CASE_INSENSITIVE_ORDER); |
137 |
||
1454 | 138 |
// Realm name |
139 |
private String realm; |
|
3046 | 140 |
// KDC |
141 |
private String kdc; |
|
142 |
// Service port number |
|
143 |
private int port; |
|
1454 | 144 |
// The request/response job queue |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7183
diff
changeset
|
145 |
private BlockingQueue<Job> q = new ArrayBlockingQueue<>(100); |
1454 | 146 |
// Options |
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7183
diff
changeset
|
147 |
private Map<Option,Object> options = new HashMap<>(); |
1454 | 148 |
|
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
149 |
private Thread thread1, thread2, thread3; |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
150 |
DatagramSocket u1 = null; |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
151 |
ServerSocket t1 = null; |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
152 |
|
1454 | 153 |
/** |
154 |
* Option names, to be expanded forever. |
|
155 |
*/ |
|
156 |
public static enum Option { |
|
157 |
/** |
|
158 |
* Whether pre-authentication is required. Default Boolean.TRUE |
|
159 |
*/ |
|
160 |
PREAUTH_REQUIRED, |
|
5774
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
161 |
/** |
5802
ea99d72d3c19
6959292: regression: cannot login if session key and preauth does not use the same etype
weijun
parents:
5774
diff
changeset
|
162 |
* Only issue TGT in RC4 |
5774
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
163 |
*/ |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
164 |
ONLY_RC4_TGT, |
5802
ea99d72d3c19
6959292: regression: cannot login if session key and preauth does not use the same etype
weijun
parents:
5774
diff
changeset
|
165 |
/** |
7183 | 166 |
* Use RC4 as the first in preauth |
5802
ea99d72d3c19
6959292: regression: cannot login if session key and preauth does not use the same etype
weijun
parents:
5774
diff
changeset
|
167 |
*/ |
7183 | 168 |
RC4_FIRST_PREAUTH, |
169 |
/** |
|
170 |
* Use only one preauth, so that some keys are not easy to generate |
|
171 |
*/ |
|
172 |
ONLY_ONE_PREAUTH, |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
173 |
/** |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
174 |
* Set all name-type to a value in response |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
175 |
*/ |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
176 |
RESP_NT, |
10432
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
177 |
/** |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
178 |
* Multiple ETYPE-INFO-ENTRY with same etype but different salt |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
179 |
*/ |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
180 |
DUP_ETYPE, |
1454 | 181 |
}; |
182 |
||
3046 | 183 |
static { |
184 |
System.setProperty("sun.net.spi.nameservice.provider.1", "ns,mock"); |
|
185 |
} |
|
186 |
||
1454 | 187 |
/** |
188 |
* A standalone KDC server. |
|
189 |
*/ |
|
190 |
public static void main(String[] args) throws Exception { |
|
4336 | 191 |
KDC kdc = create("RABBIT.HOLE", "kdc.rabbit.hole", 0, false); |
1454 | 192 |
kdc.addPrincipal("dummy", "bogus".toCharArray()); |
193 |
kdc.addPrincipal("foo", "bar".toCharArray()); |
|
3046 | 194 |
kdc.addPrincipalRandKey("krbtgt/RABBIT.HOLE"); |
195 |
kdc.addPrincipalRandKey("server/host.rabbit.hole"); |
|
196 |
kdc.addPrincipalRandKey("backend/host.rabbit.hole"); |
|
197 |
KDC.saveConfig("krb5.conf", kdc, "forwardable = true"); |
|
1454 | 198 |
} |
199 |
||
200 |
/** |
|
201 |
* Creates and starts a KDC running as a daemon on a random port. |
|
202 |
* @param realm the realm name |
|
203 |
* @return the running KDC instance |
|
204 |
* @throws java.io.IOException for any socket creation error |
|
205 |
*/ |
|
206 |
public static KDC create(String realm) throws IOException { |
|
3046 | 207 |
return create(realm, "kdc." + realm.toLowerCase(), 0, true); |
1454 | 208 |
} |
209 |
||
7183 | 210 |
public static KDC existing(String realm, String kdc, int port) { |
211 |
KDC k = new KDC(realm, kdc); |
|
212 |
k.port = port; |
|
213 |
return k; |
|
214 |
} |
|
215 |
||
1454 | 216 |
/** |
217 |
* Creates and starts a KDC server. |
|
218 |
* @param realm the realm name |
|
219 |
* @param port the TCP and UDP port to listen to. A random port will to |
|
220 |
* chosen if zero. |
|
221 |
* @param asDaemon if true, KDC threads will be daemons. Otherwise, not. |
|
222 |
* @return the running KDC instance |
|
223 |
* @throws java.io.IOException for any socket creation error |
|
224 |
*/ |
|
3046 | 225 |
public static KDC create(String realm, String kdc, int port, boolean asDaemon) throws IOException { |
226 |
return new KDC(realm, kdc, port, asDaemon); |
|
1454 | 227 |
} |
228 |
||
229 |
/** |
|
230 |
* Sets an option |
|
231 |
* @param key the option name |
|
232 |
* @param obj the value |
|
233 |
*/ |
|
234 |
public void setOption(Option key, Object value) { |
|
235 |
options.put(key, value); |
|
236 |
} |
|
237 |
||
238 |
/** |
|
12199 | 239 |
* Writes or appends keys into a keytab. |
240 |
* <p> |
|
241 |
* Attention: This is the most basic one of a series of methods below on |
|
242 |
* keytab creation or modification. All these methods reference krb5.conf |
|
243 |
* settings. If you need to modify krb5.conf or switch to another krb5.conf |
|
244 |
* later, please call <code>Config.refresh()</code> again. For example: |
|
245 |
* <pre> |
|
246 |
* kdc.writeKtab("/etc/kdc/ktab", true); // Config is initialized, |
|
247 |
* System.setProperty("java.security.krb5.conf", "/home/mykrb5.conf"); |
|
248 |
* Config.refresh(); |
|
249 |
* </pre> |
|
250 |
* Inside this method there are 2 places krb5.conf is used: |
|
251 |
* <ol> |
|
252 |
* <li> (Fatal) Generating keys: EncryptionKey.acquireSecretKeys |
|
253 |
* <li> (Has workaround) Creating PrincipalName |
|
254 |
* </ol> |
|
255 |
* @param tab the keytab file name |
|
9499 | 256 |
* @param append true if append, otherwise, overwrite. |
12199 | 257 |
* @param names the names to write into, write all if names is empty |
9499 | 258 |
*/ |
12199 | 259 |
public void writeKtab(String tab, boolean append, String... names) |
9499 | 260 |
throws IOException, KrbException { |
261 |
KeyTab ktab = append ? KeyTab.getInstance(tab) : KeyTab.create(tab); |
|
12199 | 262 |
Iterable<String> entries = |
263 |
(names.length != 0) ? Arrays.asList(names): passwords.keySet(); |
|
264 |
for (String name : entries) { |
|
265 |
char[] pass = passwords.get(name); |
|
266 |
int kvno = 0; |
|
267 |
if (Character.isDigit(pass[pass.length-1])) { |
|
268 |
kvno = pass[pass.length-1] - '0'; |
|
9499 | 269 |
} |
12199 | 270 |
ktab.addEntry(new PrincipalName(name, |
271 |
name.indexOf('/') < 0 ? |
|
272 |
PrincipalName.KRB_NT_UNKNOWN : |
|
273 |
PrincipalName.KRB_NT_SRV_HST), |
|
274 |
pass, |
|
275 |
kvno, |
|
276 |
true); |
|
9499 | 277 |
} |
278 |
ktab.save(); |
|
279 |
} |
|
280 |
||
281 |
/** |
|
282 |
* Writes all principals' keys from multiple KDCs into one keytab file. |
|
1454 | 283 |
* @throws java.io.IOException for any file output error |
284 |
* @throws sun.security.krb5.KrbException for any realm and/or principal |
|
285 |
* name error. |
|
286 |
*/ |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
287 |
public static void writeMultiKtab(String tab, KDC... kdcs) |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
288 |
throws IOException, KrbException { |
12199 | 289 |
KeyTab.create(tab).save(); // Empty the old keytab |
290 |
appendMultiKtab(tab, kdcs); |
|
9499 | 291 |
} |
292 |
||
293 |
/** |
|
294 |
* Appends all principals' keys from multiple KDCs to one keytab file. |
|
295 |
*/ |
|
296 |
public static void appendMultiKtab(String tab, KDC... kdcs) |
|
297 |
throws IOException, KrbException { |
|
12199 | 298 |
for (KDC kdc: kdcs) { |
299 |
kdc.writeKtab(tab, true); |
|
300 |
} |
|
1454 | 301 |
} |
302 |
||
303 |
/** |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
304 |
* Write a ktab for this KDC. |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
305 |
*/ |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
306 |
public void writeKtab(String tab) throws IOException, KrbException { |
12199 | 307 |
writeKtab(tab, false); |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
308 |
} |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
309 |
|
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
1575
diff
changeset
|
310 |
/** |
9499 | 311 |
* Appends keys in this KDC to a ktab. |
312 |
*/ |
|
313 |
public void appendKtab(String tab) throws IOException, KrbException { |
|
12199 | 314 |
writeKtab(tab, true); |
9499 | 315 |
} |
316 |
||
317 |
/** |
|
1454 | 318 |
* Adds a new principal to this realm with a given password. |
319 |
* @param user the principal's name. For a service principal, use the |
|
320 |
* form of host/f.q.d.n |
|
321 |
* @param pass the password for the principal |
|
322 |
*/ |
|
323 |
public void addPrincipal(String user, char[] pass) { |
|
3046 | 324 |
if (user.indexOf('@') < 0) { |
325 |
user = user + "@" + realm; |
|
326 |
} |
|
1454 | 327 |
passwords.put(user, pass); |
328 |
} |
|
329 |
||
330 |
/** |
|
331 |
* Adds a new principal to this realm with a random password |
|
332 |
* @param user the principal's name. For a service principal, use the |
|
333 |
* form of host/f.q.d.n |
|
334 |
*/ |
|
335 |
public void addPrincipalRandKey(String user) { |
|
3046 | 336 |
addPrincipal(user, randomPassword()); |
1454 | 337 |
} |
338 |
||
339 |
/** |
|
340 |
* Returns the name of this realm |
|
341 |
* @return the name of this realm |
|
342 |
*/ |
|
343 |
public String getRealm() { |
|
344 |
return realm; |
|
345 |
} |
|
346 |
||
347 |
/** |
|
3046 | 348 |
* Returns the name of kdc |
349 |
* @return the name of kdc |
|
350 |
*/ |
|
351 |
public String getKDC() { |
|
352 |
return kdc; |
|
353 |
} |
|
354 |
||
355 |
/** |
|
1454 | 356 |
* Writes a krb5.conf for one or more KDC that includes KDC locations for |
357 |
* each realm and the default realm name. You can also add extra strings |
|
358 |
* into the file. The method should be called like: |
|
359 |
* <pre> |
|
360 |
* KDC.saveConfig("krb5.conf", kdc1, kdc2, ..., line1, line2, ...); |
|
361 |
* </pre> |
|
362 |
* Here you can provide one or more kdc# and zero or more line# arguments. |
|
363 |
* The line# will be put after [libdefaults] and before [realms]. Therefore |
|
364 |
* you can append new lines into [libdefaults] and/or create your new |
|
365 |
* stanzas as well. Note that a newline character will be appended to |
|
366 |
* each line# argument. |
|
367 |
* <p> |
|
368 |
* For example: |
|
369 |
* <pre> |
|
370 |
* KDC.saveConfig("krb5.conf", this); |
|
371 |
* </pre> |
|
372 |
* generates: |
|
373 |
* <pre> |
|
374 |
* [libdefaults] |
|
375 |
* default_realm = REALM.NAME |
|
376 |
* |
|
377 |
* [realms] |
|
378 |
* REALM.NAME = { |
|
3046 | 379 |
* kdc = host:port_number |
1454 | 380 |
* } |
381 |
* </pre> |
|
382 |
* |
|
383 |
* Another example: |
|
384 |
* <pre> |
|
385 |
* KDC.saveConfig("krb5.conf", kdc1, kdc2, "forwardable = true", "", |
|
386 |
* "[domain_realm]", |
|
387 |
* ".kdc1.com = KDC1.NAME"); |
|
388 |
* </pre> |
|
389 |
* generates: |
|
390 |
* <pre> |
|
391 |
* [libdefaults] |
|
392 |
* default_realm = KDC1.NAME |
|
393 |
* forwardable = true |
|
394 |
* |
|
395 |
* [domain_realm] |
|
396 |
* .kdc1.com = KDC1.NAME |
|
397 |
* |
|
398 |
* [realms] |
|
399 |
* KDC1.NAME = { |
|
3046 | 400 |
* kdc = host:port1 |
1454 | 401 |
* } |
402 |
* KDC2.NAME = { |
|
3046 | 403 |
* kdc = host:port2 |
1454 | 404 |
* } |
405 |
* </pre> |
|
406 |
* @param file the name of the file to write into |
|
407 |
* @param kdc the first (and default) KDC |
|
408 |
* @param more more KDCs or extra lines (in their appearing order) to |
|
409 |
* insert into the krb5.conf file. This method reads each argument's type |
|
410 |
* to determine what it's for. This argument can be empty. |
|
411 |
* @throws java.io.IOException for any file output error |
|
412 |
*/ |
|
413 |
public static void saveConfig(String file, KDC kdc, Object... more) |
|
414 |
throws IOException { |
|
415 |
File f = new File(file); |
|
416 |
StringBuffer sb = new StringBuffer(); |
|
417 |
sb.append("[libdefaults]\ndefault_realm = "); |
|
418 |
sb.append(kdc.realm); |
|
419 |
sb.append("\n"); |
|
420 |
for (Object o: more) { |
|
421 |
if (o instanceof String) { |
|
422 |
sb.append(o); |
|
423 |
sb.append("\n"); |
|
424 |
} |
|
425 |
} |
|
426 |
sb.append("\n[realms]\n"); |
|
427 |
sb.append(realmLineForKDC(kdc)); |
|
428 |
for (Object o: more) { |
|
429 |
if (o instanceof KDC) { |
|
430 |
sb.append(realmLineForKDC((KDC)o)); |
|
431 |
} |
|
432 |
} |
|
433 |
FileOutputStream fos = new FileOutputStream(f); |
|
434 |
fos.write(sb.toString().getBytes()); |
|
435 |
fos.close(); |
|
436 |
} |
|
437 |
||
438 |
/** |
|
439 |
* Returns the service port of the KDC server. |
|
440 |
* @return the KDC service port |
|
441 |
*/ |
|
442 |
public int getPort() { |
|
443 |
return port; |
|
444 |
} |
|
445 |
||
446 |
// Private helper methods |
|
447 |
||
448 |
/** |
|
449 |
* Private constructor, cannot be called outside. |
|
450 |
* @param realm |
|
451 |
*/ |
|
3046 | 452 |
private KDC(String realm, String kdc) { |
1454 | 453 |
this.realm = realm; |
3046 | 454 |
this.kdc = kdc; |
1454 | 455 |
} |
456 |
||
457 |
/** |
|
458 |
* A constructor that starts the KDC service also. |
|
459 |
*/ |
|
3046 | 460 |
protected KDC(String realm, String kdc, int port, boolean asDaemon) |
1454 | 461 |
throws IOException { |
3046 | 462 |
this(realm, kdc); |
1454 | 463 |
startServer(port, asDaemon); |
464 |
} |
|
465 |
/** |
|
466 |
* Generates a 32-char random password |
|
467 |
* @return the password |
|
468 |
*/ |
|
469 |
private static char[] randomPassword() { |
|
470 |
char[] pass = new char[32]; |
|
5622 | 471 |
for (int i=0; i<31; i++) |
1454 | 472 |
pass[i] = (char)secureRandom.nextInt(); |
5622 | 473 |
// The last char cannot be a number, otherwise, keyForUser() |
474 |
// believes it's a sign of kvno |
|
475 |
pass[31] = 'Z'; |
|
1454 | 476 |
return pass; |
477 |
} |
|
478 |
||
479 |
/** |
|
480 |
* Generates a random key for the given encryption type. |
|
481 |
* @param eType the encryption type |
|
482 |
* @return the generated key |
|
483 |
* @throws sun.security.krb5.KrbException for unknown/unsupported etype |
|
484 |
*/ |
|
485 |
private static EncryptionKey generateRandomKey(int eType) |
|
486 |
throws KrbException { |
|
487 |
// Is 32 enough for AES256? I should have generated the keys directly |
|
488 |
// but different cryptos have different rules on what keys are valid. |
|
489 |
char[] pass = randomPassword(); |
|
490 |
String algo; |
|
491 |
switch (eType) { |
|
492 |
case EncryptedData.ETYPE_DES_CBC_MD5: algo = "DES"; break; |
|
493 |
case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD: algo = "DESede"; break; |
|
494 |
case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96: algo = "AES128"; break; |
|
495 |
case EncryptedData.ETYPE_ARCFOUR_HMAC: algo = "ArcFourHMAC"; break; |
|
496 |
case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96: algo = "AES256"; break; |
|
497 |
default: algo = "DES"; break; |
|
498 |
} |
|
499 |
return new EncryptionKey(pass, "NOTHING", algo); // Silly |
|
500 |
} |
|
501 |
||
502 |
/** |
|
503 |
* Returns the password for a given principal |
|
504 |
* @param p principal |
|
505 |
* @return the password |
|
506 |
* @throws sun.security.krb5.KrbException when the principal is not inside |
|
507 |
* the database. |
|
508 |
*/ |
|
4336 | 509 |
private char[] getPassword(PrincipalName p, boolean server) |
510 |
throws KrbException { |
|
3046 | 511 |
String pn = p.toString(); |
512 |
if (p.getRealmString() == null) { |
|
513 |
pn = pn + "@" + getRealm(); |
|
514 |
} |
|
515 |
char[] pass = passwords.get(pn); |
|
1454 | 516 |
if (pass == null) { |
4336 | 517 |
throw new KrbException(server? |
518 |
Krb5.KDC_ERR_S_PRINCIPAL_UNKNOWN: |
|
519 |
Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN); |
|
1454 | 520 |
} |
521 |
return pass; |
|
522 |
} |
|
523 |
||
524 |
/** |
|
3046 | 525 |
* Returns the salt string for the principal. |
1454 | 526 |
* @param p principal |
527 |
* @return the salt |
|
528 |
*/ |
|
529 |
private String getSalt(PrincipalName p) { |
|
7183 | 530 |
String pn = p.toString(); |
531 |
if (p.getRealmString() == null) { |
|
532 |
pn = pn + "@" + getRealm(); |
|
533 |
} |
|
534 |
if (passwords.containsKey(pn)) { |
|
535 |
try { |
|
536 |
// Find the principal name with correct case. |
|
537 |
p = new PrincipalName(passwords.ceilingEntry(pn).getKey()); |
|
538 |
} catch (RealmException re) { |
|
539 |
// Won't happen |
|
540 |
} |
|
541 |
} |
|
3046 | 542 |
String s = p.getRealmString(); |
543 |
if (s == null) s = getRealm(); |
|
544 |
for (String n: p.getNameStrings()) { |
|
545 |
s += n; |
|
1454 | 546 |
} |
3046 | 547 |
return s; |
1454 | 548 |
} |
549 |
||
550 |
/** |
|
551 |
* Returns the key for a given principal of the given encryption type |
|
552 |
* @param p the principal |
|
553 |
* @param etype the encryption type |
|
4336 | 554 |
* @param server looking for a server principal? |
1454 | 555 |
* @return the key |
556 |
* @throws sun.security.krb5.KrbException for unknown/unsupported etype |
|
557 |
*/ |
|
4336 | 558 |
private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server) |
559 |
throws KrbException { |
|
1454 | 560 |
try { |
561 |
// Do not call EncryptionKey.acquireSecretKeys(), otherwise |
|
562 |
// the krb5.conf config file would be loaded. |
|
4168
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3046
diff
changeset
|
563 |
Integer kvno = null; |
4532 | 564 |
// For service whose password ending with a number, use it as kvno. |
565 |
// Kvno must be postive. |
|
566 |
if (p.toString().indexOf('/') > 0) { |
|
4336 | 567 |
char[] pass = getPassword(p, server); |
4168
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3046
diff
changeset
|
568 |
if (Character.isDigit(pass[pass.length-1])) { |
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3046
diff
changeset
|
569 |
kvno = pass[pass.length-1] - '0'; |
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3046
diff
changeset
|
570 |
} |
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3046
diff
changeset
|
571 |
} |
7183 | 572 |
return new EncryptionKey(EncryptionKeyDotStringToKey( |
573 |
getPassword(p, server), getSalt(p), null, etype), |
|
4168
1a8d21bb898c
6893158: AP_REQ check should use key version number
weijun
parents:
3046
diff
changeset
|
574 |
etype, kvno); |
4336 | 575 |
} catch (KrbException ke) { |
576 |
throw ke; |
|
1454 | 577 |
} catch (Exception e) { |
578 |
throw new RuntimeException(e); // should not happen |
|
579 |
} |
|
580 |
} |
|
581 |
||
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7183
diff
changeset
|
582 |
private Map<String,String> policies = new HashMap<>(); |
4336 | 583 |
|
584 |
public void setPolicy(String rule, String value) { |
|
585 |
if (value == null) { |
|
586 |
policies.remove(rule); |
|
587 |
} else { |
|
588 |
policies.put(rule, value); |
|
589 |
} |
|
590 |
} |
|
591 |
/** |
|
592 |
* If the provided client/server pair matches a rule |
|
593 |
* |
|
594 |
* A system property named test.kdc.policy.RULE will be consulted. |
|
595 |
* If it's unset, returns false. If its value is "", any pair is |
|
596 |
* matched. Otherwise, it should contains the server name matched. |
|
597 |
* |
|
598 |
* TODO: client name is not used currently. |
|
599 |
* |
|
600 |
* @param c client name |
|
601 |
* @param s server name |
|
602 |
* @param rule rule name |
|
603 |
* @return if a match is found |
|
604 |
*/ |
|
605 |
private boolean configMatch(String c, String s, String rule) { |
|
606 |
String policy = policies.get(rule); |
|
607 |
boolean result = false; |
|
608 |
if (policy == null) { |
|
609 |
result = false; |
|
610 |
} else if (policy.length() == 0) { |
|
611 |
result = true; |
|
612 |
} else { |
|
613 |
String[] names = policy.split("\\s+"); |
|
614 |
for (String name: names) { |
|
615 |
if (name.equals(s)) { |
|
616 |
result = true; |
|
617 |
break; |
|
618 |
} |
|
619 |
} |
|
620 |
} |
|
621 |
if (result) { |
|
622 |
System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n", |
|
623 |
c, s, rule, result); |
|
624 |
} |
|
625 |
return result; |
|
626 |
} |
|
627 |
||
628 |
||
1454 | 629 |
/** |
630 |
* Processes an incoming request and generates a response. |
|
631 |
* @param in the request |
|
632 |
* @return the response |
|
633 |
* @throws java.lang.Exception for various errors |
|
634 |
*/ |
|
635 |
private byte[] processMessage(byte[] in) throws Exception { |
|
636 |
if ((in[0] & 0x1f) == Krb5.KRB_AS_REQ) |
|
637 |
return processAsReq(in); |
|
638 |
else |
|
639 |
return processTgsReq(in); |
|
640 |
} |
|
641 |
||
642 |
/** |
|
643 |
* Processes a TGS_REQ and generates a TGS_REP (or KRB_ERROR) |
|
644 |
* @param in the request |
|
645 |
* @return the response |
|
646 |
* @throws java.lang.Exception for various errors |
|
647 |
*/ |
|
648 |
private byte[] processTgsReq(byte[] in) throws Exception { |
|
649 |
TGSReq tgsReq = new TGSReq(in); |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
650 |
PrincipalName service = tgsReq.reqBody.sname; |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
651 |
if (options.containsKey(KDC.Option.RESP_NT)) { |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
652 |
service = new PrincipalName(service.getNameStrings(), |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
653 |
(int)options.get(KDC.Option.RESP_NT)); |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
654 |
service.setRealm(service.getRealm()); |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
655 |
} |
1454 | 656 |
try { |
657 |
System.out.println(realm + "> " + tgsReq.reqBody.cname + |
|
658 |
" sends TGS-REQ for " + |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
659 |
service); |
1454 | 660 |
KDCReqBody body = tgsReq.reqBody; |
7183 | 661 |
int[] eTypes = KDCReqBodyDotEType(body); |
662 |
int e2 = eTypes[0]; // etype for outgoing session key |
|
663 |
int e3 = eTypes[0]; // etype for outgoing ticket |
|
1454 | 664 |
|
7183 | 665 |
PAData[] pas = kDCReqDotPAData(tgsReq); |
1454 | 666 |
|
667 |
Ticket tkt = null; |
|
668 |
EncTicketPart etp = null; |
|
669 |
if (pas == null || pas.length == 0) { |
|
670 |
throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP); |
|
671 |
} else { |
|
672 |
for (PAData pa: pas) { |
|
673 |
if (pa.getType() == Krb5.PA_TGS_REQ) { |
|
674 |
APReq apReq = new APReq(pa.getValue()); |
|
675 |
EncryptedData ed = apReq.authenticator; |
|
676 |
tkt = apReq.ticket; |
|
7183 | 677 |
int te = tkt.encPart.getEType(); |
3046 | 678 |
tkt.sname.setRealm(tkt.realm); |
7183 | 679 |
EncryptionKey kkey = keyForUser(tkt.sname, te, true); |
1454 | 680 |
byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET); |
681 |
DerInputStream derIn = new DerInputStream(bb); |
|
682 |
DerValue der = derIn.getDerValue(); |
|
683 |
etp = new EncTicketPart(der.toByteArray()); |
|
684 |
} |
|
685 |
} |
|
686 |
if (tkt == null) { |
|
687 |
throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP); |
|
688 |
} |
|
689 |
} |
|
690 |
||
691 |
// Session key for original ticket, TGT |
|
692 |
EncryptionKey ckey = etp.key; |
|
693 |
||
694 |
// Session key for session with the service |
|
7183 | 695 |
EncryptionKey key = generateRandomKey(e2); |
1454 | 696 |
|
697 |
// Check time, TODO |
|
698 |
KerberosTime till = body.till; |
|
699 |
if (till == null) { |
|
700 |
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO |
|
701 |
} else if (till.isZero()) { |
|
702 |
till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11); |
|
703 |
} |
|
704 |
||
705 |
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1]; |
|
706 |
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) { |
|
707 |
bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true; |
|
708 |
} |
|
709 |
if (body.kdcOptions.get(KDCOptions.FORWARDED) || |
|
710 |
etp.flags.get(Krb5.TKT_OPTS_FORWARDED)) { |
|
711 |
bFlags[Krb5.TKT_OPTS_FORWARDED] = true; |
|
712 |
} |
|
713 |
if (body.kdcOptions.get(KDCOptions.RENEWABLE)) { |
|
714 |
bFlags[Krb5.TKT_OPTS_RENEWABLE] = true; |
|
715 |
//renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7); |
|
716 |
} |
|
717 |
if (body.kdcOptions.get(KDCOptions.PROXIABLE)) { |
|
718 |
bFlags[Krb5.TKT_OPTS_PROXIABLE] = true; |
|
719 |
} |
|
720 |
if (body.kdcOptions.get(KDCOptions.POSTDATED)) { |
|
721 |
bFlags[Krb5.TKT_OPTS_POSTDATED] = true; |
|
722 |
} |
|
723 |
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) { |
|
724 |
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; |
|
725 |
} |
|
4336 | 726 |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
727 |
if (configMatch("", service.getNameString(), "ok-as-delegate")) { |
4336 | 728 |
bFlags[Krb5.TKT_OPTS_DELEGATE] = true; |
729 |
} |
|
1454 | 730 |
bFlags[Krb5.TKT_OPTS_INITIAL] = true; |
731 |
||
732 |
TicketFlags tFlags = new TicketFlags(bFlags); |
|
733 |
EncTicketPart enc = new EncTicketPart( |
|
734 |
tFlags, |
|
735 |
key, |
|
736 |
etp.crealm, |
|
737 |
etp.cname, |
|
738 |
new TransitedEncoding(1, new byte[0]), // TODO |
|
739 |
new KerberosTime(new Date()), |
|
740 |
body.from, |
|
741 |
till, body.rtime, |
|
9240
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
742 |
body.addresses != null // always set caddr |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
743 |
? body.addresses |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
744 |
: new HostAddresses( |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
745 |
new InetAddress[]{InetAddress.getLocalHost()}), |
1454 | 746 |
null); |
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
747 |
EncryptionKey skey = keyForUser(service, e3, true); |
7183 | 748 |
if (skey == null) { |
749 |
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO |
|
750 |
} |
|
1454 | 751 |
Ticket t = new Ticket( |
752 |
body.crealm, |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
753 |
service, |
1454 | 754 |
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) |
755 |
); |
|
756 |
EncTGSRepPart enc_part = new EncTGSRepPart( |
|
757 |
key, |
|
758 |
new LastReq(new LastReqEntry[]{ |
|
759 |
new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000)) |
|
760 |
}), |
|
761 |
body.getNonce(), // TODO: detect replay |
|
762 |
new KerberosTime(new Date().getTime() + 1000 * 3600 * 24), |
|
763 |
// Next 5 and last MUST be same with ticket |
|
764 |
tFlags, |
|
765 |
new KerberosTime(new Date()), |
|
766 |
body.from, |
|
767 |
till, body.rtime, |
|
768 |
body.crealm, |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
769 |
service, |
9240
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
770 |
body.addresses != null // always set caddr |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
771 |
? body.addresses |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
772 |
: new HostAddresses( |
56e01f64958e
7032354: no-addresses should not be used on acceptor side
weijun
parents:
7977
diff
changeset
|
773 |
new InetAddress[]{InetAddress.getLocalHost()}) |
1454 | 774 |
); |
775 |
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY); |
|
776 |
TGSRep tgsRep = new TGSRep(null, |
|
777 |
etp.crealm, |
|
778 |
etp.cname, |
|
779 |
t, |
|
780 |
edata); |
|
781 |
System.out.println(" Return " + tgsRep.cname |
|
782 |
+ " ticket for " + tgsRep.ticket.sname); |
|
783 |
||
784 |
DerOutputStream out = new DerOutputStream(); |
|
785 |
out.write(DerValue.createTag(DerValue.TAG_APPLICATION, |
|
786 |
true, (byte)Krb5.KRB_TGS_REP), tgsRep.asn1Encode()); |
|
787 |
return out.toByteArray(); |
|
788 |
} catch (KrbException ke) { |
|
789 |
ke.printStackTrace(System.out); |
|
790 |
KRBError kerr = ke.getError(); |
|
791 |
KDCReqBody body = tgsReq.reqBody; |
|
792 |
System.out.println(" Error " + ke.returnCode() |
|
793 |
+ " " +ke.returnCodeMessage()); |
|
794 |
if (kerr == null) { |
|
795 |
kerr = new KRBError(null, null, null, |
|
796 |
new KerberosTime(new Date()), |
|
797 |
0, |
|
798 |
ke.returnCode(), |
|
799 |
body.crealm, body.cname, |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
800 |
new Realm(getRealm()), service, |
1454 | 801 |
KrbException.errorMessage(ke.returnCode()), |
802 |
null); |
|
803 |
} |
|
804 |
return kerr.asn1Encode(); |
|
805 |
} |
|
806 |
} |
|
807 |
||
808 |
/** |
|
809 |
* Processes a AS_REQ and generates a AS_REP (or KRB_ERROR) |
|
810 |
* @param in the request |
|
811 |
* @return the response |
|
812 |
* @throws java.lang.Exception for various errors |
|
813 |
*/ |
|
814 |
private byte[] processAsReq(byte[] in) throws Exception { |
|
815 |
ASReq asReq = new ASReq(in); |
|
816 |
int[] eTypes = null; |
|
7977
f47f211cd627
7008713: diamond conversion of kerberos5 and security tools
smarks
parents:
7183
diff
changeset
|
817 |
List<PAData> outPAs = new ArrayList<>(); |
7183 | 818 |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
819 |
PrincipalName service = asReq.reqBody.sname; |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
820 |
if (options.containsKey(KDC.Option.RESP_NT)) { |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
821 |
service = new PrincipalName(service.getNameStrings(), |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
822 |
(int)options.get(KDC.Option.RESP_NT)); |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
823 |
service.setRealm(service.getRealm()); |
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
824 |
} |
1454 | 825 |
try { |
826 |
System.out.println(realm + "> " + asReq.reqBody.cname + |
|
827 |
" sends AS-REQ for " + |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
828 |
service); |
1454 | 829 |
|
830 |
KDCReqBody body = asReq.reqBody; |
|
7183 | 831 |
body.cname.setRealm(getRealm()); |
1454 | 832 |
|
7183 | 833 |
eTypes = KDCReqBodyDotEType(body); |
1454 | 834 |
int eType = eTypes[0]; |
835 |
||
4336 | 836 |
EncryptionKey ckey = keyForUser(body.cname, eType, false); |
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
837 |
EncryptionKey skey = keyForUser(service, eType, true); |
5774
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
838 |
|
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
839 |
if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) { |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
840 |
int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC; |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
841 |
boolean found = false; |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
842 |
for (int i=0; i<eTypes.length; i++) { |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
843 |
if (eTypes[i] == tgtEType) { |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
844 |
found = true; |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
845 |
break; |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
846 |
} |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
847 |
} |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
848 |
if (!found) { |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
849 |
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP); |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
850 |
} |
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
851 |
skey = keyForUser(service, tgtEType, true); |
5774
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
852 |
} |
1454 | 853 |
if (ckey == null) { |
854 |
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP); |
|
855 |
} |
|
856 |
if (skey == null) { |
|
857 |
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO |
|
858 |
} |
|
859 |
||
860 |
// Session key |
|
861 |
EncryptionKey key = generateRandomKey(eType); |
|
862 |
// Check time, TODO |
|
863 |
KerberosTime till = body.till; |
|
864 |
if (till == null) { |
|
865 |
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO |
|
866 |
} else if (till.isZero()) { |
|
867 |
till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11); |
|
868 |
} |
|
869 |
//body.from |
|
870 |
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1]; |
|
871 |
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) { |
|
872 |
bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true; |
|
873 |
} |
|
874 |
if (body.kdcOptions.get(KDCOptions.RENEWABLE)) { |
|
875 |
bFlags[Krb5.TKT_OPTS_RENEWABLE] = true; |
|
876 |
//renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7); |
|
877 |
} |
|
878 |
if (body.kdcOptions.get(KDCOptions.PROXIABLE)) { |
|
879 |
bFlags[Krb5.TKT_OPTS_PROXIABLE] = true; |
|
880 |
} |
|
881 |
if (body.kdcOptions.get(KDCOptions.POSTDATED)) { |
|
882 |
bFlags[Krb5.TKT_OPTS_POSTDATED] = true; |
|
883 |
} |
|
884 |
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) { |
|
885 |
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; |
|
886 |
} |
|
887 |
bFlags[Krb5.TKT_OPTS_INITIAL] = true; |
|
888 |
||
7183 | 889 |
// Creating PA-DATA |
10432
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
890 |
DerValue[] pas2 = null, pas = null; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
891 |
if (options.containsKey(KDC.Option.DUP_ETYPE)) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
892 |
int n = (Integer)options.get(KDC.Option.DUP_ETYPE); |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
893 |
switch (n) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
894 |
case 1: // customer's case in 7067974 |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
895 |
pas2 = new DerValue[] { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
896 |
new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
897 |
new DerValue(new ETypeInfo2(1, "", null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
898 |
new DerValue(new ETypeInfo2(1, OneKDC.REALM, new byte[]{1}).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
899 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
900 |
pas = new DerValue[] { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
901 |
new DerValue(new ETypeInfo(1, null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
902 |
new DerValue(new ETypeInfo(1, "").asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
903 |
new DerValue(new ETypeInfo(1, OneKDC.REALM).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
904 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
905 |
break; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
906 |
case 2: // we still reject non-null s2kparams and prefer E2 over E |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
907 |
pas2 = new DerValue[] { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
908 |
new DerValue(new ETypeInfo2(1, OneKDC.REALM, new byte[]{1}).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
909 |
new DerValue(new ETypeInfo2(1, null, null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
910 |
new DerValue(new ETypeInfo2(1, "", null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
911 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
912 |
pas = new DerValue[] { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
913 |
new DerValue(new ETypeInfo(1, OneKDC.REALM).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
914 |
new DerValue(new ETypeInfo(1, null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
915 |
new DerValue(new ETypeInfo(1, "").asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
916 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
917 |
break; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
918 |
case 3: // but only E is wrong |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
919 |
pas = new DerValue[] { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
920 |
new DerValue(new ETypeInfo(1, OneKDC.REALM).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
921 |
new DerValue(new ETypeInfo(1, null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
922 |
new DerValue(new ETypeInfo(1, "").asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
923 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
924 |
break; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
925 |
case 4: // we also ignore rc4-hmac |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
926 |
pas = new DerValue[] { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
927 |
new DerValue(new ETypeInfo(23, "ANYTHING").asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
928 |
new DerValue(new ETypeInfo(1, null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
929 |
new DerValue(new ETypeInfo(1, "").asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
930 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
931 |
break; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
932 |
case 5: // "" should be wrong, but we accept it now |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
933 |
// See s.s.k.internal.PAData$SaltAndParams |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
934 |
pas = new DerValue[] { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
935 |
new DerValue(new ETypeInfo(1, "").asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
936 |
new DerValue(new ETypeInfo(1, null).asn1Encode()), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
937 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
938 |
break; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
939 |
} |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
940 |
} else { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
941 |
int[] epas = eTypes; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
942 |
if (options.containsKey(KDC.Option.RC4_FIRST_PREAUTH)) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
943 |
for (int i=1; i<epas.length; i++) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
944 |
if (epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
945 |
epas[i] = epas[0]; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
946 |
epas[0] = EncryptedData.ETYPE_ARCFOUR_HMAC; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
947 |
break; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
948 |
} |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
949 |
}; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
950 |
} else if (options.containsKey(KDC.Option.ONLY_ONE_PREAUTH)) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
951 |
epas = new int[] { eTypes[0] }; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
952 |
} |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
953 |
pas2 = new DerValue[epas.length]; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
954 |
for (int i=0; i<epas.length; i++) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
955 |
pas2[i] = new DerValue(new ETypeInfo2( |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
956 |
epas[i], |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
957 |
epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
958 |
null : getSalt(body.cname), |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
959 |
null).asn1Encode()); |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
960 |
} |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
961 |
boolean allOld = true; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
962 |
for (int i: eTypes) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
963 |
if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 || |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
964 |
i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
965 |
allOld = false; |
7183 | 966 |
break; |
967 |
} |
|
10432
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
968 |
} |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
969 |
if (allOld) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
970 |
pas = new DerValue[epas.length]; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
971 |
for (int i=0; i<epas.length; i++) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
972 |
pas[i] = new DerValue(new ETypeInfo( |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
973 |
epas[i], |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
974 |
epas[i] == EncryptedData.ETYPE_ARCFOUR_HMAC ? |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
975 |
null : getSalt(body.cname) |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
976 |
).asn1Encode()); |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
977 |
} |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
978 |
} |
7183 | 979 |
} |
980 |
||
10432
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
981 |
DerOutputStream eid; |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
982 |
if (pas2 != null) { |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
983 |
eid = new DerOutputStream(); |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
984 |
eid.putSequence(pas2); |
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
985 |
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray())); |
7183 | 986 |
} |
10432
ef33e56c55a9
7067974: multiple ETYPE-INFO-ENTRY with same etype and different salt
weijun
parents:
10141
diff
changeset
|
987 |
if (pas != null) { |
7183 | 988 |
eid = new DerOutputStream(); |
989 |
eid.putSequence(pas); |
|
990 |
outPAs.add(new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray())); |
|
991 |
} |
|
992 |
||
993 |
PAData[] inPAs = kDCReqDotPAData(asReq); |
|
994 |
if (inPAs == null || inPAs.length == 0) { |
|
1454 | 995 |
Object preauth = options.get(Option.PREAUTH_REQUIRED); |
996 |
if (preauth == null || preauth.equals(Boolean.TRUE)) { |
|
997 |
throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED); |
|
998 |
} |
|
999 |
} else { |
|
1000 |
try { |
|
7183 | 1001 |
EncryptedData data = newEncryptedData(new DerValue(inPAs[0].getValue())); |
5774
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
1002 |
EncryptionKey pakey = keyForUser(body.cname, data.getEType(), false); |
4b9857e483c1
6951366: kerberos login failure on win2008 with AD set to win2000 compat mode
weijun
parents:
5627
diff
changeset
|
1003 |
data.decrypt(pakey, KeyUsage.KU_PA_ENC_TS); |
1454 | 1004 |
} catch (Exception e) { |
1005 |
throw new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED); |
|
1006 |
} |
|
1007 |
bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true; |
|
1008 |
} |
|
1009 |
||
1010 |
TicketFlags tFlags = new TicketFlags(bFlags); |
|
1011 |
EncTicketPart enc = new EncTicketPart( |
|
1012 |
tFlags, |
|
1013 |
key, |
|
1014 |
body.crealm, |
|
1015 |
body.cname, |
|
1016 |
new TransitedEncoding(1, new byte[0]), |
|
1017 |
new KerberosTime(new Date()), |
|
1018 |
body.from, |
|
1019 |
till, body.rtime, |
|
1020 |
body.addresses, |
|
1021 |
null); |
|
1022 |
Ticket t = new Ticket( |
|
1023 |
body.crealm, |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
1024 |
service, |
1454 | 1025 |
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) |
1026 |
); |
|
1027 |
EncASRepPart enc_part = new EncASRepPart( |
|
1028 |
key, |
|
1029 |
new LastReq(new LastReqEntry[]{ |
|
1030 |
new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000)) |
|
1031 |
}), |
|
1032 |
body.getNonce(), // TODO: detect replay? |
|
1033 |
new KerberosTime(new Date().getTime() + 1000 * 3600 * 24), |
|
1034 |
// Next 5 and last MUST be same with ticket |
|
1035 |
tFlags, |
|
1036 |
new KerberosTime(new Date()), |
|
1037 |
body.from, |
|
1038 |
till, body.rtime, |
|
1039 |
body.crealm, |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
1040 |
service, |
1454 | 1041 |
body.addresses |
1042 |
); |
|
1043 |
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART); |
|
7183 | 1044 |
ASRep asRep = new ASRep( |
1045 |
outPAs.toArray(new PAData[outPAs.size()]), |
|
1454 | 1046 |
body.crealm, |
1047 |
body.cname, |
|
1048 |
t, |
|
1049 |
edata); |
|
1050 |
||
1051 |
System.out.println(" Return " + asRep.cname |
|
1052 |
+ " ticket for " + asRep.ticket.sname); |
|
1053 |
||
1054 |
DerOutputStream out = new DerOutputStream(); |
|
1055 |
out.write(DerValue.createTag(DerValue.TAG_APPLICATION, |
|
1056 |
true, (byte)Krb5.KRB_AS_REP), asRep.asn1Encode()); |
|
1575
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1057 |
byte[] result = out.toByteArray(); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1058 |
|
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1059 |
// Added feature: |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1060 |
// Write the current issuing TGT into a ccache file specified |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1061 |
// by the system property below. |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1062 |
String ccache = System.getProperty("test.kdc.save.ccache"); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1063 |
if (ccache != null) { |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1064 |
asRep.encKDCRepPart = enc_part; |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1065 |
sun.security.krb5.internal.ccache.Credentials credentials = |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1066 |
new sun.security.krb5.internal.ccache.Credentials(asRep); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1067 |
asReq.reqBody.cname.setRealm(getRealm()); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1068 |
CredentialsCache cache = |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1069 |
CredentialsCache.create(asReq.reqBody.cname, ccache); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1070 |
if (cache == null) { |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1071 |
throw new IOException("Unable to create the cache file " + |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1072 |
ccache); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1073 |
} |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1074 |
cache.update(credentials); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1075 |
cache.save(); |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1076 |
} |
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1077 |
|
e0f1979051b5
6765491: Krb5LoginModule a little too restrictive, and the doc is not clear.
weijun
parents:
1456
diff
changeset
|
1078 |
return result; |
1454 | 1079 |
} catch (KrbException ke) { |
1080 |
ke.printStackTrace(System.out); |
|
1081 |
KRBError kerr = ke.getError(); |
|
1082 |
KDCReqBody body = asReq.reqBody; |
|
1083 |
System.out.println(" Error " + ke.returnCode() |
|
1084 |
+ " " +ke.returnCodeMessage()); |
|
1085 |
byte[] eData = null; |
|
1086 |
if (kerr == null) { |
|
1087 |
if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED || |
|
1088 |
ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) { |
|
1089 |
DerOutputStream bytes = new DerOutputStream(); |
|
1090 |
bytes.write(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]).asn1Encode()); |
|
7183 | 1091 |
for (PAData p: outPAs) { |
1092 |
bytes.write(p.asn1Encode()); |
|
1454 | 1093 |
} |
1094 |
DerOutputStream temp = new DerOutputStream(); |
|
1095 |
temp.write(DerValue.tag_Sequence, bytes); |
|
1096 |
eData = temp.toByteArray(); |
|
1097 |
} |
|
1098 |
kerr = new KRBError(null, null, null, |
|
1099 |
new KerberosTime(new Date()), |
|
1100 |
0, |
|
1101 |
ke.returnCode(), |
|
1102 |
body.crealm, body.cname, |
|
10141
664ba64d2472
7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem
weijun
parents:
9499
diff
changeset
|
1103 |
new Realm(getRealm()), service, |
1454 | 1104 |
KrbException.errorMessage(ke.returnCode()), |
1105 |
eData); |
|
1106 |
} |
|
1107 |
return kerr.asn1Encode(); |
|
1108 |
} |
|
1109 |
} |
|
1110 |
||
1111 |
/** |
|
1112 |
* Generates a line for a KDC to put inside [realms] of krb5.conf |
|
1113 |
* @param kdc the KDC |
|
3046 | 1114 |
* @return REALM.NAME = { kdc = host:port } |
1454 | 1115 |
*/ |
1116 |
private static String realmLineForKDC(KDC kdc) { |
|
3046 | 1117 |
return String.format(" %s = {\n kdc = %s:%d\n }\n", |
1118 |
kdc.realm, |
|
1119 |
kdc.kdc, |
|
1120 |
kdc.port); |
|
1454 | 1121 |
} |
1122 |
||
1123 |
/** |
|
1124 |
* Start the KDC service. This server listens on both UDP and TCP using |
|
1125 |
* the same port number. It uses three threads to deal with requests. |
|
1126 |
* They can be set to daemon threads if requested. |
|
1127 |
* @param port the port number to listen to. If zero, a random available |
|
1128 |
* port no less than 8000 will be chosen and used. |
|
1129 |
* @param asDaemon true if the KDC threads should be daemons |
|
1130 |
* @throws java.io.IOException for any communication error |
|
1131 |
*/ |
|
1132 |
protected void startServer(int port, boolean asDaemon) throws IOException { |
|
1133 |
if (port > 0) { |
|
1134 |
u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1")); |
|
1135 |
t1 = new ServerSocket(port); |
|
1136 |
} else { |
|
1137 |
while (true) { |
|
1138 |
// Try to find a port number that's both TCP and UDP free |
|
1139 |
try { |
|
1140 |
port = 8000 + new java.util.Random().nextInt(10000); |
|
1141 |
u1 = null; |
|
1142 |
u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1")); |
|
1143 |
t1 = new ServerSocket(port); |
|
1144 |
break; |
|
1145 |
} catch (Exception e) { |
|
1146 |
if (u1 != null) u1.close(); |
|
1147 |
} |
|
1148 |
} |
|
1149 |
} |
|
1150 |
final DatagramSocket udp = u1; |
|
1151 |
final ServerSocket tcp = t1; |
|
1152 |
System.out.println("Start KDC on " + port); |
|
1153 |
||
1154 |
this.port = port; |
|
1155 |
||
1156 |
// The UDP consumer |
|
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1157 |
thread1 = new Thread() { |
1454 | 1158 |
public void run() { |
1159 |
while (true) { |
|
1160 |
try { |
|
1161 |
byte[] inbuf = new byte[8192]; |
|
1162 |
DatagramPacket p = new DatagramPacket(inbuf, inbuf.length); |
|
1163 |
udp.receive(p); |
|
1164 |
System.out.println("-----------------------------------------------"); |
|
1165 |
System.out.println(">>>>> UDP packet received"); |
|
1166 |
q.put(new Job(processMessage(Arrays.copyOf(inbuf, p.getLength())), udp, p)); |
|
1167 |
} catch (Exception e) { |
|
1168 |
e.printStackTrace(); |
|
1169 |
} |
|
1170 |
} |
|
1171 |
} |
|
1172 |
}; |
|
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1173 |
thread1.setDaemon(asDaemon); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1174 |
thread1.start(); |
1454 | 1175 |
|
1176 |
// The TCP consumer |
|
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1177 |
thread2 = new Thread() { |
1454 | 1178 |
public void run() { |
1179 |
while (true) { |
|
1180 |
try { |
|
1181 |
Socket socket = tcp.accept(); |
|
1182 |
System.out.println("-----------------------------------------------"); |
|
1183 |
System.out.println(">>>>> TCP connection established"); |
|
1184 |
DataInputStream in = new DataInputStream(socket.getInputStream()); |
|
1185 |
DataOutputStream out = new DataOutputStream(socket.getOutputStream()); |
|
1186 |
byte[] token = new byte[in.readInt()]; |
|
1187 |
in.readFully(token); |
|
1188 |
q.put(new Job(processMessage(token), socket, out)); |
|
1189 |
} catch (Exception e) { |
|
1190 |
e.printStackTrace(); |
|
1191 |
} |
|
1192 |
} |
|
1193 |
} |
|
1194 |
}; |
|
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1195 |
thread2.setDaemon(asDaemon); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1196 |
thread2.start(); |
1454 | 1197 |
|
1198 |
// The dispatcher |
|
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1199 |
thread3 = new Thread() { |
1454 | 1200 |
public void run() { |
1201 |
while (true) { |
|
1202 |
try { |
|
1203 |
q.take().send(); |
|
1204 |
} catch (Exception e) { |
|
1205 |
} |
|
1206 |
} |
|
1207 |
} |
|
1208 |
}; |
|
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1209 |
thread3.setDaemon(true); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1210 |
thread3.start(); |
1454 | 1211 |
} |
1212 |
||
4531
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1213 |
public void terminate() { |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1214 |
try { |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1215 |
thread1.stop(); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1216 |
thread2.stop(); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1217 |
thread3.stop(); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1218 |
u1.close(); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1219 |
t1.close(); |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1220 |
} catch (Exception e) { |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1221 |
// OK |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1222 |
} |
3a9206343ab2
6843127: krb5 should not try to access unavailable kdc too often
weijun
parents:
4336
diff
changeset
|
1223 |
} |
1454 | 1224 |
/** |
1225 |
* Helper class to encapsulate a job in a KDC. |
|
1226 |
*/ |
|
1227 |
private static class Job { |
|
1228 |
byte[] token; // The received request at creation time and |
|
1229 |
// the response at send time |
|
1230 |
Socket s; // The TCP socket from where the request comes |
|
1231 |
DataOutputStream out; // The OutputStream of the TCP socket |
|
1232 |
DatagramSocket s2; // The UDP socket from where the request comes |
|
1233 |
DatagramPacket dp; // The incoming UDP datagram packet |
|
1234 |
boolean useTCP; // Whether TCP or UDP is used |
|
1235 |
||
1236 |
// Creates a job object for TCP |
|
1237 |
Job(byte[] token, Socket s, DataOutputStream out) { |
|
1238 |
useTCP = true; |
|
1239 |
this.token = token; |
|
1240 |
this.s = s; |
|
1241 |
this.out = out; |
|
1242 |
} |
|
1243 |
||
1244 |
// Creates a job object for UDP |
|
1245 |
Job(byte[] token, DatagramSocket s2, DatagramPacket dp) { |
|
1246 |
useTCP = false; |
|
1247 |
this.token = token; |
|
1248 |
this.s2 = s2; |
|
1249 |
this.dp = dp; |
|
1250 |
} |
|
1251 |
||
1252 |
// Sends the output back to the client |
|
1253 |
void send() { |
|
1254 |
try { |
|
1255 |
if (useTCP) { |
|
1256 |
System.out.println(">>>>> TCP request honored"); |
|
1257 |
out.writeInt(token.length); |
|
1258 |
out.write(token); |
|
1259 |
s.close(); |
|
1260 |
} else { |
|
1261 |
System.out.println(">>>>> UDP request honored"); |
|
1262 |
s2.send(new DatagramPacket(token, token.length, dp.getAddress(), dp.getPort())); |
|
1263 |
} |
|
1264 |
} catch (Exception e) { |
|
1265 |
e.printStackTrace(); |
|
1266 |
} |
|
1267 |
} |
|
1268 |
} |
|
3046 | 1269 |
|
1270 |
public static class KDCNameService implements NameServiceDescriptor { |
|
1271 |
@Override |
|
1272 |
public NameService createNameService() throws Exception { |
|
1273 |
NameService ns = new NameService() { |
|
1274 |
@Override |
|
1275 |
public InetAddress[] lookupAllHostAddr(String host) |
|
1276 |
throws UnknownHostException { |
|
1277 |
// Everything is localhost |
|
1278 |
return new InetAddress[]{ |
|
1279 |
InetAddress.getByAddress(host, new byte[]{127,0,0,1}) |
|
1280 |
}; |
|
1281 |
} |
|
1282 |
@Override |
|
1283 |
public String getHostByAddr(byte[] addr) |
|
1284 |
throws UnknownHostException { |
|
1285 |
// No reverse lookup, PrincipalName use original string |
|
1286 |
throw new UnknownHostException(); |
|
1287 |
} |
|
1288 |
}; |
|
1289 |
return ns; |
|
1290 |
} |
|
1291 |
||
1292 |
@Override |
|
1293 |
public String getProviderName() { |
|
1294 |
return "mock"; |
|
1295 |
} |
|
1296 |
||
1297 |
@Override |
|
1298 |
public String getType() { |
|
1299 |
return "ns"; |
|
1300 |
} |
|
1301 |
} |
|
7183 | 1302 |
|
1303 |
// Calling private methods thru reflections |
|
1304 |
private static final Field getPADataField; |
|
1305 |
private static final Field getEType; |
|
1306 |
private static final Constructor<EncryptedData> ctorEncryptedData; |
|
1307 |
private static final Method stringToKey; |
|
1308 |
||
1309 |
static { |
|
1310 |
try { |
|
1311 |
ctorEncryptedData = EncryptedData.class.getDeclaredConstructor(DerValue.class); |
|
1312 |
ctorEncryptedData.setAccessible(true); |
|
1313 |
getPADataField = KDCReq.class.getDeclaredField("pAData"); |
|
1314 |
getPADataField.setAccessible(true); |
|
1315 |
getEType = KDCReqBody.class.getDeclaredField("eType"); |
|
1316 |
getEType.setAccessible(true); |
|
1317 |
stringToKey = EncryptionKey.class.getDeclaredMethod( |
|
1318 |
"stringToKey", |
|
1319 |
char[].class, String.class, byte[].class, Integer.TYPE); |
|
1320 |
stringToKey.setAccessible(true); |
|
1321 |
} catch (NoSuchFieldException nsfe) { |
|
1322 |
throw new AssertionError(nsfe); |
|
1323 |
} catch (NoSuchMethodException nsme) { |
|
1324 |
throw new AssertionError(nsme); |
|
1325 |
} |
|
1326 |
} |
|
1327 |
private EncryptedData newEncryptedData(DerValue der) { |
|
1328 |
try { |
|
1329 |
return ctorEncryptedData.newInstance(der); |
|
1330 |
} catch (Exception e) { |
|
1331 |
throw new AssertionError(e); |
|
1332 |
} |
|
1333 |
} |
|
1334 |
private static PAData[] kDCReqDotPAData(KDCReq req) { |
|
1335 |
try { |
|
1336 |
return (PAData[])getPADataField.get(req); |
|
1337 |
} catch (Exception e) { |
|
1338 |
throw new AssertionError(e); |
|
1339 |
} |
|
1340 |
} |
|
1341 |
private static int[] KDCReqBodyDotEType(KDCReqBody body) { |
|
1342 |
try { |
|
1343 |
return (int[]) getEType.get(body); |
|
1344 |
} catch (Exception e) { |
|
1345 |
throw new AssertionError(e); |
|
1346 |
} |
|
1347 |
} |
|
1348 |
private static byte[] EncryptionKeyDotStringToKey(char[] password, String salt, |
|
1349 |
byte[] s2kparams, int keyType) throws KrbCryptoException { |
|
1350 |
try { |
|
1351 |
return (byte[])stringToKey.invoke( |
|
1352 |
null, password, salt, s2kparams, keyType); |
|
1353 |
} catch (InvocationTargetException ex) { |
|
1354 |
throw (KrbCryptoException)ex.getCause(); |
|
1355 |
} catch (Exception e) { |
|
1356 |
throw new AssertionError(e); |
|
1357 |
} |
|
1358 |
} |
|
1454 | 1359 |
} |