001: /*
002: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
003: *
004: * This code is free software; you can redistribute it and/or modify it
005: * under the terms of the GNU General Public License version 2 only, as
006: * published by the Free Software Foundation. Sun designates this
007: * particular file as subject to the "Classpath" exception as provided
008: * by Sun in the LICENSE file that accompanied this code.
009: *
010: * This code is distributed in the hope that it will be useful, but WITHOUT
011: * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
012: * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
013: * version 2 for more details (a copy is included in the LICENSE file that
014: * accompanied this code).
015: *
016: * You should have received a copy of the GNU General Public License version
017: * 2 along with this work; if not, write to the Free Software Foundation,
018: * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
019: *
020: * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
021: * CA 95054 USA or visit www.sun.com if you need additional information or
022: * have any questions.
023: */
024:
025: /*
026: * @(#)KrbAppMessage.java 1.16 07/04/27
027: *
028: * (C) Copyright IBM Corp. 1999 All Rights Reserved.
029: * Copyright 1997 The Open Group Research Institute. All rights reserved.
030: */
031:
032: package sun.security.krb5;
033:
034: import sun.security.krb5.internal.*;
035:
/**
 * Base class holding the validation logic shared by the KRB-PRIV and
 * KRB-SAFE application messages.
 *
 * <p>NOTE(review): no replay cache is consulted in this class; the replay
 * lookup and the save of the message identifier are only sketched in
 * comments inside {@link #check}. Whether replay detection happens
 * elsewhere cannot be determined from this file.
 */
abstract class KrbAppMessage {

    private static boolean DEBUG = Krb5.DEBUG;

    /**
     * Runs the checks common to KRB-PRIV and KRB-SAFE on the fields taken
     * from a received message.
     *
     * <p>The checks run in this order: sender address, recipient address,
     * timestamp / clock skew, sequence number, and finally the requirement
     * that the message carries at least a timestamp or a sequence number.
     * On success the expected sequence number is advanced by one step when
     * both a packet sequence number and a {@code seqNumber} are present.
     *
     * @param packetTimestamp   timestamp from the message, may be null;
     *                          it is mutated (its microseconds are set
     *                          from {@code packetUsec}) when non-null
     * @param packetUsec        microsecond field from the message
     * @param packetSeqNumber   sequence number from the message, may be null
     * @param packetSAddress    sender address from the message
     * @param packetRAddress    recipient address from the message
     * @param seqNumber         expected sequence number state, may be null
     * @param sAddress          expected sender address
     * @param rAddress          expected recipient address
     * @param timestampRequired whether a missing timestamp is an error
     * @param seqNumberRequired whether a missing sequence number is an error
     * @param packetPrincipal   not read by this method (it appears only in
     *                          the commented-out replay cache call)
     * @param packetRealm       not read by this method (it appears only in
     *                          the commented-out replay cache call)
     * @throws KrbApErrException with {@code KRB_AP_ERR_BADADDR},
     *         {@code KRB_AP_ERR_SKEW}, {@code API_INVALID_ARG},
     *         {@code KRB_AP_ERR_BADORDER} or {@code KRB_AP_ERR_MODIFIED},
     *         depending on which check fails
     */
    void check(KerberosTime packetTimestamp, Integer packetUsec,
               Integer packetSeqNumber, HostAddress packetSAddress,
               HostAddress packetRAddress, SeqNumber seqNumber,
               HostAddress sAddress, HostAddress rAddress,
               boolean timestampRequired, boolean seqNumberRequired,
               PrincipalName packetPrincipal, Realm packetRealm)
            throws KrbApErrException {

        // Sender address. When empty addresses are allowed and no expected
        // sender address was supplied, the packet's sender address is not
        // examined at all.
        final boolean senderChecked =
                !Krb5.AP_EMPTY_ADDRESSES_ALLOWED || sAddress != null;
        if (senderChecked && !addressesAgree(packetSAddress, sAddress)) {
            if (DEBUG) {
                if (packetSAddress == null) {
                    System.out.println("packetSAddress is null");
                }
                if (sAddress == null) {
                    System.out.println("sAddress is null");
                }
            }
            throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
        }

        // Recipient address, with the same skip rule as the sender address.
        final boolean recipientChecked =
                !Krb5.AP_EMPTY_ADDRESSES_ALLOWED || rAddress != null;
        if (recipientChecked && !addressesAgree(packetRAddress, rAddress)) {
            throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
        }

        // Timestamp. A missing-but-required timestamp is reported with the
        // same error code as a timestamp outside the allowed clock skew.
        if (packetTimestamp == null) {
            if (timestampRequired) {
                throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
            }
        } else {
            packetTimestamp.setMicroSeconds(packetUsec);
            if (!packetTimestamp.inClockSkew()) {
                throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
            }
        }

        // XXX check replay cache (not implemented). The intended lookup is
        // rcache.repeated(packetTimestamp, packetUsec, packetSAddress),
        // failing with Krb5.KRB_AP_ERR_REPEAT. Until it exists, a message
        // that passes the skew check is not rejected here for having been
        // seen before.

        // XXX consider moving up to api level
        if (seqNumberRequired && seqNumber == null) {
            throw new KrbApErrException(Krb5.API_INVALID_ARG);
        }

        if (packetSeqNumber == null || seqNumber == null) {
            if (seqNumberRequired) {
                throw new KrbApErrException(Krb5.KRB_AP_ERR_BADORDER);
            }
        } else {
            if (packetSeqNumber.intValue() != seqNumber.current()) {
                throw new KrbApErrException(Krb5.KRB_AP_ERR_BADORDER);
            }
            // Should be done only when no more exceptions are possible.
            // The final check below cannot fire on this path because
            // packetSeqNumber is non-null here.
            seqNumber.step();
        }

        // Must not be relaxed, per RFC 4120
        if (packetTimestamp == null && packetSeqNumber == null) {
            throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
        }

        // XXX check replay cache (not implemented). The intended call is
        // rcache.save_identifier(packetTimestamp, packetUsec,
        // packetSAddress, packetPrincipal, packetRealm).
    }

    /**
     * Reports whether the address taken from the packet and the expected
     * address are both present and equal.
     */
    private static boolean addressesAgree(HostAddress fromPacket,
                                          HostAddress expected) {
        return fromPacket != null
                && expected != null
                && fromPacket.equals(expected);
    }

}