aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorweijun <unknown>2020-01-12 06:09:15 +0000
committerbell-sw <liberica@bell-sw.com>2020-01-19 09:13:20 +0300
commitf57375e50070b88fb6c80ea3ca84f0870292e496 (patch)
treecec24575668bfa97d0cff14fd5d7e20a0687cfb2
parentb81b2489fe7083314008dc0c939439cc125fe5d2 (diff)
downloadjdk8u_jdk-f57375e50070b88fb6c80ea3ca84f0870292e496.tar.gz
8226352: Improve Kerberos interop capabilities
Reviewed-by: ahgross, mullan, valeriep
Diffstat
-rw-r--r--src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java24
-rw-r--r--src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java6
-rw-r--r--src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java6
-rw-r--r--test/sun/security/krb5/auto/SaslGSS.java137
4 files changed, 30 insertions, 143 deletions
diff --git a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java
index 30461e25f7..baa836efe5 100644
--- a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java
+++ b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -73,8 +73,12 @@ abstract class GssKrb5Base extends AbstractSaslImpl {
}
try {
- MessageProp msgProp = new MessageProp(JGSS_QOP, privacy);
+ MessageProp msgProp = new MessageProp(JGSS_QOP, false);
byte[] answer = secCtx.unwrap(incoming, start, len, msgProp);
+ if (privacy && !msgProp.getPrivacy()) {
+ throw new SaslException("Privacy not protected");
+ }
+ checkMessageProp("", msgProp);
if (logger.isLoggable(Level.FINEST)) {
traceOutput(myClassName, "KRB501:Unwrap", "incoming: ",
incoming, start, len);
@@ -128,4 +132,20 @@ abstract class GssKrb5Base extends AbstractSaslImpl {
protected void finalize() throws Throwable {
dispose();
}
+
+ void checkMessageProp(String label, MessageProp msgProp)
+ throws SaslException {
+ if (msgProp.isDuplicateToken()) {
+ throw new SaslException(label + "Duplicate token");
+ }
+ if (msgProp.isGapToken()) {
+ throw new SaslException(label + "Gap token");
+ }
+ if (msgProp.isOldToken()) {
+ throw new SaslException(label + "Old token");
+ }
+ if (msgProp.isUnseqToken()) {
+ throw new SaslException(label + "Token not in sequence");
+ }
+ }
}
diff --git a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java
index e8d9a4cc86..34a879ab65 100644
--- a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java
+++ b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -230,8 +230,10 @@ final class GssKrb5Client extends GssKrb5Base implements SaslClient {
// Received S1 (security layer, server max recv size)
+ MessageProp msgProp = new MessageProp(false);
byte[] gssOutToken = secCtx.unwrap(challengeData, 0,
- challengeData.length, new MessageProp(0, false));
+ challengeData.length, msgProp);
+ checkMessageProp("Handshake failure: ", msgProp);
// First octet is a bit-mask specifying the protections
// supported by the server
diff --git a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java
index 94ce39c0ad..10c429aca5 100644
--- a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java
+++ b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -250,8 +250,10 @@ final class GssKrb5Server extends GssKrb5Base implements SaslServer {
try {
// Expecting 4 octets from client selected protection
// and client's receive buffer size
+ MessageProp msgProp = new MessageProp(false);
byte[] gssOutToken = secCtx.unwrap(responseData, 0,
- responseData.length, new MessageProp(0, false));
+ responseData.length, msgProp);
+ checkMessageProp("Handshake failure: ", msgProp);
if (logger.isLoggable(Level.FINER)) {
traceOutput(MY_CLASS_NAME, "doHandshake2",
diff --git a/test/sun/security/krb5/auto/SaslGSS.java b/test/sun/security/krb5/auto/SaslGSS.java
deleted file mode 100644
index d21cfebb19..0000000000
--- a/test/sun/security/krb5/auto/SaslGSS.java
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8012082 8019267
- * @summary SASL: auth-conf negotiated, but unencrypted data is accepted,
- * reset to unencrypt
- * @compile -XDignore.symbol.file SaslGSS.java
- * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock SaslGSS
- */
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.sasl.AuthorizeCallback;
-import javax.security.sasl.RealmCallback;
-import javax.security.sasl.Sasl;
-import javax.security.sasl.SaslServer;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.util.HashMap;
-import java.util.Locale;
-import java.util.logging.ConsoleHandler;
-import java.util.logging.Handler;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.ietf.jgss.*;
-import sun.security.jgss.GSSUtil;
-
-public class SaslGSS {
-
- public static void main(String[] args) throws Exception {
-
- String name = "host." + OneKDC.REALM.toLowerCase(Locale.US);
-
- new OneKDC(null).writeJAASConf();
- System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
- // Client in JGSS so that it can control wrap privacy mode
- GSSManager m = GSSManager.getInstance();
- GSSContext sc = m.createContext(
- m.createName(OneKDC.SERVER, GSSUtil.NT_GSS_KRB5_PRINCIPAL),
- GSSUtil.GSS_KRB5_MECH_OID,
- null,
- GSSContext.DEFAULT_LIFETIME);
- sc.requestMutualAuth(false);
-
- // Server in SASL
- final HashMap props = new HashMap();
- props.put(Sasl.QOP, "auth-conf");
- SaslServer ss = Sasl.createSaslServer("GSSAPI", "server",
- name, props,
- new CallbackHandler() {
- public void handle(Callback[] callbacks)
- throws IOException, UnsupportedCallbackException {
- for (Callback cb : callbacks) {
- if (cb instanceof RealmCallback) {
- ((RealmCallback) cb).setText(OneKDC.REALM);
- } else if (cb instanceof AuthorizeCallback) {
- ((AuthorizeCallback) cb).setAuthorized(true);
- }
- }
- }
- });
-
- ByteArrayOutputStream bout = new ByteArrayOutputStream();
- PrintStream oldErr = System.err;
- System.setErr(new PrintStream(bout));
-
- Logger.getLogger("javax.security.sasl").setLevel(Level.ALL);
- Handler h = new ConsoleHandler();
- h.setLevel(Level.ALL);
- Logger.getLogger("javax.security.sasl").addHandler(h);
-
- byte[] token = new byte[0];
-
- try {
- // Handshake
- token = sc.initSecContext(token, 0, token.length);
- token = ss.evaluateResponse(token);
- token = sc.unwrap(token, 0, token.length, new MessageProp(0, false));
- token[0] = (byte)(((token[0] & 4) != 0) ? 4 : 2);
- token = sc.wrap(token, 0, token.length, new MessageProp(0, false));
- ss.evaluateResponse(token);
- } finally {
- System.setErr(oldErr);
- }
-
- // Talk
- // 1. Client sends a auth-int message
- byte[] hello = "hello".getBytes();
- MessageProp qop = new MessageProp(0, false);
- token = sc.wrap(hello, 0, hello.length, qop);
- // 2. Server accepts it anyway
- ss.unwrap(token, 0, token.length);
- // 3. Server sends a message
- token = ss.wrap(hello, 0, hello.length);
- // 4. Client accepts, should be auth-conf
- sc.unwrap(token, 0, token.length, qop);
- if (!qop.getPrivacy()) {
- throw new Exception();
- }
-
- for (String s: bout.toString().split("\\n")) {
- if (s.contains("KRB5SRV04") && s.contains("NULL")) {
- return;
- }
- }
- System.out.println("=======================");
- System.out.println(bout.toString());
- System.out.println("=======================");
- throw new Exception("Haven't seen KRB5SRV04 with NULL");
- }
-}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-04 20:06:40 +0000