提交 11688187 编写于 作者: W weijun

7077646: gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY

Reviewed-by: valeriep
上级 a7010730
...@@ -94,7 +94,7 @@ class AcceptSecContextToken extends InitialToken { ...@@ -94,7 +94,7 @@ class AcceptSecContextToken extends InitialToken {
*/ */
EncryptionKey subKey = apRep.getSubKey(); EncryptionKey subKey = apRep.getSubKey();
if (subKey != null) { if (subKey != null) {
context.setKey(subKey); context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
/* /*
System.out.println("\n\nSub-Session key from AP-REP is: " + System.out.println("\n\nSub-Session key from AP-REP is: " +
getHexBytes(subKey.getBytes()) + "\n"); getHexBytes(subKey.getBytes()) + "\n");
......
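Review bot: The commented-out `System.out.println` block directly below the changed `setKey` call would dump the AP-REP sub-session key in hex if anyone re-enabled it; since the commit touches exactly this spot, it is the moment to delete that dead code rather than carry a key dump along, and the same commented-out dump sits in the second InitSecContextToken hunk. The ACCEPTOR_SUBKEY labelling itself reads correctly: when `apRep.getSubKey()` is null the key source chosen earlier is left in place, which is the intended fallback. The enclosing constructor starts and ends outside the hunk.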
...@@ -74,9 +74,9 @@ class InitSecContextToken extends InitialToken { ...@@ -74,9 +74,9 @@ class InitSecContextToken extends InitialToken {
EncryptionKey subKey = apReq.getSubKey(); EncryptionKey subKey = apReq.getSubKey();
if (subKey != null) if (subKey != null)
context.setKey(subKey); context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
else else
context.setKey(serviceTicket.getSessionKey()); context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey());
if (!mutualRequired) if (!mutualRequired)
context.resetPeerSequenceNumber(0); context.resetPeerSequenceNumber(0);
...@@ -117,13 +117,13 @@ class InitSecContextToken extends InitialToken { ...@@ -117,13 +117,13 @@ class InitSecContextToken extends InitialToken {
EncryptionKey subKey = apReq.getSubKey(); EncryptionKey subKey = apReq.getSubKey();
if (subKey != null) { if (subKey != null) {
context.setKey(subKey); context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
/* /*
System.out.println("Sub-Session key from authenticator is: " + System.out.println("Sub-Session key from authenticator is: " +
getHexBytes(subKey.getBytes()) + "\n"); getHexBytes(subKey.getBytes()) + "\n");
*/ */
} else { } else {
context.setKey(sessionKey); context.setKey(Krb5Context.SESSION_KEY, sessionKey);
//System.out.println("Sub-Session Key Missing in Authenticator.\n"); //System.out.println("Sub-Session Key Missing in Authenticator.\n");
} }
......
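Review bot: The new `context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey)` and `context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey())` calls in the first hunk sit in an unbraced `if`/`else`, immediately followed by an unbraced `if (!mutualRequired)`, which makes the key-selection path easy to misread the next time a line is added; wrapping each branch in braces, as the second hunk already does, would make it unambiguous. Labelling the authenticator subkey INITIATOR_SUBKEY on both the sending side (first hunk) and the parsing side (second hunk) is consistent, since it is the initiator's key regardless of which peer stores it. Both enclosing constructors start and end outside the hunks.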
...@@ -67,6 +67,10 @@ class Krb5Context implements GSSContextSpi { ...@@ -67,6 +67,10 @@ class Krb5Context implements GSSContextSpi {
private int state = STATE_NEW; private int state = STATE_NEW;
public static final int SESSION_KEY = 0;
public static final int INITIATOR_SUBKEY = 1;
public static final int ACCEPTOR_SUBKEY = 2;
/* /*
* Optional features that the application can set and their default * Optional features that the application can set and their default
* values. * values.
...@@ -82,6 +86,7 @@ class Krb5Context implements GSSContextSpi { ...@@ -82,6 +86,7 @@ class Krb5Context implements GSSContextSpi {
private int mySeqNumber; private int mySeqNumber;
private int peerSeqNumber; private int peerSeqNumber;
private int keySrc;
private TokenTracker peerTokenTracker; private TokenTracker peerTokenTracker;
private CipherHelper cipherHelper = null; private CipherHelper cipherHelper = null;
...@@ -384,12 +389,17 @@ class Krb5Context implements GSSContextSpi { ...@@ -384,12 +389,17 @@ class Krb5Context implements GSSContextSpi {
} }
} }
final void setKey(EncryptionKey key) throws GSSException { final void setKey(int keySrc, EncryptionKey key) throws GSSException {
this.key = key; this.key = key;
this.keySrc = keySrc;
// %%% to do: should clear old cipherHelper first // %%% to do: should clear old cipherHelper first
cipherHelper = new CipherHelper(key); // Need to use new key cipherHelper = new CipherHelper(key); // Need to use new key
} }
public final int getKeySrc() {
return keySrc;
}
private final EncryptionKey getKey() { private final EncryptionKey getKey() {
return key; return key;
} }
......
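Review bot: The three new `public static final int` constants, the `keySrc` field and `getKeySrc()` carry no comment saying what a key source is, and `setKey(int keySrc, ...)` stores any int without checking that it is one of the three. A comment above the constants such as `// Where the context key came from: the ticket session key, the initiator's authenticator subkey, or the acceptor's AP-REP subkey; per-message tokens set the AcceptorSubkey flag only in the last case` and a Javadoc on `getKeySrc()` stating that it returns one of SESSION_KEY, INITIATOR_SUBKEY or ACCEPTOR_SUBKEY would make the contract readable from this class alone. Rejecting other values at the top of `setKey` with `if (keySrc < SESSION_KEY || keySrc > ACCEPTOR_SUBKEY) throw new IllegalArgumentException("keySrc: " + keySrc);` is cheap and would catch a mislabelled caller early rather than silently clearing the flag.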
...@@ -141,6 +141,7 @@ abstract class MessageToken_v2 extends Krb5Token { ...@@ -141,6 +141,7 @@ abstract class MessageToken_v2 extends Krb5Token {
// Context properties // Context properties
private boolean confState = true; private boolean confState = true;
private boolean initiator = true; private boolean initiator = true;
private boolean have_acceptor_subkey = false;
/* cipher instance used by the corresponding GSSContext */ /* cipher instance used by the corresponding GSSContext */
CipherHelper cipherHelper = null; CipherHelper cipherHelper = null;
...@@ -311,8 +312,7 @@ abstract class MessageToken_v2 extends Krb5Token { ...@@ -311,8 +312,7 @@ abstract class MessageToken_v2 extends Krb5Token {
} }
// Create a new gss token header as defined in RFC 4121 // Create a new gss token header as defined in RFC 4121
tokenHeader = new MessageTokenHeader(tokenId, tokenHeader = new MessageTokenHeader(tokenId, prop.getPrivacy());
prop.getPrivacy(), true);
// debug("\n\t Message Header = " + // debug("\n\t Message Header = " +
// getHexBytes(tokenHeader.getBytes(), tokenHeader.getBytes().length)); // getHexBytes(tokenHeader.getBytes(), tokenHeader.getBytes().length));
...@@ -461,6 +461,8 @@ abstract class MessageToken_v2 extends Krb5Token { ...@@ -461,6 +461,8 @@ abstract class MessageToken_v2 extends Krb5Token {
this.initiator = context.isInitiator(); this.initiator = context.isInitiator();
this.have_acceptor_subkey = context.getKeySrc() == Krb5Context.ACCEPTOR_SUBKEY;
this.cipherHelper = context.getCipherHelper(null); this.cipherHelper = context.getCipherHelper(null);
// debug("In MessageToken.Cons"); // debug("In MessageToken.Cons");
} }
...@@ -501,8 +503,7 @@ abstract class MessageToken_v2 extends Krb5Token { ...@@ -501,8 +503,7 @@ abstract class MessageToken_v2 extends Krb5Token {
private byte[] bytes = new byte[TOKEN_HEADER_SIZE]; private byte[] bytes = new byte[TOKEN_HEADER_SIZE];
// Writes a new token header // Writes a new token header
public MessageTokenHeader(int tokenId, boolean conf, public MessageTokenHeader(int tokenId, boolean conf) throws GSSException {
boolean have_acceptor_subkey) throws GSSException {
this.tokenId = tokenId; this.tokenId = tokenId;
......
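Review bot: The new field `have_acceptor_subkey` (first hunk) and its assignment in the context-taking constructor (third hunk) use snake_case in a class whose neighbouring fields are camelCase (`confState`, `initiator`, `cipherHelper`); `private boolean haveAcceptorSubkey = false; // RFC 4121 AcceptorSubkey flag: only when the context key is the acceptor's AP-REP subkey` keeps the style consistent and documents the meaning. The `MessageTokenHeader` constructor loses its `have_acceptor_subkey` parameter in the last hunk, so presumably the header now reads the enclosing token's field when it writes the flags octet; that read is outside these hunks, so it is worth confirming that every path that builds a header for an outgoing token goes through the constructor that sets the field, since any other constructor would leave it at its default `false`.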
/*
* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 7077646
* @summary gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY
* @compile -XDignore.symbol.file AcceptorSubKey.java
* @run main/othervm AcceptorSubKey
*/
import java.util.Arrays;
import sun.security.jgss.GSSUtil;
// The basic krb5 test skeleton you can copy from
public class AcceptorSubKey {
public static void main(String[] args) throws Exception {
new OneKDC(null).writeJAASConf();
Context c, s;
c = Context.fromJAAS("client");
s = Context.fromJAAS("server");
c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_SPNEGO_MECH_OID);
s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
Context.handshake(c, s);
byte[] msg = "i say high --".getBytes();
byte[] wrapped = s.wrap(msg, false);
// FLAG_ACCEPTOR_SUBKEY is 4
int flagOn = wrapped[2] & 4;
if (flagOn != 0) {
throw new Exception("Java GSS should not have set acceptor subkey");
}
s.dispose();
c.dispose();
}
}
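Review bot: The test only inspects the acceptor's output (`s.wrap`), but the initiator's per-message tokens go through the same header code, and the flag must be clear on both sides when no AP-REP subkey is in use; the mirror check `wrapped = c.wrap(msg, false); if ((wrapped[2] & 4) != 0) throw new Exception("Java GSS should not have set acceptor subkey on initiator");` costs nothing. The index `2` deserves a comment such as `// byte 2 of the RFC 4121 token header is the Flags octet`, since the existing `// FLAG_ACCEPTOR_SUBKEY is 4` explains the mask but not the offset. `"i say high --".getBytes()` uses the platform default charset; the content does not matter here, but `getBytes(StandardCharsets.UTF_8)` makes it deterministic. Only the negative case is covered; a peer that does send an AP-REP subkey would exercise the flag-set path, which this in-process setup presumably cannot produce.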