提交 11688187 编写于 作者: W weijun

7077646: gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY

Reviewed-by: valeriep
上级 a7010730
......@@ -94,7 +94,7 @@ class AcceptSecContextToken extends InitialToken {
*/
EncryptionKey subKey = apRep.getSubKey();
if (subKey != null) {
context.setKey(subKey);
context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
/*
System.out.println("\n\nSub-Session key from AP-REP is: " +
getHexBytes(subKey.getBytes()) + "\n");
......
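Review bot: The commented-out block directly under the changed `setKey` call still holds a `System.out.println` that would print the sub-session key as hex via `getHexBytes(subKey.getBytes())`. Since the neighbouring line is being edited anyway, the dead block could be deleted so that key logging cannot be re-enabled by simply uncommenting it. The same pattern sits next to the `INITIATOR_SUBKEY` call in the third hunk (InitSecContextToken). If tracing is wanted, a message that names only the key source or encryption type would serve without exposing key bytes. The enclosing method starts and ends outside the hunk.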
......@@ -74,9 +74,9 @@ class InitSecContextToken extends InitialToken {
EncryptionKey subKey = apReq.getSubKey();
if (subKey != null)
context.setKey(subKey);
context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
else
context.setKey(serviceTicket.getSessionKey());
context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey());
if (!mutualRequired)
context.resetPeerSequenceNumber(0);
......@@ -117,13 +117,13 @@ class InitSecContextToken extends InitialToken {
EncryptionKey subKey = apReq.getSubKey();
if (subKey != null) {
context.setKey(subKey);
context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
/*
System.out.println("Sub-Session key from authenticator is: " +
getHexBytes(subKey.getBytes()) + "\n");
*/
} else {
context.setKey(sessionKey);
context.setKey(Krb5Context.SESSION_KEY, sessionKey);
//System.out.println("Sub-Session Key Missing in Authenticator.\n");
}
......
......@@ -67,6 +67,10 @@ class Krb5Context implements GSSContextSpi {
private int state = STATE_NEW;
public static final int SESSION_KEY = 0;
public static final int INITIATOR_SUBKEY = 1;
public static final int ACCEPTOR_SUBKEY = 2;
/*
* Optional features that the application can set and their default
* values.
......@@ -82,6 +86,7 @@ class Krb5Context implements GSSContextSpi {
private int mySeqNumber;
private int peerSeqNumber;
private int keySrc;
private TokenTracker peerTokenTracker;
private CipherHelper cipherHelper = null;
......@@ -384,12 +389,17 @@ class Krb5Context implements GSSContextSpi {
}
}
final void setKey(EncryptionKey key) throws GSSException {
final void setKey(int keySrc, EncryptionKey key) throws GSSException {
this.key = key;
this.keySrc = keySrc;
// %%% to do: should clear old cipherHelper first
cipherHelper = new CipherHelper(key); // Need to use new key
}
public final int getKeySrc() {
return keySrc;
}
private final EncryptionKey getKey() {
return key;
}
......
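Review bot: The three key-source constants and the new `keySrc` field carry no comment, and `setKey(int keySrc, EncryptionKey key)` accepts any int, so a wrong value at a call site would silently change whether per-message tokens claim an acceptor subkey. A line such as `// Origin of the current key; MessageToken_v2 compares it with ACCEPTOR_SUBKEY to decide the RFC 4121 flag` above the constants would record the contract. A guard like `if (keySrc < SESSION_KEY || keySrc > ACCEPTOR_SUBKEY) throw new GSSException(GSSException.FAILURE, -1, "Invalid key source");` would reject out-of-range values. The field's default of 0 also equals `SESSION_KEY`, so `getKeySrc()` reports the session key for a context on which `setKey` has not yet run; whether any caller can observe that is not visible here.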
......@@ -141,6 +141,7 @@ abstract class MessageToken_v2 extends Krb5Token {
// Context properties
private boolean confState = true;
private boolean initiator = true;
private boolean have_acceptor_subkey = false;
/* cipher instance used by the corresponding GSSContext */
CipherHelper cipherHelper = null;
......@@ -311,8 +312,7 @@ abstract class MessageToken_v2 extends Krb5Token {
}
// Create a new gss token header as defined in RFC 4121
tokenHeader = new MessageTokenHeader(tokenId,
prop.getPrivacy(), true);
tokenHeader = new MessageTokenHeader(tokenId, prop.getPrivacy());
// debug("\n\t Message Header = " +
// getHexBytes(tokenHeader.getBytes(), tokenHeader.getBytes().length));
......@@ -461,6 +461,8 @@ abstract class MessageToken_v2 extends Krb5Token {
this.initiator = context.isInitiator();
this.have_acceptor_subkey = context.getKeySrc() == Krb5Context.ACCEPTOR_SUBKEY;
this.cipherHelper = context.getCipherHelper(null);
// debug("In MessageToken.Cons");
}
......@@ -501,8 +503,7 @@ abstract class MessageToken_v2 extends Krb5Token {
private byte[] bytes = new byte[TOKEN_HEADER_SIZE];
// Writes a new token header
public MessageTokenHeader(int tokenId, boolean conf,
boolean have_acceptor_subkey) throws GSSException {
public MessageTokenHeader(int tokenId, boolean conf) throws GSSException {
this.tokenId = tokenId;
......
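Review bot: With the `have_acceptor_subkey` parameter removed from the writing `MessageTokenHeader` constructor, the flag presumably now comes from the enclosing token's field of the same name. That makes the header correct only if the field was assigned from the context before the header is built. The assignment (`context.getKeySrc() == Krb5Context.ACCEPTOR_SUBKEY`) and the `new MessageTokenHeader(tokenId, prop.getPrivacy())` call sit in different methods whose bodies lie outside these hunks, so the ordering cannot be confirmed from here. A comment on the field would record the dependency, for example `// set from the context before any header is built; true only when the context key is the acceptor's subkey`. As a style point, `haveAcceptorSubkey` would match Java's lowerCamelCase field naming.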
/*
* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 7077646
* @summary gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY
* @compile -XDignore.symbol.file AcceptorSubKey.java
* @run main/othervm AcceptorSubKey
*/
import java.util.Arrays;
import sun.security.jgss.GSSUtil;
// The basic krb5 test skeleton you can copy from
public class AcceptorSubKey {
public static void main(String[] args) throws Exception {
new OneKDC(null).writeJAASConf();
Context c, s;
c = Context.fromJAAS("client");
s = Context.fromJAAS("server");
c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_SPNEGO_MECH_OID);
s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
Context.handshake(c, s);
byte[] msg = "i say high --".getBytes();
byte[] wrapped = s.wrap(msg, false);
// FLAG_ACCEPTOR_SUBKEY is 4
int flagOn = wrapped[2] & 4;
if (flagOn != 0) {
throw new Exception("Java GSS should not have set acceptor subkey");
}
s.dispose();
c.dispose();
}
}
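Review bot: `wrapped[2] & 4` reads the flags octet without first confirming that `wrapped` is an RFC 4121 (CFX) wrap token. With a key type that produces the older token format, the check would inspect an unrelated byte and pass or fail for the wrong reason. Checking the token ID first, e.g. `if (wrapped[0] != 0x05 || wrapped[1] != 0x04) throw new Exception("Not a CFX wrap token");`, pins the test to the format it is about. The test also covers only the acceptor's `wrap`; a matching assertion on a token from `c.wrap(msg, false)` would cover the initiator side. `import java.util.Arrays;` is unused, and the "skeleton you can copy from" comment looks like a leftover from the template.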