提交 4bb32bc1 编写于 作者: W weijun

8226352: Improve Kerberos interop capabilities

Reviewed-by: ahgross, mullan, valeriep
上级 6476cef3
/* /*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -73,8 +73,12 @@ abstract class GssKrb5Base extends AbstractSaslImpl { ...@@ -73,8 +73,12 @@ abstract class GssKrb5Base extends AbstractSaslImpl {
} }
try { try {
MessageProp msgProp = new MessageProp(JGSS_QOP, privacy); MessageProp msgProp = new MessageProp(JGSS_QOP, false);
byte[] answer = secCtx.unwrap(incoming, start, len, msgProp); byte[] answer = secCtx.unwrap(incoming, start, len, msgProp);
if (privacy && !msgProp.getPrivacy()) {
throw new SaslException("Privacy not protected");
}
checkMessageProp("", msgProp);
if (logger.isLoggable(Level.FINEST)) { if (logger.isLoggable(Level.FINEST)) {
traceOutput(myClassName, "KRB501:Unwrap", "incoming: ", traceOutput(myClassName, "KRB501:Unwrap", "incoming: ",
incoming, start, len); incoming, start, len);
...@@ -128,4 +132,20 @@ abstract class GssKrb5Base extends AbstractSaslImpl { ...@@ -128,4 +132,20 @@ abstract class GssKrb5Base extends AbstractSaslImpl {
protected void finalize() throws Throwable { protected void finalize() throws Throwable {
dispose(); dispose();
} }
void checkMessageProp(String label, MessageProp msgProp)
throws SaslException {
if (msgProp.isDuplicateToken()) {
throw new SaslException(label + "Duplicate token");
}
if (msgProp.isGapToken()) {
throw new SaslException(label + "Gap token");
}
if (msgProp.isOldToken()) {
throw new SaslException(label + "Old token");
}
if (msgProp.isUnseqToken()) {
throw new SaslException(label + "Token not in sequence");
}
}
} }
/* /*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -230,8 +230,10 @@ final class GssKrb5Client extends GssKrb5Base implements SaslClient { ...@@ -230,8 +230,10 @@ final class GssKrb5Client extends GssKrb5Base implements SaslClient {
// Received S1 (security layer, server max recv size) // Received S1 (security layer, server max recv size)
MessageProp msgProp = new MessageProp(false);
byte[] gssOutToken = secCtx.unwrap(challengeData, 0, byte[] gssOutToken = secCtx.unwrap(challengeData, 0,
challengeData.length, new MessageProp(0, false)); challengeData.length, msgProp);
checkMessageProp("Handshake failure: ", msgProp);
// First octet is a bit-mask specifying the protections // First octet is a bit-mask specifying the protections
// supported by the server // supported by the server
......
/* /*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -250,8 +250,10 @@ final class GssKrb5Server extends GssKrb5Base implements SaslServer { ...@@ -250,8 +250,10 @@ final class GssKrb5Server extends GssKrb5Base implements SaslServer {
try { try {
// Expecting 4 octets from client selected protection // Expecting 4 octets from client selected protection
// and client's receive buffer size // and client's receive buffer size
MessageProp msgProp = new MessageProp(false);
byte[] gssOutToken = secCtx.unwrap(responseData, 0, byte[] gssOutToken = secCtx.unwrap(responseData, 0,
responseData.length, new MessageProp(0, false)); responseData.length, msgProp);
checkMessageProp("Handshake failure: ", msgProp);
if (logger.isLoggable(Level.FINER)) { if (logger.isLoggable(Level.FINER)) {
traceOutput(MY_CLASS_NAME, "doHandshake2", traceOutput(MY_CLASS_NAME, "doHandshake2",
......
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8012082 8019267
* @summary SASL: auth-conf negotiated, but unencrypted data is accepted,
* reset to unencrypt
* @compile -XDignore.symbol.file SaslGSS.java
* @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock SaslGSS
*/
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServer;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.util.HashMap;
import java.util.Locale;
import java.util.logging.ConsoleHandler;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.ietf.jgss.*;
import sun.security.jgss.GSSUtil;
public class SaslGSS {
public static void main(String[] args) throws Exception {
String name = "host." + OneKDC.REALM.toLowerCase(Locale.US);
new OneKDC(null).writeJAASConf();
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
// Client in JGSS so that it can control wrap privacy mode
GSSManager m = GSSManager.getInstance();
GSSContext sc = m.createContext(
m.createName(OneKDC.SERVER, GSSUtil.NT_GSS_KRB5_PRINCIPAL),
GSSUtil.GSS_KRB5_MECH_OID,
null,
GSSContext.DEFAULT_LIFETIME);
sc.requestMutualAuth(false);
// Server in SASL
final HashMap props = new HashMap();
props.put(Sasl.QOP, "auth-conf");
SaslServer ss = Sasl.createSaslServer("GSSAPI", "server",
name, props,
new CallbackHandler() {
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
for (Callback cb : callbacks) {
if (cb instanceof RealmCallback) {
((RealmCallback) cb).setText(OneKDC.REALM);
} else if (cb instanceof AuthorizeCallback) {
((AuthorizeCallback) cb).setAuthorized(true);
}
}
}
});
ByteArrayOutputStream bout = new ByteArrayOutputStream();
PrintStream oldErr = System.err;
System.setErr(new PrintStream(bout));
Logger.getLogger("javax.security.sasl").setLevel(Level.ALL);
Handler h = new ConsoleHandler();
h.setLevel(Level.ALL);
Logger.getLogger("javax.security.sasl").addHandler(h);
byte[] token = new byte[0];
try {
// Handshake
token = sc.initSecContext(token, 0, token.length);
token = ss.evaluateResponse(token);
token = sc.unwrap(token, 0, token.length, new MessageProp(0, false));
token[0] = (byte)(((token[0] & 4) != 0) ? 4 : 2);
token = sc.wrap(token, 0, token.length, new MessageProp(0, false));
ss.evaluateResponse(token);
} finally {
System.setErr(oldErr);
}
// Talk
// 1. Client sends a auth-int message
byte[] hello = "hello".getBytes();
MessageProp qop = new MessageProp(0, false);
token = sc.wrap(hello, 0, hello.length, qop);
// 2. Server accepts it anyway
ss.unwrap(token, 0, token.length);
// 3. Server sends a message
token = ss.wrap(hello, 0, hello.length);
// 4. Client accepts, should be auth-conf
sc.unwrap(token, 0, token.length, qop);
if (!qop.getPrivacy()) {
throw new Exception();
}
for (String s: bout.toString().split("\\n")) {
if (s.contains("KRB5SRV04") && s.contains("NULL")) {
return;
}
}
System.out.println("=======================");
System.out.println(bout.toString());
System.out.println("=======================");
throw new Exception("Haven't seen KRB5SRV04 with NULL");
}
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册