Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
4bb32bc1
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
4bb32bc1
编写于
1月 12, 2020
作者:
W
weijun
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8226352: Improve Kerberos interop capabilities
Reviewed-by: ahgross, mullan, valeriep
上级
6476cef3
变更
4
显示空白变更内容
内联
并排
Showing
4 changed file
with
30 addition
and
143 deletion
+30
-143
src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java
...re/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java
+22
-2
src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java
.../classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java
+4
-2
src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java
.../classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java
+4
-2
test/sun/security/krb5/auto/SaslGSS.java
test/sun/security/krb5/auto/SaslGSS.java
+0
-137
未找到文件。
src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java
浏览文件 @
4bb32bc1
/*
* Copyright (c) 2003, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -73,8 +73,12 @@ abstract class GssKrb5Base extends AbstractSaslImpl {
}
try
{
MessageProp
msgProp
=
new
MessageProp
(
JGSS_QOP
,
privacy
);
MessageProp
msgProp
=
new
MessageProp
(
JGSS_QOP
,
false
);
byte
[]
answer
=
secCtx
.
unwrap
(
incoming
,
start
,
len
,
msgProp
);
if
(
privacy
&&
!
msgProp
.
getPrivacy
())
{
throw
new
SaslException
(
"Privacy not protected"
);
}
checkMessageProp
(
""
,
msgProp
);
if
(
logger
.
isLoggable
(
Level
.
FINEST
))
{
traceOutput
(
myClassName
,
"KRB501:Unwrap"
,
"incoming: "
,
incoming
,
start
,
len
);
...
...
@@ -128,4 +132,20 @@ abstract class GssKrb5Base extends AbstractSaslImpl {
protected
void
finalize
()
throws
Throwable
{
dispose
();
}
void
checkMessageProp
(
String
label
,
MessageProp
msgProp
)
throws
SaslException
{
if
(
msgProp
.
isDuplicateToken
())
{
throw
new
SaslException
(
label
+
"Duplicate token"
);
}
if
(
msgProp
.
isGapToken
())
{
throw
new
SaslException
(
label
+
"Gap token"
);
}
if
(
msgProp
.
isOldToken
())
{
throw
new
SaslException
(
label
+
"Old token"
);
}
if
(
msgProp
.
isUnseqToken
())
{
throw
new
SaslException
(
label
+
"Token not in sequence"
);
}
}
}
src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java
浏览文件 @
4bb32bc1
/*
* Copyright (c) 2000, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -230,8 +230,10 @@ final class GssKrb5Client extends GssKrb5Base implements SaslClient {
// Received S1 (security layer, server max recv size)
MessageProp
msgProp
=
new
MessageProp
(
false
);
byte
[]
gssOutToken
=
secCtx
.
unwrap
(
challengeData
,
0
,
challengeData
.
length
,
new
MessageProp
(
0
,
false
));
challengeData
.
length
,
msgProp
);
checkMessageProp
(
"Handshake failure: "
,
msgProp
);
// First octet is a bit-mask specifying the protections
// supported by the server
...
...
src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java
浏览文件 @
4bb32bc1
/*
* Copyright (c) 2000, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -250,8 +250,10 @@ final class GssKrb5Server extends GssKrb5Base implements SaslServer {
try
{
// Expecting 4 octets from client selected protection
// and client's receive buffer size
MessageProp
msgProp
=
new
MessageProp
(
false
);
byte
[]
gssOutToken
=
secCtx
.
unwrap
(
responseData
,
0
,
responseData
.
length
,
new
MessageProp
(
0
,
false
));
responseData
.
length
,
msgProp
);
checkMessageProp
(
"Handshake failure: "
,
msgProp
);
if
(
logger
.
isLoggable
(
Level
.
FINER
))
{
traceOutput
(
MY_CLASS_NAME
,
"doHandshake2"
,
...
...
test/sun/security/krb5/auto/SaslGSS.java
已删除
100644 → 0
浏览文件 @
6476cef3
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8012082 8019267
* @summary SASL: auth-conf negotiated, but unencrypted data is accepted,
* reset to unencrypt
* @compile -XDignore.symbol.file SaslGSS.java
* @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock SaslGSS
*/
import
javax.security.auth.callback.Callback
;
import
javax.security.auth.callback.CallbackHandler
;
import
javax.security.auth.callback.UnsupportedCallbackException
;
import
javax.security.sasl.AuthorizeCallback
;
import
javax.security.sasl.RealmCallback
;
import
javax.security.sasl.Sasl
;
import
javax.security.sasl.SaslServer
;
import
java.io.ByteArrayOutputStream
;
import
java.io.IOException
;
import
java.io.PrintStream
;
import
java.util.HashMap
;
import
java.util.Locale
;
import
java.util.logging.ConsoleHandler
;
import
java.util.logging.Handler
;
import
java.util.logging.Level
;
import
java.util.logging.Logger
;
import
org.ietf.jgss.*
;
import
sun.security.jgss.GSSUtil
;
public
class
SaslGSS
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
String
name
=
"host."
+
OneKDC
.
REALM
.
toLowerCase
(
Locale
.
US
);
new
OneKDC
(
null
).
writeJAASConf
();
System
.
setProperty
(
"javax.security.auth.useSubjectCredsOnly"
,
"false"
);
// Client in JGSS so that it can control wrap privacy mode
GSSManager
m
=
GSSManager
.
getInstance
();
GSSContext
sc
=
m
.
createContext
(
m
.
createName
(
OneKDC
.
SERVER
,
GSSUtil
.
NT_GSS_KRB5_PRINCIPAL
),
GSSUtil
.
GSS_KRB5_MECH_OID
,
null
,
GSSContext
.
DEFAULT_LIFETIME
);
sc
.
requestMutualAuth
(
false
);
// Server in SASL
final
HashMap
props
=
new
HashMap
();
props
.
put
(
Sasl
.
QOP
,
"auth-conf"
);
SaslServer
ss
=
Sasl
.
createSaslServer
(
"GSSAPI"
,
"server"
,
name
,
props
,
new
CallbackHandler
()
{
public
void
handle
(
Callback
[]
callbacks
)
throws
IOException
,
UnsupportedCallbackException
{
for
(
Callback
cb
:
callbacks
)
{
if
(
cb
instanceof
RealmCallback
)
{
((
RealmCallback
)
cb
).
setText
(
OneKDC
.
REALM
);
}
else
if
(
cb
instanceof
AuthorizeCallback
)
{
((
AuthorizeCallback
)
cb
).
setAuthorized
(
true
);
}
}
}
});
ByteArrayOutputStream
bout
=
new
ByteArrayOutputStream
();
PrintStream
oldErr
=
System
.
err
;
System
.
setErr
(
new
PrintStream
(
bout
));
Logger
.
getLogger
(
"javax.security.sasl"
).
setLevel
(
Level
.
ALL
);
Handler
h
=
new
ConsoleHandler
();
h
.
setLevel
(
Level
.
ALL
);
Logger
.
getLogger
(
"javax.security.sasl"
).
addHandler
(
h
);
byte
[]
token
=
new
byte
[
0
];
try
{
// Handshake
token
=
sc
.
initSecContext
(
token
,
0
,
token
.
length
);
token
=
ss
.
evaluateResponse
(
token
);
token
=
sc
.
unwrap
(
token
,
0
,
token
.
length
,
new
MessageProp
(
0
,
false
));
token
[
0
]
=
(
byte
)(((
token
[
0
]
&
4
)
!=
0
)
?
4
:
2
);
token
=
sc
.
wrap
(
token
,
0
,
token
.
length
,
new
MessageProp
(
0
,
false
));
ss
.
evaluateResponse
(
token
);
}
finally
{
System
.
setErr
(
oldErr
);
}
// Talk
// 1. Client sends a auth-int message
byte
[]
hello
=
"hello"
.
getBytes
();
MessageProp
qop
=
new
MessageProp
(
0
,
false
);
token
=
sc
.
wrap
(
hello
,
0
,
hello
.
length
,
qop
);
// 2. Server accepts it anyway
ss
.
unwrap
(
token
,
0
,
token
.
length
);
// 3. Server sends a message
token
=
ss
.
wrap
(
hello
,
0
,
hello
.
length
);
// 4. Client accepts, should be auth-conf
sc
.
unwrap
(
token
,
0
,
token
.
length
,
qop
);
if
(!
qop
.
getPrivacy
())
{
throw
new
Exception
();
}
for
(
String
s:
bout
.
toString
().
split
(
"\\n"
))
{
if
(
s
.
contains
(
"KRB5SRV04"
)
&&
s
.
contains
(
"NULL"
))
{
return
;
}
}
System
.
out
.
println
(
"======================="
);
System
.
out
.
println
(
bout
.
toString
());
System
.
out
.
println
(
"======================="
);
throw
new
Exception
(
"Haven't seen KRB5SRV04 with NULL"
);
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录