Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
5c5ada47
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
3
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
5c5ada47
编写于
6月 17, 2010
作者:
W
weijun
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
6959292: regression: cannot login if session key and preauth does not use the same etype
Reviewed-by: xuelei, valeriep
上级
1a922368
变更
7
隐藏空白更改
内联
并排
Showing
7 changed file
with
70 addition
and
83 deletion
+70
-83
src/share/classes/sun/security/krb5/Credentials.java
src/share/classes/sun/security/krb5/Credentials.java
+5
-17
src/share/classes/sun/security/krb5/EncryptionKey.java
src/share/classes/sun/security/krb5/EncryptionKey.java
+3
-34
src/share/classes/sun/security/krb5/KrbAsReq.java
src/share/classes/sun/security/krb5/KrbAsReq.java
+12
-20
src/share/classes/sun/security/krb5/internal/KRBError.java
src/share/classes/sun/security/krb5/internal/KRBError.java
+26
-0
src/windows/classes/sun/security/krb5/internal/tools/Kinit.java
...ndows/classes/sun/security/krb5/internal/tools/Kinit.java
+2
-6
test/sun/security/krb5/auto/KDC.java
test/sun/security/krb5/auto/KDC.java
+11
-3
test/sun/security/krb5/auto/W83.java
test/sun/security/krb5/auto/W83.java
+11
-3
未找到文件。
src/share/classes/sun/security/krb5/Credentials.java
浏览文件 @
5c5ada47
...
...
@@ -356,7 +356,6 @@ public class Credentials {
* @param princ the client principal. This value cannot be null.
* @param secretKey the secret key of the client principal.This value
* cannot be null.
* @param password if null, caller is using a keytab
* @returns the TGT credentials
*/
public
static
Credentials
acquireTGT
(
PrincipalName
princ
,
...
...
@@ -373,18 +372,8 @@ public class Credentials {
"Cannot have null secretKey to do AS-Exchange"
);
KrbAsRep
asRep
=
null
;
// The etype field to be placed in AS-REQ. If caller is using keytab,
// it must be limited to etypes in keytab. Otherwise, leave it null,
// and KrbAsReq will populate it with all supported etypes.
int
[]
eTypes
=
null
;
if
(
password
==
null
)
{
eTypes
=
EncryptionKey
.
getETypes
(
secretKeys
);
}
try
{
asRep
=
sendASRequest
(
princ
,
secretKeys
,
eTypes
,
null
);
asRep
=
sendASRequest
(
princ
,
secretKeys
,
null
);
}
catch
(
KrbException
ke
)
{
if
((
ke
.
returnCode
()
==
Krb5
.
KDC_ERR_PREAUTH_FAILED
)
||
(
ke
.
returnCode
()
==
Krb5
.
KDC_ERR_PREAUTH_REQUIRED
))
{
...
...
@@ -407,7 +396,7 @@ public class Credentials {
princ
.
getSalt
(),
true
,
error
.
getEType
(),
error
.
getParams
());
}
asRep
=
sendASRequest
(
princ
,
secretKeys
,
eTypes
,
ke
.
getError
());
asRep
=
sendASRequest
(
princ
,
secretKeys
,
ke
.
getError
());
}
else
{
throw
ke
;
}
...
...
@@ -417,18 +406,17 @@ public class Credentials {
/**
* Sends the AS-REQ
* @param eTypes not null if caller using keytab
*/
private
static
KrbAsRep
sendASRequest
(
PrincipalName
princ
,
EncryptionKey
[]
secretKeys
,
int
[]
eTypes
,
KRBError
error
)
EncryptionKey
[]
secretKeys
,
KRBError
error
)
throws
KrbException
,
IOException
{
// %%%
KrbAsReq
asReq
=
null
;
if
(
error
==
null
)
{
asReq
=
new
KrbAsReq
(
princ
,
secretKeys
,
eTypes
);
asReq
=
new
KrbAsReq
(
princ
,
secretKeys
);
}
else
{
asReq
=
new
KrbAsReq
(
princ
,
secretKeys
,
eTypes
,
true
,
asReq
=
new
KrbAsReq
(
princ
,
secretKeys
,
true
,
error
.
getEType
(),
error
.
getSalt
(),
error
.
getParams
());
}
...
...
src/share/classes/sun/security/krb5/EncryptionKey.java
浏览文件 @
5c5ada47
...
...
@@ -76,26 +76,6 @@ public class EncryptionKey
private
static
final
boolean
DEBUG
=
Krb5
.
DEBUG
;
public
static
int
[]
getETypes
(
EncryptionKey
[]
keys
)
{
int
len
=
keys
.
length
;
int
[]
result
=
new
int
[
len
];
int
count
=
0
;
// Number of elements in result. Might be less than
// len if there are keys having the same etype
loopi:
for
(
int
i
=
0
;
i
<
len
;
i
++)
{
int
eType
=
keys
[
i
].
getEType
();
for
(
int
j
=
0
;
j
<
count
;
j
++)
{
if
(
result
[
j
]
==
eType
)
{
continue
loopi
;
}
}
result
[
count
++]
=
eType
;
}
if
(
count
!=
len
)
{
result
=
Arrays
.
copyOf
(
result
,
count
);
}
return
result
;
}
public
synchronized
int
getEType
()
{
return
keyType
;
}
...
...
@@ -208,24 +188,13 @@ public class EncryptionKey
etypes
=
EType
.
getBuiltInDefaults
();
}
// set the preferred etype for preauth
if
((
pa_exists
)
&&
(
pa_etype
!=
EncryptedData
.
ETYPE_NULL
))
{
if
(
DEBUG
)
{
System
.
out
.
println
(
"Pre-Authentication: "
+
"Set preferred etype = "
+
pa_etype
);
}
if
(
EType
.
isSupported
(
pa_etype
))
{
// reset etypes to preferred value
etypes
=
new
int
[
1
];
etypes
[
0
]
=
pa_etype
;
}
}
EncryptionKey
[]
encKeys
=
new
EncryptionKey
[
etypes
.
length
];
for
(
int
i
=
0
;
i
<
etypes
.
length
;
i
++)
{
if
(
EType
.
isSupported
(
etypes
[
i
]))
{
byte
[]
s2kparams
=
(
pa_exists
&&
etypes
[
i
]
==
pa_etype
)
?
pa_s2kparams
:
null
;
encKeys
[
i
]
=
new
EncryptionKey
(
stringToKey
(
password
,
salt
,
pa_
s2kparams
,
etypes
[
i
]),
stringToKey
(
password
,
salt
,
s2kparams
,
etypes
[
i
]),
etypes
[
i
],
null
);
}
else
{
if
(
DEBUG
)
{
...
...
src/share/classes/sun/security/krb5/KrbAsReq.java
浏览文件 @
5c5ada47
...
...
@@ -35,9 +35,11 @@ import sun.security.krb5.internal.*;
import
sun.security.krb5.internal.crypto.EType
;
import
sun.security.krb5.internal.crypto.Nonce
;
import
sun.security.krb5.internal.crypto.KeyUsage
;
import
sun.security.util.*
;
import
java.io.IOException
;
import
java.io.ByteArrayInputStream
;
import
java.net.UnknownHostException
;
import
java.util.
Arrays
;
import
java.util.
StringTokenizer
;
/**
* This class encapsulates the KRB-AS-REQ message that the client
...
...
@@ -62,13 +64,11 @@ public class KrbAsReq extends KrbKdcReq {
/**
* Creates a KRB-AS-REQ to send to the default KDC
* @param eTypes not null when using a keytab, this can make sure the etypes
* in AS-REQ contains only those available on client
* @throws KrbException
* @throws IOException
*/
// Called by Credentials
KrbAsReq
(
PrincipalName
principal
,
EncryptionKey
[]
keys
,
int
[]
eTypes
)
KrbAsReq
(
PrincipalName
principal
,
EncryptionKey
[]
keys
)
throws
KrbException
,
IOException
{
this
(
keys
,
// for pre-authentication
false
,
0
,
null
,
null
,
// pre-auth values
...
...
@@ -78,7 +78,7 @@ public class KrbAsReq extends KrbKdcReq {
null
,
// KerberosTime from
null
,
// KerberosTime till
null
,
// KerberosTime rtime
eTypes
,
// int[] eTypes
null
,
// int[] eTypes
null
,
// HostAddresses addresses
null
);
// Ticket[] additionalTickets
}
...
...
@@ -86,10 +86,8 @@ public class KrbAsReq extends KrbKdcReq {
/**
* Creates a KRB-AS-REQ to send to the default KDC
* with pre-authentication values
* @param eTypes not null when using a keytab, this can make sure the etypes
* in AS-REQ contains only those available on client
*/
KrbAsReq
(
PrincipalName
principal
,
EncryptionKey
[]
keys
,
int
[]
eTypes
,
KrbAsReq
(
PrincipalName
principal
,
EncryptionKey
[]
keys
,
boolean
pa_exists
,
int
etype
,
String
salt
,
byte
[]
s2kparams
)
throws
KrbException
,
IOException
{
this
(
keys
,
// for pre-authentication
...
...
@@ -100,7 +98,7 @@ public class KrbAsReq extends KrbKdcReq {
null
,
// KerberosTime from
null
,
// KerberosTime till
null
,
// KerberosTime rtime
eTypes
,
// int[] eTypes
null
,
// int[] eTypes
null
,
// HostAddresses addresses
null
);
// Ticket[] additionalTickets
}
...
...
@@ -344,24 +342,18 @@ public class KrbAsReq extends KrbKdcReq {
}
princName
=
cname
;
// keys might contain many etypes, or only one if in preauth mode,
// coz EncryptionKey.acquireSecretKeys() with pa returns only one key.
int
[]
tktETypes
=
EType
.
getDefaults
(
"default_tkt_enctypes"
,
keys
);
PAData
[]
paData
=
null
;
if
(
PA_ENC_TIMESTAMP_REQUIRED
)
{
EncryptionKey
key
=
null
;
if
(
pa_etype
!=
EncryptedData
.
ETYPE_NULL
)
{
if
(
DEBUG
)
{
System
.
out
.
println
(
"Pre-Authenticaton: "
+
"find key for etype = "
+
pa_etype
);
System
.
out
.
println
(
"Pre-Authenticaton: find key for etype = "
+
pa_etype
);
}
key
=
EncryptionKey
.
findKey
(
pa_etype
,
keys
);
}
else
{
int
[]
availableETypes
=
EType
.
getDefaults
(
"default_tkt_enctypes"
,
keys
);
if
(
availableETypes
.
length
>
0
)
{
key
=
EncryptionKey
.
findKey
(
availableETypes
[
0
],
keys
);
if
(
tktETypes
.
length
>
0
)
{
key
=
EncryptionKey
.
findKey
(
tktETypes
[
0
],
keys
);
}
}
if
(
DEBUG
)
{
...
...
@@ -384,7 +376,7 @@ public class KrbAsReq extends KrbKdcReq {
}
if
(
eTypes
==
null
)
{
eTypes
=
EType
.
getDefaults
(
"default_tkt_enctypes"
)
;
eTypes
=
tktETypes
;
}
// check to use addresses in tickets
...
...
src/share/classes/sun/security/krb5/internal/KRBError.java
浏览文件 @
5c5ada47
...
...
@@ -286,6 +286,19 @@ public class KRBError implements java.io.Serializable {
salt
=
info
.
getSalt
();
if
(
DEBUG
)
{
System
.
out
.
println
(
"\t PA-ETYPE-INFO etype = "
+
etype
);
System
.
out
.
println
(
"\t PA-ETYPE-INFO salt = "
+
salt
);
}
while
(
der
.
data
.
available
()
>
0
)
{
value
=
der
.
data
.
getDerValue
();
info
=
new
ETypeInfo
(
value
);
if
(
DEBUG
)
{
etype
=
info
.
getEType
();
System
.
out
.
println
(
"\t salt for "
+
etype
+
" is "
+
info
.
getSalt
());
}
if
(
salt
==
null
||
salt
.
isEmpty
())
{
salt
=
info
.
getSalt
();
}
}
}
break
;
...
...
@@ -299,6 +312,19 @@ public class KRBError implements java.io.Serializable {
s2kparams
=
info2
.
getParams
();
if
(
DEBUG
)
{
System
.
out
.
println
(
"\t PA-ETYPE-INFO2 etype = "
+
etype
);
System
.
out
.
println
(
"\t PA-ETYPE-INFO salt = "
+
salt
);
}
while
(
der
.
data
.
available
()
>
0
)
{
value
=
der
.
data
.
getDerValue
();
info2
=
new
ETypeInfo2
(
value
);
if
(
DEBUG
)
{
etype
=
info2
.
getEType
();
System
.
out
.
println
(
"\t salt for "
+
etype
+
" is "
+
info2
.
getSalt
());
}
if
(
salt
==
null
||
salt
.
isEmpty
())
{
salt
=
info2
.
getSalt
();
}
}
}
break
;
...
...
src/windows/classes/sun/security/krb5/internal/tools/Kinit.java
浏览文件 @
5c5ada47
...
...
@@ -229,9 +229,7 @@ public class Kinit {
if
(
useKeytab
)
{
as_req
=
new
KrbAsReq
(
skeys
,
opt
,
principal
,
sname
,
null
,
null
,
null
,
EncryptionKey
.
getETypes
(
skeys
),
addresses
,
null
);
null
,
null
,
null
,
null
,
addresses
,
null
);
}
else
{
as_req
=
new
KrbAsReq
(
psswd
,
opt
,
principal
,
sname
,
...
...
@@ -259,9 +257,7 @@ public class Kinit {
if
(
useKeytab
)
{
as_req
=
new
KrbAsReq
(
skeys
,
true
,
etype
,
salt
,
s2kparams
,
opt
,
principal
,
sname
,
null
,
null
,
null
,
EncryptionKey
.
getETypes
(
skeys
),
addresses
,
null
);
null
,
null
,
null
,
null
,
addresses
,
null
);
}
else
{
as_req
=
new
KrbAsReq
(
psswd
,
true
,
etype
,
salt
,
s2kparams
,
opt
,
principal
,
sname
,
...
...
test/sun/security/krb5/auto/KDC.java
浏览文件 @
5c5ada47
...
...
@@ -155,9 +155,13 @@ public class KDC {
*/
PREAUTH_REQUIRED
,
/**
* Only
y
issue TGT in RC4
* Only issue TGT in RC4
*/
ONLY_RC4_TGT
,
/**
* Only use RC4 in preauth, enc-type still using eTypes[0]
*/
ONLY_RC4_PREAUTH
,
};
static
{
...
...
@@ -905,7 +909,11 @@ public class KDC {
ke
.
returnCode
()
==
Krb5
.
KDC_ERR_PREAUTH_FAILED
)
{
PAData
pa
;
ETypeInfo2
ei2
=
new
ETypeInfo2
(
eTypes
[
0
],
null
,
null
);
int
epa
=
eTypes
[
0
];
if
(
options
.
containsKey
(
KDC
.
Option
.
ONLY_RC4_PREAUTH
))
{
epa
=
EncryptedData
.
ETYPE_ARCFOUR_HMAC
;
}
ETypeInfo2
ei2
=
new
ETypeInfo2
(
epa
,
null
,
null
);
DerOutputStream
eid
=
new
DerOutputStream
();
eid
.
write
(
DerValue
.
tag_Sequence
,
ei2
.
asn1Encode
());
...
...
@@ -924,7 +932,7 @@ public class KDC {
}
}
if
(
allOld
)
{
ETypeInfo
ei
=
new
ETypeInfo
(
e
Types
[
0
]
,
null
);
ETypeInfo
ei
=
new
ETypeInfo
(
e
pa
,
null
);
eid
=
new
DerOutputStream
();
eid
.
write
(
DerValue
.
tag_Sequence
,
ei
.
asn1Encode
());
pa
=
new
PAData
(
Krb5
.
PA_ETYPE_INFO
,
eid
.
toByteArray
());
...
...
test/sun/security/krb5/auto/W83.java
浏览文件 @
5c5ada47
...
...
@@ -23,8 +23,9 @@
/*
* @test
* @bug 69
51366
* @bug 69
32525 6951366 6959292
* @summary kerberos login failure on win2008 with AD set to win2000 compat mode
* and cannot login if session key and preauth does not use the same etype
*/
import
com.sun.security.auth.module.Krb5LoginModule
;
import
java.io.File
;
...
...
@@ -52,8 +53,6 @@ public class W83 {
new
File
(
OneKDC
.
KRB5_CONF
).
deleteOnExit
();
new
File
(
OneKDC
.
KTAB
).
deleteOnExit
();
kdc
.
setOption
(
KDC
.
Option
.
ONLY_RC4_TGT
,
true
);
KeyTab
ktab
=
KeyTab
.
getInstance
(
OneKDC
.
KTAB
);
for
(
int
etype:
EType
.
getBuiltInDefaults
())
{
if
(
etype
!=
EncryptedData
.
ETYPE_ARCFOUR_HMAC
)
{
...
...
@@ -61,6 +60,15 @@ public class W83 {
}
}
ktab
.
save
();
// For 6932525 and 6951366, make sure the etypes sent in 2nd AS-REQ
// is not restricted to that of preauth
kdc
.
setOption
(
KDC
.
Option
.
ONLY_RC4_TGT
,
true
);
x
.
go
();
// For 6959292, make sure that when etype for enc-part in 2nd AS-REQ
// is different from that of preauth, client can still decrypt it
kdc
.
setOption
(
KDC
.
Option
.
ONLY_RC4_PREAUTH
,
true
);
x
.
go
();
}
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录