Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
68cd1736
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
68cd1736
编写于
6月 24, 2010
作者:
W
weijun
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
6946669: SSL/Krb5 should not call EncryptedData.reset(data, false)
Reviewed-by: xuelei
上级
9ce1e8c8
变更
10
隐藏空白更改
内联
并排
Showing
10 changed file
with
81 addition
and
49 deletion
+81
-49
src/share/classes/sun/security/krb5/EncryptedData.java
src/share/classes/sun/security/krb5/EncryptedData.java
+16
-25
src/share/classes/sun/security/krb5/KrbApRep.java
src/share/classes/sun/security/krb5/KrbApRep.java
+2
-2
src/share/classes/sun/security/krb5/KrbApReq.java
src/share/classes/sun/security/krb5/KrbApReq.java
+3
-3
src/share/classes/sun/security/krb5/KrbAsRep.java
src/share/classes/sun/security/krb5/KrbAsRep.java
+2
-2
src/share/classes/sun/security/krb5/KrbCred.java
src/share/classes/sun/security/krb5/KrbCred.java
+2
-2
src/share/classes/sun/security/krb5/KrbPriv.java
src/share/classes/sun/security/krb5/KrbPriv.java
+2
-3
src/share/classes/sun/security/krb5/KrbTgsRep.java
src/share/classes/sun/security/krb5/KrbTgsRep.java
+2
-2
src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
.../sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
+1
-1
src/share/classes/sun/security/ssl/krb5/KerberosPreMasterSecret.java
...lasses/sun/security/ssl/krb5/KerberosPreMasterSecret.java
+36
-6
test/sun/security/krb5/auto/SSL.java
test/sun/security/krb5/auto/SSL.java
+15
-3
未找到文件。
src/share/classes/sun/security/krb5/EncryptedData.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2000, 20
06
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -336,38 +336,29 @@ public class EncryptedData implements Cloneable {
}
/**
* Reset data stream after decryption, remove redundant bytes.
* Reset
asn.1
data stream after decryption, remove redundant bytes.
* @param data the decrypted data from decrypt().
* @param encoded true if the encrypted data is ASN1 encoded data,
* false if the encrypted data is not ASN1 encoded data.
* @return the reset byte array which holds exactly one asn1 datum
* including its tag and length.
*
*/
public
byte
[]
reset
(
byte
[]
data
,
boolean
encoded
)
{
public
byte
[]
reset
(
byte
[]
data
)
{
byte
[]
bytes
=
null
;
//
if it is
encoded data, we use length field to
//
for asn.1
encoded data, we use length field to
// determine the data length and remove redundant paddings.
if
(
encoded
)
{
if
((
data
[
1
]
&
0xFF
)
<
128
)
{
bytes
=
new
byte
[
data
[
1
]
+
2
];
System
.
arraycopy
(
data
,
0
,
bytes
,
0
,
data
[
1
]
+
2
);
}
else
if
((
data
[
1
]
&
0xFF
)
>
128
)
{
int
len
=
data
[
1
]
&
(
byte
)
0x7F
;
int
result
=
0
;
for
(
int
i
=
0
;
i
<
len
;
i
++)
{
result
|=
(
data
[
i
+
2
]
&
0xFF
)
<<
(
8
*
(
len
-
i
-
1
));
}
bytes
=
new
byte
[
result
+
len
+
2
];
System
.
arraycopy
(
data
,
0
,
bytes
,
0
,
result
+
len
+
2
);
}
if
((
data
[
1
]
&
0xFF
)
<
128
)
{
bytes
=
new
byte
[
data
[
1
]
+
2
];
System
.
arraycopy
(
data
,
0
,
bytes
,
0
,
data
[
1
]
+
2
);
}
else
{
// if it is not encoded, which happens in GSS tokens,
// we remove padding data according to padding pattern.
bytes
=
new
byte
[
data
.
length
-
data
[
data
.
length
-
1
]];
System
.
arraycopy
(
data
,
0
,
bytes
,
0
,
data
.
length
-
data
[
data
.
length
-
1
]);
if
((
data
[
1
]
&
0xFF
)
>
128
)
{
int
len
=
data
[
1
]
&
(
byte
)
0x7F
;
int
result
=
0
;
for
(
int
i
=
0
;
i
<
len
;
i
++)
{
result
|=
(
data
[
i
+
2
]
&
0xFF
)
<<
(
8
*
(
len
-
i
-
1
));
}
bytes
=
new
byte
[
result
+
len
+
2
];
System
.
arraycopy
(
data
,
0
,
bytes
,
0
,
result
+
len
+
2
);
}
}
return
bytes
;
}
...
...
src/share/classes/sun/security/krb5/KrbApRep.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2000, 20
06
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -130,7 +130,7 @@ public class KrbApRep {
byte
[]
temp
=
rep
.
encPart
.
decrypt
(
tgs_creds
.
key
,
KeyUsage
.
KU_ENC_AP_REP_PART
);
byte
[]
enc_ap_rep_part
=
rep
.
encPart
.
reset
(
temp
,
true
);
byte
[]
enc_ap_rep_part
=
rep
.
encPart
.
reset
(
temp
);
encoding
=
new
DerValue
(
enc_ap_rep_part
);
encPart
=
new
EncAPRepPart
(
encoding
);
...
...
src/share/classes/sun/security/krb5/KrbApReq.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2000, 20
09
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -279,14 +279,14 @@ public class KrbApReq {
byte
[]
bytes
=
apReqMessg
.
ticket
.
encPart
.
decrypt
(
dkey
,
KeyUsage
.
KU_TICKET
);
byte
[]
temp
=
apReqMessg
.
ticket
.
encPart
.
reset
(
bytes
,
true
);
byte
[]
temp
=
apReqMessg
.
ticket
.
encPart
.
reset
(
bytes
);
EncTicketPart
enc_ticketPart
=
new
EncTicketPart
(
temp
);
checkPermittedEType
(
enc_ticketPart
.
key
.
getEType
());
byte
[]
bytes2
=
apReqMessg
.
authenticator
.
decrypt
(
enc_ticketPart
.
key
,
KeyUsage
.
KU_AP_REQ_AUTHENTICATOR
);
byte
[]
temp2
=
apReqMessg
.
authenticator
.
reset
(
bytes2
,
true
);
byte
[]
temp2
=
apReqMessg
.
authenticator
.
reset
(
bytes2
);
authenticator
=
new
Authenticator
(
temp2
);
ctime
=
authenticator
.
ctime
;
cusec
=
authenticator
.
cusec
;
...
...
src/share/classes/sun/security/krb5/KrbAsRep.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2000, 20
05
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -95,7 +95,7 @@ public class KrbAsRep extends KrbKdcRep {
byte
[]
enc_as_rep_bytes
=
rep
.
encPart
.
decrypt
(
dkey
,
KeyUsage
.
KU_ENC_AS_REP_PART
);
byte
[]
enc_as_rep_part
=
rep
.
encPart
.
reset
(
enc_as_rep_bytes
,
true
);
byte
[]
enc_as_rep_part
=
rep
.
encPart
.
reset
(
enc_as_rep_bytes
);
encoding
=
new
DerValue
(
enc_as_rep_part
);
EncASRepPart
enc_part
=
new
EncASRepPart
(
encoding
);
...
...
src/share/classes/sun/security/krb5/KrbCred.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2000, 20
06
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -130,7 +130,7 @@ public class KrbCred {
byte
[]
temp
=
credMessg
.
encPart
.
decrypt
(
key
,
KeyUsage
.
KU_ENC_KRB_CRED_PART
);
byte
[]
plainText
=
credMessg
.
encPart
.
reset
(
temp
,
true
);
byte
[]
plainText
=
credMessg
.
encPart
.
reset
(
temp
);
DerValue
encoding
=
new
DerValue
(
plainText
);
EncKrbCredPart
encPart
=
new
EncKrbCredPart
(
encoding
);
...
...
src/share/classes/sun/security/krb5/KrbPriv.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2000, 20
06
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -31,7 +31,6 @@
package
sun.security.krb5
;
import
sun.security.krb5.EncryptionKey
;
import
sun.security.krb5.internal.*
;
import
sun.security.krb5.internal.crypto.*
;
import
sun.security.util.*
;
...
...
@@ -159,7 +158,7 @@ class KrbPriv extends KrbAppMessage {
byte
[]
bytes
=
krb_priv
.
encPart
.
decrypt
(
key
,
KeyUsage
.
KU_ENC_KRB_PRIV_PART
);
byte
[]
temp
=
krb_priv
.
encPart
.
reset
(
bytes
,
true
);
byte
[]
temp
=
krb_priv
.
encPart
.
reset
(
bytes
);
DerValue
ref
=
new
DerValue
(
temp
);
EncKrbPrivPart
enc_part
=
new
EncKrbPrivPart
(
ref
);
...
...
src/share/classes/sun/security/krb5/KrbTgsRep.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2000, 20
05
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -79,7 +79,7 @@ public class KrbTgsRep extends KrbKdcRep {
tgsReq
.
usedSubkey
()
?
KeyUsage
.
KU_ENC_TGS_REP_PART_SUBKEY
:
KeyUsage
.
KU_ENC_TGS_REP_PART_SESSKEY
);
byte
[]
enc_tgs_rep_part
=
rep
.
encPart
.
reset
(
enc_tgs_rep_bytes
,
true
);
byte
[]
enc_tgs_rep_part
=
rep
.
encPart
.
reset
(
enc_tgs_rep_bytes
);
ref
=
new
DerValue
(
enc_tgs_rep_part
);
EncTGSRepPart
enc_part
=
new
EncTGSRepPart
(
ref
);
rep
.
ticket
.
sname
.
setRealm
(
rep
.
ticket
.
realm
);
...
...
src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
浏览文件 @
68cd1736
...
...
@@ -212,7 +212,7 @@ public final class KerberosClientKeyExchangeImpl
byte
[]
bytes
=
encPart
.
decrypt
(
secretKey
,
KeyUsage
.
KU_TICKET
);
// Reset data stream after decryption, remove redundant bytes
byte
[]
temp
=
encPart
.
reset
(
bytes
,
true
);
byte
[]
temp
=
encPart
.
reset
(
bytes
);
EncTicketPart
encTicketPart
=
new
EncTicketPart
(
temp
);
// Record the Kerberos Principals
...
...
src/share/classes/sun/security/ssl/krb5/KerberosPreMasterSecret.java
浏览文件 @
68cd1736
/*
* Copyright (c) 2003, 20
09
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 20
10
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -27,7 +27,7 @@ package sun.security.ssl.krb5;
import
java.io.*
;
import
java.security.*
;
import
java.
security.interfaces.*
;
import
java.
util.Arrays
;
import
javax.net.ssl.*
;
...
...
@@ -128,8 +128,8 @@ final class KerberosPreMasterSecret {
"are not supported for TLS Kerberos cipher suites"
);
}
// Decrypt premaster secret
try
{
// Decrypt premaster secret
try
{
EncryptedData
data
=
new
EncryptedData
(
sessionKey
.
getEType
(),
null
/* optional kvno */
,
encrypted
);
...
...
@@ -141,8 +141,25 @@ final class KerberosPreMasterSecret {
}
}
// Reset data stream after decryption, remove redundant bytes
preMaster
=
data
.
reset
(
temp
,
false
);
// Remove padding bytes after decryption. Only DES and DES3 have
// paddings and we don't support DES3 in TLS (see above)
if
(
temp
.
length
==
52
&&
data
.
getEType
()
==
EncryptedData
.
ETYPE_DES_CBC_CRC
)
{
// For des-cbc-crc, 4 paddings. Value can be 0x04 or 0x00.
if
(
paddingByteIs
(
temp
,
52
,
(
byte
)
4
)
||
paddingByteIs
(
temp
,
52
,
(
byte
)
0
))
{
temp
=
Arrays
.
copyOf
(
temp
,
48
);
}
}
else
if
(
temp
.
length
==
56
&&
data
.
getEType
()
==
EncryptedData
.
ETYPE_DES_CBC_MD5
)
{
// For des-cbc-md5, 8 paddings with 0x08, or no padding
if
(
paddingByteIs
(
temp
,
56
,
(
byte
)
8
))
{
temp
=
Arrays
.
copyOf
(
temp
,
48
);
}
}
preMaster
=
temp
;
protocolVersion
=
ProtocolVersion
.
valueOf
(
preMaster
[
0
],
preMaster
[
1
]);
...
...
@@ -191,6 +208,19 @@ final class KerberosPreMasterSecret {
}
}
/**
* Checks if all paddings of data are b
* @param data the block with padding
* @param len length of data, >= 48
* @param b expected padding byte
*/
private
static
boolean
paddingByteIs
(
byte
[]
data
,
int
len
,
byte
b
)
{
for
(
int
i
=
48
;
i
<
len
;
i
++)
{
if
(
data
[
i
]
!=
b
)
return
false
;
}
return
true
;
}
/*
* Used by server to generate premaster secret in case of
* problem decoding ticket.
...
...
test/sun/security/krb5/auto/SSL.java
浏览文件 @
68cd1736
...
...
@@ -25,6 +25,16 @@
* @test
* @bug 6894643 6913636
* @summary Test JSSE Kerberos ciphersuite
* @run main SSL TLS_KRB5_WITH_RC4_128_SHA
* @run main SSL TLS_KRB5_WITH_RC4_128_MD5
* @run main SSL TLS_KRB5_WITH_3DES_EDE_CBC_SHA
* @run main SSL TLS_KRB5_WITH_3DES_EDE_CBC_MD5
* @run main SSL TLS_KRB5_WITH_DES_CBC_SHA
* @run main SSL TLS_KRB5_WITH_DES_CBC_MD5
* @run main SSL TLS_KRB5_EXPORT_WITH_RC4_40_SHA
* @run main SSL TLS_KRB5_EXPORT_WITH_RC4_40_MD5
* @run main SSL TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
* @run main SSL TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
*/
import
java.io.*
;
import
java.net.InetAddress
;
...
...
@@ -37,7 +47,7 @@ import sun.security.krb5.internal.ktab.KeyTab;
public
class
SSL
{
private
static
final
String
KRB5_CIPHER
=
"TLS_KRB5_WITH_3DES_EDE_CBC_SHA"
;
private
static
String
krb5Cipher
;
private
static
final
int
LOOP_LIMIT
=
1
;
private
static
int
loopCount
=
0
;
private
static
volatile
String
server
;
...
...
@@ -45,6 +55,8 @@ public class SSL {
public
static
void
main
(
String
[]
args
)
throws
Exception
{
krb5Cipher
=
args
[
0
];
KDC
kdc
=
KDC
.
create
(
OneKDC
.
REALM
);
// Run this after KDC, so our own DNS service can be started
try
{
...
...
@@ -117,7 +129,7 @@ public class SSL {
SSLSocket
sslSocket
=
(
SSLSocket
)
sslsf
.
createSocket
(
server
,
port
);
// Enable only a KRB5 cipher suite.
String
enabledSuites
[]
=
{
KRB5_CIPHER
};
String
enabledSuites
[]
=
{
krb5Cipher
};
sslSocket
.
setEnabledCipherSuites
(
enabledSuites
);
// Should check for exception if enabledSuites is not supported
...
...
@@ -155,7 +167,7 @@ public class SSL {
port
=
sslServerSocket
.
getLocalPort
();
// Enable only a KRB5 cipher suite.
String
enabledSuites
[]
=
{
KRB5_CIPHER
};
String
enabledSuites
[]
=
{
krb5Cipher
};
sslServerSocket
.
setEnabledCipherSuites
(
enabledSuites
);
// Should check for exception if enabledSuites is not supported
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录