提交 764edc37 编写于 作者: W weijun

8012679: Let allow_weak_crypto default to false

Reviewed-by: valeriep
上级 49886064
...@@ -55,11 +55,11 @@ public abstract class EType { ...@@ -55,11 +55,11 @@ public abstract class EType {
} }
public static void initStatic() { public static void initStatic() {
boolean allowed = true; boolean allowed = false;
try { try {
Config cfg = Config.getInstance(); Config cfg = Config.getInstance();
String temp = cfg.get("libdefaults", "allow_weak_crypto"); String temp = cfg.get("libdefaults", "allow_weak_crypto");
if (temp != null && temp.equals("false")) allowed = false; if (temp != null && temp.equals("true")) allowed = true;
} catch (Exception exc) { } catch (Exception exc) {
if (DEBUG) { if (DEBUG) {
System.out.println ("Exception in getting allow_weak_crypto, " + System.out.println ("Exception in getting allow_weak_crypto, " +
......
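Review bot: The new opt-in check `temp.equals("true")` in initStatic is an exact, case-sensitive match, so a krb5.conf that says `allow_weak_crypto = True` or `yes` leaves DES disabled with no diagnostic. That fails closed, which is the right direction for this default, but an administrator who meant to opt in gets a silent mismatch. Unless Config already normalizes the value (not visible here), consider `if ("true".equalsIgnoreCase(temp)) allowed = true;` and a comment above the lookup naming the accepted spelling. The catch branch now also leaves `allowed` false when the configuration cannot be read, and reports that only under DEBUG. initStatic's body continues outside the hunk.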
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
*/ */
import sun.security.jgss.GSSUtil; import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;
public class DupEtypes { public class DupEtypes {
...@@ -42,6 +43,14 @@ public class DupEtypes { ...@@ -42,6 +43,14 @@ public class DupEtypes {
OneKDC kdc = new OneKDC(null); OneKDC kdc = new OneKDC(null);
kdc.writeJAASConf(); kdc.writeJAASConf();
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
"default_keytab_name = " + OneKDC.KTAB,
"allow_weak_crypto = true");
Config.refresh();
// Rewrite to include DES keys
kdc.writeKtab(OneKDC.KTAB);
// Different test cases, read KDC.processAsReq for details // Different test cases, read KDC.processAsReq for details
kdc.setOption(KDC.Option.DUP_ETYPE, Integer.parseInt(args[0])); kdc.setOption(KDC.Option.DUP_ETYPE, Integer.parseInt(args[0]));
......
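Review bot: The added `allow_weak_crypto = true` line in the second hunk has no comment saying why this test opts back into DES, and the order of `Config.refresh()` before `kdc.writeKtab(OneKDC.KTAB)` looks load-bearing but is not explained. A comment above `KDC.saveConfig` such as `// DES is off by default since 8012679; this test needs DES keys, so opt in and reload before rewriting the keytab` would keep a later cleanup from dropping either step. The weak-crypto setting is confined to the krb5.conf the test writes for itself, which is where it should stay. main's body starts and ends outside the hunk.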
...@@ -22,29 +22,41 @@ ...@@ -22,29 +22,41 @@
*/ */
/* /*
* @test * @test
* @bug 6844909 * @bug 6844909 8012679
* @run main/othervm WeakCrypto * @run main/othervm WeakCrypto
* @run main/othervm WeakCrypto true
* @run main/othervm WeakCrypto false
* @summary support allow_weak_crypto in krb5.conf * @summary support allow_weak_crypto in krb5.conf
*/ */
import java.io.File; import java.io.File;
import java.lang.Exception;
import java.nio.file.Files;
import java.nio.file.Paths;
import sun.security.krb5.internal.crypto.EType; import sun.security.krb5.internal.crypto.EType;
import sun.security.krb5.EncryptedData; import sun.security.krb5.EncryptedData;
public class WeakCrypto { public class WeakCrypto {
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
System.setProperty("java.security.krb5.conf", String conf = "[libdefaults]\n" +
System.getProperty("test.src", ".") + (args.length > 0 ? ("allow_weak_crypto = " + args[0]) : "");
File.separator + Files.write(Paths.get("krb5.conf"), conf.getBytes());
"weakcrypto.conf"); System.setProperty("java.security.krb5.conf", "krb5.conf");
boolean expected = args.length != 0 && args[0].equals("true");
int[] etypes = EType.getBuiltInDefaults(); int[] etypes = EType.getBuiltInDefaults();
boolean found = false;
for (int i=0, length = etypes.length; i<length; i++) { for (int i=0, length = etypes.length; i<length; i++) {
if (etypes[i] == EncryptedData.ETYPE_DES_CBC_CRC || if (etypes[i] == EncryptedData.ETYPE_DES_CBC_CRC ||
etypes[i] == EncryptedData.ETYPE_DES_CBC_MD4 || etypes[i] == EncryptedData.ETYPE_DES_CBC_MD4 ||
etypes[i] == EncryptedData.ETYPE_DES_CBC_MD5) { etypes[i] == EncryptedData.ETYPE_DES_CBC_MD5) {
throw new Exception("DES should not appear"); found = true;
} }
} }
if (expected != found) {
throw new Exception();
}
} }
} }
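Review bot: The failure path at the end of main now throws a bare `new Exception()`, dropping the old "DES should not appear" text, so a regression in the default gives no hint of which `@run` line failed or in which direction. Something like `throw new Exception("DES etypes present=" + found + ", expected=" + expected);` would make that visible. The three runs cover no setting, `true` and `false`, but none pins that an unrecognized spelling such as `TRUE` keeps DES off; an extra `@run main/othervm WeakCrypto TRUE` would document that fail-closed behaviour with the existing `expected` computation. `import java.lang.Exception;` is redundant, and `conf.getBytes()` relies on the platform charset.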