提交 9f36164a 编写于 作者: W weijun

7061379: [Kerberos] Cross-realm authentication fails, due to nameType problem

Reviewed-by: valeriep
上级 e58cd544
...@@ -173,12 +173,6 @@ public class PrincipalName ...@@ -173,12 +173,6 @@ public class PrincipalName
boolean equalsWithoutRealm(PrincipalName other) { boolean equalsWithoutRealm(PrincipalName other) {
if (nameType != KRB_NT_UNKNOWN &&
other.nameType != KRB_NT_UNKNOWN &&
nameType != other.nameType)
return false;
if ((nameStrings != null && other.nameStrings == null) || if ((nameStrings != null && other.nameStrings == null) ||
(nameStrings == null && other.nameStrings != null)) (nameStrings == null && other.nameStrings != null))
return false; return false;
......
...@@ -170,6 +170,10 @@ public class KDC { ...@@ -170,6 +170,10 @@ public class KDC {
* Use only one preauth, so that some keys are not easy to generate * Use only one preauth, so that some keys are not easy to generate
*/ */
ONLY_ONE_PREAUTH, ONLY_ONE_PREAUTH,
/**
* Set all name-type to a value in response
*/
RESP_NT,
}; };
static { static {
...@@ -637,10 +641,16 @@ public class KDC { ...@@ -637,10 +641,16 @@ public class KDC {
*/ */
private byte[] processTgsReq(byte[] in) throws Exception { private byte[] processTgsReq(byte[] in) throws Exception {
TGSReq tgsReq = new TGSReq(in); TGSReq tgsReq = new TGSReq(in);
PrincipalName service = tgsReq.reqBody.sname;
if (options.containsKey(KDC.Option.RESP_NT)) {
service = new PrincipalName(service.getNameStrings(),
(int)options.get(KDC.Option.RESP_NT));
service.setRealm(service.getRealm());
}
try { try {
System.out.println(realm + "> " + tgsReq.reqBody.cname + System.out.println(realm + "> " + tgsReq.reqBody.cname +
" sends TGS-REQ for " + " sends TGS-REQ for " +
tgsReq.reqBody.sname); service);
KDCReqBody body = tgsReq.reqBody; KDCReqBody body = tgsReq.reqBody;
int[] eTypes = KDCReqBodyDotEType(body); int[] eTypes = KDCReqBodyDotEType(body);
int e2 = eTypes[0]; // etype for outgoing session key int e2 = eTypes[0]; // etype for outgoing session key
...@@ -708,7 +718,7 @@ public class KDC { ...@@ -708,7 +718,7 @@ public class KDC {
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
} }
if (configMatch("", body.sname.getNameString(), "ok-as-delegate")) { if (configMatch("", service.getNameString(), "ok-as-delegate")) {
bFlags[Krb5.TKT_OPTS_DELEGATE] = true; bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
} }
bFlags[Krb5.TKT_OPTS_INITIAL] = true; bFlags[Krb5.TKT_OPTS_INITIAL] = true;
...@@ -728,13 +738,13 @@ public class KDC { ...@@ -728,13 +738,13 @@ public class KDC {
: new HostAddresses( : new HostAddresses(
new InetAddress[]{InetAddress.getLocalHost()}), new InetAddress[]{InetAddress.getLocalHost()}),
null); null);
EncryptionKey skey = keyForUser(body.sname, e3, true); EncryptionKey skey = keyForUser(service, e3, true);
if (skey == null) { if (skey == null) {
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
} }
Ticket t = new Ticket( Ticket t = new Ticket(
body.crealm, body.crealm,
body.sname, service,
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
); );
EncTGSRepPart enc_part = new EncTGSRepPart( EncTGSRepPart enc_part = new EncTGSRepPart(
...@@ -750,7 +760,7 @@ public class KDC { ...@@ -750,7 +760,7 @@ public class KDC {
body.from, body.from,
till, body.rtime, till, body.rtime,
body.crealm, body.crealm,
body.sname, service,
body.addresses != null // always set caddr body.addresses != null // always set caddr
? body.addresses ? body.addresses
: new HostAddresses( : new HostAddresses(
...@@ -781,7 +791,7 @@ public class KDC { ...@@ -781,7 +791,7 @@ public class KDC {
0, 0,
ke.returnCode(), ke.returnCode(),
body.crealm, body.cname, body.crealm, body.cname,
new Realm(getRealm()), body.sname, new Realm(getRealm()), service,
KrbException.errorMessage(ke.returnCode()), KrbException.errorMessage(ke.returnCode()),
null); null);
} }
...@@ -800,10 +810,16 @@ public class KDC { ...@@ -800,10 +810,16 @@ public class KDC {
int[] eTypes = null; int[] eTypes = null;
List<PAData> outPAs = new ArrayList<>(); List<PAData> outPAs = new ArrayList<>();
PrincipalName service = asReq.reqBody.sname;
if (options.containsKey(KDC.Option.RESP_NT)) {
service = new PrincipalName(service.getNameStrings(),
(int)options.get(KDC.Option.RESP_NT));
service.setRealm(service.getRealm());
}
try { try {
System.out.println(realm + "> " + asReq.reqBody.cname + System.out.println(realm + "> " + asReq.reqBody.cname +
" sends AS-REQ for " + " sends AS-REQ for " +
asReq.reqBody.sname); service);
KDCReqBody body = asReq.reqBody; KDCReqBody body = asReq.reqBody;
body.cname.setRealm(getRealm()); body.cname.setRealm(getRealm());
...@@ -812,7 +828,7 @@ public class KDC { ...@@ -812,7 +828,7 @@ public class KDC {
int eType = eTypes[0]; int eType = eTypes[0];
EncryptionKey ckey = keyForUser(body.cname, eType, false); EncryptionKey ckey = keyForUser(body.cname, eType, false);
EncryptionKey skey = keyForUser(body.sname, eType, true); EncryptionKey skey = keyForUser(service, eType, true);
if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) { if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC; int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
...@@ -826,7 +842,7 @@ public class KDC { ...@@ -826,7 +842,7 @@ public class KDC {
if (!found) { if (!found) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP); throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
} }
skey = keyForUser(body.sname, tgtEType, true); skey = keyForUser(service, tgtEType, true);
} }
if (ckey == null) { if (ckey == null) {
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP); throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
...@@ -943,7 +959,7 @@ public class KDC { ...@@ -943,7 +959,7 @@ public class KDC {
null); null);
Ticket t = new Ticket( Ticket t = new Ticket(
body.crealm, body.crealm,
body.sname, service,
new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET) new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
); );
EncASRepPart enc_part = new EncASRepPart( EncASRepPart enc_part = new EncASRepPart(
...@@ -959,7 +975,7 @@ public class KDC { ...@@ -959,7 +975,7 @@ public class KDC {
body.from, body.from,
till, body.rtime, till, body.rtime,
body.crealm, body.crealm,
body.sname, service,
body.addresses body.addresses
); );
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART); EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
...@@ -1023,7 +1039,7 @@ public class KDC { ...@@ -1023,7 +1039,7 @@ public class KDC {
0, 0,
ke.returnCode(), ke.returnCode(),
body.crealm, body.cname, body.crealm, body.cname,
new Realm(getRealm()), body.sname, new Realm(getRealm()), service,
KrbException.errorMessage(ke.returnCode()), KrbException.errorMessage(ke.returnCode()),
eData); eData);
} }
......
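Review bot: In the block added at the top of processTgsReq, `service.setRealm(service.getRealm())` reads the realm back from the PrincipalName that was just constructed rather than from the request's sname, so whatever realm the requested name carried is not copied onto the substituted name; the same lines recur in processAsReq (hunk at -800). If the intent is to keep the requested realm, capture the original before reassigning: `PrincipalName requested = tgsReq.reqBody.sname;` `service = new PrincipalName(requested.getNameStrings(), (int) options.get(KDC.Option.RESP_NT));` `service.setRealm(requested.getRealm());`. The two copies differ only in which request they read, so a small private helper taking the requested PrincipalName would keep them in step. The `(int)` cast on the option value assumes the caller stored an Integer; stating that on the enum constant, `/** Set all name-types in responses to this Integer value */`, makes the contract visible at the declaration. processTgsReq's body continues outside the hunk.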
/*
* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 7061379
* @summary [Kerberos] Cross-realm authentication fails, due to nameType problem
* @compile -XDignore.symbol.file PrincipalNameEquals.java
* @run main/othervm PrincipalNameEquals
*/
import sun.security.jgss.GSSUtil;
import sun.security.krb5.PrincipalName;
public class PrincipalNameEquals {
public static void main(String[] args) throws Exception {
OneKDC kdc = new OneKDC(null);
kdc.writeJAASConf();
kdc.setOption(KDC.Option.RESP_NT, PrincipalName.KRB_NT_PRINCIPAL);
Context c, s;
c = Context.fromJAAS("client");
s = Context.fromJAAS("server");
c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
Context.handshake(c, s);
Context.transmit("i say high --", c, s);
Context.transmit(" you say low", s, c);
s.dispose();
c.dispose();
}
}
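Review bot: The test body gives no hint of what it verifies; a comment above the setOption call would help, e.g. `// KDC answers with KRB_NT_PRINCIPAL whatever name-type was requested; the client used to reject the returned name as a mismatch`. Both contexts are disposed only on the success path, so a failed handshake or transmit leaves them open; wrapping the calls after the two fromJAAS lines in `try { ... } finally { s.dispose(); c.dispose(); }` keeps cleanup on every path. The test appears to run against a single OneKDC, so it seems to exercise the name-type comparison rather than a real cross-realm exchange; the @summary could say so.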