openanolis / dragonwell8_jdk
Commit c55b1f96
Authored on June 19, 2009
Author: weijun
6851973: ignore incoming channel binding if acceptor does not set one
Reviewed-by: valeriep
Parent: 9d990a58
Showing 2 changed files with 136 additions and 30 deletions (+136 -30)
src/share/classes/sun/security/jgss/krb5/InitialToken.java +23 -30
test/sun/security/krb5/auto/IgnoreChannelBinding.java +113 -0
src/share/classes/sun/security/jgss/krb5/InitialToken.java
...
...
@@ -33,6 +33,7 @@ import java.net.Inet4Address;
import
java.net.Inet6Address
;
import
java.security.MessageDigest
;
import
java.security.NoSuchAlgorithmException
;
import
java.util.Arrays
;
import
sun.security.krb5.*
;
import
sun.security.jgss.HttpCaller
;
import
sun.security.krb5.internal.Krb5
;
...
...
@@ -219,43 +220,35 @@ abstract class InitialToken extends Krb5Token {
"Incorrect checksum"
);
}
byte
[]
remoteBindingBytes
=
new
byte
[
CHECKSUM_BINDINGS_SIZE
];
System
.
arraycopy
(
checksumBytes
,
4
,
remoteBindingBytes
,
0
,
CHECKSUM_BINDINGS_SIZE
);
byte
[]
noBindings
=
new
byte
[
CHECKSUM_BINDINGS_SIZE
];
boolean
tokenContainsBindings
=
(!
java
.
util
.
Arrays
.
equals
(
noBindings
,
remoteBindingBytes
));
ChannelBinding
localBindings
=
context
.
getChannelBinding
();
if
(
tokenContainsBindings
||
localBindings
!=
null
)
{
boolean
badBindings
=
false
;
String
errorMessage
=
null
;
// Ignore remote channel binding info when not requested at
// local side (RFC 4121 4.1.1.2: the acceptor MAY ignore...).
//
// All major krb5 implementors implement this "MAY",
// and some applications depend on it as a workaround
// for not having a way to negotiate the use of channel
// binding -- the initiator application always uses CB
// and hopes the acceptor will ignore the CB if the
// acceptor doesn't support CB.
if
(
localBindings
!=
null
)
{
byte
[]
remoteBindingBytes
=
new
byte
[
CHECKSUM_BINDINGS_SIZE
];
System
.
arraycopy
(
checksumBytes
,
4
,
remoteBindingBytes
,
0
,
CHECKSUM_BINDINGS_SIZE
);
if
(
tokenContainsBindings
&&
localBindings
!=
null
)
{
byte
[]
noBindings
=
new
byte
[
CHECKSUM_BINDINGS_SIZE
];
if
(!
Arrays
.
equals
(
noBindings
,
remoteBindingBytes
)
)
{
byte
[]
localBindingsBytes
=
computeChannelBinding
(
localBindings
);
// System.out.println("ChannelBinding hash: "
// + getHexBytes(localBindingsBytes));
badBindings
=
(!
java
.
util
.
Arrays
.
equals
(
localBindingsBytes
,
remoteBindingBytes
));
errorMessage
=
"Bytes mismatch!"
;
}
else
if
(
localBindings
==
null
)
{
errorMessage
=
"ChannelBinding not provided!"
;
badBindings
=
true
;
if
(!
Arrays
.
equals
(
localBindingsBytes
,
remoteBindingBytes
))
{
throw
new
GSSException
(
GSSException
.
BAD_BINDINGS
,
-
1
,
"Bytes mismatch!"
);
}
}
else
{
errorMessage
=
"Token missing ChannelBinding!"
;
badBindings
=
true
;
}
if
(
badBindings
)
throw
new
GSSException
(
GSSException
.
BAD_BINDINGS
,
-
1
,
errorMessage
);
"Token missing ChannelBinding!"
);
}
}
flags
=
readLittleEndian
(
checksumBytes
,
20
,
4
);
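Review bot: in the `if (localBindings != null)` block, an acceptor that never calls setChannelBinding now accepts a token whose binding field is non-zero without looking at it, and nothing on the acceptor side records that this happened. The comment cites the RFC 4121 4.1.1.2 "MAY" and the interoperability reason, but it should also state the consequence for callers: bindings are enforced only when the acceptor sets them, so an application that depends on channel binding must call setChannelBinding itself. Please add that sentence to the comment, and consider a debug trace at the point where the remote binding bytes are skipped.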
...
...
test/sun/security/krb5/auto/IgnoreChannelBinding.java
0 → 100644
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/*
* @test
* @bug 6851973
* @summary ignore incoming channel binding if acceptor does not set one
*/
import
java.net.InetAddress
;
import
org.ietf.jgss.ChannelBinding
;
import
org.ietf.jgss.GSSException
;
import
sun.security.jgss.GSSUtil
;
public
class
IgnoreChannelBinding
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
new
OneKDC
(
null
).
writeJAASConf
();
Context
c
=
Context
.
fromJAAS
(
"client"
);
Context
s
=
Context
.
fromJAAS
(
"server"
);
// All silent
c
.
startAsClient
(
OneKDC
.
SERVER
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
s
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
Context
.
handshake
(
c
,
s
);
// Initiator req, acceptor ignore
c
.
startAsClient
(
OneKDC
.
SERVER
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
c
.
x
().
setChannelBinding
(
new
ChannelBinding
(
InetAddress
.
getByName
(
"client.rabbit.hole"
),
InetAddress
.
getByName
(
"host.rabbit.hole"
),
new
byte
[
0
]
));
s
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
Context
.
handshake
(
c
,
s
);
// Both req, and match
c
.
startAsClient
(
OneKDC
.
SERVER
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
c
.
x
().
setChannelBinding
(
new
ChannelBinding
(
InetAddress
.
getByName
(
"client.rabbit.hole"
),
InetAddress
.
getByName
(
"host.rabbit.hole"
),
new
byte
[
0
]
));
s
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
s
.
x
().
setChannelBinding
(
new
ChannelBinding
(
InetAddress
.
getByName
(
"client.rabbit.hole"
),
InetAddress
.
getByName
(
"host.rabbit.hole"
),
new
byte
[
0
]
));
Context
.
handshake
(
c
,
s
);
// Both req, NOT match
c
.
startAsClient
(
OneKDC
.
SERVER
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
c
.
x
().
setChannelBinding
(
new
ChannelBinding
(
InetAddress
.
getByName
(
"client.rabbit.hole"
),
InetAddress
.
getByName
(
"host.rabbit.hole"
),
new
byte
[
0
]
));
s
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
s
.
x
().
setChannelBinding
(
new
ChannelBinding
(
InetAddress
.
getByName
(
"client.rabbit.hole"
),
InetAddress
.
getByName
(
"host.rabbit.hole"
),
new
byte
[
1
]
// 0 -> 1
));
try
{
Context
.
handshake
(
c
,
s
);
throw
new
Exception
(
"Acceptor should reject initiator"
);
}
catch
(
GSSException
ge
)
{
// Expected bahavior
}
// Acceptor req, reject
c
.
startAsClient
(
OneKDC
.
SERVER
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
s
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
s
.
x
().
setChannelBinding
(
new
ChannelBinding
(
InetAddress
.
getByName
(
"client.rabbit.hole"
),
InetAddress
.
getByName
(
"host.rabbit.hole"
),
new
byte
[
0
]
));
try
{
Context
.
handshake
(
c
,
s
);
throw
new
Exception
(
"Acceptor should reject initiator"
);
}
catch
(
GSSException
ge
)
{
// Expected bahavior
if
(
ge
.
getMajor
()
!=
GSSException
.
BAD_BINDINGS
)
{
throw
ge
;
}
}
}
}
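Review bot: in the "Both req, NOT match" case the `catch (GSSException ge)` block is empty, so any GSSException raised during the handshake makes the test pass, not only a bindings failure. The last case ("Acceptor req, reject") already checks `ge.getMajor() != GSSException.BAD_BINDINGS` and rethrows; the same check belongs in the mismatch case. Also, "bahavior" in both catch comments should read "behavior", and the two cases share the failure message "Acceptor should reject initiator", so a distinct message per case would make a failing run easier to read.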