提交 c63c8533 编写于 作者: W weijun

8016594: Native Windows ccache still reads DES tickets

Reviewed-by: dsamersoff, xuelei
上级 191f5068
...@@ -62,7 +62,9 @@ public class Credentials { ...@@ -62,7 +62,9 @@ public class Credentials {
private static CredentialsCache cache; private static CredentialsCache cache;
static boolean alreadyLoaded = false; static boolean alreadyLoaded = false;
private static boolean alreadyTried = false; private static boolean alreadyTried = false;
private static native Credentials acquireDefaultNativeCreds();
// Read native ticket with session key type in the given list
private static native Credentials acquireDefaultNativeCreds(int[] eTypes);
public Credentials(Ticket new_ticket, public Credentials(Ticket new_ticket,
PrincipalName new_client, PrincipalName new_client,
...@@ -373,6 +375,8 @@ public class Credentials { ...@@ -373,6 +375,8 @@ public class Credentials {
// It assumes that the GSS call has // It assumes that the GSS call has
// the privilege to access the default cache file. // the privilege to access the default cache file.
// This method is only called on Windows and Mac OS X, the native
// acquireDefaultNativeCreds is also available on these platforms.
public static synchronized Credentials acquireDefaultCreds() { public static synchronized Credentials acquireDefaultCreds() {
Credentials result = null; Credentials result = null;
...@@ -416,10 +420,15 @@ public class Credentials { ...@@ -416,10 +420,15 @@ public class Credentials {
} }
if (alreadyLoaded) { if (alreadyLoaded) {
// There is some native code // There is some native code
if (DEBUG) if (DEBUG) {
System.out.println(">> Acquire default native Credentials"); System.out.println(">> Acquire default native Credentials");
result = acquireDefaultNativeCreds(); }
// only TGT with DES key will be returned by native method try {
result = acquireDefaultNativeCreds(
EType.getDefaults("default_tkt_enctypes"));
} catch (KrbException ke) {
// when there is no default_tkt_enctypes.
}
} }
} }
return result; return result;
......
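Review bot: The new `catch (KrbException ke)` at L33-35 swallows the exception with no trace, so a missing or misconfigured `default_tkt_enctypes` yields a null result that the caller cannot distinguish from an empty native cache; the rest of this method already gates diagnostics on `DEBUG`, so print there: `} catch (KrbException ke) { if (DEBUG) { System.out.println(">> No usable default_tkt_enctypes, skipping native ccache: " + ke.getMessage()); } }`. A comment above the call at L31 would also help a reader, because after this change the Java-supplied etype list is the only thing that keeps a DES or RC4 session key out of the returned TGT — the native side (both the Mac and Windows implementations in this commit) filters and requests strictly by that list, so if the krb5 configuration still admits DES (presumably via `allow_weak_crypto`) the native cache will hand a DES TGT back; suggested text: `// Native code returns only a TGT whose session key etype is in this list; weak etypes are excluded only if the config excludes them.` `acquireDefaultCreds` begins at L21 before this hunk and its body continues past L38.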
...@@ -264,13 +264,21 @@ JNIEXPORT void JNICALL JNI_OnUnload(JavaVM *jvm, void *reserved) ...@@ -264,13 +264,21 @@ JNIEXPORT void JNICALL JNI_OnUnload(JavaVM *jvm, void *reserved)
} }
int isIn(krb5_enctype e, int n, jint* etypes)
{
int i;
for (i=0; i<n; i++) {
if (e == etypes[i]) return 1;
}
return 0;
}
/* /*
* Class: sun_security_krb5_Credentials * Class: sun_security_krb5_Credentials
* Method: acquireDefaultNativeCreds * Method: acquireDefaultNativeCreds
* Signature: ()Lsun/security/krb5/Credentials; * Signature: ([I])Lsun/security/krb5/Credentials;
*/ */
JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds
(JNIEnv *env, jclass krbcredsClass) (JNIEnv *env, jclass krbcredsClass, jintArray jetypes)
{ {
jobject krbCreds = NULL; jobject krbCreds = NULL;
krb5_error_code err = 0; krb5_error_code err = 0;
...@@ -280,6 +288,9 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -280,6 +288,9 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
krb5_flags flags = 0; krb5_flags flags = 0;
krb5_context kcontext = NULL; krb5_context kcontext = NULL;
int netypes;
jint *etypes = NULL;
/* Initialize the Kerberos 5 context */ /* Initialize the Kerberos 5 context */
err = krb5_init_context (&kcontext); err = krb5_init_context (&kcontext);
...@@ -295,6 +306,9 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -295,6 +306,9 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
err = krb5_cc_start_seq_get (kcontext, ccache, &cursor); err = krb5_cc_start_seq_get (kcontext, ccache, &cursor);
} }
netypes = (*env)->GetArrayLength(env, jetypes);
etypes = (jint *) (*env)->GetIntArrayElements(env, jetypes, NULL);
if (!err) { if (!err) {
while ((err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) { while ((err = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) {
char *serverName = NULL; char *serverName = NULL;
...@@ -305,7 +319,8 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -305,7 +319,8 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
} }
if (!err) { if (!err) {
if (strncmp (serverName, "krbtgt", strlen("krbtgt")) == 0) { if (strncmp (serverName, "krbtgt", sizeof("krbtgt")-1) == 0 &&
isIn(creds.keyblock.enctype, netypes, etypes)) {
jobject ticket, clientPrincipal, targetPrincipal, encryptionKey; jobject ticket, clientPrincipal, targetPrincipal, encryptionKey;
jobject ticketFlags, startTime, endTime; jobject ticketFlags, startTime, endTime;
jobject authTime, renewTillTime, hostAddresses; jobject authTime, renewTillTime, hostAddresses;
...@@ -321,7 +336,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -321,7 +336,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
targetPrincipal = BuildClientPrincipal(env, kcontext, creds.server); targetPrincipal = BuildClientPrincipal(env, kcontext, creds.server);
if (targetPrincipal == NULL) goto cleanup; if (targetPrincipal == NULL) goto cleanup;
// Build a com.ibm.security.krb5.Ticket // Build a sun/security/krb5/internal/Ticket
ticket = BuildTicket(env, &creds.ticket); ticket = BuildTicket(env, &creds.ticket);
if (ticket == NULL) goto cleanup; if (ticket == NULL) goto cleanup;
...@@ -353,7 +368,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -353,7 +368,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>", krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",
"(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V"); "(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V");
if (krbcredsConstructor == 0) { if (krbcredsConstructor == 0) {
printf("Couldn't find com.ibm.security.krb5.Credentials constructor\n"); printf("Couldn't find sun.security.krb5.internal.Ticket constructor\n");
break; break;
} }
} }
...@@ -409,6 +424,10 @@ cleanup: ...@@ -409,6 +424,10 @@ cleanup:
printiferr (err, "while finishing ticket retrieval"); printiferr (err, "while finishing ticket retrieval");
} }
if (etypes != NULL) {
(*env)->ReleaseIntArrayElements(env, jetypes, etypes, 0);
}
krb5_free_context (kcontext); krb5_free_context (kcontext);
return krbCreds; return krbCreds;
} }
......
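Review bot: `GetIntArrayElements` at L71 returns NULL when the copy cannot be allocated (an OutOfMemoryError is then pending), and `isIn` at L79 dereferences `etypes[i]` for every credential in the cache, so a NULL array becomes a crash inside the JNI call; guard it right after the call: `if (etypes == NULL) { goto cleanup; /* OutOfMemoryError already pending */ }` — assuming `cleanup:` at L97 is the function's normal error exit, which I can only partly see here. `isIn` at L42 is an exported, non-static symbol in a shared JNI library; make it `static int isIn(krb5_enctype e, int n, jint* etypes)` so it cannot collide with a same-named symbol elsewhere in the process. The rewritten message at L93 names the wrong class — the method ID looked up at L90 is the `Credentials` constructor — so `printf("Couldn't find sun.security.krb5.Credentials constructor\n");`. The native function begins at L55 and its body runs past the visible hunks.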
...@@ -367,11 +367,12 @@ JNIEXPORT void JNICALL JNI_OnUnload( ...@@ -367,11 +367,12 @@ JNIEXPORT void JNICALL JNI_OnUnload(
/* /*
* Class: sun_security_krb5_Credentials * Class: sun_security_krb5_Credentials
* Method: acquireDefaultNativeCreds * Method: acquireDefaultNativeCreds
* Signature: ()Lsun/security/krb5/Credentials; * Signature: ([I])Lsun/security/krb5/Credentials;
*/ */
JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds( JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativeCreds(
JNIEnv *env, JNIEnv *env,
jclass krbcredsClass) { jclass krbcredsClass,
jintArray jetypes) {
KERB_QUERY_TKT_CACHE_REQUEST CacheRequest; KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
PKERB_RETRIEVE_TKT_RESPONSE TktCacheResponse = NULL; PKERB_RETRIEVE_TKT_RESPONSE TktCacheResponse = NULL;
...@@ -387,9 +388,12 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -387,9 +388,12 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
jobject ticketFlags, startTime, endTime, krbCreds = NULL; jobject ticketFlags, startTime, endTime, krbCreds = NULL;
jobject authTime, renewTillTime, hostAddresses = NULL; jobject authTime, renewTillTime, hostAddresses = NULL;
KERB_EXTERNAL_TICKET *msticket; KERB_EXTERNAL_TICKET *msticket;
int ignore_cache = 0; int found_in_cache = 0;
FILETIME Now, EndTime, LocalEndTime; FILETIME Now, EndTime, LocalEndTime;
int i, netypes;
jint *etypes = NULL;
while (TRUE) { while (TRUE) {
if (krbcredsConstructor == 0) { if (krbcredsConstructor == 0) {
...@@ -456,31 +460,33 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -456,31 +460,33 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
// got the native MS TGT // got the native MS TGT
msticket = &(TktCacheResponse->Ticket); msticket = &(TktCacheResponse->Ticket);
netypes = (*env)->GetArrayLength(env, jetypes);
etypes = (jint *) (*env)->GetIntArrayElements(env, jetypes, NULL);
// check TGT validity // check TGT validity
switch (msticket->SessionKey.KeyType) { if (native_debug) {
case KERB_ETYPE_DES_CBC_CRC: printf("LSA: TICKET SessionKey KeyType is %d\n", msticket->SessionKey.KeyType);
case KERB_ETYPE_DES_CBC_MD5: }
case KERB_ETYPE_NULL:
case KERB_ETYPE_RC4_HMAC_NT: if ((msticket->TicketFlags & KERB_TICKET_FLAGS_invalid) == 0) {
GetSystemTimeAsFileTime(&Now); GetSystemTimeAsFileTime(&Now);
EndTime.dwLowDateTime = msticket->EndTime.LowPart; EndTime.dwLowDateTime = msticket->EndTime.LowPart;
EndTime.dwHighDateTime = msticket->EndTime.HighPart; EndTime.dwHighDateTime = msticket->EndTime.HighPart;
FileTimeToLocalFileTime(&EndTime, &LocalEndTime); FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
if (CompareFileTime(&Now, &LocalEndTime) >= 0) { if (CompareFileTime(&Now, &LocalEndTime) < 0) {
ignore_cache = 1; for (i=0; i<netypes; i++) {
} if (etypes[i] == msticket->SessionKey.KeyType) {
if (msticket->TicketFlags & KERB_TICKET_FLAGS_invalid) { found_in_cache = 1;
ignore_cache = 1; if (native_debug) {
printf("LSA: Valid etype found: %d\n", etypes[i]);
} }
break; break;
case KERB_ETYPE_RC4_MD4: }
default: }
// not supported }
ignore_cache = 1;
break;
} }
if (ignore_cache) { if (!found_in_cache) {
if (native_debug) { if (native_debug) {
printf("LSA: MS TGT in cache is invalid/not supported; request new ticket\n"); printf("LSA: MS TGT in cache is invalid/not supported; request new ticket\n");
} }
...@@ -494,9 +500,10 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -494,9 +500,10 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
} }
pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage; pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
pTicketRequest->EncryptionType = KERB_ETYPE_DES_CBC_MD5;
pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE; pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE;
for (i=0; i<netypes; i++) {
pTicketRequest->EncryptionType = etypes[i];
Status = LsaCallAuthenticationPackage( Status = LsaCallAuthenticationPackage(
LogonHandle, LogonHandle,
PackageId, PackageId,
...@@ -508,7 +515,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -508,7 +515,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
); );
if (native_debug) { if (native_debug) {
printf("LSA: Response size is %d\n", responseSize); printf("LSA: Response size is %d for %d\n", responseSize, etypes[i]);
} }
if (!LSA_SUCCESS(Status) || !LSA_SUCCESS(SubStatus)) { if (!LSA_SUCCESS(Status) || !LSA_SUCCESS(SubStatus)) {
...@@ -517,11 +524,17 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -517,11 +524,17 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
} else { } else {
ShowNTError("Protocol status", SubStatus); ShowNTError("Protocol status", SubStatus);
} }
break; continue;
} }
// got the native MS Kerberos TGT // got the native MS Kerberos TGT
msticket = &(pTicketResponse->Ticket); msticket = &(pTicketResponse->Ticket);
break;
}
}
if (etypes != NULL) {
(*env)->ReleaseIntArrayElements(env, jetypes, etypes, 0);
} }
/* /*
...@@ -644,7 +657,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ ...@@ -644,7 +657,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
hostAddresses); hostAddresses);
break; break;
} // end of WHILE } // end of WHILE. This WHILE will never loop.
// clean up resources // clean up resources
if (TktCacheResponse != NULL) { if (TktCacheResponse != NULL) {
......
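Review bot: The array pinned by `GetIntArrayElements` at L133 is released only at L189-191, which is after the `if (!found_in_cache)` block but still inside the `while (TRUE)` body, so any `break` taken between L133 and L189 (the hidden lines around L162-163 look like an allocation-failure exit for `pTicketRequest`) leaves the copy unreleased until the JVM tears down; since `etypes` starts as NULL at L126 and `jetypes` stays in scope, move the release into the `// clean up resources` section after the loop at L197: `if (etypes != NULL) { (*env)->ReleaseIntArrayElements(env, jetypes, etypes, JNI_ABORT); }` (`JNI_ABORT` rather than `0` because the native side never writes to the array). A NULL return from `GetIntArrayElements` is also not checked, and the loop at L145 then dereferences `etypes[i]`; add `if (etypes == NULL) break;` right after L133 so the function falls through to the cleanup with the pending OutOfMemoryError. The `for` at L167 asks the LSA for each etype in list order and takes the first success, which makes `default_tkt_enctypes` a preference order from the client's point of view; a one-line comment above it would make that explicit: `// Try etypes in configured preference order; the first ticket the LSA returns wins.` The native function begins at L113 and its body continues past the visible hunks.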