From f1a0ff52356048b329581bc6262f6d28235b25cf Mon Sep 17 00:00:00 2001 From: weijun Date: Wed, 1 May 2013 21:05:10 +0800 Subject: [PATCH] 8012082: SASL: auth-conf negotiated, but unencrypted data is accepted, reset to unencrypt Reviewed-by: vinnie --- .../security/sasl/gsskerb/GssKrb5Base.java | 3 +- .../security/sasl/gsskerb/GssKrb5Client.java | 1 - .../security/sasl/gsskerb/GssKrb5Server.java | 1 - test/sun/security/krb5/auto/SaslGSS.java | 106 ++++++++++++++++++ 4 files changed, 108 insertions(+), 3 deletions(-) create mode 100644 test/sun/security/krb5/auto/SaslGSS.java diff --git a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java index fc5d13c2a..b0741591a 100644 --- a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java +++ b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java @@ -45,7 +45,6 @@ abstract class GssKrb5Base extends AbstractSaslImpl { } protected GSSContext secCtx = null; - protected MessageProp msgProp; // QOP and privacy for unwrap protected static final int JGSS_QOP = 0; // unrelated to SASL QOP mask protected GssKrb5Base(Map props, String className) @@ -74,6 +73,7 @@ abstract class GssKrb5Base extends AbstractSaslImpl { } try { + MessageProp msgProp = new MessageProp(JGSS_QOP, privacy); byte[] answer = secCtx.unwrap(incoming, start, len, msgProp); if (logger.isLoggable(Level.FINEST)) { traceOutput(myClassName, "KRB501:Unwrap", "incoming: ", @@ -99,6 +99,7 @@ abstract class GssKrb5Base extends AbstractSaslImpl { // Generate GSS token try { + MessageProp msgProp = new MessageProp(JGSS_QOP, privacy); byte[] answer = secCtx.wrap(outgoing, start, len, msgProp); if (logger.isLoggable(Level.FINEST)) { traceOutput(myClassName, "KRB503:Wrap", "outgoing: ", diff --git a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java index 15c89e6d3..c96a979c2 100644 --- a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java +++ b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java @@ -320,7 +320,6 @@ final class GssKrb5Client extends GssKrb5Base implements SaslClient { } completed = true; // server authenticated - msgProp = new MessageProp(JGSS_QOP, privacy); return gssOutToken; } catch (GSSException e) { diff --git a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java index b403bb78a..b3b8a9938 100644 --- a/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java +++ b/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java @@ -270,7 +270,6 @@ final class GssKrb5Server extends GssKrb5Base implements SaslServer { } else if ((selectedQop&INTEGRITY_ONLY_PROTECTION) != 0) { integrity = true; } - msgProp = new MessageProp(JGSS_QOP, privacy); // 2nd-4th octets specifies maximum buffer size expected by // client (in network byte order). This is the server's send diff --git a/test/sun/security/krb5/auto/SaslGSS.java b/test/sun/security/krb5/auto/SaslGSS.java new file mode 100644 index 000000000..e497ab1a2 --- /dev/null +++ b/test/sun/security/krb5/auto/SaslGSS.java @@ -0,0 +1,106 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8012082 + * @summary SASL: auth-conf negotiated, but unencrypted data is accepted, + * reset to unencrypt + * @compile -XDignore.symbol.file SaslGSS.java + * @run main/othervm SaslGSS + */ + +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.sasl.AuthorizeCallback; +import javax.security.sasl.RealmCallback; +import javax.security.sasl.Sasl; +import javax.security.sasl.SaslServer; +import java.io.IOException; +import java.util.HashMap; +import java.util.Locale; +import org.ietf.jgss.*; +import sun.security.jgss.GSSUtil; + +public class SaslGSS { + + public static void main(String[] args) throws Exception { + + String name = "host." + OneKDC.REALM.toLowerCase(Locale.US); + + new OneKDC(null).writeJAASConf(); + System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); + + // Client in JGSS so that it can control wrap privacy mode + GSSManager m = GSSManager.getInstance(); + GSSContext sc = m.createContext( + m.createName(OneKDC.SERVER, GSSUtil.NT_GSS_KRB5_PRINCIPAL), + GSSUtil.GSS_KRB5_MECH_OID, + null, + GSSContext.DEFAULT_LIFETIME); + sc.requestMutualAuth(false); + + // Server in SASL + final HashMap props = new HashMap(); + props.put(Sasl.QOP, "auth-conf"); + SaslServer ss = Sasl.createSaslServer("GSSAPI", "server", + name, props, + new CallbackHandler() { + public void handle(Callback[] callbacks) + throws IOException, UnsupportedCallbackException { + for (Callback cb : callbacks) { + if (cb instanceof RealmCallback) { + ((RealmCallback) cb).setText(OneKDC.REALM); + } else if (cb instanceof AuthorizeCallback) { + ((AuthorizeCallback) cb).setAuthorized(true); + } + } + } + }); + + // Handshake + byte[] token = new byte[0]; + token = sc.initSecContext(token, 0, token.length); + token = ss.evaluateResponse(token); + token = sc.unwrap(token, 0, token.length, new MessageProp(0, false)); + token[0] = (byte)(((token[0] & 4) != 0) ? 4 : 2); + token = sc.wrap(token, 0, token.length, new MessageProp(0, false)); + ss.evaluateResponse(token); + + // Talk + // 1. Client sends a auth-int message + byte[] hello = "hello".getBytes(); + MessageProp qop = new MessageProp(0, false); + token = sc.wrap(hello, 0, hello.length, qop); + // 2. Server accepts it anyway + ss.unwrap(token, 0, token.length); + // 3. Server sends a message + token = ss.wrap(hello, 0, hello.length); + // 4. Client accepts, should be auth-conf + sc.unwrap(token, 0, token.length, qop); + if (!qop.getPrivacy()) { + throw new Exception(); + } + } +} -- GitLab