changeset 4622:8d88e694441c

7077646: gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY Reviewed-by: valeriep
author weijun
date Wed, 28 Sep 2011 14:21:11 +0800
parents 9b951304bd0a
children 74f5fef1d961
files src/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java src/share/classes/sun/security/jgss/krb5/Krb5Context.java src/share/classes/sun/security/jgss/krb5/MessageToken_v2.java test/sun/security/krb5/auto/AcceptorSubKey.java
diffstat 5 files changed, 84 insertions(+), 10 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java	Wed Sep 28 14:21:10 2011 +0800
+++ b/src/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java	Wed Sep 28 14:21:11 2011 +0800
@@ -94,7 +94,7 @@
          */
         EncryptionKey subKey = apRep.getSubKey();
         if (subKey != null) {
-            context.setKey(subKey);
+            context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
             /*
             System.out.println("\n\nSub-Session key from AP-REP is: " +
                                getHexBytes(subKey.getBytes()) + "\n");
--- a/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java	Wed Sep 28 14:21:10 2011 +0800
+++ b/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java	Wed Sep 28 14:21:11 2011 +0800
@@ -74,9 +74,9 @@
 
         EncryptionKey subKey = apReq.getSubKey();
         if (subKey != null)
-            context.setKey(subKey);
+            context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
         else
-            context.setKey(serviceTicket.getSessionKey());
+            context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey());
 
         if (!mutualRequired)
             context.resetPeerSequenceNumber(0);
@@ -117,13 +117,13 @@
 
         EncryptionKey subKey = apReq.getSubKey();
         if (subKey != null) {
-            context.setKey(subKey);
+            context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
             /*
               System.out.println("Sub-Session key from authenticator is: " +
               getHexBytes(subKey.getBytes()) + "\n");
             */
         } else {
-            context.setKey(sessionKey);
+            context.setKey(Krb5Context.SESSION_KEY, sessionKey);
             //System.out.println("Sub-Session Key Missing in Authenticator.\n");
         }
 
--- a/src/share/classes/sun/security/jgss/krb5/Krb5Context.java	Wed Sep 28 14:21:10 2011 +0800
+++ b/src/share/classes/sun/security/jgss/krb5/Krb5Context.java	Wed Sep 28 14:21:11 2011 +0800
@@ -67,6 +67,10 @@
 
     private int state = STATE_NEW;
 
+    public static final int SESSION_KEY = 0;
+    public static final int INITIATOR_SUBKEY = 1;
+    public static final int ACCEPTOR_SUBKEY = 2;
+
     /*
      * Optional features that the application can set and their default
      * values.
@@ -82,6 +86,7 @@
 
     private int mySeqNumber;
     private int peerSeqNumber;
+    private int keySrc;
     private TokenTracker peerTokenTracker;
 
     private CipherHelper cipherHelper = null;
@@ -384,12 +389,17 @@
         }
     }
 
-    final void setKey(EncryptionKey key) throws GSSException {
+    final void setKey(int keySrc, EncryptionKey key) throws GSSException {
         this.key = key;
+        this.keySrc = keySrc;
         // %%% to do: should clear old cipherHelper first
         cipherHelper = new CipherHelper(key);  // Need to use new key
     }
 
+    public final int getKeySrc() {
+        return keySrc;
+    }
+
     private final EncryptionKey getKey() {
         return key;
     }
--- a/src/share/classes/sun/security/jgss/krb5/MessageToken_v2.java	Wed Sep 28 14:21:10 2011 +0800
+++ b/src/share/classes/sun/security/jgss/krb5/MessageToken_v2.java	Wed Sep 28 14:21:11 2011 +0800
@@ -141,6 +141,7 @@
     // Context properties
     private boolean confState = true;
     private boolean initiator = true;
+    private boolean have_acceptor_subkey = false;
 
     /* cipher instance used by the corresponding GSSContext */
     CipherHelper cipherHelper = null;
@@ -311,8 +312,7 @@
         }
 
         // Create a new gss token header as defined in RFC 4121
-        tokenHeader = new MessageTokenHeader(tokenId,
-                                prop.getPrivacy(), true);
+        tokenHeader = new MessageTokenHeader(tokenId, prop.getPrivacy());
         // debug("\n\t Message Header = " +
         // getHexBytes(tokenHeader.getBytes(), tokenHeader.getBytes().length));
 
@@ -461,6 +461,8 @@
 
         this.initiator = context.isInitiator();
 
+        this.have_acceptor_subkey = context.getKeySrc() == Krb5Context.ACCEPTOR_SUBKEY;
+
         this.cipherHelper = context.getCipherHelper(null);
         //    debug("In MessageToken.Cons");
     }
@@ -501,8 +503,7 @@
          private byte[] bytes = new byte[TOKEN_HEADER_SIZE];
 
          // Writes a new token header
-         public MessageTokenHeader(int tokenId, boolean conf,
-                boolean have_acceptor_subkey) throws GSSException {
+         public MessageTokenHeader(int tokenId, boolean conf) throws GSSException {
 
             this.tokenId = tokenId;
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/AcceptorSubKey.java	Wed Sep 28 14:21:11 2011 +0800
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7077646
+ * @summary gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY
+ * @compile -XDignore.symbol.file AcceptorSubKey.java
+ * @run main/othervm AcceptorSubKey
+ */
+
+import java.util.Arrays;
+import sun.security.jgss.GSSUtil;
+
+// The basic krb5 test skeleton you can copy from
+public class AcceptorSubKey {
+
+    public static void main(String[] args) throws Exception {
+
+        new OneKDC(null).writeJAASConf();
+
+        Context c, s;
+        c = Context.fromJAAS("client");
+        s = Context.fromJAAS("server");
+
+        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_SPNEGO_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
+
+        Context.handshake(c, s);
+
+        byte[] msg = "i say high --".getBytes();
+        byte[] wrapped = s.wrap(msg, false);
+
+        // FLAG_ACCEPTOR_SUBKEY is 4
+        int flagOn = wrapped[2] & 4;
+        if (flagOn != 0) {
+            throw new Exception("Java GSS should not have set acceptor subkey");
+        }
+
+        s.dispose();
+        c.dispose();
+    }
+}