Skip to content
Permalink
Browse files

8160818: GssKrb5Client violates RFC 4752

Reviewed-by: xuelei
  • Loading branch information
wangweij committed Feb 15, 2020
1 parent 71ed4f2 commit c4681a95dcfe5107624eab55317347df45e5710e
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,6 @@

package com.sun.security.sasl.gsskerb;

import java.io.IOException;
import java.util.Map;
import java.util.logging.Level;
import javax.security.sasl.*;
@@ -85,7 +84,6 @@
private static final String MY_CLASS_NAME = GssKrb5Client.class.getName();

private boolean finalHandshake = false;
private boolean mutual = false; // default false
private byte[] authzID;

/**
@@ -132,7 +130,17 @@
secCtx.requestCredDeleg(true);
}

// Parse properties to set desired context options
// mutual is by default true if there is a security layer
boolean mutual;
if ((allQop & INTEGRITY_ONLY_PROTECTION) != 0
|| (allQop & PRIVACY_PROTECTION) != 0) {
mutual = true;
secCtx.requestSequenceDet(true);
} else {
mutual = false;
}

// User can override default mutual flag
if (props != null) {
// Mutual authentication
String prop = (String)props.get(Sasl.SERVER_AUTH);
@@ -0,0 +1,108 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @bug 8160818
* @summary GssKrb5Client violates RFC 4752
* @library /test/lib
* @compile -XDignore.symbol.file SaslMutual.java
* @run main jdk.test.lib.FileInstaller TestHosts TestHosts
* @run main/othervm -Djdk.net.hosts.file=TestHosts SaslMutual
*/
import jdk.test.lib.Asserts;

import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.sasl.*;

public class SaslMutual {

public static void main(String[] args) throws Exception {

String name = "host." + OneKDC.REALM_LOWER_CASE;

new OneKDC(null).writeJAASConf();
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

SaslClient sc;

sc = Sasl.createSaslClient(
new String[]{"GSSAPI"}, null, "server",
name,
Map.of(),
null);
Asserts.assertEQ(round(sc, server()), 2);

sc = Sasl.createSaslClient(
new String[]{"GSSAPI"}, null, "server",
name,
Map.of(Sasl.SERVER_AUTH, "true"),
null);
Asserts.assertEQ(round(sc, server()), 3);

sc = Sasl.createSaslClient(
new String[]{"GSSAPI"}, null, "server",
name,
Map.of(Sasl.QOP, "auth-int"),
null);
Asserts.assertEQ(round(sc, server()), 3);

sc = Sasl.createSaslClient(
new String[]{"GSSAPI"}, null, "server",
name,
Map.of(Sasl.QOP, "auth-conf"),
null);
Asserts.assertEQ(round(sc, server()), 3);
}

static SaslServer server() throws Exception {
return Sasl.createSaslServer("GSSAPI", "server",
null,
Map.of(Sasl.QOP, "auth,auth-int,auth-conf"),
callbacks -> {
for (Callback cb : callbacks) {
if (cb instanceof RealmCallback) {
((RealmCallback) cb).setText(OneKDC.REALM);
} else if (cb instanceof AuthorizeCallback) {
((AuthorizeCallback) cb).setAuthorized(true);
}
}
});
}

static int round(SaslClient sc, SaslServer ss) throws Exception {
int round = 0;
byte[] token = new byte[0];
while (!sc.isComplete() || !ss.isComplete()) {
if (!sc.isComplete()) {
token = sc.evaluateChallenge(token);
}
if (!ss.isComplete()) {
token = ss.evaluateResponse(token);
}
round++;
}
return round;
}
}

0 comments on commit c4681a9

Please sign in to comment.