Mercurial > hg > release > icedtea7-forest-2.5 > jdk
changeset 8246:c6ba5a410219
8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
Reviewed-by: mullan
author | weijun |
---|---|
date | Mon, 21 Jul 2014 22:10:37 +0800 |
parents | c029922f0006 |
children | 73a956abf6da |
files | src/share/classes/sun/security/jgss/spnego/SpNegoContext.java test/sun/security/jgss/spnego/NotPreferredMech.java |
diffstat | 2 files changed, 134 insertions(+), 11 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java Mon Jul 06 21:57:49 2015 +0100 +++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java Mon Jul 21 22:10:37 2014 +0800 @@ -523,13 +523,6 @@ valid = false; } - // get the mechanism token - byte[] mechToken = initToken.getMechToken(); - if (mechToken == null) { - throw new GSSException(GSSException.FAILURE, -1, - "mechToken is missing"); - } - /* * Select the best match between the list of mechs * that the initiator requested and the list that @@ -545,7 +538,19 @@ internal_mech = mech_wanted; // get the token for mechanism - byte[] accept_token = GSS_acceptSecContext(mechToken); + byte[] accept_token; + + if (mechList[0].equals(mech_wanted)) { + // get the mechanism token + byte[] mechToken = initToken.getMechToken(); + if (mechToken == null) { + throw new GSSException(GSSException.FAILURE, -1, + "mechToken is missing"); + } + accept_token = GSS_acceptSecContext(mechToken); + } else { + accept_token = null; + } // verify MIC if (!GSSUtil.useMSInterop() && valid) { @@ -594,9 +599,27 @@ retVal = targToken.getEncoded(); } else if (state == STATE_IN_PROCESS) { + // read data + byte[] token = new byte[is.available()]; + SpNegoToken.readFully(is, token); + if (DEBUG) { + System.out.println("SpNegoContext.acceptSecContext: " + + "receiving token = " + + SpNegoToken.getHexBytes(token)); + } + + // read the SPNEGO token + // token will be validated when parsing + NegTokenTarg inputToken = new NegTokenTarg(token); + + if (DEBUG) { + System.out.println("SpNegoContext.acceptSecContext: " + + "received token of type = " + + SpNegoToken.getTokenName(inputToken.getType())); + } + // read the token - byte[] client_token = new byte[is.available()]; - SpNegoToken.readFully(is, client_token); + byte[] client_token = inputToken.getResponseToken(); byte[] accept_token = GSS_acceptSecContext(client_token); if (accept_token == null) { valid = false; @@ -1055,7 +1078,7 @@ * This is only valid on the acceptor side of the context. * @return GSSCredentialSpi object for the delegated credential * @exception GSSException - * @see GSSContext#getDelegCredState + * @see GSSContext#getCredDelegState */ public final GSSCredentialSpi getDelegCred() throws GSSException { if (state != STATE_IN_PROCESS && state != STATE_DONE)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/jgss/spnego/NotPreferredMech.java Mon Jul 21 22:10:37 2014 +0800 @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8048194 + * @run main/othervm NotPreferredMech + * @summary GSSContext.acceptSecContext fails when a supported mech is not initiator preferred + */ + +import org.ietf.jgss.*; +import sun.security.jgss.*; +import sun.security.jgss.spnego.NegTokenInit; +import sun.security.jgss.spnego.NegTokenTarg; +import sun.security.util.BitArray; +import sun.security.util.DerOutputStream; +import sun.security.util.DerValue; +import sun.security.util.ObjectIdentifier; + +import java.io.ByteArrayOutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Method; + +public class NotPreferredMech { + + public static void main(String[] argv) throws Exception { + + // Generates a NegTokenInit mechTypes field, with an + // unsupported mech as the preferred. + DerOutputStream mech = new DerOutputStream(); + mech.write(new Oid("1.2.3.4").getDER()); + mech.write(GSSUtil.GSS_KRB5_MECH_OID.getDER()); + DerOutputStream mechTypeList = new DerOutputStream(); + mechTypeList.write(DerValue.tag_Sequence, mech); + + // Generates a NegTokenInit mechToken field for 1.2.3.4 mech + GSSHeader h1 = new GSSHeader(new ObjectIdentifier("1.2.3.4"), 1); + ByteArrayOutputStream bout = new ByteArrayOutputStream(); + h1.encode(bout); + bout.write(new byte[1]); + + // Generates the NegTokenInit token + Constructor<NegTokenInit> ctor = NegTokenInit.class.getDeclaredConstructor( + byte[].class, BitArray.class, byte[].class, byte[].class); + ctor.setAccessible(true); + NegTokenInit initToken = ctor.newInstance( + mechTypeList.toByteArray(), + new BitArray(0), + bout.toByteArray(), + null); + Method m = Class.forName("sun.security.jgss.spnego.SpNegoToken") + .getDeclaredMethod("getEncoded"); + m.setAccessible(true); + byte[] spnegoToken = (byte[])m.invoke(initToken); + + // and wraps it into a GSSToken + GSSHeader h = new GSSHeader( + new ObjectIdentifier(GSSUtil.GSS_SPNEGO_MECH_OID.toString()), + spnegoToken.length); + bout = new ByteArrayOutputStream(); + h.encode(bout); + bout.write(spnegoToken); + byte[] token = bout.toByteArray(); + + // and feeds it to a GSS acceptor + GSSManager man = GSSManager.getInstance(); + GSSContext ctxt = man.createContext((GSSCredential) null); + token = ctxt.acceptSecContext(token, 0, token.length); + NegTokenTarg targ = new NegTokenTarg(token); + + // Make sure it's a GO-ON message + Method m2 = NegTokenTarg.class.getDeclaredMethod("getNegotiatedResult"); + m2.setAccessible(true); + int negResult = (int)m2.invoke(targ); + + if (negResult != 1 /* ACCEPT_INCOMPLETE */) { + throw new Exception("Not a continue"); + } + } +}