1 /* |
1 /* |
2 * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
26 package sun.security.jgss.krb5; |
26 package sun.security.jgss.krb5; |
27 |
27 |
28 import org.ietf.jgss.*; |
28 import org.ietf.jgss.*; |
29 import java.io.InputStream; |
29 import java.io.InputStream; |
30 import java.io.IOException; |
30 import java.io.IOException; |
|
31 |
|
32 import sun.security.action.GetPropertyAction; |
31 import sun.security.krb5.*; |
33 import sun.security.krb5.*; |
32 import java.net.InetAddress; |
34 import java.net.InetAddress; |
33 import sun.security.krb5.internal.AuthorizationData; |
35 import sun.security.krb5.internal.AuthorizationData; |
34 import sun.security.krb5.internal.KerberosTime; |
36 import sun.security.krb5.internal.KerberosTime; |
35 |
37 |
36 class InitSecContextToken extends InitialToken { |
38 class InitSecContextToken extends InitialToken { |
|
39 |
|
40 // If non-mutual authentication is requested, there is no AP-REP message. |
|
41 // The acceptor thus has no chance to send the seq-number field to the |
|
42 // initiator. In this case, the initiator and acceptor should has an |
|
43 // agreement to derive acceptor's initial seq-number if the acceptor wishes |
|
44 // to send messages to the initiator. |
|
45 |
|
46 // If this flag is true, it will the same as the initiator's initial |
|
47 // seq-number (as MIT krb5 and Windows SSPI do). Otherwise, it will be zero |
|
48 // (as Heimdal does). The default value is true. |
|
49 private static final boolean ACCEPTOR_USE_INITIATOR_SEQNUM; |
|
50 |
|
51 static { |
|
52 // The ACCEPTOR_USE_INITIATOR_SEQNUM value is determined by the system |
|
53 // property "sun.security.krb5.acceptor.sequence.number.nonmutual", |
|
54 // which can be set to "initiator", "zero" or "0". |
|
55 String propName = "sun.security.krb5.acceptor.sequence.number.nonmutual"; |
|
56 String s = GetPropertyAction.privilegedGetProperty(propName, "initiator"); |
|
57 if (s.equals("initiator")) { |
|
58 ACCEPTOR_USE_INITIATOR_SEQNUM = true; |
|
59 } else if (s.equals("zero") || s.equals("0")) { |
|
60 ACCEPTOR_USE_INITIATOR_SEQNUM = false; |
|
61 } else { |
|
62 throw new AssertionError("Unrecognized value for " + propName |
|
63 + ": " + s); |
|
64 } |
|
65 } |
37 |
66 |
38 private KrbApReq apReq = null; |
67 private KrbApReq apReq = null; |
39 |
68 |
40 /** |
69 /** |
41 * For the context initiator to call. It constructs a new |
70 * For the context initiator to call. It constructs a new |
76 context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey); |
105 context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey); |
77 else |
106 else |
78 context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey()); |
107 context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey()); |
79 |
108 |
80 if (!mutualRequired) |
109 if (!mutualRequired) |
81 context.resetPeerSequenceNumber(0); |
110 context.resetPeerSequenceNumber( |
|
111 ACCEPTOR_USE_INITIATOR_SEQNUM |
|
112 ? apReq.getSeqNumber().intValue() |
|
113 : 0); |
82 } |
114 } |
83 |
115 |
84 /** |
116 /** |
85 * For the context acceptor to call. It reads the bytes out of an |
117 * For the context acceptor to call. It reads the bytes out of an |
86 * InputStream and constructs an InitSecContextToken with them. |
118 * InputStream and constructs an InitSecContextToken with them. |
141 Integer apReqSeqNumber = apReq.getSeqNumber(); |
173 Integer apReqSeqNumber = apReq.getSeqNumber(); |
142 int peerSeqNumber = (apReqSeqNumber != null ? |
174 int peerSeqNumber = (apReqSeqNumber != null ? |
143 apReqSeqNumber.intValue() : |
175 apReqSeqNumber.intValue() : |
144 0); |
176 0); |
145 context.resetPeerSequenceNumber(peerSeqNumber); |
177 context.resetPeerSequenceNumber(peerSeqNumber); |
146 if (!context.getMutualAuthState()) |
178 if (!context.getMutualAuthState()) { |
147 // Use the same sequence number as the peer |
179 context.resetMySequenceNumber( |
148 // (Behaviour exhibited by the Windows SSPI server) |
180 ACCEPTOR_USE_INITIATOR_SEQNUM |
149 context.resetMySequenceNumber(peerSeqNumber); |
181 ? peerSeqNumber |
|
182 : 0); |
|
183 } |
150 context.setAuthTime( |
184 context.setAuthTime( |
151 new KerberosTime(apReq.getCreds().getAuthTime()).toString()); |
185 new KerberosTime(apReq.getCreds().getAuthTime()).toString()); |
152 context.setTktFlags(apReq.getCreds().getFlags()); |
186 context.setTktFlags(apReq.getCreds().getFlags()); |
153 AuthorizationData ad = apReq.getCreds().getAuthzData(); |
187 AuthorizationData ad = apReq.getCreds().getAuthzData(); |
154 context.setAuthzData(ad); |
188 context.setAuthzData(ad); |