8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
authorweijun
Mon, 21 Jul 2014 22:10:37 +0800
changeset 25664 66c6924fb620
parent 25663 9f511964aee6
child 25665 0646dc563d47
8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred Reviewed-by: mullan
jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
jdk/test/sun/security/jgss/spnego/NotPreferredMech.java
--- a/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java	Mon Jul 21 22:09:38 2014 +0800
+++ b/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java	Mon Jul 21 22:10:37 2014 +0800
@@ -523,13 +523,6 @@
                     valid = false;
                 }
 
-                // get the mechanism token
-                byte[] mechToken = initToken.getMechToken();
-                if (mechToken == null) {
-                    throw new GSSException(GSSException.FAILURE, -1,
-                            "mechToken is missing");
-                }
-
                 /*
                  * Select the best match between the list of mechs
                  * that the initiator requested and the list that
@@ -545,7 +538,19 @@
                 internal_mech = mech_wanted;
 
                 // get the token for mechanism
-                byte[] accept_token = GSS_acceptSecContext(mechToken);
+                byte[] accept_token;
+
+                if (mechList[0].equals(mech_wanted)) {
+                    // get the mechanism token
+                    byte[] mechToken = initToken.getMechToken();
+                    if (mechToken == null) {
+                        throw new GSSException(GSSException.FAILURE, -1,
+                                "mechToken is missing");
+                    }
+                    accept_token = GSS_acceptSecContext(mechToken);
+                } else {
+                    accept_token = null;
+                }
 
                 // verify MIC
                 if (!GSSUtil.useMSInterop() && valid) {
@@ -594,9 +599,27 @@
                 retVal = targToken.getEncoded();
 
             } else if (state == STATE_IN_PROCESS) {
+                // read data
+                byte[] token = new byte[is.available()];
+                SpNegoToken.readFully(is, token);
+                if (DEBUG) {
+                    System.out.println("SpNegoContext.acceptSecContext: " +
+                            "receiving token = " +
+                            SpNegoToken.getHexBytes(token));
+                }
+
+                // read the SPNEGO token
+                // token will be validated when parsing
+                NegTokenTarg inputToken = new NegTokenTarg(token);
+
+                if (DEBUG) {
+                    System.out.println("SpNegoContext.acceptSecContext: " +
+                            "received token of type = " +
+                            SpNegoToken.getTokenName(inputToken.getType()));
+                }
+
                 // read the token
-                byte[] client_token = new byte[is.available()];
-                SpNegoToken.readFully(is, client_token);
+                byte[] client_token = inputToken.getResponseToken();
                 byte[] accept_token = GSS_acceptSecContext(client_token);
                 if (accept_token == null) {
                     valid = false;
@@ -1055,7 +1078,7 @@
      * This is only valid on the acceptor side of the context.
      * @return GSSCredentialSpi object for the delegated credential
      * @exception GSSException
-     * @see GSSContext#getDelegCredState
+     * @see GSSContext#getCredDelegState
      */
     public final GSSCredentialSpi getDelegCred() throws GSSException {
         if (state != STATE_IN_PROCESS && state != STATE_DONE)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/jgss/spnego/NotPreferredMech.java	Mon Jul 21 22:10:37 2014 +0800
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8048194
+ * @run main/othervm NotPreferredMech
+ * @summary GSSContext.acceptSecContext fails when a supported mech is not initiator preferred
+ */
+
+import org.ietf.jgss.*;
+import sun.security.jgss.*;
+import sun.security.jgss.spnego.NegTokenInit;
+import sun.security.jgss.spnego.NegTokenTarg;
+import sun.security.util.BitArray;
+import sun.security.util.DerOutputStream;
+import sun.security.util.DerValue;
+import sun.security.util.ObjectIdentifier;
+
+import java.io.ByteArrayOutputStream;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
+
+public class NotPreferredMech {
+
+    public static void main(String[] argv) throws Exception {
+
+        // Generates a NegTokenInit mechTypes field, with an
+        // unsupported mech as the preferred.
+        DerOutputStream mech = new DerOutputStream();
+        mech.write(new Oid("1.2.3.4").getDER());
+        mech.write(GSSUtil.GSS_KRB5_MECH_OID.getDER());
+        DerOutputStream mechTypeList = new DerOutputStream();
+        mechTypeList.write(DerValue.tag_Sequence, mech);
+
+        // Generates a NegTokenInit mechToken field for 1.2.3.4 mech
+        GSSHeader h1 = new GSSHeader(new ObjectIdentifier("1.2.3.4"), 1);
+        ByteArrayOutputStream bout = new ByteArrayOutputStream();
+        h1.encode(bout);
+        bout.write(new byte[1]);
+
+        // Generates the NegTokenInit token
+        Constructor<NegTokenInit> ctor = NegTokenInit.class.getDeclaredConstructor(
+                byte[].class, BitArray.class, byte[].class, byte[].class);
+        ctor.setAccessible(true);
+        NegTokenInit initToken = ctor.newInstance(
+                mechTypeList.toByteArray(),
+                new BitArray(0),
+                bout.toByteArray(),
+                null);
+        Method m = Class.forName("sun.security.jgss.spnego.SpNegoToken")
+                .getDeclaredMethod("getEncoded");
+        m.setAccessible(true);
+        byte[] spnegoToken = (byte[])m.invoke(initToken);
+
+        // and wraps it into a GSSToken
+        GSSHeader h = new GSSHeader(
+                new ObjectIdentifier(GSSUtil.GSS_SPNEGO_MECH_OID.toString()),
+                spnegoToken.length);
+        bout = new ByteArrayOutputStream();
+        h.encode(bout);
+        bout.write(spnegoToken);
+        byte[] token = bout.toByteArray();
+
+        // and feeds it to a GSS acceptor
+        GSSManager man = GSSManager.getInstance();
+        GSSContext ctxt = man.createContext((GSSCredential) null);
+        token = ctxt.acceptSecContext(token, 0, token.length);
+        NegTokenTarg targ = new NegTokenTarg(token);
+
+        // Make sure it's a GO-ON message
+        Method m2 = NegTokenTarg.class.getDeclaredMethod("getNegotiatedResult");
+        m2.setAccessible(true);
+        int negResult = (int)m2.invoke(targ);
+
+        if (negResult != 1 /* ACCEPT_INCOMPLETE */) {
+            throw new Exception("Not a continue");
+        }
+    }
+}