8012082: SASL: auth-conf negotiated, but unencrypted data is accepted, reset to unencrypt
authorweijun
Wed, 01 May 2013 21:05:10 +0800
changeset 17209 6f556e154816
parent 17208 cf76dafb155d
child 17210 8a90d05f28d8
8012082: SASL: auth-conf negotiated, but unencrypted data is accepted, reset to unencrypt Reviewed-by: vinnie
jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java
jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java
jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java
jdk/test/sun/security/krb5/auto/SaslGSS.java
--- a/jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java	Wed May 01 11:15:35 2013 +0100
+++ b/jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java	Wed May 01 21:05:10 2013 +0800
@@ -45,7 +45,6 @@
     }
 
     protected GSSContext secCtx = null;
-    protected MessageProp msgProp;              // QOP and privacy for unwrap
     protected static final int JGSS_QOP = 0;    // unrelated to SASL QOP mask
 
     protected GssKrb5Base(Map<String, ?> props, String className)
@@ -74,6 +73,7 @@
         }
 
         try {
+            MessageProp msgProp = new MessageProp(JGSS_QOP, privacy);
             byte[] answer = secCtx.unwrap(incoming, start, len, msgProp);
             if (logger.isLoggable(Level.FINEST)) {
                 traceOutput(myClassName, "KRB501:Unwrap", "incoming: ",
@@ -99,6 +99,7 @@
 
         // Generate GSS token
         try {
+            MessageProp msgProp = new MessageProp(JGSS_QOP, privacy);
             byte[] answer = secCtx.wrap(outgoing, start, len, msgProp);
             if (logger.isLoggable(Level.FINEST)) {
                 traceOutput(myClassName, "KRB503:Wrap", "outgoing: ",
--- a/jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java	Wed May 01 11:15:35 2013 +0100
+++ b/jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java	Wed May 01 21:05:10 2013 +0800
@@ -320,7 +320,6 @@
             }
 
             completed = true;  // server authenticated
-            msgProp = new MessageProp(JGSS_QOP, privacy);
 
             return gssOutToken;
         } catch (GSSException e) {
--- a/jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java	Wed May 01 11:15:35 2013 +0100
+++ b/jdk/src/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Server.java	Wed May 01 21:05:10 2013 +0800
@@ -270,7 +270,6 @@
             } else if ((selectedQop&INTEGRITY_ONLY_PROTECTION) != 0) {
                 integrity = true;
             }
-            msgProp = new MessageProp(JGSS_QOP, privacy);
 
             // 2nd-4th octets specifies maximum buffer size expected by
             // client (in network byte order). This is the server's send
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/SaslGSS.java	Wed May 01 21:05:10 2013 +0800
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8012082
+ * @summary SASL: auth-conf negotiated, but unencrypted data is accepted,
+  *         reset to unencrypt
+ * @compile -XDignore.symbol.file SaslGSS.java
+ * @run main/othervm SaslGSS
+ */
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.sasl.AuthorizeCallback;
+import javax.security.sasl.RealmCallback;
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslServer;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Locale;
+import org.ietf.jgss.*;
+import sun.security.jgss.GSSUtil;
+
+public class SaslGSS {
+
+    public static void main(String[] args) throws Exception {
+
+        String name = "host." + OneKDC.REALM.toLowerCase(Locale.US);
+
+        new OneKDC(null).writeJAASConf();
+        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
+
+        // Client in JGSS so that it can control wrap privacy mode
+        GSSManager m = GSSManager.getInstance();
+        GSSContext sc = m.createContext(
+                        m.createName(OneKDC.SERVER, GSSUtil.NT_GSS_KRB5_PRINCIPAL),
+                        GSSUtil.GSS_KRB5_MECH_OID,
+                        null,
+                        GSSContext.DEFAULT_LIFETIME);
+        sc.requestMutualAuth(false);
+
+        // Server in SASL
+        final HashMap props = new HashMap();
+        props.put(Sasl.QOP, "auth-conf");
+        SaslServer ss = Sasl.createSaslServer("GSSAPI", "server",
+                name, props,
+                new CallbackHandler() {
+                    public void handle(Callback[] callbacks)
+                            throws IOException, UnsupportedCallbackException {
+                        for (Callback cb : callbacks) {
+                            if (cb instanceof RealmCallback) {
+                                ((RealmCallback) cb).setText(OneKDC.REALM);
+                            } else if (cb instanceof AuthorizeCallback) {
+                                ((AuthorizeCallback) cb).setAuthorized(true);
+                            }
+                        }
+                    }
+                });
+
+        // Handshake
+        byte[] token = new byte[0];
+        token = sc.initSecContext(token, 0, token.length);
+        token = ss.evaluateResponse(token);
+        token = sc.unwrap(token, 0, token.length, new MessageProp(0, false));
+        token[0] = (byte)(((token[0] & 4) != 0) ? 4 : 2);
+        token = sc.wrap(token, 0, token.length, new MessageProp(0, false));
+        ss.evaluateResponse(token);
+
+        // Talk
+        // 1. Client sends a auth-int message
+        byte[] hello = "hello".getBytes();
+        MessageProp qop = new MessageProp(0, false);
+        token = sc.wrap(hello, 0, hello.length, qop);
+        // 2. Server accepts it anyway
+        ss.unwrap(token, 0, token.length);
+        // 3. Server sends a message
+        token = ss.wrap(hello, 0, hello.length);
+        // 4. Client accepts, should be auth-conf
+        sc.unwrap(token, 0, token.length, qop);
+        if (!qop.getPrivacy()) {
+            throw new Exception();
+        }
+    }
+}