6682540: Incorrect SASL DIGEST-MD5 behavior
authorweijun
Sat, 25 May 2019 08:30:53 +0800
changeset 55040 0627b8ad33c1
parent 55039 4947a097db60
child 55041 18f94e911c55
6682540: Incorrect SASL DIGEST-MD5 behavior Reviewed-by: jnimeh
src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Server.java
test/jdk/com/sun/security/sasl/digest/HasInitialResponse.java
--- a/src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Server.java	Fri May 24 15:06:58 2019 -0400
+++ b/src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Server.java	Sat May 25 08:30:53 2019 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -195,8 +195,13 @@
         switch (step) {
         case 1:
             if (response.length != 0) {
-                throw new SaslException(
-                    "DIGEST-MD5 must not have an initial response");
+                // We do not support "subsequent authentication" (client
+                // initial response). According to
+                // https://tools.ietf.org/html/rfc2831#section-2.2
+                // If the server does not support subsequent authentication,
+                // then it sends a "digest-challenge", and authentication
+                // proceeds as in initial authentication.
+                logger.log(Level.FINE, "Ignoring initial response");
             }
 
             /* Generate first challenge */
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/com/sun/security/sasl/digest/HasInitialResponse.java	Sat May 25 08:30:53 2019 +0800
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 6682540
+ * @summary Incorrect SASL DIGEST-MD5 behavior
+ */
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslClient;
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+import java.nio.charset.StandardCharsets;
+
+public class HasInitialResponse {
+
+    private static final String MECH = "DIGEST-MD5";
+    private static final String SERVER_FQDN = "machineX.imc.org";
+    private static final String PROTOCOL = "jmx";
+
+    private static final byte[] EMPTY = new byte[0];
+
+    public static void main(String[] args) throws Exception {
+
+        CallbackHandler clntCbh = new ClientCallbackHandler(true);
+        CallbackHandler srvCbh = new PropertiesFileCallbackHandler(
+                "pw.properties", "names.properties", null);
+
+        // Get an existing SaslClient as base of our own client
+        SaslClient base = Sasl.createSaslClient(
+                new String[]{MECH}, null, PROTOCOL, SERVER_FQDN,
+                null, clntCbh);
+
+        // Our own client that has initial response
+        SaslClient clnt = new MyDigestMD5Client(base);
+
+        SaslServer srv = Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN,
+                null, srvCbh);
+
+        // The usual loop
+        byte[] response = clnt.hasInitialResponse()
+                ? clnt.evaluateChallenge(EMPTY) : EMPTY;
+        byte[] challenge;
+
+        while (!clnt.isComplete() || !srv.isComplete()) {
+            challenge = srv.evaluateResponse(response);
+
+            if (challenge != null) {
+                response = clnt.evaluateChallenge(challenge);
+            }
+        }
+
+        if (clnt.isComplete() && srv.isComplete()) {
+            System.out.println("SUCCESS");
+            System.out.println("authzid is " + srv.getAuthorizationID());
+        } else {
+            throw new IllegalStateException(
+                    "FAILURE: mismatched state:" +
+                            " client complete? " + clnt.isComplete() +
+                            " server complete? " + srv.isComplete());
+        }
+
+        clnt.dispose();
+        srv.dispose();
+    }
+
+    public static class MyDigestMD5Client implements SaslClient {
+
+        final SaslClient base;
+        boolean first = true;
+
+        public MyDigestMD5Client(SaslClient base) {
+            this.base = base;
+        }
+
+        @Override
+        public String getMechanismName() {
+            return base.getMechanismName();
+        }
+
+        @Override
+        public boolean hasInitialResponse() {
+            return true; // I have initial response
+        }
+
+        @Override
+        public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
+            if (first) {
+                first = false;
+                if (challenge.length == 0) {
+                    return "hello".getBytes(StandardCharsets.UTF_8);
+                } else {
+                    throw new SaslException("Non-empty challenge");
+                }
+            } else {
+                return base.evaluateChallenge(challenge);
+            }
+        }
+
+        @Override
+        public boolean isComplete() {
+            return base.isComplete();
+        }
+
+        @Override
+        public byte[] unwrap(byte[] incoming, int offset, int len)
+                throws SaslException {
+            return base.unwrap(incoming, offset, len);
+        }
+
+        @Override
+        public byte[] wrap(byte[] outgoing, int offset, int len)
+                throws SaslException {
+            return base.wrap(outgoing, offset, len);
+        }
+
+        @Override
+        public Object getNegotiatedProperty(String propName) {
+            return base.getNegotiatedProperty(propName);
+        }
+
+        @Override
+        public void dispose() throws SaslException {
+            base.dispose();
+        }
+    }
+}