7077646: gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY
Reviewed-by: valeriep
--- a/jdk/src/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java Wed Sep 28 14:21:10 2011 +0800
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java Wed Sep 28 14:21:11 2011 +0800
@@ -94,7 +94,7 @@
*/
EncryptionKey subKey = apRep.getSubKey();
if (subKey != null) {
- context.setKey(subKey);
+ context.setKey(Krb5Context.ACCEPTOR_SUBKEY, subKey);
/*
System.out.println("\n\nSub-Session key from AP-REP is: " +
getHexBytes(subKey.getBytes()) + "\n");
--- a/jdk/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java Wed Sep 28 14:21:10 2011 +0800
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java Wed Sep 28 14:21:11 2011 +0800
@@ -74,9 +74,9 @@
EncryptionKey subKey = apReq.getSubKey();
if (subKey != null)
- context.setKey(subKey);
+ context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
else
- context.setKey(serviceTicket.getSessionKey());
+ context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey());
if (!mutualRequired)
context.resetPeerSequenceNumber(0);
@@ -117,13 +117,13 @@
EncryptionKey subKey = apReq.getSubKey();
if (subKey != null) {
- context.setKey(subKey);
+ context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);
/*
System.out.println("Sub-Session key from authenticator is: " +
getHexBytes(subKey.getBytes()) + "\n");
*/
} else {
- context.setKey(sessionKey);
+ context.setKey(Krb5Context.SESSION_KEY, sessionKey);
//System.out.println("Sub-Session Key Missing in Authenticator.\n");
}
--- a/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java Wed Sep 28 14:21:10 2011 +0800
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java Wed Sep 28 14:21:11 2011 +0800
@@ -67,6 +67,10 @@
private int state = STATE_NEW;
+ public static final int SESSION_KEY = 0;
+ public static final int INITIATOR_SUBKEY = 1;
+ public static final int ACCEPTOR_SUBKEY = 2;
+
/*
* Optional features that the application can set and their default
* values.
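Review bot: The three new public constants `SESSION_KEY`, `INITIATOR_SUBKEY` and `ACCEPTOR_SUBKEY` have no comment saying what they classify, and the zero value is also the implicit default of the `keySrc` field added in the next hunk, so an unset context reads as "session key". I would add one line above them: `// Origin of the context key as recorded by setKey(): ticket session key, initiator's authenticator subkey, or acceptor's AP-REP subkey (0 is also the value before setKey() runs).` The int-constant style matches what this class already does for `state` (`STATE_NEW` on the first context line), so an enum is not needed here, but the comment is.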
@@ -82,6 +86,7 @@
private int mySeqNumber;
private int peerSeqNumber;
+ private int keySrc;
private TokenTracker peerTokenTracker;
private CipherHelper cipherHelper = null;
@@ -384,12 +389,17 @@
}
}
- final void setKey(EncryptionKey key) throws GSSException {
+ final void setKey(int keySrc, EncryptionKey key) throws GSSException {
this.key = key;
+ this.keySrc = keySrc;
// %%% to do: should clear old cipherHelper first
cipherHelper = new CipherHelper(key); // Need to use new key
}
+ public final int getKeySrc() {
+ return keySrc;
+ }
+
private final EncryptionKey getKey() {
return key;
}
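Review bot: `setKey` stores whatever int it is given into `keySrc` without checking it is one of the three declared constants, and the only consumer visible in this changeset (`MessageToken_v2`) just compares it with `ACCEPTOR_SUBKEY`, so a bad value would silently mean "no acceptor subkey". A guard at the top of the method, `if (keySrc < SESSION_KEY || keySrc > ACCEPTOR_SUBKEY) throw new IllegalArgumentException("keySrc: " + keySrc);`, makes misuse fail loudly instead. `getKeySrc()` is public and should carry a Javadoc such as `/** Returns which key setKey() installed: SESSION_KEY, INITIATOR_SUBKEY or ACCEPTOR_SUBKEY. */`.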
--- a/jdk/src/share/classes/sun/security/jgss/krb5/MessageToken_v2.java Wed Sep 28 14:21:10 2011 +0800
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/MessageToken_v2.java Wed Sep 28 14:21:11 2011 +0800
@@ -141,6 +141,7 @@
// Context properties
private boolean confState = true;
private boolean initiator = true;
+ private boolean have_acceptor_subkey = false;
/* cipher instance used by the corresponding GSSContext */
CipherHelper cipherHelper = null;
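Review bot: `have_acceptor_subkey` is snake_case while the neighbouring fields (`confState`, `initiator`, `cipherHelper`) are lowerCamelCase; renaming it `haveAcceptorSubkey` here and at its assignment in the later hunk (`this.have_acceptor_subkey = context.getKeySrc() == Krb5Context.ACCEPTOR_SUBKEY;`) would match the file. The removed `MessageTokenHeader` constructor parameter of the same name is presumably what this field replaces, but that constructor's body lies outside the last hunk, so I cannot confirm from here that it now reads the outer field rather than a stale local.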
@@ -311,8 +312,7 @@
}
// Create a new gss token header as defined in RFC 4121
- tokenHeader = new MessageTokenHeader(tokenId,
- prop.getPrivacy(), true);
+ tokenHeader = new MessageTokenHeader(tokenId, prop.getPrivacy());
// debug("\n\t Message Header = " +
// getHexBytes(tokenHeader.getBytes(), tokenHeader.getBytes().length));
@@ -461,6 +461,8 @@
this.initiator = context.isInitiator();
+ this.have_acceptor_subkey = context.getKeySrc() == Krb5Context.ACCEPTOR_SUBKEY;
+
this.cipherHelper = context.getCipherHelper(null);
// debug("In MessageToken.Cons");
}
@@ -501,8 +503,7 @@
private byte[] bytes = new byte[TOKEN_HEADER_SIZE];
// Writes a new token header
- public MessageTokenHeader(int tokenId, boolean conf,
- boolean have_acceptor_subkey) throws GSSException {
+ public MessageTokenHeader(int tokenId, boolean conf) throws GSSException {
this.tokenId = tokenId;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/AcceptorSubKey.java Wed Sep 28 14:21:11 2011 +0800
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7077646
+ * @summary gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY
+ * @compile -XDignore.symbol.file AcceptorSubKey.java
+ * @run main/othervm AcceptorSubKey
+ */
+
+import java.util.Arrays;
+import sun.security.jgss.GSSUtil;
+
+// The basic krb5 test skeleton you can copy from
+public class AcceptorSubKey {
+
+ public static void main(String[] args) throws Exception {
+
+ new OneKDC(null).writeJAASConf();
+
+ Context c, s;
+ c = Context.fromJAAS("client");
+ s = Context.fromJAAS("server");
+
+ c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_SPNEGO_MECH_OID);
+ s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
+
+ Context.handshake(c, s);
+
+ byte[] msg = "i say high --".getBytes();
+ byte[] wrapped = s.wrap(msg, false);
+
+ // FLAG_ACCEPTOR_SUBKEY is 4
+ int flagOn = wrapped[2] & 4;
+ if (flagOn != 0) {
+ throw new Exception("Java GSS should not have set acceptor subkey");
+ }
+
+ s.dispose();
+ c.dispose();
+ }
+}
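Review bot: The test only covers the negative case — an acceptor that supplied no subkey must leave the flag clear — and has no positive check that the flag is set when the context's key source is `ACCEPTOR_SUBKEY`, which is the other half of the change made in `AcceptSecContextToken`. If the test KDC cannot be made to issue an AP-REP subkey, a comment saying so would explain the gap. `wrapped[2] & 4` also hard-codes the RFC 4121 header layout; a named `int FLAG_ACCEPTOR_SUBKEY = 4;` with a comment that octet 2 of the wrap token header is the Flags field would make the assertion self-describing, and `"i say high --".getBytes()` should name a charset so the input does not depend on the platform default.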