infernap12/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2026-04-14 00:49:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

7032354: no-addresses should not be used on acceptor side

Browse Source 
Reviewed-by: valeriep
This commit is contained in:
Weijun Wang 2011-04-07 08:51:33 +08:00
parent 56352663f5
commit 2c02243de9
3 changed files with 104 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
jdk/src/share/classes/sun/security/krb5/KrbApReq.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -37,6 +37,7 @@ import sun.security.krb5.internal.rcache.*;
import java.net.InetAddress;
import sun.security.util.*;
import java.io.IOException;
import java.util.Arrays;
/**
* This class encapsulates a KRB-AP-REQ that a client sends to a
@ -54,9 +55,6 @@ public class KrbApReq {
private static CacheTable table = new CacheTable();
private static boolean DEBUG = Krb5.DEBUG;
// default is address-less tickets
private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true;
/**
* Contructs a AP-REQ message to send to the peer.
* @param tgsCred the <code>Credentials</code> to be used to construct the
@ -312,23 +310,19 @@ public class KrbApReq {
table.put(client, time, currTime.getTime());
}
// check to use addresses in tickets
if (Config.getInstance().useAddresses()) {
KDC_EMPTY_ADDRESSES_ALLOWED = false;
}
// sender host address
HostAddress sender = null;
if (initiator != null) {
sender = new HostAddress(initiator);
}
if (sender != null || !KDC_EMPTY_ADDRESSES_ALLOWED) {
if (enc_ticketPart.caddr != null) {
if (sender == null)
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
if (!enc_ticketPart.caddr.inList(sender))
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
// sender host address
HostAddress sender = new HostAddress(initiator);
if (enc_ticketPart.caddr != null
&& !enc_ticketPart.caddr.inList(sender)) {
if (DEBUG) {
System.out.println(">>> KrbApReq: initiator is "
+ sender.getInetAddress()
+ ", but caddr is "
+ Arrays.toString(
enc_ticketPart.caddr.getInetAddresses()));
}
throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
}
}

12
jdk/test/sun/security/krb5/auto/KDC.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -691,7 +691,10 @@ public class KDC {
new KerberosTime(new Date()),
body.from,
till, body.rtime,
body.addresses,
body.addresses != null // always set caddr
? body.addresses
: new HostAddresses(
new InetAddress[]{InetAddress.getLocalHost()}),
null);
EncryptionKey skey = keyForUser(body.sname, e3, true);
if (skey == null) {
@ -716,7 +719,10 @@ public class KDC {
till, body.rtime,
body.crealm,
body.sname,
body.addresses
body.addresses != null // always set caddr
? body.addresses
: new HostAddresses(
new InetAddress[]{InetAddress.getLocalHost()})
);
EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY);
TGSRep tgsRep = new TGSRep(null,

81
jdk/test/sun/security/krb5/auto/NoAddresses.java Normal file
View File

@ -0,0 +1,81 @@
/*
* Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 7032354
* @run main/othervm NoAddresses 1
* @run main/othervm NoAddresses 2
* @run main/othervm/fail NoAddresses 3
* @summary no-addresses should not be used on acceptor side
*/
import java.net.InetAddress;
import org.ietf.jgss.ChannelBinding;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;
public class NoAddresses {
public static void main(String[] args)
throws Exception {
OneKDC kdc = new OneKDC(null);
kdc.writeJAASConf();
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
"noaddresses = false",
"default_keytab_name = " + OneKDC.KTAB);
Config.refresh();
Context c = Context.fromJAAS("client");
Context s = Context.fromJAAS("server");
c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
InetAddress initiator = InetAddress.getLocalHost();
InetAddress acceptor = InetAddress.getLocalHost();
switch (args[0]) {
case "1":
// no initiator host address available, should be OK
break;
case "2":
// correct initiator host address, still fine
c.x().setChannelBinding(
new ChannelBinding(initiator, acceptor, null));
s.x().setChannelBinding(
new ChannelBinding(initiator, acceptor, null));
break;
case "3":
// incorrect initiator host address, fail
initiator = InetAddress.getByAddress(new byte[]{1,1,1,1});
c.x().setChannelBinding(
new ChannelBinding(initiator, acceptor, null));
s.x().setChannelBinding(
new ChannelBinding(initiator, acceptor, null));
break;
}
Context.handshake(c, s);
}
}