From 8676006f11eea0372c948629e0f75b990872ad2a Mon Sep 17 00:00:00 2001 From: Sean Mullan Date: Mon, 8 Nov 2010 11:33:24 -0500 Subject: [PATCH 1/4] 6994717: expired certificate in test ValidateCertPath Reviewed-by: vinnie --- .../nameConstraintsRFC822/ValidateCertPath.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java b/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java index afa62e6e526..fad92e826ab 100644 --- a/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java +++ b/jdk/test/java/security/cert/CertPathValidator/nameConstraintsRFC822/ValidateCertPath.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ /* * @test - * @bug 4684810 + * @bug 4684810 6994717 * @summary Verify that RFC822 name constraints are checked correctly */ @@ -38,6 +38,7 @@ import java.security.cert.PKIXReason; import java.util.ArrayList; import java.util.Collections; +import java.util.Date; import java.util.List; import java.util.Set; @@ -100,6 +101,9 @@ public final class ValidateCertPath { Set anchors = Collections.singleton(anchor); params = new PKIXParameters(anchors); params.setRevocationEnabled(false); + // The certificates expired on 10/22/10, so set the validity date to + // 05/01/2009 to avoid expiration failures + params.setDate(new Date(1243828800000l)); } /* From 39a2b6c9ff9d08ad8fb9f2062fa833a1b54ab95d Mon Sep 17 00:00:00 2001 From: Kelly O'Hair Date: Mon, 8 Nov 2010 09:29:18 -0800 Subject: [PATCH 2/4] 6792706: Add JAR file to bootclasspath when using AggressiveOpts Reviewed-by: alanb, kvn, darcy --- jdk/make/Makefile | 7 +- jdk/make/altclasses/Makefile | 84 +++++++++++++++++++ .../java/lang/reflect/Generics/Probe.java | 5 +- jdk/test/java/util/NavigableMap/LockStep.java | 5 +- 4 files changed, 95 insertions(+), 6 deletions(-) create mode 100644 jdk/make/altclasses/Makefile diff --git a/jdk/make/Makefile b/jdk/make/Makefile index 63e7803ffe3..9ec690639a9 100644 --- a/jdk/make/Makefile +++ b/jdk/make/Makefile @@ -1,5 +1,5 @@ # -# Copyright (c) 1995, 2007, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 1995, 2010, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -243,6 +243,11 @@ SUBDIRS = tools java javax sun com SUBDIRS_tools = launchers SUBDIRS_misc = org sunw jpda mkdemo mksample +# Alternate classes implementation +ifndef OPENJDK + SUBDIRS_misc += altclasses +endif + include $(BUILDDIR)/common/Subdirs.gmk all build:: diff --git a/jdk/make/altclasses/Makefile b/jdk/make/altclasses/Makefile new file mode 100644 index 00000000000..201752071d4 --- /dev/null +++ b/jdk/make/altclasses/Makefile @@ -0,0 +1,84 @@ +# +# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# +# Makefile for building alternate runtime classes (not used by default) +# + +BUILDDIR = .. + +PRODUCT = altclasses + +include $(BUILDDIR)/common/Defs.gmk + +# Root of alternate class sources + +ALTCLASSES_SRCDIR = $(CLOSED_SRC)/share/altclasses + +# Alternate runtime classes + +ALTRT_JAR_FILE = $(LIBDIR)/alt-rt.jar +ALTRT_JAR_SOURCE_FILE = $(TEMPDIR)/alt-rt.jarsrclist +ALTRT_JAR_SOURCES = $(wildcard $(ALTCLASSES_SRCDIR)/java/*/*.java) + +# Use a special file suffix for the file that holds the source list + +.SUFFIXES: .jarsrclist + +# Build rules + +all build: + @if [ -d $(ALTCLASSES_SRCDIR) ] ; then \ + $(MAKE) $(ALTRT_JAR_FILE); \ + fi + +# Source list file creation + +$(ALTRT_JAR_SOURCE_FILE): $(ALTRT_JAR_SOURCES) FRC + $(prep-target) + $(ECHO) $(ALTRT_JAR_SOURCES) > $@ + +clean clobber:: + $(RM) $(ALTRT_JAR_FILE) $(ALTRT_JAR_SOURCE_FILE) + $(RM) -r $(ALTRT_JAR_SOURCE_FILE).classes + +include $(BUILDDIR)/common/Classes.gmk + +# Pattern rule to turn a source list file into a jar file +$(LIBDIR)/%.jar : $(TEMPDIR)/%.jarsrclist + $(prep-target) + $(RM) -r $(<).classes + $(MKDIR) -p $(<).classes + $(JAVAC_CMD) -implicit:none -d $(<).classes @$< + $(BOOT_JAR_CMD) cf $@ -C $(<).classes . $(BOOT_JAR_JFLAGS) + +# Force target + +FRC: + +# Non file targets + +.PHONY: all build clean clobber + diff --git a/jdk/test/java/lang/reflect/Generics/Probe.java b/jdk/test/java/lang/reflect/Generics/Probe.java index c65a0558b0a..14d094a2e6c 100644 --- a/jdk/test/java/lang/reflect/Generics/Probe.java +++ b/jdk/test/java/lang/reflect/Generics/Probe.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -47,9 +47,6 @@ import static java.util.Arrays.*; "java.util.WeakHashMap$EntryIterator", "java.util.WeakHashMap$KeyIterator", "java.util.WeakHashMap$ValueIterator", - "java.util.TreeMap$EntryIterator", - "java.util.TreeMap$KeyIterator", - "java.util.TreeMap$ValueIterator", "java.util.HashMap$EntryIterator", "java.util.HashMap$KeyIterator", "java.util.HashMap$ValueIterator", diff --git a/jdk/test/java/util/NavigableMap/LockStep.java b/jdk/test/java/util/NavigableMap/LockStep.java index fbe58dedc70..64f9bdf7683 100644 --- a/jdk/test/java/util/NavigableMap/LockStep.java +++ b/jdk/test/java/util/NavigableMap/LockStep.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2008, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ * @test * @bug 6420753 6242436 6691185 * @summary Compare NavigableMap implementations for identical behavior + * @run main LockStep + * @run main/othervm -XX:+AggressiveOpts LockStep + * @run main/othervm -XX:+AggressiveOpts -Dthorough=true LockStep * @author Martin Buchholz */ From 5b6c23c8098ea533df007f57091deae3cadba7ff Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Tue, 9 Nov 2010 08:34:11 +0800 Subject: [PATCH 3/4] 6952519: kdc_timeout is not being honoured when using TCP Reviewed-by: valeriep --- .../classes/sun/security/krb5/KrbKdcReq.java | 67 +++------ .../{TCPClient.java => NetClient.java} | 76 +++++++++- .../sun/security/krb5/internal/UDPClient.java | 99 ------------- .../sun/security/krb5/auto/TcpTimeout.java | 138 ++++++++++++++++++ 4 files changed, 228 insertions(+), 152 deletions(-) rename jdk/src/share/classes/sun/security/krb5/internal/{TCPClient.java => NetClient.java} (66%) delete mode 100644 jdk/src/share/classes/sun/security/krb5/internal/UDPClient.java create mode 100644 jdk/test/sun/security/krb5/auto/TcpTimeout.java diff --git a/jdk/src/share/classes/sun/security/krb5/KrbKdcReq.java b/jdk/src/share/classes/sun/security/krb5/KrbKdcReq.java index 9f968014ea1..1919b70fc91 100644 --- a/jdk/src/share/classes/sun/security/krb5/KrbKdcReq.java +++ b/jdk/src/share/classes/sun/security/krb5/KrbKdcReq.java @@ -36,8 +36,7 @@ import java.security.PrivilegedAction; import java.security.Security; import java.util.Locale; import sun.security.krb5.internal.Krb5; -import sun.security.krb5.internal.UDPClient; -import sun.security.krb5.internal.TCPClient; +import sun.security.krb5.internal.NetClient; import java.io.IOException; import java.net.SocketTimeoutException; import java.util.StringTokenizer; @@ -349,12 +348,16 @@ public abstract class KrbKdcReq { byte[] ibuf = null; - if (useTCP) { - TCPClient kdcClient = new TCPClient(kdc, port); + for (int i=1; i <= retries; i++) { + String proto = useTCP?"TCP":"UDP"; + NetClient kdcClient = NetClient.getInstance( + proto, kdc, port, timeout); if (DEBUG) { System.out.println(">>> KDCCommunication: kdc=" + kdc - + " TCP:" - + port + + " " + proto + ":" + + port + ", timeout=" + + timeout + + ",Attempt =" + i + ", #bytes=" + obuf.length); } try { @@ -366,51 +369,19 @@ public abstract class KrbKdcReq { * And get a response. */ ibuf = kdcClient.receive(); + break; + } catch (SocketTimeoutException se) { + if (DEBUG) { + System.out.println ("SocketTimeOutException with " + + "attempt: " + i); + } + if (i == retries) { + ibuf = null; + throw se; + } } finally { kdcClient.close(); } - - } else { - // For each KDC we try defaultKdcRetryLimit times to - // get the response - for (int i=1; i <= retries; i++) { - UDPClient kdcClient = new UDPClient(kdc, port, timeout); - - if (DEBUG) { - System.out.println(">>> KDCCommunication: kdc=" + kdc - + (useTCP ? " TCP:":" UDP:") - + port + ", timeout=" - + timeout - + ",Attempt =" + i - + ", #bytes=" + obuf.length); - } - try { - /* - * Send the data to the kdc. - */ - - kdcClient.send(obuf); - - /* - * And get a response. - */ - try { - ibuf = kdcClient.receive(); - break; - } catch (SocketTimeoutException se) { - if (DEBUG) { - System.out.println ("SocketTimeOutException with " + - "attempt: " + i); - } - if (i == retries) { - ibuf = null; - throw se; - } - } - } finally { - kdcClient.close(); - } - } } return ibuf; } diff --git a/jdk/src/share/classes/sun/security/krb5/internal/TCPClient.java b/jdk/src/share/classes/sun/security/krb5/internal/NetClient.java similarity index 66% rename from jdk/src/share/classes/sun/security/krb5/internal/TCPClient.java rename to jdk/src/share/classes/sun/security/krb5/internal/NetClient.java index 770871e7b6b..36e9a5c59c1 100644 --- a/jdk/src/share/classes/sun/security/krb5/internal/TCPClient.java +++ b/jdk/src/share/classes/sun/security/krb5/internal/NetClient.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,18 +34,38 @@ package sun.security.krb5.internal; import java.io.*; import java.net.*; -public class TCPClient { +public abstract class NetClient { + public static NetClient getInstance(String protocol, String hostname, int port, + int timeout) throws IOException { + if (protocol.equals("TCP")) { + return new TCPClient(hostname, port, timeout); + } else { + return new UDPClient(hostname, port, timeout); + } + } + + abstract public void send(byte[] data) throws IOException; + + abstract public byte[] receive() throws IOException; + + abstract public void close() throws IOException; +} + +class TCPClient extends NetClient { private Socket tcpSocket; private BufferedOutputStream out; private BufferedInputStream in; - public TCPClient(String hostname, int port) throws IOException { + TCPClient(String hostname, int port, int timeout) + throws IOException { tcpSocket = new Socket(hostname, port); out = new BufferedOutputStream(tcpSocket.getOutputStream()); in = new BufferedInputStream(tcpSocket.getInputStream()); + tcpSocket.setSoTimeout(timeout); } + @Override public void send(byte[] data) throws IOException { byte[] lenField = new byte[4]; intToNetworkByteOrder(data.length, lenField, 0, 4); @@ -55,6 +75,7 @@ public class TCPClient { out.flush(); } + @Override public byte[] receive() throws IOException { byte[] lenField = new byte[4]; int count = readFully(lenField, 4); @@ -94,6 +115,7 @@ public class TCPClient { } } + @Override public void close() throws IOException { tcpSocket.close(); } @@ -120,7 +142,7 @@ public class TCPClient { /** * Returns the integer represented by 4 bytes in network byte order. */ - private static final int networkByteOrderToInt(byte[] buf, int start, + private static int networkByteOrderToInt(byte[] buf, int start, int count) { if (count > 4) { throw new IllegalArgumentException( @@ -140,7 +162,7 @@ public class TCPClient { * Encodes an integer into 4 bytes in network byte order in the buffer * supplied. */ - private static final void intToNetworkByteOrder(int num, byte[] buf, + private static void intToNetworkByteOrder(int num, byte[] buf, int start, int count) { if (count > 4) { throw new IllegalArgumentException( @@ -153,3 +175,47 @@ public class TCPClient { } } } + +class UDPClient extends NetClient { + InetAddress iaddr; + int iport; + int bufSize = 65507; + DatagramSocket dgSocket; + DatagramPacket dgPacketIn; + + UDPClient(String hostname, int port, int timeout) + throws UnknownHostException, SocketException { + iaddr = InetAddress.getByName(hostname); + iport = port; + dgSocket = new DatagramSocket(); + dgSocket.setSoTimeout(timeout); + } + + @Override + public void send(byte[] data) throws IOException { + DatagramPacket dgPacketOut = new DatagramPacket(data, data.length, + iaddr, iport); + dgSocket.send(dgPacketOut); + } + + @Override + public byte[] receive() throws IOException { + byte ibuf[] = new byte[bufSize]; + dgPacketIn = new DatagramPacket(ibuf, ibuf.length); + try { + dgSocket.receive(dgPacketIn); + } + catch (SocketException e) { + dgSocket.receive(dgPacketIn); + } + byte[] data = new byte[dgPacketIn.getLength()]; + System.arraycopy(dgPacketIn.getData(), 0, data, 0, + dgPacketIn.getLength()); + return data; + } + + @Override + public void close() { + dgSocket.close(); + } +} diff --git a/jdk/src/share/classes/sun/security/krb5/internal/UDPClient.java b/jdk/src/share/classes/sun/security/krb5/internal/UDPClient.java deleted file mode 100644 index 59b53edfcd9..00000000000 --- a/jdk/src/share/classes/sun/security/krb5/internal/UDPClient.java +++ /dev/null @@ -1,99 +0,0 @@ -/* - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -/* - * - * (C) Copyright IBM Corp. 1999 All Rights Reserved. - * Copyright 1997 The Open Group Research Institute. All rights reserved. - */ - -package sun.security.krb5.internal; - -import java.io.*; -import java.net.*; - -public class UDPClient { - InetAddress iaddr; - int iport; - int bufSize = 65507; - DatagramSocket dgSocket; - DatagramPacket dgPacketIn; - - public UDPClient(InetAddress newIAddr, int port) - throws SocketException { - iaddr = newIAddr; - iport = port; - dgSocket = new DatagramSocket(); - } - - public UDPClient(String hostname, int port) - throws UnknownHostException, SocketException { - iaddr = InetAddress.getByName(hostname); - iport = port; - dgSocket = new DatagramSocket(); - } - - public UDPClient(String hostname, int port, int timeout) - throws UnknownHostException, SocketException { - iaddr = InetAddress.getByName(hostname); - iport = port; - dgSocket = new DatagramSocket(); - dgSocket.setSoTimeout(timeout); - } - - public void setBufSize(int newBufSize) { - bufSize = newBufSize; - } - - public InetAddress getInetAddress() { - if (dgPacketIn != null) - return dgPacketIn.getAddress(); - return null; - } - - public void send(byte[] data) throws IOException { - DatagramPacket dgPacketOut = new DatagramPacket(data, data.length, - iaddr, iport); - dgSocket.send(dgPacketOut); - } - - public byte[] receive() throws IOException { - byte ibuf[] = new byte[bufSize]; - dgPacketIn = new DatagramPacket(ibuf, ibuf.length); - try { - dgSocket.receive(dgPacketIn); - } - catch (SocketException e) { - dgSocket.receive(dgPacketIn); - } - byte[] data = new byte[dgPacketIn.getLength()]; - System.arraycopy(dgPacketIn.getData(), 0, data, 0, - dgPacketIn.getLength()); - return data; - } - - public void close() { - dgSocket.close(); - } -} diff --git a/jdk/test/sun/security/krb5/auto/TcpTimeout.java b/jdk/test/sun/security/krb5/auto/TcpTimeout.java new file mode 100644 index 00000000000..9530803b5b2 --- /dev/null +++ b/jdk/test/sun/security/krb5/auto/TcpTimeout.java @@ -0,0 +1,138 @@ +/* + * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 6952519 + * @run main/timeout=40/othervm TcpTimeout + * @summary kdc_timeout is not being honoured when using TCP + */ + +import java.io.*; +import java.net.ServerSocket; +import sun.security.krb5.Config; + +public class TcpTimeout { + public static void main(String[] args) + throws Exception { + + System.setProperty("sun.security.krb5.debug", "true"); + final int p1 = 10000 + new java.util.Random().nextInt(10000); + final int p2 = 20000 + new java.util.Random().nextInt(10000); + final int p3 = 30000 + new java.util.Random().nextInt(10000); + + KDC k = new KDC(OneKDC.REALM, OneKDC.KDCHOST, p3, true); + k.addPrincipal(OneKDC.USER, OneKDC.PASS); + k.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); + + // Start two listener that does not communicate, simulate timeout + new Thread() { + public void run() { + try { + new ServerSocket(p1).accept(); + } catch (Exception e) { + }} + }.start(); + new Thread() { + public void run() { + try { + new ServerSocket(p2).accept(); + } catch (Exception e) { + }} + }.start(); + + FileWriter fw = new FileWriter("alternative-krb5.conf"); + + fw.write("[libdefaults]\n" + + "udp_preference_limit = 1\n" + + "max_retries = 2\n" + + "default_realm = " + OneKDC.REALM + "\n" + + "kdc_timeout = 5000\n"); + fw.write("[realms]\n" + OneKDC.REALM + " = {\n" + + "kdc = " + OneKDC.KDCHOST + ":" + p1 + "\n" + + "kdc = " + OneKDC.KDCHOST + ":" + p2 + "\n" + + "kdc = " + OneKDC.KDCHOST + ":" + p3 + "\n" + + "}\n"); + + fw.close(); + System.setProperty("java.security.krb5.conf", "alternative-krb5.conf"); + Config.refresh(); + + // The correct behavior should be: + // 5 sec on p1, 5 sec on p1, fail + // 5 sec on p2, 5 sec on p2, fail + // p3 ok, p3 ok again for preauth. + // The total time should be 20sec + 2x. x is processing time for AS-REQ. + int count = 6; + long start = System.nanoTime(); + + ByteArrayOutputStream bo = new ByteArrayOutputStream(); + PrintStream oldout = System.out; + System.setOut(new PrintStream(bo)); + Context c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); + System.setOut(oldout); + + String[] lines = new String(bo.toByteArray()).split("\n"); + for (String line: lines) { + if (line.startsWith(">>> KDCCommunication")) { + System.out.println(line); + count--; + } + } + if (count != 0) { + throw new Exception("Retry count is " + count + " less"); + } + + long end = System.nanoTime(); + if ((end - start)/1000000000L < 20) { + throw new Exception("Too fast? " + (end - start)/1000000000L); + } + } + + private static KDC on(int p) throws Exception { + KDC k = new KDC(OneKDC.REALM, OneKDC.KDCHOST, p, true); + k.addPrincipal(OneKDC.USER, OneKDC.PASS); + k.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); + return k; + } + + private static void addFakeKDCs() + throws Exception { + BufferedReader fr = new BufferedReader(new FileReader(OneKDC.KRB5_CONF)); + FileWriter fw = new FileWriter("alternative-krb5.conf"); + while (true) { + String s = fr.readLine(); + if (s == null) { + break; + } + if (s.trim().startsWith("kdc = ")) { + fw.write(" kdc = localhost:33333\n"); + fw.write(" kdc = localhost:22222\n"); + } + fw.write(s + "\n"); + } + fr.close(); + fw.close(); + sun.security.krb5.Config.refresh(); + } +} From 41fb6ec356d09c158ceceb85e46806fe13c20bf8 Mon Sep 17 00:00:00 2001 From: Chris Hegarty Date: Tue, 9 Nov 2010 16:34:08 +0000 Subject: [PATCH 4/4] 6998250: Remove redundant src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java Reviewed-by: alanb --- .../www/protocol/http/NTLMAuthentication.java | 427 ------------------ 1 file changed, 427 deletions(-) delete mode 100644 jdk/src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java diff --git a/jdk/src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java b/jdk/src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java deleted file mode 100644 index 4bc5a887484..00000000000 --- a/jdk/src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java +++ /dev/null @@ -1,427 +0,0 @@ -/* - * Copyright (c) 2005, 2008, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.net.www.protocol.http; - -import java.io.IOException; -import java.io.UnsupportedEncodingException; -import java.net.InetAddress; -import java.net.PasswordAuthentication; -import java.net.UnknownHostException; -import java.net.URL; -import java.security.GeneralSecurityException; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import javax.crypto.Cipher; -import javax.crypto.NoSuchPaddingException; -import javax.crypto.SecretKey; -import javax.crypto.SecretKeyFactory; -import javax.crypto.spec.DESKeySpec; - -import sun.net.www.HeaderParser; - -/** - * NTLMAuthentication: - * - * @author Michael McMahon - */ - -/* - * NTLM authentication is nominally based on the framework defined in RFC2617, - * but differs from the standard (Basic & Digest) schemes as follows: - * - * 1. A complete authentication requires three request/response transactions - * as shown below: - * REQ -------------------------------> - * <---- 401 (signalling NTLM) -------- - * - * REQ (with type1 NTLM msg) ---------> - * <---- 401 (with type 2 NTLM msg) --- - * - * REQ (with type3 NTLM msg) ---------> - * <---- OK --------------------------- - * - * 2. The scope of the authentication is the TCP connection (which must be kept-alive) - * after the type2 response is received. This means that NTLM does not work end-to-end - * through a proxy, rather between client and proxy, or between client and server (with no proxy) - */ - -class NTLMAuthentication extends AuthenticationInfo { - private static final long serialVersionUID = -2403849171106437142L; - - private byte[] type1; - private byte[] type3; - - private SecretKeyFactory fac; - private Cipher cipher; - private MessageDigest md4; - private String hostname; - private static String defaultDomain; /* Domain to use if not specified by user */ - - static { - defaultDomain = java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("http.auth.ntlm.domain", - "domain")); - }; - - static boolean supportsTransparentAuth () { - return false; - } - - private void init0() { - type1 = new byte[256]; - type3 = new byte[256]; - System.arraycopy (new byte[] {'N','T','L','M','S','S','P',0,1}, 0, type1, 0, 9); - type1[12] = (byte) 3; - type1[13] = (byte) 0xb2; - type1[28] = (byte) 0x20; - System.arraycopy (new byte[] {'N','T','L','M','S','S','P',0,3}, 0, type3, 0, 9); - type3[12] = (byte) 0x18; - type3[14] = (byte) 0x18; - type3[20] = (byte) 0x18; - type3[22] = (byte) 0x18; - type3[32] = (byte) 0x40; - type3[60] = (byte) 1; - type3[61] = (byte) 0x82; - - try { - hostname = java.security.AccessController.doPrivileged( - new java.security.PrivilegedAction() { - public String run() { - String localhost; - try { - localhost = InetAddress.getLocalHost().getHostName().toUpperCase(); - } catch (UnknownHostException e) { - localhost = "localhost"; - } - return localhost; - } - }); - int x = hostname.indexOf ('.'); - if (x != -1) { - hostname = hostname.substring (0, x); - } - fac = SecretKeyFactory.getInstance ("DES"); - cipher = Cipher.getInstance ("DES/ECB/NoPadding"); - md4 = sun.security.provider.MD4.getInstance(); - } catch (NoSuchPaddingException e) { - assert false; - } catch (NoSuchAlgorithmException e) { - assert false; - } - }; - - PasswordAuthentication pw; - String username; - String ntdomain; - String password; - - /** - * Create a NTLMAuthentication: - * Username may be specified as domainusername in the application Authenticator. - * If this notation is not used, then the domain will be taken - * from a system property: "http.auth.ntlm.domain". - */ - public NTLMAuthentication(boolean isProxy, URL url, PasswordAuthentication pw) { - super(isProxy ? PROXY_AUTHENTICATION : SERVER_AUTHENTICATION, - AuthScheme.NTLM, - url, - ""); - init (pw); - } - - private void init (PasswordAuthentication pw) { - this.pw = pw; - String s = pw.getUserName(); - int i = s.indexOf ('\\'); - if (i == -1) { - username = s; - ntdomain = defaultDomain; - } else { - ntdomain = s.substring (0, i).toUpperCase(); - username = s.substring (i+1); - } - password = new String (pw.getPassword()); - init0(); - } - - /** - * Constructor used for proxy entries - */ - public NTLMAuthentication(boolean isProxy, String host, int port, - PasswordAuthentication pw) { - super(isProxy ? PROXY_AUTHENTICATION : SERVER_AUTHENTICATION, - AuthScheme.NTLM, - host, - port, - ""); - init (pw); - } - - /** - * @return true if this authentication supports preemptive authorization - */ - boolean supportsPreemptiveAuthorization() { - return false; - } - - /** - * @return the name of the HTTP header this authentication wants set - */ - String getHeaderName() { - if (type == SERVER_AUTHENTICATION) { - return "Authorization"; - } else { - return "Proxy-authorization"; - } - } - - /** - * Not supported. Must use the setHeaders() method - */ - String getHeaderValue(URL url, String method) { - throw new RuntimeException ("getHeaderValue not supported"); - } - - /** - * Check if the header indicates that the current auth. parameters are stale. - * If so, then replace the relevant field with the new value - * and return true. Otherwise return false. - * returning true means the request can be retried with the same userid/password - * returning false means we have to go back to the user to ask for a new - * username password. - */ - boolean isAuthorizationStale (String header) { - return false; /* should not be called for ntlm */ - } - - /** - * Set header(s) on the given connection. - * @param conn The connection to apply the header(s) to - * @param p A source of header values for this connection, not used because - * HeaderParser converts the fields to lower case, use raw instead - * @param raw The raw header field. - * @return true if all goes well, false if no headers were set. - */ - synchronized boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) { - - try { - String response; - if (raw.length() < 6) { /* NTLM */ - response = buildType1Msg (); - } else { - String msg = raw.substring (5); /* skip NTLM */ - response = buildType3Msg (msg); - } - conn.setAuthenticationProperty(getHeaderName(), response); - return true; - } catch (IOException e) { - return false; - } catch (GeneralSecurityException e) { - return false; - } - } - - private void copybytes (byte[] dest, int destpos, String src, String enc) { - try { - byte[] x = src.getBytes(enc); - System.arraycopy (x, 0, dest, destpos, x.length); - } catch (UnsupportedEncodingException e) { - assert false; - } - } - - private String buildType1Msg () { - int dlen = ntdomain.length(); - type1[16]= (byte) (dlen % 256); - type1[17]= (byte) (dlen / 256); - type1[18] = type1[16]; - type1[19] = type1[17]; - - int hlen = hostname.length(); - type1[24]= (byte) (hlen % 256); - type1[25]= (byte) (hlen / 256); - type1[26] = type1[24]; - type1[27] = type1[25]; - - copybytes (type1, 32, hostname, "ISO8859_1"); - copybytes (type1, hlen+32, ntdomain, "ISO8859_1"); - type1[20] = (byte) ((hlen+32) % 256); - type1[21] = (byte) ((hlen+32) / 256); - - byte[] msg = new byte [32 + hlen + dlen]; - System.arraycopy (type1, 0, msg, 0, 32 + hlen + dlen); - String result = "NTLM " + (new B64Encoder()).encode (msg); - return result; - } - - - /* Convert a 7 byte array to an 8 byte array (for a des key with parity) - * input starts at offset off - */ - private byte[] makeDesKey (byte[] input, int off) { - int[] in = new int [input.length]; - for (int i=0; i> 1)); - out[2] = (byte)(((in[off+1] << 6) & 0xFF) | (in[off+2] >> 2)); - out[3] = (byte)(((in[off+2] << 5) & 0xFF) | (in[off+3] >> 3)); - out[4] = (byte)(((in[off+3] << 4) & 0xFF) | (in[off+4] >> 4)); - out[5] = (byte)(((in[off+4] << 3) & 0xFF) | (in[off+5] >> 5)); - out[6] = (byte)(((in[off+5] << 2) & 0xFF) | (in[off+6] >> 6)); - out[7] = (byte)((in[off+6] << 1) & 0xFF); - return out; - } - - private byte[] calcLMHash () throws GeneralSecurityException { - byte[] magic = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; - byte[] pwb = password.toUpperCase ().getBytes(); - byte[] pwb1 = new byte [14]; - int len = password.length(); - if (len > 14) - len = 14; - System.arraycopy (pwb, 0, pwb1, 0, len); /* Zero padded */ - - DESKeySpec dks1 = new DESKeySpec (makeDesKey (pwb1, 0)); - DESKeySpec dks2 = new DESKeySpec (makeDesKey (pwb1, 7)); - - SecretKey key1 = fac.generateSecret (dks1); - SecretKey key2 = fac.generateSecret (dks2); - cipher.init (Cipher.ENCRYPT_MODE, key1); - byte[] out1 = cipher.doFinal (magic, 0, 8); - cipher.init (Cipher.ENCRYPT_MODE, key2); - byte[] out2 = cipher.doFinal (magic, 0, 8); - - byte[] result = new byte [21]; - System.arraycopy (out1, 0, result, 0, 8); - System.arraycopy (out2, 0, result, 8, 8); - return result; - } - - private byte[] calcNTHash () throws GeneralSecurityException { - byte[] pw = null; - try { - pw = password.getBytes ("UnicodeLittleUnmarked"); - } catch (UnsupportedEncodingException e) { - assert false; - } - byte[] out = md4.digest (pw); - byte[] result = new byte [21]; - System.arraycopy (out, 0, result, 0, 16); - return result; - } - - /* key is a 21 byte array. Split it into 3 7 byte chunks, - * Convert each to 8 byte DES keys, encrypt the text arg with - * each key and return the three results in a sequential [] - */ - private byte[] calcResponse (byte[] key, byte[] text) - throws GeneralSecurityException { - assert key.length == 21; - DESKeySpec dks1 = new DESKeySpec (makeDesKey (key, 0)); - DESKeySpec dks2 = new DESKeySpec (makeDesKey (key, 7)); - DESKeySpec dks3 = new DESKeySpec (makeDesKey (key, 14)); - SecretKey key1 = fac.generateSecret (dks1); - SecretKey key2 = fac.generateSecret (dks2); - SecretKey key3 = fac.generateSecret (dks3); - cipher.init (Cipher.ENCRYPT_MODE, key1); - byte[] out1 = cipher.doFinal (text, 0, 8); - cipher.init (Cipher.ENCRYPT_MODE, key2); - byte[] out2 = cipher.doFinal (text, 0, 8); - cipher.init (Cipher.ENCRYPT_MODE, key3); - byte[] out3 = cipher.doFinal (text, 0, 8); - byte[] result = new byte [24]; - System.arraycopy (out1, 0, result, 0, 8); - System.arraycopy (out2, 0, result, 8, 8); - System.arraycopy (out3, 0, result, 16, 8); - return result; - } - - private String buildType3Msg (String challenge) throws GeneralSecurityException, - IOException { - /* First decode the type2 message to get the server nonce */ - /* nonce is located at type2[24] for 8 bytes */ - - byte[] type2 = (new sun.misc.BASE64Decoder()).decodeBuffer (challenge); - byte[] nonce = new byte [8]; - System.arraycopy (type2, 24, nonce, 0, 8); - - int ulen = username.length()*2; - type3[36] = type3[38] = (byte) (ulen % 256); - type3[37] = type3[39] = (byte) (ulen / 256); - int dlen = ntdomain.length()*2; - type3[28] = type3[30] = (byte) (dlen % 256); - type3[29] = type3[31] = (byte) (dlen / 256); - int hlen = hostname.length()*2; - type3[44] = type3[46] = (byte) (hlen % 256); - type3[45] = type3[47] = (byte) (hlen / 256); - - int l = 64; - copybytes (type3, l, ntdomain, "UnicodeLittleUnmarked"); - type3[32] = (byte) (l % 256); - type3[33] = (byte) (l / 256); - l += dlen; - copybytes (type3, l, username, "UnicodeLittleUnmarked"); - type3[40] = (byte) (l % 256); - type3[41] = (byte) (l / 256); - l += ulen; - copybytes (type3, l, hostname, "UnicodeLittleUnmarked"); - type3[48] = (byte) (l % 256); - type3[49] = (byte) (l / 256); - l += hlen; - - byte[] lmhash = calcLMHash(); - byte[] lmresponse = calcResponse (lmhash, nonce); - byte[] nthash = calcNTHash(); - byte[] ntresponse = calcResponse (nthash, nonce); - System.arraycopy (lmresponse, 0, type3, l, 24); - type3[16] = (byte) (l % 256); - type3[17] = (byte) (l / 256); - l += 24; - System.arraycopy (ntresponse, 0, type3, l, 24); - type3[24] = (byte) (l % 256); - type3[25] = (byte) (l / 256); - l += 24; - type3[56] = (byte) (l % 256); - type3[57] = (byte) (l / 256); - - byte[] msg = new byte [l]; - System.arraycopy (type3, 0, msg, 0, l); - String result = "NTLM " + (new B64Encoder()).encode (msg); - return result; - } - -} - - -class B64Encoder extends sun.misc.BASE64Encoder { - /* to force it to to the entire encoding in one line */ - protected int bytesPerLine () { - return 1024; - } -}