Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
 Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java
38922 views
1
/*

2
 * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

4
 *

5
 * This code is free software; you can redistribute it and/or modify it

6
 * under the terms of the GNU General Public License version 2 only, as

7
 * published by the Free Software Foundation.  Oracle designates this

8
 * particular file as subject to the "Classpath" exception as provided

9
 * by Oracle in the LICENSE file that accompanied this code.

10
 *

11
 * This code is distributed in the hope that it will be useful, but WITHOUT

12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

14
 * version 2 for more details (a copy is included in the LICENSE file that

15
 * accompanied this code).

16
 *

17
 * You should have received a copy of the GNU General Public License version

18
 * 2 along with this work; if not, write to the Free Software Foundation,

19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

20
 *

21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

22
 * or visit www.oracle.com if you need additional information or have any

23
 * questions.

24
 */

25


26
package sun.security.jgss.krb5;

27


28
import com.sun.security.jgss.AuthorizationDataEntry;

29
import org.ietf.jgss.*;

30
import java.io.InputStream;

31
import java.io.IOException;

32


33
import sun.security.action.GetPropertyAction;

34
import sun.security.krb5.*;

35
import java.net.InetAddress;

36
import sun.security.krb5.internal.AuthorizationData;

37
import sun.security.krb5.internal.KerberosTime;

38


39
class InitSecContextToken extends InitialToken {

40


41
    // If non-mutual authentication is requested, there is no AP-REP message.

42
    // The acceptor thus has no chance to send the seq-number field to the

43
    // initiator. In this case, the initiator and acceptor should has an

44
    // agreement to derive acceptor's initial seq-number if the acceptor wishes

45
    // to send messages to the initiator.

46


47
    // If this flag is true, it will the same as the initiator's initial

48
    // seq-number (as MIT krb5 and Windows SSPI do). Otherwise, it will be zero

49
    // (as Heimdal does). The default value is true.

50
    private static final boolean ACCEPTOR_USE_INITIATOR_SEQNUM;

51


52
    static {

53
        // The ACCEPTOR_USE_INITIATOR_SEQNUM value is determined by the system

54
        // property "sun.security.krb5.acceptor.sequence.number.nonmutual",

55
        // which can be set to "initiator", "zero" or "0".

56
        String propName = "sun.security.krb5.acceptor.sequence.number.nonmutual";

57
        String s = GetPropertyAction.privilegedGetProperty(propName, "initiator");

58
        if (s.equals("initiator")) {

59
            ACCEPTOR_USE_INITIATOR_SEQNUM = true;

60
        } else if (s.equals("zero") || s.equals("0")) {

61
            ACCEPTOR_USE_INITIATOR_SEQNUM = false;

62
        } else {

63
            throw new AssertionError("Unrecognized value for " + propName

64
                    + ": " + s);

65
        }

66
    }

67


68
    private KrbApReq apReq = null;

69


70
    /**

71
     * For the context initiator to call. It constructs a new

72
     * InitSecContextToken to send over to the peer containing the desired

73
     * flags and the AP-REQ. It also updates the context with the local

74
     * sequence number and shared context key.

75
     * (When mutual auth is enabled the peer has an opportunity to

76
     * renegotiate the session key in the followup AcceptSecContextToken

77
     * that it sends.)

78
     */

79
    InitSecContextToken(Krb5Context context,

80
                               Credentials tgt,

81
                               Credentials serviceTicket)

82
        throws KrbException, IOException, GSSException {

83


84
        boolean mutualRequired = context.getMutualAuthState();

85
        boolean useSubkey = true; // MIT Impl will crash if this is not set!

86
        boolean useSequenceNumber = true;

87


88
        OverloadedChecksum gssChecksum =

89
            new OverloadedChecksum(context, tgt, serviceTicket);

90


91
        Checksum checksum = gssChecksum.getChecksum();

92


93
        context.setTktFlags(serviceTicket.getFlags());

94
        context.setAuthTime(

95
                new KerberosTime(serviceTicket.getAuthTime()).toString());

96
        apReq = new KrbApReq(serviceTicket,

97
                             mutualRequired,

98
                             useSubkey,

99
                             useSequenceNumber,

100
                             checksum);

101


102
        context.resetMySequenceNumber(apReq.getSeqNumber().intValue());

103


104
        EncryptionKey subKey = apReq.getSubKey();

105
        if (subKey != null)

106
            context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);

107
        else

108
            context.setKey(Krb5Context.SESSION_KEY, serviceTicket.getSessionKey());

109


110
        if (!mutualRequired)

111
            context.resetPeerSequenceNumber(

112
                    ACCEPTOR_USE_INITIATOR_SEQNUM

113
                    ? apReq.getSeqNumber().intValue()

114
                    : 0);

115
    }

116


117
    /**

118
     * For the context acceptor to call. It reads the bytes out of an

119
     * InputStream and constructs an InitSecContextToken with them.

120
     */

121
    InitSecContextToken(Krb5Context context, Krb5AcceptCredential cred,

122
                               InputStream is)

123
        throws IOException, GSSException, KrbException  {

124


125
        int tokenId = ((is.read()<<8) | is.read());

126


127
        if (tokenId != Krb5Token.AP_REQ_ID)

128
            throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,

129
                                   "AP_REQ token id does not match!");

130


131
        // XXX Modify KrbApReq cons to take an InputStream

132
        byte[] apReqBytes =

133
            new sun.security.util.DerValue(is).toByteArray();

134
        //debug("=====ApReqBytes: [" + getHexBytes(apReqBytes) + "]\n");

135


136
        InetAddress addr = null;

137
        if (context.getChannelBinding() != null) {

138
            addr = context.getChannelBinding().getInitiatorAddress();

139
        }

140
        apReq = new KrbApReq(apReqBytes, cred, addr);

141
        //debug("\nReceived AP-REQ and authenticated it.\n");

142


143
        EncryptionKey sessionKey = apReq.getCreds().getSessionKey();

144


145
        /*

146
          System.out.println("\n\nSession key from service ticket is: " +

147
          getHexBytes(sessionKey.getBytes()));

148
        */

149


150
        EncryptionKey subKey = apReq.getSubKey();

151
        if (subKey != null) {

152
            context.setKey(Krb5Context.INITIATOR_SUBKEY, subKey);

153
            /*

154
              System.out.println("Sub-Session key from authenticator is: " +

155
              getHexBytes(subKey.getBytes()) + "\n");

156
            */

157
        } else {

158
            context.setKey(Krb5Context.SESSION_KEY, sessionKey);

159
            //System.out.println("Sub-Session Key Missing in Authenticator.\n");

160
        }

161


162
        OverloadedChecksum gssChecksum = new OverloadedChecksum(

163
                context, apReq.getChecksum(), sessionKey, subKey);

164
        gssChecksum.setContextFlags(context);

165
        Credentials delegCred = gssChecksum.getDelegatedCreds();

166
        if (delegCred != null) {

167
            Krb5CredElement credElement =

168
                Krb5InitCredential.getInstance(

169
                                   (Krb5NameElement)context.getSrcName(),

170
                                   delegCred);

171
            context.setDelegCred(credElement);

172
        }

173


174
        Integer apReqSeqNumber = apReq.getSeqNumber();

175
        int peerSeqNumber = (apReqSeqNumber != null ?

176
                             apReqSeqNumber.intValue() :

177
                             0);

178
        context.resetPeerSequenceNumber(peerSeqNumber);

179
        if (!context.getMutualAuthState()) {

180
            context.resetMySequenceNumber(

181
                    ACCEPTOR_USE_INITIATOR_SEQNUM

182
                            ? peerSeqNumber

183
                            : 0);

184
        }

185
        context.setAuthTime(

186
                new KerberosTime(apReq.getCreds().getAuthTime()).toString());

187
        context.setTktFlags(apReq.getCreds().getFlags());

188
        AuthorizationData ad = apReq.getCreds().getAuthzData();

189
        if (ad == null) {

190
            context.setAuthzData(null);

191
        } else {

192
            AuthorizationDataEntry[] authzData =

193
                    new AuthorizationDataEntry[ad.count()];

194
            for (int i=0; i<ad.count(); i++) {

195
                authzData[i] = new AuthorizationDataEntry(

196
                        ad.item(i).adType, ad.item(i).adData);

197
            }

198
            context.setAuthzData(authzData);

199
        }

200
    }

201


202
    public final KrbApReq getKrbApReq() {

203
        return apReq;

204
    }

205


206
    public final byte[] encode() throws IOException {

207
        byte[] apReqBytes = apReq.getMessage();

208
        byte[] retVal = new byte[2 + apReqBytes.length];

209
        writeInt(Krb5Token.AP_REQ_ID, retVal, 0);

210
        System.arraycopy(apReqBytes, 0, retVal, 2, apReqBytes.length);

211
        //      System.out.println("GSS-Token with AP_REQ is:");

212
        //      System.out.println(getHexBytes(retVal));

213
        return retVal;

214
    }

215
}

216


217