Jesper Wilhelmsson 2020-01-16 04:09:50 +01:00
commit 51d5164ca2
102 changed files with 2027 additions and 937 deletions


@ -73,6 +73,7 @@ public class Checksum {
// draft-brezak-win2k-krb-rc4-hmac-04.txt
public static final int CKSUMTYPE_HMAC_MD5_ARCFOUR = -138;
// default checksum type, -1 if not set
static int CKSUMTYPE_DEFAULT;
static int SAFECKSUMTYPE_DEFAULT;
@ -87,26 +88,19 @@ public class Checksum {
try {
cfg = Config.getInstance();
temp = cfg.get("libdefaults", "default_checksum");
if (temp != null)
{
CKSUMTYPE_DEFAULT = Config.getType(temp);
} else {
/*
* If the default checksum is not
* specified in the configuration we
* set it to RSA_MD5. We follow the MIT and
* SEAM implementation.
*/
CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5;
}
if (temp != null) {
CKSUMTYPE_DEFAULT = Config.getType(temp);
} else {
CKSUMTYPE_DEFAULT = -1;
}
} catch (Exception exc) {
if (DEBUG) {
System.out.println("Exception in getting default checksum "+
"value from the configuration. " +
"Setting default checksum to be RSA-MD5");
"No default checksum set.");
exc.printStackTrace();
}
CKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5;
CKSUMTYPE_DEFAULT = -1;
}
@ -116,117 +110,100 @@ public class Checksum {
{
SAFECKSUMTYPE_DEFAULT = Config.getType(temp);
} else {
SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES;
SAFECKSUMTYPE_DEFAULT = -1;
}
} catch (Exception exc) {
if (DEBUG) {
System.out.println("Exception in getting safe default " +
"checksum value " +
"from the configuration. Setting " +
"safe default checksum to be RSA-MD5");
"from the configuration Setting. " +
"No safe default checksum set.");
exc.printStackTrace();
}
SAFECKSUMTYPE_DEFAULT = CKSUMTYPE_RSA_MD5_DES;
SAFECKSUMTYPE_DEFAULT = -1;
}
}
/**
* Constructs a new Checksum using the raw data and type.
*
* This constructor is only used by Authenticator Checksum
* {@link sun.security.jgss.krb5.InitialToken.OverloadedChecksum}
* where the checksum type must be 0x8003
* (see https://tools.ietf.org/html/rfc4121#section-4.1.1)
* and checksum field/value is used to convey service flags,
* channel bindings, and optional delegation information.
* This special type does NOT have a {@link CksumType} and has its
* own calculating and verification rules. It does has the same
* ASN.1 encoding though.
*
* @param data the byte array of checksum.
* @param new_cksumType the type of checksum.
*
*/
// used in InitialToken
public Checksum(byte[] data, int new_cksumType) {
cksumType = new_cksumType;
checksum = data;
}
/**
* Constructs a new Checksum by calculating the checksum over the data
* using specified checksum type.
* @param new_cksumType the type of checksum.
* @param data the data that needs to be performed a checksum calculation on.
* Constructs a new Checksum by calculating over the data using
* the specified checksum type. If the checksum is unkeyed, key
* and usage are ignored.
*
* @param new_cksumType the type of checksum. If set to -1, the
* {@linkplain EType#checksumType() mandatory checksum type}
* for the encryption type of {@code key} will be used
* @param data the data that needs to be performed a checksum calculation on
* @param key the key used by a keyed checksum
* @param usage the usage used by a keyed checksum
*/
public Checksum(int new_cksumType, byte[] data)
throws KdcErrException, KrbCryptoException {
cksumType = new_cksumType;
CksumType cksumEngine = CksumType.getInstance(cksumType);
if (!cksumEngine.isSafe()) {
checksum = cksumEngine.calculateChecksum(data, data.length);
} else {
throw new KdcErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
}
}
/**
* Constructs a new Checksum by calculating the keyed checksum
* over the data using specified checksum type.
* @param new_cksumType the type of checksum.
* @param data the data that needs to be performed a checksum calculation on.
*/
// KrbSafe, KrbTgsReq
public Checksum(int new_cksumType, byte[] data,
EncryptionKey key, int usage)
throws KdcErrException, KrbApErrException, KrbCryptoException {
cksumType = new_cksumType;
CksumType cksumEngine = CksumType.getInstance(cksumType);
if (!cksumEngine.isSafe())
throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
checksum =
cksumEngine.calculateKeyedChecksum(data,
data.length,
key.getBytes(),
usage);
EncryptionKey key, int usage)
throws KdcErrException, KrbApErrException, KrbCryptoException {
if (new_cksumType == -1) {
cksumType = EType.getInstance(key.getEType()).checksumType();
} else {
cksumType = new_cksumType;
}
checksum = CksumType.getInstance(cksumType).calculateChecksum(
data, data.length, key.getBytes(), usage);
}
/**
* Verifies the keyed checksum over the data passed in.
*/
public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key,
int usage)
throws KdcErrException, KrbApErrException, KrbCryptoException {
public boolean verifyKeyedChecksum(byte[] data, EncryptionKey key, int usage)
throws KdcErrException, KrbApErrException, KrbCryptoException {
CksumType cksumEngine = CksumType.getInstance(cksumType);
if (!cksumEngine.isSafe())
if (!cksumEngine.isKeyed()) {
throw new KrbApErrException(Krb5.KRB_AP_ERR_INAPP_CKSUM);
return cksumEngine.verifyKeyedChecksum(data,
data.length,
key.getBytes(),
checksum,
usage);
}
// =============== ATTENTION! Use with care ==================
// According to https://tools.ietf.org/html/rfc3961#section-6.1,
// An unkeyed checksum should only be used "in limited circumstances
// where the lack of a key does not provide a window for an attack,
// preferably as part of an encrypted message".
public boolean verifyAnyChecksum(byte[] data, EncryptionKey key,
int usage)
throws KdcErrException, KrbCryptoException {
CksumType cksumEngine = CksumType.getInstance(cksumType);
if (!cksumEngine.isSafe()) {
return cksumEngine.verifyChecksum(data, checksum);
} else {
return cksumEngine.verifyKeyedChecksum(data,
data.length,
key.getBytes(),
checksum,
usage);
return cksumEngine.verifyChecksum(
data, data.length, key.getBytes(), checksum, usage);
}
}
/*
public Checksum(byte[] data) throws KdcErrException, KrbCryptoException {
this(Checksum.CKSUMTYPE_DEFAULT, data);
/**
* Verifies the checksum over the data passed in. The checksum might
* be a keyed or not.
*
* =============== ATTENTION! Use with care ==================
* According to https://tools.ietf.org/html/rfc3961#section-6.1,
* An unkeyed checksum should only be used "in limited circumstances
* where the lack of a key does not provide a window for an attack,
* preferably as part of an encrypted message".
*/
public boolean verifyAnyChecksum(byte[] data, EncryptionKey key, int usage)
throws KdcErrException, KrbCryptoException {
return CksumType.getInstance(cksumType).verifyChecksum(
data, data.length, key.getBytes(), checksum, usage);
}
*/
boolean isEqual(Checksum cksum) throws KdcErrException {
if (cksumType != cksum.cksumType)
if (cksumType != cksum.cksumType) {
return false;
CksumType cksumEngine = CksumType.getInstance(cksumType);
}
return CksumType.isChecksumEqual(checksum, cksum.checksum);
}
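Review bot: The javadoc on the keyed constructor states that key and usage are ignored for an unkeyed checksum, but the new body dereferences `key` unconditionally — `key.getEType()` on the `-1` path and `key.getBytes()` on every path — and `verifyAnyChecksum` does the same, so a caller passing `null` for an unkeyed type gets a NullPointerException rather than the documented "ignored". Either tighten the doc (`@param key the key used by a keyed checksum; must be non-null even when the checksum type is unkeyed`) or pass `null` bytes when `CksumType.getInstance(cksumType).isKeyed()` is false. Separately, the new debug text `"from the configuration Setting. " + "No safe default checksum set."` carries a stray "Setting." that looks left over from the old message; the parallel message for CKSUMTYPE_DEFAULT reads cleanly.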


@ -318,28 +318,8 @@ public class KrbTgsReq {
byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ);
// if the checksum type is one of the keyed checksum types,
// use session key.
Checksum cksum;
switch (Checksum.CKSUMTYPE_DEFAULT) {
case Checksum.CKSUMTYPE_RSA_MD4_DES:
case Checksum.CKSUMTYPE_DES_MAC:
case Checksum.CKSUMTYPE_DES_MAC_K:
case Checksum.CKSUMTYPE_RSA_MD4_DES_K:
case Checksum.CKSUMTYPE_RSA_MD5_DES:
case Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD:
case Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR:
case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128:
case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
case Checksum.CKSUMTYPE_HMAC_SHA256_128_AES128:
case Checksum.CKSUMTYPE_HMAC_SHA384_192_AES256:
cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
Checksum cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp, key,
KeyUsage.KU_PA_TGS_REQ_CKSUM);
break;
case Checksum.CKSUMTYPE_CRC32:
case Checksum.CKSUMTYPE_RSA_MD4:
case Checksum.CKSUMTYPE_RSA_MD5:
default:
cksum = new Checksum(Checksum.CKSUMTYPE_DEFAULT, temp);
}
// Usage will be KeyUsage.KU_PA_TGS_REQ_AUTHENTICATOR
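Review bot: The comment `// if the checksum type is one of the keyed checksum types, use session key.` now describes the switch this hunk removes; the new code passes the session key unconditionally and relies on `Checksum.CKSUMTYPE_DEFAULT` (-1 unless configured) resolving to the mandatory checksum type of the key's etype, with unkeyed types ignoring the key. Suggest replacing it with `// CKSUMTYPE_DEFAULT is -1 unless configured; -1 resolves to the mandatory checksum type for the session key's etype, and an unkeyed type simply ignores the key.` If `default_checksum` is configured to an unkeyed type this path now produces an unkeyed PA-TGS-REQ checksum with no indication; a DEBUG line noting that the resolved checksum type is unkeyed would make that visible to operators. The enclosing method starts before the hunk.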


@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -102,7 +102,7 @@ class TCPClient extends NetClient {
}
try {
return IOUtils.readFully(in, len, true);
return IOUtils.readExactlyNBytes(in, len);
} catch (IOException ioe) {
if (Krb5.DEBUG) {
System.out.println(
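Review bot: `len` is established before this hunk (the enclosing method starts outside it) and, as far as can be seen here, comes from the peer's length prefix; `IOUtils.readExactlyNBytes(in, len)` reads and buffers exactly that many bytes, so confirm an upper bound is applied to `len` before this call, otherwise a misbehaving KDC controls the allocation up to the full int range. The behavioural change itself looks fine: a short read now surfaces as an exception that the `catch (IOException ioe)` below already handles, matching what `readFully(in, len, true)` did.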


@ -135,6 +135,7 @@ public class PAForUserEnc {
bytes.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0x01), name.getRealm().asn1Encode());
try {
// MS-SFU 2.2.1: use hmac-md5 checksum regardless of key type
Checksum cks = new Checksum(
Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR,
getS4UByteArray(),


@ -128,7 +128,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
length--;
for (int i = 0; i <= length; i++) {
namelength = readLength4();
byte[] bytes = IOUtils.readFully(this, namelength, true);
byte[] bytes = IOUtils.readExactlyNBytes(this, namelength);
result.add(new String(bytes));
}
if (result.isEmpty()) {
@ -186,7 +186,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
if (version == KRB5_FCC_FVNO_3)
read(2); /* keytype recorded twice in fvno 3 */
keyLen = readLength4();
byte[] bytes = IOUtils.readFully(this, keyLen, true);
byte[] bytes = IOUtils.readExactlyNBytes(this, keyLen);
return new EncryptionKey(bytes, keyType, version);
}
@ -239,7 +239,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
for (int i = 0; i < num; i++) {
adtype = read(2);
adlength = readLength4();
data = IOUtils.readFully(this, adlength, true);
data = IOUtils.readExactlyNBytes(this, adlength);
auData.add(new AuthorizationDataEntry(adtype, data));
}
return auData.toArray(new AuthorizationDataEntry[auData.size()]);
@ -253,7 +253,7 @@ public class CCacheInputStream extends KrbDataInputStream implements FileCCacheC
if (length == 0) {
return null;
} else {
return IOUtils.readFully(this, length, true);
return IOUtils.readExactlyNBytes(this, length);
}
}
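Review bot: In the first hunk, `result.add(new String(bytes));` decodes the principal-name component that the new `readExactlyNBytes` call returns using the platform default charset, so the same ccache file can parse differently depending on the JVM's default encoding. If the credential-cache format defines these components as UTF-8 (confirm against the writer side of this format), pass the charset explicitly: `result.add(new String(bytes, StandardCharsets.UTF_8));`. This is context rather than changed code, but the commit is already touching every read on these lines.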


@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -31,10 +31,7 @@
package sun.security.krb5.internal.crypto;
import sun.security.krb5.Config;
import sun.security.krb5.Checksum;
import sun.security.krb5.EncryptedData;
import sun.security.krb5.KrbException;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
@ -81,12 +78,25 @@ public abstract class CksumType {
cksumTypeName =
"sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType";
break;
case Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256:
cksumType = new HmacSha1Aes256CksumType();
cksumTypeName =
"sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType";
break;
case Checksum.CKSUMTYPE_HMAC_SHA256_128_AES128:
cksumType = new HmacSha2Aes128CksumType();
cksumTypeName =
"sun.security.krb5.internal.crypto.HmacSha2Aes128CksumType";
break;
case Checksum.CKSUMTYPE_HMAC_SHA384_192_AES256:
cksumType = new HmacSha2Aes256CksumType();
cksumTypeName =
"sun.security.krb5.internal.crypto.HmacSha2Aes256CksumType";
break;
case Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR:
cksumType = new HmacMd5ArcFourCksumType();
cksumTypeName =
@ -117,32 +127,11 @@ public abstract class CksumType {
return cksumType;
}
/**
* Returns default checksum type.
*/
public static CksumType getInstance() throws KdcErrException {
// this method provided for Kerberos applications.
int cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
try {
Config c = Config.getInstance();
if ((cksumType = (Config.getType(c.get("libdefaults",
"ap_req_checksum_type")))) == - 1) {
if ((cksumType = Config.getType(c.get("libdefaults",
"checksum_type"))) == -1) {
cksumType = Checksum.CKSUMTYPE_RSA_MD5; // default
}
}
} catch (KrbException e) {
}
return getInstance(cksumType);
}
public abstract int confounderSize();
public abstract int cksumType();
public abstract boolean isSafe();
public abstract boolean isKeyed();
public abstract int cksumSize();
@ -150,18 +139,12 @@ public abstract class CksumType {
public abstract int keySize();
public abstract byte[] calculateChecksum(byte[] data, int size)
throws KrbCryptoException;
public abstract byte[] calculateKeyedChecksum(byte[] data, int size,
// Note: key and usage will be ignored for an unkeyed checksum.
public abstract byte[] calculateChecksum(byte[] data, int size,
byte[] key, int usage) throws KrbCryptoException;
public boolean verifyChecksum(byte[] data, byte[] checksum)
throws KrbCryptoException {
throw new UnsupportedOperationException("Not supported");
}
public abstract boolean verifyKeyedChecksum(byte[] data, int size,
// Note: key and usage will be ignored for an unkeyed checksum.
public abstract boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException;
public static boolean isChecksumEqual(byte[] cksum1, byte[] cksum2) {
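Review bot: The two `// Note: key and usage will be ignored for an unkeyed checksum.` comments on the unified abstract `calculateChecksum` and `verifyChecksum` should become Javadoc with `@param` tags, and they should say whether `key` may be null for an unkeyed type: the Crc32 and RsaMd5 implementations in this commit never read it, but the only caller shown (`Checksum`) calls `key.getBytes()` before reaching here, so the contract is currently implicit. `isChecksumEqual` is now the comparison every `verifyChecksum` in this commit routes through; its body is outside the hunk, so its Javadoc should state whether the comparison is constant-time (`MessageDigest.isEqual` is) so implementers do not substitute an early-exit compare.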


@ -32,7 +32,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.*;
import sun.security.krb5.internal.*;
import java.util.zip.CRC32;
public class Crc32CksumType extends CksumType {
@ -47,7 +46,7 @@ public class Crc32CksumType extends CksumType {
return Checksum.CKSUMTYPE_CRC32;
}
public boolean isSafe() {
public boolean isKeyed() {
return false;
}
@ -63,18 +62,15 @@ public class Crc32CksumType extends CksumType {
return 0;
}
public byte[] calculateChecksum(byte[] data, int size) {
public byte[] calculateChecksum(byte[] data, int size,
byte[] key, int usage) {
return crc32.byte2crc32sum_bytes(data, size);
}
public byte[] calculateKeyedChecksum(byte[] data, int size,
byte[] key, int usage) {
return null;
}
public boolean verifyKeyedChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) {
return false;
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) {
return CksumType.isChecksumEqual(checksum,
crc32.byte2crc32sum_bytes(data));
}
public static byte[] int2quad(long input) {
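Review bot: The new `verifyChecksum` recomputes the CRC with `crc32.byte2crc32sum_bytes(data)` while `calculateChecksum` directly above uses `crc32.byte2crc32sum_bytes(data, size)`, so `size` is silently ignored on the verify side and a caller passing `size < data.length` gets a mismatch. Use `crc32.byte2crc32sum_bytes(data, size)` in both places. The same size-is-ignored pattern appears in `DesMacKCksumType.verifyChecksum` (`calculateChecksum(data, data.length, key, usage)`) and, as far as its hunk shows, in `RsaMd5CksumType.verifyChecksum` (`digest(data)`); the callers in `Checksum` always pass `data.length`, so this is latent today, but the abstract contract in `CksumType` takes a `size` and implementations should honour it.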


@ -53,7 +53,7 @@ public class DesCbcCrcEType extends DesCbcEType {
}
public int checksumType() {
return Checksum.CKSUMTYPE_CRC32;
return Checksum.CKSUMTYPE_RSA_MD5;
}
public int checksumSize() {
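Review bot: `checksumType()` now returns the unkeyed `CKSUMTYPE_RSA_MD5` for des-cbc-crc, and this is the value `Checksum`'s new `-1` path treats as the "mandatory checksum type", so a DES-CBC-CRC session key yields an unkeyed checksum wherever `-1` or an unset `CKSUMTYPE_DEFAULT` is used. As far as I recall, RFC 3961 §6.2 lists the keyed rsa-md5-des as the mandatory checksum for the single-DES enctypes, so please confirm `CKSUMTYPE_RSA_MD5_DES` is not the intended value, or add a comment here explaining why the unkeyed type was chosen. DES is disabled by default so the exposure is limited, but without a comment the next reader cannot tell whether this is deliberate.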


@ -49,7 +49,7 @@ public class DesMacCksumType extends CksumType {
return Checksum.CKSUMTYPE_DES_MAC;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -65,10 +65,6 @@ public class DesMacCksumType extends CksumType {
return 8;
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -78,7 +74,7 @@ public class DesMacCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
byte[] new_data = new byte[size + confounderSize()];
byte[] conf = Confounder.bytes(confounderSize());
@ -130,7 +126,7 @@ public class DesMacCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
byte[] cksum = decryptKeyedChecksum(checksum, key);


@ -48,7 +48,7 @@ public class DesMacKCksumType extends CksumType {
return Checksum.CKSUMTYPE_DES_MAC_K;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -64,10 +64,6 @@ public class DesMacKCksumType extends CksumType {
return 8;
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -77,7 +73,7 @@ public class DesMacKCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
//check for weak keys
try {
@ -93,9 +89,9 @@ public class DesMacKCksumType extends CksumType {
return cksum;
}
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
byte[] new_cksum = calculateKeyedChecksum(data, data.length, key, usage);
byte[] new_cksum = calculateChecksum(data, data.length, key, usage);
return isChecksumEqual(checksum, new_cksum);
}


@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
/**
@ -51,7 +49,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_MD5_ARCFOUR;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -67,10 +65,6 @@ public class HmacMd5ArcFourCksumType extends CksumType {
return 16; // bytes
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -78,7 +72,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@ -98,7 +92,7 @@ public class HmacMd5ArcFourCksumType extends CksumType {
* @param checksum the checksum.
* @return true if verification is successful.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
/*
@ -51,7 +49,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES128;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -67,10 +65,6 @@ public class HmacSha1Aes128CksumType extends CksumType {
return 16; // bytes
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -78,7 +72,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@ -98,7 +92,7 @@ public class HmacSha1Aes128CksumType extends CksumType {
* @param checksum the checksum.
* @return true if verification is successful.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
/*
@ -51,7 +49,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_96_AES256;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -67,10 +65,6 @@ public class HmacSha1Aes256CksumType extends CksumType {
return 32; // bytes
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -78,7 +72,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@ -98,7 +92,7 @@ public class HmacSha1Aes256CksumType extends CksumType {
* @param checksum the checksum.
* @return true if verification is successful.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,8 +28,6 @@ package sun.security.krb5.internal.crypto;
import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
public class HmacSha1Des3KdCksumType extends CksumType {
@ -45,7 +43,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA1_DES3_KD;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -61,10 +59,6 @@ public class HmacSha1Des3KdCksumType extends CksumType {
return 24; // bytes
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -72,7 +66,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@ -92,7 +86,7 @@ public class HmacSha1Des3KdCksumType extends CksumType {
* @param checksum the checksum.
* @return true if verification is successful.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -47,7 +47,7 @@ public class HmacSha2Aes128CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA256_128_AES128;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -63,10 +63,6 @@ public class HmacSha2Aes128CksumType extends CksumType {
return 16; // bytes
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -74,7 +70,7 @@ public class HmacSha2Aes128CksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@ -94,7 +90,7 @@ public class HmacSha2Aes128CksumType extends CksumType {
* @param checksum the checksum.
* @return true if verification is successful.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -47,7 +47,7 @@ public class HmacSha2Aes256CksumType extends CksumType {
return Checksum.CKSUMTYPE_HMAC_SHA384_192_AES256;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -63,10 +63,6 @@ public class HmacSha2Aes256CksumType extends CksumType {
return 32; // bytes
}
public byte[] calculateChecksum(byte[] data, int size) {
return null;
}
/**
* Calculates keyed checksum.
* @param data the data used to generate the checksum.
@ -74,7 +70,7 @@ public class HmacSha2Aes256CksumType extends CksumType {
* @param key the key used to encrypt the checksum.
* @return keyed checksum.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
try {
@ -94,7 +90,7 @@ public class HmacSha2Aes256CksumType extends CksumType {
* @param checksum the checksum.
* @return true if verification is successful.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
try {


@ -33,8 +33,6 @@ import sun.security.krb5.Checksum;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
public final class RsaMd5CksumType extends CksumType {
@ -49,7 +47,7 @@ public final class RsaMd5CksumType extends CksumType {
return Checksum.CKSUMTYPE_RSA_MD5;
}
public boolean isSafe() {
public boolean isKeyed() {
return false;
}
@ -74,7 +72,8 @@ public final class RsaMd5CksumType extends CksumType {
* @modified by Yanni Zhang, 12/08/99.
*/
public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{
public byte[] calculateChecksum(byte[] data, int size,
byte[] key, int usage) throws KrbCryptoException{
MessageDigest md5;
byte[] result = null;
try {
@ -91,18 +90,9 @@ public final class RsaMd5CksumType extends CksumType {
return result;
}
public byte[] calculateKeyedChecksum(byte[] data, int size,
byte[] key, int usage) throws KrbCryptoException {
return null;
}
public boolean verifyKeyedChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
return false;
}
@Override
public boolean verifyChecksum(byte[] data, byte[] checksum)
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage)
throws KrbCryptoException {
try {
byte[] calculated = MessageDigest.getInstance("MD5").digest(data);


@ -33,12 +33,8 @@ import sun.security.krb5.Checksum;
import sun.security.krb5.Confounder;
import sun.security.krb5.KrbCryptoException;
import sun.security.krb5.internal.*;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.DESKeySpec;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.InvalidKeyException;
public final class RsaMd5DesCksumType extends CksumType {
@ -54,7 +50,7 @@ public final class RsaMd5DesCksumType extends CksumType {
return Checksum.CKSUMTYPE_RSA_MD5_DES;
}
public boolean isSafe() {
public boolean isKeyed() {
return true;
}
@ -79,7 +75,7 @@ public final class RsaMd5DesCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
public byte[] calculateKeyedChecksum(byte[] data, int size, byte[] key,
public byte[] calculateChecksum(byte[] data, int size, byte[] key,
int usage) throws KrbCryptoException {
//prepend confounder
byte[] new_data = new byte[size + confounderSize()];
@ -88,7 +84,7 @@ public final class RsaMd5DesCksumType extends CksumType {
System.arraycopy(data, 0, new_data, confounderSize(), size);
//calculate md5 cksum
byte[] mdc_cksum = calculateChecksum(new_data, new_data.length);
byte[] mdc_cksum = calculateRawChecksum(new_data, new_data.length);
byte[] cksum = new byte[cksumSize()];
System.arraycopy(conf, 0, cksum, 0, confounderSize());
System.arraycopy(mdc_cksum, 0, cksum, confounderSize(),
@ -125,7 +121,7 @@ public final class RsaMd5DesCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
public boolean verifyKeyedChecksum(byte[] data, int size,
public boolean verifyChecksum(byte[] data, int size,
byte[] key, byte[] checksum, int usage) throws KrbCryptoException {
//decrypt checksum
byte[] cksum = decryptKeyedChecksum(checksum, key);
@ -135,7 +131,7 @@ public final class RsaMd5DesCksumType extends CksumType {
System.arraycopy(cksum, 0, new_data, 0, confounderSize());
System.arraycopy(data, 0, new_data, confounderSize(), size);
byte[] new_cksum = calculateChecksum(new_data, new_data.length);
byte[] new_cksum = calculateRawChecksum(new_data, new_data.length);
//extract original cksum value
byte[] orig_cksum = new byte[cksumSize() - confounderSize()];
System.arraycopy(cksum, confounderSize(), orig_cksum, 0,
@ -181,7 +177,7 @@ public final class RsaMd5DesCksumType extends CksumType {
*
* @modified by Yanni Zhang, 12/08/99.
*/
public byte[] calculateChecksum(byte[] data, int size) throws KrbCryptoException{
private byte[] calculateRawChecksum(byte[] data, int size) throws KrbCryptoException{
MessageDigest md5;
byte[] result = null;
try {
@ -197,5 +193,4 @@ public final class RsaMd5DesCksumType extends CksumType {
}
return result;
}
}


@ -132,8 +132,9 @@ seconds_until(int inputIsUTC, TimeStamp *time)
return 0;
}
ULONGLONG diff = (time->QuadPart - uiLocal.QuadPart) / 10000000;
if (diff > (ULONGLONG)~(OM_uint32)0)
if (diff > (ULONGLONG)~(OM_uint32)0) {
return GSS_C_INDEFINITE;
}
return (OM_uint32)diff;
}
@ -177,8 +178,10 @@ static gss_cred_id_t
new_cred()
{
gss_cred_id_t out = new gss_cred_id_struct;
out->phCredK = out->phCredS = NULL;
out->time = 0L;
if (out) {
out->phCredK = out->phCredS = NULL;
out->time = 0L;
}
return out;
}
@ -864,6 +867,7 @@ gss_init_sec_context(OM_uint32 *minor_status,
SecBufferDesc outBuffDesc;
SecBuffer outSecBuff;
BOOLEAN isSPNEGO = is_same_oid(mech_type, &SPNEGO_OID);
CredHandle* newCred = NULL;
gss_ctx_id_t pc;
@ -928,7 +932,10 @@ gss_init_sec_context(OM_uint32 *minor_status,
pc->isLocalCred = FALSE;
} else {
PP("No credentials provided, acquire myself");
CredHandle* newCred = new CredHandle;
newCred = new CredHandle;
if (!newCred) {
goto err;
}
SEC_WINNT_AUTH_IDENTITY_EX auth;
ZeroMemory(&auth, sizeof(auth));
auth.Version = SEC_WINNT_AUTH_IDENTITY_VERSION;
@ -947,7 +954,6 @@ gss_init_sec_context(OM_uint32 *minor_status,
newCred,
&lifeTime);
if (!(SEC_SUCCESS(ss))) {
delete newCred;
goto err;
}
pc->phCred = newCred;
@ -989,7 +995,6 @@ gss_init_sec_context(OM_uint32 *minor_status,
output_token->value = new char[outSecBuff.cbBuffer];
if (!output_token->value) {
FreeContextBuffer(outSecBuff.pvBuffer);
output_token->length = 0;
goto err;
}
memcpy(output_token->value, outSecBuff.pvBuffer, outSecBuff.cbBuffer);
@ -1009,14 +1014,17 @@ gss_init_sec_context(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
}
err:
if (newCred) {
delete newCred;
}
if (firstTime) {
OM_uint32 dummy;
gss_delete_sec_context(&dummy, context_handle, GSS_C_NO_BUFFER);
}
if (output_token->value) {
gss_release_buffer(NULL, output_token);
output_token = GSS_C_NO_BUFFER;
}
output_token = GSS_C_NO_BUFFER;
return GSS_S_FAILURE;
}
@ -1233,17 +1241,26 @@ gss_get_mic(OM_uint32 *minor_status,
secBuff[1].cbBuffer = context_handle->SecPkgContextSizes.cbMaxSignature;
secBuff[1].pvBuffer = msg_token->value = new char[secBuff[1].cbBuffer];
if (!secBuff[1].pvBuffer) {
goto err;
}
ss = MakeSignature((PCtxtHandle)&context_handle->hCtxt, 0, &buffDesc, 0);
if (!SEC_SUCCESS(ss)) {
msg_token->length = 0;
msg_token->value = NULL;
delete[] secBuff[1].pvBuffer;
return GSS_S_FAILURE;
goto err;
}
msg_token->length = secBuff[1].cbBuffer;
return GSS_S_COMPLETE;
err:
msg_token->length = 0;
msg_token->value = NULL;
if (secBuff[1].pvBuffer) {
delete[] secBuff[1].pvBuffer;
}
return GSS_S_FAILURE;
}
__declspec(dllexport) OM_uint32
@ -1317,16 +1334,25 @@ gss_wrap(OM_uint32 *minor_status,
context_handle->SecPkgContextSizes.cbSecurityTrailer
+ input_message_buffer->length
+ context_handle->SecPkgContextSizes.cbBlockSize);;
if (!output_message_buffer->value) {
goto err;
}
secBuff[1].BufferType = SECBUFFER_DATA;
secBuff[1].cbBuffer = (ULONG)input_message_buffer->length;
secBuff[1].pvBuffer = malloc(secBuff[1].cbBuffer);
if (!secBuff[1].pvBuffer) {
goto err;
}
memcpy_s(secBuff[1].pvBuffer, secBuff[1].cbBuffer,
input_message_buffer->value, input_message_buffer->length);
secBuff[2].BufferType = SECBUFFER_PADDING;
secBuff[2].cbBuffer = context_handle->SecPkgContextSizes.cbBlockSize;
secBuff[2].pvBuffer = malloc(secBuff[2].cbBuffer);
if (!secBuff[2].pvBuffer) {
goto err;
}
ss = EncryptMessage((PCtxtHandle)&context_handle->hCtxt,
conf_req_flag ? 0 : SECQOP_WRAP_NO_ENCRYPT,
@ -1336,12 +1362,7 @@ gss_wrap(OM_uint32 *minor_status,
}
if (!SEC_SUCCESS(ss)) {
free(secBuff[0].pvBuffer);
free(secBuff[1].pvBuffer);
free(secBuff[2].pvBuffer);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
return GSS_S_FAILURE;
goto err;
}
memcpy_s((PBYTE)secBuff[0].pvBuffer + secBuff[0].cbBuffer,
@ -1359,6 +1380,20 @@ gss_wrap(OM_uint32 *minor_status,
free(secBuff[2].pvBuffer);
return GSS_S_COMPLETE;
err:
if (secBuff[0].pvBuffer) {
free(secBuff[0].pvBuffer);
}
if (secBuff[1].pvBuffer) {
free(secBuff[1].pvBuffer);
}
if (secBuff[2].pvBuffer) {
free(secBuff[2].pvBuffer);
}
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
return GSS_S_FAILURE;
}
__declspec(dllexport) OM_uint32
@ -1386,6 +1421,11 @@ gss_unwrap(OM_uint32 *minor_status,
secBuff[0].BufferType = SECBUFFER_STREAM;
secBuff[0].cbBuffer = (ULONG)input_message_buffer->length;
secBuff[0].pvBuffer = malloc(input_message_buffer->length);
if (!secBuff[0].pvBuffer) {
goto err;
}
memcpy_s(secBuff[0].pvBuffer, input_message_buffer->length,
input_message_buffer->value, input_message_buffer->length);
@ -1398,21 +1438,31 @@ gss_unwrap(OM_uint32 *minor_status,
*qop_state = ulQop;
}
if (!SEC_SUCCESS(ss)) {
free(secBuff[0].pvBuffer);
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
return GSS_S_FAILURE;
goto err;
}
// Must allocate a new memory block so client can release it correctly
output_message_buffer->length = secBuff[1].cbBuffer;
output_message_buffer->value = new char[secBuff[1].cbBuffer];
if (!output_message_buffer->value) {
goto err;
}
memcpy_s(output_message_buffer->value, secBuff[1].cbBuffer,
secBuff[1].pvBuffer, secBuff[1].cbBuffer);
*conf_state = ulQop == SECQOP_WRAP_NO_ENCRYPT ? 0 : 1;
free(secBuff[0].pvBuffer);
return GSS_S_COMPLETE;
err:
if (secBuff[0].pvBuffer) {
free(secBuff[0].pvBuffer);
}
output_message_buffer->length = 0;
output_message_buffer->value = NULL;
return GSS_S_FAILURE;
}
__declspec(dllexport) OM_uint32
@ -1544,11 +1594,19 @@ gss_display_status(OM_uint32 *minor_status,
msg, 256, 0);
if (len > 0) {
status_string->value = new char[len + 20];
if (!status_string->value) {
status_string = GSS_C_NO_BUFFER;
return GSS_S_FAILURE;
}
status_string->length = sprintf_s(
(LPSTR)status_string->value, len + 19,
"(%lx) %ls", status_value, msg);
} else {
status_string->value = new char[33];
if (!status_string->value) {
status_string = GSS_C_NO_BUFFER;
return GSS_S_FAILURE;
}
status_string->length = sprintf_s(
(LPSTR)status_string->value, 32,
"status is %lx", status_value);
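Review bot: In the err path added at the end of gss_init_sec_context (hunk at -1009), `newCred` is deleted whenever it is non-null, but the local pointer is never cleared after ownership moves to the context at `pc->phCred = newCred;`, so a later failure (for example the output_token allocation check) deletes a handle the context still references, and if gss_delete_sec_context also releases pc->phCred for a locally acquired credential (isLocalCred is set outside the hunk) this becomes a double free. Clearing the local after the hand-off, `pc->phCred = newCred; newCred = NULL;`, keeps the cleanup limited to the not-yet-owned case. Separately, the null checks after `new` added in several hunks (new_cred, newCred, output_token->value, msg_token->value, status_string->value) are only effective if this file is built with a non-throwing allocator; with standard C++ semantics `new` throws std::bad_alloc and those branches are unreachable, so either allocate with `new (std::nothrow)` or catch the exception at the exported API boundary. In gss_display_status the added `status_string = GSS_C_NO_BUFFER;` only overwrites the parameter's local copy and has no effect for the caller. The bodies of gss_init_sec_context and the other functions touched here extend outside the hunks shown.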