8200400: Restrict Sasl mechanisms
Reviewed-by: mullan
This commit is contained in:
parent
7c6a83fb27
commit
31af27a1ee
@ -1160,6 +1160,23 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep
|
||||
#
|
||||
#jdk.includeInExceptions=hostInfo,jar
|
||||
|
||||
#
|
||||
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
|
||||
#
|
||||
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
|
||||
# These mechanisms will be ignored if they are specified in the mechanisms argument
|
||||
# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
|
||||
#
|
||||
# The value of this property is a comma-separated list of SASL mechanisms.
|
||||
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
|
||||
#
|
||||
# Note: This property is currently used by the JDK Reference implementation.
|
||||
# It is not guaranteed to be examined and used by other implementations.
|
||||
#
|
||||
# Example:
|
||||
# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
|
||||
jdk.sasl.disabledMechanisms=
|
||||
|
||||
#
|
||||
# Policies for distrusting Certificate Authorities (CAs).
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -26,9 +26,12 @@
|
||||
package javax.security.sasl;
|
||||
|
||||
import javax.security.auth.callback.CallbackHandler;
|
||||
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Enumeration;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.HashSet;
|
||||
@ -38,6 +41,8 @@ import java.security.NoSuchAlgorithmException;
|
||||
import java.security.Provider;
|
||||
import java.security.Provider.Service;
|
||||
import java.security.Security;
|
||||
import java.util.logging.Level;
|
||||
import java.util.logging.Logger;
|
||||
|
||||
/**
|
||||
* A static class for creating SASL clients and servers.
|
||||
@ -65,6 +70,30 @@ import java.security.Security;
|
||||
* @author Rob Weltman
|
||||
*/
|
||||
public class Sasl {
|
||||
|
||||
private static List<String> disabledMechanisms = new ArrayList<>();
|
||||
|
||||
static {
|
||||
String prop = AccessController.doPrivileged(
|
||||
(PrivilegedAction<String>)
|
||||
() -> Security.getProperty("jdk.sasl.disabledMechanisms"));
|
||||
|
||||
if (prop != null) {
|
||||
for (String s : prop.split("\\s*,\\s*")) {
|
||||
if (!s.isEmpty()) {
|
||||
disabledMechanisms.add(s);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static final String SASL_LOGGER_NAME = "javax.security.sasl";
|
||||
|
||||
/**
|
||||
* Logger for debug messages
|
||||
*/
|
||||
private static final Logger logger = Logger.getLogger(SASL_LOGGER_NAME);
|
||||
|
||||
// Cannot create one of these
|
||||
private Sasl() {
|
||||
}
|
||||
@ -318,6 +347,9 @@ public class Sasl {
|
||||
* the preferred provider order for the specified algorithm. This
|
||||
* may be different than the order of providers returned by
|
||||
* {@link Security#getProviders() Security.getProviders()}.
|
||||
* <p>
|
||||
* If a mechanism is listed in the {@code jdk.sasl.disabledMechanisms}
|
||||
* security property, it will be ignored and won't be negotiated.
|
||||
*
|
||||
* @param mechanisms The non-null list of mechanism names to try. Each is the
|
||||
* IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
|
||||
@ -381,6 +413,10 @@ public class Sasl {
|
||||
"Mechanism name cannot be null");
|
||||
} else if (mechName.length() == 0) {
|
||||
continue;
|
||||
} else if (isDisabled(mechName)) {
|
||||
logger.log(Level.FINE,
|
||||
"Disabled " + mechName + " mechanism ignored");
|
||||
continue;
|
||||
}
|
||||
String type = "SaslClientFactory";
|
||||
Provider[] provs = Security.getProviders(type + "." + mechName);
|
||||
@ -468,6 +504,9 @@ public class Sasl {
|
||||
* the preferred provider order for the specified algorithm. This
|
||||
* may be different than the order of providers returned by
|
||||
* {@link Security#getProviders() Security.getProviders()}.
|
||||
* <p>
|
||||
* If {@code mechanism} is listed in the {@code jdk.sasl.disabledMechanisms}
|
||||
* security property, it will be ignored and this method returns {@code null}.
|
||||
*
|
||||
* @param mechanism The non-null mechanism name. It must be an
|
||||
* IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
|
||||
@ -521,6 +560,10 @@ public class Sasl {
|
||||
throw new NullPointerException("Mechanism name cannot be null");
|
||||
} else if (mechanism.length() == 0) {
|
||||
return null;
|
||||
} else if (isDisabled(mechanism)) {
|
||||
logger.log(Level.FINE,
|
||||
"Disabled " + mechanism + " mechanism ignored");
|
||||
return null;
|
||||
}
|
||||
|
||||
String type = "SaslServerFactory";
|
||||
@ -616,4 +659,8 @@ public class Sasl {
|
||||
}
|
||||
return Collections.unmodifiableSet(result);
|
||||
}
|
||||
|
||||
private static boolean isDisabled(String name) {
|
||||
return disabledMechanisms.contains(name);
|
||||
}
|
||||
}
|
||||
|
86
test/jdk/javax/security/sasl/Sasl/DisabledMechanisms.java
Normal file
86
test/jdk/javax/security/sasl/Sasl/DisabledMechanisms.java
Normal file
@ -0,0 +1,86 @@
|
||||
/*
|
||||
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
* or visit www.oracle.com if you need additional information or have any
|
||||
* questions.
|
||||
*/
|
||||
|
||||
/*
|
||||
* @test
|
||||
* @bug 8200400
|
||||
* @modules java.security.sasl
|
||||
* @library /test/lib
|
||||
* @run main/othervm DisabledMechanisms
|
||||
* DIGEST-MD5 DIGEST-MD5
|
||||
* @run main/othervm -DdisabledMechanisms= DisabledMechanisms
|
||||
* DIGEST-MD5 DIGEST-MD5
|
||||
* @run main/othervm -DdisabledMechanisms=DIGEST-MD5,NTLM DisabledMechanisms
|
||||
* null null
|
||||
* @run main/othervm -DdisabledMechanisms=DIGEST-MD5 DisabledMechanisms
|
||||
* NTLM null
|
||||
* @run main/othervm -DdisabledMechanisms=NTLM DisabledMechanisms
|
||||
* DIGEST-MD5 DIGEST-MD5
|
||||
*/
|
||||
|
||||
import java.security.Security;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
import javax.security.auth.callback.PasswordCallback;
|
||||
import javax.security.sasl.Sasl;
|
||||
import javax.security.sasl.SaslClient;
|
||||
import javax.security.sasl.SaslServer;
|
||||
import javax.security.auth.callback.Callback;
|
||||
import javax.security.auth.callback.CallbackHandler;
|
||||
|
||||
import jdk.test.lib.Asserts;
|
||||
|
||||
public class DisabledMechanisms {
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
|
||||
String authorizationId = "username";
|
||||
String protocol = "ldap";
|
||||
String serverName = "server1";
|
||||
Map props = Collections.emptyMap();
|
||||
|
||||
String disabled = System.getProperty("disabledMechanisms");
|
||||
if (disabled != null) {
|
||||
Security.setProperty("jdk.sasl.disabledMechanisms", disabled);
|
||||
}
|
||||
|
||||
CallbackHandler callbackHandler = callbacks -> {
|
||||
for (Callback cb : callbacks) {
|
||||
if (cb instanceof PasswordCallback) {
|
||||
((PasswordCallback) cb).setPassword("password".toCharArray());
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
SaslClient client = Sasl.createSaslClient(
|
||||
new String[]{"DIGEST-MD5", "NTLM"}, authorizationId,
|
||||
protocol, serverName, props, callbackHandler);
|
||||
Asserts.assertEQ(client == null ? null : client.getMechanismName(),
|
||||
args[0].equals("null") ? null : args[0]);
|
||||
|
||||
SaslServer server = Sasl.createSaslServer(
|
||||
"DIGEST-MD5", protocol, serverName, props, callbackHandler);
|
||||
Asserts.assertEQ(server == null ? null : server.getMechanismName(),
|
||||
args[1].equals("null") ? null : args[1]);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user