stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

6682540: Incorrect SASL DIGEST-MD5 behavior

Browse Source 
Reviewed-by: jnimeh
This commit is contained in:
Weijun Wang 2019-05-25 08:30:53 +08:00
parent 2c002e9355
commit 764258a114
2 changed files with 157 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/java.security.sasl/share/classes/com/sun/security/sasl/digest/DigestMD5Server.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -195,8 +195,13 @@ final class DigestMD5Server extends DigestMD5Base implements SaslServer {
switch (step) {
case 1:
if (response.length != 0) {
throw new SaslException(
"DIGEST-MD5 must not have an initial response");
// We do not support "subsequent authentication" (client
// initial response). According to
// https://tools.ietf.org/html/rfc2831#section-2.2
// If the server does not support subsequent authentication,
// then it sends a "digest-challenge", and authentication
// proceeds as in initial authentication.
logger.log(Level.FINE, "Ignoring initial response");
}
/* Generate first challenge */

149
test/jdk/com/sun/security/sasl/digest/HasInitialResponse.java Normal file
View File

@ -0,0 +1,149 @@
/*
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 6682540
* @summary Incorrect SASL DIGEST-MD5 behavior
*/
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import java.nio.charset.StandardCharsets;
public class HasInitialResponse {
private static final String MECH = "DIGEST-MD5";
private static final String SERVER_FQDN = "machineX.imc.org";
private static final String PROTOCOL = "jmx";
private static final byte[] EMPTY = new byte[0];
public static void main(String[] args) throws Exception {
CallbackHandler clntCbh = new ClientCallbackHandler(true);
CallbackHandler srvCbh = new PropertiesFileCallbackHandler(
"pw.properties", "names.properties", null);
// Get an existing SaslClient as base of our own client
SaslClient base = Sasl.createSaslClient(
new String[]{MECH}, null, PROTOCOL, SERVER_FQDN,
null, clntCbh);
// Our own client that has initial response
SaslClient clnt = new MyDigestMD5Client(base);
SaslServer srv = Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN,
null, srvCbh);
// The usual loop
byte[] response = clnt.hasInitialResponse()
? clnt.evaluateChallenge(EMPTY) : EMPTY;
byte[] challenge;
while (!clnt.isComplete() || !srv.isComplete()) {
challenge = srv.evaluateResponse(response);
if (challenge != null) {
response = clnt.evaluateChallenge(challenge);
}
}
if (clnt.isComplete() && srv.isComplete()) {
System.out.println("SUCCESS");
System.out.println("authzid is " + srv.getAuthorizationID());
} else {
throw new IllegalStateException(
"FAILURE: mismatched state:" +
" client complete? " + clnt.isComplete() +
" server complete? " + srv.isComplete());
}
clnt.dispose();
srv.dispose();
}
public static class MyDigestMD5Client implements SaslClient {
final SaslClient base;
boolean first = true;
public MyDigestMD5Client(SaslClient base) {
this.base = base;
}
@Override
public String getMechanismName() {
return base.getMechanismName();
}
@Override
public boolean hasInitialResponse() {
return true; // I have initial response
}
@Override
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
if (first) {
first = false;
if (challenge.length == 0) {
return "hello".getBytes(StandardCharsets.UTF_8);
} else {
throw new SaslException("Non-empty challenge");
}
} else {
return base.evaluateChallenge(challenge);
}
}
@Override
public boolean isComplete() {
return base.isComplete();
}
@Override
public byte[] unwrap(byte[] incoming, int offset, int len)
throws SaslException {
return base.unwrap(incoming, offset, len);
}
@Override
public byte[] wrap(byte[] outgoing, int offset, int len)
throws SaslException {
return base.wrap(outgoing, offset, len);
}
@Override
public Object getNegotiatedProperty(String propName) {
return base.getNegotiatedProperty(propName);
}
@Override
public void dispose() throws SaslException {
base.dispose();
}
}
}