a979586dce
Reviewed-by: psandoz, mchung
354 lines
14 KiB
Java
354 lines
14 KiB
Java
/*
|
|
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
|
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
*
|
|
* This code is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 only, as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
* version 2 for more details (a copy is included in the LICENSE file that
|
|
* accompanied this code).
|
|
*
|
|
* You should have received a copy of the GNU General Public License version
|
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
* or visit www.oracle.com if you need additional information or have any
|
|
* questions.
|
|
*/
|
|
|
|
/*
|
|
* @test
|
|
* @bug 6911951 7150092
|
|
* @summary NTLM should be a supported Java SASL mechanism
|
|
* @modules java.base/sun.security.util
|
|
* java.security.sasl
|
|
*/
|
|
import java.io.IOException;
|
|
import javax.security.sasl.*;
|
|
import javax.security.auth.callback.*;
|
|
import java.util.*;
|
|
import sun.security.util.HexDumpEncoder;
|
|
|
|
public class NTLMTest {
|
|
|
|
private static final String MECH = "NTLM";
|
|
private static final String REALM = "REALM";
|
|
private static final String PROTOCOL = "jmx";
|
|
private static final byte[] EMPTY = new byte[0];
|
|
|
|
private static final String USER1 = "dummy";
|
|
private static final char[] PASS1 = "bogus".toCharArray();
|
|
private static final String USER2 = "foo";
|
|
private static final char[] PASS2 = "bar".toCharArray();
|
|
|
|
private static final Map<String,char[]> maps =
|
|
new HashMap<String,char[]>();
|
|
static {
|
|
maps.put(USER1, PASS1);
|
|
maps.put(USER2, PASS2);
|
|
}
|
|
|
|
static char[] getPass(String d, String u) {
|
|
if (!d.equals(REALM)) return null;
|
|
return maps.get(u);
|
|
}
|
|
|
|
public static void main(String[] args) throws Exception {
|
|
|
|
checkAuthOnly();
|
|
checkClientNameOverride();
|
|
checkClientDomainOverride();
|
|
checkVersions();
|
|
checkClientHostname();
|
|
}
|
|
|
|
static void checkVersions() throws Exception {
|
|
// Server accepts all version
|
|
checkVersion(null, null);
|
|
checkVersion("LM/NTLM", null);
|
|
checkVersion("LM", null);
|
|
checkVersion("NTLM", null);
|
|
checkVersion("NTLM2", null);
|
|
checkVersion("LMv2/NTLMv2", null);
|
|
checkVersion("LMv2", null);
|
|
checkVersion("NTLMv2", null);
|
|
|
|
// Client's default version is LMv2
|
|
checkVersion(null, "LMv2");
|
|
|
|
// Also works if they specified identical versions
|
|
checkVersion("LM/NTLM", "LM");
|
|
checkVersion("LM", "LM");
|
|
checkVersion("NTLM", "LM");
|
|
checkVersion("NTLM2", "NTLM2");
|
|
checkVersion("LMv2/NTLMv2", "LMv2");
|
|
checkVersion("LMv2", "LMv2");
|
|
checkVersion("NTLMv2", "LMv2");
|
|
|
|
// But should not work if different
|
|
try {
|
|
checkVersion("LM/NTLM", "LMv2");
|
|
throw new Exception("Should not succeed");
|
|
} catch (SaslException se) {
|
|
// OK
|
|
}
|
|
try {
|
|
checkVersion("LMv2/NTLMv2", "LM");
|
|
throw new Exception("Should not succeed");
|
|
} catch (SaslException se) {
|
|
// OK
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* A test on version matching
|
|
* @param vc ntlm version specified for client
|
|
* @param vs ntlm version specified for server
|
|
* @throws Exception
|
|
*/
|
|
private static void checkVersion(String vc, String vs) throws Exception {
|
|
Map<String,Object> pc = new HashMap<>();
|
|
pc.put("com.sun.security.sasl.ntlm.version", vc);
|
|
Map<String,Object> ps = new HashMap<>();
|
|
ps.put("com.sun.security.sasl.ntlm.version", vs);
|
|
SaslClient clnt = Sasl.createSaslClient(
|
|
new String[]{MECH}, USER1, PROTOCOL, REALM, pc,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof PasswordCallback) {
|
|
((PasswordCallback)cb).setPassword(PASS1);
|
|
}
|
|
}
|
|
}
|
|
});
|
|
|
|
SaslServer srv = Sasl.createSaslServer(MECH, PROTOCOL, REALM, ps,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
String domain = null, name = null;
|
|
PasswordCallback pcb = null;
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof NameCallback) {
|
|
name = ((NameCallback)cb).getDefaultName();
|
|
} else if (cb instanceof RealmCallback) {
|
|
domain = ((RealmCallback)cb).getDefaultText();
|
|
} else if (cb instanceof PasswordCallback) {
|
|
pcb = (PasswordCallback)cb;
|
|
}
|
|
}
|
|
if (pcb != null) {
|
|
pcb.setPassword(getPass(domain, name));
|
|
}
|
|
}
|
|
});
|
|
|
|
handshake(clnt, srv);
|
|
}
|
|
|
|
private static void checkClientHostname() throws Exception {
|
|
Map<String,Object> pc = new HashMap<>();
|
|
pc.put("com.sun.security.sasl.ntlm.hostname", "this.is.com");
|
|
SaslClient clnt = Sasl.createSaslClient(
|
|
new String[]{MECH}, USER1, PROTOCOL, REALM, pc,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof PasswordCallback) {
|
|
((PasswordCallback)cb).setPassword(PASS1);
|
|
}
|
|
}
|
|
}
|
|
});
|
|
|
|
SaslServer srv = Sasl.createSaslServer(MECH, PROTOCOL, REALM, null,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
String domain = null, name = null;
|
|
PasswordCallback pcb = null;
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof NameCallback) {
|
|
name = ((NameCallback)cb).getDefaultName();
|
|
} else if (cb instanceof RealmCallback) {
|
|
domain = ((RealmCallback)cb).getDefaultText();
|
|
} else if (cb instanceof PasswordCallback) {
|
|
pcb = (PasswordCallback)cb;
|
|
}
|
|
}
|
|
if (pcb != null) {
|
|
pcb.setPassword(getPass(domain, name));
|
|
}
|
|
}
|
|
});
|
|
|
|
handshake(clnt, srv);
|
|
if (!"this.is.com".equals(
|
|
srv.getNegotiatedProperty("com.sun.security.sasl.ntlm.hostname"))) {
|
|
throw new Exception("Hostname not trasmitted to server");
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Client realm override, but finally overridden by server response
|
|
*/
|
|
private static void checkClientDomainOverride() throws Exception {
|
|
SaslClient clnt = Sasl.createSaslClient(
|
|
new String[]{MECH}, USER1, PROTOCOL, "ANOTHERREALM", null,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof RealmCallback) {
|
|
((RealmCallback)cb).setText(REALM);
|
|
} else if (cb instanceof PasswordCallback) {
|
|
((PasswordCallback)cb).setPassword(PASS1);
|
|
}
|
|
}
|
|
}
|
|
});
|
|
|
|
SaslServer srv = Sasl.createSaslServer(MECH, PROTOCOL, REALM, null,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
String domain = null, name = null;
|
|
PasswordCallback pcb = null;
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof NameCallback) {
|
|
name = ((NameCallback)cb).getDefaultName();
|
|
} else if (cb instanceof RealmCallback) {
|
|
domain = ((RealmCallback)cb).getDefaultText();
|
|
} else if (cb instanceof PasswordCallback) {
|
|
pcb = (PasswordCallback)cb;
|
|
}
|
|
}
|
|
if (pcb != null) {
|
|
pcb.setPassword(getPass(domain, name));
|
|
}
|
|
}
|
|
});
|
|
|
|
handshake(clnt, srv);
|
|
}
|
|
|
|
/**
|
|
* Client side user name provided in callback.
|
|
* @throws Exception
|
|
*/
|
|
private static void checkClientNameOverride() throws Exception {
|
|
SaslClient clnt = Sasl.createSaslClient(
|
|
new String[]{MECH}, "someone", PROTOCOL, REALM, null,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof NameCallback) {
|
|
NameCallback ncb = (NameCallback) cb;
|
|
ncb.setName(USER1);
|
|
} else if (cb instanceof PasswordCallback) {
|
|
((PasswordCallback)cb).setPassword(PASS1);
|
|
}
|
|
}
|
|
}
|
|
});
|
|
|
|
SaslServer srv = Sasl.createSaslServer(MECH, PROTOCOL, "FAKE", null,
|
|
new CallbackHandler() {
|
|
public void handle(Callback[] callbacks)
|
|
throws IOException, UnsupportedCallbackException {
|
|
String domain = null, name = null;
|
|
PasswordCallback pcb = null;
|
|
for (Callback cb: callbacks) {
|
|
if (cb instanceof NameCallback) {
|
|
name = ((NameCallback)cb).getDefaultName();
|
|
} else if (cb instanceof RealmCallback) {
|
|
domain = ((RealmCallback)cb).getDefaultText();
|
|
} else if (cb instanceof PasswordCallback) {
|
|
pcb = (PasswordCallback)cb;
|
|
}
|
|
}
|
|
if (pcb != null) {
|
|
pcb.setPassword(getPass(domain, name));
|
|
}
|
|
}
|
|
});
|
|
|
|
handshake(clnt, srv);
|
|
}
|
|
|
|
private static void checkAuthOnly() throws Exception {
|
|
Map<String,Object> props = new HashMap<>();
|
|
props.put(Sasl.QOP, "auth-conf");
|
|
try {
|
|
Sasl.createSaslClient(
|
|
new String[]{MECH}, USER2, PROTOCOL, REALM, props, null);
|
|
throw new Exception("NTLM should not support auth-conf");
|
|
} catch (SaslException se) {
|
|
// Normal
|
|
}
|
|
}
|
|
|
|
private static void handshake(SaslClient clnt, SaslServer srv)
|
|
throws Exception {
|
|
if (clnt == null) {
|
|
throw new IllegalStateException(
|
|
"Unable to find client impl for " + MECH);
|
|
}
|
|
if (srv == null) {
|
|
throw new IllegalStateException(
|
|
"Unable to find server impl for " + MECH);
|
|
}
|
|
|
|
byte[] response = (clnt.hasInitialResponse()
|
|
? clnt.evaluateChallenge(EMPTY) : EMPTY);
|
|
System.out.println("Initial:");
|
|
new HexDumpEncoder().encodeBuffer(response, System.out);
|
|
byte[] challenge;
|
|
|
|
while (!clnt.isComplete() || !srv.isComplete()) {
|
|
challenge = srv.evaluateResponse(response);
|
|
response = null;
|
|
if (challenge != null) {
|
|
System.out.println("Challenge:");
|
|
new HexDumpEncoder().encodeBuffer(challenge, System.out);
|
|
response = clnt.evaluateChallenge(challenge);
|
|
}
|
|
if (response != null) {
|
|
System.out.println("Response:");
|
|
new HexDumpEncoder().encodeBuffer(response, System.out);
|
|
}
|
|
}
|
|
|
|
if (clnt.isComplete() && srv.isComplete()) {
|
|
System.out.println("SUCCESS");
|
|
if (!srv.getAuthorizationID().equals(USER1)) {
|
|
throw new Exception("Not correct user");
|
|
}
|
|
} else {
|
|
throw new IllegalStateException(
|
|
"FAILURE: mismatched state:"
|
|
+ " client complete? " + clnt.isComplete()
|
|
+ " server complete? " + srv.isComplete());
|
|
}
|
|
|
|
if (!clnt.getNegotiatedProperty(Sasl.QOP).equals("auth") ||
|
|
!srv.getNegotiatedProperty(Sasl.QOP).equals("auth") ||
|
|
!clnt.getNegotiatedProperty(
|
|
"com.sun.security.sasl.ntlm.domain").equals(REALM)) {
|
|
throw new Exception("Negotiated property error");
|
|
}
|
|
clnt.dispose();
|
|
srv.dispose();
|
|
}
|
|
}
|