1 /*
2 * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 /*
25 * @test
26 * @bug 7152176
27 * @summary More krb5 tests
28 * @library ../../../../java/security/testlibrary/
29 * @compile -XDignore.symbol.file ReplayCacheTestProc.java
30 * @run main/othervm/timeout=100 ReplayCacheTestProc
31 */
32
33 import java.io.*;
34 import java.nio.BufferUnderflowException;
35 import java.nio.channels.SeekableByteChannel;
36 import java.nio.file.Files;
37 import java.nio.file.Paths;
38 import java.nio.file.StandardCopyOption;
39 import java.nio.file.StandardOpenOption;
40 import java.security.MessageDigest;
41 import java.util.*;
42 import sun.security.jgss.GSSUtil;
43 import sun.security.krb5.internal.APReq;
44 import sun.security.krb5.internal.rcache.AuthTime;
45
46 // This test runs multiple acceptor Procs to mimin AP-REQ replays.
47 public class ReplayCacheTestProc {
48
49 private static Proc[] ps;
50 private static Proc pc;
51 private static List<Req> reqs = new ArrayList<>();
52 private static String HOST = "localhost";
53
54 // Where should the rcache be saved. It seems KRB5RCACHEDIR is not
55 // recognized on Solaris. Maybe version too low? I see 1.6.
56 private static String cwd =
57 System.getProperty("os.name").startsWith("SunOS") ?
58 "/var/krb5/rcache/" :
59 System.getProperty("user.dir");
60
61
62 private static int uid;
63
64 public static void main0(String[] args) throws Exception {
65 System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
66 if (args.length == 0) { // The controller
67 int ns = 5; // number of servers
68 int nu = 5; // number of users
69 int nx = 50; // number of experiments
70 int np = 5; // number of peers (services)
71 int mode = 0; // native(1), random(0), java(-1)
72 boolean random = true; // random experiments choreograph
73
74 try {
75 Class<?> clazz = Class.forName(
76 "com.sun.security.auth.module.UnixSystem");
77 uid = (int)(long)(Long)
78 clazz.getMethod("getUid").invoke(clazz.newInstance());
79 } catch (Exception e) {
80 uid = -1;
81 }
82
83 KDC kdc = KDC.create(OneKDC.REALM, HOST, 0, true);
84 for (int i=0; i<nu; i++) {
85 kdc.addPrincipal(user(i), OneKDC.PASS);
86 }
87 kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
88 for (int i=0; i<np; i++) {
89 kdc.addPrincipalRandKey(peer(i));
90 }
91
92 kdc.writeKtab(OneKDC.KTAB);
93 KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
94
95 pc = Proc.create("ReplayCacheTestProc").debug("C")
96 .args("client")
97 .start();
98 ps = new Proc[ns];
99 Ex[] result = new Ex[nx];
100
101 if (!random) {
102 // 2 experiments, 2 server, 1 peer, 1 user
103 nx = 2; ns = 2; np = 1; nu = 1;
104
105 // Creates reqs from user# to peer#
106 req(0, 0);
107
108 // Creates server#
109 ps[0] = ns(0);
110 ps[1] = js(1);
111
112 // Runs ex# using req# to server# with expected result
113 result[0] = round(0, 0, 0, true);
114 result[1] = round(1, 0, 1, false);
115 } else {
116 Random r = new Random();
117 for (int i=0; i<ns; i++) {
118 boolean useNative = (mode == 1) ? true
119 : (mode == -1 ? false : r.nextBoolean());
120 ps[i] = useNative?ns(i):js(i);
121 }
122 for (int i=0; i<nx; i++) {
123 result[i] = new Ex();
124 int old; // which req to send
125 boolean expected;
126 if (reqs.isEmpty() || r.nextBoolean()) {
127 Proc.d("Console get new AP-REQ");
128 old = req(r.nextInt(nu), r.nextInt(np));
129 expected = true;
130 } else {
131 Proc.d("Console resue old");
132 old = r.nextInt(reqs.size());
133 expected = false;
134 }
135 int s = r.nextInt(ns);
136 Proc.d("Console send to " + s);
137 result[i] = round(i, old, s, expected);
138 Proc.d("Console sees " + result[i].actual);
139 }
140 }
141
142 pc.println("END");
143 for (int i=0; i<ns; i++) {
144 ps[i].println("END");
145 }
146 System.out.println("Result\n======");
147 boolean finalOut = true;
148 for (int i=0; i<nx; i++) {
149 boolean out = result[i].expected==result[i].actual;
150 finalOut &= out;
151 System.out.printf("%3d: %s (%2d): u%d h%d %s %s %s %2d\n",
152 i,
153 result[i].expected?"----":" ",
154 result[i].old,
155 result[i].user, result[i].peer, result[i].server,
156 result[i].actual?"Good":"Bad ",
157 out?" ":"xxx",
158 result[i].csize);
159 }
160 if (!finalOut) throw new Exception();
161 } else if (args[0].equals("client")) {
162 while (true) {
163 String title = Proc.textIn();
164 Proc.d("Client see " + title);
165 if (title.equals("END")) break;
166 String[] cas = title.split(" ");
167 Context c = Context.fromUserPass(cas[0], OneKDC.PASS, false);
168 c.startAsClient(cas[1], GSSUtil.GSS_KRB5_MECH_OID);
169 c.x().requestCredDeleg(true);
170 byte[] token = c.take(new byte[0]);
171 Proc.d("Client AP-REQ generated");
172 Proc.binOut(token);
173 }
174 } else {
175 Proc.d("Server start");
176 Context s = Context.fromUserKtab("*", OneKDC.KTAB, true);
177 Proc.d("Server login");
178 while (true) {
179 String title = Proc.textIn();
180 Proc.d("Server " + args[0] + " sees " + title);
181 if (title.equals("END")) break;
182 s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
183 byte[] token = Proc.binIn();
184 try {
185 s.take(token);
186 Proc.textOut("true");
187 Proc.d(args[0] + " Good");
188 } catch (Exception e) {
189 Proc.textOut("false");
190 Proc.d(args[0] + " Bad");
191 }
192 }
193 }
194 }
195
196 public static void main(String[] args) throws Exception {
197 try {
198 main0(args);
199 } catch (Exception e) {
200 Proc.d(e);
201 throw e;
202 }
203 }
204
205 // returns the user name
206 private static String user(int p) {
207 return "USER" + p;
208 }
209 // returns the peer name
210 private static String peer(int p) {
211 return "host" + p + "/" + HOST;
212 }
213 // returns the dfl name for a host
214 private static String dfl(int p) {
215 return cwd + "host" + p + (uid == -1 ? "" : ("_"+uid));
216 }
217 // generates an ap-req and save into reqs, returns the index
218 private static int req(int user, int peer) throws Exception {
219 pc.println(user(user) + " " + peer(peer));
220 Req req = new Req(user, peer, pc.readData());
221 reqs.add(req);
222 return reqs.size() - 1;
223 }
224 // carries out a round of experiment
225 // i: ex#, old: which req, server: which server, expected: result?
226 private static Ex round(int i, int old, int server, boolean expected)
227 throws Exception {
228 ps[server].println("TEST");
229 ps[server].println(reqs.get(old).msg);
230 String reply = ps[server].readData();
231 Ex result = new Ex();
232 result.i = i;
233 result.expected = expected;
234 result.server = ps[server].debug();
235 result.actual = Boolean.valueOf(reply);
236 result.user = reqs.get(old).user;
237 result.peer = reqs.get(old).peer;
238 result.old = old;
239 result.csize = csize(result.peer);
240 result.hash = hash(reqs.get(old).msg);
241 if (new File(dfl(result.peer)).exists()) {
242 Files.copy(Paths.get(dfl(result.peer)), Paths.get(
243 String.format("%03d-USER%d-host%d-%s-%s",
244 i, result.user, result.peer, result.server,
245 result.actual)
246 + "-" + result.hash),
247 StandardCopyOption.COPY_ATTRIBUTES);
248 }
249 return result;
250 }
251 // create a native server
252 private static Proc ns(int i) throws Exception {
253 return Proc.create("ReplayCacheTestProc")
254 .args("N"+i)
255 .env("KRB5_CONFIG", OneKDC.KRB5_CONF)
256 .env("KRB5_KTNAME", OneKDC.KTAB)
257 .env("KRB5RCACHEDIR", cwd)
258 .prop("sun.security.jgss.native", "true")
259 .prop("javax.security.auth.useSubjectCredsOnly", "false")
260 .prop("sun.security.nativegss.debug", "true")
261 .debug("N"+i)
262 .start();
263 }
264 // creates a java server
265 private static Proc js(int i) throws Exception {
266 return Proc.create("ReplayCacheTestProc")
267 .debug("S"+i)
268 .args("S"+i)
269 .prop("sun.security.krb5.rcache", "dfl")
270 .prop("java.io.tmpdir", cwd)
271 .start();
272 }
273 // generates hash of authenticator inside ap-req inside initsectoken
274 private static String hash(String req) throws Exception {
275 byte[] data = Base64.getDecoder().decode(req);
276 data = Arrays.copyOfRange(data, 17, data.length);
277 byte[] hash = MessageDigest.getInstance("MD5").digest(new APReq(data).authenticator.getBytes());
278 char[] h = new char[hash.length * 2];
279 char[] hexConst = "0123456789ABCDEF".toCharArray();
280 for (int i=0; i<hash.length; i++) {
281 h[2*i] = hexConst[(hash[i]&0xff)>>4];
282 h[2*i+1] = hexConst[hash[i]&0xf];
283 }
284 return new String(h);
285 }
286 // return size of dfl file, excluding the null hash ones
287 private static int csize(int p) throws Exception {
288 try (SeekableByteChannel chan = Files.newByteChannel(
289 Paths.get(dfl(p)), StandardOpenOption.READ)) {
290 chan.position(6);
291 int cc = 0;
292 while (true) {
293 try {
294 if (AuthTime.readFrom(chan) != null) cc++;
295 } catch (BufferUnderflowException e) {
296 break;
297 }
298 }
299 return cc;
300 } catch (IOException ioe) {
301 return 0;
302 }
303 }
304 // models an experiement
305 private static class Ex {
306 int i; // #
307 boolean expected; // expected result
308 boolean actual; // actual output
309 int old; // which ap-req to send
310 String server; // which server to send to
311 String hash; // the hash of req
312 int user; // which initiator
313 int peer; // which acceptor
314 int csize; // size of rcache after test
315 }
316 // models a saved ap-req msg
317 private static class Req {
318 String msg; // based64-ed req
319 int user; // which initiator
320 int peer; // which accceptor
321 Req(int user, int peer, String msg) {
322 this.msg = msg;
323 this.user= user;
324 this.peer = peer;
325 }
326 }
327 }