1 /*
2 * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26
27 package sun.security.krb5.internal.rcache;
28
29 import java.io.*;
30 import java.nio.BufferUnderflowException;
31 import java.nio.ByteBuffer;
32 import java.nio.ByteOrder;
33 import java.nio.channels.SeekableByteChannel;
34 import java.nio.file.Files;
35 import java.nio.file.Path;
36 import java.nio.file.StandardCopyOption;
37 import java.nio.file.StandardOpenOption;
38 import java.nio.file.attribute.PosixFilePermission;
39 import java.security.AccessController;
40 import java.util.*;
41
42 import sun.security.action.GetPropertyAction;
43 import sun.security.krb5.internal.KerberosTime;
44 import sun.security.krb5.internal.Krb5;
45 import sun.security.krb5.internal.KrbApErrException;
46 import sun.security.krb5.internal.ReplayCache;
47
48
49 /**
50 * A dfl file is used to sustores AuthTime entries when the system property
51 * sun.security.krb5.rcache is set to
52 *
53 * dfl(|:path/|:path/name|:name)
54 *
55 * The file will be path/name. If path is not given, it will be
56 *
57 * System.getProperty("java.io.tmpdir")
58 *
59 * If name is not given, it will be
60 *
61 * service_euid
62 *
63 * in which euid is available as jdk.internal.misc.VM.geteuid().
64 *
65 * The file has a header:
66 *
67 * i16 0x0501 (KRB5_RC_VNO) in network order
68 * i32 number of seconds for lifespan (in native order, same below)
69 *
70 * followed by cache entries concatenated, which can be encoded in
71 * 2 styles:
72 *
73 * The traditional style is:
74 *
75 * LC of client principal
76 * LC of server principal
77 * i32 cusec of Authenticator
78 * i32 ctime of Authenticator
79 *
80 * The new style has a hash:
81 *
82 * LC of ""
83 * LC of "HASH:%s %lu:%s %lu:%s" of (hash, clientlen, client, serverlen,
84 * server) where msghash is 32 char (lower case) text mode md5sum
85 * of the ciphertext of authenticator.
86 * i32 cusec of Authenticator
87 * i32 ctime of Authenticator
88 *
89 * where LC of a string means
90 *
91 * i32 strlen(string) + 1
92 * octets of string, with the \0x00 ending
93 *
94 * The old style block is always created by MIT krb5 used even if a new style
95 * is available, which means there can be 2 entries for a single Authenticator.
96 * Java also does this way.
97 *
98 * See src/lib/krb5/rcache/rc_io.c and src/lib/krb5/rcache/rc_dfl.c.
99 */
100 public class DflCache extends ReplayCache {
101
102 private static final int KRB5_RV_VNO = 0x501;
103 private static final int EXCESSREPS = 30; // if missed-hit>this, recreate
104
105 private final String source;
106
107 private static long uid;
108 static {
109 // Available on Solaris, Linux and Mac. Otherwise, -1 and no _euid suffix
110 uid = jdk.internal.misc.VM.geteuid();
111 }
112
113 public DflCache (String source) {
114 this.source = source;
115 }
116
117 private static String defaultPath() {
118 return AccessController.doPrivileged(
119 new GetPropertyAction("java.io.tmpdir"));
120 }
121
122 private static String defaultFile(String server) {
123 // service/host@REALM -> service
124 int slash = server.indexOf('/');
125 if (slash == -1) {
126 // A normal principal? say, dummy@REALM
127 slash = server.indexOf('@');
128 }
129 if (slash != -1) {
130 // Should not happen, but be careful
131 server= server.substring(0, slash);
132 }
133 if (uid != -1) {
134 server += "_" + uid;
135 }
136 return server;
137 }
138
139 private static Path getFileName(String source, String server) {
140 String path, file;
141 if (source.equals("dfl")) {
142 path = defaultPath();
143 file = defaultFile(server);
144 } else if (source.startsWith("dfl:")) {
145 source = source.substring(4);
146 int pos = source.lastIndexOf('/');
147 int pos1 = source.lastIndexOf('\\');
148 if (pos1 > pos) pos = pos1;
149 if (pos == -1) {
150 // Only file name
151 path = defaultPath();
152 file = source;
153 } else if (new File(source).isDirectory()) {
154 // Only path
155 path = source;
156 file = defaultFile(server);
157 } else {
158 // Full pathname
159 path = null;
160 file = source;
161 }
162 } else {
163 throw new IllegalArgumentException();
164 }
165 return new File(path, file).toPath();
166 }
167
168 @Override
169 public void checkAndStore(KerberosTime currTime, AuthTimeWithHash time)
170 throws KrbApErrException {
171 try {
172 checkAndStore0(currTime, time);
173 } catch (IOException ioe) {
174 KrbApErrException ke = new KrbApErrException(Krb5.KRB_ERR_GENERIC);
175 ke.initCause(ioe);
176 throw ke;
177 }
178 }
179
180 private synchronized void checkAndStore0(KerberosTime currTime, AuthTimeWithHash time)
181 throws IOException, KrbApErrException {
182 Path p = getFileName(source, time.server);
183 int missed = 0;
184 try (Storage s = new Storage()) {
185 try {
186 missed = s.loadAndCheck(p, time, currTime);
187 } catch (IOException ioe) {
188 // Non-existing or invalid file
189 Storage.create(p);
190 missed = s.loadAndCheck(p, time, currTime);
191 }
192 s.append(time);
193 }
194 if (missed > EXCESSREPS) {
195 Storage.expunge(p, currTime);
196 }
197 }
198
199
200 private static class Storage implements Closeable {
201 // Static methods
202 @SuppressWarnings("try")
203 private static void create(Path p) throws IOException {
204 try (SeekableByteChannel newChan = createNoClose(p)) {
205 // Do nothing, wait for close
206 }
207 makeMine(p);
208 }
209
210 private static void makeMine(Path p) throws IOException {
211 // chmod to owner-rw only, otherwise MIT krb5 rejects
212 try {
213 Set<PosixFilePermission> attrs = new HashSet<>();
214 attrs.add(PosixFilePermission.OWNER_READ);
215 attrs.add(PosixFilePermission.OWNER_WRITE);
216 Files.setPosixFilePermissions(p, attrs);
217 } catch (UnsupportedOperationException uoe) {
218 // No POSIX permission. That's OK.
219 }
220 }
221
222 private static SeekableByteChannel createNoClose(Path p)
223 throws IOException {
224 SeekableByteChannel newChan = Files.newByteChannel(
225 p, StandardOpenOption.CREATE,
226 StandardOpenOption.TRUNCATE_EXISTING,
227 StandardOpenOption.WRITE);
228 ByteBuffer buffer = ByteBuffer.allocate(6);
229 buffer.putShort((short)KRB5_RV_VNO);
230 buffer.order(ByteOrder.nativeOrder());
231 buffer.putInt(KerberosTime.getDefaultSkew());
232 buffer.flip();
233 newChan.write(buffer);
234 return newChan;
235 }
236
237 private static void expunge(Path p, KerberosTime currTime)
238 throws IOException {
239 Path p2 = Files.createTempFile(p.getParent(), "rcache", null);
240 try (SeekableByteChannel oldChan = Files.newByteChannel(p);
241 SeekableByteChannel newChan = createNoClose(p2)) {
242 long timeLimit = currTime.getSeconds() - readHeader(oldChan);
243 while (true) {
244 try {
245 AuthTime at = AuthTime.readFrom(oldChan);
246 if (at.ctime > timeLimit) {
247 ByteBuffer bb = ByteBuffer.wrap(at.encode(true));
248 newChan.write(bb);
249 }
250 } catch (BufferUnderflowException e) {
251 break;
252 }
253 }
254 }
255 makeMine(p2);
256 Files.move(p2, p,
257 StandardCopyOption.REPLACE_EXISTING,
258 StandardCopyOption.ATOMIC_MOVE);
259 }
260
261 // Instance methods
262 SeekableByteChannel chan;
263 private int loadAndCheck(Path p, AuthTimeWithHash time,
264 KerberosTime currTime)
265 throws IOException, KrbApErrException {
266 int missed = 0;
267 if (Files.isSymbolicLink(p)) {
268 throw new IOException("Symlink not accepted");
269 }
270 try {
271 Set<PosixFilePermission> perms =
272 Files.getPosixFilePermissions(p);
273 if (uid != -1 &&
274 (Integer)Files.getAttribute(p, "unix:uid") != uid) {
275 throw new IOException("Not mine");
276 }
277 if (perms.contains(PosixFilePermission.GROUP_READ) ||
278 perms.contains(PosixFilePermission.GROUP_WRITE) ||
279 perms.contains(PosixFilePermission.GROUP_EXECUTE) ||
280 perms.contains(PosixFilePermission.OTHERS_READ) ||
281 perms.contains(PosixFilePermission.OTHERS_WRITE) ||
282 perms.contains(PosixFilePermission.OTHERS_EXECUTE)) {
283 throw new IOException("Accessible by someone else");
284 }
285 } catch (UnsupportedOperationException uoe) {
286 // No POSIX permissions? Ignore it.
287 }
288 chan = Files.newByteChannel(p, StandardOpenOption.WRITE,
289 StandardOpenOption.READ);
290
291 long timeLimit = currTime.getSeconds() - readHeader(chan);
292
293 long pos = 0;
294 boolean seeNewButNotSame = false;
295 while (true) {
296 try {
297 pos = chan.position();
298 AuthTime a = AuthTime.readFrom(chan);
299 if (a instanceof AuthTimeWithHash) {
300 if (time.equals(a)) {
301 // Exact match, must be a replay
302 throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
303 } else if (time.isSameIgnoresHash(a)) {
304 // Two different authenticators in the same second.
305 // Remember it
306 seeNewButNotSame = true;
307 }
308 } else {
309 if (time.isSameIgnoresHash(a)) {
310 // Two authenticators in the same second. Considered
311 // same if we haven't seen a new style version of it
312 if (!seeNewButNotSame) {
313 throw new KrbApErrException(Krb5.KRB_AP_ERR_REPEAT);
314 }
315 }
316 }
317 if (a.ctime < timeLimit) {
318 missed++;
319 } else {
320 missed--;
321 }
322 } catch (BufferUnderflowException e) {
323 // Half-written file?
324 chan.position(pos);
325 break;
326 }
327 }
328 return missed;
329 }
330
331 private static int readHeader(SeekableByteChannel chan)
332 throws IOException {
333 ByteBuffer bb = ByteBuffer.allocate(6);
334 chan.read(bb);
335 if (bb.getShort(0) != KRB5_RV_VNO) {
336 throw new IOException("Not correct rcache version");
337 }
338 bb.order(ByteOrder.nativeOrder());
339 return bb.getInt(2);
340 }
341
342 private void append(AuthTimeWithHash at) throws IOException {
343 // Write an entry with hash, to be followed by one without it,
344 // for the benefit of old implementations.
345 ByteBuffer bb;
346 bb = ByteBuffer.wrap(at.encode(true));
347 chan.write(bb);
348 bb = ByteBuffer.wrap(at.encode(false));
349 chan.write(bb);
350 }
351
352 @Override
353 public void close() throws IOException {
354 if (chan != null) chan.close();
355 chan = null;
356 }
357 }
358 }