19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.jgss.krb5;
27
28 import org.ietf.jgss.*;
29 import javax.security.auth.kerberos.DelegationPermission;
30 import java.io.IOException;
31 import java.net.InetAddress;
32 import java.net.Inet4Address;
33 import java.net.Inet6Address;
34 import java.security.MessageDigest;
35 import java.security.NoSuchAlgorithmException;
36 import java.util.Arrays;
37 import sun.security.krb5.*;
38 import sun.security.krb5.internal.Krb5;
39
40 abstract class InitialToken extends Krb5Token {
41
42 private static final int CHECKSUM_TYPE = 0x8003;
43
44 private static final int CHECKSUM_LENGTH_SIZE = 4;
45 private static final int CHECKSUM_BINDINGS_SIZE = 16;
46 private static final int CHECKSUM_FLAGS_SIZE = 4;
47 private static final int CHECKSUM_DELEG_OPT_SIZE = 2;
48 private static final int CHECKSUM_DELEG_LGTH_SIZE = 2;
49
50 private static final int CHECKSUM_DELEG_FLAG = 1;
51 private static final int CHECKSUM_MUTUAL_FLAG = 2;
52 private static final int CHECKSUM_REPLAY_FLAG = 4;
53 private static final int CHECKSUM_SEQUENCE_FLAG = 8;
54 private static final int CHECKSUM_CONF_FLAG = 16;
55 private static final int CHECKSUM_INTEG_FLAG = 32;
56
57 private final byte[] CHECKSUM_FIRST_BYTES =
58 {(byte)0x10, (byte)0x00, (byte)0x00, (byte)0x00};
59
60 private static final int CHANNEL_BINDING_AF_INET = 2;
61 private static final int CHANNEL_BINDING_AF_INET6 = 24;
62 private static final int CHANNEL_BINDING_AF_NULL_ADDR = 255;
63
64 private static final int Inet4_ADDRSZ = 4;
65 private static final int Inet6_ADDRSZ = 16;
66
67 protected class OverloadedChecksum {
68
69 private byte[] checksumBytes = null;
70 private Credentials delegCreds = null;
71 private int flags = 0;
72
73 /**
74 * Called on the initiator side when creating the
75 * InitSecContextToken.
76 */
77 public OverloadedChecksum(Krb5Context context,
78 Credentials tgt,
79 Credentials serviceTicket)
316 context.setCredDelegState(true);
317 // default for the following are true
318 if ((flags & CHECKSUM_MUTUAL_FLAG) == 0) {
319 context.setMutualAuthState(false);
320 }
321 if ((flags & CHECKSUM_REPLAY_FLAG) == 0) {
322 context.setReplayDetState(false);
323 }
324 if ((flags & CHECKSUM_SEQUENCE_FLAG) == 0) {
325 context.setSequenceDetState(false);
326 }
327 if ((flags & CHECKSUM_CONF_FLAG) == 0) {
328 context.setConfState(false);
329 }
330 if ((flags & CHECKSUM_INTEG_FLAG) == 0) {
331 context.setIntegState(false);
332 }
333 }
334 }
335
336 private int getAddrType(InetAddress addr) {
337 int addressType = CHANNEL_BINDING_AF_NULL_ADDR;
338
339 if (addr instanceof Inet4Address)
340 addressType = CHANNEL_BINDING_AF_INET;
341 else if (addr instanceof Inet6Address)
342 addressType = CHANNEL_BINDING_AF_INET6;
343 return (addressType);
344 }
345
346 private byte[] getAddrBytes(InetAddress addr) throws GSSException {
347 int addressType = getAddrType(addr);
348 byte[] addressBytes = addr.getAddress();
349 if (addressBytes != null) {
350 switch (addressType) {
351 case CHANNEL_BINDING_AF_INET:
352 if (addressBytes.length != Inet4_ADDRSZ) {
353 throw new GSSException(GSSException.FAILURE, -1,
354 "Incorrect AF-INET address length in ChannelBinding.");
355 }
356 return (addressBytes);
357 case CHANNEL_BINDING_AF_INET6:
358 if (addressBytes.length != Inet6_ADDRSZ) {
359 throw new GSSException(GSSException.FAILURE, -1,
360 "Incorrect AF-INET6 address length in ChannelBinding.");
361 }
362 return (addressBytes);
363 default:
364 throw new GSSException(GSSException.FAILURE, -1,
365 "Cannot handle non AF-INET addresses in ChannelBinding.");
366 }
367 }
368 return null;
369 }
370
371 private byte[] computeChannelBinding(ChannelBinding channelBinding)
372 throws GSSException {
373
374 InetAddress initiatorAddress = channelBinding.getInitiatorAddress();
375 InetAddress acceptorAddress = channelBinding.getAcceptorAddress();
376 int size = 5*4;
377
378 int initiatorAddressType = getAddrType(initiatorAddress);
379 int acceptorAddressType = getAddrType(acceptorAddress);
380
381 byte[] initiatorAddressBytes = null;
382 if (initiatorAddress != null) {
383 initiatorAddressBytes = getAddrBytes(initiatorAddress);
384 size += initiatorAddressBytes.length;
385 }
386
387 byte[] acceptorAddressBytes = null;
388 if (acceptorAddress != null) {
389 acceptorAddressBytes = getAddrBytes(acceptorAddress);
390 size += acceptorAddressBytes.length;
391 }
392
393 byte[] appDataBytes = channelBinding.getApplicationData();
394 if (appDataBytes != null) {
395 size += appDataBytes.length;
396 }
397
398 byte[] data = new byte[size];
399
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.jgss.krb5;
27
28 import org.ietf.jgss.*;
29 import javax.security.auth.kerberos.DelegationPermission;
30 import java.io.IOException;
31 import java.net.InetAddress;
32 import java.net.Inet4Address;
33 import java.net.Inet6Address;
34 import java.security.MessageDigest;
35 import java.security.NoSuchAlgorithmException;
36 import java.util.Arrays;
37 import sun.security.krb5.*;
38 import sun.security.krb5.internal.Krb5;
39 import sun.security.jgss.krb5.internal.TlsChannelBindingImpl;
40
41 abstract class InitialToken extends Krb5Token {
42
43 private static final int CHECKSUM_TYPE = 0x8003;
44
45 private static final int CHECKSUM_LENGTH_SIZE = 4;
46 private static final int CHECKSUM_BINDINGS_SIZE = 16;
47 private static final int CHECKSUM_FLAGS_SIZE = 4;
48 private static final int CHECKSUM_DELEG_OPT_SIZE = 2;
49 private static final int CHECKSUM_DELEG_LGTH_SIZE = 2;
50
51 private static final int CHECKSUM_DELEG_FLAG = 1;
52 private static final int CHECKSUM_MUTUAL_FLAG = 2;
53 private static final int CHECKSUM_REPLAY_FLAG = 4;
54 private static final int CHECKSUM_SEQUENCE_FLAG = 8;
55 private static final int CHECKSUM_CONF_FLAG = 16;
56 private static final int CHECKSUM_INTEG_FLAG = 32;
57
58 private final byte[] CHECKSUM_FIRST_BYTES =
59 {(byte)0x10, (byte)0x00, (byte)0x00, (byte)0x00};
60
61 private static final int CHANNEL_BINDING_AF_UNSPEC = 0;
62 private static final int CHANNEL_BINDING_AF_INET = 2;
63 private static final int CHANNEL_BINDING_AF_INET6 = 24;
64 private static final int CHANNEL_BINDING_AF_NULL_ADDR = 255;
65
66 private static final int Inet4_ADDRSZ = 4;
67 private static final int Inet6_ADDRSZ = 16;
68
69 protected class OverloadedChecksum {
70
71 private byte[] checksumBytes = null;
72 private Credentials delegCreds = null;
73 private int flags = 0;
74
75 /**
76 * Called on the initiator side when creating the
77 * InitSecContextToken.
78 */
79 public OverloadedChecksum(Krb5Context context,
80 Credentials tgt,
81 Credentials serviceTicket)
318 context.setCredDelegState(true);
319 // default for the following are true
320 if ((flags & CHECKSUM_MUTUAL_FLAG) == 0) {
321 context.setMutualAuthState(false);
322 }
323 if ((flags & CHECKSUM_REPLAY_FLAG) == 0) {
324 context.setReplayDetState(false);
325 }
326 if ((flags & CHECKSUM_SEQUENCE_FLAG) == 0) {
327 context.setSequenceDetState(false);
328 }
329 if ((flags & CHECKSUM_CONF_FLAG) == 0) {
330 context.setConfState(false);
331 }
332 if ((flags & CHECKSUM_INTEG_FLAG) == 0) {
333 context.setIntegState(false);
334 }
335 }
336 }
337
338 private int getAddrType(InetAddress addr, int defValue) {
339 int addressType = defValue;
340
341 if (addr instanceof Inet4Address)
342 addressType = CHANNEL_BINDING_AF_INET;
343 else if (addr instanceof Inet6Address)
344 addressType = CHANNEL_BINDING_AF_INET6;
345 return (addressType);
346 }
347
348 private byte[] getAddrBytes(InetAddress addr) throws GSSException {
349 int addressType = getAddrType(addr, CHANNEL_BINDING_AF_NULL_ADDR);
350 byte[] addressBytes = addr.getAddress();
351 if (addressBytes != null) {
352 switch (addressType) {
353 case CHANNEL_BINDING_AF_INET:
354 if (addressBytes.length != Inet4_ADDRSZ) {
355 throw new GSSException(GSSException.FAILURE, -1,
356 "Incorrect AF-INET address length in ChannelBinding.");
357 }
358 return (addressBytes);
359 case CHANNEL_BINDING_AF_INET6:
360 if (addressBytes.length != Inet6_ADDRSZ) {
361 throw new GSSException(GSSException.FAILURE, -1,
362 "Incorrect AF-INET6 address length in ChannelBinding.");
363 }
364 return (addressBytes);
365 default:
366 throw new GSSException(GSSException.FAILURE, -1,
367 "Cannot handle non AF-INET addresses in ChannelBinding.");
368 }
369 }
370 return null;
371 }
372
373 private byte[] computeChannelBinding(ChannelBinding channelBinding)
374 throws GSSException {
375
376 InetAddress initiatorAddress = channelBinding.getInitiatorAddress();
377 InetAddress acceptorAddress = channelBinding.getAcceptorAddress();
378 int size = 5*4;
379
380 // LDAP TLS Channel Binding requires CHANNEL_BINDING_AF_UNSPEC address type
381 // for unspecified initiator and acceptor addresses.
382 // CHANNEL_BINDING_AF_NULL_ADDR value should be used for unspecified address
383 // in all other cases.
384 int initiatorAddressType = getAddrType(initiatorAddress,
385 (channelBinding instanceof TlsChannelBindingImpl)?
386 CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR);
387 int acceptorAddressType = getAddrType(acceptorAddress,
388 (channelBinding instanceof TlsChannelBindingImpl)?
389 CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR);
390
391 byte[] initiatorAddressBytes = null;
392 if (initiatorAddress != null) {
393 initiatorAddressBytes = getAddrBytes(initiatorAddress);
394 size += initiatorAddressBytes.length;
395 }
396
397 byte[] acceptorAddressBytes = null;
398 if (acceptorAddress != null) {
399 acceptorAddressBytes = getAddrBytes(acceptorAddress);
400 size += acceptorAddressBytes.length;
401 }
402
403 byte[] appDataBytes = channelBinding.getApplicationData();
404 if (appDataBytes != null) {
405 size += appDataBytes.length;
406 }
407
408 byte[] data = new byte[size];
409
|