19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.jgss.krb5; 27 28 import org.ietf.jgss.*; 29 import javax.security.auth.kerberos.DelegationPermission; 30 import java.io.IOException; 31 import java.net.InetAddress; 32 import java.net.Inet4Address; 33 import java.net.Inet6Address; 34 import java.security.MessageDigest; 35 import java.security.NoSuchAlgorithmException; 36 import java.util.Arrays; 37 import sun.security.krb5.*; 38 import sun.security.krb5.internal.Krb5; 39 40 abstract class InitialToken extends Krb5Token { 41 42 private static final int CHECKSUM_TYPE = 0x8003; 43 44 private static final int CHECKSUM_LENGTH_SIZE = 4; 45 private static final int CHECKSUM_BINDINGS_SIZE = 16; 46 private static final int CHECKSUM_FLAGS_SIZE = 4; 47 private static final int CHECKSUM_DELEG_OPT_SIZE = 2; 48 private static final int CHECKSUM_DELEG_LGTH_SIZE = 2; 49 50 private static final int CHECKSUM_DELEG_FLAG = 1; 51 private static final int CHECKSUM_MUTUAL_FLAG = 2; 52 private static final int CHECKSUM_REPLAY_FLAG = 4; 53 private static final int CHECKSUM_SEQUENCE_FLAG = 8; 54 private static final int CHECKSUM_CONF_FLAG = 16; 55 private static final int CHECKSUM_INTEG_FLAG = 32; 56 57 private final byte[] CHECKSUM_FIRST_BYTES = 58 {(byte)0x10, (byte)0x00, (byte)0x00, (byte)0x00}; 59 60 private static final int CHANNEL_BINDING_AF_INET = 2; 61 private static final int CHANNEL_BINDING_AF_INET6 = 24; 62 private static final int CHANNEL_BINDING_AF_NULL_ADDR = 255; 63 64 private static final int Inet4_ADDRSZ = 4; 65 private static final int Inet6_ADDRSZ = 16; 66 67 protected class OverloadedChecksum { 68 69 private byte[] checksumBytes = null; 70 private Credentials delegCreds = null; 71 private int flags = 0; 72 73 /** 74 * Called on the initiator side when 
creating the 75 * InitSecContextToken. 76 */ 77 public OverloadedChecksum(Krb5Context context, 78 Credentials tgt, 79 Credentials serviceTicket) 316 context.setCredDelegState(true); 317 // default for the following are true 318 if ((flags & CHECKSUM_MUTUAL_FLAG) == 0) { 319 context.setMutualAuthState(false); 320 } 321 if ((flags & CHECKSUM_REPLAY_FLAG) == 0) { 322 context.setReplayDetState(false); 323 } 324 if ((flags & CHECKSUM_SEQUENCE_FLAG) == 0) { 325 context.setSequenceDetState(false); 326 } 327 if ((flags & CHECKSUM_CONF_FLAG) == 0) { 328 context.setConfState(false); 329 } 330 if ((flags & CHECKSUM_INTEG_FLAG) == 0) { 331 context.setIntegState(false); 332 } 333 } 334 } 335 336 private int getAddrType(InetAddress addr) { 337 int addressType = CHANNEL_BINDING_AF_NULL_ADDR; 338 339 if (addr instanceof Inet4Address) 340 addressType = CHANNEL_BINDING_AF_INET; 341 else if (addr instanceof Inet6Address) 342 addressType = CHANNEL_BINDING_AF_INET6; 343 return (addressType); 344 } 345 346 private byte[] getAddrBytes(InetAddress addr) throws GSSException { 347 int addressType = getAddrType(addr); 348 byte[] addressBytes = addr.getAddress(); 349 if (addressBytes != null) { 350 switch (addressType) { 351 case CHANNEL_BINDING_AF_INET: 352 if (addressBytes.length != Inet4_ADDRSZ) { 353 throw new GSSException(GSSException.FAILURE, -1, 354 "Incorrect AF-INET address length in ChannelBinding."); 355 } 356 return (addressBytes); 357 case CHANNEL_BINDING_AF_INET6: 358 if (addressBytes.length != Inet6_ADDRSZ) { 359 throw new GSSException(GSSException.FAILURE, -1, 360 "Incorrect AF-INET6 address length in ChannelBinding."); 361 } 362 return (addressBytes); 363 default: 364 throw new GSSException(GSSException.FAILURE, -1, 365 "Cannot handle non AF-INET addresses in ChannelBinding."); 366 } 367 } 368 return null; 369 } 370 371 private byte[] computeChannelBinding(ChannelBinding channelBinding) 372 throws GSSException { 373 374 InetAddress initiatorAddress = 
channelBinding.getInitiatorAddress(); 375 InetAddress acceptorAddress = channelBinding.getAcceptorAddress(); 376 int size = 5*4; 377 378 int initiatorAddressType = getAddrType(initiatorAddress); 379 int acceptorAddressType = getAddrType(acceptorAddress); 380 381 byte[] initiatorAddressBytes = null; 382 if (initiatorAddress != null) { 383 initiatorAddressBytes = getAddrBytes(initiatorAddress); 384 size += initiatorAddressBytes.length; 385 } 386 387 byte[] acceptorAddressBytes = null; 388 if (acceptorAddress != null) { 389 acceptorAddressBytes = getAddrBytes(acceptorAddress); 390 size += acceptorAddressBytes.length; 391 } 392 393 byte[] appDataBytes = channelBinding.getApplicationData(); 394 if (appDataBytes != null) { 395 size += appDataBytes.length; 396 } 397 398 byte[] data = new byte[size]; 399 | 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 
24 */ 25 26 package sun.security.jgss.krb5; 27 28 import org.ietf.jgss.*; 29 import javax.security.auth.kerberos.DelegationPermission; 30 import java.io.IOException; 31 import java.net.InetAddress; 32 import java.net.Inet4Address; 33 import java.net.Inet6Address; 34 import java.security.MessageDigest; 35 import java.security.NoSuchAlgorithmException; 36 import java.util.Arrays; 37 import sun.security.krb5.*; 38 import sun.security.krb5.internal.Krb5; 39 import sun.security.jgss.krb5.internal.TlsChannelBindingImpl; 40 41 abstract class InitialToken extends Krb5Token { 42 43 private static final int CHECKSUM_TYPE = 0x8003; 44 45 private static final int CHECKSUM_LENGTH_SIZE = 4; 46 private static final int CHECKSUM_BINDINGS_SIZE = 16; 47 private static final int CHECKSUM_FLAGS_SIZE = 4; 48 private static final int CHECKSUM_DELEG_OPT_SIZE = 2; 49 private static final int CHECKSUM_DELEG_LGTH_SIZE = 2; 50 51 private static final int CHECKSUM_DELEG_FLAG = 1; 52 private static final int CHECKSUM_MUTUAL_FLAG = 2; 53 private static final int CHECKSUM_REPLAY_FLAG = 4; 54 private static final int CHECKSUM_SEQUENCE_FLAG = 8; 55 private static final int CHECKSUM_CONF_FLAG = 16; 56 private static final int CHECKSUM_INTEG_FLAG = 32; 57 58 private final byte[] CHECKSUM_FIRST_BYTES = 59 {(byte)0x10, (byte)0x00, (byte)0x00, (byte)0x00}; 60 61 private static final int CHANNEL_BINDING_AF_UNSPEC = 0; 62 private static final int CHANNEL_BINDING_AF_INET = 2; 63 private static final int CHANNEL_BINDING_AF_INET6 = 24; 64 private static final int CHANNEL_BINDING_AF_NULL_ADDR = 255; 65 66 private static final int Inet4_ADDRSZ = 4; 67 private static final int Inet6_ADDRSZ = 16; 68 69 protected class OverloadedChecksum { 70 71 private byte[] checksumBytes = null; 72 private Credentials delegCreds = null; 73 private int flags = 0; 74 75 /** 76 * Called on the initiator side when creating the 77 * InitSecContextToken. 
78 */ 79 public OverloadedChecksum(Krb5Context context, 80 Credentials tgt, 81 Credentials serviceTicket) 318 context.setCredDelegState(true); 319 // default for the following are true 320 if ((flags & CHECKSUM_MUTUAL_FLAG) == 0) { 321 context.setMutualAuthState(false); 322 } 323 if ((flags & CHECKSUM_REPLAY_FLAG) == 0) { 324 context.setReplayDetState(false); 325 } 326 if ((flags & CHECKSUM_SEQUENCE_FLAG) == 0) { 327 context.setSequenceDetState(false); 328 } 329 if ((flags & CHECKSUM_CONF_FLAG) == 0) { 330 context.setConfState(false); 331 } 332 if ((flags & CHECKSUM_INTEG_FLAG) == 0) { 333 context.setIntegState(false); 334 } 335 } 336 } 337 338 private int getAddrType(InetAddress addr, int defValue) { 339 int addressType = defValue; 340 341 if (addr instanceof Inet4Address) 342 addressType = CHANNEL_BINDING_AF_INET; 343 else if (addr instanceof Inet6Address) 344 addressType = CHANNEL_BINDING_AF_INET6; 345 return (addressType); 346 } 347 348 private byte[] getAddrBytes(InetAddress addr) throws GSSException { 349 int addressType = getAddrType(addr, CHANNEL_BINDING_AF_NULL_ADDR); 350 byte[] addressBytes = addr.getAddress(); 351 if (addressBytes != null) { 352 switch (addressType) { 353 case CHANNEL_BINDING_AF_INET: 354 if (addressBytes.length != Inet4_ADDRSZ) { 355 throw new GSSException(GSSException.FAILURE, -1, 356 "Incorrect AF-INET address length in ChannelBinding."); 357 } 358 return (addressBytes); 359 case CHANNEL_BINDING_AF_INET6: 360 if (addressBytes.length != Inet6_ADDRSZ) { 361 throw new GSSException(GSSException.FAILURE, -1, 362 "Incorrect AF-INET6 address length in ChannelBinding."); 363 } 364 return (addressBytes); 365 default: 366 throw new GSSException(GSSException.FAILURE, -1, 367 "Cannot handle non AF-INET addresses in ChannelBinding."); 368 } 369 } 370 return null; 371 } 372 373 private byte[] computeChannelBinding(ChannelBinding channelBinding) 374 throws GSSException { 375 376 InetAddress initiatorAddress = channelBinding.getInitiatorAddress(); 
377 InetAddress acceptorAddress = channelBinding.getAcceptorAddress(); 378 int size = 5*4; 379 380 // LDAP TLS Channel Binding requires CHANNEL_BINDING_AF_UNSPEC address type 381 // for unspecified initiator and acceptor addresses. 382 // CHANNEL_BINDING_AF_NULL_ADDR value should be used for unspecified address 383 // in all other cases. 384 int initiatorAddressType = getAddrType(initiatorAddress, 385 (channelBinding instanceof TlsChannelBindingImpl)? 386 CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR); 387 int acceptorAddressType = getAddrType(acceptorAddress, 388 (channelBinding instanceof TlsChannelBindingImpl)? 389 CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR); 390 391 byte[] initiatorAddressBytes = null; 392 if (initiatorAddress != null) { 393 initiatorAddressBytes = getAddrBytes(initiatorAddress); 394 size += initiatorAddressBytes.length; 395 } 396 397 byte[] acceptorAddressBytes = null; 398 if (acceptorAddress != null) { 399 acceptorAddressBytes = getAddrBytes(acceptorAddress); 400 size += acceptorAddressBytes.length; 401 } 402 403 byte[] appDataBytes = channelBinding.getApplicationData(); 404 if (appDataBytes != null) { 405 size += appDataBytes.length; 406 } 407 408 byte[] data = new byte[size]; 409 |
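Review bot: The `channelBinding instanceof TlsChannelBindingImpl` decision at new lines 384-389 is evaluated twice and the new `defValue` parameter of `getAddrType` (line 338) has no documentation, although its value ends up in the channel-binding bytes this method emits. I would compute it once, `int unspecAddrType = (channelBinding instanceof TlsChannelBindingImpl) ? CHANNEL_BINDING_AF_UNSPEC : CHANNEL_BINDING_AF_NULL_ADDR;` followed by `int initiatorAddressType = getAddrType(initiatorAddress, unspecAddrType);` and `int acceptorAddressType = getAddrType(acceptorAddress, unspecAddrType);`, and give `getAddrType` a Javadoc such as `/** Returns the GSS-API address-family code for {@code addr}, or {@code defValue} when addr is null or neither IPv4 nor IPv6. */`. Since this value presumably feeds the 16-byte bindings field of the 0x8003 checksum (MessageDigest is imported and CHECKSUM_BINDINGS_SIZE is 16, but the hashing is outside the hunk), the comment at lines 380-383 should also state the consequence: an initiator that encodes 0 against an acceptor expecting 255, or vice versa, fails channel-binding verification outright rather than degrading, so the TlsChannelBindingImpl-only scoping is what keeps existing non-TLS callers on the old encoding. The body of computeChannelBinding continues past the end of the hunk.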