| /* |
| * Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. Oracle designates this |
| * particular file as subject to the "Classpath" exception as provided |
| * by Oracle in the LICENSE file that accompanied this code. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| package sun.security.jgss.krb5; |
| |
| import org.ietf.jgss.*; |
| import java.io.InputStream; |
| import java.io.OutputStream; |
| import java.io.IOException; |
| import java.io.ByteArrayInputStream; |
| import java.io.ByteArrayOutputStream; |
| import java.security.MessageDigest; |
| import java.util.Arrays; |
| |
| /** |
| * This class is a base class for new GSS token definitions, as defined |
| * in RFC 4121, that pertain to per-message GSS-API calls. Conceptually |
| * GSS-API has two types of per-message tokens: WrapToken and MicToken. |
| * They differ in the respect that a WrapToken carries additional plaintext |
| * or ciphertext application data besides just the sequence number and |
| * checksum. This class encapsulates the commonality in the structure of |
| * the WrapToken and the MicToken. This structure can be represented as: |
| * <p> |
| * <pre> |
| * Wrap Tokens |
| * |
| * Octet no Name Description |
| * --------------------------------------------------------------- |
| * 0..1 TOK_ID Identification field. Tokens emitted by |
| * GSS_Wrap() contain the hex value 05 04 |
| * expressed in big-endian order in this field. |
| * 2 Flags Attributes field, as described in section |
| * 4.2.2. |
| * 3 Filler Contains the hex value FF. |
| * 4..5 EC Contains the "extra count" field, in big- |
| * endian order as described in section 4.2.3. |
| * 6..7 RRC Contains the "right rotation count" in big |
| * endian order, as described in section 4.2.5. |
| * 8..15 SND_SEQ Sequence number field in clear text, |
| * expressed in big-endian order. |
| * 16..last Data Encrypted data for Wrap tokens with |
| * confidentiality, or plaintext data followed |
| * by the checksum for Wrap tokens without |
| * confidentiality, as described in section |
| * 4.2.4. |
| * MIC Tokens |
| * |
| * Octet no Name Description |
| * ----------------------------------------------------------------- |
| * 0..1 TOK_ID Identification field. Tokens emitted by |
| * GSS_GetMIC() contain the hex value 04 04 |
| * expressed in big-endian order in this field. |
| * 2 Flags Attributes field, as described in section |
| * 4.2.2. |
| * 3..7 Filler Contains five octets of hex value FF. |
| * 8..15 SND_SEQ Sequence number field in clear text, |
| * expressed in big-endian order. |
| * 16..last SGN_CKSUM Checksum of the "to-be-signed" data and |
| * octet 0..15, as described in section 4.2.4. |
| * |
| * </pre> |
| * <p> |
| * This class is the super class of WrapToken_v2 and MicToken_v2. The token's |
| * header (bytes[0..15]) and data (byte[16..]) are saved in tokenHeader and |
| * tokenData fields. Since there is no easy way to find out the exact length |
| * of a WrapToken_v2 token from any header info, in the case of reading from |
| * stream, we read all available() bytes into the token. |
| * <p> |
| * All read actions are performed in this super class. On the write part, the |
| * super class only write the tokenHeader, and the content writing is inside |
| * child classes. |
| * |
| * @author Seema Malkani |
| */ |
| |
| abstract class MessageToken_v2 extends Krb5Token { |
| |
| protected static final int TOKEN_HEADER_SIZE = 16; |
| private static final int TOKEN_ID_POS = 0; |
| private static final int TOKEN_FLAG_POS = 2; |
| private static final int TOKEN_EC_POS = 4; |
| private static final int TOKEN_RRC_POS = 6; |
| |
| /** |
| * The size of the random confounder used in a WrapToken. |
| */ |
| protected static final int CONFOUNDER_SIZE = 16; |
| |
| // RFC 4121, key usage values |
| static final int KG_USAGE_ACCEPTOR_SEAL = 22; |
| static final int KG_USAGE_ACCEPTOR_SIGN = 23; |
| static final int KG_USAGE_INITIATOR_SEAL = 24; |
| static final int KG_USAGE_INITIATOR_SIGN = 25; |
| |
| // RFC 4121, Flags Field |
| private static final int FLAG_SENDER_IS_ACCEPTOR = 1; |
| private static final int FLAG_WRAP_CONFIDENTIAL = 2; |
| private static final int FLAG_ACCEPTOR_SUBKEY = 4; |
| private static final int FILLER = 0xff; |
| |
| private MessageTokenHeader tokenHeader = null; |
| |
| // Common field |
| private int tokenId = 0; |
| private int seqNumber; |
| protected byte[] tokenData; // content of token, without the header |
| protected int tokenDataLen; |
| |
| // Key usage number for crypto action |
| private int key_usage = 0; |
| |
| // EC and RRC fields, WrapToken only |
| private int ec = 0; |
| private int rrc = 0; |
| |
| // Checksum. Always in MicToken, might be in WrapToken |
| byte[] checksum = null; |
| |
| // Context properties |
| private boolean confState = true; |
| private boolean initiator = true; |
| private boolean have_acceptor_subkey = false; |
| |
| /* cipher instance used by the corresponding GSSContext */ |
| CipherHelper cipherHelper = null; |
| |
| /** |
| * Constructs a MessageToken from a byte array. |
| * |
| * @param tokenId the token id that should be contained in this token as |
| * it is read. |
| * @param context the Kerberos context associated with this token |
| * @param tokenBytes the byte array containing the token |
| * @param tokenOffset the offset where the token begins |
| * @param tokenLen the length of the token |
| * @param prop the MessageProp structure in which the properties of the |
| * token should be stored. |
| * @throws GSSException if there is a problem parsing the token |
| */ |
| MessageToken_v2(int tokenId, Krb5Context context, |
| byte[] tokenBytes, int tokenOffset, int tokenLen, |
| MessageProp prop) throws GSSException { |
| this(tokenId, context, |
| new ByteArrayInputStream(tokenBytes, tokenOffset, tokenLen), |
| prop); |
| } |
| |
| /** |
| * Constructs a MessageToken from an InputStream. Bytes will be read on |
| * demand and the thread might block if there are not enough bytes to |
| * complete the token. Please note there is no accurate way to find out |
| * the size of a token, but we try our best to make sure there is |
| * enough bytes to construct one. |
| * |
| * @param tokenId the token id that should be contained in this token as |
| * it is read. |
| * @param context the Kerberos context associated with this token |
| * @param is the InputStream from which to read |
| * @param prop the MessageProp structure in which the properties of the |
| * token should be stored. |
| * @throws GSSException if there is a problem reading from the |
| * InputStream or parsing the token |
| */ |
| MessageToken_v2(int tokenId, Krb5Context context, InputStream is, |
| MessageProp prop) throws GSSException { |
| init(tokenId, context); |
| |
| try { |
| if (!confState) { |
| prop.setPrivacy(false); |
| } |
| tokenHeader = new MessageTokenHeader(is, prop, tokenId); |
| |
| // set key_usage |
| if (tokenId == Krb5Token.WRAP_ID_v2) { |
| key_usage = (!initiator ? KG_USAGE_INITIATOR_SEAL |
| : KG_USAGE_ACCEPTOR_SEAL); |
| } else if (tokenId == Krb5Token.MIC_ID_v2) { |
| key_usage = (!initiator ? KG_USAGE_INITIATOR_SIGN |
| : KG_USAGE_ACCEPTOR_SIGN); |
| } |
| |
| int minSize = 0; // minimal size for token data |
| if (tokenId == Krb5Token.WRAP_ID_v2 && prop.getPrivacy()) { |
| minSize = CONFOUNDER_SIZE + |
| TOKEN_HEADER_SIZE + cipherHelper.getChecksumLength(); |
| } else { |
| minSize = cipherHelper.getChecksumLength(); |
| } |
| |
| // Read token data |
| if (tokenId == Krb5Token.MIC_ID_v2) { |
| // The only case we can precisely predict the token data length |
| tokenDataLen = minSize; |
| tokenData = new byte[minSize]; |
| readFully(is, tokenData); |
| } else { |
| tokenDataLen = is.available(); |
| if (tokenDataLen >= minSize) { // read in one shot |
| tokenData = new byte[tokenDataLen]; |
| readFully(is, tokenData); |
| } else { |
| byte[] tmp = new byte[minSize]; |
| readFully(is, tmp); |
| // Hope while blocked in the read above, more data would |
| // come and is.available() below contains the whole token. |
| int more = is.available(); |
| tokenDataLen = minSize + more; |
| tokenData = Arrays.copyOf(tmp, tokenDataLen); |
| readFully(is, tokenData, minSize, more); |
| } |
| } |
| |
| if (tokenId == Krb5Token.WRAP_ID_v2) { |
| rotate(); |
| } |
| |
| if (tokenId == Krb5Token.MIC_ID_v2 || |
| (tokenId == Krb5Token.WRAP_ID_v2 && !prop.getPrivacy())) { |
| // Read checksum |
| int chkLen = cipherHelper.getChecksumLength(); |
| checksum = new byte[chkLen]; |
| System.arraycopy(tokenData, tokenDataLen-chkLen, |
| checksum, 0, chkLen); |
| |
| // validate EC for Wrap tokens without confidentiality |
| if (tokenId == Krb5Token.WRAP_ID_v2 && !prop.getPrivacy()) { |
| if (chkLen != ec) { |
| throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
| getTokenName(tokenId) + ":" + "EC incorrect!"); |
| } |
| } |
| } |
| } catch (IOException e) { |
| throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
| getTokenName(tokenId) + ":" + e.getMessage()); |
| } |
| } |
| |
| /** |
| * Used to obtain the token id that was contained in this token. |
| * @return the token id in the token |
| */ |
| public final int getTokenId() { |
| return tokenId; |
| } |
| |
| /** |
| * Used to obtain the key_usage type for this token. |
| * @return the key_usage for the token |
| */ |
| public final int getKeyUsage() { |
| return key_usage; |
| } |
| |
| /** |
| * Used to determine if this token contains any encrypted data. |
| * @return true if it contains any encrypted data, false if there is only |
| * plaintext data or if there is no data. |
| */ |
| public final boolean getConfState() { |
| return confState; |
| } |
| |
| /** |
| * Generates the checksum field and the sequence number field. |
| * |
| * @param prop the MessageProp structure |
| * @param data the application data to checksum |
| * @param offset the offset where the data starts |
| * @param len the length of the data |
| * |
| * @throws GSSException if an error occurs in the checksum calculation or |
| * sequence number calculation. |
| */ |
| public void genSignAndSeqNumber(MessageProp prop, |
| byte[] data, int offset, int len) |
| throws GSSException { |
| |
| // debug("Inside MessageToken.genSignAndSeqNumber:\n"); |
| |
| int qop = prop.getQOP(); |
| if (qop != 0) { |
| qop = 0; |
| prop.setQOP(qop); |
| } |
| |
| if (!confState) { |
| prop.setPrivacy(false); |
| } |
| |
| // Create a new gss token header as defined in RFC 4121 |
| tokenHeader = new MessageTokenHeader(tokenId, prop.getPrivacy()); |
| // debug("\n\t Message Header = " + |
| // getHexBytes(tokenHeader.getBytes(), tokenHeader.getBytes().length)); |
| |
| // set key_usage |
| if (tokenId == Krb5Token.WRAP_ID_v2) { |
| key_usage = (initiator ? KG_USAGE_INITIATOR_SEAL |
| : KG_USAGE_ACCEPTOR_SEAL); |
| } else if (tokenId == Krb5Token.MIC_ID_v2) { |
| key_usage = (initiator ? KG_USAGE_INITIATOR_SIGN |
| : KG_USAGE_ACCEPTOR_SIGN); |
| } |
| |
| // Calculate SGN_CKSUM |
| if ((tokenId == MIC_ID_v2) || |
| (!prop.getPrivacy() && (tokenId == WRAP_ID_v2))) { |
| checksum = getChecksum(data, offset, len); |
| // debug("\n\tCalc checksum=" + |
| // getHexBytes(checksum, checksum.length)); |
| } |
| |
| // In Wrap tokens without confidentiality, the EC field SHALL be used |
| // to encode the number of octets in the trailing checksum |
| if (!prop.getPrivacy() && (tokenId == WRAP_ID_v2)) { |
| byte[] tok_header = tokenHeader.getBytes(); |
| tok_header[4] = (byte) (checksum.length >>> 8); |
| tok_header[5] = (byte) (checksum.length); |
| } |
| } |
| |
| /** |
| * Verifies the validity of checksum field |
| * |
| * @param data the application data |
| * @param offset the offset where the data begins |
| * @param len the length of the application data |
| * |
| * @throws GSSException if an error occurs in the checksum calculation |
| */ |
| public final boolean verifySign(byte[] data, int offset, int len) |
| throws GSSException { |
| |
| // debug("\t====In verifySign:====\n"); |
| // debug("\t\t checksum: [" + getHexBytes(checksum) + "]\n"); |
| // debug("\t\t data = [" + getHexBytes(data) + "]\n"); |
| |
| byte[] myChecksum = getChecksum(data, offset, len); |
| // debug("\t\t mychecksum: [" + getHexBytes(myChecksum) +"]\n"); |
| |
| if (MessageDigest.isEqual(checksum, myChecksum)) { |
| // debug("\t\t====Checksum PASS:====\n"); |
| return true; |
| } |
| return false; |
| } |
| |
| /** |
| * Rotate bytes as per the "RRC" (Right Rotation Count) received. |
| * Our implementation does not do any rotates when sending, only |
| * when receiving, we rotate left as per the RRC count, to revert it. |
| */ |
| private void rotate() { |
| if (rrc % tokenDataLen != 0) { |
| rrc = rrc % tokenDataLen; |
| byte[] newBytes = new byte[tokenDataLen]; |
| |
| System.arraycopy(tokenData, rrc, newBytes, 0, tokenDataLen-rrc); |
| System.arraycopy(tokenData, 0, newBytes, tokenDataLen-rrc, rrc); |
| |
| tokenData = newBytes; |
| } |
| } |
| |
| public final int getSequenceNumber() { |
| return seqNumber; |
| } |
| |
| /** |
| * Computes the checksum based on the algorithm stored in the |
| * tokenHeader. |
| * |
| * @param data the application data |
| * @param offset the offset where the data begins |
| * @param len the length of the application data |
| * |
| * @throws GSSException if an error occurs in the checksum calculation. |
| */ |
| byte[] getChecksum(byte[] data, int offset, int len) |
| throws GSSException { |
| |
| // debug("Will do getChecksum:\n"); |
| |
| /* |
| * For checksum calculation the token header bytes i.e., the first 16 |
| * bytes following the GSSHeader, are logically prepended to the |
| * application data to bind the data to this particular token. |
| * |
| * Note: There is no such requirement wrt adding padding to the |
| * application data for checksumming, although the cryptographic |
| * algorithm used might itself apply some padding. |
| */ |
| |
| byte[] tokenHeaderBytes = tokenHeader.getBytes(); |
| |
| // check confidentiality |
| int conf_flag = tokenHeaderBytes[TOKEN_FLAG_POS] & |
| FLAG_WRAP_CONFIDENTIAL; |
| |
| // clear EC and RRC in token header for checksum calculation |
| if ((conf_flag == 0) && (tokenId == WRAP_ID_v2)) { |
| tokenHeaderBytes[4] = 0; |
| tokenHeaderBytes[5] = 0; |
| tokenHeaderBytes[6] = 0; |
| tokenHeaderBytes[7] = 0; |
| } |
| return cipherHelper.calculateChecksum(tokenHeaderBytes, data, |
| offset, len, key_usage); |
| } |
| |
| |
| /** |
| * Constructs an empty MessageToken for the local context to send to |
| * the peer. It also increments the local sequence number in the |
| * Krb5Context instance it uses after obtaining the object lock for |
| * it. |
| * |
| * @param tokenId the token id that should be contained in this token |
| * @param context the Kerberos context associated with this token |
| */ |
| MessageToken_v2(int tokenId, Krb5Context context) throws GSSException { |
| /* |
| debug("\n============================"); |
| debug("\nMySessionKey=" + |
| getHexBytes(context.getMySessionKey().getBytes())); |
| debug("\nPeerSessionKey=" + |
| getHexBytes(context.getPeerSessionKey().getBytes())); |
| debug("\n============================\n"); |
| */ |
| init(tokenId, context); |
| this.seqNumber = context.incrementMySequenceNumber(); |
| } |
| |
| private void init(int tokenId, Krb5Context context) throws GSSException { |
| this.tokenId = tokenId; |
| // Just for consistency check in Wrap |
| this.confState = context.getConfState(); |
| |
| this.initiator = context.isInitiator(); |
| |
| this.have_acceptor_subkey = context.getKeySrc() == Krb5Context.ACCEPTOR_SUBKEY; |
| |
| this.cipherHelper = context.getCipherHelper(null); |
| // debug("In MessageToken.Cons"); |
| } |
| |
| /** |
| * Encodes a MessageTokenHeader onto an OutputStream. |
| * |
| * @param os the OutputStream to which this should be written |
| * @throws IOException is an error occurs while writing to the OutputStream |
| */ |
| protected void encodeHeader(OutputStream os) throws IOException { |
| tokenHeader.encode(os); |
| } |
| |
| /** |
| * Encodes a MessageToken_v2 onto an OutputStream. |
| * |
| * @param os the OutputStream to which this should be written |
| * @throws IOException is an error occurs while encoding the token |
| */ |
| public abstract void encode(OutputStream os) throws IOException; |
| |
| protected final byte[] getTokenHeader() { |
| return (tokenHeader.getBytes()); |
| } |
| |
| // ******************************************* // |
| // I N N E R C L A S S E S F O L L O W |
| // ******************************************* // |
| |
| /** |
| * This inner class represents the initial portion of the message token. |
| * It constitutes the first 16 bytes of the message token. |
| */ |
| class MessageTokenHeader { |
| |
| private int tokenId; |
| private byte[] bytes = new byte[TOKEN_HEADER_SIZE]; |
| |
| // Writes a new token header |
| public MessageTokenHeader(int tokenId, boolean conf) throws GSSException { |
| |
| this.tokenId = tokenId; |
| |
| bytes[0] = (byte) (tokenId >>> 8); |
| bytes[1] = (byte) (tokenId); |
| |
| // Flags (Note: MIT impl requires subkey) |
| int flags = 0; |
| flags = (initiator ? 0 : FLAG_SENDER_IS_ACCEPTOR) | |
| ((conf && tokenId != MIC_ID_v2) ? |
| FLAG_WRAP_CONFIDENTIAL : 0) | |
| (have_acceptor_subkey ? FLAG_ACCEPTOR_SUBKEY : 0); |
| bytes[2] = (byte) flags; |
| |
| // filler |
| bytes[3] = (byte) FILLER; |
| |
| if (tokenId == WRAP_ID_v2) { |
| // EC field |
| bytes[4] = (byte) 0; |
| bytes[5] = (byte) 0; |
| // RRC field |
| bytes[6] = (byte) 0; |
| bytes[7] = (byte) 0; |
| } else if (tokenId == MIC_ID_v2) { |
| // more filler for MicToken |
| for (int i = 4; i < 8; i++) { |
| bytes[i] = (byte) FILLER; |
| } |
| } |
| |
| // Calculate SND_SEQ, only write 4 bytes from the 12th position |
| writeBigEndian(seqNumber, bytes, 12); |
| } |
| |
| /** |
| * Reads a MessageTokenHeader from an InputStream and sets the |
| * appropriate confidentiality and quality of protection |
| * values in a MessageProp structure. |
| * |
| * @param is the InputStream to read from |
| * @param prop the MessageProp to populate |
| * @throws IOException is an error occurs while reading from the |
| * InputStream |
| */ |
| public MessageTokenHeader(InputStream is, MessageProp prop, int tokId) |
| throws IOException, GSSException { |
| |
| readFully(is, bytes, 0, TOKEN_HEADER_SIZE); |
| tokenId = readInt(bytes, TOKEN_ID_POS); |
| |
| // validate Token ID |
| if (tokenId != tokId) { |
| throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
| getTokenName(tokenId) + ":" + "Defective Token ID!"); |
| } |
| |
| /* |
| * Validate new GSS TokenHeader |
| */ |
| |
| // valid acceptor_flag |
| // If I am initiator, the received token should have ACCEPTOR on |
| int acceptor_flag = (initiator ? FLAG_SENDER_IS_ACCEPTOR : 0); |
| int flag = bytes[TOKEN_FLAG_POS] & FLAG_SENDER_IS_ACCEPTOR; |
| if (flag != acceptor_flag) { |
| throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
| getTokenName(tokenId) + ":" + "Acceptor Flag Error!"); |
| } |
| |
| // check for confidentiality |
| int conf_flag = bytes[TOKEN_FLAG_POS] & FLAG_WRAP_CONFIDENTIAL; |
| if ((conf_flag == FLAG_WRAP_CONFIDENTIAL) && |
| (tokenId == WRAP_ID_v2)) { |
| prop.setPrivacy(true); |
| } else { |
| prop.setPrivacy(false); |
| } |
| |
| if (tokenId == WRAP_ID_v2) { |
| // validate filler |
| if ((bytes[3] & 0xff) != FILLER) { |
| throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1, |
| getTokenName(tokenId) + ":" + "Defective Token Filler!"); |
| } |
| |
| // read EC field |
| ec = readBigEndian(bytes, TOKEN_EC_POS, 2); |
| |
| // read RRC field |
| rrc = readBigEndian(bytes, TOKEN_RRC_POS, 2); |
| } else if (tokenId == MIC_ID_v2) { |
| for (int i = 3; i < 8; i++) { |
| if ((bytes[i] & 0xff) != FILLER) { |
| throw new GSSException(GSSException.DEFECTIVE_TOKEN, |
| -1, getTokenName(tokenId) + ":" + |
| "Defective Token Filler!"); |
| } |
| } |
| } |
| |
| // set default QOP |
| prop.setQOP(0); |
| |
| // sequence number |
| seqNumber = readBigEndian(bytes, 12, 4); |
| } |
| |
| /** |
| * Encodes this MessageTokenHeader onto an OutputStream |
| * @param os the OutputStream to write to |
| * @throws IOException is an error occurs while writing |
| */ |
| public final void encode(OutputStream os) throws IOException { |
| os.write(bytes); |
| } |
| |
| |
| /** |
| * Returns the token id for the message token. |
| * @return the token id |
| * @see sun.security.jgss.krb5.Krb5Token#MIC_ID_v2 |
| * @see sun.security.jgss.krb5.Krb5Token#WRAP_ID_v2 |
| */ |
| public final int getTokenId() { |
| return tokenId; |
| } |
| |
| /** |
| * Returns the bytes of this header. |
| * @return 8 bytes that form this header |
| */ |
| public final byte[] getBytes() { |
| return bytes; |
| } |
| } // end of class MessageTokenHeader |
| } |
