| /* |
| * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| /* |
| * @test |
| * @bug 7152176 |
| * @summary More krb5 tests |
| * @library ../../../../java/security/testlibrary/ |
| * @compile -XDignore.symbol.file ReplayCacheTestProc.java |
| * @run main/othervm/timeout=100 ReplayCacheTestProc |
| */ |
| |
| import java.io.*; |
| import java.nio.BufferUnderflowException; |
| import java.nio.channels.SeekableByteChannel; |
| import java.nio.file.Files; |
| import java.nio.file.Paths; |
| import java.nio.file.StandardCopyOption; |
| import java.nio.file.StandardOpenOption; |
| import java.security.MessageDigest; |
| import java.util.*; |
| import sun.security.jgss.GSSUtil; |
| import sun.security.krb5.internal.APReq; |
| import sun.security.krb5.internal.rcache.AuthTime; |
| |
| // This test runs multiple acceptor Procs to mimin AP-REQ replays. |
| public class ReplayCacheTestProc { |
| |
| private static Proc[] ps; |
| private static Proc pc; |
| private static List<Req> reqs = new ArrayList<>(); |
| private static String HOST = "localhost"; |
| |
| // Where should the rcache be saved. It seems KRB5RCACHEDIR is not |
| // recognized on Solaris. Maybe version too low? I see 1.6. |
| private static String cwd = |
| System.getProperty("os.name").startsWith("SunOS") ? |
| "/var/krb5/rcache/" : |
| System.getProperty("user.dir"); |
| |
| |
| private static int uid; |
| |
| public static void main0(String[] args) throws Exception { |
| System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF); |
| if (args.length == 0) { // The controller |
| int ns = 5; // number of servers |
| int nu = 5; // number of users |
| int nx = 50; // number of experiments |
| int np = 5; // number of peers (services) |
| int mode = 0; // native(1), random(0), java(-1) |
| boolean random = true; // random experiments choreograph |
| |
| // Do not test interop with native GSS on some platforms |
| String os = System.getProperty("os.name", "???"); |
| if (!os.startsWith("SunOS") && !os.startsWith("Linux")) { |
| mode = -1; |
| } |
| |
| try { |
| Class<?> clazz = Class.forName( |
| "com.sun.security.auth.module.UnixSystem"); |
| uid = (int)(long)(Long) |
| clazz.getMethod("getUid").invoke(clazz.newInstance()); |
| } catch (Exception e) { |
| uid = -1; |
| } |
| |
| KDC kdc = KDC.create(OneKDC.REALM, HOST, 0, true); |
| for (int i=0; i<nu; i++) { |
| kdc.addPrincipal(user(i), OneKDC.PASS); |
| } |
| kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); |
| for (int i=0; i<np; i++) { |
| kdc.addPrincipalRandKey(peer(i)); |
| } |
| |
| kdc.writeKtab(OneKDC.KTAB); |
| KDC.saveConfig(OneKDC.KRB5_CONF, kdc); |
| |
| if (mode != -1) { |
| // A special native server to check basic sanity |
| if (ns(-1).waitFor() != 0) { |
| Proc.d("Native mode sanity check failed, revert to java"); |
| mode = -1; |
| } |
| } |
| |
| pc = Proc.create("ReplayCacheTestProc").debug("C") |
| .args("client") |
| .start(); |
| ps = new Proc[ns]; |
| Ex[] result = new Ex[nx]; |
| |
| if (!random) { |
| // 2 experiments, 2 server, 1 peer, 1 user |
| nx = 2; ns = 2; np = 1; nu = 1; |
| |
| // Creates reqs from user# to peer# |
| req(0, 0); |
| |
| // Creates server# |
| ps[0] = ns(0); |
| ps[1] = js(1); |
| |
| // Runs ex# using req# to server# with expected result |
| result[0] = round(0, 0, 0, true); |
| result[1] = round(1, 0, 1, false); |
| } else { |
| Random r = new Random(); |
| for (int i=0; i<ns; i++) { |
| boolean useNative = (mode == 1) ? true |
| : (mode == -1 ? false : r.nextBoolean()); |
| ps[i] = useNative?ns(i):js(i); |
| } |
| for (int i=0; i<nx; i++) { |
| result[i] = new Ex(); |
| int old; // which req to send |
| boolean expected; |
| if (reqs.isEmpty() || r.nextBoolean()) { |
| Proc.d("Console get new AP-REQ"); |
| old = req(r.nextInt(nu), r.nextInt(np)); |
| expected = true; |
| } else { |
| Proc.d("Console resue old"); |
| old = r.nextInt(reqs.size()); |
| expected = false; |
| } |
| int s = r.nextInt(ns); |
| Proc.d("Console send to " + s); |
| result[i] = round(i, old, s, expected); |
| Proc.d("Console sees " + result[i].actual); |
| } |
| } |
| |
| pc.println("END"); |
| for (int i=0; i<ns; i++) { |
| ps[i].println("END"); |
| } |
| System.out.println("Result\n======"); |
| boolean finalOut = true; |
| for (int i=0; i<nx; i++) { |
| boolean out = result[i].expected==result[i].actual; |
| finalOut &= out; |
| System.out.printf("%3d: %s (%2d): u%d h%d %s %s %s %2d\n", |
| i, |
| result[i].expected?"----":" ", |
| result[i].old, |
| result[i].user, result[i].peer, result[i].server, |
| result[i].actual?"Good":"Bad ", |
| out?" ":"xxx", |
| result[i].csize); |
| } |
| if (!finalOut) throw new Exception(); |
| } else if (args[0].equals("N-1")) { |
| // Native mode sanity check |
| Proc.d("Detect start"); |
| Context s = Context.fromUserKtab("*", OneKDC.KTAB, true); |
| s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); |
| } else if (args[0].equals("client")) { |
| while (true) { |
| String title = Proc.textIn(); |
| Proc.d("Client see " + title); |
| if (title.equals("END")) break; |
| String[] cas = title.split(" "); |
| Context c = Context.fromUserPass(cas[0], OneKDC.PASS, false); |
| c.startAsClient(cas[1], GSSUtil.GSS_KRB5_MECH_OID); |
| c.x().requestCredDeleg(true); |
| byte[] token = c.take(new byte[0]); |
| Proc.d("Client AP-REQ generated"); |
| Proc.binOut(token); |
| } |
| } else { |
| Proc.d("Server start"); |
| Context s = Context.fromUserKtab("*", OneKDC.KTAB, true); |
| Proc.d("Server login"); |
| while (true) { |
| String title = Proc.textIn(); |
| Proc.d("Server " + args[0] + " sees " + title); |
| if (title.equals("END")) break; |
| s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); |
| byte[] token = Proc.binIn(); |
| try { |
| s.take(token); |
| Proc.textOut("true"); |
| Proc.d(args[0] + " Good"); |
| } catch (Exception e) { |
| Proc.textOut("false"); |
| Proc.d(args[0] + " Bad"); |
| } |
| } |
| } |
| } |
| |
| public static void main(String[] args) throws Exception { |
| try { |
| main0(args); |
| } catch (Exception e) { |
| Proc.d(e); |
| throw e; |
| } |
| } |
| |
| // returns the user name |
| private static String user(int p) { |
| return "USER" + p; |
| } |
| // returns the peer name |
| private static String peer(int p) { |
| return "host" + p + "/" + HOST; |
| } |
| // returns the dfl name for a host |
| private static String dfl(int p) { |
| return cwd + "host" + p + (uid == -1 ? "" : ("_"+uid)); |
| } |
| // generates an ap-req and save into reqs, returns the index |
| private static int req(int user, int peer) throws Exception { |
| pc.println(user(user) + " " + peer(peer)); |
| Req req = new Req(user, peer, pc.readData()); |
| reqs.add(req); |
| return reqs.size() - 1; |
| } |
| // carries out a round of experiment |
| // i: ex#, old: which req, server: which server, expected: result? |
| private static Ex round(int i, int old, int server, boolean expected) |
| throws Exception { |
| ps[server].println("TEST"); |
| ps[server].println(reqs.get(old).msg); |
| String reply = ps[server].readData(); |
| Ex result = new Ex(); |
| result.i = i; |
| result.expected = expected; |
| result.server = ps[server].debug(); |
| result.actual = Boolean.valueOf(reply); |
| result.user = reqs.get(old).user; |
| result.peer = reqs.get(old).peer; |
| result.old = old; |
| result.csize = csize(result.peer); |
| result.hash = hash(reqs.get(old).msg); |
| if (new File(dfl(result.peer)).exists()) { |
| Files.copy(Paths.get(dfl(result.peer)), Paths.get( |
| String.format("%03d-USER%d-host%d-%s-%s", |
| i, result.user, result.peer, result.server, |
| result.actual) |
| + "-" + result.hash), |
| StandardCopyOption.COPY_ATTRIBUTES); |
| } |
| return result; |
| } |
| // create a native server |
| private static Proc ns(int i) throws Exception { |
| return Proc.create("ReplayCacheTestProc") |
| .args("N"+i) |
| .env("KRB5_CONFIG", OneKDC.KRB5_CONF) |
| .env("KRB5_KTNAME", OneKDC.KTAB) |
| .env("KRB5RCACHEDIR", cwd) |
| .prop("sun.security.jgss.native", "true") |
| .prop("javax.security.auth.useSubjectCredsOnly", "false") |
| .prop("sun.security.nativegss.debug", "true") |
| .debug("N"+i) |
| .start(); |
| } |
| // creates a java server |
| private static Proc js(int i) throws Exception { |
| return Proc.create("ReplayCacheTestProc") |
| .debug("S"+i) |
| .args("S"+i) |
| .prop("sun.security.krb5.rcache", "dfl") |
| .prop("java.io.tmpdir", cwd) |
| .start(); |
| } |
| // generates hash of authenticator inside ap-req inside initsectoken |
| private static String hash(String req) throws Exception { |
| byte[] data = Base64.getDecoder().decode(req); |
| data = Arrays.copyOfRange(data, 17, data.length); |
| byte[] hash = MessageDigest.getInstance("MD5").digest(new APReq(data).authenticator.getBytes()); |
| char[] h = new char[hash.length * 2]; |
| char[] hexConst = "0123456789ABCDEF".toCharArray(); |
| for (int i=0; i<hash.length; i++) { |
| h[2*i] = hexConst[(hash[i]&0xff)>>4]; |
| h[2*i+1] = hexConst[hash[i]&0xf]; |
| } |
| return new String(h); |
| } |
| // return size of dfl file, excluding the null hash ones |
| private static int csize(int p) throws Exception { |
| try (SeekableByteChannel chan = Files.newByteChannel( |
| Paths.get(dfl(p)), StandardOpenOption.READ)) { |
| chan.position(6); |
| int cc = 0; |
| while (true) { |
| try { |
| if (AuthTime.readFrom(chan) != null) cc++; |
| } catch (BufferUnderflowException e) { |
| break; |
| } |
| } |
| return cc; |
| } catch (IOException ioe) { |
| return 0; |
| } |
| } |
| // models an experiement |
| private static class Ex { |
| int i; // # |
| boolean expected; // expected result |
| boolean actual; // actual output |
| int old; // which ap-req to send |
| String server; // which server to send to |
| String hash; // the hash of req |
| int user; // which initiator |
| int peer; // which acceptor |
| int csize; // size of rcache after test |
| } |
| // models a saved ap-req msg |
| private static class Req { |
| String msg; // based64-ed req |
| int user; // which initiator |
| int peer; // which accceptor |
| Req(int user, int peer, String msg) { |
| this.msg = msg; |
| this.user= user; |
| this.peer = peer; |
| } |
| } |
| } |