From 74882de47240e96910f05430881fa1dabf92aec7 Mon Sep 17 00:00:00 2001
From: Konstantin Triger
Date: Sun, 6 Nov 2005 17:20:34 +0000
Subject: create GSSCredential only once, cleanup
svn path=/trunk/mcs/; revision=52628
---
 .../Novell.Directory.Ldap.Security.jvm/ChangeLog | 5 ++
 .../CreateContextPrivilegedAction.cs | 34 +++++++++----
 .../Krb5Helper.cs | 56 +++++++++-------------
 .../SecureStream.cs | 5 ++
 .../Novell.Directory.Ldap/ChangeLog | 4 ++
 .../Novell.Directory.Ldap/LdapConnection.cs | 22 +++++----
 6 files changed, 75 insertions(+), 51 deletions(-)
(limited to 'mcs/class/Novell.Directory.Ldap')
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
index 97267527548..cc77f724ea8 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
@@ -1,3 +1,8 @@
+2005-11-06 Konstantin Triger
+
+ * SecureStream.cs, CreateContextPrivilegedAction.cs, Krb5Helper.cs:
+ create GSSCredential only once, cleanup
+
 2005-11-03 Konstantin Triger
 * CreateContextPrivilegedAction.cs: always require mutual auth;
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
index e98fb9d4053..73b280f5581 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
@@ -44,15 +44,17 @@ namespace Novell.Directory.Ldap.Security
 private readonly bool _signing;
 private readonly bool _delegation;
 private readonly string _name;
+ private readonly string _clientName;
 private readonly string _mech;
 #endregion //Fields
 #region Constructors
- public CreateContextPrivilegedAction(string name, string mech, bool encryption, bool signing, bool delegation)
+ public CreateContextPrivilegedAction(string name, string clientName, string mech, bool encryption, bool signing, bool delegation)
 {
 _name = name;
+ _clientName = clientName;
 _mech = mech;
 _encryption = encryption;
 _signing = signing;
@@ -68,16 +70,30 @@ namespace Novell.Directory.Ldap.Security
 try {
 Oid krb5Oid = new Oid (_mech);
 GSSManager manager = GSSManager.getInstance ();
- GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);
- GSSContext context = manager.createContext (serverName, krb5Oid, null, GSSContext__Finals.INDEFINITE_LIFETIME);
+ GSSName clientName =
+ manager.createName(_clientName, GSSName__Finals.NT_USER_NAME);
+ GSSCredential clientCreds =
+ manager.createCredential(clientName,
+ GSSContext__Finals.INDEFINITE_LIFETIME,
+ krb5Oid,
+ GSSCredential__Finals.INITIATE_ONLY);
- context.requestMutualAuth(true);
- context.requestConf (_encryption);
- if (!_encryption || _signing)
- context.requestInteg (!_encryption || _signing);
- context.requestCredDeleg (_delegation);
+// try {
+ GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);
+ GSSContext context = manager.createContext (serverName, krb5Oid, clientCreds, GSSContext__Finals.INDEFINITE_LIFETIME);
- return context;
+ context.requestMutualAuth(true);
+ context.requestConf (_encryption);
+ if (!_encryption || _signing)
+ context.requestInteg (!_encryption || _signing);
+ context.requestCredDeleg (_delegation);
+
+ return context;
+// }
+// finally {
+// // Calling this throws GSSException: Operation unavailable...
+// clientCreds.dispose();
+// }
 }
 catch (GSSException e) {
 throw new PrivilegedActionException (e);
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
index 41889337d15..65c037f6d7b 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
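Review bot: The `GSSCredential` obtained from `manager.createCredential` is never released: the `finally { clientCreds.dispose(); }` that would do it is committed as commented-out code with only the remark that dispose throws "Operation unavailable". An initiator credential holds the caller's Kerberos ticket material, so leaking one per connection is a resource and hygiene problem worth solving rather than shelving; if `dispose()` really fails on this JGSS implementation, record why in a live comment and hand the credential to the caller (for example keep it next to the context so `Krb5Helper.Dispose` can release it after `Context.dispose()`). The commented-out `try`/`finally` should be removed from the committed version in any case. The enclosing method starts before and ends after this hunk.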
@@ -39,7 +39,7 @@ using org.ietf.jgss;
 namespace Novell.Directory.Ldap.Security
 {
- internal class Krb5Helper
+ internal class Krb5Helper : IDisposable
 {
 enum QOP {
 NO_PROTECTION = 1,
@@ -57,26 +57,23 @@ namespace Novell.Directory.Ldap.Security
 private readonly GSSContext _context;
- private readonly string _name;
- private readonly Subject _subject;
- private readonly string _mech;
-
 #endregion // Fields
 #region Constructors
- public Krb5Helper(string name, Subject subject, AuthenticationTypes authenticationTypes, string mech)
+ public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
 {
- _name = name;
- _subject = subject;
- _mech = mech;
-
 _encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;
 _signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;
 _delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;
- CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (_name,_mech,_encryption,_signing,_delegation);
- _context = (GSSContext) Subject.doAs (_subject,action);
+ CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (name, clientName, mech,_encryption,_signing,_delegation);
+ try {
+ _context = (GSSContext) Subject.doAs (subject,action);
+ }
+ catch (PrivilegedActionException e) {
+ throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e.getCause());
+ }
 }
 #endregion // Constructors
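Review bot: The message in the constructor's new `catch (PrivilegedActionException e)`, "Problem performing token exchange with the server", was copied from the removed ExchangeTokens handler and names the wrong operation: nothing has been exchanged yet, the failure is acquiring the credential for `clientName` or creating the GSS context. Suggest `throw new LdapException ("Failed to create GSS security context", LdapException.OTHER, "", e.getCause());` so an operator reading the log looks at the ticket cache rather than at the network. Since the class now implements `IDisposable` and the constructor owns a live `GSSContext`, a `/// <summary>` on the class saying that callers must call `Dispose()` to release the context would also help.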
@@ -126,14 +123,7 @@ namespace Novell.Directory.Ldap.Security
 return TypeUtils.ToSByteArray (gssOutToken);
 }
- sbyte [] token;
- try {
- ExchangeTokenPrivilegedAction action = new ExchangeTokenPrivilegedAction (Context, clientToken);
- token = (sbyte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e);
- }
+ sbyte [] token = Context.initSecContext (clientToken, 0, clientToken.Length);
 if (Context.isEstablished ()) {
@@ -169,13 +159,8 @@ namespace Novell.Directory.Ldap.Security
 return buff;
 }
- try {
- WrapPrivilegedAction action = new WrapPrivilegedAction (Context, outgoing, start, len, messageProp);
- return (byte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException ("Problem performing GSS wrap",LdapException.OTHER,"",e);
- }
+ sbyte [] result = Context.wrap (TypeUtils.ToSByteArray (outgoing), start, len, messageProp);
+ return (byte []) TypeUtils.ToByteArray (result);
 }
 public byte [] Unwrap(byte [] incoming, int start, int len)
@@ -195,15 +180,18 @@ namespace Novell.Directory.Ldap.Security
 return buff;
 }
- try {
- UnwrapPrivilegedAction action = new UnwrapPrivilegedAction (Context, incoming, start, len, messageProp);
- return (byte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException("Problems unwrapping SASL buffer",LdapException.OTHER,"",e);
- }
+ sbyte [] result = Context.unwrap (TypeUtils.ToSByteArray (incoming), start, len, messageProp);
+ return (byte []) TypeUtils.ToByteArray (result);
 }
 #endregion // Methods
+
+ #region IDisposable Members
+
+ public void Dispose() {
+ Context.dispose();
+ }
+
+ #endregion
 }
 }
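Review bot: Calling `Context.initSecContext` directly drops the translation into `LdapException` that the removed `catch (PrivilegedActionException e)` provided, so a `GSSException` from the JGSS layer now escapes `ExchangeTokens` unwrapped (unless a try outside this hunk handles it) and callers that catch `LdapException` will miss it; the Wrap and Unwrap hunks below lose the same handling around `Context.wrap` and `Context.unwrap`. Suggest keeping `try { token = Context.initSecContext (clientToken, 0, clientToken.Length); } catch (GSSException e) { throw new LdapException ("Problem performing token exchange with the server", LdapException.OTHER, "", e); }` in each of the three places, so a rejected or malformed SASL token still surfaces as the exception type callers expect. The new line also dereferences `clientToken.Length` without a null check, while the LdapConnection caller in this same commit assigns `token` null when the bind response carries no serverSaslCreds; either guard for null or document the precondition. `ExchangeTokens` starts before this hunk.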
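Review bot: The new `Dispose()` calls `Context.dispose()` unconditionally, so any second call — for example a repeated `Close()` on the owning `SecureStream` — reaches an already-released GSS context, and whether that throws is up to the JGSS implementation. Make it idempotent: `if (_disposed) return; _disposed = true; Context.dispose();` with a `private bool _disposed;` field, and let `Wrap`/`Unwrap` throw `ObjectDisposedException` afterwards rather than operate on a dead context. A `///` comment stating that disposing ends the security context and invalidates further wrap/unwrap calls would help the stream owner.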
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
index 43508c33313..f9aa4e43aec 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
@@ -118,6 +118,11 @@ namespace Novell.Directory.Ldap.Security
 }
 }
+ public override void Close() {
+ _stream.Close();
+ _helper.Dispose();
+ }
+
 private int Fill() {
 int actual = ReadAll (_lenBuf, 4);
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
index 19c7e8dcf63..ab0f2a0ecda 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
@@ -1,3 +1,7 @@
+2005-11-06 Konstantin Triger
+
+ * LdapConnection.cs: TARGET_JVM: create GSSCredential only once, cleanup
+
 2005-11-03 Konstantin Triger
 * LdapConnection.cs: TARGET_JVM: throw an exception if failed during
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
index 87b3e5c819b..60964d721dd 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
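Review bot: In the new `Close()` override, `_helper.Dispose()` is skipped whenever `_stream.Close()` throws, leaving the GSS context the helper owns unreleased; `try { _stream.Close(); } finally { _helper.Dispose(); }` closes that gap. The override also never calls `base.Close()`, and if `SecureStream` derives from `System.IO.Stream` (the `override` suggests so, but the class header is outside this hunk) the conventional place for this cleanup is `Dispose(bool disposing)`, because `Stream.Close()` routes through it and a caller that disposes the stream via `using` would otherwise bypass both calls. The class definition starts before this hunk.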
@@ -1601,21 +1601,27 @@ namespace Novell.Directory.Ldap
 loginContext.login ();
 }
- catch (LoginException e) {
+ catch (Exception e) {
 throw new LdapException ("Failed to create login security context", 80, "", e);
 }
- Subject subject = loginContext.getSubject ();
-
- Krb5Helper krb5Helper = new Krb5Helper ("ldap@" + conn.Host, subject, authenticationTypes, SecurityMech);
+ Krb5Helper krb5Helper = null;
+ try {
+ krb5Helper = new Krb5Helper ("ldap@" + conn.Host, username, loginContext.getSubject (), authenticationTypes, SecurityMech);
+ }
+ finally {
+ loginContext.logout();
+ }
 sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);
 for (;;) {
 LdapResponseQueue queue = Bind(LdapConnection.Ldap_V3, username, token, null, null, AuthenticationMech);
 LdapResponse res = (LdapResponse) queue.getResponse ();
 if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS &&
- res.ResultCode != LdapException.SUCCESS)
+ res.ResultCode != LdapException.SUCCESS) {
+ krb5Helper.Dispose();
 throw new LdapException(ExceptionMessages.CONNECTION_ERROR, res.ResultCode, res.ErrorMessage);
+ }
 Asn1OctetString serverSaslCreds = ((RfcBindResponse)res.Asn1Object.Response).ServerSaslCreds;
 token = serverSaslCreds != null ? serverSaslCreds.byteValue () : null;
@@ -1635,7 +1641,7 @@ namespace Novell.Directory.Ldap
 }
 }
- private string SecurityMech
+ static string SecurityMech
 {
 get {
 string securityMech = null;
@@ -1650,7 +1656,7 @@ namespace Novell.Directory.Ldap
 }
 }
- private string SecurityAppName
+ static string SecurityAppName
 {
 get {
 string securityAppName = null;
@@ -1665,7 +1671,7 @@ namespace Novell.Directory.Ldap
 }
 }
- private string AuthenticationMech
+ static string AuthenticationMech
 {
 get {
 string authenticationMech = null;
--
cgit v1.2.3
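Review bot: `krb5Helper.Dispose()` runs only on the bad-result-code branch of the `for (;;)` loop, so an exception from `ExchangeTokens`, `Bind` or `queue.getResponse()` leaves the GSS context undisposed; wrap the exchange loop once in `try { ... } catch { krb5Helper.Dispose(); throw; }` instead of adding `Dispose()` per branch, and state in a comment who owns `krb5Helper` on the success path, since the loop ends outside this hunk. Widening `catch (LoginException e)` to `catch (Exception e)` also reports every failure of `loginContext.login()`, including programming errors, under code 80 with the "Failed to create login security context" message; if the aim is to cover checked JVM exceptions not derived from `LoginException`, a comment naming them would justify the broad catch. The enclosing method starts before and ends after this hunk.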
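Review bot: `static string SecurityMech` drops the explicit `private` that the old declaration had, as do `SecurityAppName` and `AuthenticationMech` in the two hunks below, leaving the visibility to the implicit default. The rest of this diff spells access modifiers out (`private readonly ...`, `public override ...`), so `private static string SecurityMech` keeps the style consistent and the intent visible. Each property body continues outside its hunk.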