8022582: Relax response flags checking in sun.security.krb5.KrbKdcRep.check.
Reviewed-by: mullan
--- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java Tue Jan 27 12:59:45 2015 +0900
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java Tue Jan 27 18:16:27 2015 +0800
@@ -62,7 +62,8 @@
throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
}
- for (int i = 1; i < 6; i++) {
+ // We allow KDC to return a non-forwardable ticket if request has -f
+ for (int i = 2; i < 6; i++) {
if (req.reqBody.kdcOptions.get(i) !=
rep.encKDCRepPart.flags.get(i)) {
if (Krb5.DEBUG) {
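Review bot: The new lower bound on the loop is a bare `2`, and the comment above it only says the KDC may return a non-forwardable ticket "if request has -f" without saying that the client-side comparison of that bit is being dropped and who must now verify it; with bit 1 skipped, a reply whose FORWARDABLE flag differs from the request is accepted silently, so any caller that relies on forwardability (S4U2self in CredentialsUtil does, in this same commit) has to inspect the returned ticket flags itself. Name the bit instead of the magic number, `for (int i = KDCOptions.FORWARDED; i < 6; i++)` (assuming KDCOptions.FORWARDED is bit 2 as in RFC 4120, matching the `KDCOptions.FORWARDED` constant KrbTgsReq already uses), and reword the comment to `// Skip bit 1 (FORWARDABLE): a KDC may legitimately issue a non-forwardable ticket for a FORWARDABLE request; callers that need forwardability must check the returned flags themselves`. The enclosing check method and the debug branch of this loop continue outside the hunk.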
--- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java Tue Jan 27 12:59:45 2015 +0900
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java Tue Jan 27 18:16:27 2015 +0800
@@ -149,19 +149,11 @@
ctime = KerberosTime.now();
// check if they are valid arguments. The optional fields
- // should be consistent with settings in KDCOptions.
-
- // TODO: Is this necessary? If the TGT is not FORWARDABLE,
- // you can still request for a FORWARDABLE ticket, just the
- // KDC will give you a non-FORWARDABLE one. Even if you
- // cannot use the ticket expected, it still contains info.
- // This means there will be problem later. We already have
- // flags check in KrbTgsRep. Of course, sometimes the KDC
- // will not issue the ticket at all.
+ // should be consistent with settings in KDCOptions.
if (options.get(KDCOptions.FORWARDABLE) &&
(!(asCreds.flags.get(Krb5.TKT_OPTS_FORWARDABLE)))) {
- throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
+ options.set(KDCOptions.FORWARDABLE, false);
}
if (options.get(KDCOptions.FORWARDED)) {
if (!(asCreds.flags.get(KDCOptions.FORWARDABLE)))
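Review bot: The new `options.set(KDCOptions.FORWARDABLE, false)` rewrites the requested options with no trace, whereas the matching relaxation in KrbKdcRep.check at least prints under Krb5.DEBUG; add `if (Krb5.DEBUG) System.out.println(">>> KrbTgsReq: TGT not forwardable, clearing FORWARDABLE option");` before it. The comment kept above the check ("The optional fields should be consistent with settings in KDCOptions") now describes the old throwing behaviour; it should say that a FORWARDABLE request is downgraded rather than rejected because the KDC cannot grant it from a non-forwardable TGT, and that KrbKdcRep.check no longer compares that bit. If `options` is the object handed in by the caller rather than a private copy, the mutation is visible to the caller and that comment should say so. The FORWARDED check immediately below still appears to reject a non-forwardable TGT (its body continues outside the hunk), so the two cases are now handled asymmetrically and a sentence on why would help.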
--- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java Tue Jan 27 12:59:45 2015 +0900
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java Tue Jan 27 18:16:27 2015 +0800
@@ -58,6 +58,9 @@
// TODO: we do not support kerberos referral now
throw new KrbException("Cross realm impersonation not supported");
}
+ if (!ccreds.isForwardable()) {
+ throw new KrbException("S4U2self needs a FORWARDABLE ticket");
+ }
KrbTgsReq req = new KrbTgsReq(
ccreds,
ccreds.getClient(),
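Review bot: The new `isForwardable()` precheck carries no comment on why it is needed, and the reason is not visible from here: with this commit KrbTgsReq silently clears the FORWARDABLE option when the TGT is not forwardable, so without this guard the request would go out downgraded and only fail later against the post-request check, with a message about the returned ticket instead of the service's own credentials. Add `// Check up front: KrbTgsReq drops the FORWARDABLE option silently for a non-forwardable TGT, and the S4U2self result must be forwardable (presumably for the following S4U2proxy step)`. The KrbTgsReq constructor call continues outside the hunk.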
@@ -68,6 +71,9 @@
if (!creds.getClient().equals(client)) {
throw new KrbException("S4U2self request not honored by KDC");
}
+ if (!creds.isForwardable()) {
+ throw new KrbException("S4U2self ticket must be FORWARDABLE");
+ }
return creds;
}
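Review bot: The two new error messages in this file ("S4U2self needs a FORWARDABLE ticket" at the precheck and "S4U2self ticket must be FORWARDABLE" here) read almost identically, so an operator cannot tell from the exception whether the service's own credentials or the ticket returned by the KDC lacked the flag. Make this one name the returned ticket, e.g. `throw new KrbException("S4U2self ticket for " + client + " returned by KDC is not FORWARDABLE");`, and the earlier one name the caller's own ticket. This post-check is also the only place the FORWARDABLE flag is still enforced once KrbKdcRep.check stops comparing bit 1 (the KDC may decline it, as the SENSITIVE_ACCOUNTS test option does), so a one-line comment saying so would stop someone from removing it as redundant with the precheck.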
--- a/jdk/test/sun/security/krb5/auto/Context.java Tue Jan 27 12:59:45 2015 +0900
+++ b/jdk/test/sun/security/krb5/auto/Context.java Tue Jan 27 18:16:27 2015 +0800
@@ -23,6 +23,7 @@
import com.sun.security.auth.module.Krb5LoginModule;
+import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
@@ -584,7 +585,12 @@
out.name = name + " as " + out.cred.getName().toString();
return out;
} catch (PrivilegedActionException pae) {
- throw pae.getException();
+ Exception e = pae.getException();
+ if (e instanceof InvocationTargetException) {
+ throw (Exception)((InvocationTargetException) e).getTargetException();
+ } else {
+ throw e;
+ }
}
}
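Review bot: The cast in the new `throw (Exception)((InvocationTargetException) e).getTargetException()` line fails with a ClassCastException when the reflected method threw an Error (an AssertionError from a test assertion, for instance), hiding the real failure behind an unrelated one. Take the cause as a Throwable and handle the two cases explicitly: `Throwable cause = ((InvocationTargetException) e).getCause(); if (cause instanceof Error) throw (Error) cause; throw (cause instanceof Exception) ? (Exception) cause : e;`. `getCause()` is the current accessor; `getTargetException()` is the legacy alias. The enclosing method starts outside the hunk.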
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/ForwardableCheck.java Tue Jan 27 18:16:27 2015 +0800
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8022582
+ * @summary Relax response flags checking in sun.security.krb5.KrbKdcRep.check.
+ * @compile -XDignore.symbol.file ForwardableCheck.java
+ * @run main/othervm ForwardableCheck
+ */
+
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSUtil;
+
+import java.util.Arrays;
+
+public class ForwardableCheck {
+
+ public static void main(String[] args) throws Exception {
+ OneKDC kdc = new OneKDC(null);
+ kdc.writeJAASConf();
+
+ // USER can impersonate someone else
+ kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
+ Arrays.asList(OneKDC.USER + "@" + OneKDC.REALM));
+ // USER2 is sensitive
+ kdc.setOption(KDC.Option.SENSITIVE_ACCOUNTS,
+ Arrays.asList(OneKDC.USER2 + "@" + OneKDC.REALM));
+
+ Context c;
+
+ // USER2 is sensitive but it's still able to get a normal ticket
+ c = Context.fromUserPass(OneKDC.USER2, OneKDC.PASS2, false);
+
+ // ... and connect to another account
+ c.startAsClient(OneKDC.USER, GSSUtil.GSS_KRB5_MECH_OID);
+ c.x().requestCredDeleg(true);
+ c.x().requestMutualAuth(false);
+
+ c.take(new byte[0]);
+
+ if (!c.x().isEstablished()) {
+ throw new Exception("Context should have been established");
+ }
+
+ // ... but will not be able to delegate itself
+ if (c.x().getCredDelegState()) {
+ throw new Exception("Impossible");
+ }
+
+ // Although USER is allowed to impersonate other people,
+ // it cannot impersonate USER2 coz it's sensitive.
+ c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
+ try {
+ c.impersonate(OneKDC.USER2);
+ throw new Exception("Should fail");
+ } catch (GSSException e) {
+ e.printStackTrace();
+ }
+ }
+}
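Review bot: The negative impersonation case at the end accepts any GSSException, so the test still passes if `impersonate` fails for an unrelated reason (the unsupported cross-realm path or a KDC policy error) rather than for the non-FORWARDABLE ticket this bug is about. Check the failure before printing it, e.g. `if (!(e + " " + e.getCause()).contains("FORWARDABLE")) throw new Exception("Failed for the wrong reason", e);` — this assumes the GSSException carries the KrbException message from CredentialsUtil, which I cannot confirm from here. The `"Impossible"` message at the delegation check says nothing when it fires; `"Delegation must not be granted for a sensitive account"` would. The copyright line says 2014 while the file is new in this 2015 changeset.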
--- a/jdk/test/sun/security/krb5/auto/KDC.java Tue Jan 27 12:59:45 2015 +0900
+++ b/jdk/test/sun/security/krb5/auto/KDC.java Tue Jan 27 18:16:27 2015 +0800
@@ -198,6 +198,10 @@
* Krb5.KDC_ERR_POLICY will be send for S4U2proxy request.
*/
ALLOW_S4U2PROXY,
+ /**
+ * Sensitive accounts can never be delegated.
+ */
+ SENSITIVE_ACCOUNTS,
};
static {
@@ -643,7 +647,7 @@
try {
System.out.println(realm + "> " + tgsReq.reqBody.cname +
" sends TGS-REQ for " +
- service);
+ service + ", " + tgsReq.reqBody.kdcOptions);
KDCReqBody body = tgsReq.reqBody;
int[] eTypes = KDCReqBodyDotEType(body);
int e2 = eTypes[0]; // etype for outgoing session key
@@ -719,7 +723,13 @@
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)
&& allowForwardable) {
- bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
+ List<String> sensitives = (List<String>)
+ options.get(Option.SENSITIVE_ACCOUNTS);
+ if (sensitives != null && sensitives.contains(cname.toString())) {
+ // Cannot make FORWARDABLE
+ } else {
+ bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
+ }
}
if (body.kdcOptions.get(KDCOptions.FORWARDED) ||
etp.flags.get(Krb5.TKT_OPTS_FORWARDED)) {
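Review bot: The sensitive-account lookup added here is an unchecked cast with an empty if-branch that exists only to hold a comment, and the same block is duplicated verbatim in the AS-REQ path later in this diff; move it into one helper and call it from both sites. With the helper, this site reduces to a single condition and the AS site becomes `if (body.kdcOptions.get(KDCOptions.FORWARDABLE) && !isSensitive(body.cname.toString()))`. The `@SuppressWarnings("unchecked")` then sits on the helper instead of being needed on two large request-processing methods; this assumes `options` is a field of KDC, as its unqualified use here suggests. The enclosing TGS processing method continues outside the hunk.

```java
if (body.kdcOptions.get(KDCOptions.FORWARDABLE) && allowForwardable
        && !isSensitive(cname.toString())) {
    bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
}
// … unchanged: FORWARDED / PROXIABLE flag handling …

/** True if name is listed under Option.SENSITIVE_ACCOUNTS; such accounts never get a FORWARDABLE ticket. */
@SuppressWarnings("unchecked")
private boolean isSensitive(String name) {
    List<String> sensitives = (List<String>) options.get(Option.SENSITIVE_ACCOUNTS);
    return sensitives != null && sensitives.contains(name);
}
```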
@@ -824,7 +834,8 @@
t,
edata);
System.out.println(" Return " + tgsRep.cname
- + " ticket for " + tgsRep.ticket.sname);
+ + " ticket for " + tgsRep.ticket.sname + ", flags "
+ + tFlags);
DerOutputStream out = new DerOutputStream();
out.write(DerValue.createTag(DerValue.TAG_APPLICATION,
@@ -869,7 +880,7 @@
try {
System.out.println(realm + "> " + asReq.reqBody.cname +
" sends AS-REQ for " +
- service);
+ service + ", " + asReq.reqBody.kdcOptions);
KDCReqBody body = asReq.reqBody;
@@ -926,7 +937,13 @@
//body.from
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
- bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
+ List<String> sensitives = (List<String>)
+ options.get(Option.SENSITIVE_ACCOUNTS);
+ if (sensitives != null && sensitives.contains(body.cname.toString())) {
+ // Cannot make FORWARDABLE
+ } else {
+ bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
+ }
}
if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
@@ -1102,7 +1119,8 @@
edata);
System.out.println(" Return " + asRep.cname
- + " ticket for " + asRep.ticket.sname);
+ + " ticket for " + asRep.ticket.sname + ", flags "
+ + tFlags);
DerOutputStream out = new DerOutputStream();
out.write(DerValue.createTag(DerValue.TAG_APPLICATION,