8170732: GssKrb5Client sends non-zero buffer size when qop is "auth"
Reviewed-by: xuelei
--- a/jdk/src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java Thu Jan 05 22:58:54 2017 +0800
+++ b/jdk/src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Client.java Thu Jan 05 23:19:26 2017 +0800
@@ -298,7 +298,11 @@
Boolean.valueOf(integrity)});
}
- intToNetworkByteOrder(recvMaxBufSize, gssInToken, 1, 3);
+ if (privacy || integrity) {
+ // Last paragraph of RFC 4752 3.1: size ... MUST be 0 if the
+ // client does not support any security layer
+ intToNetworkByteOrder(recvMaxBufSize, gssInToken, 1, 3);
+ }
if (authzID != null) {
// copy authorization id
System.arraycopy(authzID, 0, gssInToken, 4, authzID.length);
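Review bot: The guarded write leaves `gssInToken[1..3]` untouched when neither layer is selected, so correctness now depends on those bytes already being zero; the hunk does not show how `gssInToken` is allocated, and if it is a fresh `new byte[...]` that holds, but the dependency should be stated, e.g. `// bytes 1..3 are left 0 (fresh array): RFC 4752 3.1 requires size 0 when no layer is selected`. The decision reuses the same `privacy`/`integrity` flags logged just above, so the debug output and the emitted token agree. Whether the server side (GssKrb5Server) rejects a non-zero size from a client that declares no security layer is outside this hunk and not addressed by the commit. The enclosing method starts and ends outside the hunk.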
--- a/jdk/test/sun/security/krb5/auto/SaslBasic.java Thu Jan 05 22:58:54 2017 +0800
+++ b/jdk/test/sun/security/krb5/auto/SaslBasic.java Thu Jan 05 23:19:26 2017 +0800
@@ -23,14 +23,13 @@
/*
* @test
- * @bug 7110803
+ * @bug 7110803 8170732
* @summary SASL service for multiple hostnames
* @compile -XDignore.symbol.file SaslBasic.java
- * @run main/othervm SaslBasic bound
- * @run main/othervm SaslBasic unbound
+ * @run main/othervm SaslBasic bound auth-int
+ * @run main/othervm SaslBasic unbound auth-conf
+ * @run main/othervm SaslBasic bound auth
*/
-import com.sun.security.jgss.InquireType;
-
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
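Review bot: The `@summary` still reads `SASL service for multiple hostnames` although the third `@run` line now exercises the RFC 4752 maximum-size field for qop `auth`; consider `* @summary SASL service for multiple hostnames; RFC 4752 max-size field is 0 for qop=auth` so the test header describes what is verified. The new `@run` lines also make `main` depend on a second argument (`args[1]`, used in the later hunks), which is not mentioned anywhere in the header; a short `@run` note or a length check in `main` would make a manual run without the qop argument fail with a clear message instead of an index error.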
@@ -51,7 +50,7 @@
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
HashMap clntprops = new HashMap();
- clntprops.put(Sasl.QOP, "auth-conf");
+ clntprops.put(Sasl.QOP, args[1]);
SaslClient sc = Sasl.createSaslClient(
new String[]{"GSSAPI"}, null, "server",
name, clntprops, null);
@@ -74,9 +73,11 @@
});
byte[] token = new byte[0];
+ byte[] lastClientToken = null;
while (!sc.isComplete() || !ss.isComplete()) {
if (!sc.isComplete()) {
token = sc.evaluateChallenge(token);
+ lastClientToken = token;
}
if (!ss.isComplete()) {
token = ss.evaluateResponse(token);
@@ -94,11 +95,20 @@
if (key == null) {
throw new Exception("Extended negotiated property not read");
}
- byte[] hello = "hello".getBytes();
- token = sc.wrap(hello, 0, hello.length);
- token = ss.unwrap(token, 0, token.length);
- if (!Arrays.equals(hello, token)) {
- throw new Exception("Message altered");
+
+ if (args[1].equals("auth")) {
+ // 8170732. These are the maximum size bytes after jgss/krb5 wrap.
+ if (lastClientToken[17] != 0 || lastClientToken[18] != 0
+ || lastClientToken[19] != 0) {
+ throw new Exception("maximum size for auth must be 0");
+ }
+ } else {
+ byte[] hello = "hello".getBytes();
+ token = sc.wrap(hello, 0, hello.length);
+ token = ss.unwrap(token, 0, token.length);
+ if (!Arrays.equals(hello, token)) {
+ throw new Exception("Message altered");
+ }
}
}
}
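Review bot: The new check verifies only the size bytes `lastClientToken[17..19]` but not the bitmask byte at `lastClientToken[16]`, which per RFC 4752 3.1/3.3 must be 1 (no security layer) when qop is `auth`; extending the condition to `if (lastClientToken[16] != 1 || lastClientToken[17] != 0 || lastClientToken[18] != 0 || lastClientToken[19] != 0)` would pin the whole 4-byte payload. The fixed offsets assume the wrap token header is 16 bytes (the RFC 4121 layout); with an RFC 1964-style token the payload would sit elsewhere, so a comment such as `// offsets assume an RFC 4121 (CFX) wrap token: 16-byte header, then bitmask + 3 size bytes` would make the assumption explicit for whoever changes the test KDC's enctypes. `lastClientToken` is assigned on every client step, so it is non-null here as long as the loop ran at least once, which the hunk does not show but the protocol implies.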