- Bug
- Resolution: Fixed
- P3
- 5.0
- None
- beta
- generic
- generic
The following J2SE 5.0 code, starting at line 283 in Java method
>>computeChannelBinding(ChannelBinding channelBinding) in module
>>j2se/src/share/classes/sun/security/jgss/krb5/InitialToken.java, is
>>not correct.
>>
>>The code is wrong because it throws GSSException exceptions for legal
>>IPv6 addresses. The problem is that if either the initiatorAddress
>>or the acceptorAddress is an IPv6 address then the address lengths
>>will be 16. The code only allows addresses of length 4. For address
>>lengths other than 4, the code throws GSSException exceptions.
>>
>>==============================================================================
>>
>>        if (initiatorAddress != null) {
>>            initiatorAddressType = CHANNEL_BINDING_AF_INET;
>>            initiatorAddressBytes = initiatorAddress.getAddress();
>>-->         if (initiatorAddressBytes.length != 4)
>>                throw new GSSException(GSSException.FAILURE, -1,
>>                    "Cannot handle non AF-INET addresses in ChannelBinding.");
>>            size += initiatorAddressBytes.length;
>>        }
>>
>>        if (acceptorAddress != null) {
>>            acceptorAddressType = CHANNEL_BINDING_AF_INET;
>>            acceptorAddressBytes = acceptorAddress.getAddress();
>>-->         if (acceptorAddressBytes.length != 4)
>>                throw new GSSException(GSSException.FAILURE, -1,
>>                    "Cannot handle non AF-INET addresses in ChannelBinding.");
>>            size += acceptorAddressBytes.length;
>>        }
>>
>>==============================================================================
>>
>>The problem showed up when we specified
>>-Djava.net.preferIPv6Addresses=true when we ran JCK-15 test
>>javasoft.sqe.tests.api.org.ietf.jgss.GSSContext.SetGetTests
>>with both the localhost and the Kerberos server having IPv6 addresses.
>>
>>Here is a stack trace showing the exception:
>> ...
>><Client> Authentication succeeded!. Will start execution ...
>><Client> Connected to server ptrpan.zko.dec.com/fe80:0:0:0:a00:2bff:fee2:7e45
>><Server> Got connection from client /fe80:0:0:0:a00:2bff:fee2:7e45
>>GSSException: Failure unspecified at GSS-API level (Mechanism level: Cannot handle non AF-INET addresses in ChannelBinding.)
>>    at sun.security.jgss.krb5.InitialToken.computeChannelBinding(InitialToken.java:287)
>>    at sun.security.jgss.krb5.InitialToken.access$100(InitialToken.java:18)
>>    at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:86)
>>    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:38)
>>    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:624)
>>    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
>>    at javasoft.sqe.tests.api.org.ietf.jgss.GSSContext.setCBClient$Action.run(setCB.java:440)
>>    at java.security.AccessController.doPrivileged(Native Method)
>>    at javax.security.auth.Subject.doAsPrivileged(Subject.java:454)
>>    at javasoft.sqe.tests.api.org.ietf.jgss.GSSContext.setCBClient.thisRun(setCB.java:353)
>>    at javasoft.sqe.tests.api.org.ietf.jgss.GSSContext.setCBClient.run(setCB.java:312)
###@###.### 2005-03-22 00:48:27 GMT
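
The report above turns on the address type and length that feed the channel-binding checksum. The following is an added example, not the JDK's code and not the fix applied for this bug: it derives the address family from the address class and hashes 4-byte and 16-byte addresses alike. The class and helper names are hypothetical; the address-family codes are assumed from RFC 2744 and the byte layout from RFC 4121, section 4.1.1.2.

```java
import java.io.ByteArrayOutputStream;
import java.net.*;
import java.nio.*;
import java.security.MessageDigest;

public class ChannelBindingHash {  // hypothetical class, not part of the JDK
    // Address-family codes from RFC 2744 (GSS_C_AF_INET, GSS_C_AF_INET6, GSS_C_AF_NULLADDR).
    static final int AF_INET = 2, AF_INET6 = 24, AF_NULLADDR = 255;

    // Derive the family from the address class instead of assuming AF_INET.
    static int addrType(InetAddress a) {
        if (a instanceof Inet4Address) return AF_INET;
        if (a instanceof Inet6Address) return AF_INET6;
        return AF_NULLADDR; // null: no address bound
    }

    // Integers are hashed in little-endian order (RFC 4121, section 4.1.1.2).
    static void putInt(ByteArrayOutputStream out, int v) {
        out.write(ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN).putInt(v).array(), 0, 4);
    }

    // Address type, then length-prefixed raw bytes: 4 for IPv4, 16 for IPv6, 0 for null.
    static void putAddress(ByteArrayOutputStream out, InetAddress a) {
        byte[] raw = (a == null) ? new byte[0] : a.getAddress();
        putInt(out, addrType(a));
        putInt(out, raw.length);
        out.write(raw, 0, raw.length);
    }

    // MD5 over initiator, acceptor and application data: the 16-byte Bnd value.
    static byte[] bnd(InetAddress initiator, InetAddress acceptor, byte[] appData) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        putAddress(out, initiator);
        putAddress(out, acceptor);
        byte[] data = (appData == null) ? new byte[0] : appData;
        putInt(out, data.length);
        out.write(data, 0, data.length);
        return MessageDigest.getInstance("MD5").digest(out.toByteArray());
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample addresses (documentation ranges); literals need no DNS lookup.
        String[][] pairs = { { "192.0.2.10", "192.0.2.20" }, { "2001:db8::10", "2001:db8::20" } };
        for (String[] p : pairs) {
            InetAddress init = InetAddress.getByName(p[0]), acc = InetAddress.getByName(p[1]);
            StringBuilder hex = new StringBuilder();
            for (byte b : bnd(init, acc, null)) hex.append(String.format("%02x", b));
            System.out.println("type " + addrType(init) + " " + p[0] + " -> Bnd " + hex);
        }
    }
}
```

Initiator and acceptor must feed identical type, length and address bytes into the hash for the binding to verify. Java returns an `Inet4Address` for an IPv4-mapped IPv6 literal, so such an address is hashed as a 4-byte `AF_INET` entry.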