JDK-8201867

Kerberos keytabs with holes in certain places are parsed incorrectly


    • b15
    • x86
    • linux
    • Verified

        A DESCRIPTION OF THE PROBLEM :
        A Kerberos keytab can contain holes, which are entries containing only zero bytes that have no semantic meaning. See https://web.mit.edu/kerberos/krb5-1.12/doc/formats/keytab_file_format.html. The MIT Kerberos tools produce keytab files with these holes when they are used to remove entries from existing keytabs.

        If such a hole spans byte 8192 (0x2000) or any multiple of 8192 in the keytab file, Java silently fails to parse the entire keytab, which can lead to authentication failure.

        The bug is in sun.security.krb5.internal.ktab.KeyTabInputStream, which calls InputStream.skip(int) to skip holes in the keytab file. skip() is allowed to skip over fewer bytes than requested, but KeyTabInputStream does not check the result of skip() and assumes that it always succeeds in full. In particular, BufferedInputStream (an ancestor class of KeyTabInputStream) implements skip() in such a way that it does not skip past the end of its buffer, which has length 8192 by default, giving rise to the observed behavior.

        We've created a keytab file that reproduces the bug with the code given below, but there doesn't appear to be a way to attach it to this bug report. I'd be happy to provide it via email, or some other means that works for you.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        The program below expects the name of a keytab file on the command line.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        The program should print the service principal name for each entry in the keytab. This behavior is observed for most keytabs, those that do not trigger the bug.
        ACTUAL -
        For keytabs that trigger the bug, the KeyTab object incorrectly contains no entries, so the program produces no output. (The MIT Kerberos tools are able to correctly list the entries for such keytab files.)

        ---------- BEGIN SOURCE ----------
        import sun.security.krb5.internal.ktab.KeyTab;
        import sun.security.krb5.internal.ktab.KeyTabEntry;

        final class KeyTabBug {
            public static void main(String[] args) {
                KeyTab keyTab = KeyTab.getInstance(args[0]);
                KeyTabEntry[] entries = keyTab.getEntries();
                for (KeyTabEntry entry : entries) {
                    System.out.println(entry.getService());
                }
            }

            private KeyTabBug() {
            }
        }
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Avoid deleting keytab entries that cross 8192-byte boundaries, or edit keytab files to remove holes that trigger the bug.

        FREQUENCY : always
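
The short-skip behavior described in the report can be reproduced without a real keytab. The following is an added example, not code from the report or from the JDK source: `SkipFullyDemo`, `skipFully`, `sample` and `nextLength` are hypothetical names, and the byte array is a constructed stand-in for a keytab (2-byte header, one hole whose data crosses offset 8192, then a marker value in place of the next record length).

```java
import java.io.*;
import java.nio.ByteBuffer;

// Hypothetical demo class; not part of the JDK or of the original report.
final class SkipFullyDemo {
    // Loop until n bytes are consumed: skip() may legally skip fewer, even 0.
    static void skipFully(InputStream in, long n) throws IOException {
        while (n > 0) {
            long skipped = in.skip(n);
            if (skipped > 0) {
                n -= skipped;
            } else if (in.read() >= 0) {    // no progress: consume a single byte
                n--;
            } else {
                throw new EOFException(n + " bytes of hole missing");
            }
        }
    }

    // Constructed sample: header 0x05 0x02, record length -holeSize,
    // a zero-filled hole, then a marker int where the next record would start.
    static byte[] sample(int holeSize, int marker) {
        ByteBuffer buf = ByteBuffer.allocate(2 + 4 + holeSize + 4);
        buf.put((byte) 5).put((byte) 2).putInt(-holeSize);
        buf.putInt(6 + holeSize, marker);   // absolute put, big-endian
        return buf.array();
    }

    // Returns the int read immediately after the hole has been skipped.
    static int nextLength(byte[] file, boolean checked) throws IOException {
        DataInputStream in = new DataInputStream(
                new BufferedInputStream(new ByteArrayInputStream(file)));
        in.readUnsignedShort();             // header; fills the 8192-byte buffer
        int hole = -in.readInt();           // a negative length marks a hole
        if (checked) {
            skipFully(in, hole);
        } else {
            in.skip(hole);                  // result ignored, as in the report
        }
        return in.readInt();
    }

    public static void main(String[] args) throws IOException {
        byte[] file = sample(10_000, 0x1234);   // hole data crosses offset 8192
        System.out.printf("unchecked skip: 0x%x%n", nextLength(file, false));
        System.out.printf("checked skip:   0x%x%n", nextLength(file, true));
    }
}
```

With the unchecked call the stream stops at the end of the first buffer, so the next read returns zero bytes from inside the hole instead of the marker; the looped version reaches the marker.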


              weijun Weijun Wang
              webbuggrp Webbug Group