Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8080125

SpNegoContext.acceptSecContext fails if mech_wanted is not the first mechanism

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: 8u40
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_40"
      Java(TM) SE Runtime Environment (build 1.8.0_40-b25)
      Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)
      java version "1.8.0_60-ea"
      Java(TM) SE Runtime Environment (build 1.8.0_60-ea-b10)
      Java HotSpot(TM) 64-Bit Server VM (build 25.60-b10, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [version 6.3.9600]
      (c) 2013 Microsoft Corporation. Tous droits réservés.

      A DESCRIPTION OF THE PROBLEM :
      the fix of "8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred" has added the following check in sun.security.jgss.spnego.SpNegoContext:
                      if (mechList[0].equals(mech_wanted)) {
                          // get the mechanism token
                          byte[] mechToken = initToken.getMechToken();
                          if (mechToken == null) {
                              throw new GSSException(GSSException.FAILURE, -1,
                                      "mechToken is missing");
                          }
                          accept_token = GSS_acceptSecContext(mechToken);
                      } else {
                          accept_token = null;
                      }
      this fails when mech_wanted is not mechList[0] but mechList[1]

      a quick fix made by replacing it with the following code restore the functionality:
                      boolean mechFound = false;
                      for (int i=0;i<mechList.length && !mechFound; i++) {
                       mechFound = mechList[i].equals(mech_wanted);
                      }
                      if (mechFound) {
                          // get the mechanism token
                          byte[] mechToken = initToken.getMechToken();
                          if (mechToken == null) {
                              throw new GSSException(GSSException.FAILURE, -1,
                                      "mechToken is missing");
                          }
                          accept_token = GSS_acceptSecContext(mechToken);
                      } else {
                          accept_token = null;
                      }

      REGRESSION. Last worked in version 8u40

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.8.0_31"
      Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      setup a server with krb5 auth in a way that the best match between the list of mechs that the initiator requested and the list that the acceptor will support is not the first supported mechanism
      request auth

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      authentication is correctly performed
      ACTUAL -
      authentication fails

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      rollback to jdk8-u31

      SUPPORT :
      YES

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              pardesha Pardeep Sharma
              Reporter:
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: