changeset 14350:c63c2923e1f9 jdk8u242-b08 jdk8u242-ga
8132111: Do not request for addresses for forwarded TGT
Reviewed-by: mbalao, shade
author | andrew |
---|---|
date | Wed, 15 Jan 2020 20:05:09 +0000 |
parents | c13e1bbeb020 |
children | 28d575fbb0cb |
files | src/share/classes/sun/security/krb5/KrbCred.java src/share/classes/sun/security/krb5/internal/HostAddress.java src/share/classes/sun/security/krb5/internal/HostAddresses.java test/sun/security/krb5/auto/KDC.java |
diffstat | 4 files changed, 16 insertions(+), 26 deletions(-) [+] |
--- a/src/share/classes/sun/security/krb5/KrbCred.java Wed Jan 15 02:09:49 2020 +0000
+++ b/src/share/classes/sun/security/krb5/KrbCred.java Wed Jan 15 20:05:09 2020 +0000
@@ -34,8 +34,6 @@
 import sun.security.krb5.internal.*;
 import sun.security.krb5.internal.crypto.KeyUsage;
 import java.io.IOException;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
 import sun.security.util.DerValue;
@@ -65,7 +63,6 @@
 PrincipalName client = tgt.getClient();
 PrincipalName tgService = tgt.getServer();
- PrincipalName server = serviceTicket.getServer();
 if (!serviceTicket.getClient().equals(client)) throw new KrbException(Krb5.KRB_ERR_GENERIC, "Client principal does not match");
@@ -78,29 +75,9 @@
 options.set(KDCOptions.FORWARDED, true);
 options.set(KDCOptions.FORWARDABLE, true);
- HostAddresses sAddrs = null;
-
- // GSSName.NT_HOSTBASED_SERVICE should display with KRB_NT_SRV_HST
- if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST) {
- sAddrs = new HostAddresses(server);
- } else if (server.getNameType() == PrincipalName.KRB_NT_UNKNOWN) {
- // Sometimes this is also a server
- if (server.getNameStrings().length >= 2) {
- String host = server.getNameStrings()[1];
- try {
- InetAddress[] addr = InetAddress.getAllByName(host);
- if (addr != null && addr.length > 0) {
- sAddrs = new HostAddresses(addr);
- }
- } catch (UnknownHostException ioe) {
- // maybe we guessed wrong, let sAddrs be null
- }
- }
- }
-
 KrbTgsReq tgsReq = new KrbTgsReq(options, tgt, tgService, null, null, null, null, null,
- sAddrs, // Only non-null for KRB_NT_SRV_HST, see JDK-8132111
+ null, // No easy way to get addresses right
 null, null, null);
 credMessg = createMessage(tgsReq.sendAndGetCreds(), key);
@@ -113,7 +90,6 @@
 EncryptionKey sessionKey = delegatedCreds.getSessionKey();
 PrincipalName princ = delegatedCreds.getClient();
- Realm realm = princ.getRealm();
 PrincipalName tgService = delegatedCreds.getServer();
 KrbCredInfo credInfo = new KrbCredInfo(sessionKey,
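Review bot: The replacement comment on the addresses argument of the `KrbTgsReq` call in the third hunk, `// No easy way to get addresses right`, drops the JDK-8132111 reference the old line carried and does not say that passing `null` is deliberate. With no addresses requested, the forwarded TGT is presumably issued without an address restriction, which is a behaviour change for sites that relied on address-bound delegated tickets and should be stated where the decision is made. I would write `null, // JDK-8132111: request an addressless forwarded TGT; addresses guessed by resolving the service host name are unreliable`. The enclosing method starts and ends outside the hunk.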
--- a/src/share/classes/sun/security/krb5/internal/HostAddress.java Wed Jan 15 02:09:49 2020 +0000
+++ b/src/share/classes/sun/security/krb5/internal/HostAddress.java Wed Jan 15 20:05:09 2020 +0000
@@ -39,6 +39,7 @@
 import java.net.Inet6Address;
 import java.net.UnknownHostException;
 import java.io.IOException;
+import java.util.Arrays;
 /**
 * Implements the ASN.1 HostAddress type.
@@ -295,4 +296,11 @@
 }
 }
+ @Override
+ public String toString() {
+ StringBuilder sb = new StringBuilder();
+ sb.append(Arrays.toString(address));
+ sb.append('(').append(addrType).append(')');
+ return sb.toString();
+ }
 }
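Review bot: `toString()` in the second hunk prints `address` with `Arrays.toString`, which, if `address` is a `byte[]` (its declaration is outside the hunk), renders each octet as a signed decimal, so 192 shows up as -64 in debug output. The `StringBuilder` is also more than a three-part concatenation needs; `return Arrays.toString(address) + "(" + addrType + ")";` says the same thing. A one-line Javadoc stating that the result is a diagnostic form and not a parseable address would help, since `HostAddresses.toString()` in the next file section prints an array of these objects.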
--- a/src/share/classes/sun/security/krb5/internal/HostAddresses.java Wed Jan 15 02:09:49 2020 +0000
+++ b/src/share/classes/sun/security/krb5/internal/HostAddresses.java Wed Jan 15 20:05:09 2020 +0000
@@ -338,4 +338,9 @@
 for (int i = 0; i < inetAddresses.length; i++) addresses[i] = new HostAddress(inetAddresses[i]);
 }
+
+ @Override
+ public String toString() {
+ return Arrays.toString(addresses);
+ }
 }
--- a/test/sun/security/krb5/auto/KDC.java Wed Jan 15 02:09:49 2020 +0000
+++ b/test/sun/security/krb5/auto/KDC.java Wed Jan 15 20:05:09 2020 +0000
@@ -903,9 +903,10 @@
 bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
 }
 }
+ // We do not request for addresses for FORWARDED tickets
 if (options.containsKey(Option.CHECK_ADDRESSES) && body.kdcOptions.get(KDCOptions.FORWARDED)
- && body.addresses == null) {
+ && body.addresses != null) {
 throw new KrbException(Krb5.KDC_ERR_BADOPTION);
 }
 if (body.kdcOptions.get(KDCOptions.FORWARDED) ||
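Review bot: The added comment `// We do not request for addresses for FORWARDED tickets` describes the client, not the check beneath it, which after this change makes the test KDC throw `KDC_ERR_BADOPTION` when `CHECK_ADDRESSES` is set and a FORWARDED request does carry addresses. Because the condition is the inverse of the old one, the comment should state the new rule, for example `// JDK-8132111: a FORWARDED request must arrive without addresses; reject it otherwise`. The check tests only `body.addresses != null`, so how a present but empty address list is treated is worth confirming against how `body.addresses` is decoded, which is not visible here. The enclosing method starts and ends outside the hunk.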