Mercurial > hg > release > icedtea6-1.10
view patches/openjdk/6851973-kerberos.patch @ 2578:96394d394527
Add security patches for 2012/06/12.
2012-06-07 Andrew John Hughes <ahughes@redhat.com>
* Makefile.am:
(ICEDTEA_PATCHES): Add security patches. Make more
patches HotSpot-build specific.
* patches/ecj/override.patch:
Add additional cases from 7143872.
* patches/arm.patch: Moved to HotSpot-specific versions.
* patches/arch.patch,
* patches/freetypeversion.patch,
* patches/gcc-suffix.patch:
Fix to work with no fuzz.
* patches/hotspot/hs20/arm.patch,
* patches/hotspot/hs20/gcc-stack-markings.patch,
* patches/hotspot/hs20/numa_on_early_glibc.patch,
* patches/hotspot/hs20/sparc-trapsfix.patch,
* patches/hotspot/hs20/version-hotspot.patch:
Split to work with hs20 with no fuzz.
* patches/hotspot/original/arm.patch,
* patches/hotspot/original/gcc-stack-markings.patch,
* patches/hotspot/original/numa_on_early_glibc.patch,
* patches/hotspot/original/sparc-trapsfix.patch,
* patches/hotspot/original/version-hotspot.patch:
Likewise for hs19 (original).
* patches/jaxp-serial-version-uid.patch,
* patches/libraries.patch,
* patches/nio2.patch,
* patches/no-static-linking.patch,
* patches/openjdk/6693253-security_warning.patch,
* patches/openjdk/6766342-AA-simple-shape-performance.patch,
* patches/openjdk/6797139-jbutton_truncation.patch,
* patches/openjdk/6851973-kerberos.patch,
* patches/openjdk/7102369-7094468-rmiregistry.patch:
Fixed to work with no fuzz.
* patches/openjdk/hs20/7034464-hugepage.patch,
* patches/openjdk/hs20/7103224-glibc_name_collision.patch,
Fixed to work with hs20 and no fuzz.
* patches/openjdk/mutter.patch:
Fixed to work with no fuzz.
* patches/openjdk/original/7034464-hugepage.patch,
* patches/openjdk/original/7103224-glibc_name_collision.patch,
Fixed to work with hs19 (original) and no fuzz.
* patches/openjdk/remove-mimpure-option-to-gcc.patch:
Fixed to work with no fuzz.
* patches/security/20120612/7079902.patch,
* patches/security/20120612/7143606.patch,
* patches/security/20120612/7143614.patch,
* patches/security/20120612/7143617.patch,
* patches/security/20120612/7143851.patch,
* patches/security/20120612/7143872.patch,
* patches/security/20120612/7145239.patch,
* patches/security/20120612/7157609.patch,
* patches/security/20120612/7160677.patch,
* patches/security/20120612/7160757.patch,
* patches/security/20120612/hs20/7110720.patch,
* patches/security/20120612/hs20/7152811.patch,
* patches/security/20120612/original/7110720.patch,
* patches/security/20120612/original/7152811.patch,
Security patches for 2012/06/12.
* NEWS: Updated.
| author | Andrew John Hughes <ahughes@redhat.com> |
|---|---|
| date | Fri, 08 Jun 2012 14:23:28 +0100 |
| parents | fab44a791e0f |
| children |
line wrap: on
line source
diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java openjdk/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java --- openjdk.orig/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java 2011-02-28 16:06:38.000000000 +0000 +++ openjdk/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java 2012-06-08 12:20:25.948833442 +0100 @@ -33,6 +33,7 @@ import java.net.Inet6Address; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.util.Arrays; import sun.security.krb5.*; import sun.security.jgss.GSSUtil; import sun.security.krb5.internal.Krb5; @@ -225,43 +226,35 @@ "Incorrect checksum"); } - byte[] remoteBindingBytes = new byte[CHECKSUM_BINDINGS_SIZE]; - System.arraycopy(checksumBytes, 4, remoteBindingBytes, 0, - CHECKSUM_BINDINGS_SIZE); - - byte[] noBindings = new byte[CHECKSUM_BINDINGS_SIZE]; - boolean tokenContainsBindings = - (!java.util.Arrays.equals(noBindings, remoteBindingBytes)); - ChannelBinding localBindings = context.getChannelBinding(); - if (tokenContainsBindings || - localBindings != null) { - - boolean badBindings = false; - String errorMessage = null; + // Ignore remote channel binding info when not requested at + // local side (RFC 4121 4.1.1.2: the acceptor MAY ignore...). + // + // All major krb5 implementors implement this "MAY", + // and some applications depend on it as a workaround + // for not having a way to negotiate the use of channel + // binding -- the initiator application always uses CB + // and hopes the acceptor will ignore the CB if the + // acceptor doesn't support CB. + if (localBindings != null) { + byte[] remoteBindingBytes = new byte[CHECKSUM_BINDINGS_SIZE]; + System.arraycopy(checksumBytes, 4, remoteBindingBytes, 0, + CHECKSUM_BINDINGS_SIZE); - if (tokenContainsBindings && - localBindings != null) { + byte[] noBindings = new byte[CHECKSUM_BINDINGS_SIZE]; + if (!Arrays.equals(noBindings, remoteBindingBytes)) { byte[] localBindingsBytes = computeChannelBinding(localBindings); - // System.out.println("ChannelBinding hash: " - // + getHexBytes(localBindingsBytes)); - badBindings = - (!java.util.Arrays.equals(localBindingsBytes, - remoteBindingBytes)); - errorMessage = "Bytes mismatch!"; - } else if (localBindings == null) { - errorMessage = "ChannelBinding not provided!"; - badBindings = true; + if (!Arrays.equals(localBindingsBytes, + remoteBindingBytes)) { + throw new GSSException(GSSException.BAD_BINDINGS, -1, + "Bytes mismatch!"); + } } else { - errorMessage = "Token missing ChannelBinding!"; - badBindings = true; - } - - if (badBindings) throw new GSSException(GSSException.BAD_BINDINGS, -1, - errorMessage); + "Token missing ChannelBinding!"); + } } flags = readLittleEndian(checksumBytes, 20, 4); diff -Nru openjdk.orig/jdk/test/sun/security/krb5/auto/IgnoreChannelBinding.java openjdk/jdk/test/sun/security/krb5/auto/IgnoreChannelBinding.java --- openjdk.orig/jdk/test/sun/security/krb5/auto/IgnoreChannelBinding.java 1970-01-01 01:00:00.000000000 +0100 +++ openjdk/jdk/test/sun/security/krb5/auto/IgnoreChannelBinding.java 2012-06-08 12:20:25.948833442 +0100 @@ -0,0 +1,113 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + */ + +/* + * @test + * @bug 6851973 + * @summary ignore incoming channel binding if acceptor does not set one + */ + +import java.net.InetAddress; +import org.ietf.jgss.ChannelBinding; +import org.ietf.jgss.GSSException; +import sun.security.jgss.GSSUtil; + +public class IgnoreChannelBinding { + + public static void main(String[] args) + throws Exception { + + new OneKDC(null).writeJAASConf(); + + Context c = Context.fromJAAS("client"); + Context s = Context.fromJAAS("server"); + + // All silent + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + Context.handshake(c, s); + + // Initiator req, acceptor ignore + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + c.x().setChannelBinding(new ChannelBinding( + InetAddress.getByName("client.rabbit.hole"), + InetAddress.getByName("host.rabbit.hole"), + new byte[0] + )); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + Context.handshake(c, s); + + // Both req, and match + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + c.x().setChannelBinding(new ChannelBinding( + InetAddress.getByName("client.rabbit.hole"), + InetAddress.getByName("host.rabbit.hole"), + new byte[0] + )); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + s.x().setChannelBinding(new ChannelBinding( + InetAddress.getByName("client.rabbit.hole"), + InetAddress.getByName("host.rabbit.hole"), + new byte[0] + )); + Context.handshake(c, s); + + // Both req, NOT match + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + c.x().setChannelBinding(new ChannelBinding( + InetAddress.getByName("client.rabbit.hole"), + InetAddress.getByName("host.rabbit.hole"), + new byte[0] + )); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + s.x().setChannelBinding(new ChannelBinding( + InetAddress.getByName("client.rabbit.hole"), + InetAddress.getByName("host.rabbit.hole"), + new byte[1] // 0 -> 1 + )); + try { + Context.handshake(c, s); + throw new Exception("Acceptor should reject initiator"); + } catch (GSSException ge) { + // Expected bahavior + } + + // Acceptor req, reject + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + s.x().setChannelBinding(new ChannelBinding( + InetAddress.getByName("client.rabbit.hole"), + InetAddress.getByName("host.rabbit.hole"), + new byte[0] + )); + try { + Context.handshake(c, s); + throw new Exception("Acceptor should reject initiator"); + } catch (GSSException ge) { + // Expected bahavior + if (ge.getMajor() != GSSException.BAD_BINDINGS) { + throw ge; + } + } + } +}