Mercurial > hg > release > icedtea7-forest-2.6 > jdk

changeset 9878:04f0514ef0fd

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime Reviewed-by: mbalao
author andrew
date Thu, 30 Jan 2020 04:12:14 +0000
parents 92761da61627
children 72426fcae25f
files src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java src/share/classes/javax/security/auth/kerberos/KerberosTicket.java src/share/classes/sun/security/krb5/KrbTgsReq.java test/sun/security/krb5/auto/KDC.java test/sun/security/krb5/auto/NullRenewUntil.java
diffstat 5 files changed, 101 insertions(+), 8 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Wed Feb 05 06:51:11 2020 +0000
+++ b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Thu Jan 30 04:12:14 2020 +0000
@@ -976,6 +976,10 @@
             if (!creds.isRenewable())
                 throw new RefreshFailedException("This ticket" +
                                 " is not renewable");
+            if (creds.getRenewTill() == null) {
+                // Renewable ticket without renew-till. Illegal and ignored.
+                return creds;
+            }
             if (System.currentTimeMillis() > cred.getRenewTill().getTime())
                 throw new RefreshFailedException("This ticket is past "
                                              + "its last renewal time.");
--- a/src/share/classes/javax/security/auth/kerberos/KerberosTicket.java	Wed Feb 05 06:51:11 2020 +0000
+++ b/src/share/classes/javax/security/auth/kerberos/KerberosTicket.java	Thu Jan 30 04:12:14 2020 +0000
@@ -301,11 +301,7 @@
         } else
            this.flags = new boolean[NUM_FLAGS];
 
-        if (this.flags[RENEWABLE_TICKET_FLAG]) {
-           if (renewTill == null)
-                throw new IllegalArgumentException("The renewable period "
-                       + "end time cannot be null for renewable tickets.");
-
+        if (this.flags[RENEWABLE_TICKET_FLAG] && renewTill != null) {
            this.renewTill = new Date(renewTill.getTime());
         }
 
@@ -546,6 +542,11 @@
         if (!isRenewable())
             throw new RefreshFailedException("This ticket is not renewable");
 
+        if (getRenewTill() == null) {
+            // Renewable ticket without renew-till. Illegal and ignored.
+            return;
+        }
+
         if (System.currentTimeMillis() > getRenewTill().getTime())
             throw new RefreshFailedException("This ticket is past "
                                              + "its last renewal time.");
--- a/src/share/classes/sun/security/krb5/KrbTgsReq.java	Wed Feb 05 06:51:11 2020 +0000
+++ b/src/share/classes/sun/security/krb5/KrbTgsReq.java	Thu Jan 30 04:12:14 2020 +0000
@@ -33,8 +33,10 @@
 
 import sun.security.krb5.internal.*;
 import sun.security.krb5.internal.crypto.*;
+
 import java.io.IOException;
 import java.net.UnknownHostException;
+import java.util.Calendar;
 
 /**
  * This class encapsulates a Kerberos TGS-REQ that is sent from the
@@ -224,7 +226,14 @@
         throws IOException, KrbException, UnknownHostException {
         KerberosTime req_till = null;
         if (till == null) {
-            req_till = new KerberosTime(0);
+            String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
+            if (d != null) {
+                Calendar cal = Calendar.getInstance();
+                cal.add(Calendar.SECOND, Config.duration(d));
+                req_till = new KerberosTime(cal.getTime());
+            } else {
+                req_till = new KerberosTime(0); // Choose KDC maximum allowed
+            }
         } else {
             req_till = till;
         }
--- a/test/sun/security/krb5/auto/KDC.java	Wed Feb 05 06:51:11 2020 +0000
+++ b/test/sun/security/krb5/auto/KDC.java	Thu Jan 30 04:12:14 2020 +0000
@@ -785,6 +785,18 @@
             }
             bFlags[Krb5.TKT_OPTS_INITIAL] = true;
 
+            KerberosTime renewTill = etp.renewTill;
+            if (renewTill != null && body.kdcOptions.get(KDCOptions.RENEW)) {
+                // till should never pass renewTill
+                if (till.greaterThan(renewTill)) {
+                    till = renewTill;
+                }
+                if (System.getProperty("test.set.null.renew") != null) {
+                    // Testing 8186576, see NullRenewUntil.java.
+                    renewTill = null;
+                }
+            }
+
             TicketFlags tFlags = new TicketFlags(bFlags);
             EncTicketPart enc = new EncTicketPart(
                     tFlags,
@@ -793,7 +805,7 @@
                     new TransitedEncoding(1, new byte[0]),  // TODO
                     new KerberosTime(new Date()),
                     body.from,
-                    till, etp.renewTill,
+                    till, renewTill,
                     body.addresses != null  // always set caddr
                             ? body.addresses
                             : new HostAddresses(
@@ -820,7 +832,7 @@
                     tFlags,
                     new KerberosTime(new Date()),
                     body.from,
-                    till, etp.renewTill,
+                    till, renewTill,
                     service,
                     body.addresses != null  // always set caddr
                             ? body.addresses
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/NullRenewUntil.java	Thu Jan 30 04:12:14 2020 +0000
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8186576
+ * @summary KerberosTicket does not properly handle renewable tickets
+ *          at the end of their lifetime
+ * @library /lib/testlibrary/
+ * @compile -XDignore.symbol.file NullRenewUntil.java
+ * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock -Dtest.set.null.renew NullRenewUntil
+ */
+
+import jdk.testlibrary.Asserts;
+import sun.security.krb5.Config;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+public class NullRenewUntil {
+
+    public static void main(String[] args) throws Exception {
+
+        OneKDC kdc = new OneKDC(null);
+
+        KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
+                "ticket_lifetime = 10s",
+                "renew_lifetime = 11s");
+        Config.refresh();
+
+        KerberosTicket ticket = Context
+                .fromUserPass(OneKDC.USER, OneKDC.PASS, false).s()
+                .getPrivateCredentials(KerberosTicket.class).iterator().next();
+
+        System.out.println(ticket);
+        Asserts.assertTrue(ticket.getRenewTill() != null, ticket.toString());
+
+        Thread.sleep(2000);
+
+        ticket.refresh();
+        System.out.println(ticket);
+        Asserts.assertTrue(ticket.getRenewTill() == null, ticket.toString());
+
+        Thread.sleep(2000);
+        ticket.refresh();
+        System.out.println(ticket);
+    }
+}