Mercurial > hg > release > icedtea7-forest-2.6 > jdk
changeset 9878:04f0514ef0fd
8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime
Reviewed-by: mbalao
author | andrew |
---|---|
date | Thu, 30 Jan 2020 04:12:14 +0000 |
parents | 92761da61627 |
children | 72426fcae25f |
files | src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java src/share/classes/javax/security/auth/kerberos/KerberosTicket.java src/share/classes/sun/security/krb5/KrbTgsReq.java test/sun/security/krb5/auto/KDC.java test/sun/security/krb5/auto/NullRenewUntil.java |
diffstat | 5 files changed, 101 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Wed Feb 05 06:51:11 2020 +0000 +++ b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Thu Jan 30 04:12:14 2020 +0000 @@ -976,6 +976,10 @@ if (!creds.isRenewable()) throw new RefreshFailedException("This ticket" + " is not renewable"); + if (creds.getRenewTill() == null) { + // Renewable ticket without renew-till. Illegal and ignored. + return creds; + } if (System.currentTimeMillis() > cred.getRenewTill().getTime()) throw new RefreshFailedException("This ticket is past " + "its last renewal time.");
--- a/src/share/classes/javax/security/auth/kerberos/KerberosTicket.java Wed Feb 05 06:51:11 2020 +0000 +++ b/src/share/classes/javax/security/auth/kerberos/KerberosTicket.java Thu Jan 30 04:12:14 2020 +0000 @@ -301,11 +301,7 @@ } else this.flags = new boolean[NUM_FLAGS]; - if (this.flags[RENEWABLE_TICKET_FLAG]) { - if (renewTill == null) - throw new IllegalArgumentException("The renewable period " - + "end time cannot be null for renewable tickets."); - + if (this.flags[RENEWABLE_TICKET_FLAG] && renewTill != null) { this.renewTill = new Date(renewTill.getTime()); } @@ -546,6 +542,11 @@ if (!isRenewable()) throw new RefreshFailedException("This ticket is not renewable"); + if (getRenewTill() == null) { + // Renewable ticket without renew-till. Illegal and ignored. + return; + } + if (System.currentTimeMillis() > getRenewTill().getTime()) throw new RefreshFailedException("This ticket is past " + "its last renewal time.");
--- a/src/share/classes/sun/security/krb5/KrbTgsReq.java Wed Feb 05 06:51:11 2020 +0000 +++ b/src/share/classes/sun/security/krb5/KrbTgsReq.java Thu Jan 30 04:12:14 2020 +0000 @@ -33,8 +33,10 @@ import sun.security.krb5.internal.*; import sun.security.krb5.internal.crypto.*; + import java.io.IOException; import java.net.UnknownHostException; +import java.util.Calendar; /** * This class encapsulates a Kerberos TGS-REQ that is sent from the @@ -224,7 +226,14 @@ throws IOException, KrbException, UnknownHostException { KerberosTime req_till = null; if (till == null) { - req_till = new KerberosTime(0); + String d = Config.getInstance().get("libdefaults", "ticket_lifetime"); + if (d != null) { + Calendar cal = Calendar.getInstance(); + cal.add(Calendar.SECOND, Config.duration(d)); + req_till = new KerberosTime(cal.getTime()); + } else { + req_till = new KerberosTime(0); // Choose KDC maximum allowed + } } else { req_till = till; }
--- a/test/sun/security/krb5/auto/KDC.java Wed Feb 05 06:51:11 2020 +0000 +++ b/test/sun/security/krb5/auto/KDC.java Thu Jan 30 04:12:14 2020 +0000 @@ -785,6 +785,18 @@ } bFlags[Krb5.TKT_OPTS_INITIAL] = true; + KerberosTime renewTill = etp.renewTill; + if (renewTill != null && body.kdcOptions.get(KDCOptions.RENEW)) { + // till should never pass renewTill + if (till.greaterThan(renewTill)) { + till = renewTill; + } + if (System.getProperty("test.set.null.renew") != null) { + // Testing 8186576, see NullRenewUntil.java. + renewTill = null; + } + } + TicketFlags tFlags = new TicketFlags(bFlags); EncTicketPart enc = new EncTicketPart( tFlags, @@ -793,7 +805,7 @@ new TransitedEncoding(1, new byte[0]), // TODO new KerberosTime(new Date()), body.from, - till, etp.renewTill, + till, renewTill, body.addresses != null // always set caddr ? body.addresses : new HostAddresses( @@ -820,7 +832,7 @@ tFlags, new KerberosTime(new Date()), body.from, - till, etp.renewTill, + till, renewTill, service, body.addresses != null // always set caddr ? body.addresses
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/krb5/auto/NullRenewUntil.java Thu Jan 30 04:12:14 2020 +0000 @@ -0,0 +1,67 @@ +/* + * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8186576 + * @summary KerberosTicket does not properly handle renewable tickets + * at the end of their lifetime + * @library /lib/testlibrary/ + * @compile -XDignore.symbol.file NullRenewUntil.java + * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock -Dtest.set.null.renew NullRenewUntil + */ + +import jdk.testlibrary.Asserts; +import sun.security.krb5.Config; + +import javax.security.auth.kerberos.KerberosTicket; + +public class NullRenewUntil { + + public static void main(String[] args) throws Exception { + + OneKDC kdc = new OneKDC(null); + + KDC.saveConfig(OneKDC.KRB5_CONF, kdc, + "ticket_lifetime = 10s", + "renew_lifetime = 11s"); + Config.refresh(); + + KerberosTicket ticket = Context + .fromUserPass(OneKDC.USER, OneKDC.PASS, false).s() + .getPrivateCredentials(KerberosTicket.class).iterator().next(); + + System.out.println(ticket); + Asserts.assertTrue(ticket.getRenewTill() != null, ticket.toString()); + + Thread.sleep(2000); + + ticket.refresh(); + System.out.println(ticket); + Asserts.assertTrue(ticket.getRenewTill() == null, ticket.toString()); + + Thread.sleep(2000); + ticket.refresh(); + System.out.println(ticket); + } +}