code review request: 7077646: gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Fri Sep 23 20:09:32 UTC 2011


The changes look good to me.
Thanks,
Valerie
On 09/22/11 08:05, Weijun Wang wrote:
> Webrev at
>
>   http://cr.openjdk.java.net/~weijun/7077646/webrev.00/
>
> According to RFC 4121 [1]:
>
>   2.  Key Derivation for Per-Message Tokens
>
>   ...
>
>    During the context initiation and acceptance sequence, the acceptor
>    MAY assert a subkey in the AP-REP message.  If the acceptor asserts a
>    subkey, the base key is the acceptor-asserted subkey and subsequent
>    per-message tokens MUST be flagged with "AcceptorSubkey", as
>    described in section 4.2.2.  Otherwise, if the initiator asserts a
>    subkey in the AP-REQ message, the base key is this subkey;  if the
>    initiator does not assert a subkey, the base key is the session key
>    in the service ticket.
>
> Java has not checked where the key comes from and always sets the 
> AcceptorSubkey on. This has worked well with the MIT impl because it 
> seems the MIT impl only checks the flag if it should be on but doesn't 
> when it should be off. However, Heimdal is more strict and check in 
> both cases and an interop error happens between Java and Heimdal.
>
> In the customer's case, the Apple iChat program uses Heimdal's krb5 
> impl and cannot communicate well with the Openfire Java jabber server.
>
> I would like >= 2 reviewers so it can be backported to a 7u release. 
> I'm still working on a 6u solution at the moment.
>
> Thanks
> Max
>
> [1]
>
> -------- Original Message --------
> *Change Request ID*: 7077646
>
> *Synopsis*: gssapi wrap for CFX per-message tokens always set 
> FLAG_ACCEPTOR_SUBKEY
>
>   Product: java
>   Category: jgss
>   Subcategory: krb5plugin
>
> === *Description* 
> ============================================================
> FULL PRODUCT VERSION :
>
>
> A DESCRIPTION OF THE PROBLEM :
> gssapi wrap for CFX per-message tokens always set FLAG_ACCEPTOR_SUBKEY 
> even though the acceptor doesn't send a sub key.
>
>
>
> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> attach debugger to client and see that the the acceptor doesn't send a 
> subkey in the authenticator, see what it sent FLAG_ACCEPTOR_SUBKEY in 
> all per-message tokens.
>
>
>
> EXPECTED VERSUS ACTUAL BEHAVIOR :
> EXPECTED -
> send subkey or don't set flag.
>
> REPRODUCIBILITY :
> This bug can be reproduced always.
>




More information about the security-dev mailing list