code review request: 7077640: gss wrap for cfx doesn't handle rrc != 0
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Tue Sep 27 23:09:11 UTC 2011
Changes look good to me.
Thanks,
Valerie
On 09/19/11 22:12, Weijun Wang wrote:
> Code changes
>
> http://cr.openjdk.java.net/~weijun/7077640/webrev.00
>
> The original handling of rrc != 0 is not correct. We did rotate the
> bytes but have not reset the RRC field in the GSS message header
> before calculating the checksum. According to RFC 4121 [1]:
>
> 4.2.4. Encryption and Checksum Operations
>
> ....
>
> In Wrap tokens that do not provide for confidentiality, the checksum
> SHALL be calculated first over the to-be-signed plaintext data, and
> then over the first 16 octets of the Wrap token (the "header", as
> defined in section 4.2.6). Both the EC field and the RRC field in
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> the token header SHALL be filled with zeroes for the purpose of
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> calculating the checksum...
> ^^^^^^^^^^^^^^^^^^^^^^^^
>
> In the test, the Context.transmit() method is split into 4 basic
> methods so that we have a chance to call wrap without confidentiality.
>
> Thanks
> Max
>
> [1] http://tools.ietf.org/html/rfc4121#section-4.2.4
>
>
> On 08/12/2011 09:41 AM, weijun.wang at oracle.com wrote:
>> *Change Request ID*: 7077640
>>
>> *Synopsis*: gss wrap for cfx doesn't handle rrc != 0
>>
>> Product: java
>> Category: jgss
>> Subcategory: krb5plugin
>>
>> === *Description*
>> ============================================================
>> FULL PRODUCT VERSION :
>> java version "1.6.0_26"
>>
>> A DESCRIPTION OF THE PROBLEM :
>> gss wrap for cfx doesn't handle rrc != 0
>>
>> Heimdal and mac os x always use an RRC != 0
>>
>>
>>
>> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
>> git clone git at github.com:heimdal/heimdal.git
>> cd heimdal
>> sh autogen.sh
>> ./configure
>> make
>> cd tests/java
>> make check
>>
>>
>>
>> REPRODUCIBILITY :
>> This bug can be reproduced always.
More information about the security-dev
mailing list