Code review request: 7195426: kdc_default_options not supported correctly

Xuelei Fan xuelei.fan at oracle.com
Fri Aug 31 10:24:41 UTC 2012


Got it!

Thanks,
Xuelei

On 8/31/2012 6:02 PM, Weijun Wang wrote:
> Hi Xuelei
> 
> The number is not equivalent to the ASN.1 bit string. It's more like a
> simple mapping to an unsigned 32-bit int. Here is some code copied
> from MIT krb5:
> 
> krb5.h:
> 
> #define KDC_OPT_FORWARDABLE             0x40000000
> 
> get_in_tkt.c:
> 
>     if (options&KDC_OPT_FORWARDABLE)
>         krb5_get_init_creds_opt_set_forwardable(opt, 1);
>     else krb5_get_init_creds_opt_set_forwardable(opt, 0);
> 
> I also think 1<<(31-n) is more clear, but since the constants have been
> there for so many years, I believe they were defined for this very
> purpose and directly use them.
> 
> Thanks
> Max
> 
> 
> On 08/31/2012 05:51 PM, Xuelei Fan wrote:
>> On 8/31/2012 3:08 PM, Weijun Wang wrote:
>>> Please take a look at the change
>>>
>>>     http://cr.openjdk.java.net/~weijun/7195426/webrev.00
>>>
>> According to ASN.1 spec, "The leading bit of the bit string is
>> identified by the "number" zero, ..." [X.680]
>>
>>   124     private static final int KDC_OPT_RENEWABLE_OK = 0x00000010;
>> The position of renewable-ok is 27. I think the mask is 0x0000,0100.
>>
>>   125     private static final int KDC_OPT_FORWARDABLE = 0x40000000;
>> The position of FORWARDED is 2. I think the mask is 0x2000,0000.
>>
>> Personally, I would like to use (1<<(31-n)) as the mask. It looks more
>> straightforward.
>>
>> Xuelei
>>
>>>
>>> It seems we confused the mask and the position.
>>>
>>> Thanks
>>> Max
>>>
>>>
>>>
>>> -------- Original Message --------
>>> 7195426: kdc_default_options not supported correctly
>>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7195426
>>>
>>>    Product: java
>>>    Category: jgss
>>>    Subcategory: krb5plugin
>>>
>>> === *Description*
>>> ============================================================
>>> kdc_default_options is a hex number for krb5.conf to define the
>>> KDCOptions flags in a single integer where each bit of it represents one
>>> of 32 flags.
>>>
>>> If you want to find out if the n-th flag is turned on, you should check
>>> for
>>>
>>>     kdc_default_options & (1<<(31-n))
>>>
>>> However, Java currently checks for
>>>
>>>     kdc_default_options & n
>>>
>>
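
The two checks from the bug description, side by side, as an added example (not code from this thread, the JDK or MIT krb5). The function names are hypothetical, the sample values are constructed, and the positions of enc-tkt-in-skey, renew and validate are taken from RFC 4120 rather than from the thread.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mask for ASN.1 bit position n (0 = leading, most significant bit). */
static uint32_t kdc_opt_mask(unsigned n) {
    return n < 32 ? UINT32_C(1) << (31 - n) : 0;
}

/* Check from the bug description: options & (1<<(31-n)). */
static int flag_set(uint32_t options, unsigned n) {
    return (options & kdc_opt_mask(n)) != 0;
}

/* The defect from the bug description: position n used as the mask. */
static int flag_set_buggy(uint32_t options, unsigned n) {
    return (options & n) != 0;
}

/* Parse a hex kdc_default_options value; returns 0 on success, -1 on bad input. */
static int parse_kdc_default_options(const char *text, uint32_t *out) {
    char *end;
    unsigned long v;
    if (text == NULL || *text == '-' || *text == '\0') return -1;
    errno = 0;
    v = strtoul(text, &end, 16);   /* base 16 accepts an optional 0x prefix */
    if (errno != 0 || end == text || *end != '\0' || v > 0xFFFFFFFFUL) return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void) {
    /* Constructed sample values; positions 28, 30, 31 are from RFC 4120. */
    static const struct { const char *name; unsigned pos; } flags[] = {
        {"forwardable", 1}, {"renewable-ok", 27}, {"enc-tkt-in-skey", 28},
        {"renew", 30}, {"validate", 31},
    };
    const char *samples[] = {"0x40000000", "0x00000010"};
    for (size_t s = 0; s < 2; s++) {
        uint32_t opts;
        if (parse_kdc_default_options(samples[s], &opts) != 0) return 1;
        printf("kdc_default_options = %s\n", samples[s]);
        for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++)
            printf("  %-16s pos %2u  correct=%d  buggy=%d\n", flags[i].name,
                   flags[i].pos, flag_set(opts, flags[i].pos),
                   flag_set_buggy(opts, flags[i].pos));
    }
    return 0;
}
```

With 0x40000000 the position-as-mask check misses forwardable entirely; with 0x00000010 it reports enc-tkt-in-skey, renew and validate as set although only renewable-ok is.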



