Code review request: 8005523: Unbound krb5 for TLS

Xuelei Fan xuelei.fan at oracle.com
Sat Apr 27 09:34:54 UTC 2013 

Looks fine to me. A very minor suggestion to add one more comment here:

ServerHandshaker.java
---------------------
1340                     // Pre-check permission if bound

It would be nice to say more that the permission checking for unbound
krb5 will be done in Kerberos ClientKeyExchange.

Thanks,
Xuelei


On 4/17/2013 9:39 AM, Weijun Wang wrote:
> Webrev updated:
> 
>    http://cr.openjdk.java.net/~weijun/8005523/webrev.02/
> 
> Changes since webrev.01:
> 
> 1. Add a isRelated() Krb5Helper method to find out if a Subject can
> provide creds for a service principal.
> 
> 2. Server check permission at initialization if bound
> 
> 3. Only check permission again at clientkeyexchange if unbound
> 
> Thanks
> Max
> 
> On 4/16/13 8:48 PM, Weijun Wang wrote:
>>
>>
>> On 4/16/13 8:18 PM, Xuelei Fan wrote:
>>> On 4/16/2013 5:44 PM, Weijun Wang wrote:
>>>>>
>>>>> I am not sure how to do that. Can I just skip this check and whenever
>>>>> subject != null always set resumingSession to true? This is not very
>>>>> correct but is it possible to detect the mismatch later and "resume"
>>>>> the
>>>>> full negotiation?
>>>>>
>>> No, it is dangerous. The server has to make the right decision while
>>> parsing ClientHello.
>>>
>>> Can you design a new Krb5Helper method to match the principals and
>>> implement it in krb5/Krb5ProxyImpl.java.  If it is a bound krb5, need to
>>> match exactly; otherwise, the matching is performed per the request of
>>> unbound krb5.
>>
>> I'll try.
>>
>>>
>>> For unbound krb5, what's the return value of KerberosKey.getPrincipal()?
>>
>> Unbound krb5 has no KerberosKey, it only has KeyTab, and KeyTab.isBound
>> is false.
>>
>> -Max
>>
>>> Is it a "*"?  If it is always a "*", we also can check it in
>>> ServerHandshake.java. I'm afraid it is not reliable so you won't
>>> consider it.
>>>
>>>>
>>>> It seems the purpose of this check is that, if it fails, you can be
>>>> sure
>>>> that kerberos is not loaded so the full negotiation will try to find a
>>>> RSA ciphersuite. Is that right?
>>>>
>>> It depends. The check is also can be used to prevent abused session
>>> resuming. The following full negotiation acts like a new handshaking, so
>>> the Kerberos cipher suite may be used again.
>>>
>>>> I cannot call kerberos-specific codes in SSL because of module
>>>> independence.
>>>>
>>> krb5/Krb5ProxyImpl.java? See above.
>>>
>>> Xuelei
>>>

More information about the security-dev mailing list