A fundamental JGSS-API bug?
Weijun Wang
weijun.wang at oracle.com
Fri Jun 7 13:42:45 UTC 2013
Hi All
The GSSContext::initSecContext() method could either return a token
(possibly null if no more token is needed) when the call succeeds or
throw a GSSException if there is a failure, but not *both*. The same
applies to acceptSecContext().
However, according to RFC 2743 2.2.1 [1], the C bindings of GSS-API:
It is the caller's responsibility to establish a communications path
to the target, and to transmit any returned output_token (independent
of the accompanying returned major_status value) to the target over
that path.
In fact, MIT krb5's gss-client.c sample does show:
do {
maj_stat = gss_init_sec_context(..., &send_tok, ...);
...
if (send_tok.length != 0) { # send the token anyway
if (send_token(..., &send_tok) < 0) {
...
return -1;
}
} # before return value check
if (maj_stat != GSS_S_COMPLETE
&& maj_stat != GSS_S_CONTINUE_NEEDED) {
...
return -1;
}
if (maj_stat == GSS_S_CONTINUE_NEEDED) {
...
}
} while (maj_stat == GSS_S_CONTINUE_NEEDED);
Without the ability to send a token when there is a failure, a Java
program has no chance to tell the other side what's happening. This is
very user-unfriendly. Also, in the case of SPNEGO, a "reject"
NegTokenResp token will never be able to sent.
I cannot find a good way to fix it without changing the semantic of
current APIs. Maybe we can add a new GSSException::getResidue() method
to return this last token. But that means the method call will be quite
complicated, something like
try {
send(initSecContext(inToken));
} catch (GSSException e) {
if (e.getResidue() != null) {
send(e.getResidue());
}
throw e;
}
As for the overloaded initSecContext(InputStream, OutputStream) style,
it looks easier to update this method to do the correct thing without
any new API. However, the change will be very confusing because there is
no more number of written bytes to return. More importantly, if it's
just a silent behavior change, we'll have to care about compatibility
(Maybe someone already added his/her own KRB-ERROR sending codes?),
which makes the situation much tougher.
Thanks
Max
[1] http://tools.ietf.org/html/rfc2743#page-46
More information about the security-dev
mailing list