RFR: 8272162: S4U2Self ticket without forwardable flag
Weijun Wang
weijun at openjdk.java.net
Mon Nov 22 19:06:37 UTC 2021
The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set, but some versions of Windows Server do not set the forwardable flag in an S4U2self response and accept it in an S4U2proxy request.
There are 2 commits now. The first is a refactoring that sends more info into the methods (e.g. `KdcComm::send(byte[])` -> `KdcComm::send(KrbKdcReq)`, and `Ticket` -> `Credentials` in multiple places) so that inside `KdcComm::send` there is enough info to decide how to deal with various errors. The second is the actual fix to this issue, i.e. ignore the flag and retry another KDC.
-------------
Commit messages:
- TGT need not be forwardable in S4U2self request
- address Martin's comments
- Merge
- also a security property
- a system property, do not care where ticket is from, more renames
- move KDCReq::encoding to KrbKdcReq::obuf, no more ibuf in KrbTgsReq
- a type label for credentials, encoding in KrbKdcReq, and some renames
- implement the change
- 8272162: S4U2Self ticket without forwardable flag
Changes: https://git.openjdk.java.net/jdk/pull/6082/files
Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6082&range=00
Issue: https://bugs.openjdk.java.net/browse/JDK-8272162
Stats: 413 lines in 17 files changed: 218 ins; 38 del; 157 mod
Patch: https://git.openjdk.java.net/jdk/pull/6082.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/6082/head:pull/6082
PR: https://git.openjdk.java.net/jdk/pull/6082
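As an added example (not JDK code and not part of this PR), the client-side check the description above is about, modelled in Python: decode the RFC 4120 KerberosFlags carried in an S4U2self reply and apply the S4U2proxy precondition both in the strict form (forwardable required) and in the relaxed form that ignores the flag and leaves the decision to the KDC. The reply bytes are constructed samples.

```python
# Added example, not the JDK's implementation: RFC 4120 KerberosFlags decoding
# and the "is this S4U2self ticket usable for S4U2proxy" decision.
FORWARDABLE = 1   # TicketFlags bit positions, RFC 4120 section 5.2.8
RENEWABLE = 8
INITIAL = 9
PRE_AUTHENT = 10


def decode_kerberos_flags(bit_string_content):
    """Decode the content octets of a DER BIT STRING holding KerberosFlags.

    First octet = number of unused trailing bits; flag bit 0 is the most
    significant bit of the next octet, so "forwardable" (bit 1) is 0x40.
    """
    if not bit_string_content:
        raise ValueError("empty BIT STRING")
    unused = bit_string_content[0]
    data = bit_string_content[1:]
    if unused > 7 or len(data) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    nbits = len(data) * 8 - unused
    flags = set()
    for bit in range(nbits):
        if data[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(bit)
    return flags


def may_send_s4u2proxy(s4u2self_flags, ignore_forwardable=False):
    """Precondition before building the S4U2proxy TGS-REQ.

    Strict mode (historical client behaviour) rejects a ticket whose
    forwardable flag is clear. Relaxed mode (the fix: ignore the flag)
    proceeds and lets the KDC accept or reject the request.
    """
    if FORWARDABLE in s4u2self_flags:
        return True
    return ignore_forwardable


# Constructed samples: a compliant KDC sets forwardable (0x40 in the first
# data octet); a Windows-style reply leaves it clear but is otherwise the same
# (renewable, initial, pre-authent set in the second octet: 0xE0).
COMPLIANT_REPLY = bytes([0x00, 0x40, 0xE0, 0x00, 0x00])
WINDOWS_REPLY = bytes([0x00, 0x00, 0xE0, 0x00, 0x00])

if __name__ == "__main__":
    for name, reply in (("compliant", COMPLIANT_REPLY), ("windows", WINDOWS_REPLY)):
        flags = decode_kerberos_flags(reply)
        print(name, sorted(flags), may_send_s4u2proxy(flags),
              may_send_s4u2proxy(flags, ignore_forwardable=True))
```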