<div dir="ltr"><div><div><div><div>Hi, I was just able to prepare a usable reproducer (attaching in ZIP file) and a fixing patch for the JDK (attaching too).</div><div>Before I was able to make my use case work, I found a second issue too - I have included it too.<br></div></div><div><br></div><div>Issues and their reproducing:<br></div><div><br></div>1) already described problem of wrongly initialized SunNativeProvider.INSTANCE<br><br></div>This can be reproduced by recreating GSSManager before createGSSContext - ProviderList.factories<br>will be initialized as part of initSecContext/acceptSecContext which will cause use of the wrongly initialized<br></div>SunNativeProvider.INSTANCE and the described exception.<br><div><div><br></div><div>2) when channel binding is used SIGSEGV occurs<br></div><div><div><br></div><div>This can be reproduced by setting channel binding without initAddr/acceptAddr. </div>This is caused by sending uninitialized (with random length) cb-&gt;initiator_address from the JDK to Kerberos.</div><div>(It is used by krb library for messages checksum calculation even when addrtype is GSS_C_AF_NULLADDR.)</div><div><br></div><div>Attached reproducer-gss.zip reproduces both issues and attached patch fixes both.</div><div><br></div><div>I would welcome merging into OpenJDK. (I am covered by OCA of Red Hat)<br></div><div><br></div><div>This issue affects both tested JDKs, JDK8u121 and upstream JDK9 from mercurial master.<br></div><div><br></div><div>Thanks,<br></div><div>Jan<br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 20, 2017 at 1:42 AM, Valerie Peng <span dir="ltr">&lt;<a href="mailto:valerie.peng@oracle.com" target="_blank">valerie.peng@oracle.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
I will take a look. Do you happen to have a test case that I can use to
reproduce the issue?<br>
Thanks,<br>
Valerie<div><div class="h5"><br>
<br>
<div class="m_2033482757927273198moz-cite-prefix">On 12/14/2017 9:20 AM, Jan Kalina
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Attaching a patch, which fixes the described issue for
me.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 14, 2017 at 4:03 PM, Jan
Kalina <span dir="ltr">&lt;<a href="mailto:jkalina@redhat.com" target="_blank">jkalina@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I have found a bug in SunNativeProvider:<br>
<br>
</div>
When debug messages are enabled, the JDK confirms the GSS
library was loaded with mechs:<br>
<br>
[GSSLibStub_init] libName=/usr/lib64/libgssapi_k<wbr>rb5.so.2.2<br>
SunNativeGSS: Loaded GSS library:
/usr/lib64/libgssapi_krb5.so.2<wbr>.2<br>
SunNativeGSS: Native MF for 1.2.840.113554.1.2.2<br>
SunNativeGSS: Native MF for 1.3.6.1.5.2.5<br>
SunNativeGSS: Native MF for 1.3.6.1.5.5.2<br>
<br>
</div>
But when I try to use it, it claims the mechanism with
the given OID is not supported:<br>
<br>
GSSException: Provider SunNativeGSS does not support
mechanism 1.2.840.113554.1.2.2<br>
at java.security.jgss/sun.securit<wbr>y.jgss.ProviderList.getMechFac<wbr>tory(ProviderList.java:253)<br>
at java.security.jgss/sun.securit<wbr>y.jgss.ProviderList.getMechFac<wbr>tory(ProviderList.java:209)<br>
at java.security.jgss/sun.securit<wbr>y.jgss.GSSManagerImpl.getMecha<wbr>nismContext(GSSManagerImpl.<wbr>java:234)<br>
at java.security.jgss/sun.securit<wbr>y.jgss.GSSContextImpl.acceptSe<wbr>cContext(GSSContextImpl.java:<wbr>337)<br>
at java.security.jgss/sun.securit<wbr>y.jgss.GSSContextImpl.acceptSe<wbr>cContext(GSSContextImpl.java:<wbr>302)<br>
<br>
</div>
<b>When I tried to debug it, I found that the
SunNativeProvider is created in two instances:</b><br>
<br>
</div>
The first instance is created on initialization of
SunNativeProvider.INSTANCE, but it is BEFORE</div>
<div>the mechs are passed into SunNativeProvider.MECH_MAP.
The second instance is created</div>
<div>correctly in ProviderList constructor.</div>
<div><br>
</div>
<div>The problem is that in some situations the too-soon-created
SunNativeProvider.INSTANCE is used,</div>
<div>so the call throws the exception above.<br>
</div>
<div>
<div>
<div>
<div><br>
</div>
<div><b>I think a sufficient fix would be to move the
SunNativeProvider.INSTANCE declaration after</b></div>
<div><b>the static constructor (filling the </b><b>MECH_MAP)
in SunNativeProvider file.</b></div>
<div><br>
</div>
<div>Would it be possible to fix this?</div>
<div>Should I send a patch?</div>
<br>
<div>
<div>
<div>Thanks</div>
<span class="m_2033482757927273198HOEnZb"><font color="#888888">
<div>Jan Kalina<br>
</div>
</font></span></div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
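<p>The static initialization order problem described in this thread, shown as an added example that is not part of the original messages or of the JDK sources. EarlyProvider and LateProvider are hypothetical, simplified stand-ins for SunNativeProvider; only the names INSTANCE and MECH_MAP and the OID come from the thread, and the constructor's null check is an assumption.</p>

```java
import java.util.HashMap;
import java.util.Map;

public class StaticInitOrderDemo {
    static final String KRB5_OID = "1.2.840.113554.1.2.2";

    // Broken order: static members run in textual order, so INSTANCE is
    // constructed before the static block has filled MECH_MAP.
    static class EarlyProvider {
        static final EarlyProvider INSTANCE = new EarlyProvider();
        static Map<String, String> MECH_MAP;
        static {
            MECH_MAP = new HashMap<>();
            MECH_MAP.put(KRB5_OID, "native-factory"); // constructed sample value
        }
        final Map<String, String> mechs = new HashMap<>();
        EarlyProvider() {
            // MECH_MAP is still null while INSTANCE is being built.
            if (MECH_MAP != null) mechs.putAll(MECH_MAP);
        }
        boolean supports(String oid) { return mechs.containsKey(oid); }
    }

    // Fixed order: the static block fills MECH_MAP first, then INSTANCE is built.
    static class LateProvider {
        static Map<String, String> MECH_MAP;
        static {
            MECH_MAP = new HashMap<>();
            MECH_MAP.put(KRB5_OID, "native-factory"); // constructed sample value
        }
        static final LateProvider INSTANCE = new LateProvider();
        final Map<String, String> mechs = new HashMap<>();
        LateProvider() {
            if (MECH_MAP != null) mechs.putAll(MECH_MAP);
        }
        boolean supports(String oid) { return mechs.containsKey(oid); }
    }

    public static void main(String[] args) {
        // An instance created after class initialization sees the full map,
        // which is why two instances of the same provider can disagree.
        System.out.println("early INSTANCE: " + EarlyProvider.INSTANCE.supports(KRB5_OID));
        System.out.println("early new():    " + new EarlyProvider().supports(KRB5_OID));
        System.out.println("late INSTANCE:  " + LateProvider.INSTANCE.supports(KRB5_OID));
    }
}
```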