<div dir="ltr"><div>The described issues were accepted into Oracle JDK issues:<br><br>1) SunNativeProvider.INSTANCE initialization: <a href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194073">https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194073</a><br>2) Uninitialized cb->initiator_address: <a href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194630">https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194630</a><br><br></div>(the fixing patches are included in the reports too)<br><br><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 22, 2017 at 5:44 PM, Jan Kalina <span dir="ltr"><<a href="mailto:jkalina@redhat.com" target="_blank">jkalina@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi, I was just able to prepare a usable reproducer (attached as a ZIP file) and a fixing patch for the JDK (attached too).</div><div>Before I was able to make my use case work, I found a second issue too - I have included it too.<br></div></div><div><br></div><div>Issues and how to reproduce them:<br></div><div><br></div>1) the already described problem of the wrongly initialized SunNativeProvider.INSTANCE<br><br></div>This can be reproduced by recreating GSSManager before createGSSContext - ProviderList.factories<br>will be initialized as part of initSecContext/acceptSecContext, which will cause the wrongly initialized<br></div>SunNativeProvider.INSTANCE to be used and the described exception.<br><div><div><br></div><div>2) when channel binding is used, a SIGSEGV occurs<br></div><div><div><br></div><div>This can be reproduced by setting channel binding without initAddr/acceptAddr. 
</div>This is caused by sending an uninitialized (with random length) cb->initiator_address from the JDK to Kerberos.</div><div>(It is used by the krb library for message checksum calculation even when addrtype is GSS_C_AF_NULLADDR.)</div><div><br></div><div>The attached reproducer-gss.zip reproduces both issues and the attached patch fixes both.</div><div><br></div><div>I would welcome merging into OpenJDK. (I am covered by the OCA of Red Hat)<br></div><div><br></div><div>This issue affects both tested JDKs, JDK8u121 and upstream JDK9 from Mercurial master.<br></div><div><br></div><div>Thanks,<br></div><div>Jan<br></div></div></div><div class="gmail-HOEnZb"><div class="gmail-h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 20, 2017 at 1:42 AM, Valerie Peng <span dir="ltr"><<a href="mailto:valerie.peng@oracle.com" target="_blank">valerie.peng@oracle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><br>
</p>
I will take a look. Do you happen to have a test case that I can
use to reproduce the issue?<br>
Thanks,<br>
Valerie<div><div class="gmail-m_6330590515994392262h5"><br>
<br>
<div class="gmail-m_6330590515994392262m_2033482757927273198moz-cite-prefix">On 12/14/2017 9:20 AM, Jan Kalina
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Attaching a patch which fixes the described issue for
me.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec 14, 2017 at 4:03 PM, Jan
Kalina <span dir="ltr"><<a href="mailto:jkalina@redhat.com" target="_blank">jkalina@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I have found a bug in SunNativeProvider:<br>
<br>
</div>
When debug messages are enabled, the JDK confirms the GSS
library was loaded with mechs:<br>
<br>
[GSSLibStub_init] libName=/usr/lib64/libgssapi_krb5.so.2.2<br>
SunNativeGSS: Loaded GSS library:
/usr/lib64/libgssapi_krb5.so.2.2<br>
SunNativeGSS: Native MF for 1.2.840.113554.1.2.2<br>
SunNativeGSS: Native MF for 1.3.6.1.5.2.5<br>
SunNativeGSS: Native MF for 1.3.6.1.5.5.2<br>
<br>
</div>
But when I try to use it, it claims the mechanism with the
given OID is not supported:<br>
<br>
GSSException: Provider SunNativeGSS does not support
mechanism 1.2.840.113554.1.2.2<br>
at java.security.jgss/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:253)<br>
at java.security.jgss/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:209)<br>
at java.security.jgss/sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:234)<br>
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:337)<br>
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:302)<br>
<br>
</div>
<b>When I tried to debug it, I found that the
SunNativeProvider is created in two instances:</b><br>
<br>
</div>
The first instance is created on initialization of
SunNativeProvider.INSTANCE, but it is BEFORE</div>
<div>the mechs are passed into SunNativeProvider.MECH_MAP.
The second instance is created</div>
<div>correctly in the ProviderList constructor.</div>
<div><br>
</div>
<div>The problem is that in some situations the too-soon
created SunNativeProvider.INSTANCE is used,</div>
<div>so the call throws the exception above.<br>
</div>
<div>
<div>
<div>
<div><br>
</div>
<div><b>I think a sufficient fix would be to move the
SunNativeProvider.INSTANCE declaration after</b></div>
<div><b>the static constructor (filling the </b><b>MECH_MAP)
in the SunNativeProvider file.</b></div>
<div><br>
</div>
<div>Would it be possible to fix this?</div>
<div>Should I send a patch?</div>
<br>
<div>
<div>
<div>Thanks</div>
<span class="gmail-m_6330590515994392262m_2033482757927273198HOEnZb"><font color="#888888">
<div>Jan Kalina<br>
</div>
</font></span></div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div>
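<p>The static-initialization ordering problem described in the first report of this thread, as an added example that is not part of the original messages and not JDK code. It is a simplified model: the class names and the map value are hypothetical, and only the field names INSTANCE and MECH_MAP and the mechanism OID mirror the thread. Java runs static field initializers and static blocks in textual order, so the eagerly built INSTANCE of the "before" class never sees the mechanisms, while an instance created later (as in the ProviderList constructor mentioned above) does.</p>

```java
import java.util.HashMap;
import java.util.Map;

public class StaticInitOrderDemo {
    static final String KRB5_OID = "1.2.840.113554.1.2.2"; // OID quoted in the thread

    // Before: INSTANCE is declared above the static block, so its
    // constructor runs while MECH_MAP is still null.
    static final class BrokenProvider {
        static final BrokenProvider INSTANCE = new BrokenProvider();
        private static Map<String, String> MECH_MAP;
        static {
            MECH_MAP = new HashMap<>();
            MECH_MAP.put(KRB5_OID, "placeholder-factory"); // constructed value
        }
        private final Map<String, String> mechs = new HashMap<>();
        private BrokenProvider() {
            if (MECH_MAP != null) mechs.putAll(MECH_MAP);
        }
        boolean supports(String oid) { return mechs.containsKey(oid); }
    }

    // After: the same class with the INSTANCE declaration moved below
    // the static block, as the thread proposes.
    static final class FixedProvider {
        private static Map<String, String> MECH_MAP;
        static {
            MECH_MAP = new HashMap<>();
            MECH_MAP.put(KRB5_OID, "placeholder-factory"); // constructed value
        }
        static final FixedProvider INSTANCE = new FixedProvider();
        private final Map<String, String> mechs = new HashMap<>();
        private FixedProvider() {
            if (MECH_MAP != null) mechs.putAll(MECH_MAP);
        }
        boolean supports(String oid) { return mechs.containsKey(oid); }
    }

    public static void main(String[] args) {
        System.out.println("broken INSTANCE:  " + BrokenProvider.INSTANCE.supports(KRB5_OID));
        // A second instance built after class initialization sees the map.
        System.out.println("broken, late new: " + new BrokenProvider().supports(KRB5_OID));
        System.out.println("fixed INSTANCE:   " + FixedProvider.INSTANCE.supports(KRB5_OID));
    }
}
```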