<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
Great, thanks!<br>
Valerie<br>
<br>
<div class="moz-cite-prefix">On 1/4/2018 4:51 AM, Jan Kalina wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANvHcN-5NnqYiQqazQvLnSV5WQU9G2hhpnzEhQVEH03zhBeQMA@mail.gmail.com">
<div dir="ltr">
<div>Described issues was accepted into Oracle JDK issues:<br>
<br>
1) SunNativeProvider.INSTANCE initialization: <a
href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194073"
moz-do-not-send="true">https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194073</a><br>
2) Uninitialized cb->initiator_address: <a
href="https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194630"
moz-do-not-send="true">https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8194630</a><br>
<br>
</div>
(fixing patches are included in reports too)<br>
<br>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Dec 22, 2017 at 5:44 PM,
Jan Kalina <span dir="ltr"><<a
href="mailto:jkalina@redhat.com" target="_blank"
moz-do-not-send="true">jkalina@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>Hi, I was just able to prepare usable
reproducer (attaching in ZIP file) and fixing
patch of JDK (attaching too).</div>
<div>Before I was able to make my usecase
working, I has found second issue too - I has
included it too.<br>
</div>
</div>
<div><br>
</div>
<div>Issues and their reproducing:<br>
</div>
<div><br>
</div>
1) already described problem of wrong initialized
SunNativeProvider.INSTANCE<br>
<br>
</div>
This can be reproduced by recreating GSSManager
before createGSSContext - ProviderList.factories<br>
will be initialized as part of initSecContext/<wbr>acceptSecContext
which will cause using wrong initialized<br>
</div>
SunNativeProvider.INSTANCE and described exception.<br>
<div>
<div><br>
</div>
<div>2) when channel binding is used SIGSEGV occure<br>
</div>
<div>
<div><br>
</div>
<div>This can be reproduced by setting channel
binding without initAddr/acceptAddr. </div>
This is caused by sending uninitialized (with
random length) cb->initiator_address from JDK
to the kerberos.</div>
<div>(It is used by krb library for messages
checksum calculation even when addrtype is
GSS_C_AF_NULLADDR.)</div>
<div><br>
</div>
<div>Attached reproducer-gss.zip reproduces both
issues and attached patch fixes both.</div>
<div><br>
</div>
<div>I would welcome merging into OpenJDK. (I am
covered by OCA of Red Hat)<br>
</div>
<div><br>
</div>
<div>This issue affect both tested JDKs, JKD8u121
and upstream JDK9 from mercurial master.<br>
</div>
<div><br>
</div>
<div>Thanks,<br>
</div>
<div>Jan<br>
</div>
</div>
</div>
<div class="gmail-HOEnZb">
<div class="gmail-h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec 20, 2017 at
1:42 AM, Valerie Peng <span dir="ltr"><<a
href="mailto:valerie.peng@oracle.com"
target="_blank" moz-do-not-send="true">valerie.peng@oracle.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><br>
</p>
I will take a look. Do you happen to have a
test case that I can reproduce the issue?<br>
Thanks,<br>
Valerie
<div>
<div class="gmail-m_6330590515994392262h5"><br>
<br>
<div
class="gmail-m_6330590515994392262m_2033482757927273198moz-cite-prefix">On
12/14/2017 9:20 AM, Jan Kalina wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Attaching patch, which
fixes described issue for me.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Dec
14, 2017 at 4:03 PM, Jan Kalina <span
dir="ltr"><<a
href="mailto:jkalina@redhat.com"
target="_blank"
moz-do-not-send="true">jkalina@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>I has found bug
in
SunNativeProvider:<br>
<br>
</div>
When debug messages
are enabled, JDK
confirms GSS library
was loaded with mechs:<br>
<br>
[GSSLibStub_init]
libName=/usr/lib64/libgssapi_k<wbr>rb5.so.2.2<br>
SunNativeGSS: Loaded
GSS library:
/usr/lib64/libgssapi_krb5.so.2<wbr>.2<br>
SunNativeGSS: Native
MF for
1.2.840.113554.1.2.2<br>
SunNativeGSS: Native
MF for 1.3.6.1.5.2.5<br>
SunNativeGSS: Native
MF for 1.3.6.1.5.5.2<br>
<br>
</div>
But when I try to use
it, it claims mechanism
with given OID are not
supported:<br>
<br>
GSSException: Provider
SunNativeGSS does not
support mechanism
1.2.840.113554.1.2.2<br>
at
java.security.jgss/sun.securit<wbr>y.jgss.ProviderList.getMechFac<wbr>tory(ProviderList.java:253)<br>
at
java.security.jgss/sun.securit<wbr>y.jgss.ProviderList.getMechFac<wbr>tory(ProviderList.java:209)<br>
at
java.security.jgss/sun.securit<wbr>y.jgss.GSSManagerImpl.getMecha<wbr>nismContext(GSSManagerImpl.jav<wbr>a:234)<br>
at
java.security.jgss/sun.securit<wbr>y.jgss.GSSContextImpl.acceptSe<wbr>cContext(GSSContextImpl.java:3<wbr>37)<br>
at
java.security.jgss/sun.securit<wbr>y.jgss.GSSContextImpl.acceptSe<wbr>cContext(GSSContextImpl.java:3<wbr>02)<br>
<br>
</div>
<b>When I has try to debug
it, I has found the
SunNativeProvider is
created in two
instances:</b><br>
<br>
</div>
First instance is created on
initialization of
SunNativeProvider.INSTANCE,
but it is BEFORE</div>
<div>the mechs are passed into
SunNativeProvider.MECH_MAP.
The second instance is
created</div>
<div>correctly in ProviderList
constructor.</div>
<div><br>
</div>
<div>The problem is, in some
situations is used the too
soon created
SunNativeProvider.INSTANCE,</div>
<div>so the to call throws
exception above.<br>
</div>
<div>
<div>
<div>
<div><br>
</div>
<div><b>I think
sufficient fix would
be to move
SunNativeProvider.INSTANCE
declaration after</b></div>
<div><b>the static
constructor (filling
the </b><b>MECH_MAP)
in SunNativeProvider
file.</b></div>
<div><br>
</div>
<div>Would be possible
to fix this?</div>
<div>Should I send a
patch?</div>
<br>
<div>
<div>
<div>Thanks</div>
<span
class="gmail-m_6330590515994392262m_2033482757927273198HOEnZb"><font
color="#888888">
<div>Jan Kalina<br>
</div>
</font></span></div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>