Integrated: 8272162: S4U2Self ticket without forwardable flag

Weijun Wang weijun at openjdk.java.net
Wed Dec 1 00:51:39 UTC 2021


On Fri, 22 Oct 2021 16:31:02 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set, but some versions of Windows Server do not set the forwardable flag in an S4U2self response and accept it in an S4U2proxy request.
> 
> There are 2 commits now. The 1st is a refactoring that sends more info into the methods (Ex: `KdcComm::send(byte[])` -> `KdcComm::send(KrbKdcReq)`, and `Ticket` -> `Credentials` in multiple places) so that inside `KdcComm::send` there is enough info to decide how to deal with various errors. The 2nd is the actual fix to this issue, i.e. ignore the flag and retry another KDC.

This pull request has now been integrated.

Changeset: ab867f6c
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/ab867f6c7c578ae7e65af2989b6836d523a41c5a
Stats:     413 lines in 17 files changed: 218 ins; 38 del; 157 mod

8272162: S4U2Self ticket without forwardable flag

Reviewed-by: valeriep

-------------

PR: https://git.openjdk.java.net/jdk/pull/6082
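An added example, not code from the PR or the JDK itself: a decoder for the KerberosFlags bit string that carries the forwardable flag, plus a KDC-retry policy modelled on the description above (prefer a forwardable S4U2Self ticket, try the next KDC otherwise, and fall back to the last non-forwardable one). `acquire_s4u2self`, `S4U2SelfReply` and the sample flag bytes are assumptions for illustration, not JDK names or captured data.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

# KerberosFlags (RFC 4120 s5.2.8) is an ASN.1 BIT STRING of at least 32 bits;
# bits are numbered from the most significant bit of the first content octet.
TKT_FORWARDABLE, TKT_PROXIABLE, TKT_RENEWABLE, TKT_OK_AS_DELEGATE = 1, 3, 8, 13

def decode_ticket_flags(der: bytes) -> set[int]:
    """Return the set of flag-bit numbers set in a DER BIT STRING (short-form length only)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length, unused, body = der[1], der[2], der[3:]
    if length & 0x80 or length != len(body) + 1 or unused > 7:
        raise ValueError("malformed BIT STRING")
    nbits = len(body) * 8 - unused
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}

def has_forwardable(der: bytes) -> bool:
    return TKT_FORWARDABLE in decode_ticket_flags(der)

@dataclass
class S4U2SelfReply:                 # hypothetical container, not a JDK type
    kdc: str
    ticket_flags: bytes              # DER KerberosFlags from the EncKDCRepPart

def acquire_s4u2self(kdcs: Sequence[str],
                     send: Callable[[str], Optional[S4U2SelfReply]]) -> S4U2SelfReply:
    """Query KDCs in order. A forwardable ticket is returned at once; a
    non-forwardable one is remembered and the next KDC is tried. If no KDC
    sets the flag, the last ticket is used anyway so S4U2Proxy can still be
    attempted (policy modelled on the PR description, not the JDK code)."""
    last: Optional[S4U2SelfReply] = None
    for kdc in kdcs:
        reply = send(kdc)            # None models "KDC unreachable / KRB-ERROR"
        if reply is None:
            continue
        if has_forwardable(reply.ticket_flags):
            return reply
        last = reply
    if last is None:
        raise RuntimeError("no KDC returned an S4U2Self ticket")
    return last

# Constructed sample flag values (not captured from a real KDC).
FORWARDABLE_RENEWABLE = b"\x03\x05\x00\x40\x80\x00\x00"   # bits 1 and 8 set
RENEWABLE_ONLY        = b"\x03\x05\x00\x00\x80\x00\x00"   # bit 8 only

if __name__ == "__main__":
    replies = {"kdc1": RENEWABLE_ONLY, "kdc2": FORWARDABLE_RENEWABLE}
    chosen = acquire_s4u2self(["kdc1", "kdc2"], lambda k: S4U2SelfReply(k, replies[k]))
    print(chosen.kdc, sorted(decode_ticket_flags(chosen.ticket_flags)))  # kdc2 [1, 8]
```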
