author | andrew <unknown> | 2020-01-15 20:05:09 +0000 |
---|---|---|
committer | bell-sw <liberica@bell-sw.com> | 2020-01-19 09:13:28 +0300 |
commit | e4c899fda33cc58bb87d7624f1893bfffc108a22 (patch) | |
tree | ab74898a75f49cca995a62c856bd6a30748e47c1 | |
parent | 00e6887ff48fa51ca98407cc2363f77709771b7e (diff) | |
download | jdk8u_jdk-e4c899fda33cc58bb87d7624f1893bfffc108a22.tar.gz |
8132111: Do not request for addresses for forwarded TGT
Reviewed-by: mbalao, shade
4 files changed, 16 insertions, 26 deletions
diff --git a/src/share/classes/sun/security/krb5/KrbCred.java b/src/share/classes/sun/security/krb5/KrbCred.java index 7f02df8ef0..0ce26efc4a 100644 --- a/src/share/classes/sun/security/krb5/KrbCred.java +++ b/src/share/classes/sun/security/krb5/KrbCred.java @@ -34,8 +34,6 @@ package sun.security.krb5; import sun.security.krb5.internal.*; import sun.security.krb5.internal.crypto.KeyUsage; import java.io.IOException; -import java.net.InetAddress; -import java.net.UnknownHostException; import sun.security.util.DerValue; @@ -65,7 +63,6 @@ public class KrbCred { PrincipalName client = tgt.getClient(); PrincipalName tgService = tgt.getServer(); - PrincipalName server = serviceTicket.getServer(); if (!serviceTicket.getClient().equals(client)) throw new KrbException(Krb5.KRB_ERR_GENERIC, "Client principal does not match"); @@ -78,29 +75,9 @@ public class KrbCred { options.set(KDCOptions.FORWARDED, true); options.set(KDCOptions.FORWARDABLE, true); - HostAddresses sAddrs = null; - - // GSSName.NT_HOSTBASED_SERVICE should display with KRB_NT_SRV_HST - if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST) { - sAddrs = new HostAddresses(server); - } else if (server.getNameType() == PrincipalName.KRB_NT_UNKNOWN) { - // Sometimes this is also a server - if (server.getNameStrings().length >= 2) { - String host = server.getNameStrings()[1]; - try { - InetAddress[] addr = InetAddress.getAllByName(host); - if (addr != null && addr.length > 0) { - sAddrs = new HostAddresses(addr); - } - } catch (UnknownHostException ioe) { - // maybe we guessed wrong, let sAddrs be null - } - } - } - KrbTgsReq tgsReq = new KrbTgsReq(options, tgt, tgService, null, null, null, null, null, - sAddrs, // Only non-null for KRB_NT_SRV_HST, see JDK-8132111 + null, // No easy way to get addresses right null, null, null); credMessg = createMessage(tgsReq.sendAndGetCreds(), key); 
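Review bot: The replacement comment on the `KrbTgsReq` argument, `null, // No easy way to get addresses right`, no longer says what the caller gives up, and the removed comment was the only place in this code that named JDK-8132111. With `null` passed here the forwarded TGT is requested without an address list, so the delegated ticket is presumably not tied to any host address (the KDC side is not visible in this hunk). The removed branch also means the client no longer resolves a host name taken from the service principal through `InetAddress.getAllByName`. I would write the line as `null, // addressless on purpose: no DNS lookup of the service host, ticket not address-bound (JDK-8132111)`. The enclosing method body starts and ends outside the hunk.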
@@ -113,7 +90,6 @@ public class KrbCred { EncryptionKey sessionKey = delegatedCreds.getSessionKey(); PrincipalName princ = delegatedCreds.getClient(); - Realm realm = princ.getRealm(); PrincipalName tgService = delegatedCreds.getServer(); KrbCredInfo credInfo = new KrbCredInfo(sessionKey, diff --git a/src/share/classes/sun/security/krb5/internal/HostAddress.java b/src/share/classes/sun/security/krb5/internal/HostAddress.java index f3d1d87467..77e00a0d61 100644 --- a/src/share/classes/sun/security/krb5/internal/HostAddress.java +++ b/src/share/classes/sun/security/krb5/internal/HostAddress.java @@ -39,6 +39,7 @@ import java.net.Inet4Address; import java.net.Inet6Address; import java.net.UnknownHostException; import java.io.IOException; +import java.util.Arrays; /** * Implements the ASN.1 HostAddress type. @@ -295,4 +296,11 @@ public class HostAddress implements Cloneable { } } + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append(Arrays.toString(address)); + sb.append('(').append(addrType).append(')'); + return sb.toString(); + } } diff --git a/src/share/classes/sun/security/krb5/internal/HostAddresses.java b/src/share/classes/sun/security/krb5/internal/HostAddresses.java index 04eeb5de99..38bb6a348b 100644 --- a/src/share/classes/sun/security/krb5/internal/HostAddresses.java +++ b/src/share/classes/sun/security/krb5/internal/HostAddresses.java @@ -338,4 +338,9 @@ public class HostAddresses implements Cloneable { for (int i = 0; i < inetAddresses.length; i++) addresses[i] = new HostAddress(inetAddresses[i]); } + + @Override + public String toString() { + return Arrays.toString(addresses); + } } diff --git a/test/sun/security/krb5/auto/KDC.java b/test/sun/security/krb5/auto/KDC.java index fa4ab5a658..0c5a891664 100644 --- a/test/sun/security/krb5/auto/KDC.java +++ b/test/sun/security/krb5/auto/KDC.java 
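Review bot: The new `HostAddress.toString()` prints the raw `byte[]` with `Arrays.toString(address)`, so an IPv4 address such as 192.168.1.1 (a constructed example) appears as `[-64, -88, 1, 1]` followed by the numeric address type, which is easy to misread in Kerberos debug output. A one-line Javadoc stating that format (signed byte values, then the `addrType` number in parentheses) would help. The same applies to the `toString()` added to `HostAddresses`, which prints each element through this method. The `StringBuilder` is also more than the method needs: `return Arrays.toString(address) + '(' + addrType + ')';` produces the same string.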
@@ -903,9 +903,10 @@ public class KDC {
 bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
 }
 }
+ // We do not request for addresses for FORWARDED tickets
 if (options.containsKey(Option.CHECK_ADDRESSES)
 && body.kdcOptions.get(KDCOptions.FORWARDED)
- && body.addresses == null) {
+ && body.addresses != null) {
 throw new KrbException(Krb5.KDC_ERR_BADOPTION);
 }
 if (body.kdcOptions.get(KDCOptions.FORWARDED) || |
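Review bot: The added comment `// We do not request for addresses for FORWARDED tickets` describes the client, but the condition below it is the test KDC's enforcement. With `Option.CHECK_ADDRESSES` set it now throws `KDC_ERR_BADOPTION` when a FORWARDED request does carry addresses, the opposite of the check it replaces. I would word it as `// Clients must not send addresses with a FORWARDED request (JDK-8132111); reject the request if they do`. Because this line inverts what `CHECK_ADDRESSES` enforces, any description of that option elsewhere in KDC.java (not visible here) should be checked against it. The enclosing method starts and ends outside the hunk.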