6913636: kvno check in JSSE

Reviewed-by: valeriep

src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java

 /*
- * Copyright 2003-2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2003-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -50,11 +50,12 @@ import sun.security.krb5.internal.EncTicketPart;
 import sun.security.krb5.internal.crypto.KeyUsage;
 
 import sun.security.jgss.krb5.Krb5Util;
+import sun.security.krb5.KrbException;
+import sun.security.krb5.internal.Krb5;
 
 import sun.security.ssl.Debug;
 import sun.security.ssl.HandshakeInStream;
 import sun.security.ssl.HandshakeOutStream;
-import sun.security.ssl.KerberosClientKeyExchange;
 import sun.security.ssl.ProtocolVersion;
 
 /**
@@ -188,7 +189,14 @@ public final class KerberosClientKeyExchangeImpl
             // See if we have the right key to decrypt the ticket to get
             // the session key.
             int encPartKeyType = encPart.getEType();
-            KerberosKey dkey = findKey(encPartKeyType, serverKeys);
+            Integer encPartKeyVersion = encPart.getKeyVersionNumber();
+            KerberosKey dkey = null;
+            try {
+                dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys);
+            } catch (KrbException ke) { // a kvno mismatch
+                throw new IOException(
+                        "Cannot find key matching version number", ke);
+            }
             if (dkey == null) {
                 // %%% Should print string repr of etype
                 throw new IOException(
@@ -355,12 +363,34 @@ public final class KerberosClientKeyExchangeImpl
         return localPrincipal;
     }
 
-    private static KerberosKey findKey(int etype, KerberosKey[] keys) {
+    /**
+     * Determines if a kvno matches another kvno. Used in the method
+     * findKey(etype, version, keys). Always returns true if either input
+     * is null or zero, in case any side does not have kvno info available.
+     *
+     * Note: zero is included because N/A is not a legal value for kvno
+     * in javax.security.auth.kerberos.KerberosKey. Therefore, the info
+     * that the kvno is N/A might be lost when converting between
+     * EncryptionKey and KerberosKey.
+     */
+    private static boolean versionMatches(Integer v1, int v2) {
+        if (v1 == null || v1 == 0 || v2 == 0) {
+            return true;
+        }
+        return v1.equals(v2);
+    }
+
+    private static KerberosKey findKey(int etype, Integer version,
+            KerberosKey[] keys) throws KrbException {
         int ktype;
+        boolean etypeFound = false;
         for (int i = 0; i < keys.length; i++) {
             ktype = keys[i].getKeyType();
             if (etype == ktype) {
-                return keys[i];
+                etypeFound = true;
+                if (versionMatches(version, keys[i].getVersionNumber())) {
+                    return keys[i];
+                }
             }
         }
         // Key not found.
@@ -370,14 +400,20 @@ public final class KerberosClientKeyExchangeImpl
             for (int i = 0; i < keys.length; i++) {
                 ktype = keys[i].getKeyType();
                 if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
-                    ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
-                    return new KerberosKey(keys[i].getPrincipal(),
-                        keys[i].getEncoded(),
-                        etype,
-                        keys[i].getVersionNumber());
+                        ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
+                    etypeFound = true;
+                    if (versionMatches(version, keys[i].getVersionNumber())) {
+                        return new KerberosKey(keys[i].getPrincipal(),
+                            keys[i].getEncoded(),
+                            etype,
+                            keys[i].getVersionNumber());
+                    }
                 }
             }
         }
+        if (etypeFound) {
+            throw new KrbException(Krb5.KRB_AP_ERR_BADKEYVER);
+        }
         return null;
     }
 }

test/sun/security/krb5/auto/SSL.java

 /*
- * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2009-2010 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 6894643
+ * @bug 6894643 6913636
  * @summary Test JSSE Kerberos ciphersuite
  */
 import java.io.*;
@@ -32,12 +32,13 @@ import javax.net.ssl.*;
 import java.security.Principal;
 import java.util.Date;
 import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+import sun.security.krb5.internal.ktab.KeyTab;
 
 public class SSL {
 
     private static final String KRB5_CIPHER = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA";
     private static final int LOOP_LIMIT = 1;
-    private static final char[] PASS = "secret".toCharArray();
     private static int loopCount = 0;
     private static volatile String server;
     private static volatile int port;
@@ -54,12 +55,39 @@ public class SSL {
 
         kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
         kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
-        kdc.addPrincipal("host/" + server, PASS);
         KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
         System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
 
+        // Add 3 versions of keys into keytab
+        KeyTab ktab = KeyTab.create(OneKDC.KTAB);
+        PrincipalName service = new PrincipalName(
+                "host/" + server, PrincipalName.KRB_NT_SRV_HST);
+        ktab.addEntry(service, "pass1".toCharArray(), 1);
+        ktab.addEntry(service, "pass2".toCharArray(), 2);
+        ktab.addEntry(service, "pass3".toCharArray(), 3);
+        ktab.save();
+
+        // and use the middle one as the real key
+        kdc.addPrincipal("host/" + server, "pass2".toCharArray());
+
+        // JAAS config entry name ssl
+        System.setProperty("java.security.auth.login.config", OneKDC.JAAS_CONF);
+        File f = new File(OneKDC.JAAS_CONF);
+        FileOutputStream fos = new FileOutputStream(f);
+        fos.write((
+                "ssl {\n" +
+                "    com.sun.security.auth.module.Krb5LoginModule required\n" +
+                "    principal=\"host/" + server + "\"\n" +
+                "    useKeyTab=true\n" +
+                "    keyTab=" + OneKDC.KTAB + "\n" +
+                "    isInitiator=false\n" +
+                "    storeKey=true;\n};\n"
+                ).getBytes());
+        fos.close();
+        f.deleteOnExit();
+
         final Context c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
-        final Context s = Context.fromUserPass("host/" + server, PASS, true);
+        final Context s = Context.fromJAAS("ssl");
 
         c.startAsClient("host/" + server, GSSUtil.GSS_KRB5_MECH_OID);
         s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);