7032354: no-addresses should not be used on acceptor side

Reviewed-by: valeriep

7032354: no-addresses should not be used on acceptor side
Reviewed-by: valeriep
889c3127 · weijun · dfffbd5f · 889c3127 · 889c3127 · 889c3127
3 changed file
--- a/src/share/classes/sun/security/krb5/KrbApReq.java
+++ b/src/share/classes/sun/security/krb5/KrbApReq.java
 /*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -37,6 +37,7 @@ import sun.security.krb5.internal.rcache.*;
 import java.net.InetAddress;
 import sun.security.util.*;
 import java.io.IOException;
+import java.util.Arrays;

 /**
 * This class encapsulates a KRB-AP-REQ that a client sends to a
@@ -54,9 +55,6 @@ public class KrbApReq {
    private static CacheTable table = new CacheTable();
    private static boolean DEBUG = Krb5.DEBUG;

-    // default is address-less tickets
-    private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true;
-
    /**
     * Contructs a AP-REQ message to send to the peer.
     * @param tgsCred the <code>Credentials</code> to be used to construct the
@@ -312,22 +310,18 @@ public class KrbApReq {
            table.put(client, time, currTime.getTime());
        }

-        // check to use addresses in tickets
-        if (Config.getInstance().useAddresses()) {
-            KDC_EMPTY_ADDRESSES_ALLOWED = false;
-        }
-
-        // sender host address
-        HostAddress sender = null;
        if (initiator != null) {
-            sender = new HostAddress(initiator);
+            // sender host address
+            HostAddress sender = new HostAddress(initiator);
+            if (enc_ticketPart.caddr != null
+                    && !enc_ticketPart.caddr.inList(sender)) {
+                if (DEBUG) {
+                    System.out.println(">>> KrbApReq: initiator is "
+                            + sender.getInetAddress()
+                            + ", but caddr is "
+                            + Arrays.toString(
+                                enc_ticketPart.caddr.getInetAddresses()));
                }
-
-        if (sender != null || !KDC_EMPTY_ADDRESSES_ALLOWED) {
-            if (enc_ticketPart.caddr != null) {
-                if (sender == null)
-                    throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
-                if (!enc_ticketPart.caddr.inList(sender))
                throw new KrbApErrException(Krb5.KRB_AP_ERR_BADADDR);
            }
        }

--- a/test/sun/security/krb5/auto/KDC.java
+++ b/test/sun/security/krb5/auto/KDC.java
 /*
- * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -691,7 +691,10 @@ public class KDC {
                    new KerberosTime(new Date()),
                    body.from,
                    till, body.rtime,
-                    body.addresses,
+                    body.addresses != null  // always set caddr
+                            ? body.addresses
+                            : new HostAddresses(
+                                new InetAddress[]{InetAddress.getLocalHost()}),
                    null);
            EncryptionKey skey = keyForUser(body.sname, e3, true);
            if (skey == null) {
@@ -716,7 +719,10 @@ public class KDC {
                    till, body.rtime,
                    body.crealm,
                    body.sname,
-                    body.addresses
+                    body.addresses != null  // always set caddr
+                            ? body.addresses
+                            : new HostAddresses(
+                                new InetAddress[]{InetAddress.getLocalHost()})
                    );
            EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY);
            TGSRep tgsRep = new TGSRep(null,

--- a/test/sun/security/krb5/auto/NoAddresses.java
+++ b/test/sun/security/krb5/auto/NoAddresses.java
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7032354
+ * @run main/othervm NoAddresses 1
+ * @run main/othervm NoAddresses 2
+ * @run main/othervm/fail NoAddresses 3
+ * @summary no-addresses should not be used on acceptor side
+ */
+
+import java.net.InetAddress;
+import org.ietf.jgss.ChannelBinding;
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.Config;
+
+public class NoAddresses {
+
+    public static void main(String[] args)
+            throws Exception {
+
+        OneKDC kdc = new OneKDC(null);
+        kdc.writeJAASConf();
+        KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
+                "noaddresses = false",
+                "default_keytab_name = " + OneKDC.KTAB);
+        Config.refresh();
+
+        Context c = Context.fromJAAS("client");
+        Context s = Context.fromJAAS("server");
+
+        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+        InetAddress initiator = InetAddress.getLocalHost();
+        InetAddress acceptor = InetAddress.getLocalHost();
+        switch (args[0]) {
+            case "1":
+                // no initiator host address available, should be OK
+                break;
+            case "2":
+                // correct initiator host address, still fine
+                c.x().setChannelBinding(
+                        new ChannelBinding(initiator, acceptor, null));
+                s.x().setChannelBinding(
+                        new ChannelBinding(initiator, acceptor, null));
+                break;
+            case "3":
+                // incorrect initiator host address, fail
+                initiator = InetAddress.getByAddress(new byte[]{1,1,1,1});
+                c.x().setChannelBinding(
+                        new ChannelBinding(initiator, acceptor, null));
+                s.x().setChannelBinding(
+                        new ChannelBinding(initiator, acceptor, null));
+                break;
+        }
+
+        Context.handshake(c, s);
+    }
+}