diff --git a/src/share/classes/sun/security/krb5/PrincipalName.java b/src/share/classes/sun/security/krb5/PrincipalName.java
index 51e776317144fc2398425de490b67e7359c341c9..86094d629674e5ed27fe0813fc0e84490e33d5c1 100644
--- a/src/share/classes/sun/security/krb5/PrincipalName.java
+++ b/src/share/classes/sun/security/krb5/PrincipalName.java
@@ -173,12 +173,6 @@ public class PrincipalName
 boolean equalsWithoutRealm(PrincipalName other) {
-
- if (nameType != KRB_NT_UNKNOWN &&
- other.nameType != KRB_NT_UNKNOWN &&
- nameType != other.nameType)
- return false;
-
 if ((nameStrings != null && other.nameStrings == null) ||
 (nameStrings == null && other.nameStrings != null))
 return false;
diff --git a/test/sun/security/krb5/auto/KDC.java b/test/sun/security/krb5/auto/KDC.java
index 45a3d530c4b57a0b1a4b34f787393aac9e82e1e5..e4b4a9d8b9bbe0101cc0ce8fc8817e42fd16163e 100644
--- a/test/sun/security/krb5/auto/KDC.java
+++ b/test/sun/security/krb5/auto/KDC.java
@@ -170,6 +170,10 @@ public class KDC {
 * Use only one preauth, so that some keys are not easy to generate
 */
 ONLY_ONE_PREAUTH,
+ /**
+ * Set all name-type to a value in response
+ */
+ RESP_NT,
 };
 static {
@@ -637,10 +641,16 @@ public class KDC {
 */
 private byte[] processTgsReq(byte[] in) throws Exception {
 TGSReq tgsReq = new TGSReq(in);
+ PrincipalName service = tgsReq.reqBody.sname;
+ if (options.containsKey(KDC.Option.RESP_NT)) {
+ service = new PrincipalName(service.getNameStrings(),
+ (int)options.get(KDC.Option.RESP_NT));
+ service.setRealm(service.getRealm());
+ }
 try {
 System.out.println(realm + "> " + tgsReq.reqBody.cname +
 " sends TGS-REQ for " +
- tgsReq.reqBody.sname);
+ service);
 KDCReqBody body = tgsReq.reqBody;
 int[] eTypes = KDCReqBodyDotEType(body);
 int e2 = eTypes[0]; // etype for outgoing session key
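Review bot: Dropping the name-type comparison needs a matching look at hashCode(), which is outside this hunk: if it still folds nameType in, two names this method now treats as equal can hash differently, and any HashMap/HashSet keyed on PrincipalName (ticket caches, for instance) silently stops finding entries. The deleted lines should be replaced by a comment recording why the type is ignored, e.g. `// name-type is only a hint, not part of the identity (RFC 4120 §6.2): a KDC may answer with a different type than the client asked for, so only the name components are compared here; the realm is the caller's job`. Security-wise the loosening is contained, since the name strings must still match exactly and the realm is presumably still checked by equals(), but callers that relied on the type to keep a host-style and a user-style principal with identical components apart should be confirmed not to exist. equalsWithoutRealm continues past the end of the hunk.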
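Review bot: The javadoc on `RESP_NT` says "all name-type", but every use of the option in this patch rewrites only the service name (sname) placed in the AS-REP/TGS-REP, never cname, so the wording overstates what it does and says nothing about the value's type, which the `(int)` casts at the use sites depend on. Suggest `/** Name-type (an int, one of PrincipalName.KRB_NT_*) to stamp on the service principal in AS-REP and TGS-REP, regardless of the type the client requested. */`. The rest of the Option enum lies outside the hunk.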
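Review bot: `service.setRealm(service.getRealm())` on the fifth added line reads the realm of the object constructed on the line above it, not of the requested name: the `(String[], int)` constructor takes no realm, so unless it sets one by itself this assigns the new object's own unset realm back to it and the requested realm is lost from the rewritten service name. The intent is evidently to carry it over, which is `service.setRealm(tgsReq.reqBody.sname.getRealm());`. The reply still works in the test because the Ticket and EncTGSRepPart further down take `body.crealm` separately, which is what hides the slip. processTgsReq continues well past the hunk.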
@@ -708,7 +718,7 @@ public class KDC {
 bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
 }
- if (configMatch("", body.sname.getNameString(), "ok-as-delegate")) {
+ if (configMatch("", service.getNameString(), "ok-as-delegate")) {
 bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
 }
 bFlags[Krb5.TKT_OPTS_INITIAL] = true;
@@ -728,13 +738,13 @@ public class KDC {
 : new HostAddresses(
 new InetAddress[]{InetAddress.getLocalHost()}),
 null);
- EncryptionKey skey = keyForUser(body.sname, e3, true);
+ EncryptionKey skey = keyForUser(service, e3, true);
 if (skey == null) {
 throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
 }
 Ticket t = new Ticket(
 body.crealm,
- body.sname,
+ service,
 new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
 );
 EncTGSRepPart enc_part = new EncTGSRepPart(
@@ -750,7 +760,7 @@ public class KDC {
 body.from, till, body.rtime,
 body.crealm,
- body.sname,
+ service,
 body.addresses != null // always set caddr
 ? body.addresses
 : new HostAddresses(
@@ -781,7 +791,7 @@ public class KDC {
 0,
 ke.returnCode(),
 body.crealm, body.cname,
- new Realm(getRealm()), body.sname,
+ new Realm(getRealm()), service,
 KrbException.errorMessage(ke.returnCode()),
 null);
 }
@@ -800,10 +810,16 @@ public class KDC {
 int[] eTypes = null;
 List outPAs = new ArrayList<>();
+ PrincipalName service = asReq.reqBody.sname;
+ if (options.containsKey(KDC.Option.RESP_NT)) {
+ service = new PrincipalName(service.getNameStrings(),
+ (int)options.get(KDC.Option.RESP_NT));
+ service.setRealm(service.getRealm());
+ }
 try {
 System.out.println(realm + "> " + asReq.reqBody.cname +
 " sends AS-REQ for " +
- asReq.reqBody.sname);
+ service);
 KDCReqBody body = asReq.reqBody;
 body.cname.setRealm(getRealm());
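Review bot: The six lines added before `try {` in processAsReq are a verbatim copy of the block this patch adds to processTgsReq, down to `service.setRealm(service.getRealm())`, which assigns the freshly built object's own (unset) realm to itself instead of the requested name's realm; a subtle line like that should exist once, not twice, or the two copies will drift. Suggest moving the rewrite into one private helper that both request handlers call, with a comment on why the realm has to be copied explicitly, as sketched below. processAsReq's signature is above the hunk and its body continues below it.
```java
        List outPAs = new ArrayList<>();
        PrincipalName service = serviceNameForResponse(asReq.reqBody.sname);
        // … unchanged: try block that logs the AS-REQ and builds the reply …

    // New helper, placed after processAsReq's closing brace; processTgsReq
    // calls it the same way with tgsReq.reqBody.sname.
    /**
     * Service principal to put in the reply: the requested name unchanged,
     * or, when RESP_NT is set, a copy carrying that name-type. The realm is
     * copied over explicitly because the (String[], int) constructor leaves
     * it unset.
     */
    private PrincipalName serviceNameForResponse(PrincipalName requested)
            throws Exception {
        if (!options.containsKey(KDC.Option.RESP_NT)) {
            return requested;
        }
        PrincipalName service = new PrincipalName(requested.getNameStrings(),
                (int)options.get(KDC.Option.RESP_NT));
        service.setRealm(requested.getRealm());
        return service;
    }
```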
@@ -812,7 +828,7 @@ public class KDC {
 int eType = eTypes[0];
 EncryptionKey ckey = keyForUser(body.cname, eType, false);
- EncryptionKey skey = keyForUser(body.sname, eType, true);
+ EncryptionKey skey = keyForUser(service, eType, true);
 if (options.containsKey(KDC.Option.ONLY_RC4_TGT)) {
 int tgtEType = EncryptedData.ETYPE_ARCFOUR_HMAC;
@@ -826,7 +842,7 @@ public class KDC {
 if (!found) {
 throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
 }
- skey = keyForUser(body.sname, tgtEType, true);
+ skey = keyForUser(service, tgtEType, true);
 }
 if (ckey == null) {
 throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
@@ -943,7 +959,7 @@ public class KDC {
 null);
 Ticket t = new Ticket(
 body.crealm,
- body.sname,
+ service,
 new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
 );
 EncASRepPart enc_part = new EncASRepPart(
@@ -959,7 +975,7 @@ public class KDC {
 body.from, till, body.rtime,
 body.crealm,
- body.sname,
+ service,
 body.addresses
 );
 EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
@@ -1023,7 +1039,7 @@ public class KDC {
 0,
 ke.returnCode(),
 body.crealm, body.cname,
- new Realm(getRealm()), body.sname,
+ new Realm(getRealm()), service,
 KrbException.errorMessage(ke.returnCode()),
 eData);
 }
diff --git a/test/sun/security/krb5/auto/PrincipalNameEquals.java b/test/sun/security/krb5/auto/PrincipalNameEquals.java
new file mode 100644
index 0000000000000000000000000000000000000000..c4ae6b9aa9df2557acd2f9f100d6db90b34cafd9
--- /dev/null
+++ b/test/sun/security/krb5/auto/PrincipalNameEquals.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7061379
+ * @summary [Kerberos] Cross-realm authentication fails, due to nameType problem
+ * @compile -XDignore.symbol.file PrincipalNameEquals.java
+ * @run main/othervm PrincipalNameEquals
+ */
+
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+
+public class PrincipalNameEquals {
+
+ public static void main(String[] args) throws Exception {
+
+ OneKDC kdc = new OneKDC(null);
+ kdc.writeJAASConf();
+ kdc.setOption(KDC.Option.RESP_NT, PrincipalName.KRB_NT_PRINCIPAL);
+
+ Context c, s;
+ c = Context.fromJAAS("client");
+ s = Context.fromJAAS("server");
+
+ c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+ s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+ Context.handshake(c, s);
+
+ Context.transmit("i say high --", c, s);
+ Context.transmit(" you say low", s, c);
+
+ s.dispose();
+ c.dispose();
+ }
+}
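Review bot: The test passes purely by not throwing, and nothing in the body says what `kdc.setOption(KDC.Option.RESP_NT, PrincipalName.KRB_NT_PRINCIPAL)` is provoking, so a reader cannot tell which comparison is under test; a comment above that line is needed, e.g. `// The KDC stamps KRB_NT_PRINCIPAL on the service name in its replies regardless of the type the client asked for; the client-side match of ticket against request presumably only succeeds if name-type is ignored when comparing principal names (7061379).`. The @summary speaks of cross-realm authentication while the test drives a single OneKDC; if one realm is enough to reproduce the name-type mismatch, say so in that same comment, otherwise the summary is misleading about coverage. As a style point, the declare-then-assign `Context c, s;` can become `Context c = Context.fromJAAS("client");` and `Context s = Context.fromJAAS("server");`.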