diff --git a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java index adf2cd8ace1..15d6d78c04d 100644 --- a/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java +++ b/jdk/src/share/classes/sun/security/krb5/EncryptionKey.java @@ -511,6 +511,23 @@ public class EncryptionKey return findKey(etype, null, keys); } + /** + * Determines if a kvno matches another kvno. Used in the method + * findKey(type, kvno, keys). Always returns true if either input + * is null or zero, in case any side does not have kvno info available. + * + * Note: zero is included because N/A is not a legal value for kvno + * in javax.security.auth.kerberos.KerberosKey. Therefore, the info + * that the kvno is N/A might be lost when converting between this + * class and KerberosKey. + */ + private static boolean versionMatches(Integer v1, Integer v2) { + if (v1 == null || v1 == 0 || v2 == null || v2 == 0) { + return true; + } + return v1.equals(v2); + } + /** * Find a key with given etype and kvno * @param kvno if null, return any (first?) key @@ -525,15 +542,20 @@ public class EncryptionKey } int ktype; + boolean etypeFound = false; for (int i = 0; i < keys.length; i++) { ktype = keys[i].getEType(); if (EType.isSupported(ktype)) { Integer kv = keys[i].getKeyVersionNumber(); - if (etype == ktype && (kvno == null || kvno.equals(kv))) { - return keys[i]; + if (etype == ktype) { + etypeFound = true; + if (versionMatches(kvno, kv)) { + return keys[i]; + } } } } + // Key not found. // allow DES key to be used for the DES etypes if ((etype == EncryptedData.ETYPE_DES_CBC_CRC || @@ -543,12 +565,16 @@ public class EncryptionKey if (ktype == EncryptedData.ETYPE_DES_CBC_CRC || ktype == EncryptedData.ETYPE_DES_CBC_MD5) { Integer kv = keys[i].getKeyVersionNumber(); - if (kvno == null || kvno.equals(kv)) { + etypeFound = true; + if (versionMatches(kvno, kv)) { return new EncryptionKey(etype, keys[i].getBytes()); } } } } + if (etypeFound) { + throw new KrbException(Krb5.KRB_AP_ERR_BADKEYVER); + } return null; } } diff --git a/jdk/test/sun/security/krb5/auto/KDC.java b/jdk/test/sun/security/krb5/auto/KDC.java index 80b69b639fc..b03058798bd 100644 --- a/jdk/test/sun/security/krb5/auto/KDC.java +++ b/jdk/test/sun/security/krb5/auto/KDC.java @@ -484,8 +484,9 @@ public class KDC { Method stringToKey = EncryptionKey.class.getDeclaredMethod("stringToKey", char[].class, String.class, byte[].class, Integer.TYPE); stringToKey.setAccessible(true); Integer kvno = null; - // For service whose password ending with a number, use it as kvno - if (p.toString().indexOf('/') >= 0) { + // For service whose password ending with a number, use it as kvno. + // Kvno must be postive. + if (p.toString().indexOf('/') > 0) { char[] pass = getPassword(p, server); if (Character.isDigit(pass[pass.length-1])) { kvno = pass[pass.length-1] - '0'; diff --git a/jdk/test/sun/security/krb5/auto/MoreKvno.java b/jdk/test/sun/security/krb5/auto/MoreKvno.java index 66740a8b799..5a2c9e56a58 100644 --- a/jdk/test/sun/security/krb5/auto/MoreKvno.java +++ b/jdk/test/sun/security/krb5/auto/MoreKvno.java @@ -24,15 +24,20 @@ /* * @test * @bug 6893158 + * @bug 6907425 * @summary AP_REQ check should use key version number */ +import org.ietf.jgss.GSSException; import sun.security.jgss.GSSUtil; +import sun.security.krb5.KrbException; import sun.security.krb5.PrincipalName; import sun.security.krb5.internal.ktab.KeyTab; +import sun.security.krb5.internal.Krb5; public class MoreKvno { + static PrincipalName p; public static void main(String[] args) throws Exception { @@ -41,21 +46,40 @@ public class MoreKvno { // Rewrite keytab, 3 set of keys with different kvno KeyTab ktab = KeyTab.create(OneKDC.KTAB); - PrincipalName p = new PrincipalName(OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST); - ktab.addEntry(p, "pass0".toCharArray(), 0); - ktab.addEntry(p, "pass2".toCharArray(), 2); + p = new PrincipalName( + OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST); ktab.addEntry(p, "pass1".toCharArray(), 1); + ktab.addEntry(p, "pass3".toCharArray(), 3); + ktab.addEntry(p, "pass2".toCharArray(), 2); ktab.save(); - kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray()); - go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept"); - kdc.addPrincipal(OneKDC.SERVER, "pass2".toCharArray()); + char[] pass = "pass2".toCharArray(); + kdc.addPrincipal(OneKDC.SERVER, pass); + go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass); + + pass = "pass3".toCharArray(); + kdc.addPrincipal(OneKDC.SERVER, pass); // "server" initiate also, check pass2 is used at authentication - go(OneKDC.SERVER, "server"); + go(OneKDC.SERVER, "server", pass); + + try { + pass = "pass4".toCharArray(); + kdc.addPrincipal(OneKDC.SERVER, pass); + go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass); + throw new Exception("This test should fail"); + } catch (GSSException gsse) { + KrbException ke = (KrbException)gsse.getCause(); + if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) { + throw new Exception("Not expected failure code: " + + ke.returnCode()); + } + } } - static void go(String server, String entry) throws Exception { + static void go(String server, String entry, char[] pass) throws Exception { Context c, s; + + // Part 1: Test keytab c = Context.fromUserPass("dummy", "bogus".toCharArray(), false); s = Context.fromJAAS(entry); @@ -66,5 +90,17 @@ public class MoreKvno { s.dispose(); c.dispose(); + + // Part 2: Test username/password pair + c = Context.fromUserPass("dummy", "bogus".toCharArray(), false); + s = Context.fromUserPass(p.getNameString(), pass, true); + + c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + + Context.handshake(c, s); + + s.dispose(); + c.dispose(); } }