8279520: SPNEGO has not passed channel binding info into the underlying mechanism

Reviewed-by: mullan, valeriep
2022-01-06 22:02:55 +00:00 · 2022-01-06 22:02:55 +00:00 · 8d0f385fd0
commit 8d0f385fd0
parent b3dbfc6452
2 changed files with 21 additions and 13 deletions
--- a/src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -866,6 +866,7 @@ public class SpNegoContext implements GSSContextSpi {
            mechContext.requestMutualAuth(mutualAuthState);
            mechContext.requestReplayDet(replayDetState);
            mechContext.requestSequenceDet(sequenceDetState);
+            mechContext.setChannelBinding(channelBinding);
            if (mechContext instanceof GSSContextImpl) {
                ((GSSContextImpl)mechContext).requestDelegPolicy(
                        delegPolicyState);
@ -899,6 +900,7 @@ public class SpNegoContext implements GSSContextSpi {
                myCred.getInternalCred());
            }
            mechContext = factory.manager.createContext(cred);
+            mechContext.setChannelBinding(channelBinding);
        }

        // pass token to mechanism acceptSecContext
--- a/test/jdk/sun/security/krb5/auto/IgnoreChannelBinding.java
+++ b/test/jdk/sun/security/krb5/auto/IgnoreChannelBinding.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@

 /*
 * @test
- * @bug 6851973 8194486
+ * @bug 6851973 8194486 8279520
 * @summary ignore incoming channel binding if acceptor does not set one
 * @library /test/lib
 * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
@ -33,6 +33,7 @@
 import java.net.InetAddress;
 import org.ietf.jgss.ChannelBinding;
 import org.ietf.jgss.GSSException;
+import org.ietf.jgss.Oid;
 import sun.security.jgss.GSSUtil;

 public class IgnoreChannelBinding {
@ -41,33 +42,38 @@ public class IgnoreChannelBinding {
            throws Exception {

        new OneKDC(null).writeJAASConf();
+        test(GSSUtil.GSS_KRB5_MECH_OID);
+        test(GSSUtil.GSS_SPNEGO_MECH_OID);
+    }
+
+    static void test(Oid mech) throws Exception {

        Context c = Context.fromJAAS("client");
        Context s = Context.fromJAAS("server");

        // All silent
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
+        s.startAsServer(mech);
        Context.handshake(c, s);

        // Initiator req, acceptor ignore
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
        c.x().setChannelBinding(new ChannelBinding(
                InetAddress.getByName("client.rabbit.hole"),
                InetAddress.getByName("host.rabbit.hole"),
                new byte[0]
                ));
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(mech);
        Context.handshake(c, s);

        // Both req, and match
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
        c.x().setChannelBinding(new ChannelBinding(
                InetAddress.getByName("client.rabbit.hole"),
                InetAddress.getByName("host.rabbit.hole"),
                new byte[0]
                ));
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(mech);
        s.x().setChannelBinding(new ChannelBinding(
                InetAddress.getByName("client.rabbit.hole"),
                InetAddress.getByName("host.rabbit.hole"),
@ -76,13 +82,13 @@ public class IgnoreChannelBinding {
        Context.handshake(c, s);

        // Both req, NOT match
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
        c.x().setChannelBinding(new ChannelBinding(
                InetAddress.getByName("client.rabbit.hole"),
                InetAddress.getByName("host.rabbit.hole"),
                new byte[0]
                ));
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(mech);
        s.x().setChannelBinding(new ChannelBinding(
                InetAddress.getByName("client.rabbit.hole"),
                InetAddress.getByName("host.rabbit.hole"),
@ -96,8 +102,8 @@ public class IgnoreChannelBinding {
        }

        // Acceptor req, reject
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
+        s.startAsServer(mech);
        s.x().setChannelBinding(new ChannelBinding(
                InetAddress.getByName("client.rabbit.hole"),
                InetAddress.getByName("host.rabbit.hole"),