archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8272162: S4U2Self ticket without forwardable flag

Browse source 
Reviewed-by: valeriep
This commit is contained in:
Weijun Wang 2021-12-01 00:48:28 +00:00
parent dd73e3cea2
commit ab867f6c7c
17 changed files with 375 additions and 195 deletions
Download patch file Download diff file Expand all files Collapse all files

35
src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java
View file

@ -188,21 +188,22 @@ public final class KdcComm {
this.realm = realm;
}
public byte[] send(byte[] obuf)
public byte[] send(KrbKdcReq req)
throws IOException, KrbException {
int udpPrefLimit = getRealmSpecificValue(
realm, "udp_preference_limit", defaultUdpPrefLimit);
byte[] obuf = req.encoding();
boolean useTCP = (udpPrefLimit > 0 &&
(obuf != null && obuf.length > udpPrefLimit));
return send(obuf, useTCP);
return send(req, useTCP);
}
private byte[] send(byte[] obuf, boolean useTCP)
private byte[] send(KrbKdcReq req, boolean useTCP)
throws IOException, KrbException {
if (obuf == null)
if (req == null)
return null;
Config cfg = Config.getInstance();
@ -225,12 +226,12 @@ public final class KdcComm {
}
byte[] ibuf = null;
try {
ibuf = sendIfPossible(obuf, tempKdc.next(), useTCP);
ibuf = sendIfPossible(req, tempKdc.next(), useTCP);
} catch(Exception first) {
boolean ok = false;
while(tempKdc.hasNext()) {
try {
ibuf = sendIfPossible(obuf, tempKdc.next(), useTCP);
ibuf = sendIfPossible(req, tempKdc.next(), useTCP);
ok = true;
break;
} catch(Exception ignore) {}
@ -243,13 +244,13 @@ public final class KdcComm {
return ibuf;
}
// send the AS Request to the specified KDC
// send the KDC Request to the specified KDC
// failover to using TCP if useTCP is not set and response is too big
private byte[] sendIfPossible(byte[] obuf, String tempKdc, boolean useTCP)
private byte[] sendIfPossible(KrbKdcReq req, String tempKdc, boolean useTCP)
throws IOException, KrbException {
try {
byte[] ibuf = send(obuf, tempKdc, useTCP);
byte[] ibuf = send(req, tempKdc, useTCP);
KRBError ke = null;
try {
ke = new KRBError(ibuf);
@ -259,10 +260,17 @@ public final class KdcComm {
if (ke != null) {
if (ke.getErrorCode() ==
Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
ibuf = send(obuf, tempKdc, true);
ibuf = send(req, tempKdc, true);
} else if (ke.getErrorCode() ==
Krb5.KDC_ERR_SVC_UNAVAILABLE) {
throw new KrbException("A service is not available");
} else if (ke.getErrorCode() == Krb5.KDC_ERR_BADOPTION
&& Credentials.S4U2PROXY_ACCEPT_NON_FORWARDABLE
&& req instanceof KrbTgsReq tgsReq) {
Credentials extra = tgsReq.getAdditionalCreds();
if (extra != null && !extra.isForwardable()) {
throw new KrbException("S4U2Proxy with non-forwardable ticket");
}
}
}
KdcAccessibility.removeBad(tempKdc);
@ -278,12 +286,12 @@ public final class KdcComm {
}
}
// send the AS Request to the specified KDC
// send the KDC Request to the specified KDC
private byte[] send(byte[] obuf, String tempKdc, boolean useTCP)
private byte[] send(KrbKdcReq req, String tempKdc, boolean useTCP)
throws IOException, KrbException {
if (obuf == null)
if (req == null)
return null;
int port = Krb5.KDC_INET_DEFAULT_PORT;
@ -336,6 +344,7 @@ public final class KdcComm {
port = tempPort;
}
byte[] obuf = req.encoding();
if (DEBUG) {
System.out.println(">>> KrbKdcReq send: kdc=" + kdc
+ (useTCP ? " TCP:":" UDP:")