8186831: Kerberos ignores PA-DATA with a non-null s2kparams

Reviewed-by: xuelei
2025-08-28 15:24:43 +02:00 · 2017-09-21 16:29:45 +08:00 · 2017-09-21 16:29:45 +08:00 · fe19274488
commit fe19274488
parent 8a1e214f37
5 changed files with 140 additions and 15 deletions
--- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/PAData.java
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/PAData.java
@ -1,4 +1,5 @@
 /*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -30,7 +31,7 @@

 package sun.security.krb5.internal;

-import sun.security.krb5.KrbException;
+import sun.security.krb5.internal.crypto.EType;
 import sun.security.util.*;
 import sun.security.krb5.Asn1Exception;
 import java.io.IOException;
@ -172,8 +173,8 @@ public class PAData {
            while (d2.data.available() > 0) {
                DerValue value = d2.data.getDerValue();
                ETypeInfo2 tmp = new ETypeInfo2(value);
-                if (tmp.getParams() == null) {
-                    // we don't support non-null s2kparams
+                if (EType.isNewer(tmp.getEType()) || tmp.getParams() == null) {
+                    // we don't support non-null s2kparams for old etypes
                    return tmp.getEType();
                }
            }
@ -239,8 +240,9 @@ public class PAData {
            while (d2.data.available() > 0) {
                DerValue value = d2.data.getDerValue();
                ETypeInfo2 tmp = new ETypeInfo2(value);
-                if (tmp.getParams() == null && tmp.getEType() == eType) {
-                    // we don't support non-null s2kparams
+                if (tmp.getEType() == eType &&
+                        (EType.isNewer(eType) || tmp.getParams() == null)) {
+                    // we don't support non-null s2kparams for old etypes
                    return new SaltAndParams(tmp.getSalt(), tmp.getParams());
                }
            }
--- a/src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -301,6 +301,26 @@ public abstract class EType {
        return isSupported(eTypeConst, enabledETypes);
    }

+    /**
+     * https://tools.ietf.org/html/rfc4120#section-3.1.3:
+     *
+     *                 A "newer" enctype is any enctype first officially
+     * specified concurrently with or subsequent to the issue of this RFC.
+     * The enctypes DES, 3DES, or RC4 and any defined in [RFC1510] are not
+     * "newer" enctypes.
+     *
+     * @param eTypeConst the encryption type
+     * @return true if "newer"
+     */
+    public static boolean isNewer(int eTypeConst) {
+        return eTypeConst != EncryptedData.ETYPE_DES_CBC_CRC &&
+                eTypeConst != EncryptedData.ETYPE_DES_CBC_MD4 &&
+                eTypeConst != EncryptedData.ETYPE_DES_CBC_MD5 &&
+                eTypeConst != EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD &&
+                eTypeConst != EncryptedData.ETYPE_ARCFOUR_HMAC &&
+                eTypeConst != EncryptedData.ETYPE_ARCFOUR_HMAC_EXP;
+    }
+
    public static String toString(int type) {
        switch (type) {
        case 0: