Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8048194

GSSContext.acceptSecContext fails when a supported mech is initiator preferred

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 8u5
    • Fix Version/s: 9
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      b25
    • CPU:
      x86
    • OS:
      windows_2008

      Backports

        Description

        FULL PRODUCT VERSION :
        java version "1.8.0_05"
        Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
        Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)

        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows [Version 6.2.9200]

        EXTRA RELEVANT SYSTEM CONFIGURATION :
        Windows Server 2012 with IE 11.

        A DESCRIPTION OF THE PROBLEM :
        Seems like by default on Windows 2012 Server with IE 11, when it sends SPNEGO token, it contains the following:

        SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
        SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
        SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
        SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30

        Since Java only supports 1.2.840.113554.1.2.2, SpNegoContext picked that as the mechanism:

        SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2

        But because the initiator preferred mechanism is 1.3.6.1.4.1.311.2.2.10
        The mech Token read is for that mech, and NOT 1.2.840.113554.1.2.2.

        But the current code ignored that fact and resulted in parsing error.



        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        set up a server with SPNEGO (with HTTP), and try hitting it with IE from Windows 2012.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Expected it to work similar to IE from Windows 2008.
        ACTUAL -
        GSSContent.acceptSecContext failed with the following exception:

        GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:98)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)


        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:98)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)


        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        Here is the patch to that fixes the issue:

        diff --git a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
        --- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
        +++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
        @@ -523,12 +523,8 @@
                             valid = false;
                         }
         
        - // get the mechanism token
        - byte[] mechToken = initToken.getMechToken();
        - if (mechToken == null) {
        - throw new GSSException(GSSException.FAILURE, -1,
        - "mechToken is missing");
        - }
        + // get the mechanism token (OPTIONAL)
        + byte[] mechToken = null;
         
                         /*
                          * Select the best match between the list of mechs
        @@ -543,9 +539,15 @@
                         }
                         // save the desired mechanism
                         internal_mech = mech_wanted;
        +
        + byte[] accept_token = null;
        + if (mechList[0] == mech_wanted) {
        + // mechToken is only for the first mech.
        + mechToken = initToken.getMechToken();
        + accept_token = GSS_acceptSecContext(mechToken);
        + }
         
                         // get the token for mechanism
        - byte[] accept_token = GSS_acceptSecContext(mechToken);
         
                         // verify MIC
                         if (!GSSUtil.useMSInterop() && valid) {
        @@ -584,7 +586,7 @@
         
                         // generate SPNEGO token
                         NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
        - mech_wanted, accept_token, null);
        + mech_wanted, accept_token, initToken.getMechListMIC());
                         if (DEBUG) {
                             System.out.println("SpNegoContext.acceptSecContext: " +
                                         "sending token of type = " +
        @@ -595,9 +597,24 @@
         
                     } else if (state == STATE_IN_PROCESS) {
                         // read the token
        - byte[] client_token = new byte[is.available()];
        - SpNegoToken.readFully(is, client_token);
        - byte[] accept_token = GSS_acceptSecContext(client_token);
        + byte[] token = new byte[is.available()];
        + SpNegoToken.readFully(is, token);
        + if (DEBUG) {
        + System.out.println("SpNegoContext.acceptSecContext: " +
        + "receiving token = " +
        + SpNegoToken.getHexBytes(token));
        + }
        +
        + // read the SPNEGO token
        + // token will be validated when parsing
        + NegTokenTarg respToken = new NegTokenTarg(token);
        +
        + if (DEBUG) {
        + System.out.println("SpNegoContext.acceptSecContext: " +
        + "received token of type = " +
        + SpNegoToken.getTokenName(respToken.getType()));
        + }
        + byte[] accept_token = GSS_acceptSecContext(respToken.getResponseToken());
                         if (accept_token == null) {
                             valid = false;
                         }
        @@ -618,7 +635,7 @@
         
                         // generate SPNEGO token
                         NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
        - null, accept_token, null);
        + null, accept_token, respToken.getMechListMIC());
                         if (DEBUG) {
                             System.out.println("SpNegoContext.acceptSecContext: " +
                                         "sending token of type = " +

        ---------- END SOURCE ----------

          Issue Links

            Activity

            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/20c60b5568db
            User: weijun
            Date: 2014-07-22 01:29:04 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk9/dev/jdk/rev/20c60b5568db User: weijun Date: 2014-07-22 01:29:04 +0000
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/20c60b5568db
            User: lana
            Date: 2014-07-30 19:22:46 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/20c60b5568db User: lana Date: 2014-07-30 19:22:46 +0000

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: