[JDK-8186831] Kerberos ignores PA-DATA with a non-null s2kparams - Java Bug System

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 10
Component/s: security-libs
Labels:
None

Subcomponent:
org.ietf.jgss:krb5
Resolved In Build:
b25

Backports

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8239185	openjdk8u252	Weijun Wang	P3	Resolved	Fixed	b03
JDK-8237154	openjdk8u242	Weijun Wang	P3	Resolved	Fixed	b07
JDK-8240017	openjdk7u	Weijun Wang	P3	Resolved	Fixed	master

Description

When adding a new principal in KDC with a password, keys are generated with a salt and an optional parameter known as s2kparams (string-to-key parameters). s2kparams is defined for AES etypes and is useless for DES, DES3 and RC4. Although Java has supported AES for a long time, it has never supported KDC-provided s2kparams. If the KDC sends out a PA-DATA with a non-null s2kparams, the whole PA-DATA (including the salt) will be ignored.

In most cases, user would not notice a problem because default salt and s2kparams are used. However, if a KDC decides to create a new principal with a non-default salt or s2kparams, a Java Kerberos client would fail at login, because it cannot generate a correct key to decrypt KDC's response.

For new aes-sha2 etypes defined in RFC 8009, there will be no default salt value (always has a random part) and the login will always fail. It's better to fix this bug before we support these new etypes.

Attachments

Issue Links

backported by

JDK-8237154 Kerberos ignores PA-DATA with a non-null s2kparams

Resolved

JDK-8239185 Kerberos ignores PA-DATA with a non-null s2kparams

Resolved

JDK-8240017 Kerberos ignores PA-DATA with a non-null s2kparams

Resolved

Activity

People

Assignee:: Weijun Wang

Reporter:: Weijun Wang

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2017-08-28 03:36

Updated:: 2020-02-25 22:02

Resolved:: 2017-09-21 01:34