Details
Type: Bug
Status: Resolved
Priority: P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 10
Component/s: security-libs
Labels: None
Subcomponent:
Resolved In Build: b25
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8239185 | openjdk8u252 | Weijun Wang | P3 | Resolved | Fixed | b03 |
JDK-8237154 | openjdk8u242 | Weijun Wang | P3 | Resolved | Fixed | b07 |
JDK-8240017 | openjdk7u | Weijun Wang | P3 | Resolved | Fixed | master |
Description
When a new principal is added to a KDC with a password, its keys are generated from that password using a salt and an optional parameter known as s2kparams (string-to-key parameters). s2kparams is defined for the AES etypes and is meaningless for DES, DES3 and RC4. Although Java has supported AES for a long time, it has never supported KDC-provided s2kparams: if the KDC sends a PA-DATA entry with a non-null s2kparams, the whole entry (including the salt) is ignored.
In most cases users would not notice a problem, because the default salt and s2kparams are used. However, if a KDC creates a principal with a non-default salt or s2kparams, a Java Kerberos client will fail at login, because it cannot generate the correct key to decrypt the KDC's response.
For the new aes-sha2 etypes defined in RFC 8009 there will be no default salt value (the salt always has a random part), so login would always fail. It is better to fix this bug before we support those new etypes.
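The string-to-key behaviour described above, as an added worked example in Python (not JDK code; the ETYPE-INFO2 entry, realm, principal and password below are constructed for illustration). It shows the RFC 3962 default iteration count (4096), the RFC 4120 default salt (realm name followed by the principal components), the big-endian parsing of s2kparams, and why a client that drops the whole PA-DATA entry derives a key that cannot match the KDC's. Only the PBKDF2 ("tkey") step of RFC 3962 is implemented; the final DK(tkey, "kerberos") step is omitted because it needs AES, but it is deterministic, so a mismatched tkey always means a mismatched Kerberos key.

```python
# Added worked example, not JDK source. Inputs are constructed for illustration.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

AES_SHA1_DEFAULT_ITERATIONS = 4096   # RFC 3962 section 4 default when s2kparams is absent
KEY_LEN = {17: 16, 18: 32}           # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


@dataclass
class EtypeInfo2Entry:
    """One ETYPE-INFO2-ENTRY from the KDC's PA-ETYPE-INFO2 (RFC 4120 section 5.2.7.5)."""
    etype: int
    salt: Optional[str] = None         # absent -> client must use the default salt
    s2kparams: Optional[bytes] = None  # absent -> client must use the default iteration count


def default_salt(realm: str, components: List[str]) -> str:
    """RFC 4120 default salt: realm name followed by the principal components, no separators."""
    return realm + "".join(components)


def parse_s2kparams(s2kparams: Optional[bytes]) -> int:
    """RFC 3962: for the AES etypes s2kparams is a 4-octet big-endian PBKDF2 iteration count."""
    if not s2kparams:
        return AES_SHA1_DEFAULT_ITERATIONS
    if len(s2kparams) != 4:
        raise ValueError("aes s2kparams must be exactly 4 octets")
    return struct.unpack(">I", s2kparams)[0]


def aes_tkey(password: str, salt: str, iterations: int, etype: int) -> bytes:
    """tkey = PBKDF2-HMAC-SHA1(password, salt, iterations, keylength), per RFC 3962."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, KEY_LEN[etype])


def kdc_tkey(password: str, realm: str, components: List[str],
             entry: EtypeInfo2Entry) -> bytes:
    """KDC side: the value stored when the principal was created with this salt/s2kparams."""
    salt = entry.salt if entry.salt is not None else default_salt(realm, components)
    return aes_tkey(password, salt, parse_s2kparams(entry.s2kparams), entry.etype)


def client_tkey(password: str, realm: str, components: List[str],
                entry: EtypeInfo2Entry, honor_s2kparams: bool) -> bytes:
    """Client side. honor_s2kparams=False mimics the bug: an entry carrying a
    non-null s2kparams is discarded wholesale, so the KDC's salt AND its
    iteration count are both replaced by the defaults."""
    if entry.s2kparams is not None and not honor_s2kparams:
        salt, iterations = default_salt(realm, components), AES_SHA1_DEFAULT_ITERATIONS
    else:
        salt = entry.salt if entry.salt is not None else default_salt(realm, components)
        iterations = parse_s2kparams(entry.s2kparams)
    return aes_tkey(password, salt, iterations, entry.etype)


def demo() -> dict:
    """Constructed scenario: principal created with a non-default salt and an
    explicit iteration count of 8192 (0x00002000) for aes256-cts-hmac-sha1-96."""
    realm, components, password = "EXAMPLE.COM", ["alice"], "correct horse"
    entry = EtypeInfo2Entry(etype=18, salt="EXAMPLE.COMalice.custom",
                            s2kparams=b"\x00\x00\x20\x00")
    kdc = kdc_tkey(password, realm, components, entry)
    return {
        "buggy_matches": client_tkey(password, realm, components, entry, False) == kdc,
        "fixed_matches": client_tkey(password, realm, components, entry, True) == kdc,
    }


if __name__ == "__main__":
    print(demo())  # {'buggy_matches': False, 'fixed_matches': True}
```

The sanity check a practitioner would run against this is the first RFC 3962 Appendix B vector: password "password", salt "ATHENA.MIT.EDUraeburn" (which is exactly the default salt for raeburn@ATHENA.MIT.EDU), iteration count 1, 128-bit PBKDF2 output cdedb5281bb2f801565a1122b2563515. Note that a KDC entry carrying only a non-default iteration count, with the default salt, is enough to break the buggy client, because the iteration count alone changes tkey.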
Issue Links
- backported by
  - JDK-8237154 Kerberos ignores PA-DATA with a non-null s2kparams (Resolved)
  - JDK-8239185 Kerberos ignores PA-DATA with a non-null s2kparams (Resolved)
  - JDK-8240017 Kerberos ignores PA-DATA with a non-null s2kparams (Resolved)