[jboss-jira] [JBoss JIRA] (WFLY-5121) IBM JDK: Wrong IPv6 address type used in TGS-REQ during kerberos authentication

Martin Choma (JIRA) issues at jboss.org
Tue Aug 18 04:24:26 EDT 2015


     [ https://issues.jboss.org/browse/WFLY-5121?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Choma moved JBEAP-734 to WFLY-5121:
------------------------------------------

              Project: WildFly  (was: JBoss Enterprise Application Platform)
                  Key: WFLY-5121  (was: JBEAP-734)
             Workflow: GIT Pull Request workflow   (was: CDW v1)
    Affects Version/s: 10.0.0.Beta1
                           (was: EAP 7.0.0.DR8)
          Component/s: Security
                           (was: Security)
       Target Release:   (was: EAP 7.0.0.GA)


>  IBM JDK: Wrong IPv6 address type used in TGS-REQ during kerberos authentication
> --------------------------------------------------------------------------------
>
>                 Key: WFLY-5121
>                 URL: https://issues.jboss.org/browse/WFLY-5121
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.0.0.Beta1
>            Reporter: Martin Choma
>         Attachments: capture-ibm7-ipv6-AP_ERR_MODIFIED.pcapng
>
>
> IBM JDK has a bug in its KRB5 implementation. It uses address type 23 for IPv6 addresses. RFC 4120 specifies in section 7.5.3 that the IPv6 address type has value 24.
> https://tools.ietf.org/html/rfc4120#section-7.5.3
> The ApacheDS Kerberos server, after receiving a TGS-REQ message with this wrong address type, returns a KRB-ERROR message with error code 41 (KRB5KRB_AP_ERR_MODIFIED).
> The problem occurs during the client's call to the GSSContext.initSecContext() method.
> Additional info:
> If I change the address type value to 24 in the debugger, it starts to work as expected.
> The problem seems to be in com.ibm.security.krb5.internal.HostAddress.getAddrType(InetAddress) method:
> {noformat}
> // Decompiled from the IBM JDK; decompiler line-number comments removed.
> private int getAddrType(InetAddress inetAddress)
> {
>     int addressType = 0;
>     if ((inetAddress instanceof Inet4Address))
>         addressType = 2;    // RFC 4120 section 7.5.3: IPv4 = 2 (correct)
>     else if ((inetAddress instanceof Inet6Address))
>         addressType = 23;   // bug: RFC 4120 section 7.5.3 assigns IPv6 the value 24
>     return addressType;
> }
> {noformat}
> Important part of the call stack:
> {noformat}
>   [1] com.ibm.security.krb5.internal.HostAddress.<init> (HostAddress.java:212)
>   [2] com.ibm.security.krb5.HostAddresses.<init> (HostAddresses.java:85)
>   [3] com.ibm.security.jgss.mech.krb5.Krb5Context.getDelgCreds (Krb5Context.java:2,472)
>   [4] com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext (Krb5Context.java:616)
>   [5] com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext (Krb5Context.java:805)
>   [6] com.ibm.security.jgss.mech.spnego.SPNEGOContext.createInitToken (SPNEGOContext.java:1,146)
>   [7] com.ibm.security.jgss.mech.spnego.SPNEGOContext.initSecContext (SPNEGOContext.java:529)
>   [8] com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:382)
>   [9] com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:331)
>   [10] org.jboss.as.test.integration.security.common.negotiation.JBossNegotiateScheme.authenticate (JBossNegotiateScheme.java:171)
>   [11] org.apache.http.client.protocol.RequestAuthenticationBase.authenticate (RequestAuthenticationBase.java:120)
>   [12] org.apache.http.client.protocol.RequestAuthenticationBase.process (RequestAuthenticationBase.java:83)
>   [13] org.apache.http.client.protocol.RequestTargetAuthentication.process (RequestTargetAuthentication.java:80)
>   [14] org.apache.http.protocol.ImmutableHttpProcessor.process (ImmutableHttpProcessor.java:131)
>   [15] org.apache.http.protocol.HttpRequestExecutor.preProcess (HttpRequestExecutor.java:165)
>   [16] org.apache.http.impl.client.DefaultRequestDirector.execute (DefaultRequestDirector.java:485)
>   [17] org.apache.http.impl.client.AbstractHttpClient.doExecute (AbstractHttpClient.java:863)
>   [18] org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:82)
>   [19] org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:106)
>   [20] org.jboss.as.test.integration.security.common.Utils$2.run (Utils.java:525)
>   [21] org.jboss.as.test.integration.security.common.Utils$2.run (Utils.java:523)
>   [22] java.security.AccessController.doPrivileged (AccessController.java:366)
>   [23] javax.security.auth.Subject.doAs (Subject.java:572)
>   [24] org.jboss.as.test.integration.security.common.Utils.makeCallWithKerberosAuthn (Utils.java:523)
>   [25] org.jboss.as.test.integration.security.loginmodules.negotiation.SPNEGOLoginModuleTestCase.testAuthn (SPNEGOLoginModuleTestCase.java:157)
> ...
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
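The report above boils down to a single wrong integer in the HostAddress element of the TGS-REQ, which the KDC rejects as a modified message. The following added example (not part of the JIRA issue, WildFly, ApacheDS or the IBM JDK) shows how to verify that value directly: it DER-encodes and decodes the RFC 4120 section 5.2.5 structure `HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }` and checks that addr-type matches the address length (4 bytes must carry type 2, 16 bytes must carry type 24). The sample addresses are constructed here and are not taken from the attached capture; `check_host_address` and the other function names are this example's own. The same check can be run over HostAddress bytes extracted from a packet capture to confirm whether a client is emitting type 23 for IPv6.

```python
import ipaddress

# addr-type values from RFC 4120 section 7.5.3
ADDR_TYPE_IPV4 = 2
ADDR_TYPE_IPV6 = 24
# value the IBM JDK HostAddress.getAddrType() emits for IPv6, per the report
IBM_JDK_WRONG_IPV6_TYPE = 23


def expected_addr_type(address: bytes) -> int:
    """Return the RFC 4120 addr-type implied by the raw address length."""
    if len(address) == 4:
        return ADDR_TYPE_IPV4
    if len(address) == 16:
        return ADDR_TYPE_IPV6
    raise ValueError(f"unsupported address length {len(address)}")


def _der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _der_int(value: int) -> bytes:
    """DER INTEGER, two's complement, minimal length."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return _der_tlv(0x02, body)


def encode_host_address(addr_type: int, address: bytes) -> bytes:
    """DER-encode HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }."""
    inner = _der_tlv(0xA0, _der_int(addr_type)) + _der_tlv(0xA1, _der_tlv(0x04, address))
    return _der_tlv(0x30, inner)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_host_address(der: bytes):
    """Parse a DER HostAddress; return (addr_type, address_bytes)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag0, ctx0, pos = _read_tlv(seq, 0)
    tag1, ctx1, pos = _read_tlv(seq, pos)
    if tag0 != 0xA0 or tag1 != 0xA1 or pos != len(seq):
        raise ValueError("unexpected HostAddress structure")
    itag, ival, _ = _read_tlv(ctx0, 0)
    otag, oval, _ = _read_tlv(ctx1, 0)
    if itag != 0x02 or otag != 0x04:
        raise ValueError("addr-type must be INTEGER and address an OCTET STRING")
    return int.from_bytes(ival, "big", signed=True), oval


def check_host_address(der: bytes) -> dict:
    """Decode a HostAddress and report whether addr-type matches the address family."""
    addr_type, address = decode_host_address(der)
    expected = expected_addr_type(address)
    return {
        "address": str(ipaddress.ip_address(address)),
        "addr_type": addr_type,
        "expected": expected,
        "ok": addr_type == expected,
    }


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not from the attached capture.
    v6 = ipaddress.ip_address("2001:db8::1").packed
    v4 = ipaddress.ip_address("192.0.2.10").packed
    samples = [
        ("IBM JDK IPv6, type 23", encode_host_address(IBM_JDK_WRONG_IPV6_TYPE, v6)),
        ("RFC 4120 IPv6, type 24", encode_host_address(ADDR_TYPE_IPV6, v6)),
        ("IPv4, type 2", encode_host_address(ADDR_TYPE_IPV4, v4)),
    ]
    for label, der in samples:
        print(f"{label}: {check_host_address(der)}")
```

Running the script prints `ok: False` with `expected: 24` for the first sample and `ok: True` for the other two, which is the condition a KDC such as ApacheDS turns into KRB5KRB_AP_ERR_MODIFIED.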