Bug
Resolution: Won't Do
Major
10.0.0.Beta1
None
IBM JDK has a bug in its KRB5 implementation. It uses Address type 23 for IPv6 addresses. The RFC-4120 specifies in section 7.5.3 that IPv6 address type has value 24.
https://tools.ietf.org/html/rfc4120#section-7.5.3
After receiving a TGS-REQ message with this wrong address type, the ApacheDS Kerberos server returns a KRB-ERROR message with error code 41 (KRB5KRB_AP_ERR_MODIFIED).
The problem occurs during the client's call to the GSSContext.initSecContext() method.
Additional info:
If I change the address type value in the debugger to 24, it starts to work as expected.
The problem seems to be in com.ibm.security.krb5.internal.HostAddress.getAddrType(InetAddress) method:
    private int getAddrType(InetAddress inetAddress)
    {
        int addressType = 0;
        if ((inetAddress instanceof Inet4Address))
            addressType = 2;   // IPv4
        else if ((inetAddress instanceof Inet6Address))
            addressType = 23;  // the value this report identifies as wrong; RFC 4120 section 7.5.3 gives 24 for IPv6
        return addressType;
    }
Important part of the call stack:
    [1] com.ibm.security.krb5.internal.HostAddress.<init> (HostAddress.java:212)
    [2] com.ibm.security.krb5.HostAddresses.<init> (HostAddresses.java:85)
    [3] com.ibm.security.jgss.mech.krb5.Krb5Context.getDelgCreds (Krb5Context.java:2,472)
    [4] com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext (Krb5Context.java:616)
    [5] com.ibm.security.jgss.mech.krb5.Krb5Context.initSecContext (Krb5Context.java:805)
    [6] com.ibm.security.jgss.mech.spnego.SPNEGOContext.createInitToken (SPNEGOContext.java:1,146)
    [7] com.ibm.security.jgss.mech.spnego.SPNEGOContext.initSecContext (SPNEGOContext.java:529)
    [8] com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:382)
    [9] com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:331)
    [10] org.jboss.as.test.integration.security.common.negotiation.JBossNegotiateScheme.authenticate (JBossNegotiateScheme.java:171)
    [11] org.apache.http.client.protocol.RequestAuthenticationBase.authenticate (RequestAuthenticationBase.java:120)
    [12] org.apache.http.client.protocol.RequestAuthenticationBase.process (RequestAuthenticationBase.java:83)
    [13] org.apache.http.client.protocol.RequestTargetAuthentication.process (RequestTargetAuthentication.java:80)
    [14] org.apache.http.protocol.ImmutableHttpProcessor.process (ImmutableHttpProcessor.java:131)
    [15] org.apache.http.protocol.HttpRequestExecutor.preProcess (HttpRequestExecutor.java:165)
    [16] org.apache.http.impl.client.DefaultRequestDirector.execute (DefaultRequestDirector.java:485)
    [17] org.apache.http.impl.client.AbstractHttpClient.doExecute (AbstractHttpClient.java:863)
    [18] org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:82)
    [19] org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:106)
    [20] org.jboss.as.test.integration.security.common.Utils$2.run (Utils.java:525)
    [21] org.jboss.as.test.integration.security.common.Utils$2.run (Utils.java:523)
    [22] java.security.AccessController.doPrivileged (AccessController.java:366)
    [23] javax.security.auth.Subject.doAs (Subject.java:572)
    [24] org.jboss.as.test.integration.security.common.Utils.makeCallWithKerberosAuthn (Utils.java:523)
    [25] org.jboss.as.test.integration.security.loginmodules.negotiation.SPNEGOLoginModuleTestCase.testAuthn (SPNEGOLoginModuleTestCase.java:157)
    ...
clones: JBEAP-733 IBM JDK: Wrong IPv6 address type used in TGS-REQ during kerberos authentication (Closed)
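
Added example (not part of the original report, and not IBM or ApacheDS code): a Python check that decodes a DER-encoded Kerberos HostAddress (RFC 4120 section 5.2.5) and flags the addr-type 23 on an IPv6 address described in this report. The function names and the sample bytes are constructed for illustration, and only short-form DER lengths are handled, which is enough for IPv4 and IPv6 entries.

```python
import ipaddress

# RFC 4120 section 7.5.3: addr-type -> (name, address length in bytes)
KNOWN = {2: ("IPv4", 4), 24: ("IPv6", 16)}

def _der(tag, body):
    """Encode one DER TLV (short-form length only; enough for a HostAddress)."""
    return bytes([tag, len(body)]) + body

def _tlv(buf, pos, tag):
    """Decode one short-form DER TLV at pos; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] & 0x80:
        raise ValueError(f"expected tag 0x{tag:02x} with short length at offset {pos}")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated HostAddress")
    return buf[pos + 2:end], end

def build_host_address(addr_type, octets):
    """Build a constructed sample: SEQUENCE { [0] INTEGER, [1] OCTET STRING }."""
    return _der(0x30, _der(0xA0, _der(0x02, bytes([addr_type])))
                + _der(0xA1, _der(0x04, octets)))

def parse_host_address(der):
    """Return (addr_type, address bytes) from a DER HostAddress."""
    seq, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after HostAddress")
    type_field, pos = _tlv(seq, 0, 0xA0)
    addr_field, _ = _tlv(seq, pos, 0xA1)
    addr_type = int.from_bytes(_tlv(type_field, 0, 0x02)[0], "big", signed=True)
    return addr_type, _tlv(addr_field, 0, 0x04)[0]

def check_host_address(der):
    """Classify a HostAddress against the RFC 4120 IPv4/IPv6 type values."""
    addr_type, octets = parse_host_address(der)
    if addr_type in KNOWN and len(octets) == KNOWN[addr_type][1]:
        return f"ok: {KNOWN[addr_type][0]} {ipaddress.ip_address(octets)}"
    if addr_type == 23 and len(octets) == 16:
        return f"mismatch: addr-type 23 on IPv6 {ipaddress.ip_address(octets)}, RFC 4120 says 24"
    return f"unchecked: addr-type {addr_type}, {len(octets)} address bytes"

if __name__ == "__main__":
    loopback6 = ipaddress.ip_address("::1").packed  # constructed sample address
    for t in (23, 24):
        print(check_host_address(build_host_address(t, loopback6)))
```

To use it on real traffic, pass each HostAddress element extracted from the addresses field of a captured request body to check_host_address.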