8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime

Reviewed-by: xuelei
This commit is contained in:
Weijun Wang 2017-08-25 09:28:10 +08:00
parent 15a9282cb9
commit 56d9e8360f
5 changed files with 104 additions and 15 deletions

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -307,11 +307,7 @@ public class KerberosTicket implements Destroyable, Refreshable,
this.flags = new boolean[NUM_FLAGS];
}
if (this.flags[RENEWABLE_TICKET_FLAG]) {
if (renewTill == null) {
throw new IllegalArgumentException("The renewable period "
+ "end time cannot be null for renewable tickets.");
}
if (this.flags[RENEWABLE_TICKET_FLAG] && renewTill != null) {
this.renewTill = new Date(renewTill.getTime());
}
@ -579,6 +575,12 @@ public class KerberosTicket implements Destroyable, Refreshable,
if (!isRenewable()) {
throw new RefreshFailedException("This ticket is not renewable");
}
if (getRenewTill() == null) {
// Renewable ticket without renew-till. Illegal and ignored.
return;
}
if (System.currentTimeMillis() > getRenewTill().getTime()) {
throw new RefreshFailedException("This ticket is past "
+ "its last renewal time.");

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -35,6 +35,7 @@ import sun.security.krb5.internal.*;
import sun.security.krb5.internal.crypto.*;
import java.io.IOException;
import java.net.UnknownHostException;
import java.time.Instant;
/**
* This class encapsulates a Kerberos TGS-REQ that is sent from the
@ -285,7 +286,12 @@ public class KrbTgsReq {
throws IOException, KrbException, UnknownHostException {
KerberosTime req_till = null;
if (till == null) {
req_till = new KerberosTime(0);
String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
if (d != null) {
req_till = new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
} else {
req_till = new KerberosTime(0); // Choose KDC maximum allowed
}
} else {
req_till = till;
}

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -994,6 +994,10 @@ public class Krb5LoginModule implements LoginModule {
if (!creds.isRenewable())
throw new RefreshFailedException("This ticket" +
" is not renewable");
if (creds.getRenewTill() == null) {
// Renewable ticket without renew-till. Illegal and ignored.
return creds;
}
if (System.currentTimeMillis() > cred.getRenewTill().getTime())
throw new RefreshFailedException("This ticket is past "
+ "its last renewal time.");

View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,8 +30,6 @@ import java.lang.reflect.Method;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
import java.util.*;
import java.util.concurrent.*;
@ -734,7 +732,7 @@ public class KDC {
if (till == null) {
throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
} else if (till.isZero()) {
till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
till = new KerberosTime(new Date().getTime() + 1000 * DEFAULT_LIFETIME);
}
boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
@ -811,6 +809,18 @@ public class KDC {
}
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
KerberosTime renewTill = etp.renewTill;
if (renewTill != null && body.kdcOptions.get(KDCOptions.RENEW)) {
// till should never pass renewTill
if (till.greaterThan(renewTill)) {
till = renewTill;
}
if (System.getProperty("test.set.null.renew") != null) {
// Testing 8186576, see NullRenewUntil.java.
renewTill = null;
}
}
TicketFlags tFlags = new TicketFlags(bFlags);
EncTicketPart enc = new EncTicketPart(
tFlags,
@ -819,7 +829,7 @@ public class KDC {
new TransitedEncoding(1, new byte[0]), // TODO
new KerberosTime(new Date()),
body.from,
till, etp.renewTill,
till, renewTill,
body.addresses != null ? body.addresses
: etp.caddr,
null);
@ -844,7 +854,7 @@ public class KDC {
tFlags,
new KerberosTime(new Date()),
body.from,
till, etp.renewTill,
till, renewTill,
service,
body.addresses
);

View File

@ -0,0 +1,67 @@
/*
* Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8186576
* @summary KerberosTicket does not properly handle renewable tickets
* at the end of their lifetime
* @library /test/lib
* @compile -XDignore.symbol.file NullRenewUntil.java
* @run main/othervm -Dtest.set.null.renew NullRenewUntil
*/
import jdk.test.lib.Asserts;
import sun.security.krb5.Config;
import javax.security.auth.kerberos.KerberosTicket;
public class NullRenewUntil {
public static void main(String[] args) throws Exception {
OneKDC kdc = new OneKDC(null);
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
"ticket_lifetime = 10s",
"renew_lifetime = 11s");
Config.refresh();
KerberosTicket ticket = Context
.fromUserPass(OneKDC.USER, OneKDC.PASS, false).s()
.getPrivateCredentials(KerberosTicket.class).iterator().next();
System.out.println(ticket);
Asserts.assertTrue(ticket.getRenewTill() != null, ticket.toString());
Thread.sleep(2000);
ticket.refresh();
System.out.println(ticket);
Asserts.assertTrue(ticket.getRenewTill() == null, ticket.toString());
Thread.sleep(2000);
ticket.refresh();
System.out.println(ticket);
}
}