changeset 13773:a97ac4b5e45a

8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime Reviewed-by: mbalao
author andrew
date Sun, 12 Jan 2020 01:07:03 +0000
parents dc83d1c180d2
children 52b4ca5a31fa
files src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java src/share/classes/javax/security/auth/kerberos/KerberosTicket.java src/share/classes/sun/security/krb5/KrbTgsReq.java test/sun/security/krb5/auto/KDC.java test/sun/security/krb5/auto/NullRenewUntil.java
diffstat 5 files changed, 98 insertions(+), 10 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Sun Jan 12 01:02:12 2020 +0000
+++ b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Sun Jan 12 01:07:03 2020 +0000
@@ -1021,6 +1021,10 @@
             if (!creds.isRenewable())
                 throw new RefreshFailedException("This ticket" +
                                 " is not renewable");
+            if (creds.getRenewTill() == null) {
+                // Renewable ticket without renew-till. Illegal and ignored.
+                return creds;
+            }
             if (System.currentTimeMillis() > cred.getRenewTill().getTime())
                 throw new RefreshFailedException("This ticket is past "
                                              + "its last renewal time.");
--- a/src/share/classes/javax/security/auth/kerberos/KerberosTicket.java	Sun Jan 12 01:02:12 2020 +0000
+++ b/src/share/classes/javax/security/auth/kerberos/KerberosTicket.java	Sun Jan 12 01:07:03 2020 +0000
@@ -308,11 +308,7 @@
         } else
            this.flags = new boolean[NUM_FLAGS];
 
-        if (this.flags[RENEWABLE_TICKET_FLAG]) {
-           if (renewTill == null)
-                throw new IllegalArgumentException("The renewable period "
-                       + "end time cannot be null for renewable tickets.");
-
+        if (this.flags[RENEWABLE_TICKET_FLAG] && renewTill != null) {
            this.renewTill = new Date(renewTill.getTime());
         }
 
@@ -553,6 +549,11 @@
         if (!isRenewable())
             throw new RefreshFailedException("This ticket is not renewable");
 
+        if (getRenewTill() == null) {
+            // Renewable ticket without renew-till. Illegal and ignored.
+            return;
+        }
+
         if (System.currentTimeMillis() > getRenewTill().getTime())
             throw new RefreshFailedException("This ticket is past "
                                              + "its last renewal time.");
--- a/src/share/classes/sun/security/krb5/KrbTgsReq.java	Sun Jan 12 01:02:12 2020 +0000
+++ b/src/share/classes/sun/security/krb5/KrbTgsReq.java	Sun Jan 12 01:07:03 2020 +0000
@@ -35,6 +35,7 @@
 import sun.security.krb5.internal.crypto.*;
 import java.io.IOException;
 import java.net.UnknownHostException;
+import java.time.Instant;
 import java.util.Arrays;
 
 /**
@@ -250,7 +251,12 @@
         throws IOException, KrbException, UnknownHostException {
         KerberosTime req_till = null;
         if (till == null) {
-            req_till = new KerberosTime(0);
+            String d = Config.getInstance().get("libdefaults", "ticket_lifetime");
+            if (d != null) {
+                req_till = new KerberosTime(Instant.now().plusSeconds(Config.duration(d)));
+            } else {
+                req_till = new KerberosTime(0); // Choose KDC maximum allowed
+            }
         } else {
             req_till = till;
         }
--- a/test/sun/security/krb5/auto/KDC.java	Sun Jan 12 01:02:12 2020 +0000
+++ b/test/sun/security/krb5/auto/KDC.java	Sun Jan 12 01:07:03 2020 +0000
@@ -30,8 +30,6 @@
 import java.security.SecureRandom;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.time.temporal.TemporalAmount;
-import java.time.temporal.TemporalUnit;
 import java.util.*;
 import java.util.concurrent.*;
 
@@ -912,6 +910,18 @@
             }
             bFlags[Krb5.TKT_OPTS_INITIAL] = true;
 
+            KerberosTime renewTill = etp.renewTill;
+            if (renewTill != null && body.kdcOptions.get(KDCOptions.RENEW)) {
+                // till should never pass renewTill
+                if (till.greaterThan(renewTill)) {
+                    till = renewTill;
+                }
+                if (System.getProperty("test.set.null.renew") != null) {
+                    // Testing 8186576, see NullRenewUntil.java.
+                    renewTill = null;
+                }
+            }
+
             TicketFlags tFlags = new TicketFlags(bFlags);
             EncTicketPart enc = new EncTicketPart(
                     tFlags,
@@ -920,7 +930,7 @@
                     new TransitedEncoding(1, new byte[0]),  // TODO
                     new KerberosTime(new Date()),
                     body.from,
-                    till, etp.renewTill,
+                    till, renewTill,
                     body.addresses != null  // always set caddr
                             ? body.addresses
                             : new HostAddresses(
@@ -947,7 +957,7 @@
                     tFlags,
                     new KerberosTime(new Date()),
                     body.from,
-                    till, etp.renewTill,
+                    till, renewTill,
                     service,
                     body.addresses != null  // always set caddr
                             ? body.addresses
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/NullRenewUntil.java	Sun Jan 12 01:07:03 2020 +0000
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8186576
+ * @summary KerberosTicket does not properly handle renewable tickets
+ *          at the end of their lifetime
+ * @library /lib/testlibrary/
+ * @compile -XDignore.symbol.file NullRenewUntil.java
+ * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock -Dtest.set.null.renew NullRenewUntil
+ */
+
+import jdk.testlibrary.Asserts;
+import sun.security.krb5.Config;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+public class NullRenewUntil {
+
+    public static void main(String[] args) throws Exception {
+
+        OneKDC kdc = new OneKDC(null);
+
+        KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
+                "ticket_lifetime = 10s",
+                "renew_lifetime = 11s");
+        Config.refresh();
+
+        KerberosTicket ticket = Context
+                .fromUserPass(OneKDC.USER, OneKDC.PASS, false).s()
+                .getPrivateCredentials(KerberosTicket.class).iterator().next();
+
+        System.out.println(ticket);
+        Asserts.assertTrue(ticket.getRenewTill() != null, ticket.toString());
+
+        Thread.sleep(2000);
+
+        ticket.refresh();
+        System.out.println(ticket);
+        Asserts.assertTrue(ticket.getRenewTill() == null, ticket.toString());
+
+        Thread.sleep(2000);
+        ticket.refresh();
+        System.out.println(ticket);
+    }
+}