Code changes

   http://cr.openjdk.java.net/~weijun/7077640/webrev.00

The original handling of rrc != 0 is not correct. We did rotate the bytes but have not reset the RRC field in the GSS message header before calculating the checksum. According to RFC 4121 [1]:

4.2.4.  Encryption and Checksum Operations

....

   In Wrap tokens that do not provide for confidentiality, the checksum
   SHALL be calculated first over the to-be-signed plaintext data, and
   then over the first 16 octets of the Wrap token (the "header", as
   defined in section 4.2.6).  Both the EC field and the RRC field in
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   the token header SHALL be filled with zeroes for the purpose of
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   calculating the checksum...
   ^^^^^^^^^^^^^^^^^^^^^^^^

In the test, the Context.transmit() method is split into 4 basic methods so that we have a chance to call wrap without confidentiality.

Thanks
Max

[1] http://tools.ietf.org/html/rfc4121#section-4.2.4


On 08/12/2011 09:41 AM, weijun.w...@oracle.com wrote:
*Change Request ID*: 7077640

*Synopsis*: gss wrap for cfx doesn't handle rrc != 0

   Product: java
   Category: jgss
   Subcategory: krb5plugin

=== *Description* ============================================================
FULL PRODUCT VERSION :
java version "1.6.0_26"

A DESCRIPTION OF THE PROBLEM :
gss wrap for cfx doesn't handle rrc != 0

Heimdal and Mac OS X always use an RRC != 0



STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
git clone g...@github.com:heimdal/heimdal.git
cd heimdal
sh autogen.sh
./configure
make
cd tests/java
make check



REPRODUCIBILITY :
This bug can be reproduced always.
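The checksum rule from the RFC 4121 text quoted above, as an added example that is not part of the original mail or of the JDK's code: it builds and verifies a Wrap token without confidentiality, and `zero_rrc=False` models the defect described in the mail (bytes rotated, RRC left in the header when the checksum is computed). Assumptions: truncated HMAC-SHA1 stands in for the Kerberos keyed checksum, key derivation is skipped, and all function and parameter names are hypothetical.

```python
import hashlib
import hmac
import struct

HDR_LEN = 16    # TOK_ID(2) Flags(1) Filler(1) EC(2) RRC(2) SND_SEQ(8)
CKSUM_LEN = 12  # length of the stand-in checksum (assumption)


def checksum(key, plaintext, header, zero_rrc=True):
    """Stand-in keyed checksum over the plaintext, then the 16-octet header."""
    rrc = b"\x00\x00" if zero_rrc else header[6:8]     # False models the defect
    hdr = header[:4] + b"\x00\x00" + rrc + header[8:]  # EC is always zeroed here
    return hmac.new(key, plaintext + hdr, hashlib.sha1).digest()[:CKSUM_LEN]


def wrap(key, plaintext, seq, rrc):
    """Sender: Wrap token without confidentiality, rotated right by rrc."""
    header = struct.pack(">2sBBHHQ", b"\x05\x04", 0, 0xFF, CKSUM_LEN, rrc, seq)
    body = plaintext + checksum(key, plaintext, header)
    n = rrc % len(body)
    return header + body[len(body) - n:] + body[:len(body) - n]


def unwrap(key, token, zero_rrc=True):
    """Receiver: undo the rotation, then verify. Returns plaintext or raises."""
    header, body = token[:HDR_LEN], token[HDR_LEN:]
    if len(header) < HDR_LEN or header[:2] != b"\x05\x04":
        raise ValueError("not a Wrap token")
    ec, rrc = struct.unpack(">HH", header[4:8])
    if ec == 0 or len(body) < ec:
        raise ValueError("truncated token")
    n = rrc % len(body)
    body = body[n:] + body[:n]                         # rotate left by RRC
    plaintext, received = body[:-ec], body[-ec:]
    if not hmac.compare_digest(received, checksum(key, plaintext, header, zero_rrc)):
        raise ValueError("checksum mismatch")
    return plaintext


def accepts(key, token, zero_rrc):
    try:
        return unwrap(key, token, zero_rrc) is not None
    except ValueError:
        return False


if __name__ == "__main__":
    key, msg = b"k" * 16, b"constructed sample payload"  # constructed input
    print([(r, accepts(key, wrap(key, msg, 1, r), False)) for r in (0, 5)])
```

A verifier that skips the RRC reset still accepts tokens from a peer that sends RRC = 0, so the defect only shows up against peers that rotate.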
