JDK-6959292 : regression: cannot login if session key and preauth does not use the same etype
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2010-06-08
  • Updated: 2011-03-07
  • Resolved: 2011-03-07
Fixed versions:
  • Other: 5.0u29
  • JDK 6: 6u25
  • JDK 7: 7 b100
Description
This is a regression of 6932525.

Before 6932525, Java only used the etype for preauth as supported etypes in the 2nd AS-REQ. As 6932525 shows, this does not interop well with Windows 2008 (with Windows 2000 compat mode), but it does force the KDC to use the same etype in the enc-part of the final AS-REP.

After 6932525, Java allows all supported etypes in the 2nd AS-REQ, and it seems that at least Windows 2000 might respond with an AS-REP whose enc-part is *not* encrypted with the etype used for preauth. Since Java already allows all supported etypes in the request, there is nothing to blame here.

Unfortunately, we have a bug that only uses the preauth etype to decrypt the enc-part in the final AS-REP. Now that the etypes for preauth and enc-part are different, a KrbException is thrown.
The following SQE tests fail in b97 tl pit because of this bug:

SPNEGO_HTTP_AUTH/WWW_KRB	execute_script	pit
SPNEGO_HTTP_AUTH/WWW_SPNEGO	execute_script	pit
SPNEGO_HTTP_AUTH/PROXY_KRB_2	execute_script	pit
SPNEGO_HTTP_AUTH/PROXY_SPNEGO_2	execute_script	pit
SPNEGO_HTTP_AUTH/WWW_SPNEGO_DELE/TRUSTED_HOST_TRUSTED_USER execute_script	pit

Comments
EVALUATION Returns all supported keys in EncryptionKey.acquireSecretKeys(pass,salt,pa,pa_etype,pa_s2kparams)
17-06-2010

EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/3df25d0680f3
17-06-2010
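
A small model of the key-selection problem described in this report, added here as an illustration; it is not the JDK's code or the change in the linked changeset. It uses the public javax.security.auth.kerberos.KerberosKey API on a JDK with AES etypes enabled; the principal, password and the AES128/AES256 etype pairing are constructed, and the helper names deriveKeys and keyFor are hypothetical.

```java
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration, not JDK source. Principal, password and etypes are constructed.
public class EtypeKeySelection {
    // RFC 3962 etype numbers: aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96.
    static final int AES128 = 17, AES256 = 18;

    // Derive one long-term key per algorithm name and index it by its etype.
    static Map<Integer, KerberosKey> deriveKeys(KerberosPrincipal p, char[] pw, String... algs) {
        Map<Integer, KerberosKey> keys = new LinkedHashMap<>();
        for (String alg : algs) {
            KerberosKey k = new KerberosKey(p, pw, alg);
            keys.put(k.getKeyType(), k);
        }
        return keys;
    }

    // Select the key whose etype matches the etype field of the AS-REP enc-part.
    static KerberosKey keyFor(Map<Integer, KerberosKey> keys, int encPartEtype) {
        KerberosKey k = keys.get(encPartEtype);
        if (k == null) {
            throw new IllegalStateException(
                    "no key for etype " + encPartEtype + ", have " + keys.keySet());
        }
        return k;
    }

    public static void main(String[] args) {
        KerberosPrincipal user = new KerberosPrincipal("alice@EXAMPLE.COM");
        char[] pw = "constructed-password".toCharArray();
        int preauthEtype = AES128;  // etype used for preauth in the 2nd AS-REQ
        int encPartEtype = AES256;  // etype the KDC picked for the AS-REP enc-part
        System.out.println("preauth etype " + preauthEtype + ", enc-part etype " + encPartEtype);

        // Behaviour described in the report: only the preauth etype key is available.
        try {
            keyFor(deriveKeys(user, pw, "AES128"), encPartEtype);
        } catch (IllegalStateException e) {
            System.out.println("preauth key only: " + e.getMessage());
        }

        // Keys for every supported etype, then selection by the enc-part etype.
        Map<Integer, KerberosKey> all = deriveKeys(user, pw, "AES128", "AES256");
        System.out.println("all keys: selected etype " + keyFor(all, encPartEtype).getKeyType());
    }
}
```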