JDK-6946669 : SSL/Krb5 should not call EncryptedData.reset(data, false)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2010-04-23
  • Updated: 2011-03-07
  • Resolved: 2011-03-07
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7 b102Fixed
EncryptedData.reset(data, false) is not implemented correct. It always tries to remove last byte number of padding bytes at the end. In fact, even in Java, only DES-related etypes append paddings that way, while 3DES uses all zero, and others does not pad at all.

The method is called in TLS's Kerberos ciphersuite after decrypting pre-master secret. The default etype now is DES-related. However, since DES is now abandoned by most vendors, the bug is likely to show up soon.

Furthermore, it's not interopable with other Kerberos implementations. At least Windows uses all zero for DES-related etypes.

EVALUATION Final fix: only remove padding in two cases: 1. etype is des-cbc-crc, and padding is 4 bytes of 0x04 or 0x00 2. etype is des-cbc-md5, and padding is 8 bytes of 0x08

EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9c0f542c8b37

EVALUATION EncryptedData.reset() seems unfixable. Fix KerberosPreMasterSecret in the JSSE side: Truncate decrypted data to 48-byte long.