Skip to content

Commit

Permalink
8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
Browse files Browse the repository at this point in the history
Co-authored-by: Weijun Wang <weijun@openjdk.org>
Reviewed-by: weijun
  • Loading branch information
2 people authored and Vladimir Kempik committed Sep 24, 2021
1 parent 5a12af7 commit 5ba0d09
Show file tree
Hide file tree
Showing 3 changed files with 88 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -256,9 +256,14 @@ private byte[] sendIfPossible(byte[] obuf, String tempKdc, boolean useTCP)
} catch (Exception e) {
// OK
}
if (ke != null && ke.getErrorCode() ==
if (ke != null) {
if (ke.getErrorCode() ==
Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
ibuf = send(obuf, tempKdc, true);
ibuf = send(obuf, tempKdc, true);
} else if (ke.getErrorCode() ==
Krb5.KDC_ERR_SVC_UNAVAILABLE) {
throw new KrbException("A service is not available");
}
}
KdcAccessibility.removeBad(tempKdc);
return ibuf;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,7 @@ public class Krb5 {
public static final int KDC_ERR_KEY_EXPIRED = 23; //Password has expired - change password to reset
public static final int KDC_ERR_PREAUTH_FAILED = 24; //Pre-authentication information was invalid
public static final int KDC_ERR_PREAUTH_REQUIRED = 25; //Additional pre-authentication required
public static final int KDC_ERR_SVC_UNAVAILABLE = 29; //A service is not available
public static final int KRB_AP_ERR_BAD_INTEGRITY = 31; //Integrity check on decrypted field failed
public static final int KRB_AP_ERR_TKT_EXPIRED = 32; //Ticket expired
public static final int KRB_AP_ERR_TKT_NYV = 33; //Ticket not yet valid
Expand Down
80 changes: 80 additions & 0 deletions test/jdk/sun/security/krb5/auto/Unavailable.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
/*
* Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @bug 8274205
* @summary Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
* @library /test/lib
* @compile -XDignore.symbol.file Unavailable.java
* @run main jdk.test.lib.FileInstaller TestHosts TestHosts
* @run main/othervm -Djdk.net.hosts.file=TestHosts Unavailable
*/

import sun.security.krb5.Config;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.KRBError;
import sun.security.krb5.internal.KerberosTime;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;

public class Unavailable {

public static void main(String[] args) throws Exception {

// Good KDC
KDC kdc1 = KDC.create(OneKDC.REALM);
kdc1.addPrincipal(OneKDC.USER, OneKDC.PASS);
kdc1.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);

// The "not available" KDC
KDC kdc2 = new KDC(OneKDC.REALM, "kdc." + OneKDC.REALM.toLowerCase(Locale.US), 0, true) {
@Override
protected byte[] processAsReq(byte[] in) throws Exception {
KRBError err = new KRBError(null, null, null,
KerberosTime.now(), 0,
29, // KDC_ERR_SVC_UNAVAILABLE
null, new PrincipalName("krbtgt/" + OneKDC.REALM),
null, null);
return err.asn1Encode();
}
};

Files.write(Path.of(OneKDC.KRB5_CONF), String.format("""
[libdefaults]
default_realm = RABBIT.HOLE
[realms]
RABBIT.HOLE = {
kdc = kdc.rabbit.hole:%d
kdc = kdc.rabbit.hole:%d
}
""", kdc2.getPort(), kdc1.getPort()).getBytes());
System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
Config.refresh();

Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
}
}

3 comments on commit 5ba0d09

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GoeLin
Copy link
Member

@GoeLin GoeLin commented on 5ba0d09 Jun 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/backport jdk11u-dev

@openjdk
Copy link

@openjdk openjdk bot commented on 5ba0d09 Jun 6, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GoeLin the backport was successfully created on the branch GoeLin-backport-5ba0d09f in my personal fork of openjdk/jdk11u-dev. To create a pull request with this backport targeting openjdk/jdk11u-dev:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 5ba0d09f from the openjdk/jdk repository.

The commit being backported was authored by Alexey Bakhtin on 24 Sep 2021 and was reviewed by Weijun Wang.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk11u-dev:

$ git fetch https://github.com/openjdk-bots/jdk11u-dev.git GoeLin-backport-5ba0d09f:GoeLin-backport-5ba0d09f
$ git checkout GoeLin-backport-5ba0d09f
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk11u-dev.git GoeLin-backport-5ba0d09f

Please sign in to comment.