8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup

martinuy · martinuy · commit bdfc60abbd85 · 2021-08-11T19:01:23.000Z
Backport-of: 67869b491ae1eaf311dfb8c61a9e94329a822ffc
diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java b/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,22 +53,22 @@ private static enum S4U2Type {
 
     /**
      * Used by a middle server to acquire credentials on behalf of a
-     * client to itself using the S4U2self extension.
-     * @param client the client to impersonate
+     * user to itself using the S4U2self extension.
+     * @param user the user to impersonate
      * @param ccreds the TGT of the middle service
-     * @return the new creds (cname=client, sname=middle)
+     * @return the new creds (cname=user, sname=middle)
      */
-    public static Credentials acquireS4U2selfCreds(PrincipalName client,
+    public static Credentials acquireS4U2selfCreds(PrincipalName user,
             Credentials ccreds) throws KrbException, IOException {
         if (!ccreds.isForwardable()) {
             throw new KrbException("S4U2self needs a FORWARDABLE ticket");
         }
         PrincipalName sname = ccreds.getClient();
-        String uRealm = client.getRealmString();
+        String uRealm = user.getRealmString();
         String localRealm = ccreds.getClient().getRealmString();
         if (!uRealm.equals(localRealm)) {
             // Referrals will be required because the middle service
-            // and the client impersonated are on different realms.
+            // and the user impersonated are on different realms.
             if (Config.DISABLE_REFERRALS) {
                 throw new KrbException("Cross-realm S4U2Self request not" +
                         " possible when referrals are disabled.");
@@ -87,18 +87,18 @@ public static Credentials acquireS4U2selfCreds(PrincipalName client,
         }
         Credentials creds = serviceCreds(
                 KDCOptions.with(KDCOptions.FORWARDABLE),
-                ccreds, ccreds.getClient(), sname, null,
-                new PAData[] {
+                ccreds, ccreds.getClient(), sname, user,
+                null, new PAData[] {
                         new PAData(Krb5.PA_FOR_USER,
-                                new PAForUserEnc(client,
+                                new PAForUserEnc(user,
                                         ccreds.getSessionKey()).asn1Encode()),
                         new PAData(Krb5.PA_PAC_OPTIONS,
                                 new PaPacOptions()
                                         .setResourceBasedConstrainedDelegation(true)
                                         .setClaims(true)
                                         .asn1Encode())
                         }, S4U2Type.SELF);
-        if (!creds.getClient().equals(client)) {
+        if (!creds.getClient().equals(user)) {
             throw new KrbException("S4U2self request not honored by KDC");
         }
         if (!creds.isForwardable()) {
@@ -136,7 +136,7 @@ public static Credentials acquireS4U2proxyCreds(
         }
         Credentials creds = serviceCreds(KDCOptions.with(
                 KDCOptions.CNAME_IN_ADDL_TKT, KDCOptions.FORWARDABLE),
-                ccreds, ccreds.getClient(), backendPrincipal,
+                ccreds, ccreds.getClient(), backendPrincipal, null,
                 new Ticket[] {second}, new PAData[] {
                         new PAData(Krb5.PA_PAC_OPTIONS,
                                 new PaPacOptions()
@@ -313,7 +313,7 @@ private static Credentials serviceCreds(
             throws KrbException, IOException {
         return serviceCreds(new KDCOptions(), ccreds,
                 ccreds.getClient(), service, null, null,
-                S4U2Type.NONE);
+                null, S4U2Type.NONE);
     }
 
     /*
@@ -325,21 +325,21 @@ private static Credentials serviceCreds(
     private static Credentials serviceCreds(
             KDCOptions options, Credentials asCreds,
             PrincipalName cname, PrincipalName sname,
-            Ticket[] additionalTickets, PAData[] extraPAs,
-            S4U2Type s4u2Type)
+            PrincipalName user, Ticket[] additionalTickets,
+            PAData[] extraPAs, S4U2Type s4u2Type)
             throws KrbException, IOException {
         if (!Config.DISABLE_REFERRALS) {
             try {
                 return serviceCredsReferrals(options, asCreds, cname, sname,
-                        s4u2Type, additionalTickets, extraPAs);
+                        s4u2Type, user, additionalTickets, extraPAs);
             } catch (KrbException e) {
                 // Server may raise an error if CANONICALIZE is true.
                 // Try CANONICALIZE false.
             }
         }
         return serviceCredsSingle(options, asCreds, cname,
                 asCreds.getClientAlias(), sname, sname, s4u2Type,
-                additionalTickets, extraPAs);
+                user, additionalTickets, extraPAs);
     }
 
     /*
@@ -349,8 +349,8 @@ private static Credentials serviceCreds(
     private static Credentials serviceCredsReferrals(
             KDCOptions options, Credentials asCreds,
             PrincipalName cname, PrincipalName sname,
-            S4U2Type s4u2Type, Ticket[] additionalTickets,
-            PAData[] extraPAs)
+            S4U2Type s4u2Type, PrincipalName user,
+            Ticket[] additionalTickets, PAData[] extraPAs)
                     throws KrbException, IOException {
         options = new KDCOptions(options.toBooleanArray());
         options.set(KDCOptions.CANONICALIZE, true);
@@ -362,12 +362,13 @@ private static Credentials serviceCredsReferrals(
         PrincipalName clientAlias = asCreds.getClientAlias();
         while (referrals.size() <= Config.MAX_REFERRALS) {
             ReferralsCache.ReferralCacheEntry ref =
-                    ReferralsCache.get(cname, sname, refSname.getRealmString());
+                    ReferralsCache.get(cname, sname, user,
+                            additionalTickets, refSname.getRealmString());
             String toRealm = null;
             if (ref == null) {
                 creds = serviceCredsSingle(options, asCreds, cname,
                         clientAlias, refSname, cSname, s4u2Type,
-                        additionalTickets, extraPAs);
+                        user, additionalTickets, extraPAs);
                 PrincipalName server = creds.getServer();
                 if (!refSname.equals(server)) {
                     String[] serverNameStrings = server.getNameStrings();
@@ -378,15 +379,9 @@ private static Credentials serviceCredsReferrals(
                                 serverNameStrings[1])) {
                         // Server Name (sname) has the following format:
                         //      krbtgt/TO-REALM.COM@FROM-REALM.COM
-                        if (s4u2Type == S4U2Type.NONE) {
-                            // Do not store S4U2Self or S4U2Proxy referral
-                            // TGTs in the cache. Caching such tickets is not
-                            // defined in MS-SFU and may cause unexpected
-                            // results when using them in a different context.
-                            ReferralsCache.put(cname, sname,
-                                    server.getRealmString(),
-                                    serverNameStrings[1], creds);
-                        }
+                        ReferralsCache.put(cname, sname, user,
+                                additionalTickets, server.getRealmString(),
+                                serverNameStrings[1], creds);
                         toRealm = serverNameStrings[1];
                         isReferral = true;
                     }
@@ -411,7 +406,7 @@ private static Credentials serviceCredsReferrals(
                     }
                     additionalTickets[0] = credsInOut[1].getTicket();
                 } else if (s4u2Type == S4U2Type.SELF) {
-                    handleS4U2SelfReferral(extraPAs, asCreds, creds);
+                    handleS4U2SelfReferral(extraPAs, user, creds);
                 }
                 if (referrals.contains(toRealm)) {
                     // Referrals loop detected
@@ -440,8 +435,8 @@ private static Credentials serviceCredsSingle(
             KDCOptions options, Credentials asCreds,
             PrincipalName cname, PrincipalName clientAlias,
             PrincipalName refSname, PrincipalName sname,
-            S4U2Type s4u2Type, Ticket[] additionalTickets,
-            PAData[] extraPAs)
+            S4U2Type s4u2Type, PrincipalName user,
+            Ticket[] additionalTickets, PAData[] extraPAs)
                     throws KrbException, IOException {
         Credentials theCreds = null;
         boolean[] okAsDelegate = new boolean[]{true};
@@ -469,7 +464,7 @@ private static Credentials serviceCredsSingle(
                 Credentials.printDebug(newTgt);
             }
             if (s4u2Type == S4U2Type.SELF) {
-                handleS4U2SelfReferral(extraPAs, asCreds, newTgt);
+                handleS4U2SelfReferral(extraPAs, user, newTgt);
             }
             asCreds = newTgt;
             cname = asCreds.getClient();
@@ -498,19 +493,16 @@ private static Credentials serviceCredsSingle(
      * different realm or when using a referral TGT.
      */
     private static void handleS4U2SelfReferral(PAData[] pas,
-            Credentials oldCeds, Credentials newCreds)
+            PrincipalName user, Credentials newCreds)
                     throws Asn1Exception, KrbException, IOException {
         if (DEBUG) {
             System.out.println(">>> Handling S4U2Self referral");
         }
         for (int i = 0; i < pas.length; i++) {
             PAData pa = pas[i];
             if (pa.getType() == Krb5.PA_FOR_USER) {
-                PAForUserEnc paForUser = new PAForUserEnc(
-                        new DerValue(pa.getValue()),
-                        oldCeds.getSessionKey());
                 pas[i] = new PAData(Krb5.PA_FOR_USER,
-                        new PAForUserEnc(paForUser.getName(),
+                        new PAForUserEnc(user,
                                 newCreds.getSessionKey()).asn1Encode());
                 break;
             }
diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/internal/ReferralsCache.java b/src/java.security.jgss/share/classes/sun/security/krb5/internal/ReferralsCache.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,12 +25,14 @@
 
 package sun.security.krb5.internal;
 
+import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Objects;
 
 import sun.security.krb5.Credentials;
 import sun.security.krb5.PrincipalName;
@@ -51,19 +53,33 @@ final class ReferralsCache {
     static private final class ReferralCacheKey {
         private PrincipalName cname;
         private PrincipalName sname;
-        ReferralCacheKey (PrincipalName cname, PrincipalName sname) {
+        private PrincipalName user; // S4U2Self only
+        private byte[] userSvcTicketEnc; // S4U2Proxy only
+        ReferralCacheKey (PrincipalName cname, PrincipalName sname,
+                PrincipalName user, Ticket userSvcTicket) {
             this.cname = cname;
             this.sname = sname;
+            this.user = user;
+            if (userSvcTicket != null && userSvcTicket.encPart != null) {
+                byte[] userSvcTicketEnc = userSvcTicket.encPart.getBytes();
+                if (userSvcTicketEnc.length > 0) {
+                    this.userSvcTicketEnc = userSvcTicketEnc;
+                }
+            }
         }
         public boolean equals(Object other) {
             if (!(other instanceof ReferralCacheKey))
                 return false;
             ReferralCacheKey that = (ReferralCacheKey)other;
             return cname.equals(that.cname) &&
-                    sname.equals(that.sname);
+                    sname.equals(that.sname) &&
+                    Objects.equals(user, that.user) &&
+                    Arrays.equals(userSvcTicketEnc, that.userSvcTicketEnc);
         }
         public int hashCode() {
-            return cname.hashCode() + sname.hashCode();
+            return cname.hashCode() + sname.hashCode() +
+                    Objects.hashCode(user) +
+                    Arrays.hashCode(userSvcTicketEnc);
         }
     }
 
@@ -84,7 +100,8 @@ String getToRealm() {
 
     /*
      * Add a new referral entry to the cache, including: client principal,
-     * service principal, source KDC realm, destination KDC realm and
+     * service principal, user principal (S4U2Self only), client service
+     * ticket (S4U2Proxy only), source KDC realm, destination KDC realm and
      * referral TGT.
      *
      * If a loop is generated when adding the new referral, the first hop is
@@ -94,8 +111,12 @@ String getToRealm() {
      * REALM-1.COM -> REALM-2.COM referral entry is removed from the cache.
      */
     static synchronized void put(PrincipalName cname, PrincipalName service,
-            String fromRealm, String toRealm, Credentials creds) {
-        ReferralCacheKey k = new ReferralCacheKey(cname, service);
+            PrincipalName user, Ticket[] userSvcTickets, String fromRealm,
+            String toRealm, Credentials creds) {
+        Ticket userSvcTicket = (userSvcTickets != null ?
+                userSvcTickets[0] : null);
+        ReferralCacheKey k = new ReferralCacheKey(cname, service,
+                user, userSvcTicket);
         pruneExpired(k);
         if (creds.getEndTime().before(new Date())) {
             return;
@@ -125,11 +146,16 @@ static synchronized void put(PrincipalName cname, PrincipalName service,
 
     /*
      * Obtain a referral entry from the cache given a client principal,
-     * service principal and a source KDC realm.
+     * a service principal, a user principal (S4U2Self only), a client
+     * service ticket (S4U2Proxy only) and a source KDC realm.
      */
     static synchronized ReferralCacheEntry get(PrincipalName cname,
-            PrincipalName service, String fromRealm) {
-        ReferralCacheKey k = new ReferralCacheKey(cname, service);
+            PrincipalName service, PrincipalName user,
+            Ticket[] userSvcTickets, String fromRealm) {
+        Ticket userSvcTicket = (userSvcTickets != null ?
+                userSvcTickets[0] : null);
+        ReferralCacheKey k = new ReferralCacheKey(cname, service,
+                user, userSvcTicket);
         pruneExpired(k);
         Map<String, ReferralCacheEntry> entries = referralsMap.get(k);
         if (entries != null) {
diff --git a/test/jdk/sun/security/krb5/auto/ReferralsTest.java b/test/jdk/sun/security/krb5/auto/ReferralsTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -287,6 +287,16 @@ private static void testDelegation() throws Exception {
      * on different realms.
      */
     private static void testImpersonation() throws Exception {
+        testImpersonationSingle();
+
+        // Try a second time to force the use of the Referrals Cache.
+        // During this execution, the referral ticket from RABBIT.HOLE
+        // to DEV.RABBIT.HOLE (upon the initial S4U2Self message) will
+        // be obtained from the Cache.
+        testImpersonationSingle();
+    }
+
+    private static void testImpersonationSingle() throws Exception {
         Context s = Context.fromUserPass(serviceKDC2Name, password, true);
         s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
         GSSName impName = s.impersonate(userKDC1Name).cred().getName();
@@ -306,6 +316,16 @@ private static void testImpersonation() throws Exception {
      * because the server and the backend are on different realms.
      */
     private static void testDelegationWithReferrals() throws Exception {
+        testDelegationWithReferralsSingle();
+
+        // Try a second time to force the use of the Referrals Cache.
+        // During this execution, the referral ticket from RABBIT.HOLE
+        // to DEV.RABBIT.HOLE (upon the initial S4U2Proxy message) will
+        // be obtained from the Cache.
+        testDelegationWithReferralsSingle();
+    }
+
+    private static void testDelegationWithReferralsSingle() throws Exception {
         Context c = Context.fromUserPass(userKDC1Name, password, false);
         c.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
         Context s = Context.fromUserPass(serviceKDC2Name, password, true);
