8279520: SPNEGO has not passed channel binding info into the underlying mechanism

wangweij · wangweij · commit 8d0f385fd024 · 2022-01-06T22:02:55.000Z
Reviewed-by: mullan, valeriep
diff --git a/src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -866,6 +866,7 @@ private byte[] GSS_initSecContext(byte[] token) throws GSSException {
             mechContext.requestMutualAuth(mutualAuthState);
             mechContext.requestReplayDet(replayDetState);
             mechContext.requestSequenceDet(sequenceDetState);
+            mechContext.setChannelBinding(channelBinding);
             if (mechContext instanceof GSSContextImpl) {
                 ((GSSContextImpl)mechContext).requestDelegPolicy(
                         delegPolicyState);
@@ -899,6 +900,7 @@ private byte[] GSS_acceptSecContext(byte[] token) throws GSSException {
                 myCred.getInternalCred());
             }
             mechContext = factory.manager.createContext(cred);
+            mechContext.setChannelBinding(channelBinding);
         }
 
         // pass token to mechanism acceptSecContext
diff --git a/test/jdk/sun/security/krb5/auto/IgnoreChannelBinding.java b/test/jdk/sun/security/krb5/auto/IgnoreChannelBinding.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 6851973 8194486
+ * @bug 6851973 8194486 8279520
  * @summary ignore incoming channel binding if acceptor does not set one
  * @library /test/lib
  * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
@@ -33,6 +33,7 @@
 import java.net.InetAddress;
 import org.ietf.jgss.ChannelBinding;
 import org.ietf.jgss.GSSException;
+import org.ietf.jgss.Oid;
 import sun.security.jgss.GSSUtil;
 
 public class IgnoreChannelBinding {
@@ -41,33 +42,38 @@ public static void main(String[] args)
             throws Exception {
 
         new OneKDC(null).writeJAASConf();
+        test(GSSUtil.GSS_KRB5_MECH_OID);
+        test(GSSUtil.GSS_SPNEGO_MECH_OID);
+    }
+
+    static void test(Oid mech) throws Exception {
 
         Context c = Context.fromJAAS("client");
         Context s = Context.fromJAAS("server");
 
         // All silent
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
+        s.startAsServer(mech);
         Context.handshake(c, s);
 
         // Initiator req, acceptor ignore
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
         c.x().setChannelBinding(new ChannelBinding(
                 InetAddress.getByName("client.rabbit.hole"),
                 InetAddress.getByName("host.rabbit.hole"),
                 new byte[0]
                 ));
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(mech);
         Context.handshake(c, s);
 
         // Both req, and match
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
         c.x().setChannelBinding(new ChannelBinding(
                 InetAddress.getByName("client.rabbit.hole"),
                 InetAddress.getByName("host.rabbit.hole"),
                 new byte[0]
                 ));
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(mech);
         s.x().setChannelBinding(new ChannelBinding(
                 InetAddress.getByName("client.rabbit.hole"),
                 InetAddress.getByName("host.rabbit.hole"),
@@ -76,13 +82,13 @@ public static void main(String[] args)
         Context.handshake(c, s);
 
         // Both req, NOT match
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
         c.x().setChannelBinding(new ChannelBinding(
                 InetAddress.getByName("client.rabbit.hole"),
                 InetAddress.getByName("host.rabbit.hole"),
                 new byte[0]
                 ));
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(mech);
         s.x().setChannelBinding(new ChannelBinding(
                 InetAddress.getByName("client.rabbit.hole"),
                 InetAddress.getByName("host.rabbit.hole"),
@@ -96,8 +102,8 @@ public static void main(String[] args)
         }
 
         // Acceptor req, reject
-        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        c.startAsClient(OneKDC.SERVER, mech);
+        s.startAsServer(mech);
         s.x().setChannelBinding(new ChannelBinding(
                 InetAddress.getByName("client.rabbit.hole"),
                 InetAddress.getByName("host.rabbit.hole"),
