Bug 1481103 - NullPointerException when setting org.ietf.jgss.ChannelBinding without InetAddresses in GSSContext
Summary: NullPointerException when setting org.ietf.jgss.ChannelBinding without InetA...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: java-1.8.0-ibm
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: 7.5
Assignee: jiri vanek
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks: 1399177
Reported: 2017-08-14 06:10 UTC by Josef Cacek
Modified: 2018-03-21 16:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-21 16:46:15 UTC
Target Upstream Version:
Embargoed:


Attachments
bz-1481103-reproducer.zip (5.27 KB, application/zip)
2017-08-22 15:27 UTC, Josef Cacek
bz-1481103-reproducer.log (35.13 KB, text/plain)
2017-08-22 15:31 UTC, Josef Cacek
java.security (44.00 KB, text/plain)
2017-08-22 15:33 UTC, Josef Cacek
ibmjgssprovider.jar testfix (1.02 MB, application/octet-stream)
2017-09-10 23:50 UTC, IBM Bug Proxy


Links
System ID Private Priority Status Summary Last Updated
IBM Linux Technology Center 157650 0 None None None 2017-08-14 13:53:20 UTC
Red Hat Issue Tracker JBEAP-12698 0 Blocker Closed Elytron GS2-KRB5 SASL mechanism implementation throws NullPointerException on IBM JDK 2018-10-26 06:21:52 UTC

Description Josef Cacek 2017-08-14 06:10:30 UTC
Description of problem:

org.ietf.jgss.ChannelBinding constructed without InetAddresses causes NullPointerException when passed into gssContext.setChannelBinding(channelBinding):

java.lang.NullPointerException
        at com.ibm.security.krb5.internal.HostAddress.<init>(HostAddress.java:62)
        at com.ibm.security.jgss.mech.krb5.Z.<init>(Z.java:71)
        at com.ibm.security.jgss.mech.krb5.g.setChannelBinding(g.java:1108)
        at com.ibm.security.jgss.GSSContextImpl.setChannelBinding(GSSContextImpl.java:287)

There is a missing null-check in Z.<init>

We hit this issue in GS2 family SASL mechanism implementations in the WildFly Elytron project.

The related RFC 5801 Section 5.1 indicates that the initiator address and acceptor address should be unspecified:

> The initiator-address-type and acceptor-address-type fields of the GSS-CHANNEL-BINDINGS structure MUST be set to 0. The initiator-address and acceptor-address fields MUST be the empty string.

The ChannelBinding documentation talks about nulls allowed for both - initiatorAddress and acceptorAddress:
https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.api.doc/jgss/org/ietf/jgss/ChannelBinding.html


Version-Release number of selected component (if applicable):
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr4fp6-20170518_02(SR4 FP6))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170516_348050 (JIT enabled, AOT enabled)
J9VM - R28_20170516_1905_B348050
JIT  - tr.r14.java_20170516_348050
GC   - R28_20170516_1905_B348050_CMPRSS
J9CL - 20170516_348050)
JCL - 20170516_01 based on Oracle jdk8u131-b11

How reproducible:
Always

Steps to Reproduce are available in WildFly JIRA https://issues.jboss.org/browse/JBEAP-12698 - it tests GS2 SASL mechanism in WildFly Core:

export JAVA_HOME=/path/to/IBMJDK
export PATH=$JAVA_HOME/bin:$PATH
# clone and build wildfly-core project - reproducer is in the testsuite
git clone -b ELY-1328-reproducer https://github.com/kwart/wildfly-core.git
cd wildfly-core
mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip
cd testsuite/elytron
mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile=false -Dtest=KerberosMgmtSaslTestCase#testGs2Krb5WithoutSsl

Actual results:
Test fails because the NPE is thrown.

Expected results:
Test passes.
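A minimal stand-alone check for the behaviour described in this report, added here as an illustration (it is not the attached reproducer and not WildFly code): it builds the ChannelBinding the way RFC 5801 Section 5.1 requires, with no initiator or acceptor address and only application data, hands it to a Kerberos GSSContext and reports whether the installed JGSS provider accepts it or throws the NullPointerException. It assumes a Kerberos credential is already available to the JVM (for example via a credential cache, as the attached reproducer does); the service name and the application-data bytes are placeholders.

```java
import java.nio.charset.StandardCharsets;
import org.ietf.jgss.ChannelBinding;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ChannelBindingCheck {
    // Placeholder host-based service name; replace with a real principal in your realm.
    private static final String SERVICE = "HTTP@server.example.com";
    // Kerberos V5 mechanism OID.
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /**
     * RFC 5801 Section 5.1: address types 0 and empty addresses, which in the
     * JGSS API means null InetAddress arguments; only application data is set.
     */
    static ChannelBinding gs2ChannelBinding(byte[] appData) {
        return new ChannelBinding(null, null, appData);
    }

    /**
     * Returns true when the provider accepts a binding without addresses and
     * false when it fails with the NullPointerException from this bug.
     * Genuine GSS errors are propagated to the caller unchanged.
     */
    static boolean providerAcceptsNullAddresses(GSSContext ctx, ChannelBinding cb)
            throws GSSException {
        try {
            ctx.setChannelBinding(cb);
            return true;
        } catch (NullPointerException e) {
            // Affected IBM JDK builds dereference the null addresses here.
            return false;
        }
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_OID);
        GSSName peer = manager.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE, krb5);
        GSSContext ctx = manager.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
        // Constructed sample application data; a real GS2 client derives these bytes
        // from the mechanism negotiation, they are not meaningful here.
        byte[] appData = "sample-gs2-channel-binding-data".getBytes(StandardCharsets.US_ASCII);
        boolean ok = providerAcceptsNullAddresses(ctx, gs2ChannelBinding(appData));
        System.out.println(ok ? "provider accepts null addresses"
                              : "provider throws NullPointerException on null addresses");
        ctx.dispose();
    }
}
```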

Comment 2 Hanns-Joachim Uhl 2017-08-14 14:20:30 UTC
(In reply to Josef Cacek from comment #0)
...
> 
> 
> Version-Release number of selected component (if applicable):
> java version "1.8.0"
> Java(TM) SE Runtime Environment (build pxa6480sr4fp6-20170518_02(SR4 FP6))
> IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References
> 20170516_348050 (JIT enabled, AOT enabled)
> J9VM - R28_20170516_1905_B348050
> JIT  - tr.r14.java_20170516_348050
> GC   - R28_20170516_1905_B348050_CMPRSS
> J9CL - 20170516_348050)
> JCL - 20170516_01 based on Oracle jdk8u131-b11
> 
.
Hello Red Hat / Josef,
by chance ... do you have maybe the possibility to retest 
this bugzilla with the most current
IBM Java 8 SR4 FP10 as now available from
https://developer.ibm.com/javasdk/downloads/sdk8/ ...?
Please advise ...
Thanks in advance for your support.

Comment 3 Josef Cacek 2017-08-14 14:41:48 UTC
I see the same issue with the newest Java

jcacek@jcacek:~/projects/wildfly/wildfly-core/testsuite/elytron$ java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr4fp10-20170727_01(SR4 FP10))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170722_357405 (JIT enabled, AOT enabled)
J9VM - R28_20170722_0201_B357405
JIT  - tr.r14.java_20170722_357405
GC   - R28_20170722_0201_B357405_CMPRSS
J9CL - 20170722_357405)
JCL - 20170726_01 based on Oracle jdk8u144-b01

Comment 4 IBM Bug Proxy 2017-08-15 20:30:25 UTC
------- Comment From chavez.com 2017-08-15 16:28 EDT-------
A problem report has been raised with IBM Java L3. Will keep y'all posted on the status.

Comment 5 IBM Bug Proxy 2017-08-16 22:50:16 UTC
------- Comment From chavez.com 2017-08-16 18:45 EDT-------
Java L3 attempted to reproduce the problem but has run into the following maven errors. I don't think the particular developer has much experience with maven so would appreciate help getting past this roadblock.

----

I tried to recreate the issue which you had mentioned , however I am getting the following errors during my recreate.

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.134 s
[INFO] Finished at: 2017-08-16T17:01:39+05:30
[INFO] Final Memory: 80M/512M
[INFO] ------------------------------------------------------------------------
[ERROR] The goal you specified requires a project to execute but there is no POM in this directory (/data/subbu/pmr/00957/wildfly-core/testsuite/elytron/target/surefire-reports). Please verify you invoked Maven from the correct directory. -> [Help 1]
org.apache.maven.lifecycle.MissingProjectException: The goal you specified requires a project to execute but there is no POM in this directory (/data/subbu/pmr/00957/wildfly-core/testsuite/elytron/target/surefire-reports). Please verify you invoked Maven from the correct directory.
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:84)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
[ERROR]
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MissingProjectException

Comment 6 mchoma 2017-08-17 12:31:02 UTC
mvn command must be run in directory where pom.xml file is located.

Just keep reproducer steps strictly and run mvn commands in directories wildfly-core or testsuite/elytron respectively.

Comment 7 IBM Bug Proxy 2017-08-18 17:20:17 UTC
------- Comment From chavez.com 2017-08-18 13:15 EDT-------
A request from Java L3:

Can you please send the JGSS traces while enabling the following flags:
-Dcom.ibm.security.jgss.debug=all
-Dcom.ibm.security.krb5.Krb5Debug=all

Please also send a copy of the java.security file.

Comment 8 Josef Cacek 2017-08-22 15:27:31 UTC
Created attachment 1316678 [details]
bz-1481103-reproducer.zip

I'm attaching a very simplified reproducer. It just works with an existing credential cache. I'll attach also its output with debug options enabled as the next attachment.

The steps to use it (read included README.md for more details):

# Get a kerberos ticket
kinit yourKerberosName

# Check the credential cache file path
# search for Ticket cache line in the output of klist
klist

# Run the reproducer and use the credential cache file path as krb5cc.path system property
mvn install exec:java -Dkrb5cc.path=/path/to/krb5cc_xxx

Comment 9 Josef Cacek 2017-08-22 15:31:34 UTC
Created attachment 1316682 [details]
bz-1481103-reproducer.log

Comment 10 Josef Cacek 2017-08-22 15:33:07 UTC
Created attachment 1316683 [details]
java.security

Comment 11 IBM Bug Proxy 2017-08-25 14:10:21 UTC
------- Comment From chavez.com 2017-08-25 10:03 EDT-------
Thank you for the testcase. I was out of the office earlier this week due to a family emergency so I posted the update to the Java L3 problem ticket yesterday and this was the reply today:

Thanks for the code.
Unfortunately, I wasn't able to reproduce the problem by using my local cache.
Maybe I need to modify something here in my lab, but that's why I need to see the JGSS trace, to check what configs are they using.
So, please ask them to send me the JGSS trace showing the NPE.
Thanks!

Comment 12 Josef Cacek 2017-08-29 08:04:06 UTC
The trace is already in this attachment:

https://bugzilla.redhat.com/attachment.cgi?id=1316682

If the Docker image would help to show you the issue, I could prepare one.

Comment 13 IBM Bug Proxy 2017-08-31 22:10:26 UTC
------- Comment From chavez.com 2017-08-31 18:03 EDT-------
Update yesterday from Java L3:

Thanks for the information.
I'll investigate the trace and let you know what's happening.

Comment 14 IBM Bug Proxy 2017-09-10 23:50:28 UTC
Created attachment 1324306 [details]
ibmjgssprovider.jar testfix


------- Comment on attachment From chavez.com 2017-09-10 19:47 EDT-------


Update from Java L3:

We were able to reproduce the issue with the customer's testcase.
Can you ask the customer to move the original ibmjgssprovider.jar to a location completely outside of the classpath, and replace it with this modified version attached to see if it fixes the issue in their environment?
Thanks!

Comment 15 Josef Cacek 2017-09-11 07:29:43 UTC
The provided JAR patches the NPE in channel-binding for me. 

It resolves the problem in both my usecases - the simple reproducer and the JBoss EAP Kerberos tests.

Comment 16 IBM Bug Proxy 2017-09-15 13:40:25 UTC
------- Comment From chavez.com 2017-09-15 09:30 EDT-------
Update from Java L3 (I will be monitoring the APAR a few weeks from now for updates to share):

We created APAR IJ00028 to address this issue.
We take 3-6 weeks to close the APARs. After that, you'll see which versions will include the fix.
I believe the versions that will include the fix will be available by the end of October or within the first two weeks of November. However, this is just an estimate.
Please let me know if you have any other questions.

Comment 17 Hanns-Joachim Uhl 2017-12-01 17:09:13 UTC
(In reply to IBM Bug Proxy from comment #16)
> ------- Comment From chavez.com 2017-09-15 09:30 EDT-------
> Update from Java L3 (I will be monitoring the APAR a few weeks from now for
> updates to share):
> 
> We created APAR IJ00028 to address this issue.
> We take 3-6 weeks to close the APARs. After that, you'll see which versions
> will include the fix.
> I believe the versions that will include the fix will be available by the
> end of October or within the first two weeks of November. However, this is
> just an estimate.
> Please let me know if you have any other questions.
.
fyi ... APAR IJ00028 is now closed
(see http://www-01.ibm.com/support/docview.wss?uid=swg1IJ00028 ...)
as follows:
"
Problem conclusion

    Updated the Krb5ChannelBinding(ChannelBinding) ctor to allow
    NULL initiator and acceptor host addresses.
    The associated RTC PR is 135339
    The associated Austin CMVC defect is 117715
    The associated Austin APAR is IJ00028
    JVMs affected : Java 8, 7, and 6
    The fix was delivered for: Java 8 SR5 FP5, Java 7 SR10 FP15,
    Java 727 SR4 FP15, Java 6 SR16 FP55, Java 626 SR8 FP55
    The affected jars:  ibmjgssprovider.jar
    The build level of this jar for the affected releases is
    "20171010"
"
...
Hello Red Hat / Josef or Jiri,
... with IBM Java 8 SR5 FP5 available on RHN since 11/27/2017 
(see https://access.redhat.com/errata/RHSA-2017:3264 ...)
please verify as soon as possible whether this bugzilla is resolved ...
Thanks in advance for your support.

Comment 18 mchoma 2017-12-04 11:13:40 UTC
I can confirm I don't see issue on latest java [1]

Thank you

[1]
java -version
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 8.0.5.6 - pxa6480sr5fp6-20171124_02(SR5 FP6))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64 Compressed References 20171122_371101 (JIT enabled, AOT enabled)
OpenJ9   - 8e3c85d
OMR      - 713f08e
IBM      - c041ee8)
JCL - 20171113_01 based on Oracle jdk8u151-b12

Comment 19 zzambers 2018-03-21 16:45:50 UTC
PASSED on 1.8.0.5.10, which is currently being shipped on rhel-7:

java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 8.0.5.10 - pxa6480sr5fp10-20180214_01(SR5 FP10))
IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64 Compressed References 20180208_378436 (JIT enabled, AOT enabled)
OpenJ9   - 39bb844
OMR      - c04ccb2
IBM      - 2321a81)
JCL - 20180209_01 based on Oracle jdk8u161-b12


closing

