Code review request: 8012082: SASL auth-conf negotiated, but unencrypted data is accepted, reset to unencrypt
Weijun Wang
weijun.wang at oracle.com
Wed Apr 17 10:39:39 UTC 2013
Hi Valerie or Vinnie
Please review this fix:
http://cr.openjdk.java.net/~weijun/8012082/webrev.00/
Bug is
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8012082
The problem is that a single MessageProp is used in all wrap and unwrap
calls and the output value is not checked.
After the output check, it looks like it's OK to share the MessageProp
object (because once it's changed, an exception is thrown), but I create
one for each wrap/unwrap to be safe and clean, and I don't know if there
are applications trying to "recover" from an exception.
This is not a security issue; it's after the peer has established the
security context, and is therefore already authenticated.
Thanks
Max
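
The check described in the message above, as an added example that is not the code from the webrev or from the JDK: each unwrap gets its own MessageProp, and its output privacy flag is compared with the negotiated QOP. The class name, the helper names, the exception messages and the proxy-based stand-in for an established GSSContext are assumptions made for illustration.

```java
import java.lang.reflect.Proxy;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;

public class PrivacyCheckedUnwrap {
    // Hypothetical helper: unwrap one token and reject it if auth-conf was
    // negotiated (privacy == true) but the token itself was not encrypted.
    static byte[] unwrap(GSSContext ctx, boolean privacy, byte[] in)
            throws SaslException {
        // Fresh MessageProp per call: unwrap() overwrites it with the state
        // of the token just processed, so a shared object drifts over time.
        MessageProp prop = new MessageProp(0, privacy);
        try {
            byte[] out = ctx.unwrap(in, 0, in.length, prop);
            if (privacy && !prop.getPrivacy()) {
                throw new SaslException("Privacy not protected"); // assumed text
            }
            return out;
        } catch (GSSException e) {
            throw new SaslException("Problems unwrapping SASL buffer", e);
        }
    }

    // Constructed stand-in for an established context: unwrap() returns the
    // input unchanged and reports the given privacy state for the token.
    static GSSContext fakeContext(boolean tokenEncrypted) {
        return (GSSContext) Proxy.newProxyInstance(
            PrivacyCheckedUnwrap.class.getClassLoader(),
            new Class<?>[] { GSSContext.class },
            (proxy, method, args) -> {
                if (!method.getName().equals("unwrap"))
                    throw new UnsupportedOperationException(method.getName());
                ((MessageProp) args[3]).setPrivacy(tokenEncrypted);
                return args[0];
            });
    }

    public static void main(String[] a) throws Exception {
        byte[] token = "constructed sample token".getBytes();
        unwrap(fakeContext(true), true, token);       // encrypted token
        try {
            unwrap(fakeContext(false), true, token);  // cleartext token
            System.out.println("cleartext token accepted");
        } catch (SaslException e) {
            System.out.println("cleartext token rejected: " + e.getMessage());
        }
    }
}
```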