Code review request: 8012082: SASL auth-conf negotiated, but unencrypted data is accepted, reset to unencrypt

Weijun Wang weijun.wang at oracle.com
Thu Apr 18 04:19:13 UTC 2013


Webrev withdrawn. I'm studying the behavior of several third-party SASL 
impls to see how they deal with this.

Stay tuned.

-Max

On 4/17/13 6:39 PM, Weijun Wang wrote:
> Hi Valerie or Vinnie
>
> Please take a review on this fix
>
>     http://cr.openjdk.java.net/~weijun/8012082/webrev.00/
>
> Bug is
>
>     http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8012082
>
> The problem is that a single MessageProp is used in all wrap and unwrap
> calls and the output value is not checked.
>
> After the output check, it looks like it's OK to share the MessageProp
> object (because once it's changed, an exception is thrown), but I create
> one for each wrap/unwrap to be safe and clean, and I don't know if there
> are applications trying to "recover" from an exception.
>
> This is not a security issue; it happens after the peer has established the
> security context and is therefore already authenticated.
>
> Thanks
> Max
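
The check the quoted message describes, as an added illustration that is not code from the webrev or the JDK: one `MessageProp` per call, and the output value inspected after `unwrap()`/`wrap()` so that a token which decoded fine but only carried integrity protection is rejected when auth-conf was negotiated. The helper class, its method names and the `confRequired` flag are assumptions; the `org.ietf.jgss` and `javax.security.sasl` calls are the real API.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;
import javax.security.sasl.SaslException;

// Hypothetical helper (not from the webrev). Wraps the two JGSS calls a SASL
// GSSAPI mechanism makes once the context is established, and adds the check
// that was missing: the MessageProp handed to wrap()/unwrap() is an in/out
// parameter, so its privacy flag after the call tells us what protection the
// token actually carried, not what we asked for.
public final class ConfCheckedGss {
    private ConfCheckedGss() {}

    // Unwrap a token received from the peer. confRequired is true when
    // auth-conf was negotiated; integrity is always provided by GSS wrap.
    public static byte[] unwrapChecked(GSSContext ctx, byte[] token, int off,
            int len, boolean confRequired) throws SaslException {
        // Fresh object per call so a value mutated by an earlier unwrap()
        // can never leak into this one. QOP 0, privacy requested if required.
        MessageProp prop = new MessageProp(0, confRequired);
        byte[] data;
        try {
            data = ctx.unwrap(token, off, len, prop);
        } catch (GSSException e) {
            throw new SaslException("GSS unwrap failed", e);
        }
        // The output check: reject a correctly decoded but unencrypted token
        // instead of silently accepting it as if it had been encrypted.
        if (confRequired && !prop.getPrivacy()) {
            throw new SaslException(
                "auth-conf negotiated but peer sent an unencrypted token");
        }
        return data;
    }

    // Wrap data for the peer and make sure the mechanism really applied the
    // protection we negotiated before the token goes on the wire.
    public static byte[] wrapChecked(GSSContext ctx, byte[] data, int off,
            int len, boolean confRequired) throws SaslException {
        MessageProp prop = new MessageProp(0, confRequired);
        byte[] token;
        try {
            token = ctx.wrap(data, off, len, prop);
        } catch (GSSException e) {
            throw new SaslException("GSS wrap failed", e);
        }
        if (confRequired && !prop.getPrivacy()) {
            throw new SaslException(
                "auth-conf negotiated but mechanism did not encrypt the token");
        }
        return token;
    }
}
```

Both methods throw `SaslException` rather than trying to continue, which is the conservative reading of the message's remark about applications that "recover" from an exception: once a mismatch is observed the shared-object question does not arise, because the caller never reuses that `MessageProp`.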


