Request for review: 8025124: InitialToken.useNullKey incorrectly applies NULL_KEY in some cases

Weijun Wang weijun.wang at oracle.com
Tue Oct 15 23:50:21 PDT 2013


Thanks.

FYI: I pushed the changeset which only contains the src part. The test 
does not work universally now. On Mac, the krb5 impl is Heimdal and has 
a very different configuration. On Solaris, there is a problem calling 
gss_inquire_cred on GSS_C_NULL_OID.

Noreg-hard added. We are allowed to add test after ZBB. Of course, only 
if I can get the regression test running fine.

Thanks
Max

On 10/14/13 9:06 PM, Xuelei Fan wrote:
> Looks fine to me.
>
> Xuelei
>
> On 10/12/2013 5:28 PM, Weijun Wang wrote:
>> Please review the fix at
>>
>>     http://cr.openjdk.java.net/~weijun/8025124/webrev.00/
>>
>> This is an interop fix. We used to determine if a NULL key should be
>> used based on etype being new or old, now we just look at the etype
>> inside the EncryptedData. If it's 0 then there is no need to decrypt it.
>> Note that this is not a security issue because the whole KRB-CRED is
>> encrypted anyway.
>>
>> A new regression test added.
>>
>> Thanks
>> Max
>


More information about the security-dev mailing list