Code review request: 8024861: Incomplete token triggers GSS-API NullPointerException

Weijun Wang weijun.wang at oracle.com
Thu Sep 26 12:28:14 UTC 2013


Hi All

Please take a review at

   http://cr.openjdk.java.net/~weijun/8024861/webrev.00/

When the first NegTokenInit does not include the mechToken, Java throws 
an NPE. This code change checks it and throw a GSSException instead.

Precisely, the mechToken can be missing and the initiator will send it 
in the second packet. Unfortunately, our current SPNEGO impl cannot 
handle a handshake with more than 2 rounds nicely. I plan to support the 
missing mechToken later when we fully support RFC 4178. The current impl 
was coded according to RFC 2478.

Thanks
Max



More information about the security-dev mailing list