Code review request: 8024861: Incomplete token triggers GSS-API NullPointerException
Sean Mullan
sean.mullan at oracle.com
Thu Sep 26 16:39:43 UTC 2013
On 09/26/2013 05:28 AM, Weijun Wang wrote:
> Hi All
>
> Please take a review at
>
> http://cr.openjdk.java.net/~weijun/8024861/webrev.00/
>
> When the first NegTokenInit does not include the mechToken, Java throws
> an NPE. This code change checks it and throw a GSSException instead.
>
> Precisely, the mechToken can be missing and the initiator will send it
> in the second packet. Unfortunately, our current SPNEGO impl cannot
> handle a handshake with more than 2 rounds nicely. I plan to support the
> missing mechToken later when we fully support RFC 4178. The current impl
> was coded according to RFC 2478.
>
> Thanks
> Max
Looks ok to me. Please add 8 to the Affects Version and the Fix Version
fields.
--Sean
More information about the security-dev
mailing list