RFR 6722928: Support SSPI as a native GSS-API provider

Valerie Peng valerie.peng at oracle.com
Wed Dec 12 22:20:24 UTC 2018 

Hi Max,

<sspi.cpp>

- the DER related code is very hard to read... Would be nice to use 
constants/enum for commonly used tag or use some method to construct them.

- line 449, I think you mean to use "c" instead of "cred_handle"

- gss_unwrap: add "const" to the 2nd and 3rd arguments? Isn't variable 
naming convention starts with lower case? the argument qop_state may be 
non-null but is not set?||

- gss_indicate_mechs: the SSPI docs that I found mentioned that you need 
to call FreeContextBuffer on pkgInfo after calling 
QuerySecurityPackageInfo(). Local variable "minor" not used and can be 
removed?

- gss_inquire_names_for_mech: why does the PP output has "IMPLEMENTED" 
wording, other methods do not. Is this intentional?

- gss_create_empty_oid_set: do we need to check the specified oid_set 
for existing content and free if not-empty before wiping it out? This is 
called by a few other gss api methods also, it may be better to defend 
against user errors.

- gss_add_oid_set_member: add "const" to the 2nd argument?

- gss_release_buffer: maybe set buffer->length = 0 outside the if-block. 
Do we need to check for GSS_C_NO_BUFFER in addition to null?

- gss_display_status: add "const" to the 4th argument? As for the impl, 
I have a question, this particular method is for displaying text output 
for gssapi error codes, but the FormatMessage() call takes window 
specific message id. Are they the same?

I am still going through the rest of sspi.cpp, but thought that I will 
send you what I have first.

Good that you have this targeted to 13 as there is almost no time left 
for RFEs to get into JDK12.

Thanks,
Valerie


On 11/19/2018 5:56 PM, Weijun Wang wrote:
> Please take a review at
>
>     https://cr.openjdk.java.net/~weijun/6722928/webrev.01/
>
> We ported [1] the native GSS bridge to Windows in JDK 11, but user still have to download and install a native GSS-API library. This code change provides a native GSS-API library inside JDK that can be used without setting the "sun.security.jgss.lib" system property. It is based on Windows SSPI and now only supports the client side using the default credentials.
>
> No regression tests included. A Windows Active Directory server is needed.
>
> Thanks
> Max
>
> [1]https://bugs.openjdk.java.net/browse/JDK-8200468
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20181212/61efd75d/attachment.htm>

More information about the security-dev mailing list