RFR 8005819: Support cross-realm MSSFU

Weijun Wang weijun.wang at oracle.com
Thu Dec 12 23:32:17 UTC 2019



> On Dec 12, 2019, at 10:46 PM, Martin Balao <mbalao at redhat.com> wrote:
> 
> Good observation. I've had a look and you are probably right. The in/out
> parameter is spread across all the code. Looks to me that, at some
> point, the idea was that there could be more than one additional ticket
> (and it was not an in/out parameter really). What makes me think so is
> the iteration here [1]. Given that this is not particularly related to
> 8005819, I agree that it would be better to analyze it in the context of
> a new fix. Before getting rid of the in/out parameter, I suggest
> deciding whether or not there could be more than one ticket.

I've only seen the one-ticket case, but in the ASN.1 definition of KDC-REQ-BODY there can be multiple. Maybe one day we'll see more.

--Max

> 
> --
> [1] -
> http://hg.openjdk.java.net/jdk/jdk/file/fe65e995a765/src/java.security.jgss/share/classes/sun/security/krb5/internal/KDCReqBody.java#l113
> 
