RFR: 8273670: Remove weak etypes from default krb5 etype list
Weijun Wang
weijun at openjdk.java.net
Fri Sep 24 21:27:52 UTC 2021
On Fri, 24 Sep 2021 19:49:14 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well.
>
> src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 242:
>
>> 240: // used in Config
>> 241: public static int[] getBuiltInDefaults() {
>> 242: return defaultETypes;
>
> It might be safer to return a clone here since it is mutable. The previous code always returned a new array. This array gets passed back to calling code via Etype.getDefaults(), returning a clone would prevent the configured value from being accidentally modified.
OK.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5654
More information about the security-dev
mailing list