RFR: 8362268 : NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory

Weibing Xiao wxiao at openjdk.org
Wed Aug 20 15:19:41 UTC 2025


On Wed, 30 Jul 2025 20:20:33 GMT, Weibing Xiao <wxiao at openjdk.org> wrote:

> [webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
> NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory.
> 
> When the exception is triggered, LDAP Connection will do "clean-up" operation and output stream get flushed and closed the context while GssKrb5Client is still wrapping the message and SaslOuput Stream is writing the content of the buffer; and at the time GSSContext is disposed and it is null. That's the reason to throw NPE.
> 
> 1) Check if the context is null or not; then wrap the NPE. The change is done in GssKrb5Base.java
> 
> No test file is attached for this MR since it needs Sasl LDAP server with security setup. Attached webrev for the reference.

The failure only happened when Sasl.QOP set with the value of auth-int or auth-conf. It needs a ldap server with the setting of SASL authentication. It is not available in OpenJDK community.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3206844337


More information about the security-dev mailing list