RFR: 8362268 : NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory
Weijun Wang
weijun at openjdk.org
Thu Aug 21 13:14:53 UTC 2025
On Wed, 30 Jul 2025 20:20:33 GMT, Weibing Xiao <wxiao at openjdk.org> wrote:
> [webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
> NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory.
>
> When the exception is triggered, LDAP Connection will do "clean-up" operation and output stream get flushed and closed the context while GssKrb5Client is still wrapping the message and SaslOuput Stream is writing the content of the buffer; and at the time GSSContext is disposed and it is null. That's the reason to throw NPE.
>
> 1) Check if the context is null or not; then wrap the NPE. The change is done in GssKrb5Base.java
>
> No test file is attached for this MR since it needs Sasl LDAP server with security setup. Attached webrev for the reference.
My "here" was
> Not an LDAP expert, but I see that `abandonRequest()` still wants to write into outStream. If the SASL/GSS context is already disposed by now what stream should this be? Should it be reverted back to the raw stream?
However, I'm not sure if this correct. This means the security guaranteed by the SASL layer is lost and I also don't know if the peer can parse it correctly.
@michael-o What have JDK 8 and `ldapsearch` done? Did they send error messages in the clear?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3210553944
More information about the security-dev
mailing list