[Bug] NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP auth-int against Active Directory

Weibing Xiao weibing.xiao at oracle.com
Wed May 7 19:59:15 UTC 2025 

Hi Michael,

Please share a working copy of the code to duplicate the failure scenario of NPE related to Connection.java. BTW, I checked the stack trace posted on April 28 it did not clearly show Connection::cleanup got called. Was there something missed?

Thank you,
Weibing

From: security-dev <security-dev-retn at openjdk.org> on behalf of security-dev-request at openjdk.org <security-dev-request at openjdk.org>
Date: Tuesday, April 29, 2025 at 4:54 AM
To: security-dev at openjdk.org <security-dev at openjdk.org>
Subject: security-dev Digest, Vol 214, Issue 151
Send security-dev mailing list submissions to
        security-dev at openjdk.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://mail.openjdk.org/mailman/listinfo/security-dev
or, via email, send a message with subject or body 'help' to
        security-dev-request at openjdk.org

You can reach the person managing the list at
        security-dev-owner at openjdk.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of security-dev digest..."


Today's Topics:

   1. Re: RFR: 8350498: Remove two Camerfirma root CA certificates
      (Mark Powers)
   2. Re: RFR: 8354305: SHAKE128 and SHAKE256 MessageDigest
      algorithms [v3] (Valerie Peng)
   3. Re: [Bug] NPE thrown from SASL GSSAPI impl on Java 11+ when
      TLS is used with QOP auth-int against Active Directory
      (Osipov, Michael (IN IT IN))


----------------------------------------------------------------------

Message: 1
Date: Tue, 29 Apr 2025 01:21:44 GMT
From: Mark Powers <mpowers at openjdk.org>
To: <security-dev at openjdk.org>
Subject: Re: RFR: 8350498: Remove two Camerfirma root CA certificates
Message-ID:
        <A9eAJBJDaHecIKxXaVFN1OYPI3klaPxL5AkWVbC39Eg=.23a9c6ce-9cf2-4d30-94e2-5bc9f9a2f688 at github.com>

Content-Type: text/plain; charset=utf-8

On Tue, 22 Apr 2025 20:27:04 GMT, Rajan Halade <rhalade at openjdk.org> wrote:

> The change is to remove two Camerfirma root certificates which are terminated and no longer in use. These two roots are removed from `cacerts` truststore. Distrust of these roots is also removed as these roots will no longer be trusted by JDK by default.
>
> The release-note is at [JDK-8355325](https://bugs.openjdk.org/browse/JDK-8355325)

This looks good to me.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/24800#issuecomment-2837171301


------------------------------

Message: 2
Date: Tue, 29 Apr 2025 01:41:44 GMT
From: Valerie Peng <valeriep at openjdk.org>
To: <security-dev at openjdk.org>
Subject: Re: RFR: 8354305: SHAKE128 and SHAKE256 MessageDigest
        algorithms [v3]
Message-ID:
        <7tQk66i69YQpgGj4_thPeRH0Dvx3Z5ohyzefcsLL7wA=.b11500ea-08b1-4961-b65d-e68082b56d92 at github.com>

Content-Type: text/plain; charset=utf-8

On Mon, 28 Apr 2025 14:48:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Add 2 `MessageDigest` algorithms.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
>   test alias usage

Changes look fine. However, we should probably caution about these being different from the regular message digest algorithms, i.e. regarding their related output property.

-------------

Marked as reviewed by valeriep (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/24576#pullrequestreview-2801570550


------------------------------

Message: 3
Date: Tue, 29 Apr 2025 10:54:31 +0200
From: "Osipov, Michael (IN IT IN)" <michael.osipov at innomotics.com>
To: security-dev at openjdk.org
Cc: andrewlu at openjdk.org
Subject: Re: [Bug] NPE thrown from SASL GSSAPI impl on Java 11+ when
        TLS is used with QOP auth-int against Active Directory
Message-ID: <9baba8d6-066a-42cd-9649-e16033108ee7 at siemens.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2025-04-28 10:22, Osipov, Michael (IN IT IN) wrote:
 > Hi folks,
 > Hi Max,
 >
 > please assess the following bug I have found in Java 11+, it does not
exist
 > in Java 8. I have tried the following most versions on Azul Zulu/
 > OpenJDK: 8, 11, 17, 21, 24 on multiple platforms. Searched JBS as well,
 > nothing found.

I was able to debug this and find the cause.
It is a regression from
https://github.com/openjdk/jdk11u/commit/bcac47f00ac6cf511ad7709fb9d39276ac27b049,
introduced with https://bugs.openjdk.org/browse/JDK-8313657.
I can even reproduce this with the HPE JDK 8 for HP-UX, so I guess they
have backported that broken fix.

Connection#flushAndCloseOutputStream() closes the SaslOutputStream()
which disposes the GSS security context and sets it to null. After that
Connection#abandonRequest(LdapRequest, Control[]) is invoked which still
uses the SaslOutputStream:
 >             synchronized (this) {
 >                 outStream.write(ber.getBuf(), 0, ber.getDataLen());
 >                 outStream.flush();
 >             }

Andrew,

can you log a bug here?

Michael


End of security-dev Digest, Vol 214, Issue 151
**********************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20250507/1d2d3a82/attachment-0001.htm>

More information about the security-dev mailing list