JDK-8225687 : Newly added sspi.cpp in JDK-6722928 still contains some small errors
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 13
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-06-13
  • Updated: 2023-09-20
  • Resolved: 2019-07-10
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14 JDK 8 Other
11.0.10Fixed 13 b29Fixed 14Fixed 8u371Fixed openjdk8u392Fixed
Related Reports
Relates :  
JDK-6722928 - Provide a default native GSS-API library on Windows
Description
 - CHECK_*() macros

   Macro bodies should not end in a semi-colon.

   If these were public and since these macro bodies are all if
   statements, you should wrap them in do { } while (0), but since
   they're private we can make sure that all uses are correct.

 - gss_import_name() doesn't check that the first two bytes of the
   input buffer are the expected token ID when the name-type is
   GSS_C_NT_EXPORTED_NAME.

 - gss_import_name() doesn't check that the third byte of the input
   buffer is 0 when the name-type is GSS_C_NT_EXPORTED_NAME.

 - gss_compare_name(), this code will not distinguish a name of the
   form 'foo@' from 'foo\@'

      434     if (l1 < l2 && n2[l1] != L'@'
      435             || l2 < l1 && n1[l2] != L'@') {
      436         return GSS_S_COMPLETE; // different
      437     }

   Honestly, this is not the most serious problem because nothing
   really should be using gss_compare_name(), but you do use it... and
   anyways, it's wrong.

   Perhaps the gss_name_struct struct should have a length of realm or
   length-of-not-realm-part field to make this check easier.

 - gss_compare_name(), do not use NORM_IGNORECASE

 - gss_canonicalize_name() should check that mech_type is Kerberos
Comments
Fix request [8u] I'd like to backport this fix into 8u as a follow-up for the JDK-6722928. JDK-6722928 is fixed in 8u392, please approve it to include in 8u392 also. The patch is applied cleanly, all related tests are passed, and the risk is low.
06-09-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u/pull/47 Date: 2023-08-30 14:05:26 +0000
30-08-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/353 Date: 2023-08-12 00:25:03 +0000
12-08-2023
Fix request (11u) Now that JDK-6722928 is in 11u, this release is affected by JDK-8225687. I'd like to request a backport of JDK-8225687. Patch applies cleanly and the risk is low.
25-11-2020
URL: https://hg.openjdk.java.net/jdk/jdk13/rev/430a51e86f28 User: weijun Date: 2019-07-10 01:44:05 +0000
10-07-2019