Hi Max,
<sspi.cpp>
- the DER related code is very hard to read... Would be nice to use
constants/enum for commonly used tag or use some method to construct them.
- line 449, I think you mean to use "c" instead of "cred_handle"
- gss_unwrap: add "const" to the 2nd and 3rd arguments? Isn't variable
naming convention starts with lower case? the argument qop_state may be
non-null but is not set?||
- gss_indicate_mechs: the SSPI docs that I found mentioned that you need
to call FreeContextBuffer on pkgInfo after calling
QuerySecurityPackageInfo(). Local variable "minor" not used and can be
removed?
- gss_inquire_names_for_mech: why does the PP output has "IMPLEMENTED"
wording, other methods do not. Is this intentional?
- gss_create_empty_oid_set: do we need to check the specified oid_set
for existing content and free if not-empty before wiping it out? This is
called by a few other gss api methods also, it may be better to defend
against user errors.
- gss_add_oid_set_member: add "const" to the 2nd argument?
- gss_release_buffer: maybe set buffer->length = 0 outside the if-block.
Do we need to check for GSS_C_NO_BUFFER in addition to null?
- gss_display_status: add "const" to the 4th argument? As for the impl,
I have a question, this particular method is for displaying text output
for gssapi error codes, but the FormatMessage() call takes window
specific message id. Are they the same?
I am still going through the rest of sspi.cpp, but thought that I will
send you what I have first.
Good that you have this targeted to 13 as there is almost no time left
for RFEs to get into JDK12.
Thanks,
Valerie
On 11/19/2018 5:56 PM, Weijun Wang wrote:
Please take a review at
https://cr.openjdk.java.net/~weijun/6722928/webrev.01/
We ported [1] the native GSS bridge to Windows in JDK 11, but user still have to download
and install a native GSS-API library. This code change provides a native GSS-API library
inside JDK that can be used without setting the "sun.security.jgss.lib" system
property. It is based on Windows SSPI and now only supports the client side using the
default credentials.
No regression tests included. A Windows Active Directory server is needed.
Thanks
Max
[1]https://bugs.openjdk.java.net/browse/JDK-8200468
