8071643: sun.security.krb5.KrbApReq.authenticate() is not thread safe
authorweijun
Thu, 05 Feb 2015 11:42:39 +0800
changeset 28774 052832e70254
parent 28773 0b8da4d7cda6
child 28775 d786aae24263
8071643: sun.security.krb5.KrbApReq.authenticate() is not thread safe Reviewed-by: mullan
jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbApReq.java
--- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbApReq.java	Tue Feb 03 14:09:20 2015 -0800
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbApReq.java	Thu Feb 05 11:42:39 2015 +0800
@@ -60,16 +60,6 @@
     private static boolean DEBUG = Krb5.DEBUG;
     private static final char[] hexConst = "0123456789ABCDEF".toCharArray();
 
-    private static final MessageDigest md;
-
-    static {
-        try {
-            md = MessageDigest.getInstance("MD5");
-        } catch (NoSuchAlgorithmException ex) {
-            throw new RuntimeException("Impossible");
-        }
-    }
-
     /**
      * Constructs an AP-REQ message to send to the peer.
      * @param tgsCred the <code>Credentials</code> to be used to construct the
@@ -99,10 +89,10 @@
      * @param tgsCred the <code>Credentials</code> to be used to construct the
      *          AP Request  protocol message.
      * @param mutualRequired Whether mutual authentication is required
-     * @param useSubkey Whether the subkey is to be used to protect this
+     * @param useSubKey Whether the subkey is to be used to protect this
      *        specific application session. If this is not set then the
      *        session key from the ticket will be used.
-     * @param checksum checksum of the application data that accompanies
+     * @param cksum checksum of the application data that accompanies
      *        the KRB_AP_REQ.
      * @throws KrbException for any Kerberos protocol specific error
      * @throws IOException for any IO related errors
@@ -142,8 +132,8 @@
      * Constructs an AP-REQ message from the bytes received from the
      * peer.
      * @param message The message received from the peer
-     * @param keys <code>EncrtyptionKey</code>s to decrypt the message;
-     *       key selected will depend on etype used to encrypte data
+     * @param cred <code>KrbAcceptCredential</code> containing keys to decrypt
+     *    the message; key selected will depend on etype used to encrypt data
      * @throws KrbException for any Kerberos protocol specific error
      * @throws IOException for any IO related errors
      *          (e.g. socket operations)
@@ -311,7 +301,14 @@
         if (!authenticator.ctime.inClockSkew())
             throw new KrbApErrException(Krb5.KRB_AP_ERR_SKEW);
 
-        byte[] hash = md.digest(apReqMessg.authenticator.cipher);
+        byte[] hash;
+        try {
+            hash = MessageDigest.getInstance("MD5")
+                    .digest(apReqMessg.authenticator.cipher);
+        } catch (NoSuchAlgorithmException ex) {
+            throw new AssertionError("Impossible");
+        }
+
         char[] h = new char[hash.length * 2];
         for (int i=0; i<hash.length; i++) {
             h[2*i] = hexConst[(hash[i]&0xff)>>4];
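Review bot: The new catch block around `MessageDigest.getInstance("MD5")` discards `ex`, so if the algorithm lookup ever fails (for example under an unusual provider configuration) the error carries no hint of the cause; chain it with `throw new AssertionError("Impossible", ex);`. Creating the digest per call is the right fix for the race, since a `MessageDigest` holds mutable state and concurrent `digest()` calls on a shared instance can produce a wrong hash. A short comment above the `try` would keep a later cleanup from reintroducing the static field as an optimisation, e.g. `// MessageDigest is not thread safe; use a fresh instance per call`. The hex string built from `hash` is consumed outside this hunk, and the enclosing method starts and ends outside it too, so the impact of a corrupted hash on the later checks should be confirmed there.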