Dan Burkert has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/6148

Change subject: [security] protect against master SASL negotiation short-circuit
......................................................................

[security] protect against master SASL negotiation short-circuit

In both clients we weren't checking that the local SASL client considered
the negotiation to be complete when the server sent us a SASL_SUCCESS
message. This would allow a malicious server to trick the client into
thinking it had authenticated the server, when in reality it had not.

This ended up being easier in the Java client because the JDK SASL API
includes an 'isComplete', and there is no equivalent in cyrus SASL, so
the state has to be tracked explicitly.

Change-Id: I8f3b3d4f47e887b48c1c704c900e9260c22cec3a
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
3 files changed, 38 insertions(+), 19 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/48/6148/1

--
To view, visit http://gerrit.cloudera.org:8080/6148
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8f3b3d4f47e887b48c1c704c900e9260c22cec3a
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
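The check the change describes, as an added example that is not the Kudu project's own Negotiator code: when the server's SASL_SUCCESS arrives, the client must confirm with its own SaslClient (`isComplete()` in the JDK API) that the exchange actually finished, and otherwise abort. The example uses the JDK's built-in CRAM-MD5 mechanism purely because its client is not complete until it has answered a server challenge, which makes the short-circuit visible offline; the class and method names, the "kudu"/"localhost" protocol and host strings, the credentials and the sample challenge are all constructed for this illustration.

```java
import java.util.Collections;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

/** Illustrative client-side handling of a SASL_SUCCESS message (hypothetical names). */
public class SaslSuccessCheck {

    /**
     * Called when the server sends SASL_SUCCESS. Returns true only if the local
     * SaslClient agrees the mechanism exchange is finished; a server that sends
     * SUCCESS early (skipping the challenge the client still expects) is rejected.
     */
    static boolean handleSaslSuccess(SaslClient client) throws SaslException {
        if (!client.isComplete()) {
            // Without this check the client would treat the peer as authenticated
            // even though the mechanism never ran to completion.
            throw new SaslException(
                "server sent SASL_SUCCESS before the client-side negotiation completed");
        }
        return true;
    }

    /** Builds a CRAM-MD5 client with a callback handler supplying constructed credentials. */
    static SaslClient newClient(String user, char[] password) throws SaslException {
        CallbackHandler handler = (Callback[] callbacks) -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        // "kudu" and "localhost" are placeholder protocol/server names for the example.
        return Sasl.createSaslClient(new String[] {"CRAM-MD5"}, null, "kudu", "localhost",
                Collections.emptyMap(), handler);
    }

    public static void main(String[] args) throws Exception {
        // Case 1: a misbehaving server sends SASL_SUCCESS immediately, with no challenge.
        // The client has not completed CRAM-MD5, so the message must be rejected.
        SaslClient shortCircuited = newClient("alice", "secret".toCharArray());
        try {
            handleSaslSuccess(shortCircuited);
            System.out.println("BUG: accepted premature SASL_SUCCESS");
        } catch (SaslException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Case 2: an honest server issues a challenge first; after the client answers it,
        // the mechanism is complete and SASL_SUCCESS is accepted.
        SaslClient honest = newClient("alice", "secret".toCharArray());
        byte[] challenge = "<1234.5678@example.invalid>".getBytes(); // constructed sample challenge
        byte[] response = honest.evaluateChallenge(challenge);
        System.out.println("client response: " + new String(response));
        System.out.println("accepted: " + handleSaslSuccess(honest));
    }
}
```

The same rule applies to the C++ client, where Cyrus SASL offers no `isComplete` equivalent: the negotiation code has to record whether `sasl_client_step` reported completion and refuse SASL_SUCCESS until it has.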
