issue regarding gss_krb5int_make_seal_token_v3()

Will Fiveash

In gss_krb5int_make_seal_token_v3() (MIT 1.4) I see:

    } else if (toktype == KG_TOK_DEL_CTX) {
        tok_id = 0x0405;
        message = message2 = &empty_message;
        goto wrap_with_checksum;

(Notice the tok_id and also be aware that this function can be called
indirectly via GSS_Delete_sec_context().)

Nico points out to me that draft-ietf-krb-wg-gssapi-cfx-07.txt
states:

4.3. Context Deletion Tokens
 
   Context deletion tokens are empty in this mechanism.  Both peers to
   a security context invoke GSS_Delete_sec_context() [RFC-2743]
   independently, passing a null output_context_token buffer to
   indicate that no context_token is required.  Implementations of
   GSS_Delete_sec_context() should delete relevant locally-stored
   context information.

So my question is why is gss_krb5int_make_seal_token_v3() creating an
output token for a KG_TOK_DEL_CTX type of token and where is the token
ID of 0x0405 defined?

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: issue regarding gss_krb5int_make_seal_token_v3()

hartmans

I'm not sure; we'll need to wait for Ken to respond.  However that
code does seem broken.


Re: issue regarding gss_krb5int_make_seal_token_v3()

Will Fiveash
On Mon, Jun 27, 2005 at 02:57:40PM -0400, Sam Hartman wrote:
> I'm not sure; we'll need to wait for Ken to respond.  However that
> code does seem broken.

Note a co-worker pointed out that in:
http://mirrors.isc.org/pub/www.watersprings.org/pub/id/draft-ietf-krb-wg-gssapi-cfx-02.txt
(or tiny URL: http://tinyurl.com/ahc58)

the Context Deletion Token defines TOK_ID as hex 0405 but this was
removed in subsequent revisions of draft-ietf-krb-wg-gssapi-cfx.  Still,
the current version indicates that no output token should be output by
GSS_Delete_sec_context().

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)