[krbdev.mit.edu #8782] [Comment] gss_accept_sec_context() SPNEGO-wrapped src_name interacts badly with gss_localname()

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[krbdev.mit.edu #8782] [Comment] gss_accept_sec_context() SPNEGO-wrapped src_name interacts badly with gss_localname()

Greg Hudson via RT

This is a comment.  It is not sent to the Requestor(s):

Ticket 8901 removes one of the complications for extending the
accept_sec_context contract to apply to src_name. A second complication is
gss_inquire_context(), which is an alternate way to retrieve src_name from an
acceptor context. If gss_accept_sec_context() returned an unwrapped src_name
and gss_inquire_context() returned a wrapped src_name (it currently always
wraps), that would be an unfortunate inconsistency.

Heimdal has a more comprehensive approach to this issue: a mech can declare via
flags that it uses mechglue creds or mechglue names for all purposes. SPNEGO
does both; as a consequence, gss_set_neg_mechs() has to be implemented at the
mechglue layer rather than the SPNEGO layer. There are some interesting and
arguably beneficial side-effects: (1) a non-SPNEGO cred can be used as a SPNEGO
claimant or acceptor cred handle, and (2) SPNEGO does not have to implement
pass-through credential or name methods. However, the mechglue code to
implement these flags is not trivial, and there is a lot of potential for
memory errors if it is done incorrectly.

krb5-bugs mailing list
[hidden email]