Skip Menu |
 

Subject: GSSAPI accept_sec_context() sets INTEG and CONF flags producing inconsistent state with cleint
Microsoft reports that their Kerberos SSPI code is incompatible with MIT
GSSAPI when INTEG or CONF modes are used independent of one another.
1964 states that the INTEG and CONF flags are to indicate the
availability of the modes in the client. They are not to be set by the
server.

MIT's clients always set both flags which is fine, but we must be
prepared to accept security contexts which only set one of them.
Download (untitled) / with headers
text/plain 1.4KiB
2004-02-05 Jeffrey Altman <jaltman@mit.edu>

* gssapiP_krb5.h: remove KG_IMPLFLAGS macro

* init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS
macro with previous macro definition

* accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS
macro with new definition. As per 1964 the INTEG and CONF flags
are supposed to indicate the availability of the services in
the client. By applying the previous definition of KG_IMPLFLAGS
the INTEG and CONF flags are always on. This can be a problem
because some clients such as Microsoft's Kerberos SSPI allow
CONF and INTEG to be used independently. By forcing the flags
on, we would end up with inconsist state with the client.

cvs commit gssapiP_krb5.h accept_sec_context.c init_sec_context.c ChangeLog
Checking in gssapiP_krb5.h;
/cvs/krbdev/krb5/src/lib/gssapi/krb5/gssapiP_krb5.h,v <-- gssapiP_krb5.h
new revision: 1.56; previous revision: 1.55
done
Checking in accept_sec_context.c;
/cvs/krbdev/krb5/src/lib/gssapi/krb5/accept_sec_context.c,v <--
accept_sec_context.c
new revision: 1.85; previous revision: 1.84
done
Checking in init_sec_context.c;
/cvs/krbdev/krb5/src/lib/gssapi/krb5/init_sec_context.c,v <--
init_sec_context.c
new revision: 1.77; previous revision: 1.76
done
Checking in ChangeLog;
/cvs/krbdev/krb5/src/lib/gssapi/krb5/ChangeLog,v <-- ChangeLog
new revision: 1.236; previous revision: 1.235
Download (untitled) / with headers
text/plain 1.3KiB
Module Name: krb5
Committed By: jaltman
Date: Fri Feb 6 07:00:53 UTC 2004

Modified Files:
krb5/src/lib/gssapi/krb5/ChangeLog
krb5/src/lib/gssapi/krb5/accept_sec_context.c
krb5/src/lib/gssapi/krb5/gssapiP_krb5.h
krb5/src/lib/gssapi/krb5/init_sec_context.c
Added Files:

Removed Files:


Log Message
2004-02-05 Jeffrey Altman <jaltman@mit.edu>

* gssapiP_krb5.h: remove KG_IMPLFLAGS macro

* init_sec_context.c (init_sec_context): Expand KG_IMPLFLAGS
macro with previous macro definition

* accept_sec_context.c (accept_sec_context): Replace KG_IMPLFLAGS
macro with new definition. As per 1964 the INTEG and CONF flags
are supposed to indicate the availability of the services in
the client. By applying the previous definition of KG_IMPLFLAGS
the INTEG and CONF flags are always on. This can be a problem
because some clients such as Microsoft's Kerberos SSPI allow
CONF and INTEG to be used independently. By forcing the flags
on, we would end up with inconsist state with the client.


To generate a diff of this commit:
cvs diff -r1.235 -r1.236 krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.84 -r1.85
krb5/src/lib/gssapi/krb5/accept_sec_context.c
cvs diff -r1.55 -r1.56 krb5/src/lib/gssapi/krb5/gssapiP_krb5.h
cvs diff -r1.76 -r1.77 krb5/src/lib/gssapi/krb5/init_sec_context.c
Date: Fri, 06 Feb 2004 10:51:44 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2210] GSSAPI accept_sec_context() sets INTEG andCONF flags producing inconsistent state with cleint
RT-Send-Cc:


The flags might be what the client appl wants, but the SSPI might be
actually doing both because it only has an enctype that does both.

So the protection on the packets may be more then the client requested.
So should the acceptor appl be told what the user requested, or what is
actually being used?


Jeffrey Altman via RT wrote:
Show quoted text
>
> Microsoft reports that their Kerberos SSPI code is incompatible with MIT
> GSSAPI when INTEG or CONF modes are used independent of one another.
> 1964 states that the INTEG and CONF flags are to indicate the
> availability of the modes in the client. They are not to be set by the
> server.
>
> MIT's clients always set both flags which is fine, but we must be
> prepared to accept security contexts which only set one of them.
>
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krb5-bugs

--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Date: Fri, 06 Feb 2004 12:42:06 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
To: "Douglas E. Engert" <deengert@anl.gov>
Cc: rt-comment@krbdev.mit.edu, krb5-prs@MIT.EDU
Subject: Re: [krbdev.mit.edu #2210] GSSAPI accept_sec_context() sets INTEG andCONF flags producing inconsistent state with cleint
RT-Send-Cc:
Download smime.p7s
application/x-pkcs7-signature 3.3KiB

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 1.1KiB
The flags are what the client is capable of; not what the client wants.
If the flags are not set by the client and the server uses the functionality
anyway you will lose.


Douglas E. Engert wrote:
Show quoted text

The flags might be what the client appl wants, but the SSPI might be
actually doing both because it only has an enctype that does both. 

So the protection on the packets may be more then the client requested.
So should the acceptor appl be told what the user requested, or what is
actually being used?   


Jeffrey Altman via RT wrote:
Microsoft reports that their Kerberos SSPI code is incompatible with MIT
GSSAPI when INTEG or CONF modes are used independent of one another.
1964 states that the INTEG and CONF flags are to indicate the
availability of the modes in the client.  They are not to be set by the
server.

MIT's clients always set both flags which is fine, but we must be
prepared to accept security contexts which only set one of them.

_______________________________________________ krb5-bugs mailing list krb5-bugs@mit.edu https://mailman.mit.edu/mailman/listinfo/krb5-bugs

Date: Fri, 06 Feb 2004 12:01:17 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
To: Jeffrey Altman <jaltman@columbia.edu>
Cc: krb5-prs@mit.edu, rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2210] GSSAPI accept_sec_context() sets INTEGandCONF flags producing inconsistent state with cleint
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.7KiB


Show quoted text
> Jeffrey Altman wrote:
>
> The flags are what the client is capable of; not what the client wants.
> If the flags are not set by the client and the server uses the functionality
> anyway you will lose.

You are right. I should have read the RFCs first.

Show quoted text
>
> Douglas E. Engert wrote:
>
> >
> > The flags might be what the client appl wants, but the SSPI might be
> > actually doing both because it only has an enctype that does both.
> >
> > So the protection on the packets may be more then the client requested.
> > So should the acceptor appl be told what the user requested, or what is
> > actually being used?
> >
> >
> > Jeffrey Altman via RT wrote:
> >
> >> Microsoft reports that their Kerberos SSPI code is incompatible with MIT
> >> GSSAPI when INTEG or CONF modes are used independent of one another.
> >> 1964 states that the INTEG and CONF flags are to indicate the
> >> availability of the modes in the client. They are not to be set by the
> >> server.
> >>
> >> MIT's clients always set both flags which is fine, but we must be
> >> prepared to accept security contexts which only set one of them.
> >>
> >> _______________________________________________
> >> krb5-bugs mailing list
> >> krb5-bugs@mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/krb5-bugs
> >>
> >
> >
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krb5-bugs

--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r1.218.2.14 -r1.218.2.15
krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.77.2.7 -r1.77.2.8
krb5/src/lib/gssapi/krb5/accept_sec_context.c
cvs diff -r1.50.2.4 -r1.50.2.5
krb5/src/lib/gssapi/krb5/gssapiP_krb5.h
cvs diff -r1.66.2.9 -r1.66.2.10
krb5/src/lib/gssapi/krb5/init_sec_context.c