svn rev #21035: branches/mskrb-integ/src/lib/gssapi/ generic/ krb5/

lhoward@MIT.EDU lhoward at MIT.EDU
Fri Nov 7 01:49:27 EST 2008


Commit By: lhoward
Log Message: 
Eliminate the requirement that the gss_wrap_iov() caller must know about
the trailer. The caller now passes at least three buffers: TOKEN, DATA,
and PADDING.

For pre-CFX crypto PADDING is used purely for padding (managed by the
application in the DCE case).

For CFX crypto, PADDING is used for EC | E(GSS-Header) | Kerb-Trailer,
except in the DCE case where it is used only for padding (because the
rest is rotated into TOKEN).

A bug in Windows means that for DCE it always rotates by EC + RRC. We
work around this on wrap by always setting EC = 0, knowing that DCE will be
capable of managing the padding length. We work around it on unwrap
explicitly. Testing is necessary to verify this.

Finally, it should be possible to implement gss_wrap() and gss_unwrap()
on top of the IOV APIs in the following manner: for gss_wrap(), pass in
empty TOKEN and PADDING and either set the ALLOCATE flag or call
gss_wrap_iov_length() to determine the appropriate lengths. For
gss_unwrap(), pass in STREAM and DATA (setting the ALLOCATE flag if you
do not want in-place decryption). This is similar to SSPI.

This code is still under development and is untested.



Changed Files:
U   branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h
U   branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h
U   branches/mskrb-integ/src/lib/gssapi/krb5/k5sealiov.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/k5sealv3iov.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/k5unsealiov.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/util_cksum.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/util_crypt.c
