[krbdev.mit.edu #1352] kg_seal should check GSS_C_PROT_READY_FLAG value

Sam Hartman via RT rt-comment at krbdev.mit.edu
Fri Feb 21 15:44:57 EST 2003


Oh, I completely agree that the MIT code is broken with regard to
prot_ready.  My question is whether there is a reasonable way to make
prot_ready work for an RFC 1964 mechanism.  Reading the base GSSAPI
spec, it sounds like both wrap and unwrap must work.  I.e., in the
Kerberos case, a client must be able to receive both a context token
and a message token from the acceptor, and pass the message token into
gss_unwrap before passing the context token into
gss_accept_sec_context.

I don't know how to handle sequence state in that case.  Clearly we
cannot make sequence service available until the context is
established, but I don't even know how to resynchronize state dealing
with messages that may have already been received in order to set that
up.




