[krbdev.mit.edu #1352] Cannot return prot_ready without unwrap working
Wyllys Ingersoll via RT
rt-comment at krbdev.mit.edu
Fri Feb 21 08:51:17 EST 2003
Sam Hartman via RT wrote:
> Hi. I actually think our implementation is wrong to set the
> prot_ready flag before context establishment is complete. If it sets
> that flag then both gss_wrap and gss_unwrap need to work. However
> gss_unwrap cannot work because the sequence state is not yet
> initialized.
>
>
> I'm also not sure that RFC 1964 allows this behavior; I don't think
> having inconsistent support for prot_ready between implementations is
> a good idea.
>
>
> Why do you need this for SPNEGO? You don't have to generate the
> meclistmic until after the underlying mechanism has returned complete.
>
When using mutual authentication, at the time the initial token is generated,
the status is still "CONTINUE_NEEDED" and the context->established flag
is not set even though the PROT_READY flag is set and the
subkey is available. We think (Nico and I) that gss_get_mic should
be able to succeed in this case. I had not considered the "unseal" case since
that was not a problem. The acceptor side context is already "established" when
the MIC is verified, so it wasn't a problem.
-Wyllys