RRC and sign_only
Luke Howard
lukeh at padl.com
Thu Dec 18 03:30:31 EST 2008
> It's now clear to me that Sam was talking about the lower-layer crypto API,
> and at that layer, I agree it's entirely reasonable for some cases not to
> support arbitrary RRC. It's OK that some interfaces are not useful in
> constructing an RFC4121 implementation.
You can construct RFC4121 gss_unwrap() on top of gss_unwrap_iov(), as
long as you use STREAM. Arbitrary RRC is accepted.
Indeed, should a mechanism provide gss_[un]wrap_iov() but not
gss_[un]wrap(), the mechglue will synthesise the latter. I used this
to test RFC4121 interoperability.
http://src.mit.edu/opengrok/xref/branches/mskrb-integ/src/lib/gssapi/mechglue/g_unseal.c
http://src.mit.edu/opengrok/xref/branches/mskrb-integ/src/lib/gssapi/mechglue/g_seal.c
-- Luke
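
The following is an added illustration, not part of the original message and not MIT krb5 code. RFC 4121 requires a receiver to accept any rotation count, including one larger than the token, so this sketch shows the bounds-checked step that undoes the right rotation of a Wrap token body before further processing. The names `rrc_unrotate`, `reverse` and `WRAP_HDR_LEN` are hypothetical, and the sample token is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WRAP_HDR_LEN 16  /* TOK_ID(2) Flags(1) Filler(1) EC(2) RRC(2) SND_SEQ(8) */

static void reverse(uint8_t *p, size_t n)
{
    while (n > 1) {
        uint8_t t = p[0]; p[0] = p[n - 1]; p[n - 1] = t;
        p++; n -= 2;
    }
}

/* Undo the sender's right rotation of everything after the 16-octet header,
 * in place. Returns 0 on success, -1 if this is not a well-formed Wrap token. */
int rrc_unrotate(uint8_t *tok, size_t len)
{
    if (tok == NULL || len < WRAP_HDR_LEN)
        return -1;                       /* too short to hold a header */
    if (tok[0] != 0x05 || tok[1] != 0x04 || tok[3] != 0xFF)
        return -1;                       /* TOK_ID must be 05 04, Filler FF */
    uint8_t *body = tok + WRAP_HDR_LEN;
    size_t blen = len - WRAP_HDR_LEN;
    if (blen == 0)
        return 0;                        /* nothing to rotate */
    /* RRC is big-endian at octets 6..7 and may exceed the body length. */
    size_t rrc = (((size_t)tok[6] << 8) | tok[7]) % blen;
    /* Left-rotate by rrc with three reversals: no allocation, no copy-out. */
    reverse(body, rrc);
    reverse(body + rrc, blen - rrc);
    reverse(body, blen);
    return 0;
}

int main(void)
{
    /* Constructed sample: body "ABCDEFGH" right-rotated by 3, RRC = 11 (> 8). */
    uint8_t tok[24] = { 0x05, 0x04, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x0B };
    memcpy(tok + WRAP_HDR_LEN, "FGHABCDE", 8);
    if (rrc_unrotate(tok, sizeof tok) != 0)
        return 1;
    printf("%.8s\n", (const char *)(tok + WRAP_HDR_LEN));
    return 0;
}
```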