GSSAPI contexts used in multiple threads
rra at stanford.edu
Mon Mar 3 16:37:32 EST 2008
Sam Hartman <hartmans at mit.edu> writes:
> Hi. I'm catching up on email. I read a discussion (although I cannot
> find it now) of adding support so that an established gss-api context
> can be used in multiple threads at the same time. This seems like a
> fine feature to add to MIT Kerberos.
> However I'm quite puzzled as to how this works for LDAP or any other
> SASL application. SASL is a stream protocol; it presents an ordered
> stream across the network connection. In order to guarantee this the
> sasl security layer requires that tokens be wrapped and unwrapped in
> the same order. If you don't do that you can get into a situation
> where the wrap order is different from the unwrap order and you get
> spurious gap tokens or out of order tokens. You cannot tell the
> difference between this and an attack. Also, since SASL applications
> may chunk data into GSS-API tokens in arbitrary order, GSS-API tokens
> may not line up with LDAP PDU boundaries.
> So, I'm very confused about how an LDAP implementation could be a
> correct application and run into problems with MIT's current thread
> safety requirements.
> I'd appreciate it if people who do remember the original discussion
> could forward my message to the right place to get an answer.
Doing so now. Thanks!
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev