GSSAPI contexts used in multiple threads
rra at stanford.edu
Mon Mar 3 17:17:07 EST 2008
Sam Hartman <hartmans at mit.edu> writes:
> However I'm quite puzzled as to how this works for LDAP or any other
> SASL application. SASL is a stream protocol; it presents an ordered
> stream across the network connection. In order to guarantee this the
> sasl security layer requires that tokens be wrapped and unwrapped in
> the same order. If you don't do that you can get into a situation
> where the wrap order is different from the unwrap order and you get
> spurious gap tokens or out of order tokens. You cannot tell the
> difference between this and an attack. Also, since SASL applications
> may chunk data into GSS-API tokens in arbitrary order, GSS-API tokens
> may not line up with LDAP PDU boundaries.
> So, I'm very confused about how an LDAP implementation could be a
> correct application and run into problems with MIT's current thread
> safety requirements.
The answer from Howard is that OpenLDAP treats the stream as full duplex.
His message explaining more details is at:
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev