RFC 4121 (Kerberos 5 V2 - GSSAPI) - RRC

Srinivas Cheruku srinivas.cheruku at gmail.com
Thu May 6 06:37:03 EDT 2010



According to RFC 4121 on RRC Field:


Excluding the first

   16 octets of the token header, the resulting Wrap token in the

   previous section is rotated to the right by "RRC" octets.  The net



The Wrap token should be rotated to the right by count specified in RRC
field, where as looks like MIT Kerberos (1.8.1) is rotating to left (when
gss_unwrap() is called). Is this right?


Code shown from krb5-1.8.1/src/lib/gssapi/krb5/k5sealv3.c, function


    if (toktype == KG_TOK_WRAP_MSG) {

        if (load_16_be(ptr) != KG2_TOK_WRAP_MSG)

            goto defective;

        if (ptr[3] != 0xff)

            goto defective;

        ec = load_16_be(ptr+4);

        rrc = load_16_be(ptr+6);

        seqnum = load_64_be(ptr+8);

        if (!gss_krb5int_rotate_left(ptr+16, bodysize-16, rrc)) {


            *minor_status = ENOMEM;

            return GSS_S_FAILURE;



More information about the krbdev mailing list