Suppressing conf/integ flags in krb5 GSS tokens
Simo Sorce
simo at redhat.com
Mon Jun 1 09:51:57 EDT 2015
On Sun, 2015-05-31 at 23:03 -0500, Nico Williams wrote:
> On Sun, May 31, 2015 at 01:59:24PM -0400, Greg Hudson wrote:
> > Comments?
>
> Heimdal's SPNEGO implementation neither checks the the GSS_C_INTEG_FLAG
> ret_flag, nor requests it as a req_flag. Heimdal's SPNEGO discovers
> integrity support by calling gss_get_mic(): if it returns GSS_S_UNAVAIL,
> then integrity support is not provided, otherwise it is. Heimdal also
> assumes that if a MIC is received then integrity support must be
> available.
>
> I believe calling GSS_GetMIC() and GSS_VerifyMIC() even when
> GSS_C_INTEG_FLAG is not set in ret_flags is perfectly permissible in
> RFC2743.
I think this is fine, and if you receive a MIC you have no other option
(well, except fail).
> Disabling the MIC in SPNEGO when GSS_C_INTEG_FLAG is not set in
> ret_flags, combined with the new cred options, is likely (I think) to
> fail to interop with Microsoft's SPNEGO when used in the application
> protocol in question. It ought to fail to interop, but who know,
> perhaps MSFT's SPNEGO will not require the MIC in this protocol because
> it's running over TLS, but I'd not bet on it. The Heimdal approach
> seems better.
Keep in mind we tested this, with the patch we sent Greg.
It works with all flags turned off and no special handling for MIC,
today.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the krbdev
mailing list