Questions on gss_verify_mic_iov
ghudson at mit.edu
Tue Sep 15 21:10:09 EDT 2015
On 09/15/2015 11:00 AM, Natalie Li wrote:
> 1) Is it intended for supporting GSS_VerifyMICEx() call [support
> multiple input buffers] mentioned in MS-KILE document as shown below?
Not specifically, but it should serve a similar function, and it seems
like they should interoperate.
> 2) If yes to (1), then can you please confirm the usage of
> gss_verify_mic_iov() in the following scenario described by MS-RPCE
It seems right to me.
> a) Is GSS_C_BUFFER_TYPE_TRAILER intended for sec_trailer mentioned in
> section 18.104.22.168 as shown below?
No, it's used by gss_wrap_iov()/gss_unwrap_iov() for the RFC 3961
authentication trailer. Microsoft's implementation rotates this into
the header; we do the same if no trailer buffer is given.
gss_verify_mic_iov() does not use this buffer type.
> One of the Solaris Kerberos team members suggested that
> GSS_C_BUFFER_TYPE_TRAILER required due to:
No; the logic is somewhat tortured due to the way code is shared between
unwrap and verify_iov, but checksum_iov_v3() doesn't require a trailer
in the verify_iov case because rrc is set to a synthetic value.
> (GSS major error): A token had an invalid Message Integrity Check (MIC)
> (GSS minor error): Message size is incompatible with encryption type
What is the encryption type of the session key, and what is the size of
the MIC token?
> b) GSS_C_BUFFER_TYPE_HEADER is not intended for the PDU header (MS-RPC
> header) mentioned in (2), right? The MIT krb doc suggests that for
> GSSAPI wrap token header.
Correct, the MS-RPC PDU header is at a higher protocol layer.
> c) Is GSS_C_BUFFER_TYPE_DATA used only for encryption, not for signing?
GSS_C_BUFFER_TYPE_DATA and GSS_IOV_BUFFER_TYPE_SIGN_ONLY are both used
for signing. They have the same meaning to the MIC functions, but have
different meanings for gss_wrap_iov(), where DATA buffers are encrypted
and SIGN_ONLY buffers are not--but again, both types are included in the
calculation of the authentication tag.
More information about the krbdev