[SAMBA4][PATCH] Fix up AES sign/seal on DCE/RPC
Andrew Bartlett
abartlet at samba.org
Sat Sep 10 22:54:00 GMT 2005
On Sat, 2005-09-10 at 18:38 -0400, Ken Raeburn wrote:
> On Sep 10, 2005, at 02:09, Andrew Bartlett wrote:
> > Sadly it is a mistake that DCE/RPC forces on us: While I presume you
> > could simply expand the data portion for the full wrapped data,
> > Microsoft chose to place the signature in the traditional place,
> > separate from the main data. We have to be compatible with that.
> [...]
> > As such, I'm in a no-win situation, and took the least ugly way
> > out :-)
>
> Pragmatically, yes, it sounds like you're stuck implementing
> something along these lines. But I think it would be a bit less ugly
> if the naming made it clear that it's a DCE/RPC thing, not a general
> GSSAPI thing. DCE/RPC isn't GSSAPI. Likewise for gss_wrap_ex, if it
> separates the signature, though I could certainly see AEAD being a
> useful GSSAPI addition (and wish we'd had time to properly consider
> it for RFC 3961 -- Kerberos cryptosystems -- as well).

Any suggestions as to the name? While the particular need here is for
DCE/RPC, I imagine it is not the only framing that is painful in this
respect...

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
More information about the samba-technical mailing list