[SAMBA4][PATCH] Fix up AES sign/seal on DCE/RPC

Andrew Bartlett abartlet at samba.org
Sat Sep 10 22:54:00 GMT 2005


On Sat, 2005-09-10 at 18:38 -0400, Ken Raeburn wrote:
> On Sep 10, 2005, at 02:09, Andrew Bartlett wrote:
> > Sadly it is a mistake that DCE/RPC forces on us:  While I presume you
> > could simply expand the data portion for the full wrapped data,
> > Microsoft chose to place the signature in the traditional place,
> > separate from the main data.  We have to be compatible with that.
> [...]
> > As such, I'm in a no-win situation, and took the least ugly way  
> > out :-)
> 
> Pragmatically, yes, it sounds like you're stuck implementing  
> something along these lines.  But I think it would be a bit less ugly  
> if the naming made it clear that it's a DCE/RPC thing, not a general  
> GSSAPI thing.  DCE/RPC isn't GSSAPI.  Likewise for gss_wrap_ex, if it  
> separates the signature, though I could certainly see AEAD being a  
> useful GSSAPI addition (and wish we'd had time to properly consider  
> it for RFC 3961 -- Kerberos cryptosystems -- as well).

Any suggestions as to the name?  While the particular need here is for
DCE/RPC, I imagine it is not the only framing that is painful in this
respect...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net