Kerberos Ticket Forwarding Patch/Update (3.2)

Love Hörnquist Åstrand lha at kth.se
Mon Jul 28 21:44:11 GMT 2008


All fields longer than one byte need to be byte-swapped to LE on BE
platforms.

Love



On 28 Jul 2008, at 20:44, Derrick Schommer wrote:

> I'm not sure anything needs to be byte swapped if I'm reading this  
> spec right:
>
>
> The 0x8003 GSS checksum MUST have the following
>   structure:
> Octet     Name       Description
>      -----------------------------------------------------------------
>      0..3      Lgth       Number of octets in Bnd field;  Represented
>                            in little-endian order;  Currently contains
>                            hex value 10 00 00 00 (16).
>      4..19     Bnd        Channel binding information, as described in
>                            section 4.1.1.2 [RFC4121].
>      20..23    Flags      Four-octet context-establishment flags in
>                            little-endian order as described in section
>                            4.1.1.1 [RFC4121].
>      24..25    DlgOpt     The delegation option identifier (=1) in
>                            little-endian order [optional].  This field
>                            and the next two fields are present if and
>                            only if GSS_C_DELEG_FLAG is set as described
>                            in section 4.1.1.1 [RFC4121].
>      26..27    Dlgth      The length of the Deleg field in
>                            little-endian order [optional].
>      28..(n-1) Deleg      KRB_CRED message (n = Dlgth + 28) [optional].
>      n..last   Exts       Extensions
>
>
> source: http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-gss-cb-hash-agility-04.txt
>
>
>
> -----Original Message-----
> From: Love Hörnquist Åstrand [mailto:lha at kth.se]
> Sent: Saturday, July 26, 2008 14:41
> To: Derrick Schommer
> Cc: samba-technical at lists.samba.org
> Subject: Re: Kerberos Ticket Forwarding Patch/Update (3.2)
>
> The flags field in the 8003 checksum should match the gss-api flags
> given to gss_init_sec_context(), your patch sets it to
> GSSAPI_NO_C_BINDINGS (0), which is wrong, it should at least be
> GSS_C_DELEG_FLAG, see page 4 of rfc1934.
>
> +  uint8_t    deleg[];                    /* Deleg field buffer ( one
> or more bytes of GSS-API data) */
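Review bot: `uint8_t deleg[];` on this line declares an array with no size, which is a C99 flexible array member and is rejected by C89 compilers. If the code has to build as C89, carry the Deleg bytes through a pointer and an explicit length instead of an unsized trailing member. The comment's "one or more bytes" also leaves the real length unstated; it should say that the length is the value of the Dlgth field.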
>
> This is not valid c89.
>
> The patch does no byte swapping, so it will only work on LE machines.
>
> Love
>
>
> On 25 Jul 2008, at 20:14, Derrick Schommer wrote:
>
>> Here is the update with C-style comment fixes for 3.2 for the Kerberos
>> update and the gss_init() updated to have the C_DELEGAT flag enabled.
>>
>
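Added example, not part of the thread or of the Samba patch: one way to lay out the 0x8003 checksum from the quoted table so the result is identical on little-endian and big-endian hosts, by storing each multi-octet field one byte at a time instead of overlaying a struct. The names build_8003_checksum, put_le16 and put_le32 are hypothetical; GSS_C_DELEG_FLAG is defined locally with its RFC 2744 value so the block compiles without GSS-API headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GSS_C_DELEG_FLAG 1 /* RFC 2744 value; defined here for a stand-alone build */

/* Store integers least-significant byte first, whatever the host byte order. */
static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff);
    p[3] = (uint8_t)((v >> 24) & 0xff);
}

/*
 * Hypothetical helper: write Lgth, Bnd, Flags and, when GSS_C_DELEG_FLAG is
 * set, DlgOpt, Dlgth and Deleg. Returns the number of octets written, or 0
 * on bad arguments or insufficient space. Extensions (Exts) are not handled.
 */
size_t build_8003_checksum(uint8_t *out, size_t outlen,
                           const uint8_t bnd[16], uint32_t flags,
                           const uint8_t *krb_cred, size_t cred_len)
{
    size_t need = 24;
    int deleg = (flags & GSS_C_DELEG_FLAG) != 0;

    if (deleg) {
        if (krb_cred == NULL || cred_len == 0 || cred_len > 0xffff)
            return 0;                       /* Dlgth is only two octets */
        need += 4 + cred_len;
    }
    if (out == NULL || bnd == NULL || outlen < need)
        return 0;

    put_le32(out, 16);                      /* 0..3   Lgth  = 10 00 00 00 */
    memcpy(out + 4, bnd, 16);               /* 4..19  Bnd   */
    put_le32(out + 20, flags);              /* 20..23 Flags */
    if (deleg) {
        put_le16(out + 24, 1);                  /* 24..25 DlgOpt (=1) */
        put_le16(out + 26, (uint16_t)cred_len); /* 26..27 Dlgth */
        memcpy(out + 28, krb_cred, cred_len);   /* 28..(n-1) Deleg */
    }
    return need;
}
```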


