[2444] in Kerberos-V5-bugs
krb5-libs/180: GSS-RPC, channel bindings, and UDP
daemon@ATHENA.MIT.EDU (bjaspan@MIT.EDU)
Tue Nov 12 16:21:44 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, bjaspan@MIT.EDU
Date: Tue, 12 Nov 1996 21:18:20 GMT
From: bjaspan@MIT.EDU
Reply-To: bjaspan@MIT.EDU
To: krb5-bugs@MIT.EDU
>Number: 180
>Category: krb5-libs
>Synopsis: GSS-RPC, channel bindings, and UDP
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Nov 12 16:20:00 EST 1996
>Last-Modified:
>Originator: Barry Jaspan
>Organization:
mit
>Release: 1.0-development
>Environment:
System: IRIX beeblebrox 5.3 11091812 IP22 mips
>Description:
The GSS-RPC uses channel bindings when its internal protocol is
version 3 or higher. Channel bindings work by having the client and
server specify the source and destination address of the context
initiation tokens and then having the libraries verify a checksum of
that data in each token.
For TCP, GSS-RPC uses getsockname() and getpeername() to determine the
correct addresses. For UDP, this doesn't work: the socket is
unconnected on the server side, so getsockname() returns a zero
address. The recvmsg() syscall returns the dest address of a packet,
but unlike recvfrom does *not* return the source address. Thus, the
only way for the server to get the destination address of the packet
is to open a separate UDP socket bound to each of the machine's local
addresses. This is not a change I want to make before the 1.0
release.
My temporary workaround is to have the client fall back from version >=3
to version 2 when the server returns a "bad channel bindings error."
This works because the server-side RPC layer is still happy to accept
the old (pre-bindings) version.
I am also going to enhance the rpc unit tests to run both on TCP and
UDP so we make sure this behavior continues to work.
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
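To illustrate the mismatch the report describes, here is an added example (not krb5 code) that models the channel-binding checksum in the layout of the Kerberos V5 GSS mechanism (RFC 1964 section 4.1.1.2) and the client's fall-back from version 3 to version 2. The sample addresses, the version numbers, and the all-fields-present layout are assumptions.

```python
import hashlib
import ipaddress
import struct

GSS_C_AF_INET = 2  # GSS-API address family value for IPv4


def channel_binding_checksum(initiator_addr, acceptor_addr, app_data=b""):
    """MD5 over the channel bindings in the RFC 1964 layout: every integer
    is 4-byte little-endian, every octet string is a 4-byte little-endian
    length followed by its bytes. Assumes both addresses are present."""
    h = hashlib.md5()
    for addr in (initiator_addr, acceptor_addr):
        packed = ipaddress.IPv4Address(addr).packed
        h.update(struct.pack("<I", GSS_C_AF_INET))
        h.update(struct.pack("<I", len(packed)) + packed)
    h.update(struct.pack("<I", len(app_data)) + app_data)
    return h.digest()


def server_accepts(version, client_view, server_view):
    """Protocol version >= 3 verifies the bindings; version 2 predates them."""
    if version < 3:
        return True
    return channel_binding_checksum(*client_view) == channel_binding_checksum(*server_view)


def negotiate_version(client_view, server_view, first=3):
    """Client behaviour from the report: start at `first` and, on a
    'bad channel bindings' rejection, retry with version 2."""
    if server_accepts(first, client_view, server_view):
        return first
    return 2 if server_accepts(2, client_view, server_view) else None


# Constructed sample: a client at 10.0.0.5 talking to a server at 10.0.0.1.
# Each view is (initiator_address, acceptor_address) as that side sees it.
CLIENT_VIEW = ("10.0.0.5", "10.0.0.1")      # getsockname()/getpeername() on the client
TCP_SERVER_VIEW = ("10.0.0.5", "10.0.0.1")  # connected TCP socket: both addresses known
UDP_SERVER_VIEW = ("10.0.0.5", "0.0.0.0")   # unconnected UDP: getsockname() gives zero

if __name__ == "__main__":
    print("TCP negotiates version", negotiate_version(CLIENT_VIEW, TCP_SERVER_VIEW))
    print("UDP negotiates version", negotiate_version(CLIENT_VIEW, UDP_SERVER_VIEW))
```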