[1343] in Kerberos_V5_Development
Re: Audit GSS-API changes
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Fri Jun 21 00:03:00 1996
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Fri, 14 Jun 1996 14:26:56 EDT." <9606141826.AA28513@beeblebrox.MIT.EDU>
Date: Fri, 21 Jun 1996 00:02:32 EDT
From: Marc Horowitz <marc@MIT.EDU>
Ok, I've audited Barry's patches. There were a few small problems:
- you can't compare OIDs with ==, you need to use the g_OID_equal macro.
- you got the serialize abstraction a little wrong. This is understandable, since it's Paul Park code. Basically, rather than having kg_ctx_size internalize knowledge about an OID, there should be a kg_oid_size function.
I also believe that there was missing functionality:
- gss_acquire_cred needs to be able to deal with both mech OIDs. It should return in actual_mechs the intersection of the set passed in and the {old,new} mechs, or if the default was requested, it should return both mech OIDs. This state should be stored in the credential handle, and regurgitated by gss_inquire_cred.
- gss_init_sec_context should use the mech set in the credential. If the default mech is requested, but the old mech OID was explicitly passed to gss_acquire_cred, then the context should be the old mech; otherwise, the new mech. If a mech was requested explicitly, then the code should ensure that the credential is compatible.
- gss_accept_sec_context should make sure that the OID in the token is compatible with the credential.
I've fixed and implemented everything I've described above, and appended a patch relative to Barry's patch if people want to audit it. The changes are checked in to the repository. I've tagged the files as Barry left them in lib/gssapi/{generic,krb5} as for_audit_960614 for diff purposes.
If there's a document somewhere on the GSS-API implementation (do we have the GSS-API implementation spec?) it should be updated.
The code compiles, but I haven't had a chance to do real testing, since I don't know the state of the GSS-API test setup. I hope to work with Barry on this tomorrow.
Marc
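The OID-comparison and credential/mech-selection rules Marc lays out above, as an added C example that is not part of his patch or the MIT GSS-API code; the oid_t and cred_t structs and every function name are stand-ins, and the two OID byte strings are sample constants embedded for the example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for gss_OID_desc (this example does not use the real GSS-API headers). */
typedef struct { size_t length; const unsigned char *elements; } oid_t;

/* Compare OIDs by contents, as the g_OID_equal macro does; comparing two
 * gss_OID pointers with == only tells you whether they are the same object. */
static int oid_equal(const oid_t *a, const oid_t *b) {
    return a->length == b->length && memcmp(a->elements, b->elements, a->length) == 0;
}

/* Sample inputs: encodings of the old (1.3.5.1.5.2) and new
 * (1.2.840.113554.1.2.2) krb5 mech OIDs, supplied here as constants. */
static const unsigned char OLD_BYTES[] = {0x2b,0x05,0x01,0x05,0x02};
static const unsigned char NEW_BYTES[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const oid_t OLD_OID = {sizeof OLD_BYTES, OLD_BYTES};
static const oid_t NEW_OID = {sizeof NEW_BYTES, NEW_BYTES};
/* What the message says the credential handle must remember. */
typedef struct { int has_old, has_new, old_explicit; } cred_t;

/* gss_acquire_cred rule: actual_mechs = requested set intersected with
 * {old,new}; a default request (nreq == 0) yields both. Returns the count. */
static int acquire_cred(const oid_t *req, size_t nreq, cred_t *c) {
    memset(c, 0, sizeof *c);
    if (nreq == 0) { c->has_old = c->has_new = 1; return 2; }
    for (size_t i = 0; i < nreq; i++) {
        if (oid_equal(&req[i], &OLD_OID)) c->has_old = c->old_explicit = 1;
        else if (oid_equal(&req[i], &NEW_OID)) c->has_new = 1;
    }
    return c->has_old + c->has_new;
}

/* Shared compatibility check for gss_init_sec_context (explicit mech) and
 * gss_accept_sec_context (mech OID carried in the token). */
static int mech_in_cred(const cred_t *c, const oid_t *mech) {
    return (c->has_old && oid_equal(mech, &OLD_OID)) ||
           (c->has_new && oid_equal(mech, &NEW_OID));
}

/* gss_init_sec_context rule: NULL (default) picks the old mech only when it
 * was explicitly acquired, otherwise the new one; an explicit mech must be in
 * the credential. Returns NULL when the credential is incompatible. */
static const oid_t *init_sec_context_mech(const cred_t *c, const oid_t *want) {
    if (want == NULL) {
        if (c->old_explicit) return &OLD_OID;
        return c->has_new ? &NEW_OID : NULL;
    }
    return mech_in_cred(c, want) ? want : NULL;
}
```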