[7243] in Kerberos
ref_flags
daemon@ATHENA.MIT.EDU (Dave Clarke)
Fri May 10 13:00:40 1996
To: kerberos@MIT.EDU
Date: Fri, 10 May 1996 14:53:11 -0700
From: Dave Clarke <DGClarke1@aol.com>
We're using Kerberos 5 Beta 5 currently.
As I understand it, Kerberos provides protection against replays, and out
of sequence messages. However, If using GSS-API I place, for example
GSS_C_REPLAY_FLAG into the req_flags of gss-init_security_context, the
value in ret_flags after the call never includes this feature. I have
checked in src/lib/gssapi/krb5/init_sec_context.c, and the following is
observed:
if (ret_flags)
*ret_flags = ((req_flags & GSS_C_MUTUAL_FLAG) |
GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG);
A similar check in accept_security_context.c reveals something similar.
Surely it would be better to return the requested feature if it was
supplied, and not if it wasn't.
I understand that the replay & sequence checks can't be disabled, but
doing things the way they are now gives rise to difficulties deciding
whether a given context conforms to required policy, since I can't
request a feature generically, looking at the ret_flags to determine
support for it or not.
Any comments?
Dave
