Re: SASL_MAX_BUFF_SIZE in /libraries/libldap/cyrus.c
"Kurt D. Zeilenga" wrote:
>
> At 07:48 PM 1/18/01 +0100, Norbert Klasen wrote:
> >Is the size of this buffer mandated by some standard or arbitrarily
> >chosen for this implementation?
>
> RFC 2222, Section 3 says (in part):
> If the use of a security layer is agreed upon, then the mechanism
> must also define or negotiate the maximum cipher-text buffer size
> that each side is able to receive.
>
> The length of the cipher-text buffer must be no larger than the
> maximum size that was defined or negotiated by the other side.
>
> Section 7 (GSSAPI) indicates that the length is negotiated.
>
> OpenLDAP, by default, sets the maxbufsize. If we get buffers
> returned larger than this, that's an error. I note that our
> code should have some additional sanity checks. I committed
> a couple.
>
> >I ask because I get errors on large result sets from Active Directory
> >when GSSAPI privacy protection is in place:
> >sb_sasl_pkt_length: received illegal packet length of 66112 bytes
> >sb_sasl_read: failed to decode packet: generic failure
>
> Well, I'd be interested to see if Cyrus SASL sent AD the maxbufsize
> requested by OpenLDAP. If it did, then I would think AD is
> in error.
It didn't but AD is still in error:
The maxbufsize was hardcoded in the gssapi plugin to 0x0FFFFF. I patched
/cyrus-sasl-1.5.24/plugins/gssapi.c (see attachment) to send the
requested bufsize, but AD seems to disregard this value: The whole
result set is still transmitted at once.
P.S.: The maxbufsize is made of 3 octets to be found just before the
padding in the 3rd LDAP SASL bind request. Can anybody confirm this
behavior? I'd like to file a bug report with Microsoft.
--
Norbert Klasen
DFN Directory Services tel: +49 7071 29 70335
ZDV, Universität Tübingen fax: +49 7071 29 5912
Wächterstr. 76, 72074 Tübingen http://www.directory.dfn.de
Germany norbert.klasen@zdv.uni-tuebingen.de
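The size negotiation and the receive-side length check discussed in this thread, as an added example that is not part of the original message and is not Cyrus SASL or OpenLDAP code. The function names are hypothetical; the layouts follow RFC 2222 (Section 7 for the 4-octet GSSAPI token, Section 3 for the 4-octet length prefix).

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helpers. Token layout: octet 0 = security-layer bitmask,
 * octets 1..3 = maximum receive buffer size, most significant octet first. */
#define MAXBUF_LIMIT 0xFFFFFFu   /* largest value three octets can carry */

/* Encode the 4-octet negotiation token. Returns 0 on success, -1 if the
 * requested size does not fit in 24 bits. */
int seclayer_encode(unsigned char out[4], unsigned char layers, uint32_t maxbuf)
{
    if (maxbuf > MAXBUF_LIMIT)
        return -1;
    out[0] = layers;
    out[1] = (unsigned char)((maxbuf >> 16) & 0xFF);
    out[2] = (unsigned char)((maxbuf >> 8) & 0xFF);
    out[3] = (unsigned char)(maxbuf & 0xFF);
    return 0;
}

/* Decode a peer's token. Octets are read as unsigned so values of 0x80 or
 * above do not sign-extend. Returns 0 on success, -1 on a short token. */
int seclayer_decode(const unsigned char *tok, size_t len,
                    unsigned char *layers, uint32_t *maxbuf)
{
    if (tok == NULL || len < 4)
        return -1;
    *layers = tok[0];
    *maxbuf = ((uint32_t)tok[1] << 16) | ((uint32_t)tok[2] << 8) | tok[3];
    return 0;
}

/* Receiver-side check on a security-layer packet: a 4-octet network-order
 * length prefix followed by that many cipher-text octets. Returns the
 * payload length, or -1 if the header is short or the length exceeds the
 * size this side advertised (that is, the peer ignored the negotiation). */
long pkt_length_check(const unsigned char *hdr, size_t len, uint32_t advertised)
{
    uint32_t n;
    if (hdr == NULL || len < 4)
        return -1;
    n = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
      | ((uint32_t)hdr[2] << 8) | hdr[3];
    if (n > advertised)
        return -1;
    return (long)n;
}
```

With a constructed advertised size of 65536, a length prefix of 66112 (the value in the logged error) is rejected by `pkt_length_check`, while the hardcoded 0x0FFFFF would let it through.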
--- gssapi.c.orig Mon Jan 22 17:52:32 2001
+++ gssapi.c Mon Jan 22 18:22:58 2001
@@ -1274,6 +1274,8 @@
return SASL_TOOWEAK;
}
+ oparams->maxoutbuf = (((char *)output_token->value)[1]<<8 | ((char *)output_token->value)[2]) <<8 |((char *)output_token->value)[3];
+
gss_release_buffer(&min_stat, output_token);
if (oparams->user)
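Review bot: The added maxoutbuf assignment reads octets 1 to 3 through a (char *) cast, so on platforms where char is signed any octet of 0x80 or above sign-extends before the shift and OR, and the stored size comes out wrong or negative; cast to (unsigned char *), as the second hunk already does for input_token. The visible lines also show no check that output_token->length is at least 4 before indexing [1] to [3], and no lower bound on the decoded value, so a short token or a size of zero from the peer would be stored as is; both deserve an explicit check before the assignment.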
@@ -1294,10 +1296,12 @@
((unsigned char *)input_token->value)[0] = mychoice;
- oparams->maxoutbuf = 1024; /* XXX do something real here */
- ((unsigned char *)input_token->value)[1] = 0x0F;
- ((unsigned char *)input_token->value)[2] = 0xFF;
- ((unsigned char *)input_token->value)[3] = 0xFF;
+ if (secprops.maxbufsize > 0xFFFFFF) {
+ return SASL_BADPARAM;
+ }
+ ((unsigned char *)input_token->value)[1] = (secprops.maxbufsize>>16) & 0xFF;
+ ((unsigned char *)input_token->value)[2] = (secprops.maxbufsize>>8) & 0xFF;
+ ((unsigned char *)input_token->value)[3] = secprops.maxbufsize & 0xFF;
maj_stat = gss_wrap (&min_stat,
text->gss_ctx,
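Review bot: The new secprops.maxbufsize > 0xFFFFFF check returns SASL_BADPARAM after input_token->value has already been written at index [0], so confirm that buffer is released on this early-return path, or move the range check above the point where the token is built. Consider clamping to 0xFFFFFF instead of failing, since a caller asking for a larger buffer can still be served by advertising the largest encodable size, and add a short comment that the three octets are the maximum receive size in network byte order. As the message above reports, a peer may disregard the advertised size, so the receive path still has to enforce it.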