Re: GSS-SPNEGO Protocol Details

On Tue, Jan 30, 2007 at 12:13:01AM -0800, Howard Chu wrote:
> When invoked from Cyrus SASL it will only offer confidentiality if the 
> sasl-secprops are set with minssf > 1. Since you're talking about your own 
> private SASL implementations obviously we can't tell.

Hmmm. I have to look at Cyrus SASL, but I don't see how
it would be able to avoid negotiating it. I'm talking about
line 514ff in src/lib/gssapi/krb5/init_sec_context.c of MIT
krb 1.5.1:

   ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
                     GSS_C_TRANS_FLAG |
                     ((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                                     GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)));

This way it does not look at the req_flags given to it via
gss_init_sec_context(), it just unconditionally sets
GSS_C_CONF_FLAG. If I change it to take GSS_C_CONF_FLAG and
GSS_C_INTEG_FLAG from req_flags, then it does work as I
would expect.

I hope I don't look stupid here... :-)
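The following is an added example to illustrate the flag computation under discussion; it is not code from the MIT krb5 tree, from Cyrus SASL, or from either poster. It implements the quoted expression as shipped in 1.5.1 next to the change the poster describes (taking GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG from req_flags), and shows what a caller looking at the returned flags would see for a few request sets. The flag bit values are the ones defined by RFC 2744 and reproduced here so it builds without gssapi.h; the ssf_from_flags() mapping is a hypothetical SASL-style view (no integrity -> 0, integrity only -> 1, confidentiality -> a value greater than 1), not Cyrus SASL's actual code.

```c
/* Added example: compare the 1.5.1 flag expression with the proposed change.
 * Not code from MIT krb5, Cyrus SASL, or the thread's posters. */
#include <stdint.h>
#include <stdio.h>

/* Request-flag bits as defined in RFC 2744 (normally from gssapi.h). */
#define GSS_C_DELEG_FLAG      1
#define GSS_C_MUTUAL_FLAG     2
#define GSS_C_REPLAY_FLAG     4
#define GSS_C_SEQUENCE_FLAG   8
#define GSS_C_CONF_FLAG      16
#define GSS_C_INTEG_FLAG     32
#define GSS_C_TRANS_FLAG    256

typedef uint32_t OM_uint32;

/* The expression quoted from init_sec_context.c in MIT krb5 1.5.1:
 * INTEG, CONF and TRANS are set no matter what req_flags contains. */
OM_uint32 gss_flags_as_shipped(OM_uint32 req_flags)
{
    return GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG |
           (req_flags & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                         GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG));
}

/* The change the poster describes: CONF and INTEG come from req_flags
 * as well. This is the poster's proposal, not what MIT ships. */
OM_uint32 gss_flags_honoring_req(OM_uint32 req_flags)
{
    return GSS_C_TRANS_FLAG |
           (req_flags & (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG |
                         GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG |
                         GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG));
}

/* Hypothetical SASL-style reading of the negotiated flags (assumption:
 * no INTEG -> 0, INTEG only -> 1, CONF -> 56 standing in for "> 1"). */
int ssf_from_flags(OM_uint32 flags)
{
    if (flags & GSS_C_CONF_FLAG)  return 56;
    if (flags & GSS_C_INTEG_FLAG) return 1;
    return 0;
}

static void show(const char *label, OM_uint32 req)
{
    OM_uint32 shipped = gss_flags_as_shipped(req);
    OM_uint32 patched = gss_flags_honoring_req(req);
    printf("%-28s req=0x%03x  shipped=0x%03x (ssf %2d)  patched=0x%03x (ssf %2d)\n",
           label, req, shipped, ssf_from_flags(shipped),
           patched, ssf_from_flags(patched));
}

int main(void)
{
    /* Constructed request sets: what a caller might pass via req_flags. */
    show("mutual only",          GSS_C_MUTUAL_FLAG);
    show("mutual + integrity",   GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG);
    show("mutual + conf",        GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG);
    show("nothing requested",    0);
    return 0;
}
```

With the shipped expression every row reports confidentiality (ssf 56) regardless of what was requested; with the proposed change the returned flags track req_flags, so a caller that asked for integrity only gets ssf 1 and one that asked for neither gets 0.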


