[Date Prev][Date Next]
Re: Fwd: GSSAPI contexts used in multiple threads
Russ Allbery wrote:
As part of the discussion of adding additional thread safety guarantees to
MIT Kerberos's GSS-API implementation to support OpenLDAP's use case, Sam
Hartman had the following additional questions about how OpenLDAP uses
SASL in such a way as to run into this problem. I'm happy to forward
answers back to him. I don't understand the usage well enough to explain
The point is that an LDAP session is full duplex, as I already described here
Let me know if Sam needs more details than that.
| From: Sam Hartman<email@example.com>
| Subject: GSSAPI contexts used in multiple threads
| Date: Mon, 03 Mar 2008 16:28:13 -0500
| Hi. I'm catching up on email. I read a discussion (although I cannot
| find it now) of adding support so that an established gss-api context
| can be used in multiple threads at the same time. This seems like a
| fine feature to add to MIT Kerberos.
| However I'm quite puzzled as to how this works for LDAP or any other
| SASL application. SASL is a stream protocol; it presents an ordered
| stream across the network connection. In order to guarantee this the
| sasl security layer requires that tokens be wrapped and unwrapped in
| the same order. If you don't do that you can get into a situation
| where the wrap order is different from the unwrap order and you get
| spurious gap tokens or out of order tokens. You cannot tell the
| difference between this and an attack. Also, since SASL applications
| may chunk data into GSS-API tokens in arbitrary order, GSS-API tokens
| may not line up with LDAP PDU boundaries.
| So, I'm very confused about how an LDAP implementation could be a
| correct application and run into problems with MIT's current thread
| safety requirements.
| I'd appreciate it if people who do remember the original discussion
| could forward my message to the right place to get an answer.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/