[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAMBA4][PATCH] Fix up AES sign/seal on DCE/RPC



On Sun, 2005-09-11 at 08:54 +1000, Andrew Bartlett wrote:
> On Sat, 2005-09-10 at 18:38 -0400, Ken Raeburn wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On Sep 10, 2005, at 02:09, Andrew Bartlett wrote:
> > > Sadly it is a mistake that DCE/RPC forces on us:  While I presume you
> > > could simply expand the data portion for the full wrapped data,
> > > Microsoft chose to place the signature in the traditional place,
> > > separate from the main data.  We have to be compatible with that.
> > [...]
> > > As such, I'm in a no-win situation, and took the least ugly way  
> > > out :-)
> > 
> > Pragmatically, yes, it sounds like you're stuck implementing  
> > something along these lines.  But I think it would be a bit less ugly  
> > if the naming made it clear that it's a DCE/RPC thing, not a general  
> > GSSAPI thing.  DCE/RPC isn't GSSAPI.  Likewise for gss_wrap_ex, if it  
> > separates the signature, though I could certainly see AEAD being a  
> > useful GSSAPI addition (and wish we'd had time to properly consider  
> > it for RFC 3961 -- Kerberos cryptosystems -- as well).
> 
> Any suggestions as to the name?  While the particular need here is for
> DCE/RPC, I imagine it is not the only framing that is painful in this
> respect...

Given all this discussion, I'll probably rename it to
gsskrb5_wrap_size(), as that's all it's valid for.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

This is a digitally signed message part