Saturday 5 September 2009

The use of gss_init_sec_context (ISC)

ISC


Let's start dissecting some of the GSS-API functions; first up is gss_init_sec_context (ISC for short).

The GSS-API function ISC is a very complicated function; just look at the 13 arguments it takes. For every round it is called in an authentication, some of them need to stay the same and some need to change.

OM_uint32
gss_init_sec_context(OM_uint32 * /*minor_status*/,
                     const gss_cred_id_t /*initiator_cred_handle*/,
                     gss_ctx_id_t * /*context_handle*/,
                     const gss_name_t /*target_name*/,
                     const gss_OID /*mech_type*/,
                     OM_uint32 /*req_flags*/,
                     OM_uint32 /*time_req*/,
                     const gss_channel_bindings_t /*input_chan_bindings*/,
                     const gss_buffer_t /*input_token*/,
                     gss_OID * /*actual_mech_type*/,
                     gss_buffer_t /*output_token*/,
                     OM_uint32 * /*ret_flags*/,
                     OM_uint32 * /*time_rec*/);

In those 13 arguments lies the confusion. To make ISC work you only need to pass in 7 of them; the other 6 can be left at their default values, and in fact this will probably make it work better in most cases.
/* target_name is a gss_name_t (already a pointer), so it is passed by value, not as &target_name */
gss_init_sec_context(&minor_status, GSS_C_NO_CREDENTIAL, &ctx, target_name,
                     GSS_C_NO_OID, GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE,
                     GSS_C_NO_CHANNEL_BINDINGS, &in, NULL, &out, &ret_flags, NULL);

You need to check that ret_flags contains the flags you asked for in req_flags. The reason is that the server might downgrade your security to a level you don't find acceptable, like no encryption (leaving out GSS_C_CONF_FLAG).

The logic flow for ISC


The flow of the client side of a GSS-API negotiation looks like this:
gss_name_t name = GSS_C_NO_NAME, cname = GSS_C_NO_NAME;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
gss_buffer_desc in = GSS_C_EMPTY_BUFFER, out = GSS_C_EMPTY_BUFFER;
gss_buffer_desc target = { sizeof("service@server") - 1, "service@server" };
OM_uint32 ret, minor, ret_flags = 0;

ret = gss_import_name(&minor, &target, GSS_C_NT_HOSTBASED_SERVICE, &name);
if (GSS_ERROR(ret))
    abort();

/* Only acquire an explicit credential when the caller supplied a client name
 * (a gss_buffer_t) and name type (a gss_OID); otherwise GSS_C_NO_CREDENTIAL
 * lets ISC pick the default credential. */
if (client_name && client_name_type) {
    ret = gss_import_name(&minor, client_name, client_name_type, &cname);
    if (GSS_ERROR(ret))
        abort();
    ret = gss_acquire_cred(&minor, cname, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
                           GSS_C_INITIATE, &cred, NULL, NULL);
    if (GSS_ERROR(ret))
        abort();
}

/* One round trip per iteration; the first call has no input token. */
do {
    ret = gss_init_sec_context(&minor, cred, &ctx, name, GSS_C_NO_OID,
                               GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE,
                               GSS_C_NO_CHANNEL_BINDINGS, &in, NULL,
                               &out, &ret_flags, NULL);
    if (GSS_ERROR(ret))
        abort();
    if (out.length > 0)                /* the final round may produce no token */
        send_message(&out);
    gss_release_buffer(&minor, &out);
    if (ret == GSS_S_CONTINUE_NEEDED)
        in = read_message();           /* the server's reply feeds the next round */
} while (ret == GSS_S_CONTINUE_NEEDED);

/* Refuse the context if the peer dropped flags we asked for (see ret_flags above). */
if (check_return_flags(ret_flags))
    abort();

/* done */
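The ret_flags check described above, which check_return_flags() stands in for in the flow, spelled out as an added example (not code from the original post). It assumes only the flag bit values from RFC 2744, redefined locally so it compiles without a GSS-API library, and the set of required flags is an assumed client policy.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits with the values RFC 2744 gives them (identical to <gssapi.h>);
 * redefined here so this example compiles without a GSS-API library. */
typedef uint32_t OM_uint32;
#define GSS_C_DELEG_FLAG    1
#define GSS_C_MUTUAL_FLAG   2
#define GSS_C_REPLAY_FLAG   4
#define GSS_C_SEQUENCE_FLAG 8
#define GSS_C_CONF_FLAG     16
#define GSS_C_INTEG_FLAG    32

/* Assumed client policy: the peer must prove its identity and the context
 * must be able to both encrypt and integrity-protect application data. */
#define REQUIRED_FLAGS (GSS_C_MUTUAL_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

/* Bits of `required` that ISC did not report back in `ret_flags`.
 * Zero means no downgrade; every set bit is a service we asked for and lost. */
OM_uint32 missing_flags(OM_uint32 required, OM_uint32 ret_flags)
{
    return required & ~ret_flags;
}

/* Nonzero if the context must be refused. Extra bits the mechanism grants on
 * its own (e.g. GSS_C_SEQUENCE_FLAG) never cause a failure; only dropped
 * required bits do, and each one is named on stderr for the operator. */
int check_return_flags(OM_uint32 ret_flags)
{
    static const struct { OM_uint32 bit; const char *name; } names[] = {
        { GSS_C_DELEG_FLAG,    "GSS_C_DELEG_FLAG" },
        { GSS_C_MUTUAL_FLAG,   "GSS_C_MUTUAL_FLAG" },
        { GSS_C_REPLAY_FLAG,   "GSS_C_REPLAY_FLAG" },
        { GSS_C_SEQUENCE_FLAG, "GSS_C_SEQUENCE_FLAG" },
        { GSS_C_CONF_FLAG,     "GSS_C_CONF_FLAG" },
        { GSS_C_INTEG_FLAG,    "GSS_C_INTEG_FLAG" },
    };
    OM_uint32 missing = missing_flags(REQUIRED_FLAGS, ret_flags);
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        if (missing & names[i].bit)
            fprintf(stderr, "rejecting context: peer did not grant %s\n",
                    names[i].name);
    return missing != 0;
}
```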

Next out is gss_accept_sec_context (ASC)


ASC is the awesome function: almost every time we have to fix third-party code that uses ASC, the resolution is to remove code.
