[00:10:54] --- kula has left
[00:11:36] --- kula has become available
[00:35:20] --- ballbery has left
[00:35:26] --- ballbery has become available
[00:42:04] --- Stephan Wiesand has become available
[00:48:10] --- Stephan Wiesand has left
[02:30:03] --- abo has left
[04:38:42] --- simonxwilkinson has become available
[04:41:30] --- simonxwilkinson has left
[05:03:04] --- Stephan Wiesand has become available
[05:39:50] --- mvitale has become available
[05:42:47] --- meffie has become available
[06:49:32] --- kula has left
[06:50:37] --- kula has become available
[06:58:01] --- kula has left
[06:59:13] --- kula has become available
[07:15:38] --- kula has left
[07:17:11] --- kula has become available
[07:18:53] --- deason has become available
[07:26:49] --- kula has left
[07:28:07] --- kula has become available
[07:33:09] <deason> kaduk@mit.edu/barnowl: you pretty much have to reencode it
[07:33:40] <deason> it could be possible to have rx 'sniff' it or something while it's decoding parameters, but obv there's nothing like that right now
[07:35:28] <kaduk@mit.edu/barnowl> deason: Okay, thanks for the confirmation.  I was pretty sure, but
figured it was worth checking that I hadn't missed anything.
[08:02:33] --- Stephan Wiesand has left
[08:59:22] --- stephan.wiesand has become available
[10:54:20] --- stephan.wiesand has left
[11:00:08] --- meffie has left
[11:31:39] --- simonxwilkinson has become available
[11:43:01] --- simonxwilkinson has left
[12:40:21] --- Simon Wilkinson has become available
[12:41:58] <Simon Wilkinson> kaduk: There are ways at getting at the raw XDR encoded data, but none of them are really suitable for production use.
[12:42:56] <Simon Wilkinson> Your best bet is just to re-encode the structure. That also provides protection against an attacker doing something clever with XDR to screw with you (not that I can think what that something clever would be - XDR doesn't have the same edge cases as ASN.1)
[12:43:36] <kaduk@mit.edu/barnowl> Sounds good.
[12:44:38] <Simon Wilkinson> xdrlen and xdrmem exist to help you in this quest :)
[12:45:14] <kaduk@mit.edu/barnowl> :)
[12:46:48] <kaduk@mit.edu/barnowl> I'll also note that the text for the termination condition of
GSSNegotiate is not quite right for mechs requiring 1.5 exchanges
(i.e., krb5 mech with GSS_C_CONF_FLAG).
[12:51:18] --- Simon Wilkinson has left
[12:51:54] --- Simon Wilkinson has become available
[12:53:15] <Simon Wilkinson> What's up? As far as I can recall the language, and behaviour, is modelled after ssh's negotiation behaviour
[12:55:23] <kaduk@mit.edu/barnowl> gss_accept_sec_context on the server will return gss_major_status=0
but also have a token to give back to the client.  If we only use the
received value of gss_major_status, the client will not call
gss_init_sec_context with that token, so the client will not have
finished the context establishment.
[12:57:22] <Simon Wilkinson> Correct. The client should only terminate the negotiation when it gets a GSS_S_COMPLETE
[12:58:06] <Simon Wilkinson> The server's status is just informative - the client can only use it to detect errors.
[12:59:02] <Simon Wilkinson> Gah, but that's exactly not what the text says. boo.
[12:59:08] <kaduk@mit.edu/barnowl> I think the intention is clear, yes, but--
[12:59:18] <kaduk@mit.edu/barnowl> I won't quote the text, then.
[13:00:10] <Simon Wilkinson> Yeah - it gets it wrong on two successive paragraphs.
[13:03:10] <Simon Wilkinson> I think a correct implementation does, approximately … while(1) { clientStatus = gss_init_sec_context(); if (GSS_ERROR(clientStatus) || serverStatus == GSS_S_COMPLETE) break; RXGK_GSSNegotiate(… &serverStatus …); }
[13:04:17] <Simon Wilkinson> Not quite sure how to explain that in the english language, though.
[13:04:21] <kaduk@mit.edu/barnowl> With serverStatus initialized to GSS_S_CONTINUE_NEEDED or something,
sure.
[13:04:52] <Simon Wilkinson> Yeah - serverStatus starts as you say
[13:04:52] <kaduk@mit.edu/barnowl> I'll try to come up with something in the next day or two.
I'm currently drowning in mail that was backlogged when the mit.edu
DNS was hijacked.
[13:05:17] <Simon Wilkinson> I'm still going to do draft 3 based on what's there now.
[13:05:37] <kaduk@mit.edu/barnowl> Sounds good.  Does this mean I can stop polling tools.ietf.org to see
if it's gone through?
[13:06:01] <Simon Wilkinson> Yeah. Turns out I didn't get as much time on the train as I thought. Not there yet. I'll mail you when it is!
[13:07:24] <kaduk@mit.edu/barnowl> Thanks :)
[13:18:43] --- Simon Wilkinson has left
[13:46:19] --- Simon Wilkinson has become available
[14:05:08] --- mdionne has become available
[14:53:23] --- Simon Wilkinson has left
[15:32:43] --- mvitale has left
[16:06:19] --- deason has left
[16:30:20] --- mdionne has left
[18:21:14] --- mdionne has become available
[19:22:31] --- mdionne has left