IETF Logo Mail Archive

GSS-API extensions for AEAD

Luke Howard <lukeh@PADL.COM> Sat, 11 September 2004 07:16 UTC

Return-Path: <kitten-bounces@lists.ietf.org>
Received: from solipsist-nation ([unix socket]) by solipsist-nation (Cyrus v2.1.5-Debian2.1.5-1) with LMTP; Sat, 11 Sep 2004 03:16:24 -0400
X-Sieve: CMU Sieve 2.2
Return-Path: <kitten-bounces@lists.ietf.org>
Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by suchdamage.org (Postfix) with ESMTP id 05221131AC for <ietf.kitten@mailboxes.suchdamage.org>; Sat, 11 Sep 2004 03:16:23 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C625b-0005hO-7l; Sat, 11 Sep 2004 03:14:27 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1C622E-00053I-SN for kitten@megatron.ietf.org; Sat, 11 Sep 2004 03:10:59 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA28690 for <kitten@ietf.org>; Sat, 11 Sep 2004 03:10:57 -0400 (EDT)
Received: from au.padl.com ([203.13.32.1]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1C626S-0003Cr-3w for kitten@ietf.org; Sat, 11 Sep 2004 03:15:21 -0400
Received: (from lukeh@localhost) by au.padl.com (8.9.3/8.9.3) id RAA16219; Sat, 11 Sep 2004 17:10:22 +1000 (EST)
From: Luke Howard <lukeh@PADL.COM>
Message-Id: <200409110710.RAA16219@au.padl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Organization: PADL Software Pty Ltd
To: kitten@ietf.org
Date: Sat, 11 Sep 2004 17:10:21 +1000
Versions: dmail (bsd44) 2.6d/makemail 2.10
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d0bdc596f8dd1c226c458f0b4df27a88
Cc: tridge@samba.org
Subject: GSS-API extensions for AEAD
X-BeenThere: kitten@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: lukeh@PADL.COM
List-Id: Common Authentication Technologies - Next Generation <kitten.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/kitten>
List-Post: <mailto:kitten@lists.ietf.org>
List-Help: <mailto:kitten-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@lists.ietf.org?subject=subscribe>
Sender: kitten-bounces@lists.ietf.org
Errors-To: kitten-bounces@lists.ietf.org
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on solipsist-nation.suchdamage.org
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham version=2.63
X-Spam-Level:
Status: RO
Content-Length: 2304
Lines: 78

We need to support AEAD in GSS-API in order to interoperate with some
vendor implementations of DCE RPC.

I've extended our GSS-API implementation, which is based on Heimdal,
to add the GSS_Unwrap_Ex() and GSS_Wrap_Ex() APIs. The C bindings are
as follows:

/*
 * GSS_Unwrap() with support for associated data.
 *
 * Notes:
 *
 *	token_header_buffer contains the GSS-API token as
 *	received from the peer
 *
 *	associated_data_buffer contains the complete data
 *	over which the checksum is to be verified;
 *
 *	input_message_buffer contains the complete data to
 *	be decrypted if confidentiality was requested;
 *
 *	input_message_buffer value must point into the value
 *	of associated_data_buffer (hence input_message_buffer
 *	just specifies a span within associated_data_buffer).
 *
 *	On returning GSS_S_COMPLETE, output_message_buffer
 *	will contain input_message_buffer after unwrapping and;
 *
 *	associated_data_buffer will have been authenticated
 *
 */
OM_uint32 gss_unwrap_ex(OM_uint32 *minor_status,
			const gss_ctx_id_t context_handle,
			const gss_buffer_t token_header_buffer,
			const gss_buffer_t associated_data_buffer,
			const gss_buffer_t input_message_buffer,
			gss_buffer_t output_message_buffer,
			int *conf_state,
			gss_qop_t *qop_state);

/*
 * GSS_Wrap() with support for associated data.
 *
 * Notes:
 *
 *	associated_data_buffer contains the complete data
 *	over which the checksum is to be verified;
 *
 *	input_message_buffer contains the data to be
 *	encrypted if conf_req_flag == TRUE.
 *
 *	On returning GSS_S_COMPLETE, output_token_buffer
 *	will contain the GSS-API tokenheader, and;
 *
 *	output_message_buffer will contain input_message_buffer
 *	after wrapping (including any padding)
 */
OM_uint32 gss_wrap_ex(OM_uint32 *minor_status,
		      const gss_ctx_id_t context_handle,
		      int conf_req_flag,
		      gss_qop_t qop_req,
		      const gss_buffer_t associated_data_buffer,
		      const gss_buffer_t input_message_buffer,
		      int *conf_state,
		      gss_buffer_t output_token_buffer,
		      gss_buffer_t output_message_buffer);

Any comments? Worth writing this up as an Internet Draft?

-- Luke


_______________________________________________
Kitten mailing list
Kitten@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

v2.23.0 | Report a Bug | By Email