On Tue, 7 May 2013 18:15:37 -0400 Benjamin Kaduk <[email protected]> wrote:
> On Mon, 6 May 2013, Benjamin Kaduk wrote:
>
> > Removing the errorcode from RXGK_TokenInfo and adding it as a separate output
> > parameter of GSSNegotiate (and AFSCombineTokens) seems to satisfy both of our
> > concerns/desires. I will draft patches to do so.

Hello All,

Are there any objections or comments for the following changes from Ben
in the rxgk and rxgk-afs drafts?

Thanks,
Mike

>
> GSSNegotiate has ClientInfo, not TokenInfo, and needs no change.
> I am still undecided whether AFSCombineTokens wants an in-band error
> field, but that's in the other document (which is not ready for last call
> anyway) so we have some more time.
>
> I pushed this fix to my github:
> %%%%%%%%%%%%
> commit 4df5f3e6e169daebf68aa73b04c779ce5bc0dd5e
> Author: Ben Kaduk <[email protected]>
> Date: Tue May 7 18:05:35 2013 -0400
>
>     Remove errorcode from RXGK_TokenInfo
>
>     And fallout from it; update changelogs.
>     These errors are not actually security sensitive, only the original
>     negotiation errors are. Otherwise, if something fails, it fails.
>     Try again later, maybe, but don't fall back to something else.
>
>     Change-Id: Ia29373708ed81efe81feb79e8f0490f074edbff3
>
> diff --git a/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml > b/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml > index 39576b0..0529160 100644 > --- a/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml > +++ b/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml
> @@ -181,18 +181,16 @@ > cannot be combined with any other token, and servers MUST reject > attempts to do so.</t> > <t>If the server is unable to perform the AFSCombineTokens operation > - with the given arguments, a nonzero value is returned in the > - errorcode field of token_info; errorcode is zero for a successful > - AFSCombineTokens operation. If errorcode is nonzero, the values > - of the other fields in token_info and the value of new_token > - are undefined.</t> > + with the given arguments, a nonzero value is returned. > + Clients MUST NOT use such an error as an indication to fall back to > + to a different security class.</t> > <t>If the returned token is zero-length, then the destination does > not > support rxgk, and the client MAY fall back to using a different > authentication mechanism for that server. An rxgk capable client > operating within an rxgk enabled cell MUST NOT downgrade its > choice of security layer in any other situation.</t> > <t>Other aspects of the operation of AFSCombineTokens, including the > - values for the errorcode field of token_info and the combination > + combination > of keys and tokens, are the same as the CombineTokens RPC, > documented in > CombineTokens call, documented in > <xref target="I-D.wilkinson-afs3-rxgk"/>.</t> > @@ -557,6 +555,9 @@ > <t>Use a leap of faith for RegisterAddrsAndKey.</t> > <t>Specify the nametype of the acceptor identity.</t> > </section> > + <section title="Since 02"> > + <t>Deal with fallout of errorcode's removal from RXGK_TokenInfo.</t> > + </section> > </section> > </back> > </rfc> > diff --git a/src/rxgk/draft-wilkinson-afs3-rxgk.xml > b/src/rxgk/draft-wilkinson-afs3-rxgk.xml > index 0648ea4..e7ddcef 100644 > --- a/src/rxgk/draft-wilkinson-afs3-rxgk.xml > +++ b/src/rxgk/draft-wilkinson-afs3-rxgk.xml > @@ -448,7 +448,6 @@ enum RXGK_Level { > }; > > struct RXGK_TokenInfo { > - int errorcode; > RXGK_Enctype enctype; > RXGK_Level level; > unsigned int lifetime; 
> @@ -492,25 +491,9 @@ enum RXGK_Level { > parameter, along with the computed lifetime, bytelife, and > expiration.</t> > <t>If the server is unable to perform the CombineTokens operation with > - the given arguments, a nonzero value is returned in the errorcode > - element of the info parameter; errorcode is zero for > - a successful CombineTokens operation. Errors are returned in > - this in-band field as opposed to as the RPC return value because > - the error code is security sensitive -- the action taken by the > - client upon receipt will affect the security of future actions.</t> > - <t>If errorcode is nonzero, the values of the other fields in the > - RXGK_TokenInfo structure and the value of new_token are undefined. > - Nonzero values for errorcode should be com_err codes > - <xref target="COMERR"/>, from an RX, > - RXGK, or application-specific table. See > - <xref target="AFSReg"/> for RXGK error codes. > - For example, > - <list style="hanging" hangIndent="6"><t > hangText="RXGEN_OPCODE">used when > - the server will refuse all CombineTokens requests.</t><t > hangText="RXGK_BADETYPE">used when none of the enctypes > - supplied by the client are acceptable to the server.</t><t > hangText="RXGK_BADLEVEL">used when none of the security levels > - supplied by the client are acceptable to the server.</t><t > hangText="RXGK_EXPIRED">used when one or more of the input > - tokens was already expired.</t></list> > - To reduce the potential for denial of service attacks, servers > + the given arguments, a nonzero value is returned and the client's > + request fails.</t> > + <t> To reduce the potential for denial of service attacks, servers > SHOULD only offer the CombineTokens operation to clients connecting > over a secured rxgk connection. CombineTokens SHOULD NOT be offered > over an RXGK_LEVEL_CLEAR connection. 
> @@ -1053,6 +1036,7 @@ end > <section title="Since 04"> > <t>Correct omissions from description of GSS negotiation loop.</t> > <t>Adjust limits on variable-length array lengths.</t> > + <t>Remove errorcode field from RXGK_TokenInfo.</t> > </section> > </section> > </back> > %%%%%%%%%%%% -- Michael Meffie <[email protected]> _______________________________________________ AFS3-standardization mailing list [email protected] http://lists.openafs.org/mailman/listinfo/afs3-standardization
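
Review bot: In draft-wilkinson-afs3-rxgk-afs.xml, hunk @@ -181,18 +181,16 @@, the added sentence has a doubled word where it wraps: one added line ends "fall back to" and the next begins "to a different security class", so one "to" should be dropped. The replacement text also removes the statement that new_token and the other token_info fields are undefined when the call fails. With the in-band errorcode gone, it would help to say explicitly that the nonzero value is the RPC return value and that the output parameters must not be examined in that case, so that a client cannot mistake leftover output for the zero-length token that the following paragraph treats as permission to fall back.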
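
Review bot: In draft-wilkinson-afs3-rxgk.xml, hunk @@ -448,7 +448,6 @@, removing "int errorcode;" from the head of struct RXGK_TokenInfo shifts every remaining field in the encoded structure, so a peer built from the earlier draft text will not interoperate with one built from this text. The "Since 04" changelog entry records the removal; consider having it also state that the change is wire-incompatible with the previous revision.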
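
Review bot: In draft-wilkinson-afs3-rxgk.xml, hunk @@ -492,25 +491,9 @@, the new sentence "a nonzero value is returned and the client's request fails" does not carry the rule that the rxgk-afs hunk adds ("Clients MUST NOT use such an error as an indication to fall back"), although the commit message states the same intent ("don't fall back to something else") for the whole change. Suggest adding the equivalent MUST NOT here, or a pointer to it. The hunk also deletes the list of example codes (RXGEN_OPCODE, RXGK_BADETYPE, RXGK_BADLEVEL, RXGK_EXPIRED) together with the COMERR and AFSReg references and puts nothing in their place; if servers are still expected to return those codes as the RPC return value, that guidance should be kept in some form. Minor: "<t> To reduce" has a stray space after the opening tag.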
