Bug 1217 - gss_export_name() does not conform to RFC 2743 section 3.2
: unspecified
: PC All
: P2 blocker
: ---
Assigned To:
Reported: 2003-09-17 11:24 by
Modified: 2008-08-11 15:17 (History)

patch tested successfully against gsi_openssh (5.29 KB, patch)
2004-10-06 16:56, Jim Basney



Description From 2003-09-17 11:24:09
Section 3.2 of RFC 2743 specifies the mechanism-independent format for names 
exported via gss_export_name().  Specifically, exported names must begin with 
the two bytes 04 01 followed by a 2 byte mechanism OID length followed by the 
mechanism OID in DER format.  The GSI GSSAPI library does not conform to this 
specification.  Instead, it returns the output of X509_NAME_oneline(), i.e., an 
ASCII subject string.  OpenSSH 3.7 includes code to verify the format of the 
name returned by gss_export_name() which fails for GSI GSSAPI authentication.  
I had to add a work-around for this issue specifically for the GSI mechanism in 
OpenSSH GSSAPI code which is otherwise mechanism-independent.
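
The RFC 2743 section 3.2 framing described above, as an added example that is not part of the original report or of the GSI or OpenSSH code: a C check of the exported-name header. The 4-byte NAME_LEN and NAME fields after the OID come from the RFC; the function name, result codes and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes (hypothetical names for this example). */
enum { EXP_OK = 0, EXP_SHORT = -1, EXP_BAD_TOKID = -2, EXP_BAD_OID = -3, EXP_BAD_NAMELEN = -4 };

/* Validate the RFC 2743 section 3.2 framing of an exported name:
 *   04 01 | MECH_OID_LEN (2, big-endian) | MECH_OID (DER, tag 0x06)
 *         | NAME_LEN (4, big-endian)     | NAME
 * On success, *name / *name_len describe the mechanism-specific NAME. */
static int check_exported_name(const uint8_t *buf, size_t len,
                               const uint8_t **name, size_t *name_len)
{
    if (len < 4) return EXP_SHORT;
    if (buf[0] != 0x04 || buf[1] != 0x01) return EXP_BAD_TOKID;

    size_t oid_len = ((size_t)buf[2] << 8) | buf[3];
    if (oid_len < 2 || oid_len > len - 4) return EXP_BAD_OID;
    const uint8_t *oid = buf + 4;
    /* Simplification: only short-form DER lengths, and the OID must fill MECH_OID_LEN. */
    if (oid[0] != 0x06 || (oid[1] & 0x80) || (size_t)oid[1] + 2 != oid_len)
        return EXP_BAD_OID;

    size_t off = 4 + oid_len;
    if (len - off < 4) return EXP_SHORT;
    uint32_t nlen = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                    ((uint32_t)buf[off + 2] << 8) | buf[off + 3];
    off += 4;
    if (nlen != len - off) return EXP_BAD_NAMELEN; /* strict: no missing or trailing bytes */
    *name = buf + off;
    *name_len = nlen;
    return EXP_OK;
}

/* Constructed sample: Kerberos 5 OID 1.2.840.113554.1.2.2, name "user@EXAMPLE.ORG". */
static const uint8_t sample_ok[] = {
    0x04, 0x01, 0x00, 0x0b,
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x00, 0x00, 0x00, 0x10,
    'u','s','e','r','@','E','X','A','M','P','L','E','.','O','R','G'
};
/* Constructed sample: a bare ASCII subject string, the non-conforming shape reported here. */
static const uint8_t sample_ascii[] = "/O=Example/CN=Some User";

int main(void) {
    const uint8_t *n; size_t nl;
    return check_exported_name(sample_ok, sizeof sample_ok, &n, &nl);
}
```
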
------- Comment #1 From 2004-06-30 15:53:05 -------
Are there plans to fix this bug?  I want to try to get GSI support accepted
into the main OpenSSH distribution, and I'd prefer not to need to include a
work-around for this bug in the patch I submit to the OpenSSH team.
------- Comment #2 From 2004-06-30 16:12:19 -------
I don't know to what extent external folks are relying on this function, but
this will be a substantial API change. I would vote that we fix it, but we need
to be sure to publicize it well and make sure there is a compile time test for
the change.
------- Comment #3 From 2004-10-06 16:56:07 -------
Created an attachment (id=437) [details]
patch tested successfully against gsi_openssh
------- Comment #4 From 2004-10-09 21:13:08 -------