<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p><span style="font-size: 10pt;">Hi, </span></p>
<p><span style="font-size: 10pt;">I have a setup where the server is running on Java and is using the SASL GSSAPI mechanism provided by the Java framework, whereas the client is running on C++ and is using the cyrus-sasl GSSAPI plugin to negotiate for privacy. </span></p>
<p><br>
</p>
<p><span style="font-size: 10pt;">I can see the handshake working fine between client and server. But when I try to encrypt data on the client side and decrypt it on the server side, it fails with an Invalid Token ID exception. Is this issue already known? Are there any
workarounds for this case? Do you know of any other product using the cyrus-sasl plugins and the Java-provided SASL framework plugins in their client/server setup?</span></p>
<p><br>
</p>
<p><span style="font-size: 10pt;">On looking further, I found the following:</span></p>
<p><i><br>
</i></p>
<p><b><i><span style="font-size: 10pt;">For the path where the C++ client encrypts the data and sends it to the Java server, which tries to decrypt the data:</span></i></b></p>
<p><i><span style="font-size: 10pt;">sasl_encode</span></i><span style="font-size: 10pt;">, called by the client, internally calls the
</span><i><span style="font-size: 10pt;">sasl_gss_encode</span></i><span style="font-size: 10pt;"> API present in
</span><i><span style="font-size: 10pt;">gssapi.c</span></i><span style="font-size: 10pt;">, which calls the
</span><i><span style="font-size: 10pt;">gss_wrap</span></i><span style="font-size: 10pt;"> API. After gss_wrap gives back the encrypted data, sasl_gss_encode puts an extra 4 bytes in front of the encrypted data
and gives that back to the application. The server side (which is running on Java), however, doesn't expect those 4 bytes and hence fails. I did a test by ignoring the first 4 bytes sent from client to server before calling unwrap, and then it works fine.</span></p>
<p><br>
</p>
<p><span style="font-size: 10pt;">Thanks,</span></p>
<p><span style="font-size: 10pt;">Sorabh</span></p>
</div>
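<p>Added example, not part of the original message and not cyrus-sasl or JDK code: the 4 bytes described above are the RFC 4422 security-layer length prefix (network byte order), and the Java SaslServer.unwrap call takes the buffer without that prefix, so the receiving application has to de-frame the stream itself and should bound the length before buffering. The function name, result codes and the 65536 limit are assumptions made for this sketch.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for sasl_frame_next() (hypothetical names). */
enum { FRAME_OK = 0, FRAME_NEED_MORE = 1, FRAME_TOO_LARGE = -1 };

/*
 * Locate the next security-layer buffer in in[0..in_len).
 * RFC 4422 framing: 4-octet length in network byte order, then that many
 * octets of wrapped token. On FRAME_OK, tok and tok_len describe the bare
 * token (the part to hand to unwrap) and used is the number of input
 * bytes consumed, header included.
 */
static int sasl_frame_next(const uint8_t *in, size_t in_len, uint32_t max_buf,
                           const uint8_t **tok, size_t *tok_len, size_t *used)
{
    uint32_t n;

    if (in_len < 4)
        return FRAME_NEED_MORE;            /* header not complete yet */
    n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
        ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    if (n > max_buf)
        return FRAME_TOO_LARGE;            /* reject before buffering */
    if (in_len - 4 < n)
        return FRAME_NEED_MORE;            /* body still in flight */
    *tok = in + 4;
    *tok_len = n;
    *used = 4 + (size_t)n;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed sample: two framed buffers; the payload bytes are
     * placeholders, not real gss_wrap output. */
    static const uint8_t stream[] = { 0,0,0,3, 0xAA,0xBB,0xCC, 0,0,0,2, 0x11,0x22 };
    size_t off = 0, tok_len, used;
    const uint8_t *tok;

    while (sasl_frame_next(stream + off, sizeof stream - off, 65536,
                           &tok, &tok_len, &used) == FRAME_OK) {
        printf("token of %zu bytes at offset %zu\n", tok_len, off + 4);
        off += used;
    }
    return 0;
}
```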
</body>
</html>