<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p><br>
<span style="font-size: 10pt;"></span></p>
<span style="font-size: 10pt;"></span>
<meta content="text/html; charset=UTF-8">
<span style="font-size: 10pt;"></span>
<div dir="ltr"><span style="font-size: 10pt;"></span>
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<span style="font-size: 10pt;"></span>
<p><span style="font-size: 10pt;">Hi Ken,</span></p>
<span style="font-size: 10pt;"></span>
<p><span style="font-size: 10pt;">Thanks for sharing the details. It looks like Java implementation is following RFC2222 instead and hence the difference in format.</span></p>
<span style="font-size: 10pt;"></span>
<p><br>
<span style="font-size: 10pt;"></span></p>
<p></p>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; margin-top: 0px; margin-bottom: 0px;">
<a href="https://docs.oracle.com/javase/8/docs/api/javax/security/sasl/SaslClient.html#unwrap-byte:A-int-int-" target="_blank" id="LPlnk586676" previewremoved="true"><span id="LPlnk586676"><font size="2"><span style="font-size: 10pt;">https://docs.oracle.com/javase/8/docs/api/javax/security/sasl/SaslClient.html#unwrap-byte:A-int-int-</span></font></span></a></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; margin-top: 0px; margin-bottom: 0px;">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; margin-top: 0px; margin-bottom: 0px;">
<font face="DejaVu Sans Mono,monospace" size="2" color="#474747"><span style="font-size: 14px;"><i>incoming</i></span></font><font face="DejaVu Serif,Georgia,Times New Roman,Times,serif" size="2" color="#474747"><span style="font-size: 14px;"><i> is the contents
of the SASL buffer as defined in RFC 2222 </i></span></font><font face="DejaVu Serif,Georgia,Times New Roman,Times,serif" size="2" color="#474747"><span style="font-size: 14px;"><i>without the leading four octet field that represents the length. </i></span></font><font face="DejaVu Sans Mono,monospace" size="2" color="#474747"><span style="font-size: 14px;"><i>offset</i></span></font><font face="DejaVu Serif,Georgia,Times New Roman,Times,serif" size="2" color="#474747"><span style="font-size: 14px;"><i> and </i></span></font><font face="DejaVu Sans Mono,monospace" size="2" color="#474747"><span style="font-size: 14px;"><i>len</i></span></font><font face="DejaVu Serif,Georgia,Times New Roman,Times,serif" size="2" color="#474747"><span style="font-size: 14px;"><i> specify
the portion of </i></span></font><font face="DejaVu Sans Mono,monospace" size="2" color="#474747"><span style="font-size: 14px;"><i>incoming</i></span></font><font face="DejaVu Serif,Georgia,Times New Roman,Times,serif" size="2" color="#474747"><span style="font-size: 14px;"><i> to
use.</i></span></font></div>
<br>
<p></p>
<p><br>
</p>
<span style="font-size: 10pt;"></span>
<p><span style="font-size: 10pt;">Also I see we need to set </span><i><span style="font-size: 10pt;"><b>maxBufSize</b></span></i><span style="font-size: 10pt;"> in </span><span style="font-size:12pt"><i><span style="font-size: 10pt;"><b>sasl_security_properties_t</b></span></i><span style="font-size: 10pt;">
which is capped at 0XFFFFFF (for gssapi) if negotiated for </span><span style="font-size: 10pt;"><i>auth-conf.
</i>From my understanding this parameter (after negotiation) regulates the maximum size of the encoded buffer which sasl_encode function will return. If yes then does application knows about the maximum plain text size by
<b><i>maxoutbuf</i></b> in <span><i><b>sasl_out_params,</b></i> </span>which they can pass to the encode function so that resulting encrypted payload doesn't exceed the maxBufSize ?</span></span></p>
<span style="font-size: 10pt;"></span>
<p><span style="font-size: 10pt;"><br>
</span></p>
<span style="font-size: 10pt;"></span>
<p><br>
<span style="font-size: 10pt;"></span></p>
<span style="font-size: 10pt;"></span>
<p><span style="font-size: 10pt;">Thanks,</span></p>
<span style="font-size: 10pt;"></span>
<p><span style="font-size: 10pt;">Sorabh</span></p>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Ken Hornstein <kenh@cmf.nrl.navy.mil><br>
<b>Sent:</b> Tuesday, March 21, 2017 6:08:11 PM<br>
<b>To:</b> Sorabh Hamirwasia<br>
<b>Cc:</b> cyrus-sasl@lists.andrew.cmu.edu<br>
<b>Subject:</b> Re: Compatibility between Cyrus-SASL C GSSAPI Plugin and Java SASL GSSAPI</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt">
<div class="PlainText">>sasl_encode called by client internally calls the sasl_gss_encode<br>
>api present in gssapi.c which calls the gss_wrap api. After the<br>
>gss_wrap gives back the encrypted data the sasl_gss_encode is putting<br>
>extra 4 bytes in front of the encrypted data and gives that back to<br>
>application. Whereas on server side (which is running on Java) it<br>
>doesn't expects those 4 bytes and hence fails. I did a test by ignoring<br>
>first 4 bytes sent from client to server before calling unwrap and then<br>
>it's working fine.<br>
<br>
It looks to me that Java is getting it wrong. From RFC 4422, §3.7:<br>
<br>
Each buffer of protected data is transferred over the underlying<br>
transport connection as a sequence of octets prepended with a four-<br>
octet field in network byte order that represents the length of the<br>
buffer.<br>
<br>
Those 4 bytes are supposed to be there. From my (limited) testing, other<br>
SASL implementations interoperate with the Cyrus-SASL GSSAPI mechanism.<br>
<br>
--Ken<br>
</div>
</span></font></div>
</body>
</html>