Compatibility between Cyrus-SASL C GSSAPI Plugin and Java SASL GSSAPI
Sorabh Hamirwasia
shamirwasia at mapr.com
Tue Mar 21 20:40:09 EDT 2017
Hi,
I have a setup where the server is running on Java and is using the SASL GSSAPI mechanism provided by the Java framework, whereas the client is running on C++ and is using the cyrus-sasl GSSAPI plugin to negotiate for privacy.
I can see the handshake working fine between client and server. But when I try to encrypt data on the client side and decrypt it on the server side, it fails with an Invalid Token ID exception. Is this issue already known? Is there any workaround for this case? Do you know of any other product using the cyrus-sasl plugins and the Java-provided SASL framework plugins in their client/server setup?
On looking further, I found the following:
For the path where the C++ client encrypts the data and sends it to the Java server, which tries to decrypt the data:
sasl_encode, called by the client, internally calls the sasl_gss_encode API present in gssapi.c, which calls the gss_wrap API. After gss_wrap gives back the encrypted data, sasl_gss_encode puts an extra 4 bytes in front of the encrypted data and gives that back to the application. Whereas on the server side (which is running on Java) it doesn't expect those 4 bytes and hence fails. I did a test by ignoring the first 4 bytes sent from client to server before calling unwrap, and then it works fine.
Thanks,
Sorabh
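
Added example, not part of the original post or of Cyrus SASL: the 4 bytes described above match the 4-octet network-byte-order length that RFC 4422 (section 3.7) puts in front of each security-layer buffer, so a receiver whose unwrap call expects the bare token should parse and bounds-check that prefix instead of skipping it blindly. The names `frame_next`, `count_tokens` and `SAMPLE` and the 65536 limit are assumptions for illustration, and the payload bytes are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes; not part of the Cyrus SASL API. */
enum { FRAME_OK = 1, FRAME_NEED_MORE = 0, FRAME_TOO_BIG = -1 };

/* Constructed sample: two framed buffers back to back, as they would arrive
 * on the wire. Payload bytes are placeholders, not real gss_wrap output. */
static const uint8_t SAMPLE[] = {
    0x00, 0x00, 0x00, 0x03, 0x05, 0x04, 0xAA,
    0x00, 0x00, 0x00, 0x02, 0x05, 0x04,
};

/* Split one buffer off the front of `in`: 4-byte big-endian length, then
 * that many token bytes. On FRAME_OK, tok/tok_len describe the bare token
 * (what unwrap expects) and used is the number of input bytes consumed. */
int frame_next(const uint8_t *in, size_t in_len, uint32_t max_tok,
               const uint8_t **tok, size_t *tok_len, size_t *used)
{
    if (in_len < 4)
        return FRAME_NEED_MORE;          /* length prefix not complete yet */
    uint32_t n = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                 ((uint32_t)in[2] << 8) | (uint32_t)in[3];
    if (n > max_tok)
        return FRAME_TOO_BIG;            /* exceeds the negotiated buffer size */
    if (in_len - 4 < n)
        return FRAME_NEED_MORE;          /* token body not fully received */
    *tok = in + 4;
    *tok_len = n;
    *used = 4 + (size_t)n;
    return FRAME_OK;
}

/* Walk a receive buffer; returns complete tokens found, or -1 on oversize. */
int count_tokens(const uint8_t *in, size_t in_len, uint32_t max_tok)
{
    const uint8_t *tok;
    size_t tok_len, used;
    int rc, count = 0;
    while ((rc = frame_next(in, in_len, max_tok, &tok, &tok_len, &used)) == FRAME_OK) {
        /* here the receiver would pass (tok, tok_len) to its unwrap call */
        in += used; in_len -= used; count++;
    }
    return rc == FRAME_TOO_BIG ? -1 : count;
}

int main(void)
{
    printf("tokens: %d\n", count_tokens(SAMPLE, sizeof SAMPLE, 65536));
    return 0;
}
```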