[AFS3-std] Last Call: afs3-rxgk-04, afs3-rxgk-afs-02

Benjamin Kaduk kaduk@MIT.EDU
Tue, 7 May 2013 18:15:37 -0400 (EDT)


On Mon, 6 May 2013, Benjamin Kaduk wrote:

> Removing the errorcode from RXGK_TokenInfo and adding it as a separate output 
> parameter of GSSNegotiate (and AFSCombineTokens) seems to satisfy both of our 
> concerns/desires.  I will draft patches to do so.

GSSNegotiate has ClientInfo, not TokenInfo, and needs no change.
I am still undecided whether AFSCombineTokens wants an in-band error 
field, but that's in the other document (which is not ready for last call 
anyway) so we have some more time.

I pushed this fix to my github:
%%%%%%%%%%%%
commit 4df5f3e6e169daebf68aa73b04c779ce5bc0dd5e
Author: Ben Kaduk <kaduk@mit.edu>
Date:   Tue May 7 18:05:35 2013 -0400

     Remove errorcode from RXGK_TokenInfo

     And fallout from it; update changelogs.
     These errors are not actually security sensitive, only the original
     negotiation errors are.  Otherwise, if something fails, it fails.
     Try again later, maybe, but don't fall back to something else.

     Change-Id: Ia29373708ed81efe81feb79e8f0490f074edbff3

diff --git a/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml b/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml
index 39576b0..0529160 100644
--- a/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml
+++ b/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml
@@ -181,18 +181,16 @@
  	   cannot be combined with any other token, and servers MUST reject
  	   attempts to do so.</t>
          <t>If the server is unable to perform the AFSCombineTokens operation
-          with the given arguments, a nonzero value is returned in the
-          errorcode field of token_info; errorcode is zero for a successful
-          AFSCombineTokens operation.  If errorcode is nonzero, the values
-          of the other fields in token_info and the value of new_token
-          are undefined.</t>
+          with the given arguments, a nonzero value is returned.
+          Clients MUST NOT use such an error as an indication to fall back to
+          to a different security class.</t>
          <t>If the returned token is zero-length, then the destination does not
            support rxgk, and the client MAY fall back to using a different
  	  authentication mechanism for that server. An rxgk capable client
  	  operating within an rxgk enabled cell MUST NOT downgrade its
  	  choice of security layer in any other situation.</t>
          <t>Other aspects of the operation of AFSCombineTokens, including the
-          values for the errorcode field of token_info and the combination
+          combination
            of keys and tokens, are the same as the CombineTokens RPC, documented in
            CombineTokens call, documented in
            <xref target="I-D.wilkinson-afs3-rxgk"/>.</t>
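Review bot: the new text at the end of the first paragraph reads "fall back to / to a different security class"; the word "to" is repeated across the line break and should appear once. The replacement sentence also drops the statement that the other token_info fields and new_token are undefined on error, and does not say where the nonzero value is now returned; since the point of the change is to move the error from the in-band field to the RPC return value, say so explicitly, e.g. "a nonzero value is returned as the RPC return value, and the contents of token_info and new_token are undefined". While in this area, the unchanged context "documented in / CombineTokens call, documented in" repeats itself and could be cleaned up in the same commit.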
@@ -557,6 +555,9 @@
          <t>Use a leap of faith for RegisterAddrsAndKey.</t>
          <t>Specify the nametype of the acceptor identity.</t>
        </section>
+      <section title="Since 02">
+        <t>Deal with fallout of errorcode's removal from RXGK_TokenInfo.</t>
+      </section>
      </section>
    </back>
  </rfc>
diff --git a/src/rxgk/draft-wilkinson-afs3-rxgk.xml b/src/rxgk/draft-wilkinson-afs3-rxgk.xml
index 0648ea4..e7ddcef 100644
--- a/src/rxgk/draft-wilkinson-afs3-rxgk.xml
+++ b/src/rxgk/draft-wilkinson-afs3-rxgk.xml
@@ -448,7 +448,6 @@ enum RXGK_Level {
      };

      struct RXGK_TokenInfo {
-        int errorcode;
          RXGK_Enctype enctype;
          RXGK_Level level;
          unsigned int lifetime;
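Review bot: dropping `int errorcode;` from the struct changes the XDR encoding of RXGK_TokenInfo relative to the -04 text, so any implementation that tracked the earlier draft will be wire-incompatible with this one; the "Since 04" changelog entry should say that the encoding changed, not only that the field was removed, so implementers know to look.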
@@ -492,25 +491,9 @@ enum RXGK_Level {
  	 parameter, along with the computed lifetime, bytelife, and
  	 expiration.</t>
  	<t>If the server is unable to perform the CombineTokens operation with
-	 the given arguments, a nonzero value is returned in the errorcode
-	 element of the info parameter; errorcode is zero for
-	 a successful CombineTokens operation.  Errors are returned in
-	 this in-band field as opposed to as the RPC return value because
-	 the error code is security sensitive -- the action taken by the
-	 client upon receipt will affect the security of future actions.</t>
-	<t>If errorcode is nonzero, the values of the other fields in the
-	 RXGK_TokenInfo structure and the value of new_token are undefined.
-         Nonzero values for errorcode should be com_err codes
-         <xref target="COMERR"/>, from an RX,
-         RXGK, or application-specific table.  See
-         <xref target="AFSReg"/> for RXGK error codes.
-         For example,
-         <list style="hanging" hangIndent="6"><t hangText="RXGEN_OPCODE">used when
-             the server will refuse all CombineTokens requests.</t><t hangText="RXGK_BADETYPE">used when none of the enctypes
-             supplied by the client are acceptable to the server.</t><t hangText="RXGK_BADLEVEL">used when none of the security levels
-             supplied by the client are acceptable to the server.</t><t hangText="RXGK_EXPIRED">used when one or more of the input
-             tokens was already expired.</t></list>
-         To reduce the potential for denial of service attacks, servers
+	 the given arguments, a nonzero value is returned and the client's
+	 request fails.</t>
+	<t> To reduce the potential for denial of service attacks, servers
  	 SHOULD only offer the CombineTokens operation to clients connecting
  	 over a secured rxgk connection.  CombineTokens SHOULD NOT be offered
  	 over an RXGK_LEVEL_CLEAR connection.
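Review bot: the replacement sentence "a nonzero value is returned and the client's request fails" does not say via which channel the value is returned; state that it is the RPC return value, since that is the whole change from the deleted paragraph. The deletion also removes the only guidance on which error codes servers return (the com_err pointer and the RXGEN_OPCODE / RXGK_BADETYPE / RXGK_BADLEVEL / RXGK_EXPIRED examples) together with the `<xref target="COMERR"/>` and `<xref target="AFSReg"/>` citations; consider keeping a one-sentence pointer to the RXGK error table, and check whether COMERR and AFSReg are still cited anywhere else in the document, otherwise they are now dangling entries in the references section. For consistency with the afs3-rxgk-afs change in this same commit, the "Clients MUST NOT use such an error as an indication to fall back to a different security class" requirement belongs here too, since CombineTokens has the same downgrade concern. Finally, the new `<t> To reduce` line carries a stray leading space inside the element.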
@@ -1053,6 +1036,7 @@ end
        <section title="Since 04">
          <t>Correct omissions from description of GSS negotiation loop.</t>
          <t>Adjust limits on variable-length array lengths.</t>
+        <t>Remove errorcode field from RXGK_TokenInfo.</t>
        </section>
      </section>
    </back>
%%%%%%%%%%%%


-Ben