[AFS3-std] Last Call: afs3-rxgk-04, afs3-rxgk-afs-02
Michael Meffie
mmeffie@sinenomine.net
Tue, 14 May 2013 15:40:14 -0400
On Tue, 7 May 2013 18:15:37 -0400
Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> On Mon, 6 May 2013, Benjamin Kaduk wrote:
>
> > Removing the errorcode from RXGK_TokenInfo and adding it as a separate output
> > parameter of GSSNegotiate (and AFSCombineTokens) seems to satisfy both of our
> > concerns/desires. I will draft patches to do so.
Hello All,
Are there any objections to, or comments on, the following changes from Ben in the
rxgk and rxgk-afs drafts?
Thanks,
Mike
>
> GSSNegotiate has ClientInfo, not TokenInfo, and needs no change.
> I am still undecided whether AFSCombineTokens wants an in-band error
> field, but that's in the other document (which is not ready for last call
> anyway) so we have some more time.
>
> I pushed this fix to my github:
> %%%%%%%%%%%%
> commit 4df5f3e6e169daebf68aa73b04c779ce5bc0dd5e
> Author: Ben Kaduk <kaduk@mit.edu>
> Date: Tue May 7 18:05:35 2013 -0400
>
> Remove errorcode from RXGK_TokenInfo
>
> And fallout from it; update changelogs.
> These errors are not actually security sensitive, only the original
> negotiation errors are. Otherwise, if something fails, it fails.
> Try again later, maybe, but don't fall back to something else.
>
> Change-Id: Ia29373708ed81efe81feb79e8f0490f074edbff3
>
> diff --git a/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml b/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml
> index 39576b0..0529160 100644
> --- a/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml
> +++ b/src/rxgk/draft-wilkinson-afs3-rxgk-afs.xml
> @@ -181,18 +181,16 @@
> cannot be combined with any other token, and servers MUST reject
> attempts to do so.</t>
> <t>If the server is unable to perform the AFSCombineTokens operation
> - with the given arguments, a nonzero value is returned in the
> - errorcode field of token_info; errorcode is zero for a successful
> - AFSCombineTokens operation. If errorcode is nonzero, the values
> - of the other fields in token_info and the value of new_token
> - are undefined.</t>
> + with the given arguments, a nonzero value is returned.
> + Clients MUST NOT use such an error as an indication to fall back to
> + to a different security class.</t>
> <t>If the returned token is zero-length, then the destination does not
> support rxgk, and the client MAY fall back to using a different
> authentication mechanism for that server. An rxgk capable client
> operating within an rxgk enabled cell MUST NOT downgrade its
> choice of security layer in any other situation.</t>
> <t>Other aspects of the operation of AFSCombineTokens, including the
> - values for the errorcode field of token_info and the combination
> + combination
> of keys and tokens, are the same as the CombineTokens RPC, documented in
> CombineTokens call, documented in
> <xref target="I-D.wilkinson-afs3-rxgk"/>.</t>
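Review bot: the added sentence "Clients MUST NOT use such an error as an indication to fall back to / to a different security class." repeats "to" across the line break, and now that the in-band field is gone, "a nonzero value is returned" should say where it is returned; suggest "the RPC returns a nonzero error code" so a reader is not left looking for a field in token_info. The removed text also stated that the other fields of token_info and new_token are undefined on failure; the replacement says nothing about what the output parameters hold when the call fails, so consider keeping that sentence. While touching this paragraph, the pre-existing duplicated clause in the trailing context, "are the same as the CombineTokens RPC, documented in / CombineTokens call, documented in", could be collapsed to one.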
> @@ -557,6 +555,9 @@
> <t>Use a leap of faith for RegisterAddrsAndKey.</t>
> <t>Specify the nametype of the acceptor identity.</t>
> </section>
> + <section title="Since 02">
> + <t>Deal with fallout of errorcode's removal from RXGK_TokenInfo.</t>
> + </section>
> </section>
> </back>
> </rfc>
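Review bot: "Deal with fallout of errorcode's removal from RXGK_TokenInfo" in the new "Since 02" section does not tell a reader what changed normatively; suggest naming both changes, that AFSCombineTokens now signals failure through the RPC return value rather than token_info.errorcode, and that clients MUST NOT treat such a failure as permission to change security class.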
> diff --git a/src/rxgk/draft-wilkinson-afs3-rxgk.xml b/src/rxgk/draft-wilkinson-afs3-rxgk.xml
> index 0648ea4..e7ddcef 100644
> --- a/src/rxgk/draft-wilkinson-afs3-rxgk.xml
> +++ b/src/rxgk/draft-wilkinson-afs3-rxgk.xml
> @@ -448,7 +448,6 @@ enum RXGK_Level {
> };
>
> struct RXGK_TokenInfo {
> - int errorcode;
> RXGK_Enctype enctype;
> RXGK_Level level;
> unsigned int lifetime;
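Review bot: removing the leading int from RXGK_TokenInfo changes the XDR wire layout of the structure, so an implementation of -04 decoding a -05 response would read enctype where it expects errorcode and shift every following field; that is acceptable for a draft, but the "Since 04" changelog entry should say the change is wire-incompatible with the previous revision rather than only that the field was removed.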
> @@ -492,25 +491,9 @@ enum RXGK_Level {
> parameter, along with the computed lifetime, bytelife, and
> expiration.</t>
> <t>If the server is unable to perform the CombineTokens operation with
> - the given arguments, a nonzero value is returned in the errorcode
> - element of the info parameter; errorcode is zero for
> - a successful CombineTokens operation. Errors are returned in
> - this in-band field as opposed to as the RPC return value because
> - the error code is security sensitive -- the action taken by the
> - client upon receipt will affect the security of future actions.</t>
> - <t>If errorcode is nonzero, the values of the other fields in the
> - RXGK_TokenInfo structure and the value of new_token are undefined.
> - Nonzero values for errorcode should be com_err codes
> - <xref target="COMERR"/>, from an RX,
> - RXGK, or application-specific table. See
> - <xref target="AFSReg"/> for RXGK error codes.
> - For example,
> - <list style="hanging" hangIndent="6"><t hangText="RXGEN_OPCODE">used when
> - the server will refuse all CombineTokens requests.</t><t hangText="RXGK_BADETYPE">used when none of the enctypes
> - supplied by the client are acceptable to the server.</t><t hangText="RXGK_BADLEVEL">used when none of the security levels
> - supplied by the client are acceptable to the server.</t><t hangText="RXGK_EXPIRED">used when one or more of the input
> - tokens was already expired.</t></list>
> - To reduce the potential for denial of service attacks, servers
> + the given arguments, a nonzero value is returned and the client's
> + request fails.</t>
> + <t> To reduce the potential for denial of service attacks, servers
> SHOULD only offer the CombineTokens operation to clients connecting
> over a secured rxgk connection. CombineTokens SHOULD NOT be offered
> over an RXGK_LEVEL_CLEAR connection.
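Review bot: the replacement loses the guidance on which com_err codes a server returns (RXGEN_OPCODE, RXGK_BADETYPE, RXGK_BADLEVEL, RXGK_EXPIRED, with the COMERR and AFSReg references); moving the error from an in-band field to the RPC return value does not make that list obsolete, so suggest keeping it, reworded as "the RPC returns a nonzero com_err code ..., for example ...". The companion rxgk-afs hunk adds "Clients MUST NOT use such an error as an indication to fall back", but this document gets no equivalent for plain CombineTokens, and the removed rationale ("the action taken by the client upon receipt will affect the security of future actions") is gone without replacement; the prohibition belongs here too. Minor: the new "<t> To reduce" carries a leading space inside the element.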
> @@ -1053,6 +1036,7 @@ end
> <section title="Since 04">
> <t>Correct omissions from description of GSS negotiation loop.</t>
> <t>Adjust limits on variable-length array lengths.</t>
> + <t>Remove errorcode field from RXGK_TokenInfo.</t>
> </section>
> </section>
> </back>
> %%%%%%%%%%%%
--
Michael Meffie <mmeffie@sinenomine.net>
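The client-side rule the patch settles on, that an AFSCombineTokens error fails closed while only a zero-length token permits a change of security class, as an added Python model that is not part of this thread or of any rxgk implementation. The server, the RPC transport, the numeric values of the error codes and the "legacy" fallback class name are all assumptions made for the simulation; only the two outcomes and the MUST NOT come from the drafts.

```python
"""Model of a client deciding its security class after AFSCombineTokens.

Added example, not code from the rxgk drafts or OpenAFS.  The RPC is
simulated in-process; codes and names below are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum

# com_err codes named in the draft.  Numeric values are assumptions for
# this simulation, not the registered AFS values.
RXGK_BADETYPE = 1001
RXGK_BADLEVEL = 1002
RXGK_EXPIRED = 1003


class Outcome(Enum):
    USE_RXGK = "use_rxgk"          # got a token, stay on rxgk
    RETRY_LATER = "retry_later"    # RPC failed: keep rxgk, never downgrade
    MAY_FALL_BACK = "may_fall_back"  # zero-length token: peer has no rxgk


@dataclass
class CombineResult:
    rc: int            # RPC return value, 0 on success (assumed convention)
    new_token: bytes   # opaque token; b"" means the destination lacks rxgk


@dataclass
class FakeServer:
    """Stand-in for the server side of AFSCombineTokens (assumption)."""
    rxgk_enabled: bool = True
    accepted_enctypes: frozenset = frozenset({18})

    def afs_combine_tokens(self, enctypes, token_ok=True) -> CombineResult:
        if not self.rxgk_enabled:
            # Draft: zero-length token means "destination does not support rxgk".
            return CombineResult(0, b"")
        if not token_ok:
            return CombineResult(RXGK_EXPIRED, b"")
        if not (set(enctypes) & self.accepted_enctypes):
            return CombineResult(RXGK_BADETYPE, b"")
        return CombineResult(0, b"constructed-token")  # constructed sample token


@dataclass
class RxgkClient:
    security_class: str = "rxgk"
    errors: list = field(default_factory=list)

    @staticmethod
    def classify(res: CombineResult) -> Outcome:
        # Order matters: an error is checked before the token length, so an
        # error response carrying an empty token can never look like a
        # "no rxgk here" answer.
        if res.rc != 0:
            return Outcome.RETRY_LATER
        if len(res.new_token) == 0:
            return Outcome.MAY_FALL_BACK
        return Outcome.USE_RXGK

    def negotiate(self, server, enctypes, attempts=3, token_ok=True):
        """Try AFSCombineTokens up to `attempts` times.

        Returns (security_class_used, token).  Errors are recorded and the
        call retried, but self.security_class is left untouched; only the
        MAY_FALL_BACK outcome changes it.
        """
        for _ in range(attempts):
            res = server.afs_combine_tokens(enctypes, token_ok)
            out = self.classify(res)
            if out is Outcome.USE_RXGK:
                return ("rxgk", res.new_token)
            if out is Outcome.MAY_FALL_BACK:
                self.security_class = "legacy"  # assumed name of the fallback class
                return ("legacy", None)
            self.errors.append(res.rc)
        return (None, None)  # gave up for now; still an rxgk client


if __name__ == "__main__":
    c = RxgkClient()
    print(c.negotiate(FakeServer(), [17]), c.security_class, c.errors)
```

The point of the retry loop is the one the commit message makes: on RXGK_BADETYPE or RXGK_EXPIRED the client ends the loop still bound to rxgk, whereas only the empty-token answer from a server that has rxgk switched off lets security_class change.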