Hi, I have a setup where the server is running on Java and is using the SASL GSSAPI mechanism provided by Java framework. Whereas the client is running on C++ and is using the cyrus-sasl GSSAPI plugin to negotiate for privacy.
I can see the handshake working fine between client and server. But when I try to encrypt data on client side and decrypt on server side it fails with Invalid Token ID exception. Is this issue already known ? Are there any workaround for this case ? Do you know of any other product using the cyrus-sasl plugins and Java provided sasl framework plugins in their client/server setup ?
On looking more I found below:
For path where c++ client encrypt the data and sends to Java server which tries to do decrypt the data: sasl_encode called by client internally calls the sasl_gss_encode api present in gssapi.c which calls the gss_wrap api. After the gss_wrap gives back the encrypted data the sasl_gss_encode is putting extra 4 bytes in front of the encrypted data and gives that back to application. Whereas on server side (which is running on Java) it doesn't expects those 4 bytes and hence fails. I did a test by ignoring first 4 bytes sent from client to server before calling unwrap and then it's working fine.
Thanks, Sorabh |