3.1.5.6 Send Fragmented Messages

The first fragment includes the ASN.1 header for the message, so that the recipient can reconstruct the length of the completed message. This requires that MaxOutputTokenSize be at least 5 bytes.

The SPNEGO Extension calls InitFragmentToken (section 3.1.5.4), where:

  • Token contains the message.

  • MaxOutputTokenSize contains the MaxOutputTokenSize provided by the application.

The SPNEGO Extension MUST return GSS_S_CONTINUE_NEEDED status ([RFC2478]) and an initial packet containing OutputToken, as specified in section 3.1.5.4.

When FragmentOutputToken is set to TRUE, the SPNEGO Extension calls FragmentToken (section 3.1.5.5) to get the next fragment, and MUST return GSS_S_CONTINUE_NEEDED status and OutputToken. If FragmentOutputToken is not set to TRUE, the SPNEGO Extension MUST return GSS_S_COMPLETE status, as specified in [RFC2478].

If the server does not support fragmentation, the application service receives an error from its GSS_Accept_sec_context call, and the negotiation fails. Whether the client application receives the error depends on the application service behavior.
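The following Python model of the exchange above is an added example, not text or code from this specification. The class and function names are hypothetical, the sample token is constructed, and the rule that FragmentOutputToken stays TRUE while unsent bytes remain is an assumption standing in for sections 3.1.5.4 and 3.1.5.5. It shows the status sequence the caller sees and how a receiver can use the ASN.1 header in the first fragment to bound reassembly.

```python
GSS_S_COMPLETE = "GSS_S_COMPLETE"
GSS_S_CONTINUE_NEEDED = "GSS_S_CONTINUE_NEEDED"

def der_total_length(first_fragment: bytes) -> int:
    """Size of the whole DER TLV (header + content), read from its first bytes."""
    if len(first_fragment) < 2:
        raise ValueError("first fragment lacks tag and length octets")
    first = first_fragment[1]
    if first < 0x80:                       # short form: length in one octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(first_fragment) < 2 + n:
        raise ValueError("ASN.1 length not fully contained in first fragment")
    return 2 + n + int.from_bytes(first_fragment[2:2 + n], "big")

class FragmentingSender:
    """Hypothetical model of the sender; not the InitFragmentToken/FragmentToken text."""
    def __init__(self, token: bytes, max_output_token_size: int):
        if max_output_token_size < 5:
            raise ValueError("MaxOutputTokenSize must be at least 5 bytes")
        self.pending, self.max_size = token, max_output_token_size
        self.started = self.fragment_output_token = False

    def call(self):
        """One context-establishment call: returns (status, OutputToken)."""
        if self.started and not self.fragment_output_token:
            return GSS_S_COMPLETE, b""
        self.started = True
        out, self.pending = self.pending[:self.max_size], self.pending[self.max_size:]
        # Assumption: the flag stays TRUE while unsent bytes remain.
        self.fragment_output_token = bool(self.pending)
        return GSS_S_CONTINUE_NEEDED, out

def reassemble(fragments) -> bytes:
    """Receiver side: bound the buffer by the length announced in fragment one."""
    buf, expected = bytearray(), None
    for frag in fragments:
        if expected is None:
            expected = der_total_length(frag)
        buf += frag
        if len(buf) > expected:
            raise ValueError("peer sent more data than the ASN.1 header announced")
    if expected is None or len(buf) != expected:
        raise ValueError("message incomplete")
    return bytes(buf)

# Constructed sample: tag 0x60, long-form 2-octet length, 300 zero bytes of content.
SAMPLE_TOKEN = b"\x60\x82" + (300).to_bytes(2, "big") + bytes(300)
```

With a MaxOutputTokenSize of 128, the 304-byte sample is returned as three fragments, each with GSS_S_CONTINUE_NEEDED, and the following call returns GSS_S_COMPLETE.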