On 11 Dec 2013, at 21:44, Benjamin Kaduk <[email protected]> wrote: > On Tue, 10 Dec 2013, Benjamin Kaduk wrote: > >> have not yet done so). I have only tested with MIT krb5's gssapi library; >> reports from people building against heimdal will be useful. (The system >> heimdal on my mac is too old to have gss_pseudo_random(), alas.) > > Well, maybe "too old" is not quite right, but "too weird to have a usable > gss_pseudo_random()", perhaps.
On Mac OS X, you don't get to play with Heimdal directly, instead you have to go through a shim that emulates the MIT API on top of Heimdal. Heimdal itself is hidden away in a private framework that applications can't link against directly. > It also encodes the counter with the wrong endianness for its PRF+, so > aes256-cts-hmac-sha1-96 keys don't work, but aes128-cts-hmac-sha1-96 keys do. Nico caught this, and it's fixed as 7d459095377eff93b0e0bc1a96e1a4e9ecd817a1 on Heimdal master. I think the fix will be in their next release. It's a little bit awkward, because the fix will affect Heimdal -> Heimdal compatibility - you won't be able to use a pre-fix Heimdal client against a post-fix Heimdal server. OpenAFS should perhaps just refuse to build against Heimdal versions that have this issue. Cheers, Simon _______________________________________________ OpenAFS-devel mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-devel
