On Wed, 11 Dec 2013, Simon Wilkinson wrote:
On 11 Dec 2013, at 21:44, Benjamin Kaduk <[email protected]> wrote:
On Tue, 10 Dec 2013, Benjamin Kaduk wrote:
have not yet done so). I have only tested with MIT krb5's gssapi library;
reports from people building against heimdal will be useful. (The system
heimdal on my mac is too old to have gss_pseudo_random(), alas.)
Well, maybe "too old" is not quite right, but "too weird to have a usable
gss_pseudo_random()", perhaps.
On Mac OS X, you don't get to play with Heimdal directly, instead you
have to go through a shim that emulates the MIT API on top of Heimdal.
Heimdal itself is hidden away in a private framework that applications
can't link against directly.
Well, I think that the GSS situation is slightly less bad than for krb5
itself, but the headers in /usr/include/gssapi and in
/System/Library/Frameworks/GSS.framework/Headers/ are rather different.
The framework setup is also incompatible with rra-c-util and including
headers as <gssapi/gssapi.h>, so it still counts as "you don't get to use
it".
It also encodes the counter with the wrong endianness for its PRF+, so
aes256-cts-hmac-sha1-96 keys don't work, but aes128-cts-hmac-sha1-96 keys do.
Nico caught this, and it's fixed as
7d459095377eff93b0e0bc1a96e1a4e9ecd817a1 on Heimdal master. I think the
fix will be in their next release. It's a little bit awkward, because
the fix will affect Heimdal -> Heimdal compatibility - you won't be able
to use a pre-fix Heimdal client against a post-fix Heimdal server.
OpenAFS should perhaps just refuse to build against Heimdal versions
that have this issue.
We were chatting with Nico on IRC about it, yup. Greg also started a
thread on kitten about the wrong index being used for the PRF+ (in both
MIT and Heimdal) from RFC 4402.
-Ben
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
