Re: incompatibility between Heimdal GSSAPI and MIT GSSAPI for aes256-cts-hmac-sha1-96 credentials?
On Friday 21 October 2005 22:22, Love Hörnquist Åstrand wrote:
> Hi Karsten,
>
> > So, the only case which doesn't work is delegating
> > aes256-cts-hmac-sha1-96 credentials from MIT to Heimdal. I don't know
> > who's at fault here but maybe someone with a deeper understanding of the
> > protocol than me can have a look.
>
> Can you try this patch? This was brought to my attention during the last
> interop event in Seattle.
>
> Love
>
> --- lib/krb5/rd_cred.c 2005/07/13 20:51:09 1.22.2.1
> +++ lib/krb5/rd_cred.c 2005/10/22 02:21:00
> @@ -99,13 +99,37 @@ krb5_rd_cred(krb5_context context,
> enc_krb_cred_part_data.length = cred.enc_part.cipher.length;
> enc_krb_cred_part_data.data = cred.enc_part.cipher.data;
> } else {
> - if (auth_context->remote_subkey)
> + /* Try both subkey and session key.
> + *
> + * RFC2140 claims we should use the session key, but Heimdal
> + * before 0.8 used the remote subkey if it was send in the
> + * auth_context.
> + */
> +
> + if (auth_context->remote_subkey) {
> ret = krb5_crypto_init(context, auth_context->remote_subkey,
> 0, &crypto);
> - else
> + if (ret)
> + goto out;
> +
> + ret = krb5_decrypt_EncryptedData(context,
> + crypto,
> + KRB5_KU_KRB_CRED,
> + &cred.enc_part,
> + &enc_krb_cred_part_data);
> +
> + krb5_crypto_destroy(context, crypto);
> + }
> +
> + /*
> + * If there was not subkey, or we failed using subkey,
> + * retry using the session key
> + */
> + if (auth_context->remote_subkey == NULL || ret ==
> KRB5KRB_AP_ERR_BAD_INTEGRITY) + {
> +
> ret = krb5_crypto_init(context, auth_context->keyblock,
> 0, &crypto);
> - /* DK: MIT rsh */
>
> if (ret)
> goto out;
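Review bot: the retry condition `if (auth_context->remote_subkey == NULL || ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)` only falls back to the session key when the subkey attempt failed its integrity check; if `krb5_crypto_init` on the subkey fails the code reaches `goto out` before any session-key attempt, and a subkey decrypt that fails with any other error code skips the retry block and is reported as-is. If the intent is "use the session key whenever the subkey did not work", the condition should be `ret != 0`, or the crypto_init failure should be routed into the retry as well; if BAD_INTEGRITY is deliberately the only trigger, a comment saying so would stop the next reader from widening it. Two points in the new comment: RFC 2140 is "TCP Control Block Interdependence", not a Kerberos document, so the reference should be the Kerberos V5 specification (RFC 1510, superseded by RFC 4120); and "if it was send" should read "if it was sent".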
> @@ -117,6 +141,7 @@ krb5_rd_cred(krb5_context context,
> &enc_krb_cred_part_data);
>
> krb5_crypto_destroy(context, crypto);
> + }
> if (ret)
> goto out;
> }
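Review bot: with the retry block closed by the new `+ }`, the `if (ret) goto out;` that follows now reports only the session-key attempt's result when both keys were tried, so a failure in the field looks like a plain BAD_INTEGRITY with no trace that the subkey was also rejected; a debug message before the retry (or a comment at this `if`) would make the two cases distinguishable. Also worth confirming for the retry path: `enc_krb_cred_part_data` is handed to `krb5_decrypt_EncryptedData` a second time after the subkey attempt failed, so check that a failed decrypt leaves that output unallocated, otherwise the second call overwrites whatever the first one left behind.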
Thanks! That seems to do the trick.
Karsten.
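To make the key-selection logic in the patch concrete, here is an added toy model of the pre-patch and post-patch `krb5_rd_cred()` behaviour. It is not code from Heimdal, MIT or the thread, and it is not Kerberos cryptography: the HMAC-based cipher and the 96-bit truncated tag are stand-ins that keep only the property the fix relies on, namely that decrypting under the wrong key fails the integrity check (the model's `BadIntegrity` standing in for `KRB5KRB_AP_ERR_BAD_INTEGRITY`) before any plaintext comes back. The key-usage number 14 is the KRB-CRED value from RFC 4120 section 7.5.1; the key derivation, nonce handling and key lengths are the example's own assumptions.

```python
# Toy model of the krb5_rd_cred() key-selection fallback discussed above.
# NOT Kerberos crypto: the cipher, MAC and key derivation are stand-ins that
# only preserve the property the fix relies on, namely that decrypting under
# the wrong key fails the integrity check before any plaintext is returned.
import hashlib
import hmac
import os

KU_KRB_CRED = 14   # key-usage number of the KRB-CRED encrypted part (RFC 4120 s.7.5.1)
MAC_LEN = 12       # 96-bit truncated tag, like the "-96" in aes256-cts-hmac-sha1-96
NONCE_LEN = 16     # assumption of this toy, not a Kerberos parameter


class BadIntegrity(Exception):
    """Stand-in for KRB5KRB_AP_ERR_BAD_INTEGRITY."""


def _derive(key, usage, label):
    # Usage-specific sub-key; a toy substitute for RFC 3961 key derivation.
    return hmac.new(key, usage.to_bytes(4, "big") + label, hashlib.sha256).digest()


def _keystream(ke, nonce, length):
    # Counter-mode keystream from HMAC-SHA256; toy replacement for AES-CTS.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ke, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, usage, plaintext, nonce=None):
    """Encrypt-then-MAC under a usage-derived key pair; returns nonce || body || tag."""
    ke = _derive(key, usage, b"encrypt")
    ki = _derive(key, usage, b"integrity")
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(ke, nonce, len(plaintext))))
    tag = hmac.new(ki, nonce + body, hashlib.sha1).digest()[:MAC_LEN]
    return nonce + body + tag


def decrypt(key, usage, blob):
    """Verify the tag first; a wrong key surfaces as BadIntegrity, never as garbage plaintext."""
    ke = _derive(key, usage, b"encrypt")
    ki = _derive(key, usage, b"integrity")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(ki, nonce + body, hashlib.sha1).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        raise BadIntegrity("KRB-CRED integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(ke, nonce, len(body))))


def rd_cred_old(remote_subkey, session_key, blob):
    """Pre-patch rule: if a remote subkey was negotiated it is the only key tried."""
    if remote_subkey is not None:
        return decrypt(remote_subkey, KU_KRB_CRED, blob), "subkey"
    return decrypt(session_key, KU_KRB_CRED, blob), "session-key"


def rd_cred(remote_subkey, session_key, blob):
    """Patched rule: try the subkey, fall back to the session key on BAD_INTEGRITY."""
    if remote_subkey is not None:
        try:
            return decrypt(remote_subkey, KU_KRB_CRED, blob), "subkey"
        except BadIntegrity:
            pass  # same as the patch: retry only on the integrity error
    return decrypt(session_key, KU_KRB_CRED, blob), "session-key"


if __name__ == "__main__":
    # Constructed scenario: the peer encrypted the KRB-CRED under the session key
    # even though a subkey was negotiated (the MIT -> Heimdal case in the thread).
    session_key = bytes(range(32))
    remote_subkey = bytes(range(32, 64))
    blob = encrypt(session_key, KU_KRB_CRED, b"EncKrbCredPart")
    try:
        rd_cred_old(remote_subkey, session_key, blob)
    except BadIntegrity as e:
        print("pre-patch:", e)
    print("patched:", rd_cred(remote_subkey, session_key, blob))
```

Running the block shows the pre-patch rule rejecting the message with the integrity error while the patched rule recovers it under the session key; a message the peer did encrypt under the subkey still decrypts on the first attempt, so the fallback costs nothing in the conforming case.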