[OpenAFS-devel] Re: rxgk updates
Simon Wilkinson
simonxwilkinson@gmail.com
Wed, 11 Dec 2013 22:01:34 +0000
On 11 Dec 2013, at 21:44, Benjamin Kaduk <kaduk@MIT.EDU> wrote:
> On Tue, 10 Dec 2013, Benjamin Kaduk wrote:
>=20
>> have not yet done so). I have only tested with MIT krb5's gssapi =
library; reports from people building against heimdal will be useful. =
(The system heimdal on my mac is too old to have gss_pseudo_random(), =
alas.)
>=20
> Well, maybe "too old" is not quite right, but "too weird to have a =
usable gss_pseudo_random()", perhaps.
On Mac OS X, you don't get to play with Heimdal directly, instead you =
have to go through a shim that emulates the MIT API on top of Heimdal. =
Heimdal itself is hidden away in a private framework that applications =
can't link against directly.
> It also encodes the counter with the wrong endianness for its PRF+, so =
aes256-cts-hmac-sha1-96 keys don't work, but aes128-cts-hmac-sha1-96 =
keys do.
Nico caught this, and it's fixed as =
7d459095377eff93b0e0bc1a96e1a4e9ecd817a1 on Heimdal master. I think the =
fix will be in their next release. It's a little bit awkward, because =
the fix will affect Heimdal -> Heimdal compatibility - you won't be able =
to use a pre-fix Heimdal client against a post-fix Heimdal server. =
OpenAFS should perhaps just refuse to build against Heimdal versions =
that have this issue.
Cheers,
Simon