[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI signing/encryption for unsuspectingly applications (its not a bug)

--On May 14, 2009 3:05:25 PM -0700 Howard Chu <hyc@symas.com> wrote:

Quanah Gibson-Mount wrote:
--On May 14, 2009 2:22:46 PM -0700 Howard Chu<hyc@symas.com>  wrote:

Secondly it seems so that Cyrus SASL code does not support SSF larger
than 56 for GSSAPI based signing/encryption (aka integrity/confidential

Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.

Hm, I thought for the GSSAPI mech, it was hard coded to 56.  I've
certainly not seen it higher even with newer enc types that were at much
higher encryption levels.

Read TF code.

/* Heimdal and MIT use the following */
# define K5_MAX_SSF  112
# endif

But that's behind a further ifdef:


which seems to only get set if you specifically set that at compile time. I certainly don't find it defined in any files generated from configure in my builds.


#ifndef K5_MAX_SSF
/* All Kerberos implementations support DES */
#define K5_MAX_SSF  56

So I stand behind it being hard coded at 56 for pretty much anyone.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration