--On May 14, 2009 3:05:25 PM -0700 Howard Chu <hyc(a)symas.com> wrote:
Quanah Gibson-Mount wrote:
> --On May 14, 2009 2:22:46 PM -0700 Howard Chu <hyc(a)symas.com> wrote:
>
>>> Secondly it seems so that Cyrus SASL code does not support SSF larger
>>> than 56 for GSSAPI based signing/encryption (aka integrity/confidential
>>
>> Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.
>
> Hm, I thought for the GSSAPI mech, it was hard coded to 56. I've
> certainly not seen it higher even with newer enc types that were at much
> higher encryption levels.

Read TF code.

/* Heimdal and MIT use the following */
# ifdef GSS_KRB5_CONF_C_QOP_DES3_KD
# define K5_MAX_SSF 112
# endif

But that's behind a further ifdef:

#ifdef WANT_KERBEROS5_3DES

which seems to only get set if you specifically set that at compile time.
I certainly don't find it defined in any files generated from configure in
my builds.

Otherwise:

#ifndef K5_MAX_SSF
/* All Kerberos implementations support DES */
#define K5_MAX_SSF 56
#endif

So I stand behind it being hard coded at 56 for pretty much anyone.

--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration