--On May 14, 2009 3:05:25 PM -0700 Howard Chu <hyc(a)symas.com> wrote:
Quanah Gibson-Mount wrote:
> --On May 14, 2009 2:22:46 PM -0700 Howard Chu<hyc(a)symas.com> wrote:
>>> Secondly it seems so that Cyrus SASL code does not support SSF larger
>>> than 56 for GSSAPI based signing/encryption (aka integrity/confidential
>> Also wrong, Cyrus SASL/GSSAPI is known to work with up to ssf=112.
> Hm, I thought for the GSSAPI mech, it was hard coded to 56. I've
> certainly not seen it higher even with newer enc types that were at much
> higher encryption levels.
Read TF code.
/* Heimdal and MIT use the following */
# ifdef GSS_KRB5_CONF_C_QOP_DES3_KD
# define K5_MAX_SSF 112
But that's behind a further ifdef:
which seems to only get set if you specifically set that at compile time.
I certainly don't find it defined in any files generated from configure in
/* All Kerberos implementations support DES */
#define K5_MAX_SSF 56
So I stand behind it being hard coded at 56 for pretty much anyone.
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration