git.ipfire.org Git - thirdparty/krb5.git/commit
Correct IAKERB protocol implementation 1345/head
author Greg Hudson <ghudson@mit.edu>
Tue, 16 Apr 2013 17:32:04 +0000 (13:32 -0400)
committer Greg Hudson <ghudson@mit.edu>
Thu, 20 Jun 2024 20:36:30 +0000 (16:36 -0400)
commit 04f9c19c98aed91d96afa377557da86e04db6b44
tree 7b2dfffd2bc6174c4b0228188edcceea4d6d9862
parent 13e97260e012c34b454fba66a8525b32fe21e438
Correct IAKERB protocol implementation

The initial implementation of IAKERB in MIT krb5 mistakenly used
draft-zhu-ws-kerb instead of draft-kitten-ietf-iakerb, and
additionally used the wrong ASN.1 tag value for the target-realm field
of the IAKERB-HEADER sequence.  Correct the following aspects of the
protocol implementation:

* Require and use framing on all messages, not just the initial
  context token.
* Use extension value 2 for the finish message instead of 1.
* Use key usage value 41 instead of 42 for the finish message
  checksum.
* Use UTF8String (12) for target-realm instead of OCTET STRING (4).

With these changes, the IAKERB implementation is interoperable with
other krb5 implementations, but not with the implementation before
these changes.

ticket: 9123 (new)
doc/appdev/refs/macros/index.rst
src/include/krb5/krb5.hin
src/lib/gssapi/krb5/accept_sec_context.c
src/lib/gssapi/krb5/gssapiP_krb5.h
src/lib/gssapi/krb5/iakerb.c
src/lib/gssapi/krb5/init_sec_context.c
src/lib/krb5/asn.1/asn1_k_encode.c
src/tests/asn.1/krb5_decode_test.c
src/tests/asn.1/reference_encode.out
src/tests/asn.1/trval.c
src/tests/asn.1/trval_reference.out
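
The target-realm tag change from the commit message, as an added example (not code from krb5): a minimal C decoder that accepts an IAKERB-HEADER only when target-realm is a UTF8String (tag 12) and reports the old OCTET STRING (tag 4) form with a distinct error. The explicit `[1]` context tag around target-realm is assumed from the IAKERB draft's ASN.1; the function names and the sample realm `EXAMPLE.COM` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;
/* Constructed samples: "EXAMPLE.COM" as UTF8String (12) and OCTET STRING (4). */
static const u8 hdr_utf8[] = { 0x30, 0x0f, 0xa1, 0x0d, 0x0c, 0x0b,
    'E', 'X', 'A', 'M', 'P', 'L', 'E', '.', 'C', 'O', 'M' };
static const u8 hdr_octet[] = { 0x30, 0x0f, 0xa1, 0x0d, 0x04, 0x0b,
    'E', 'X', 'A', 'M', 'P', 'L', 'E', '.', 'C', 'O', 'M' };

/* Parse one TLV at p that must carry `tag`; return 0 and its value span. */
static int tlv(const u8 *p, size_t n, unsigned tag, const u8 **val, size_t *vlen)
{
    size_t len, k;
    if (n < 2 || p[0] != tag) return -1;
    len = p[1]; p += 2; n -= 2;
    if (len & 0x80) {                          /* long-form length */
        k = len & 0x7f;
        if (k == 0 || k > sizeof(size_t) || k > n) return -1;
        for (len = 0; k > 0; k--, n--) len = (len << 8) | *p++;
    }
    if (len > n) return -1;                    /* value overruns the buffer */
    *val = p; *vlen = len;
    return 0;
}

/* Returns 0 and copies the realm; -1 if malformed; -2 if target-realm is
 * present but not a UTF8String (for example the old OCTET STRING form). */
int iakerb_header_realm(const u8 *der, size_t len, char *out, size_t outsz)
{
    const u8 *seq, *fld, *str;
    size_t seqlen, fldlen, slen;
    if (tlv(der, len, 0x30, &seq, &seqlen)) return -1;     /* SEQUENCE */
    if (tlv(seq, seqlen, 0xa1, &fld, &fldlen)) return -1;  /* [1] explicit tag */
    if (fldlen > 0 && fld[0] != 0x0c) return -2;           /* wrong string type */
    if (tlv(fld, fldlen, 0x0c, &str, &slen)) return -1;
    if (str + slen != fld + fldlen || slen >= outsz || memchr(str, 0, slen))
        return -1;                             /* trailing bytes, too long, NUL */
    memcpy(out, str, slen); out[slen] = '\0';
    return 0;
}

int main(void)
{
    char r[64];
    printf("utf8=%d\n", iakerb_header_realm(hdr_utf8, sizeof hdr_utf8, r, sizeof r));
    printf("octet=%d\n", iakerb_header_realm(hdr_octet, sizeof hdr_octet, r, sizeof r));
    return 0;
}
```

The two samples differ in a single byte, which is why a peer built before this commit and one built after it cannot decode each other's headers.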