path: root/src/include/krb5/krb5.hin
author Greg Hudson <ghudson@mit.edu> 2013-04-16 13:32:04 -0400
committer Greg Hudson <ghudson@mit.edu> 2024-06-20 16:36:30 -0400
commit 04f9c19c98aed91d96afa377557da86e04db6b44 (patch)
tree 7b2dfffd2bc6174c4b0228188edcceea4d6d9862 /src/include/krb5/krb5.hin
parent 13e97260e012c34b454fba66a8525b32fe21e438 (diff)
Correct IAKERB protocol implementation

The initial implementation of IAKERB in MIT krb5 mistakenly used draft-zhu-ws-kerb instead of draft-kitten-ietf-iakerb, and additionally used the wrong ASN.1 tag value for the target-realm field of the IAKERB-HEADER sequence. Correct the following aspects of the protocol implementation:

* Require and use framing on all messages, not just the initial context token.
* Use extension value 2 for the finish message instead of 1.
* Use key usage value 41 instead of 42 for the finish message checksum.
* Use UTF8String (12) for target-realm instead of OCTET STRING (4).

With these changes, the IAKERB implementation is interoperable with other krb5 implementations, but not with the implementation before these changes.

ticket: 9123 (new)

Diffstat (limited to 'src/include/krb5/krb5.hin')
-rw-r--r-- src/include/krb5/krb5.hin 1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7496383..7c4fc10 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -977,6 +977,7 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
#define KRB5_KEYUSAGE_PA_REFERRAL 26
#define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
+#define KRB5_KEYUSAGE_FINISHED 41
#define KRB5_KEYUSAGE_IAKERB_FINISHED 42
#define KRB5_KEYUSAGE_PA_PKINIT_KX 44
#define KRB5_KEYUSAGE_PA_OTP_REQUEST 45 /**< See RFC 6560 section 4.2 */
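
Review bot: The added `KRB5_KEYUSAGE_FINISHED 41` define has no comment, and its name gives no hint that it relates to IAKERB, while `KRB5_KEYUSAGE_IAKERB_FINISHED 42` remains defined on the next line. The commit message says the finish message checksum now uses 41 instead of 42, so a reader of this header could still pick the IAKERB-named constant and compute a checksum that does not interoperate with the corrected implementation. Suggest a trailing doc comment on the new define, in the `/**< ... */` style already used on the `KRB5_KEYUSAGE_PA_OTP_REQUEST` line, stating that 41 is the key usage for the IAKERB finish message checksum, and a comment on the 42 define saying why it is retained (for example, source compatibility only) if that is the intent.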