diff options
| author | Greg Hudson <ghudson@mit.edu> | 2013-04-16 13:32:04 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2024-06-20 16:36:30 -0400 |
| commit | 04f9c19c98aed91d96afa377557da86e04db6b44 (patch) | |
| tree | 7b2dfffd2bc6174c4b0228188edcceea4d6d9862 /src/lib/gssapi/krb5/accept_sec_context.c | |
| parent | 13e97260e012c34b454fba66a8525b32fe21e438 (diff) | |
| download | krb5-04f9c19c98aed91d96afa377557da86e04db6b44.zip krb5-04f9c19c98aed91d96afa377557da86e04db6b44.tar.gz krb5-04f9c19c98aed91d96afa377557da86e04db6b44.tar.bz2 | |
Correct IAKERB protocol implementation
The initial implementation of IAKERB in MIT krb5 mistakenly used
draft-zhu-ws-kerb instead of draft-kitten-ietf-iakerb, and
additionally used the wrong ASN.1 tag value for the target-realm field
of the IAKERB-HEADER sequence. Correct the following aspects of the
protocol implementation:
* Require and use framing on all messages, not just the initial
context token.
* Use extension value 2 for the finish message instead of 1.
* Use key usage value 41 instead of 42 for the finish message
checksum.
* Use UTF8String (12) for target-realm instead of OCTET STRING (4).
With these changes, the IAKERB implementation is interoperable with
other krb5 implementations, but not with the implementation before
these changes.
ticket: 9123 (new)
Diffstat (limited to 'src/lib/gssapi/krb5/accept_sec_context.c')
| -rw-r--r-- | src/lib/gssapi/krb5/accept_sec_context.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 227aa54..c224ee9 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -378,7 +378,7 @@ kg_process_extension(krb5_context context, assert(exts != NULL); switch (ext_type) { - case KRB5_GSS_EXTS_IAKERB_FINISHED: + case GSS_EXTS_FINISHED: if (exts->iakerb.conv == NULL) { code = KRB5KRB_AP_ERR_MSG_TYPE; /* XXX */ } else { |