Fixes for S3 DCE/RPC GSSAPI with Heimdal
Luke Howard
lukeh at padl.com
Sat Apr 23 00:48:58 MDT 2011
>> BTW: gss_wrap_iov() doesn't work with all encryption types in heimdal.
>
> What are the limitations?
I believe it works only with "newer" (post-RC4) enctypes. At least, that's my quick reading of the code.
> I don't currently propose to use this code for any AD operations.
> However, as this is a supported part of Samba3, I do want it to be
> secure, and operate for at least the existing tests we have, which use
> arcfour-hmac-md5.
The question is what happens if you try gss_wrap_iov() with rc4-hmac. My reading of lib/gssapi/krb5/aeap.c is that you will get GSS_S_FAILURE.
(For the record, I tested MIT IOV against W2K8 with DES, RC4 and AES; I also tested it against itself with Camellia.)
-- Luke