GSSAPI: A token had an invalid MIC

Phil Pennock info-cyrus-spodhuis at spodhuis.org
Sat Oct 28 07:49:37 EDT 2006


On 2006-10-28 at 01:27 -0400, Wesley Craig wrote:
> Given the versions of things, I'd suspect one or both of these two  
> problems:

Thanks for the pointers, it's appreciated.  Alas, no.

> 	http://people.su.se/~lha/patches/heimdal/cfx-wrap-size.txt

Read it over when more awake (being a little paranoid about patching
security-critical stuff with unsigned patches ;^) ).  Applied it.
Rebuilt Heimdal, no effect.  Rebuilt cyrus-sasl and cyrus-imapd in case
the function renames affected the ABI.  No effect.  I still see the
problem.

> 	http://www.irbs.net/internet/cyrus-sasl/0609/0011.html

Heh, no.  I see the problem in cyradm, imtest and my own code.  My own
code reimplements the SASL layers because I wrote it to learn CRAM-MD5
and DIGEST-MD5 (since writing the code helped clarify some obscure parts
of the RFCs).  I also wrap GSSAPI.pm myself; I tested both with my SASL
wrapping of GSSAPI and with the Perl SASL code (renamed my function, so
the fallback to the SASL library was used (and diagnostics decreased)).

I take it that people are using GSSAPI with Cyrus IMAP 2.3.7, so the
problem's not there?  And slapd is linked against libsasl2, so the
problem's unlikely to be there unless it's related to the base64
convenience support in libsasl2.  I guess.


Any other ideas about either cause or how I can isolate the cause?

Thanks,
-Phil


More information about the Info-cyrus mailing list