[krbdev.mit.edu #1801] Exact match enctype
Shawn Emery via RT
rt-comment at krbdev.mit.edu
Tue Sep 2 14:12:09 EDT 2003
krbv5,
I'm currently in the Solaris security group at Sun and found an issue when using
our Solaris 9+ client with an MS AD server. I've checked the 1.3.1 source tree
and discovered that it also has this issue.
I found a problem to be that an exact match is performed between the enctype
in the response to the enctype in the keytab file. In actuality a "similar"
match should be performed when checking for encryption types. We've integrated
this change into our source tree and I'm just checking to see if you would be
interested in the diffs for this.
krb5-1.3.1/src/lib/krb5/krb/rd_req_dec.c:
*** 77,86 ****
--- 77,93 ----
if ((retval = krb5_kt_get_entry(context, keytab, req->ticket->server,
req->ticket->enc_part.kvno,
enctype, &ktent)))
return retval;
+ /*
+ * If we get this far then we know that the enc types are similar,
+ * therefore we should change the enc type to match that of what
+ * we are decrypting.
+ */
+ ktent.key.enctype = enctype;
+
retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
/* Upon error, Free keytab entry first, then return */
(void) krb5_kt_free_entry(context, &ktent);
return retval;
Shawn.
--
More information about the krb5-bugs
mailing list