KRB5KRB_AP_ERR_MODIFIED: MIT Kerberos 1.8.1 & arcfour-hmac-md5 session key
Greg Hudson
ghudson at MIT.EDU
Fri Jun 4 12:45:30 EDT 2010
On Fri, 2010-06-04 at 12:24 -0400, Richard E. Silverman wrote:
> I tracked down the bug.

With apologies for being a pain in the butt, I'm not sure we understand
the situation well enough to safely make a change.

Providing zero-length input data is not the same as not providing any
input data. The change you suggested could have interoperability or
security ramifications if an application genuinely wants to checksum the
empty string in an authenticator.

Moreover, the mk_req_ext behavior you're proposing to change did not
change between 1.6 and current. The behavior of callers may have
changed, of course.