[krbdev.mit.edu #7561] kprop doesn't work with RC4 session key
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sun Feb 3 11:20:30 EST 2013
If you create a working kprop/kpropd setup and then add
"permitted_enctypes=arcfour-hmac-md5" to [libdefaults] in krb5.conf,
running kprop will produce:
kprop: Message size is incompatible with encryption type while
encoding database block starting at 0
The error originates from lib/crypto/builtin/enc_provider/rc4.c line 112
where it checks the size of the cipher state.
The offender here is krb5_auth_con_initivector() and the corresponding
code in mk_priv.c (line 73, where it processes i_vector). This code
assumes that an all-zeros block of the cipher blocksize is a valid
cipher state, which isn't true for RC4.
Nothing else in our code base uses krb5_auth_con_initivector, so this
bug has flown under the radar so far. It has likely been present since
the introduction of RC4.
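Added illustration (not part of this message and not MIT krb5 code): a small C model of the mismatch described above. A CBC-style enctype can take a zero-filled block of its block size as its initial cipher state (that is just an all-zero IV), but RC4's cipher state is a key-scheduled 256-byte permutation plus two indices, so a zero block of RC4's block size fails a provider-side "state must be exactly this large" check, which is the kind of check that produces the "Message size is incompatible with encryption type" error. The `struct enctype` descriptor, `zero_ivector_len`, `check_cipher_state` and the `BAD_MSIZE` return code are hypothetical stand-ins for the krb5 internals; only the RC4 key schedule and keystream are the real algorithm, and the key and message are constructed test data.

```c
/* Illustrative model, not MIT krb5 code: why a zero-filled block of the
 * cipher's block size is usable cipher state for a CBC block cipher but
 * not for RC4. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BAD_MSIZE 1   /* hypothetical stand-in for krb5's KRB5_BAD_MSIZE */

/* RC4 keystream state: the key-scheduled permutation plus two indices. */
struct rc4_state { uint8_t S[256]; uint8_t i, j; };

/* Hypothetical enctype descriptor, loosely modelled on an enc provider. */
struct enctype {
    const char *name;
    size_t block_size;   /* what a zero-filled "ivector" would be sized to */
    size_t state_size;   /* what the provider actually expects as state   */
};

static const struct enctype AES_CBC_LIKE = { "aes-cbc-like", 16, 16 };
static const struct enctype RC4_LIKE     = { "arcfour-like", 1, sizeof(struct rc4_state) };

/* Models the provider's length check on an incoming cipher state. */
static int check_cipher_state(const struct enctype *et, size_t state_len)
{
    return state_len == et->state_size ? 0 : BAD_MSIZE;
}

/* Models the zeroed buffer of block_size bytes handed over as state. */
static size_t zero_ivector_len(const struct enctype *et)
{
    return et->block_size;
}

/* Returns 0 when the zero-filled ivector passes the provider's check,
 * BAD_MSIZE otherwise. */
static int zero_ivector_accepted(const struct enctype *et)
{
    return check_cipher_state(et, zero_ivector_len(et));
}

/* The valid way to obtain RC4 state: derive it from the key (KSA). */
static void rc4_init(struct rc4_state *st, const uint8_t *key, size_t klen)
{
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) st->S[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + st->S[n] + key[n % klen]);
        uint8_t t = st->S[n]; st->S[n] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

/* PRGA: XOR the keystream into buf in place. The state advances, so the
 * decrypting side needs its own freshly initialised state. */
static void rc4_crypt(struct rc4_state *st, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->S[st->i]);
        uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
        buf[n] ^= st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
    }
}

/* Round trip with properly key-scheduled RC4 state; returns 1 on success. */
static int rc4_roundtrip_ok(void)
{
    static const uint8_t key[] = "constructed-test-key";   /* constructed */
    uint8_t msg[] = "kprop database block";                /* constructed */
    uint8_t buf[sizeof msg];
    struct rc4_state st;

    memcpy(buf, msg, sizeof msg);
    rc4_init(&st, key, sizeof key - 1);
    rc4_crypt(&st, buf, sizeof buf);
    if (memcmp(buf, msg, sizeof msg) == 0) return 0;   /* must have changed */
    rc4_init(&st, key, sizeof key - 1);                /* fresh state to decrypt */
    rc4_crypt(&st, buf, sizeof buf);
    return memcmp(buf, msg, sizeof msg) == 0;
}

int main(void)
{
    printf("%s: zero ivector %s\n", AES_CBC_LIKE.name,
           zero_ivector_accepted(&AES_CBC_LIKE) == 0 ? "accepted" : "rejected");
    printf("%s: zero ivector %s\n", RC4_LIKE.name,
           zero_ivector_accepted(&RC4_LIKE) == 0 ? "accepted" : "rejected");
    printf("rc4 round trip %s\n", rc4_roundtrip_ok() ? "ok" : "failed");
    return 0;
}
```

The point the model makes is that "block size" and "cipher state size" are different quantities: for a stream cipher the state is not an IV at all, so a caller that wants a fresh state has to ask the provider to initialise one from the key rather than handing it a zeroed block.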