[krbdev.mit.edu #9181] verify_mic_v3 broken in 1.22
Francis Dupont via RT
rt-comment at krbdev.mit.edu
Sat Aug 16 22:31:30 EDT 2025
Sat Aug 16 22:31:29 2025: Request 9181 was acted upon.
 Transaction: Ticket created by fdupont at isc.org
       Queue: krb5
     Subject: verify_mic_v3 broken in 1.22
       Owner: Nobody
  Requestors: fdupont at isc.org
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181 >
The function verify_mic_v3() in src/lib/gssapi/krb5/verify_mic.c
calls kg_verify_checksum_v3() as if it returned an OM_uint32 status,
but kg_verify_checksum_v3() returns a krb5_boolean, which has
the opposite interpretation:
 - OM_uint32 0 is GSS_S_COMPLETE, so no error
 - krb5_boolean 0 is false, so failure
There are at least two ways to fix this:
 - modify the verify_mic_v3() body
 - change kg_verify_checksum_v3() to return an OM_uint32 and update the other
   call in unwrap_v3() in src/lib/gssapi/krb5/unwrap.c
Regards,
Francis Dupont <fdupont at isc.org>
PS: this bug breaks unit tests checking the GSS_C_INTEG_FLAG of a GSS TSIG
code on FreeBSD and macOS, two systems where 1.22 was installed.
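Added example (not from the ticket or the krb5 sources) modelling the mismatch described above with constructed stand-in types and a toy checksum: when the krb5_boolean is handed back as the OM_uint32 status, a matching MIC is reported as an error and a mismatching one as GSS_S_COMPLETE; the second wrapper shows the first fix the ticket proposes. The `_model`, `_buggy` and `_fixed` names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-ins for the krb5/GSS-API types and constants (constructed, not the library headers). */
typedef uint32_t OM_uint32;
typedef unsigned int krb5_boolean;
#define GSS_S_COMPLETE 0u
#define GSS_S_BAD_SIG  (6u << 16)  /* routine-error encoding as in RFC 2744 */

/* Constructed toy checksum (FNV-1a) standing in for the real keyed checksum;
 * it exists only so the control flow below can be run. */
static uint32_t toy_checksum(const unsigned char *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 16777619u; }
    return h;
}

/* Models kg_verify_checksum_v3(): a krb5_boolean, TRUE (nonzero) when the MIC matches. */
static krb5_boolean kg_verify_checksum_v3_model(const unsigned char *msg, size_t len, uint32_t mic)
{
    return toy_checksum(msg, len) == mic;
}

/* The defect as reported: the krb5_boolean is returned unchanged as the OM_uint32 status,
 * so TRUE (1) reads as an error and FALSE (0) reads as GSS_S_COMPLETE. */
static OM_uint32 verify_mic_v3_buggy(const unsigned char *msg, size_t len, uint32_t mic)
{
    return kg_verify_checksum_v3_model(msg, len, mic);
}

/* First fix from the ticket: translate the boolean into a GSS status in the caller. */
static OM_uint32 verify_mic_v3_fixed(const unsigned char *msg, size_t len, uint32_t mic)
{
    return kg_verify_checksum_v3_model(msg, len, mic) ? GSS_S_COMPLETE : GSS_S_BAD_SIG;
}

int main(void)
{
    static const unsigned char msg[] = "constructed sample message";
    size_t len = sizeof msg - 1;
    uint32_t good_mic = toy_checksum(msg, len);
    uint32_t bad_mic = good_mic ^ 1u;  /* constructed mismatching MIC */
    printf("valid MIC:   buggy=0x%08x fixed=0x%08x\n", (unsigned)verify_mic_v3_buggy(msg, len, good_mic),
           (unsigned)verify_mic_v3_fixed(msg, len, good_mic));
    printf("invalid MIC: buggy=0x%08x fixed=0x%08x\n", (unsigned)verify_mic_v3_buggy(msg, len, bad_mic),
           (unsigned)verify_mic_v3_fixed(msg, len, bad_mic));
    return 0;
}
```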