[Comment] [krbdev.mit.edu #9181] verify_mic_v3 broken in 1.22
Cy Schubert via RT
rt-comment at krbdev.mit.edu
Sun Aug 17 11:22:28 EDT 2025
https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181
This is a comment. It is not sent to the Requestor(s):
In message <rt-4.4.3-2-3518203-1755417866-577.9181-8-0 at mit.edu>, "Cy Schubert via RT" writes:
>
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181
> This is a comment. It is not sent to the Requestor(s):
>
> In message <rt-4.4.3-2-3487538-1755397890-231.9181-4-0 at mit.edu>, "Francis Dupont via RT" writes:
> >
> > Sat Aug 16 22:31:29 2025: Request 9181 was acted upon.
> > Transaction: Ticket created by fdupont at isc.org
> > Queue: krb5
> > Subject: verify_mic_v3 broken in 1.22
> > Owner: Nobody
> > Requestors: fdupont at isc.org
> > Status: new
> > Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181 >
> >
> >
> > The function verify_mic_v3() in src/lib/gssapi/krb5/verify_mic.c
> > calls kg_verify_checksum_v3() as it returns an OM_uint32 status
> > but kg_verify_checksum_v3() returns a krb5_boolean which has
> > the opposite interpretation:
> > - OM_uint32 0 is GSS_S_COMPLETE so no error
> > - krb5_boolean 0 is false so failure
> >
> > There are at least two ways to fix this:
> > - modify verify_mic_v3() body
> > - kg_verify_checksum_v3() to return an OM_uint32 and update the other
> > call in unwrap_v3() in src/lib/gssapi/krb5/unwrap.c
>
> Wouldn't this fix it?
>
> diff --git a/crypto/krb5/src/lib/gssapi/krb5/verify_mic.c
> b/crypto/krb5/src/lib/gssapi/krb5/verify_mic.c
> index 9852f49912a9..a9b146f90ba1 100644
> --- a/crypto/krb5/src/lib/gssapi/krb5/verify_mic.c
> +++ b/crypto/krb5/src/lib/gssapi/krb5/verify_mic.c
> @@ -90,7 +90,6 @@ verify_mic_v3(krb5_context context, OM_uint32
> *minor_status,
> krb5_gss_ctx_id_rec *ctx, struct k5input *in,
> gss_buffer_t message)
> {
> - OM_uint32 status;
> krb5_keyusage usage;
> krb5_key key;
> krb5_cksumtype cksumtype;
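Review bot: the file headers above this hunk name a/crypto/krb5/src/lib/gssapi/krb5/verify_mic.c, while the ticket gives the file as src/lib/gssapi/krb5/verify_mic.c, so against a tree laid out as in the ticket the patch has to be applied with the extra leading components stripped (patch -p3) or regenerated. Dropping the "OM_uint32 status;" declaration here is only correct together with the next hunk, which removes the visible uses of status; the two must land together or the build fails on an undeclared variable.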
> @@ -124,12 +123,11 @@ verify_mic_v3(krb5_context context, OM_uint32
> *minor_status,
> }
> assert(key != NULL);
>
> - status = kg_verify_checksum_v3(context, key, usage, cksumtype,
> + if (!kg_verify_checksum_v3(context, key, usage, cksumtype,
> KG2_TOK_MIC_MSG, flags, seqnum,
> message->value, message->length,
> - in->ptr, in->len);
> - if (status != GSS_S_COMPLETE)
> - return status;
> + in->ptr, in->len))
> + return (GSS_S_BAD_SIG);
>
> return g_seqstate_check(ctx->seqstate, seqnum);
> }
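Review bot: the new failure path at "return (GSS_S_BAD_SIG);" does not set *minor_status, although the function takes minor_status as a parameter; unless it is initialised earlier in the function, set it before returning so callers do not read a stale minor code. Because kg_verify_checksum_v3() is tested only as true or false, every failure inside it is now reported as GSS_S_BAD_SIG, which deserves a short comment. The parenthesised return value also differs in style from the "return g_seqstate_check(ctx->seqstate, seqnum);" line directly below it. The ticket names a second call in unwrap_v3(); that call should be checked for the same boolean/status mix-up as part of this change.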
>
This won't work.
--
Cheers,
Cy Schubert <Cy.Schubert at cschubert.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy at nwtime.org> Web: https://nwtime.org
e**(i*pi)+1=0
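The return-convention mix-up described in the ticket, reduced to a stand-alone C example that is added here and is not code from krb5 or from either poster. The types, status values, function names and the toy checksum are constructed stand-ins for OM_uint32, krb5_boolean and the real checksum routine.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned int gstatus;    /* stand-in for OM_uint32 */
typedef unsigned int kbool;      /* stand-in for krb5_boolean */
#define ST_COMPLETE 0u           /* success, playing the role of GSS_S_COMPLETE */
#define ST_BAD_SIG  1u           /* constructed failure value for this example */

/* Toy checksum check (not cryptographic): returns nonzero (true) on match. */
static kbool toy_verify_checksum(const unsigned char *msg, size_t len,
                                 unsigned char expected)
{
    unsigned char sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (unsigned char)(sum + msg[i]);
    return sum == expected;
}

/* Inverted pattern: the boolean result is stored and tested as a status. */
gstatus verify_inverted(const unsigned char *msg, size_t len, unsigned char mic)
{
    gstatus status = toy_verify_checksum(msg, len, mic);
    if (status != ST_COMPLETE)
        return status;      /* a valid MIC (true, nonzero) is returned as an error */
    return ST_COMPLETE;     /* a bad MIC (false, 0) falls through as success */
}

/* Checked pattern: test the boolean first, then map it to a status. */
gstatus verify_checked(const unsigned char *msg, size_t len, unsigned char mic)
{
    if (!toy_verify_checksum(msg, len, mic))
        return ST_BAD_SIG;
    return ST_COMPLETE;
}

int main(void)
{
    const unsigned char msg[] = { 1, 2, 3 };   /* constructed sample; byte sum is 6 */
    printf("inverted: good=%u bad=%u\n",
           verify_inverted(msg, sizeof msg, 6), verify_inverted(msg, sizeof msg, 7));
    printf("checked:  good=%u bad=%u\n",
           verify_checked(msg, sizeof msg, 6), verify_checked(msg, sizeof msg, 7));
    return 0;
}
```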