[Todd Kover <kovert@omniscient.com>] KfW and triple des problems
Douglas E. Engert
deengert at anl.gov
Mon Feb 18 09:52:00 EST 2002
This sounds somewhat familiar to the problem I had with 3des on Windows.
I tracked it down to what looked like uninitialized enctypes. Ken had
looked at these changes before. I still think it is a problem.
Here are diffs for 1.2.3 in lib/crypto/dk
*** ,derive.c Wed Jan 9 16:27:37 2002
--- derive.c Fri Jan 11 14:33:59 2002
***************
*** 98,103 ****
--- 98,104 ----
inblock.length = keybytes;
(*(enc->make_key))(&inblock, outkey);
+ outkey->enctype = inkey->enctype;
/* clean memory, free resources and exit */
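Review bot: the added assignment `outkey->enctype = inkey->enctype;` sits after `(*(enc->make_key))(&inblock, outkey);`, so it silently overwrites any enctype a make_key routine might set itself, and it is ordered the opposite way from the stringtokey.c hunk, where `foldkey.enctype` is set before the make_key call; pick one ordering for both files and, since the covering text only says the enctypes "looked like" uninitialized, document which downstream consumer of outkey->enctype was observed reading the unset value. Copying from inkey only helps if inkey->enctype is itself guaranteed to be populated at this point; if callers can pass a keyblock with only contents/length filled in, a check (or at least a debug assert) on inkey->enctype would catch that before the value is propagated.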
*** ,stringtokey.c Wed Jan 9 16:27:37 2002
--- stringtokey.c Fri Jan 11 14:32:16 2002
***************
*** 72,77 ****
--- 72,78 ----
indata.data = foldstring;
foldkey.length = keylength;
foldkey.contents = foldkeydata;
+ foldkey.enctype = key->enctype;
(*(enc->make_key))(&indata, &foldkey);
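Review bot: `foldkey.length` and `foldkey.contents` are assigned field by field and nothing in the hunk shows foldkey being zero-initialized, so setting `foldkey.enctype = key->enctype;` plugs one field but leaves the same class of bug open for any other keyblock member that is added later; consider initializing the whole struct at its declaration (a zero initializer or memset) in addition to this line. As with the derive.c hunk, this only fixes the symptom if `key->enctype` is already valid on entry to the string-to-key routine, which is worth confirming for the 3des path the report is about.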
Sam Hartman wrote:
>
> I'm somewhat bothered that this doesn't work. I can't think of
> anything obvious the user is doing wrong. We should test this on
> Windows. I can help with test realms that do 3des.
>
> ------- Start of forwarded message -------
> Message-Id: <200202132230.g1DMUtmO025236 at guiness.omniscient.com>
> To: kerberos at mit.edu
> Subject: KfW and triple des problems
> From: Todd Kover <kovert at omniscient.com>
> Date: Wed, 13 Feb 2002 17:30:55 -0500
>
> is anyone aware of problems with KfW 2.1.2 and triple des encryption?
>
> [ This is all krb5. I have no krb4 support turned on anymore. ]
>
> I'm attempting to get WinCVS/cvs working with gserver against the 2.1.2
> sdk and have been successful using keys in my age-old kdc (migrated
> over from v4) which only has a des-cbc-crc key for the relevant service
> principal:
>
> kadmin: getprinc cvs/saidin.omniscient.com
> [ ... ]
> Number of keys: 1
> Key: vno 2, DES cbc mode with CRC-32, no salt
>
> (The kdc is running 1.2.2 now but that's a change since the
> abovementioned principal was created).
>
> I'm able to interact with a cvs server linked against 1.2.2 sources
> using this service key just fine.
>
> Using the same cvs binary, but against a relatively newly configured cvs
> server (initially installed under 1.2) the service side is complaining:
>
> "could not verify credentials"
>
> with a cvs server similarly linked against 1.2.2 libraries but with a
> cvs/hostname principal in the kdc with key types:
>
> Number of keys: 2
> Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 2, DES cbc mode with CRC-32, no salt
>
> The odd thing is that when I have the windows box's krb5.ini file set
> with:
>
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
>
> I can kinit against it fine from the windows box. If I change this to:
>
> default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
> default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
>
> kinits fail.
>
> This leads me to believe something is awry with the des3-hmac-sha1
> support.
>
> It seems that the .ini file is ignored when grabbing service tickets
> because the credentials cache on the windows box has both keys in it
> when I attempt to use cvs, regardless of the config file. (this isn't
> surprising).
>
> Does this ring any bells for anyone? I haven't dug deeply into the code
> just yet. I figured I'd ask before I started to try to parse it and get
> the encryption-induced headache I expect. :-)
>
> windows 2000+sp2 if that makes a difference. Everything's built with
> Visual C++&&sp5.
>
> thanks,
> -Todd
> _______________________________________________
> Kerberos mailing list
> Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
> ------- End of forwarded message -------
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444