KRB-SAFE bug effects KRB-PRIV too?

Sam Hartman hartmans at MIT.EDU
Sat Apr 10 13:14:18 EDT 2004

>>>>> "John" == John Hascall <john at> writes:

    John> I have an application that I am upgrading from K4 to K5
    John> which used/s krb[5]_{mk|rd}_priv and which while testing my
    John> new version I have seen return ASN1_MISSING_FIELD.

It seems more likely that the auth context flags are wrong ,r that you
don't have network addresses in the auth context than that you're
seeing sequence number problems.

    John> A google search turned up
    John> which mentioned a similar problem with the krb5_xx_safe
    John> routines.  And it appears from the ChangeLog that shortly
    John> thereafter the fix mentioned in
    John> was applied for the 'safe' routines:

    John> So, since it doesn't mention fixing KRB-PRIV and knowing
    John> that it is similar to KRB-SAFE, I'm wondering if the same
    John> problem lurks there?

I don't think so.  I don't think we reencode krb-priv messages and you
certainly don't need to reencode them to verify their contents.  The
act of decrypting an EncryptedData will check the checksum.  With a
safe message, you need to verify the checksum explicitly.


More information about the krbdev mailing list