KRB-SAFE bug affects KRB-PRIV too?
Sam Hartman
hartmans at MIT.EDU
Sat Apr 10 13:14:18 EDT 2004
>>>>> "John" == John Hascall <john at iastate.edu> writes:
John> I have an application that I am upgrading from K4 to K5
John> which used/s krb[5]_{mk|rd}_priv and which while testing my
John> new version I have seen return ASN1_MISSING_FIELD.
It seems more likely that the auth context flags are wrong, or that you
don't have network addresses in the auth context than that you're
seeing sequence number problems.
John> A google search turned up
John> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001810.html
John> which mentioned a similar problem with the krb5_xx_safe
John> routines. And it appears from the ChangeLog that shortly
John> thereafter the fix mentioned in
John> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001811.html
John> was applied for the 'safe' routines:
John> So, since it doesn't mention fixing KRB-PRIV and knowing
John> that it is similar to KRB-SAFE, I'm wondering if the same
John> problem lurks there?
I don't think so. I don't think we reencode krb-priv messages and you
certainly don't need to reencode them to verify their contents. The
act of decrypting an EncryptedData will check the checksum. With a
safe message, you need to verify the checksum explicitly.
--Sam
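
The distinction drawn in the reply above, as an added Python sketch that is not part of the original message and not MIT krb5 code: a SAFE-style message travels in the clear with a keyed checksum the receiver must verify explicitly, while a PRIV-style message fails at decryption if it was altered. The function names and the HMAC-SHA256 constructions are assumptions chosen for illustration, not Kerberos encryption types.

```python
import hashlib
import hmac
import os

def _subkey(key, label):
    # Separate keys per purpose, derived from one session key (illustrative).
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), not a Kerberos enctype.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def mk_safe(key, body):
    # SAFE-style: cleartext body plus a keyed checksum carried beside it.
    cksum = hmac.new(_subkey(key, b"safe"), body, hashlib.sha256).digest()
    return {"body": body, "cksum": cksum}

def rd_safe(key, msg, verify=True):
    # verify=False models a receiver that skips the explicit checksum step.
    if verify:
        expected = hmac.new(_subkey(key, b"safe"), msg["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, msg["cksum"]):
            raise ValueError("SAFE-style checksum mismatch")
    return msg["body"]

def mk_priv(key, body):
    # PRIV-style: the integrity tag is part of the encrypted blob itself.
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, body)
    tag = hmac.new(_subkey(key, b"int"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def rd_priv(key, blob):
    # Decryption cannot succeed without the integrity check passing first.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"int"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("PRIV-style integrity check failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def flip_bit(data, index):
    # Helper for constructing a tampered copy of a message.
    return data[:index] + bytes([data[index] ^ 1]) + data[index + 1:]
```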