KRB-SAFE bug affects KRB-PRIV too?
John Hascall
john at iastate.edu
Sun Apr 11 22:12:02 EDT 2004
> >>>>> "John" == John Hascall <john at iastate.edu> writes:
>
> John> I have an application that I am upgrading from K4 to K5
> John> which used/s krb[5]_{mk|rd}_priv and which while testing my
> John> new version I have seen return ASN1_MISSING_FIELD.
>
> It seems more likely that the auth context flags are wrong, or that you
> don't have network addresses in the auth context than that you're
> seeing sequence number problems.
>
> John> A google search turned up
> John> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001810.html
> John> which mentioned a similar problem with the krb5_xx_safe
> John> routines. And it appears from the ChangeLog that shortly
> John> thereafter the fix mentioned in
> John> http://mailman.mit.edu/pipermail/krb5-bugs/2003-September/001811.html
> John> was applied for the 'safe' routines:
>
> John> So, since it doesn't mention fixing KRB-PRIV and knowing
> John> that it is similar to KRB-SAFE, I'm wondering if the same
> John> problem lurks there?
>
> I don't think so. I don't think we reencode krb-priv messages and you
> certainly don't need to reencode them to verify their contents. The
> act of decrypting an EncryptedData will check the checksum. With a
> safe message, you need to verify the checksum explicitly.
Right you are. I found the error and it was mine.
I guess ASN1_MISSING_FIELD just wasn't something
I expected out of those routines.
John
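
The distinction drawn in the quoted reply (a SAFE message needs an explicit checksum verification, while decrypting a PRIV message checks integrity as part of decryption), as an added example that is not part of the original post and not MIT krb5 code. It is a toy model: the function names, the HMAC-based keystream and the message layouts are assumptions for illustration, not the Kerberos wire format or a real enctype.

```python
import hashlib, hmac, os

def _mac(key, label, data):
    # Per-purpose subkey so the toy cipher and the checksum never share a key.
    return hmac.new(hashlib.sha256(key + label).digest(), data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy counter-mode keystream built from HMAC; a stand-in for a real enctype.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_mac(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def mk_safe(key, user_data):
    # SAFE-like: cleartext body with a keyed checksum travelling beside it.
    return {"body": user_data, "cksum": _mac(key, b"safe", user_data)}

def rd_safe(key, msg, verify=True):
    # Parsing proves nothing; the receiver has to recompute and compare explicitly.
    if verify and not hmac.compare_digest(_mac(key, b"safe", msg["body"]), msg["cksum"]):
        raise ValueError("SAFE checksum mismatch")
    return msg["body"]

def mk_priv(key, user_data):
    # PRIV-like: the integrity tag is part of the encrypted blob itself.
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, user_data)
    return nonce + ct + _mac(key, b"int", nonce + ct)

def rd_priv(key, blob):
    # No code path returns plaintext without the integrity check passing first.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_mac(key, b"int", nonce + ct), tag):
        raise ValueError("PRIV integrity check failed")
    return _xor_stream(key, nonce, ct)

def tamper_results(key=b"constructed-demo-key"):
    # Constructed sample messages, each modified in transit.
    safe = mk_safe(key, b"transfer 10")
    safe["body"] = b"transfer 99"
    priv = bytearray(mk_priv(key, b"transfer 10"))
    priv[16] ^= 0x01  # flip one bit in the first ciphertext byte
    results = {"safe_unverified": rd_safe(key, safe, verify=False)}
    for name, read in (("safe_verified", lambda: rd_safe(key, safe)),
                       ("priv", lambda: rd_priv(key, bytes(priv)))):
        try:
            results[name] = read()
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(tamper_results())
```

Only the SAFE-like reader has a path that hands back modified data, which is why its checksum step has to be explicit.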