KRB-SAFE bug effects KRB-PRIV too?

John Hascall john at
Sun Apr 11 22:12:02 EDT 2004

> >>>>> "John" == John Hascall <john at> writes:
>     John> I have an application that I am upgrading from K4 to K5
>     John> which used/s krb[5]_{mk|rd}_priv and which while testing my
>     John> new version I have seen return ASN1_MISSING_FIELD.
> It seems more likely that the auth context flags are wrong ,r that you
> don't have network addresses in the auth context than that you're
> seeing sequence number problems.
>     John> A google search turned up
>     John>
>     John> which mentioned a similar problem with the krb5_xx_safe
>     John> routines.  And it appears from the ChangeLog that shortly
>     John> thereafter the fix mentioned in
>     John>
>     John> was applied for the 'safe' routines:
>     John> So, since it doesn't mention fixing KRB-PRIV and knowing
>     John> that it is similar to KRB-SAFE, I'm wondering if the same
>     John> problem lurks there?

> I don't think so.  I don't think we reencode krb-priv messages and you
> certainly don't need to reencode them to verify their contents.  The
> act of decrypting an EncryptedData will check the checksum.  With a
> safe message, you need to verify the checksum explicitly.

Right you are.  I found the error and it was mine.
I guess ASN1_MISSING_FIELD just wasn't something
I expected out of those routines.


More information about the krbdev mailing list