Decrypt integrity check failed after sending several correct messages
Ken Raeburn
raeburn at MIT.EDU
Mon Feb 11 16:24:58 EST 2008
On Feb 11, 2008, at 6:08, Jose Miguel Such wrote:
> The problem is solved if I retry to call gss_unwrap with the same message
> after waiting for 10 or 20 milliseconds once it has failed for the first
> time.

That's ... really strange. Does it fail if you immediately retry
without waiting?

As far as I know, gss_unwrap should be completely deterministic. Two
invocations on the same input should get the same result. Well,
aside from sequence-number and timestamp checks, but
decrypt-integrity-failed isn't the sort of error that would come up if those
failed. Aside from random hardware issues, I have no guess as to
what the problem would be here. I'd probably start with adding lots
of debugging code to the libraries to log lots of info if the check
fails, and then log some of the same info when you retry again.
Sorry, I know it's not very helpful if you're not comfortable diving
into the Kerberos code....

Hmm... you said this is a large number of processes. I assume they
are all single-threaded? Are you using shared memory or memory-mapped
files for interprocess communication?

Ken
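
The message above suggests logging the same information on the failed call and on the retry, and asks about shared memory; the following is an added example, not code from the thread or from MIT Kerberos, that fingerprints the token bytes around both attempts to tell "input changed" apart from "same input, different result". `token_buf`, `unwrap_fn`, `fake_unwrap` and the sample bytes are constructed stand-ins; in real use the callback would wrap the actual gss_unwrap call.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for gss_buffer_desc so this builds without GSS-API headers (assumption). */
typedef struct { size_t length; const void *value; } token_buf;
/* Hypothetical wrapper around the real gss_unwrap call; returns 0 on success. */
typedef int (*unwrap_fn)(const token_buf *tok, void *ctx);

enum verdict { UNWRAP_OK, INPUT_CHANGED, SAME_INPUT_RECOVERED, SAME_INPUT_FAILED };

/* FNV-1a 64-bit fingerprint of the token bytes: change detection only, not a security hash. */
static uint64_t token_fingerprint(const token_buf *tok)
{
    const unsigned char *p = tok->value;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < tok->length; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Try once; on failure log length and fingerprint, retry, and classify what happened. */
static enum verdict unwrap_with_diagnosis(unwrap_fn unwrap, const token_buf *tok, void *ctx)
{
    uint64_t before = token_fingerprint(tok);
    if (unwrap(tok, ctx) == 0) return UNWRAP_OK;
    fprintf(stderr, "unwrap failed: len=%zu fp=%016llx\n", tok->length, (unsigned long long)before);
    uint64_t after = token_fingerprint(tok);
    int rc = unwrap(tok, ctx);
    fprintf(stderr, "retry rc=%d:     len=%zu fp=%016llx\n", rc, tok->length, (unsigned long long)after);
    if (after != before) return INPUT_CHANGED;   /* the buffer was still being written */
    return rc == 0 ? SAME_INPUT_RECOVERED : SAME_INPUT_FAILED;
}

/* Constructed stand-in for gss_unwrap: the "integrity check" passes only when the last byte
   is set. On failure it fills that byte through ctx, imitating a writer in another process. */
static int fake_unwrap(const token_buf *tok, void *ctx)
{
    const unsigned char *p = tok->value;
    if (p[tok->length - 1] != 0) return 0;
    if (ctx) ((unsigned char *)ctx)[tok->length - 1] = 0x7f;
    return -1;
}

static enum verdict demo(unsigned char last, int writer_active)
{
    unsigned char shm[8] = {0x60, 0x1a, 0x02, 0x01, 0x00, 0x11, 0x22, last}; /* constructed bytes */
    token_buf tok = { sizeof shm, shm };
    return unwrap_with_diagnosis(fake_unwrap, &tok, writer_active ? shm : NULL);
}
int main(void) { return demo(0, 1) == INPUT_CHANGED ? 0 : 1; }
```

A verdict of `INPUT_CHANGED` points at the caller's buffer handling (for example a reader racing a writer in shared memory), while `SAME_INPUT_RECOVERED` would mean identical bytes gave different results and the search moves below the application.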