Decrypt integrity check failed after sending several correct messages

Ken Raeburn raeburn at MIT.EDU
Mon Feb 11 16:24:58 EST 2008

On Feb 11, 2008, at 6:08, Jose Miguel Such wrote:
> The problem is solved if i retry to call gss_unwrap with the same  
> message
> after waiting for 10 or 20 milliseconds once it has failed for the  
> first
> time.

That's ... really strange.  Does it fail if you immediately retry  
without waiting?

As far as I know, gss_unwrap should be completely deterministic.  Two  
invocations on the same input should get the same result.  Well,  
aside from sequence-number and timestamp checks, but decrypt- 
integrity-failed isn't the sort of error that would come up if those  
failed.  Aside from random hardware issues, I have no guess as to  
what the problem would be here.  I'd probably start with adding lots  
of debugging code to the libraries to log lots of info if the check  
fails, and then log some of the same info when you retry again.   
Sorry, I know it's not very helpful if you're not comfortable diving  
into the Kerberos code....

Hmm... you said this is a large number of processes.  I assume they  
are all single-threaded?  Are you using shared memory or memory- 
mapped files for interprocess communication?


More information about the krbdev mailing list