krb5-1.8-beta1 is available

Marcus Watts mdw at
Thu Feb 25 02:50:36 EST 2010

> Date:    Wed, 24 Feb 2010 23:45:06 EST
> To:      Marcus Watts <mdw at>
> cc:      "krbdev at" <krbdev at>
> From:    Tom Yu <tlyu at MIT.EDU>
> Subject: Re: krb5-1.8-beta1 is available
> Marcus Watts <mdw at> writes:
> > ____ 3. decrypted enc_parts
> >
> > Code fails doing an asn.1 decode of "enc_part" -> "enc_part2".
> > asn.1 decode from decode_krb5_enc_tkt_part.
> Thanks for your help in investigating.
> Would you please provide more details of which code is failing and in
> what way?  Is it stock krb5 library code from an earlier release?  I
> was intending to code-freeze krb5-1.8 earlier this week and would like
> to know if this issue is a showstopper.

Ok.  This issue is definitely not a showstopper; you should feel
free to release krb5-1.8.  I've managed to find the offending
code, it's not in krb5-1.8 at all, and I now have a fixed version
that works without incident.

The code that was failing for me is *not* any version of mit kerberos;
it's separate code which decodes kerberos 5 data using openssl asn.1
logic.  The advantage is that it might catch problems that escaped your
testing; the disadvantage is those problems might be its own problems.
So far, it caught one problem for you, and scored one problem of its own.
Sorry for the confusion; the tight schedule you have didn't give me much
time to get my ducks in a row.

So the main concern I have at this point is it's not clear to me whatever
this is has good documentation, &etc.  I'm now more or less convinced
that S4U2Self and S4U2Proxy aren't ietf draft standards, but at least
I found .

				-Marcus Watts

More information about the krbdev mailing list