svn rev #23611: trunk/src/lib/crypto/crypto_tests/

Greg Hudson ghudson at
Fri Jan 8 11:30:05 EST 2010

On Fri, 2010-01-08 at 07:59 -0500, Ezra Peisach wrote:
> I added an assertion in the free code to see if enctype was 0...  Get 
> hit in a number of programs...  The kdc in verify_checksum from the 
> kdc_find_fast.  I think it using an empty krb5_keyblock - with zero 
> length - so in theory
> who cares about the encryption type...

This code is a little special:

     * We need to confirm that a keyed checksum is used for the         
     * fast_req checksum.  In April 2009, the best way to do this is    
     * to try verifying the checksum with a keyblock with an zero       
     * length; if it succeeds, then an unkeyed checksum is used.        
    ret  = krb5_c_verify_checksum(kdc_context, &empty_keyblock, ...);

I think that comment is ignoring the existence of krb5_c_is_keyed_cksum.
Even if not, passing a NULL keyblock should work as well as passing an
invalid one.


More information about the krbdev mailing list