svn rev #23611: trunk/src/lib/crypto/crypto_tests/

Sam Hartman hartmans at MIT.EDU
Mon Jan 11 12:25:21 EST 2010


>>>>> "Greg" == Greg Hudson <ghudson at MIT.EDU> writes:

    Greg> On Fri, 2010-01-08 at 07:59 -0500, Ezra Peisach wrote:
    >> I added an assertion in the free code to see if enctype was 0...
    >> Get hit in a number of programs...  The kdc in verify_checksum
    >> from the kdc_find_fast.  I think it is using an empty krb5_keyblock
    >> - with zero length - so in theory who cares about the encryption
    >> type...

    Greg> This code is a little special:

    Greg>     /*
    Greg>      * We need to confirm that a keyed checksum is used for the
    Greg>      * fast_req checksum.  In April 2009, the best way to do this is
    Greg>      * to try verifying the checksum with a keyblock with an zero
    Greg>      * length; if it succeeds, then an unkeyed checksum is used.
    Greg>      */
    Greg>     ret = krb5_c_verify_checksum(kdc_context, &empty_keyblock, ...);

    Greg> I think that comment is ignoring the existence of
    Greg> krb5_c_is_keyed_cksum.  

It is.  Neither Tom nor I remembered that function when I asked about
this issue at the interop event.

    Greg> Even if not, passing a NULL keyblock
    Greg> should work as well as passing an invalid one.

You'd think that.  Something segfaulted on a null keyblock though.
I don't remember what now.


