[17042] in Kerberos-V5-bugs
[krbdev.mit.edu #9181] verify_mic_v3 broken in 1.22
daemon@ATHENA.MIT.EDU (Francis Dupont via RT)
Sat Aug 16 22:31:37 2025
From: "Francis Dupont via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: <20250816155624.6C8DEB81F3@bikeshed.isc.org>
Message-ID: <rt-4.4.3-2-3487538-1755397890-231.9181-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9181":;
Date: Sat, 16 Aug 2025 22:31:30 -0400
Sat Aug 16 22:31:29 2025: Request 9181 was acted upon.
Transaction: Ticket created by fdupont@isc.org
Queue: krb5
Subject: verify_mic_v3 broken in 1.22
Owner: Nobody
Requestors: fdupont@isc.org
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9181 >

The function verify_mic_v3() in src/lib/gssapi/krb5/verify_mic.c
calls kg_verify_checksum_v3() as if it returns an OM_uint32 status,
but kg_verify_checksum_v3() returns a krb5_boolean, which has
the opposite interpretation:

- OM_uint32 0 is GSS_S_COMPLETE, so no error
- krb5_boolean 0 is false, so failure

There are at least two ways to fix this:

- modify the verify_mic_v3() body
- modify kg_verify_checksum_v3() to return an OM_uint32 and update the other
  call in unwrap_v3() in src/lib/gssapi/krb5/unwrap.c

Regards

Francis Dupont <fdupont@isc.org>

PS: this bug breaks unit tests checking the GSS_C_INTEG_FLAG of a GSS TSIG
code on FreeBSD and macOS, two systems where 1.22 was installed.
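
The convention mismatch described in the report, as an added stand-alone C example; it is not code from krb5 or from the reporter. The types and constants are local stand-ins, and toy_mic(), checksum_ok(), verify_confused(), verify_mapped() and caller_is_sound() are hypothetical names. It shows why a regression check needs both a good and a corrupted input to catch a boolean returned as a status.

```c
#include <stddef.h>
#include <stdint.h>

/* Local stand-ins so the example builds without krb5/GSS-API headers. */
typedef uint32_t OM_uint32;
typedef unsigned int krb5_boolean;
#define GSS_S_COMPLETE 0u                      /* success, as stated in the report */
#define GSS_S_BAD_SIG  ((OM_uint32)6u << 16)   /* routine error 6 from RFC 2744 */

/* Toy, non-cryptographic checksum (FNV-1a), only to have something to verify. */
static uint32_t toy_mic(const unsigned char *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++)
        h = (h ^ msg[i]) * 16777619u;
    return h;
}

/* Boolean convention: nonzero means the checksum matched. */
static krb5_boolean checksum_ok(const unsigned char *msg, size_t len, uint32_t mic)
{
    return toy_mic(msg, len) == mic;
}

/* Defect pattern: boolean result returned unchanged as a status code. */
OM_uint32 verify_confused(const unsigned char *msg, size_t len, uint32_t mic)
{
    return checksum_ok(msg, len, mic);
}

/* Corrected pattern: explicit translation between the two conventions. */
OM_uint32 verify_mapped(const unsigned char *msg, size_t len, uint32_t mic)
{
    return checksum_ok(msg, len, mic) ? GSS_S_COMPLETE : GSS_S_BAD_SIG;
}

/* Regression check: 1 only if good input succeeds and corrupted input fails. */
int caller_is_sound(OM_uint32 (*verify)(const unsigned char *, size_t, uint32_t))
{
    const unsigned char msg[] = "constructed sample message";
    uint32_t mic = toy_mic(msg, sizeof(msg) - 1);
    return verify(msg, sizeof(msg) - 1, mic) == GSS_S_COMPLETE &&
           verify(msg, sizeof(msg) - 1, mic ^ 1u) != GSS_S_COMPLETE;
}

int main(void)
{
    return caller_is_sound(verify_mapped) && !caller_is_sound(verify_confused) ? 0 : 1;
}
```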