[3421] in Kerberos
Incompatibility found: MIT KV5 beta 3 and OV GSS-API
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Thu Jun 16 13:35:39 1994
Date: Thu, 16 Jun 94 11:20:46 EDT
From: "Barry Jaspan" <bjaspan@cam.ov.com>
To: kerberos@MIT.EDU
Last night, a minor mistake was discovered in MIT Kerberos V5 beta 3
that prevents most of OpenVision's GSS-API implementation from
working. If you have not tried to use GSS-API, this bug has probably
not affected you.
The bug makes the functions gss_sign, gss_verify, gss_seal, and
gss_unseal (and possibly others) fail with the error "decrypt
integrity check failed." gss_init_sec_context and
gss_accept_sec_context function properly, however.
Specifically, lib/crypto/cryptoconf.c line 91 defines
RAW_DES_CBC_CSENTRY to be &krb5_des_cst_entry when it should be
&krb5_raw_des_cst_entry. The non-raw encryption functions include
additional information in the output that was overwriting a buffer and
therefore messing up the checksum of the encrypted data (hence the
integrity check failure). We did not detect this problem earlier
because we had already fixed that particular bug in our local copy of
the Kerberos sources.
This bug is fixed in MIT Kerberos V5 beta 4. To fix it in MIT
Kerberos V5 beta 3, apply the following patch:
*** lib/crypto/cryptoconf.c Thu Jan 13 17:54:45 1994
--- /tmp/cryptoconf.c Thu Jun 16 11:12:58 1994
***************
*** 88,94 ****
#include <krb5/mit-des.h>
#define _DES_DONE__
#endif
! #define RAW_DES_CBC_CSENTRY &krb5_des_cst_entry
#else
#define RAW_DES_CBC_CSENTRY 0
#endif
--- 88,94 ----
#include <krb5/mit-des.h>
#define _DES_DONE__
#endif
! #define RAW_DES_CBC_CSENTRY &krb5_raw_des_cst_entry
#else
#define RAW_DES_CBC_CSENTRY 0
#endif
We apologize for any difficulty you have encountered as a result of
this bug.
Barry Jaspan, bjaspan@cam.ov.com
OpenVision Technologies, Inc.
