[1858] in Kerberos-V5-bugs

Re: k5 gss doesn't conform to spec

daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Apr 2 11:54:15 1996

Date: Tue, 2 Apr 1996 10:53:48 -0600
From: Doug Engert <DEEngert@anl.gov>
To: "Theodore Ts'o" <tytso@MIT.EDU>
Cc: "Richard Basch" <basch@lehman.com>, krb5-bugs@MIT.EDU,
        John Linn <linn@cam.ov.com>, mullan_s@apollo.hp.com (Sean Mullan),
        Rich Salz <rsalz@osf.org>
In-Reply-To: <9603291732.AA18399@dcl.MIT.EDU>

Theodore Ts'o writes:
 >    Date: Fri, 29 Mar 1996 02:10:49 -0500
 >    From: "Richard Basch" <basch@lehman.com>
 > 
 >    1.2.2.1 Checksum
 > 
 >      DES MAC MD5 algorithm ... A standard 64-bit DES-CBC MAC is computed per
 >      [FIPS PUB 113], employing the context key and a zero IV.
 > 
 >    If you follow the checksum logic, it uses the key as the IV.
 > 
 > Thanks for noticing this.  A quick check through our sources indicates
 > that GSSAPI is the only thing that is using CKSUMTYPE_DESCBC. 
 > 
 > The only question, though, is whether anything else used to use that
 > cksumtype.  My main concern at this point is old OSF/DCE
 > implementations.  If someone has any information on that score, I'd
 > appreciate hearing about it.

Ted, 

I got your voice mail on this subject, sorry, I was not in the
office. The changes I had to add to K5.6 to get it to work with DCE
were to use CKSUMTYPE_RSA_MD4 rather than CKSUMTYPE_RSA_MD5 as the
default. I do NOT have the OSF source (yet) to check if the
CKSUMTYPE_DESCBC is used at all. 

If you have a mod you would like me to try, I can test to see if I can
still get tickets, forward them and get a DCE context.

Is it as simple as replacing the two calls to 
mit_des_cbc_cksum(in, contents, in_length, schedule, key); with 
mit_des_cbc_cksum(in, contents, in_length, schedule, 0); 
in /lib/crypto/des/cbc_cksum.c ?

Or is there some trap to install to make sure it is not using the
CKSUMTYPE_DESCBC? 

I also forward this on to mullan_s@apollo.hp.com (Sean Mullan)
and Rich Salz <rsalz@osf.org> who have access to the source. 

           Douglas E. Engert 
           Systems Programming
           Argonne National Laboratory
           9700 South Cass Avenue
           Argonne, Illinois  60439 
           (708) 252-5444

           Internet: DEEngert@anl.gov
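
Added example (not part of the message above and not MIT krb5 code): a CBC-MAC with the IV as a parameter, showing that the zero-IV checksum required by the quoted spec text and a key-as-IV checksum cannot agree for a nonzero key, and that using the key as IV is the same as XORing the key into the first block under a zero IV. A toy Feistel permutation stands in for DES; `toy_encrypt`, `cbc_mac`, `key_iv_is_prewhitening`, the key and the message are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy 64-bit Feistel permutation standing in for DES. It is NOT DES and is
 * not secure; only the CBC chaining and the IV choice matter here. */
static uint64_t toy_encrypt(uint64_t key, uint64_t block) {
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 0; i < 8; i++) {
        uint32_t k = (uint32_t)(key >> (8 * (i % 4))) + 0x9e3779b9u * (uint32_t)(i + 1);
        uint32_t f = (r ^ k) * 0x85ebca6bu;
        uint32_t t = l ^ f ^ (f >> 15);
        l = r;
        r = t;
    }
    return ((uint64_t)l << 32) | r;
}

/* Load up to 8 bytes big-endian, zero-padding a short final block. */
static uint64_t load_block(const unsigned char *p, size_t n) {
    uint64_t b = 0;
    for (size_t i = 0; i < 8; i++)
        b = (b << 8) | (i < n ? p[i] : 0);
    return b;
}

/* CBC-MAC: XOR each block into the chain, encrypt, keep the last output. */
uint64_t cbc_mac(uint64_t key, uint64_t iv, const unsigned char *msg, size_t len) {
    uint64_t chain = iv;
    for (size_t off = 0; off < len; off += 8)
        chain = toy_encrypt(key, chain ^ load_block(msg + off, len - off < 8 ? len - off : 8));
    return chain;
}

/* 1 if key-as-IV equals zero-IV over msg with the key XORed into block one. */
int key_iv_is_prewhitening(uint64_t key, const unsigned char *msg, size_t len) {
    unsigned char tmp[64];
    if (len < 8 || len > sizeof tmp) return -1;
    memcpy(tmp, msg, len);
    for (int i = 0; i < 8; i++) tmp[i] ^= (unsigned char)(key >> (56 - 8 * i));
    return cbc_mac(key, key, msg, len) == cbc_mac(key, 0, tmp, len);
}

int main(void) {
    static const unsigned char msg[] = "constructed sample token"; /* not real data */
    uint64_t key = 0x0123456789abcdefULL;                          /* constructed key */
    printf("zero IV (spec): %016llx\n", (unsigned long long)cbc_mac(key, 0, msg, sizeof msg - 1));
    printf("key as IV:      %016llx\n", (unsigned long long)cbc_mac(key, key, msg, sizeof msg - 1));
    return 0;
}
```

Because the block cipher is a permutation, the two chains differ after the first block and stay different, so a peer computing the checksum per the spec rejects every token from a key-as-IV implementation.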


