[3556] in Kerberos-V5-bugs


[krbdev.mit.edu #1229] [Wyllys Ingersoll ] keytab file entry comparison problem

daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Sat Oct 26 20:06:18 2002

Message-Id: <rt-1229-3229.8.66251775975755@krbdev.mit.edu>
In-Reply-To: <rt-1229@krbdev.mit.edu>
From: "Sam Hartman via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Sat, 26 Oct 2002 20:05:41 -0400 (EDT)


Message-ID: <3D984C97.6060307@sun.com>
From: Wyllys Ingersoll <wyllys.ingersoll@sun.com>
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.1) Gecko/20020827
X-Accept-Language: en-us, en
To: krbdev@mit.edu, krb5-bugs@mit.edu
Subject: keytab file entry comparison problem
X-Original-Date: Mon, 30 Sep 2002 09:07:35 -0400
Date: Mon, 30 Sep 2002 09:07:35 -0400


In ktf_g_enc.c, the code does a loop where it reads entries
from the keytab file and compares to match up with
a specified principal, kvno, and enctype.

routine: krb5_ktfile_get_entry()

I have a situation where my keytab file contains keys
for the local host from 3 different realms.  One of my
realms does not have 3DES key support but the others
do.

When trying to find a match for the realm which does NOT
support 3DES keys, this function always returns a
"bad encryption type" error because keys from the *other*
realms have 3DES keys. The problem is that this routine
checks the enctype before it checks to see if the principals or
realms match. I think this is incorrect: if the key we are searching
for is in realm FOO.COM (enctype 1), and the search
routine comes across an entry for BAR.COM (enctype 16),
it should not even bother looking at the enctype because this
key is not of interest.

The fix is to compare principals before comparing enctypes.

See below (I just moved the principal compare function ahead of the
enctype comparison):

ktf_g_ent.c
69a70,76
 > 	/* if the principal isn't the one requested, free new_entry
 > 	   and continue to the next. */
 > 	if (!krb5_principal_compare(context, principal, new_entry.principal)) {
 > 	    krb5_kt_free_entry(context, &new_entry);
 > 	    continue;
 > 	}
 >
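Review bot: The check inserted after old line 69 arrives as a context-free normal diff, so the patch itself does not show that new_entry has been completely read at that point or what the check now sits in front of; please resend as a unified diff (diff -u) against a named revision. The header also names ktf_g_ent.c while the description says ktf_g_enc.c, so give the full path. The check does free new_entry before the continue, which is what an early skip needs.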
72d78
<
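Review bot: The deletion at old line 72 removes only a blank line and is unrelated to the reordering; drop it so the patch is limited to moving the principal check.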
95,102d100
< 	/* if the principal isn't the one requested, free new_entry
< 	   and continue to the next. */
<
< 	if (!krb5_principal_compare(context, principal, new_entry.principal)) {
< 	    krb5_kt_free_entry(context, &new_entry);
< 	    continue;
< 	}
<
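Review bot: Nothing in the patch exercises the new order once the block at old lines 95-102 is removed. Add a regression case with a keytab that holds the same host principal in several realms with different enctypes, and assert that a lookup for the realm without 3DES keys returns its key rather than the bad encryption type error.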

-Wyllys Ingersoll
   Sun Microsystems, Inc
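
The ordering problem described in the report, as an added example that is not part of the original message and is not MIT krb5 code: a constructed keytab is scanned once with the enctype check first and once with the principal check first. The entry layout, kt_lookup, enctype_compare, the principal names and the rule that an unknown enctype aborts the scan are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a keytab scan; not MIT krb5 code. */
enum { KT_OK = 0, KT_NOTFOUND = 1, KT_BAD_ENCTYPE = 2 };
enum { ENC_DES = 1, ENC_3DES = 16 };   /* enctype numbers as quoted in the report */

struct kt_entry { const char *principal; int kvno; int enctype; };

/* Constructed sample: the same host keyed in three realms. */
static const struct kt_entry sample_keytab[] = {
    { "host/h.example@BAR.COM", 3, ENC_3DES },
    { "host/h.example@FOO.COM", 2, ENC_DES  },
    { "host/h.example@BAZ.COM", 5, ENC_3DES },
};

/* Assumption: this build only knows DES, and comparing against an
   enctype it does not know is an error rather than "no match". */
static int enctype_compare(int want, int have, int *similar)
{
    if (have != ENC_DES)
        return KT_BAD_ENCTYPE;
    *similar = (want == have);
    return KT_OK;
}

/* Scan every entry and keep the highest matching kvno.
   principal_first = 0: order described in the report (enctype, then principal).
   principal_first = 1: order after the proposed fix. */
int kt_lookup(const struct kt_entry *kt, size_t n, const char *principal,
              int enctype, int principal_first, int *kvno_out)
{
    int found = 0, similar = 0, err;
    for (size_t i = 0; i < n; i++) {
        int same = strcmp(kt[i].principal, principal) == 0;
        if (principal_first && !same)
            continue;              /* foreign entry: enctype never inspected */
        if ((err = enctype_compare(enctype, kt[i].enctype, &similar)) != KT_OK)
            return err;            /* one foreign 3DES key aborts the whole scan */
        if (!similar || !same)
            continue;
        if (!found || kt[i].kvno > *kvno_out)
            *kvno_out = kt[i].kvno;
        found = 1;
    }
    return found ? KT_OK : KT_NOTFOUND;
}

int main(void) { int k = 0; const char *p = "host/h.example@FOO.COM";
    printf("enctype first: %d\n", kt_lookup(sample_keytab, 3, p, ENC_DES, 0, &k));
    printf("principal first: %d\n", kt_lookup(sample_keytab, 3, p, ENC_DES, 1, &k));
    return 0; }
```
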



