[15951] in Kerberos_V5_Development


Re: krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Jul 1 09:38:35 2010

Message-ID: <4C2C9A55.4010305@anl.gov>
Date: Thu, 01 Jul 2010 08:38:29 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Luke Howard <lukeh@padl.com>
In-Reply-To: <E65B180F-090D-4FC2-8FD5-8E9FE147511E@padl.com>
Cc: "'krbdev@mit.edu'" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu



On 7/1/2010 6:25 AM, Luke Howard wrote:
> Does it fail with KRB5_BAD_ENCTYPE? We can change krb5_rd_req_decoded_opt() to try all the keys in the keytab if krb5int_authdata_verify() fails with the key that decrypted the ticket.
>

Yes, it fails in the inlined verify_key function in chsumtypes.h:

     133      ktp = key ? find_enctype(key->keyblock.enctype) : NULL;
     134      if (ctp->enc != NULL && (!ktp || ktp->enc != ctp->enc))
     135          return KRB5_BAD_ENCTYPE;

called from  krb5_c_verify_checksum
  k5_pac_verify_server_checksum
  krb5_pac_verify
  mspac_verify
  krb5int_authdata_verify

(That's all the stack I saved. I can run gdb again if needed.)

> -- Luke
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
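
Added example, not part of the original message and not MIT krb5 code: a simplified C model of the enctype check quoted above and of the keytab fallback proposed in the quoted reply. All type, function and constant names, and the sample keytab, are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model with hypothetical names; not MIT krb5's structures. */
enum enc_provider { ENC_NONE, ENC_RC4, ENC_AES256 };
enum { MODEL_OK = 0, MODEL_BAD_ENCTYPE = 1 };

struct model_key { int kvno; enum enc_provider enc; };
struct model_cksumtype { const char *name; enum enc_provider enc; };

/* Same shape as the quoted check: a checksum type bound to a cipher
 * rejects a missing key or a key whose enctype uses another cipher. */
int verify_key_model(const struct model_cksumtype *ctp,
                     const struct model_key *key)
{
    if (ctp->enc != ENC_NONE && (key == NULL || key->enc != ctp->enc))
        return MODEL_BAD_ENCTYPE;
    return MODEL_OK;
}

/* Fallback suggested in the quoted reply: when the ticket key is rejected,
 * try the other keytab entries. Returns the index of the usable key, or -1.
 * Only enctype compatibility is modelled; a real verifier must still
 * compute and compare the keyed checksum with the key it selects. */
int select_pac_key(const struct model_cksumtype *ctp,
                   const struct model_key *keytab, size_t n, size_t ticket_idx)
{
    if (verify_key_model(ctp, &keytab[ticket_idx]) == MODEL_OK)
        return (int)ticket_idx;
    for (size_t i = 0; i < n; i++)
        if (verify_key_model(ctp, &keytab[i]) == MODEL_OK)
            return (int)i;
    return -1;
}

/* Constructed sample data: a keytab holding an RC4 and an AES256 key, and
 * a PAC server checksum whose type is bound to AES256. */
const struct model_key sample_keytab[] = { {1, ENC_RC4}, {1, ENC_AES256} };
const struct model_cksumtype sample_pac_cksum = { "aes256-bound", ENC_AES256 };

int main(void)
{
    printf("ticket key alone: %d\n",
           verify_key_model(&sample_pac_cksum, &sample_keytab[0]));
    printf("fallback picks keytab index: %d\n",
           select_pac_key(&sample_pac_cksum, sample_keytab, 2, 0));
    return 0;
}
```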
