[15951] in Kerberos_V5_Development
Re: krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Jul 1 09:38:35 2010
Message-ID: <4C2C9A55.4010305@anl.gov>
Date: Thu, 01 Jul 2010 08:38:29 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: Luke Howard <lukeh@padl.com>
In-Reply-To: <E65B180F-090D-4FC2-8FD5-8E9FE147511E@padl.com>
Cc: "'krbdev@mit.edu'" <krbdev@mit.edu>
On 7/1/2010 6:25 AM, Luke Howard wrote:
> Does it fail with KRB5_BAD_ENCTYPE? We can change krb5_rd_req_decoded_opt() to try all the keys in the keytab if krb5int_authdata_verify() fails with the key that decrypted the ticket.
>
Yes, it fails in the inlined verify_key function in chsumtypes.h:
    ktp = key ? find_enctype(key->keyblock.enctype) : NULL;
    if (ctp->enc != NULL && (!ktp || ktp->enc != ctp->enc))
        return KRB5_BAD_ENCTYPE;
called from
    krb5_c_verify_checksum
    k5_pac_verify_server_checksum
    krb5_pac_verify
    mspac_verify
    krb5int_authdata_verify
(That's all the stack I saved. I can run gdb again if needed.)
> -- Luke
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
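
Added example, not part of the original message and not MIT krb5 code: a simplified C model of the enctype compatibility test quoted above, together with the keytab fallback proposed in the quoted reply. Only find_enctype, verify_key and the if-test come from the message; the structs, tables, enctype numbers and pick_checksum_key are constructed for illustration, and the model covers key selection only, not the cryptographic checksum verification itself.

```c
#include <stddef.h>

/* Simplified model, not MIT krb5 source: only find_enctype, verify_key and
 * the if-test come from the message; all other names and values are constructed. */
enum { MODEL_OK = 0, MODEL_BAD_ENCTYPE = 1 }; /* stand-in for KRB5_BAD_ENCTYPE */

struct enc_provider { const char *name; };
struct enctype_entry { int etype; const struct enc_provider *enc; };
struct cksumtype_entry { int ctype; const struct enc_provider *enc; };
struct model_key { int enctype; };

static const struct enc_provider enc_a = { "cipher-A" }, enc_b = { "cipher-B" };
static const struct enctype_entry enctypes[] = { { 1, &enc_a }, { 2, &enc_b } };
static const struct cksumtype_entry cksum_b = { 20, &enc_b };   /* bound to cipher-B */
static const struct cksumtype_entry cksum_plain = { 30, NULL }; /* no cipher bound */
/* Constructed keytab: the service principal holds one key per enctype. */
static const struct model_key keytab[] = { { 1 }, { 2 } };

static const struct enctype_entry *find_enctype(int etype)
{
    for (size_t i = 0; i < sizeof(enctypes) / sizeof(enctypes[0]); i++)
        if (enctypes[i].etype == etype)
            return &enctypes[i];
    return NULL;
}

/* The compatibility test quoted in the message: a checksum type bound to a
 * cipher rejects any key whose enctype uses a different cipher. */
static int verify_key(const struct cksumtype_entry *ctp, const struct model_key *key)
{
    const struct enctype_entry *ktp = key ? find_enctype(key->enctype) : NULL;
    if (ctp->enc != NULL && (!ktp || ktp->enc != ctp->enc))
        return MODEL_BAD_ENCTYPE;
    return MODEL_OK;
}

/* Proposed fallback: try the key that decrypted the ticket first, then the
 * other keytab keys. Returns the index of the first usable key, or -1. */
static int pick_checksum_key(const struct cksumtype_entry *ctp,
                             const struct model_key *kt, size_t n, size_t ticket_idx)
{
    if (ticket_idx < n && verify_key(ctp, &kt[ticket_idx]) == MODEL_OK)
        return (int)ticket_idx;
    for (size_t i = 0; i < n; i++)
        if (i != ticket_idx && verify_key(ctp, &kt[i]) == MODEL_OK)
            return (int)i;
    return -1;
}
```

A key returned by pick_checksum_key has only passed the enctype test; the checksum still has to verify under that key before the authorization data is trusted.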