[17049] in Kerberos_V5_Development
Re: Multiple ETYPE-INFO-ENTRY with same etype but different salts
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Jul 19 09:28:31 2011
From: Greg Hudson <ghudson@mit.edu>
To: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <4E24DE7E.7060407@oracle.com>
Date: Tue, 19 Jul 2011 09:28:25 -0400
Message-ID: <1311082105.23877.78.camel@t410>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
On Mon, 2011-07-18 at 21:31 -0400, Weijun Wang wrote:
> >> 3. The other 2 entries have salt missing or empty, so the default salt
> >> should be used
> >
> > An empty salt is like any other explicit salt. Do not use the default
> > salt if you see an empty one.
>
> ETYPE-INFO2 is:
>
> SEQUENCE
>   SEQUENCE
>     [0] INTEGER 1
>   SEQUENCE
>     [0] INTEGER 1
>     [1] STRING ""
>   SEQUENCE
>     [0] INTEGER 1
>     [1] STRING "UFL.EDU"
>     [2] OCTET STRING 0000: 01

Okay, so yes, in the actual scenario you'd probably use the default
salt, because the first entry (which is just as good as the other
entries) doesn't supply a salt. That entry corresponds to the
des-cbc-md5:normal entry in supported_enctypes.

I just wanted to be clear that if, for whatever reason, the code decided
to go with an entry that looked like the second entry (which comes from
the des-cbc-crc:v4 entry in supported_enctypes), it would want to use a
zero-length salt rather than the default salt.
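
The absent-versus-empty salt rule from this message, as an added C sketch that is not part of the original thread and is not MIT krb5 code. The struct and function names are hypothetical, the principal name "alice" is constructed, s2kparams is left out, and the default salt is built as in RFC 4120 (realm followed by the name components, no separators).

```c
#include <string.h>

/* One ETYPE-INFO2-ENTRY. salt == NULL means the optional field was
 * absent; salt == "" means it was present with zero length. */
struct etype_info2_entry {
    int etype;
    const char *salt;
};

/* Sample data: the three entries quoted in the message (s2kparams omitted).
 * The principal name "alice" is constructed for illustration. */
static const struct etype_info2_entry sample[] = {
    { 1, NULL }, { 1, "" }, { 1, "UFL.EDU" },
};
static const char *const sample_comps[] = { "alice" };

/* Default salt: realm, then each principal name component, concatenated.
 * Returns 0 on success, -1 if the result does not fit in out. */
static int default_salt(const char *realm, const char *const *comps,
                        size_t ncomps, char *out, size_t outlen)
{
    size_t used = strlen(realm);
    if (used >= outlen) return -1;
    memcpy(out, realm, used + 1);
    for (size_t i = 0; i < ncomps; i++) {
        size_t n = strlen(comps[i]);
        if (used + n >= outlen) return -1;
        memcpy(out + used, comps[i], n + 1);
        used += n;
    }
    return 0;
}

/* Take the first entry with a matching etype. Only a missing salt field
 * selects the default salt. Returns the entry index, or -1 on failure. */
int select_salt(const struct etype_info2_entry *e, size_t n, int etype,
                const char *realm, const char *const *comps, size_t ncomps,
                char *out, size_t outlen)
{
    for (size_t i = 0; i < n; i++) {
        if (e[i].etype != etype) continue;
        if (e[i].salt == NULL)      /* absent: default salt */
            return default_salt(realm, comps, ncomps, out, outlen) ? -1 : (int)i;
        if (strlen(e[i].salt) >= outlen) return -1;
        strcpy(out, e[i].salt);     /* explicit salt, including "" */
        return (int)i;
    }
    return -1;
}
```

Testing `salt[0] == '\0'` or `strlen(salt) == 0` to decide whether to fall back would treat the second entry like the first, which is the mistake the message warns about.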