[39521] in Kerberos
Re: GSS unwrap fails using RC4 session key instead of subkey
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed May 7 17:59:57 2025
Message-ID: <ab72df03-6661-4eaf-90f7-eac59420b9f2@mit.edu>
Date: Wed, 7 May 2025 17:59:21 -0400
MIME-Version: 1.0
To: Michael B Allen <ioplex@gmail.com>, kerberos <kerberos@mit.edu>
Content-Language: en-US
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <CAGMFw4h2LAOk0qLXkf0mg8yWTZNdXTHZgBcC2Lpupj=UX+fJ_g@mail.gmail.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
On 5/7/25 13:36, Michael B Allen wrote:
> Where does the MITK initiator select the session key vs the subkey?
RC4 is a "not newer" enctype, so krb5_gss_wrap() calls
make_seal_token_v1() with enc=ctx->enc.
ctx->enc is set up by kg_setup_keys() called at init_sec_context time.
It is called first unconditionally in kg_new_connection(), with the
initiator's subkey as set by krb5_mk_req_extended(). It may be called
again by mutual_auth() with the acceptor's subkey, but only if:
* Mutual authentication is performed
* The AP-REP EncAPRepPart included an acceptor subkey
* The RFC 4121 message format is used (not for RC4), OR
DCE-style authencation is in use, OR
the acceptor subkey has a different enctype from the initiator subkey
> Bonus question: Is there a trick to getting gdb to work with gss-client
> -pass?
I haven't needed any trick. Using the test suite, I can run (from the
top level of a build tree):
cd appl/gss-sample
PYTHONPATH=../../../src/util python3
../../../src/appl/gss-sample/t_gss_sample.py
# Open testlog in a text editor and search for "arcfour"
# from there, search for "-pass" and note the command number
# for me right now that is 156, but there have been some recent
# changes to the test script
PYTHONPATH=../../../src/util python3
../../../src/appl/gss-sample/t_gss_sample.py -v --debug=156
(gdb) break krb5_gss_wrap
(gdb) run
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
