Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3) with ESMTP id OAA20022; Tue, 2 Sep 2003 14:12:05 -0400 (EDT)
Received: from nwkea-mail-1.sun.com (nwkea-mail-1.sun.com [192.18.42.13]) by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id h82IC3Vn013348 for ; Tue, 2 Sep 2003 14:12:03 -0400 (EDT)
Received: from phys-giza-1 ([129.147.4.102]) by nwkea-mail-1.sun.com (8.12.9/8.12.9) with ESMTP id h82IC0Oq022001 for ; Tue, 2 Sep 2003 11:12:00 -0700 (PDT)
Received: from spock (vpn-129-147-153-106.Central.Sun.COM [129.147.153.106]) by giza-mail1.Central.Sun.COM (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with SMTP id <0HKL00D7RMJYQN@giza-mail1.Central.Sun.COM> for krb5-bugs@mit.edu; Tue, 02 Sep 2003 12:12:00 -0600 (MDT)
Date: Tue, 02 Sep 2003 12:12:02 -0600 (MDT)
From: Shawn Emery
Subject: Exact match enctype
To: krb5-bugs@mit.edu
Cc: Shawn.Emery@Sun.COM
Reply-To: Shawn Emery
Message-Id: <0HKL00D7SMJZQN@giza-mail1.Central.Sun.COM>
MIME-Version: 1.0
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.5.3_06 SunOS 5.9 sun4u sparc
Content-Type: TEXT/plain; charset=us-ascii
Content-Md5: z1uMAhGWhLQ8wUPCeQZ3BQ==
X-RT-Original-Encoding: us-ascii
Content-Length: 1246

krbv5,

I'm currently in the Solaris security group at Sun and found an issue when using our Solaris 9+ client with an MS AD server. I've checked the 1.3.1 source tree and discovered that it also has this issue. I found the problem to be that an exact match is performed between the enctype in the response and the enctype in the keytab file. In actuality a "similar" match should be performed when checking for encryption types.

We've integrated this change into our source tree and I'm just checking to see if you would be interested in the diffs for this.
krb5-1.3.1/src/lib/krb5/krb/rd_req_dec.c: *** 77,86 **** --- 77,93 ---- if ((retval = krb5_kt_get_entry(context, keytab, req->ticket->server, req->ticket->enc_part.kvno, enctype, &ktent))) return retval; + /* + * If we get this far then we know that the enc types are similar, + * therefore we should change the enc type to match that of what + * we are decrypting. + */ + ktent.key.enctype = enctype; + retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket); /* Upon error, Free keytab entry first, then return */ (void) krb5_kt_free_entry(context, &ktent); return retval; Shawn. --
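Review bot: The added comment in the rd_req_dec.c hunk asserts "we know that the enc types are similar", but nothing in this hunk establishes that: the only guarantee comes from whatever matching krb5_kt_get_entry performs when it is handed `enctype`, and that lookup is not part of the diff. If the keytab backend ever returns an entry under a looser rule (for example a wildcard enctype), the unconditional `ktent.key.enctype = enctype;` would relabel a key for an unrelated algorithm and hand it to krb5_decrypt_tkt_part. Suggest making the precondition explicit before the assignment, e.g. calling krb5_c_enctype_compare on `ktent.key.enctype` and `enctype` and returning an error (after krb5_kt_free_entry) when they are not similar, and stating in the comment which keytab lookup behaviour the overwrite relies on. Also worth noting in the comment why overwriting the enctype is safe for similar types (same key material, different checksum/encoding), since that is the whole justification for the change.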