From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: trunk a86e885 does not deal with default salt
Date: Wed, 07 Mar 2012 16:38:44 -0500
CC: kevin.wasserman@painless-security.com

I have a 1.10 KDC and a principal configured as follows:

    Key: vno 3, aes256-cts-hmac-sha1-96, no salt
    Key: vno 3, des3-cbc-sha1, no salt
    Key: vno 3, des-cbc-crc, no salt
    Key: vno 3, des-cbc-md5, Version 4
    Key: vno 3, des-cbc-md5, Version 5 - No Realm
    Key: vno 3, des-cbc-md5, Version 5 - Realm Only
    Key: vno 3, des-cbc-md5, AFS version 3

We get a decrypt integrity check failure because the salt is empty
(data 0 length 0) rather than being the default salt.

My guess is that the new ASN.1 decoder fails to distinguish an absent
salt sequence in etype_info2 from a v4 style present but empty octet
string sequence.

I'm not at all sure why regression tests don't catch this.
However, setting an onlyrealm salt does seem to fix this.
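
Added example (not part of the original message and not MIT krb5 code): a minimal C sketch of the distinction the report describes, telling an absent salt field in an ETYPE-INFO2-ENTRY, for which RFC 4120 says the default salt applies, apart from a salt that is present with zero length. The names `select_salt`, `NO_SALT` and `EMPTY_SALT`, the sample bytes and the default-salt string passed in by the caller are constructed for illustration; only short-form DER lengths are handled.

```c
#include <stddef.h>
#include <string.h>

enum salt_state { SALT_ERROR = -1, SALT_ABSENT, SALT_PRESENT };

/* Constructed samples, etype 18 (aes256-cts-hmac-sha1-96). */
const unsigned char NO_SALT[] = {0x30,0x05, 0xA0,0x03,0x02,0x01,0x12};
const unsigned char EMPTY_SALT[] = {0x30,0x09, 0xA0,0x03,0x02,0x01,0x12,
                                    0xA1,0x02,0x1B,0x00};

/* Read one DER header; short-form lengths only (assumption for brevity). */
static int tlv(const unsigned char **p, const unsigned char *end,
               unsigned char *tag, size_t *len)
{
    if (end - *p < 2 || ((*p)[1] & 0x80))
        return -1;
    *tag = (*p)[0];
    *len = (*p)[1];
    *p += 2;
    return (size_t)(end - *p) < *len ? -1 : 0;
}

/* Pick the string-to-key salt for one ETYPE-INFO2-ENTRY: the caller's
 * default salt when salt [1] is absent, the wire bytes when it is present.
 * On SALT_ERROR the outputs must not be used. */
enum salt_state select_salt(const unsigned char *der, size_t n, const char *dflt,
                            const unsigned char **salt, size_t *salt_len)
{
    const unsigned char *p = der, *end = der + n;
    unsigned char tag;
    size_t len;

    *salt = (const unsigned char *)dflt; *salt_len = strlen(dflt);
    if (tlv(&p, end, &tag, &len) || tag != 0x30)   /* SEQUENCE */
        return SALT_ERROR;
    end = p + len;
    if (tlv(&p, end, &tag, &len) || tag != 0xA0)   /* etype [0] */
        return SALT_ERROR;
    p += len;
    if (p == end)                                  /* nothing after etype */
        return SALT_ABSENT;
    if (tlv(&p, end, &tag, &len))
        return SALT_ERROR;
    if (tag != 0xA1)                               /* next field is not salt [1] */
        return SALT_ABSENT;
    end = p + len;
    if (tlv(&p, end, &tag, &len) || tag != 0x1B)   /* GeneralString */
        return SALT_ERROR;
    *salt = p; *salt_len = len;                    /* length 0 is still "present" */
    return SALT_PRESENT;
}
```

A decoder that reports both sample entries as a zero-length salt leaves the caller unable to choose the default salt for the first one, which matches the "data 0 length 0" symptom in the report.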