[OpenAFS] Heimdal KDC bug mentioned in rekeying document

Derrick Brashear shadow@gmail.com
Fri, 26 Jul 2013 16:15:14 -0400


On Fri, Jul 26, 2013 at 7:33 AM, Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:

> * Ragnar Sundblad [2013-07-26 13:01:00 +0200]:
> > >> I believe you should change the test to also check that ret_key == NULL:
> > >>        if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL && ret_key == NULL) {
> > >>            enctype = clientbest;
> > >>            ret = 0;
> > >>    }
> > >> since if there is no common key-type, key will be NULL, and the later
> > >>        if (ret == 0 && ret_key != NULL)
> > >>            *ret_key = key;
> > >> will return a NULL pointer.
> > >
> > > Yes, good point.
> >
> > (Please double check that this is correct, I haven't tried it, only read it. :-)
>
> I'm compiling my next (and hopefully final) iteration right now.
> I went for this variant:
>         if (clientbest != (krb5_enctype)ETYPE_NULL &&
>             enctype == (krb5_enctype)ETYPE_NULL) {
>             enctype = clientbest;
>             if (ret_key == NULL)
>                 ret = 0;
>         }
>
This plus
[kdc]svc-use-strongest-session-key=true

Works.

-- 
Derrick
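
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Heimdal source: a simplified model comparing the test without the ret_key check (the earlier form the thread implies) with the two proposed variants. The types, the matching loop, `E_NOSUPP`, `probe` and the sample enctype numbers are assumptions made for illustration.

```c
/* Simplified model of the check discussed in this thread; NOT Heimdal source.
 * Types, the matching loop and E_NOSUPP are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#define ETYPE_NULL 0
#define E_NOSUPP (-1)                 /* stand-in for the KDC's error code */
typedef struct { int etype; } model_key;
enum variant { UNGUARDED, RAGNAR, SERGIO };

/* ret_key == NULL means the caller wants only an enctype, not a key. */
static int find_etype(enum variant v, const int *client, size_t nc,
                      const model_key *keys, size_t nk,
                      int *ret_enctype, const model_key **ret_key)
{
    int ret = E_NOSUPP, enctype = ETYPE_NULL, clientbest = ETYPE_NULL;
    const model_key *key = NULL;
    for (size_t i = 0; i < nc && key == NULL; i++) {
        if (clientbest == ETYPE_NULL) clientbest = client[i]; /* assumed */
        for (size_t j = 0; j < nk && key == NULL; j++)
            if (keys[j].etype == client[i]) {
                key = &keys[j]; enctype = client[i]; ret = 0;
            }
    }
    /* No common key type: fall back to the client's best enctype. */
    if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL) {
        if (v != RAGNAR || ret_key == NULL) enctype = clientbest;
        if (v == UNGUARDED || ret_key == NULL) ret = 0;
    }
    if (ret == 0 && ret_enctype != NULL) *ret_enctype = enctype;
    if (ret == 0 && ret_key != NULL) *ret_key = key;  /* key may be NULL */
    return ret;
}

/* Constructed input: client offers 18 and 17, the principal only has 23. */
static const int offered[] = { 18, 17 };
static const model_key svc_keys[] = { { 23 } };

/* Returns ret, or 1 when ret == 0 but the key handed back is NULL. */
static int probe(enum variant v, int want_key)
{
    const model_key *k = &svc_keys[0];
    int e = ETYPE_NULL;
    int ret = find_etype(v, offered, 2, svc_keys, 1, &e, want_key ? &k : NULL);
    return (ret == 0 && want_key && k == NULL) ? 1 : ret;
}
int main(void)
{
    for (int v = UNGUARDED; v <= SERGIO; v++)
        printf("variant %d: key wanted %d, enctype only %d\n", v, probe(v, 1), probe(v, 0));
    return 0;
}
```

In this model both proposed variants return an error to a caller that asked for a key, and still succeed for a caller that passed ret_key == NULL.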
