
Re: AP REQUEST decrypt using shared secret



Hello,

We have an older version of an application server, written in Java,
but we're converting the Java tool to C(++).
I used one of the (correct) incoming messages of the previous Java tool,
and the key is our private key, so we know the key perfectly.

The file-based one did not seem to work either.

I already debugged to the function I mentioned below to see if the
keyvalue was propagated correctly; this was no problem.

It looks like it has something to do with the formatting of the key...

Tom.

On Mon, 2008-01-28 at 23:37 +0100, Love Hörnquist Åstrand wrote:
> Hello
> 
> Does the keytab work if you use a FILE based keytab ?
> How do you know the key is correct ?
> 
> Love
> 
> 28 jan 2008 kl. 08.06 skrev Tom Ghyselinck:
> 
> > Hello,
> >
> > I'm having a problem decrypting a ticket from an AP REQUEST using
> > krb5_rd_req().
> >
> > I'm trying to use a MEMORY keytab which seems to work, but my
> > problem is the keyblock keyvalue.
> >
> > We have a shared key between the KDC and our AP REQUEST parser...
> > The ticket is using des3-cbc-md5 encryption.
> >
> > I tried several things to use our shared key:
> > - setting the keyblock directly (with the exact hex value
> >  of the key string, keytab.keyvalue.length + keytab.keyvalue.data )
> > - using krb5_keyblock_init(),
> > - Converting the key value using krb5_string_to_key(),
> > - Converting the key value using krb5_string_to_key_salt(),
> > - ...
> >
> > But all tries gave me the same result:
> >
> > 'krb5_rd_req: Decrypt integrity check failed'
> >
> > Is there any special format for the keyvalue I have to use?
> > Or should it be OK when I use krb5_string_to_key?
> >
> > While debugging a little bit myself,
> > the error seems to come from the method:
> >
> > static krb5_error_code
> > verify_checksum(krb5_context context,
> >                krb5_crypto crypto,
> >                unsigned usage, /* not krb5_key_usage */
> >                void *data,
> >                size_t len,
> >                Checksum *cksum)
> > during:
> >
> >    if(c.checksum.length != cksum->checksum.length ||
> >       memcmp(c.checksum.data, cksum->checksum.data, c.checksum.length))
> >
> > the checksum length was always ok, but the data failed...
> >
> > Does anyone have any ideas?
> >
> > Thanks!
> >
> > Tom Ghyselinck.
> >
> > -- 
> >
> > +---------------------------------------------
> > | Please note new email address: tom.ghyselinck@excentis.com
> > |
> > | Tom Ghyselinck
> > | Software Developer
> > | Excentis N.V.
> > | Gildestraat 8 B-9000 Gent
> > | Tel: +32 9 269 22 91 - Fax: +32 9 329 31 74
> > +---------------------------------------------
> >
> >
> 
-- 

+---------------------------------------------
| Please note new email address: tom.ghyselinck@excentis.com
|
| Tom Ghyselinck
| Software Developer
| Excentis N.V.
| Gildestraat 8 B-9000 Gent
| Tel: +32 9 269 22 91 - Fax: +32 9 329 31 74
+---------------------------------------------
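The thread asks whether a des3-cbc-md5 keyvalue has a "special format". The check below is an added example, not code from Heimdal or from either poster: it shows the 24-byte DES3 key layout that RFC 3961 random-to-key produces (each 7 seed bytes become 8 key bytes, the eighth built from the low bits of the other seven, every byte then forced to DES odd parity), and a `des3_key_check()` that rejects the two shapes that reliably produce "Decrypt integrity check failed": the 48-character hex text handed to the keyblock undecoded, and bytes that are not a parity-correct DES3 key. The seed, key and hex string are constructed for the example; the function names are the example's own.

```c
/* Added example (not Heimdal code): sanity-check a raw des3-cbc-md5 keyvalue
 * before it goes into a krb5_keyblock, and show the DES3 key format that
 * RFC 3961 section 6.3.1 random-to-key produces. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DES3_KEY_LEN  24
#define DES3_SEED_LEN 21

/* True if the number of set bits is odd: the parity every DES key byte has. */
static int has_odd_parity(unsigned char b)
{
    int ones = 0, i;
    for (i = 0; i < 8; i++)
        ones += (b >> i) & 1;
    return ones & 1;
}

/* Overwrite the low bit so the byte has odd parity (same effect as DES_set_odd_parity). */
static unsigned char fix_parity(unsigned char b)
{
    unsigned char high = b & 0xFE;
    return has_odd_parity(high) ? high : (unsigned char)(high | 1);
}

/* RFC 3961 DES3 random-to-key: 21 random bytes -> 24-byte key.
 * Each 7-byte group is copied, the 8th byte collects the groups' low bits
 * (bit i of input byte i lands in bit i+1), then every byte gets odd parity. */
void des3_random_to_key(const unsigned char seed[DES3_SEED_LEN],
                        unsigned char key[DES3_KEY_LEN])
{
    int k, i;
    for (k = 0; k < 3; k++) {
        const unsigned char *in = seed + 7 * k;
        unsigned char *out = key + 8 * k;
        unsigned char eighth = 0;
        for (i = 0; i < 7; i++) {
            out[i] = in[i];
            eighth |= (unsigned char)((in[i] & 1) << (i + 1));
        }
        out[7] = eighth;
        for (i = 0; i < 8; i++)
            out[i] = fix_parity(out[i]);
    }
}

/* The four DES weak keys; a DES3 component equal to one of them is rejected. */
static const unsigned char des_weak_keys[4][8] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
    {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
};

/* Returns 0 if key looks like a well-formed des3 keyvalue, else a reason code and *why. */
int des3_key_check(const unsigned char *key, size_t len, const char **why)
{
    size_t i;
    int k, w;
    if (len != DES3_KEY_LEN) {
        *why = "keyvalue must be 24 raw bytes (decode the hex string; do not pass the text)";
        return 1;
    }
    for (i = 0; i < len; i++)
        if (!has_odd_parity(key[i])) {
            *why = "a key byte lacks DES odd parity; this is not a real des3 key";
            return 2;
        }
    for (k = 0; k < 3; k++)
        for (w = 0; w < 4; w++)
            if (memcmp(key + 8 * k, des_weak_keys[w], 8) == 0) {
                *why = "a DES3 component is a weak DES key";
                return 3;
            }
    *why = "ok";
    return 0;
}

/* Decode a hex string into raw bytes; returns 0 on success. */
int hex_decode(const char *hex, unsigned char *out, size_t cap, size_t *outlen)
{
    size_t n = strlen(hex), i;
    if (n % 2 != 0 || n / 2 > cap)
        return -1;
    for (i = 0; i < n; i += 2) {
        unsigned int v;
        if (sscanf(hex + i, "%2x", &v) != 1)
            return -1;
        out[i / 2] = (unsigned char)v;
    }
    *outlen = n / 2;
    return 0;
}

int main(void)
{
    unsigned char seed[DES3_SEED_LEN], key[DES3_KEY_LEN], raw[64];
    char hex[2 * DES3_KEY_LEN + 1];
    size_t rawlen;
    const char *why;
    int i;

    for (i = 0; i < DES3_SEED_LEN; i++) seed[i] = (unsigned char)(i + 1); /* constructed seed */
    des3_random_to_key(seed, key);
    for (i = 0; i < DES3_KEY_LEN; i++) sprintf(hex + 2 * i, "%02x", key[i]);
    printf("key: %s\n", hex);
    hex_decode(hex, raw, sizeof raw, &rawlen);
    printf("decoded hex as keyvalue: %s\n", des3_key_check(raw, rawlen, &why) ? why : "ok");
    /* The 48-character hex text itself is the wrong length and is rejected. */
    printf("hex text as keyvalue: %s\n",
           des3_key_check((const unsigned char *)hex, strlen(hex), &why) ? why : "ok");
    return 0;
}
```

Run this against the 24 bytes you actually load into `keyblock.keyvalue.data` before calling `krb5_rd_req()`. If the check fails on length, the hex string is being passed as text; if it fails on parity, the bytes were derived from something other than a DES3 key (for instance a passphrase run through `krb5_string_to_key()`, which yields a different key from the raw one the KDC holds). Only a key that passes both can be expected to match the ticket's checksum.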