On 02/19/2017 09:23 AM, Turner, Jonathan wrote:
> If there is a forum that I would be better using for this query please let
> me know as I could not find one.

No worries; this list is appropriate for this kind of question.

> The issue I have is with calculating the checksum of the encrypted part of
> AS-REP messages.
> If, in the AS-REQ, I pass an empty PA data of type PA-REQ-ENC-PA-REP (RFC
> 6806) I get a response where my client code successfully decrypts the
> encrypted part and successfully validates the integrity checksum. However,
> if I do not pass any PA data in the AS-REQ, I get a response from my KDC
> which my client code successfully decrypts (the values are the same as I
> see when I analyse the packets with Wireshark) but the integrity checksum I
> calculate is not the same as the trailing bytes of the encrypted part. The
> response for this also includes PA data with a PA-ETYPE-INFO2 type entry.

As far as I know (and can tell from rechecking the code), the presence of
PA-REQ-ENC-PA-REP does not affect how we encrypt the reply, only what
bytes we put inside the encrypted part.

When I have run into crypto interop problems like this in the past, the
only good method I know of is to step through the same operation in both
code bases (in this case, krb5_c_decrypt() and the equivalent in your Go
code, using the same key and RFC 3962 token as input) and compare the
inputs to each crypto operation to see where there is a mismatch.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos