directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexander Bersenev (JIRA)" <>
Subject [jira] [Updated] (DIRSERVER-2068) Failed to decrypt a timestamp if it was encrypted with non-best-fit algo
Date Tue, 02 Jun 2015 20:01:50 GMT


Alexander Bersenev updated DIRSERVER-2068:
    Attachment: preauth.patch

The patch

> Failed to decrypt a timestamp if it was encrypted with non-best-fit algo
> ------------------------------------------------------------------------
>                 Key: DIRSERVER-2068
>                 URL:
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.0-M20
>            Reporter: Alexander Bersenev
>             Fix For: 2.0.0-M21
>         Attachments: preauth.patch
> Suppose the client supports two encryption suites:
> default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd
> Server also supports three encryption suites: 
> des-cbc-md5, des3-cbc-sha1-kd and aes128-cts-hmac-sha1-96
> The client send as-req with list of supported ciphers. Server answers the client with
three ciphers.
> The client chooses des-cbc-md5 and sends as-req with encrypted timestamp.
> The bug is here. The server can try to decrypt timestamp with wrong algo(des3-cbc-sha1-kd).
This occurs because of function 
> getBestEncryptionType( Set<EncryptionType> requestedTypes,        Set<EncryptionType>
configuredTypes )
> returns some encryption type that both client and server support. It not necessary the
cipher that was used to encrypt the timestamp.
> Attached patch does decryption of timestamp always with cipher it was encrypted(if the
server is configured to support that cipher)

This message was sent by Atlassian JIRA

View raw message