RFR: 8367344: Better error message when decryption of AP-REQ fails because of kvno mismatch [v6]

Weijun Wang weijun at openjdk.org
Wed Jan 7 03:20:17 UTC 2026


> For interoperability, AP-REQ decryption uses the key with the highest kvno in the keytab if no exact match is found. If decryption fails, a normal "checksum failed" error is reported, which may hide the real cause that the wrong key is used. This code change throws a KRB_AP_ERR_BADKEYVER error in this case.
> 
> The change is only made in AP-REQ decryption to minimize impact. A previous test is enhanced to cover the case.

Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:

 - Merge branch 'master' into 8367344
 - missing space
 - call fromUserKtab directly with automatic isInitiator being false; show exception if not correct code
 - typo
 - more etypes in test
 - different exception for other etypes; test
 - the fix

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/27298/files
  - new: https://git.openjdk.org/jdk/pull/27298/files/aee6aec3..f82bc7d0

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=27298&range=05
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=27298&range=04-05

  Stats: 590634 lines in 7429 files changed: 409328 ins; 113541 del; 67765 mod
  Patch: https://git.openjdk.org/jdk/pull/27298.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/27298/head:pull/27298

PR: https://git.openjdk.org/jdk/pull/27298
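
The behaviour described in the quoted summary, modelled as an added example (not code from the pull request or from the JDK): key selection falls back to the highest kvno, and a failure after fallback is reported as KRB_AP_ERR_BADKEYVER rather than a checksum failure. The class, record and method names and the string "keys" are hypothetical stand-ins; only the two error codes are real (RFC 4120).

```java
import java.util.Collections;
import java.util.Comparator;
import java.util.List;

public class KvnoFallbackDemo {
    // Error codes as assigned in RFC 4120.
    static final int KRB_AP_ERR_BAD_INTEGRITY = 31;
    static final int KRB_AP_ERR_BADKEYVER = 44;

    record KeytabEntry(int kvno, String key) {}            // hypothetical model of a keytab entry
    record Selection(KeytabEntry entry, boolean exact) {}

    static class KrbError extends Exception {
        final int code;
        KrbError(int code, String msg) { super(msg + " (" + code + ")"); this.code = code; }
    }

    // Exact kvno match if present, otherwise the highest kvno (keytab assumed non-empty).
    static Selection select(List<KeytabEntry> keytab, int ticketKvno) {
        for (KeytabEntry e : keytab)
            if (e.kvno() == ticketKvno) return new Selection(e, true);
        return new Selection(
            Collections.max(keytab, Comparator.comparingInt(KeytabEntry::kvno)), false);
    }

    // Stand-in for decryption: it "succeeds" only when the key strings are equal.
    static void decrypt(List<KeytabEntry> keytab, int ticketKvno, String ticketKey)
            throws KrbError {
        Selection s = select(keytab, ticketKvno);
        if (s.entry().key().equals(ticketKey)) return;
        if (!s.exact())   // the fallback key was used and failed: the likely cause is the kvno
            throw new KrbError(KRB_AP_ERR_BADKEYVER,
                "no key with kvno " + ticketKvno + ", tried kvno " + s.entry().kvno());
        throw new KrbError(KRB_AP_ERR_BAD_INTEGRITY, "checksum failed");
    }

    public static void main(String[] args) {
        // Constructed sample data: a keytab holding kvno 2 and 3.
        List<KeytabEntry> keytab =
            List.of(new KeytabEntry(2, "key-v2"), new KeytabEntry(3, "key-v3"));
        // {kvno in ticket, key it was really encrypted with}
        Object[][] cases = { {3, "key-v3"}, {5, "key-v3"}, {5, "key-v5"}, {3, "tampered"} };
        for (Object[] c : cases) {
            try {
                decrypt(keytab, (Integer) c[0], (String) c[1]);
                System.out.println("kvno " + c[0] + ": decrypted");
            } catch (KrbError e) {
                System.out.println("kvno " + c[0] + ": " + e.getMessage());
            }
        }
    }
}
```

The second case is the interoperability path (mismatched kvno, fallback key still works); the third is the case the new error message is meant to surface.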

