[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PKINIT
Hi Dan,
Thanks for the new release. I built it and retried my tests. Here are
the results plus a description of a compile problem with new release:
> 1. kinit segmentation fault - 0 length principal's public key certificate
Still seg faults
> 2. kinit segmentation fault - no file in directory with CA certificates
Fixed
> 3. kinit segmentation fault - receives AS_REPLY without pkinit data
Does not seg fault. However, I don't know if the KDC behavior
is correct. KDC returns an AS-REPLY (without pkinit) that
includes a TGT. Kinit displays the following error:
"kinit: krb5_get_init_creds: Unsupported preauthentication type".
> 4. kdc segmentation fault - after second AS_REQ
Fixed
Compile problem with new PKINIT version (I commented out whole if-statement
"if (et.flags.forwarded && set_equivalent_addresses) {" to get code to compile):
lv -lresolv -lcrypt /usr/lib/libgdbm.so -lresolv -lresolv
kerberos5.o: In function `tgs_make_reply':
/home/cvsbuild/ig7k/Tools/heimdal/heimdal-0.4e/kdc/kerberos5.c:1209: undefined
reference to `set_equivalent_addresses'
/home/cvsbuild/ig7k/Tools/heimdal/heimdal-0.4e/kdc/kerberos5.c:1222: undefined
reference to `list_equiv_addresses'
Christopher
Daniel Kouril wrote:
> Thanks for testing. Please try the new version I've just sent to the heimdal
> list -- I believe the problems you mentioned are fixed there.
>
> --
> Dan
>
> On Thu, May 23, 2002 at 12:16:33PM -0700, Christopher James wrote:
> > Daniel Kouril wrote:
> >
> > > Hi all,
> > > a pre-beta version of the pkinit implementation for Heimdal is enclosed. You
> > > can have a look at it but remember it's still under development.
> > > Unfortunatelly I'm out of my office until end of this week so I assume I'll
> > > continue in this work (and post a version of the patch) at the end of the
> > > next week.
> > >
> > > regards
> > >
> > > --
> > > Dan
> > >
> > > ------------------------------------------------------------------------
> > >
> > > pkinit.patchName: pkinit.patch
> > > Type: Plain Text (text/plain)
> >
> > I have successfully built and run the KDC with the pre-beta
> > PKINIT patch. While getting it to work I found the following
> > conditions that produce seg faults:
> >
> > ------------------------------------------------------------
> >
> > 1. kinit segmentation fault - 0 length principal's public key certificate
> >
> > Run kinit using a 0 length file for the principal's public key certificate,
> > the other files (principal's private key and directory with CA certificates)
> > are present and good. Program seg faults calling free_SignedData() in
> > free_PA_PK_AS_REQ(). Here are some printfs showing sequence of calls:
> >
> > get_init_creds_common() return = 0
> > read X509
> > read X509 end of file
> > pk_load_config() return = 0
> > starting krb5_get_in_cred_ext
> > before init_as_req
> > init_as_req() check patype
> > starting pk_mk_padata()
> > after build_auth_pack()
> > after encode_auth_pack()
> > after krb5_data_copy()
> > pk_create_sign(): starting
> > pk_create_sign(): 1
> > pk_create_sign(): 1a
> > pk_mk_padata(): start end: problem = -1
> > free_PA_PK_AS_REQ: start
> > Segmentation fault
> >
> >
> > 2. kinit segmentation fault - no file in directory with CA certificates
> >
> > Run kinit with no file in directory with CA certificates, other files
> > (principal's public key certificate and principal's private key) are
> > present and good. Program seg faults calling sk_X509_NAME_pop_free() in
> > free_PA_PK_AS_REQ(). Here are some printfs showing sequence of calls:
> >
> > get_init_creds_common() return = 0
> > read X509
> > read X509
> > read X509 end of file
> > pk_load_config() return = 0
> > starting krb5_get_in_cred_ext
> > before init_as_req
> > init_as_req() check patype
> > starting pk_mk_padata()
> > after build_auth_pack()
> > after encode_auth_pack()
> > after krb5_data_copy()
> > pk_create_sign(): starting
> > pk_create_sign(): 1
> > pk_create_sign(): 2
> > pk_create_sign(): 3
> > pk_create_sign(): 4
> > pk_create_sign(): 5
> > pk_create_sign(): 6
> > pk_create_sign(): 7
> > pk_create_sign(): 8
> > pk_mk_padata() after pk_create_sign
> > pk_mk_padata() after trusted certs
> > pk_mk_padata() after encode_PA
> > pk_mk_padata(): start end: problem = 0
> > free_PA_PK_AS_REQ: start
> > free_PA_PK_AS_REQ: after free_SignedData
> > free_PA_PK_AS_REQ: before free trusted certifiers
> > Segmentation fault
> >
> > 3. kinit segmentation fault - receives AS_REPLY without pkinit data
> >
> > Start the kdc with a 0 length file for the key_file. Send AS_REQ
> > using kinit. KDC recieves AS_REQ and sends normal (non-pkinit)
> > AS_REPLY. kinit seg faults reading AS_REPLY.
> >
> > 4. kdc segmentation fault - after second AS_REQ
> >
> > Both kdc and kinit configured correctly to run using pkinit.
> > No problem on first AS_REQ from kinit - kdc returns TGT in AS_REPLY.
> > KDC seg faults when it receives a second AS_REQ from kinit.
> > Seg fault happens in pk_create_sign() in one of these calls:
> >
> > sd->signer_info.sid.issuer = X509_NAME_dup(X509_get_issuer_name(user_cert));
> > sd->signer_info.sid.serial =
> > ASN1_INTEGER_dup(X509_get_serialNumber(user_cert));
> >
> > --------------------------------------------------------
> >
> > Christopher
> >
> >
- References:
- PKINIT
- From: Daniel Kouril <kouril@ics.muni.cz>
- Re: PKINIT
- From: Christopher James <cjames@berkeley.innomedia.com>
- Re: PKINIT
- From: Daniel Kouril <kouril@ics.muni.cz>