[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PKINIT to Windows AD fails about half the time
While testing the Heimdal-20050405 PKINIT client code with smart
cards and Windows AD, about half the time the AD would return
a KRB_ERROR with error code 60, (generic error) and no
e-text or e-data.
looking closer the difference appears to be that Win2K AD is
expecting the nonce to be a positive int32 or it can't parse the
A temporary fix to init_creds_pw.c:
--- ./lib/krb5/,init_creds_pw.c Wed Feb 2 01:30:25 2005
+++ ./lib/krb5/init_creds_pw.c Wed Apr 20 13:57:00 2005
@@ -1199,7 +1207,7 @@
/* Set a new nonce. */
krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
- ctx->nonce &= 0xffffffff;
+ ctx->nonce &= 0x7fffffff; /* shot in dark that win2k wants positive */
ctx->as_req.req_body.nonce = ctx->nonce;
krb5_generate_random_block (&ctx->pk_nonce, sizeof(ctx->pk_nonce));
It looks like if the top bit is on, the AS_REQ is one byte larger
then if it is off. I suspect this is asn1 adding a zero byte.
Has this been seen before? There is some code to have a different
pk_nonce, but it is #if'ed out.
Or is this a ans1 encoding problem on the client side.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439