Re: PKINIT to Windows AD fails about half the time
"Douglas E. Engert" <deengert@anl.gov> writes:
> While testing the Heimdal-20050405 PKINIT client code with smart
> cards and Windows AD, about half the time the AD would return
> a KRB_ERROR with error code 60, (generic error) and no
> e-text or e-data.
>
> looking closer the difference appears to be that Win2K AD is
> expecting the nonce to be a positive int32 or it can't parse the
> asn1.
Is it the pknonce that is the problem or the nonce? The reason I'm asking
is that the old code used 0xffffffff for nonce.
Love
--- lib/krb5/init_creds_pw.c 7 Apr 2005 20:15:18 -0000 1.82
+++ lib/krb5/init_creds_pw.c 21 Apr 2005 08:42:52 -0000
@@ -1210,12 +1210,8 @@
krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
ctx->nonce &= 0xffffffff;
ctx->as_req.req_body.nonce = ctx->nonce;
-#if 0
krb5_generate_random_block (&ctx->pk_nonce, sizeof(ctx->pk_nonce));
- ctx->pk_nonce &= 0xffffffff;
-#else
- ctx->pk_nonce = ctx->nonce;
-#endif
+ ctx->pk_nonce &= 0x7fffffff;
#define MAX_PA_COUNTER 3
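Review bot: the hunk narrows only pk_nonce to 0x7fffffff while the AS-REQ body nonce two lines above is still masked with `ctx->nonce &= 0xffffffff;` and copied into `ctx->as_req.req_body.nonce`, so if it is the req_body nonce rather than the pknonce that Win2K rejects as a non-positive int32 (the very question raised above), the failure will persist for roughly half of the random values. Suggest applying the same `0x7fffffff` mask to `ctx->nonce` as well, or adding a comment stating why only pk_nonce is narrowed. Note also that removing the `#if 0`/`#else` block makes pk_nonce independent of nonce where it previously had to equal it; a one-line comment explaining that both nonces are now drawn separately, and why the sign bit is cleared (interoperability with KDCs that decode the INTEGER as a signed 32-bit value), would keep the intent from being lost.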
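The "about half the time" in the report matches what DER does with a random 32-bit value: when bit 31 is set, the minimal INTEGER encoding needs a leading 0x00 content byte to keep the two's-complement value positive, so it becomes five content bytes, and a decoder that only accepts a nonce fitting a signed 32-bit int rejects it. The C below is an added illustration, not Heimdal or Windows code. It DER-encodes a nonce the way Heimdal's ASN.1 layer would and runs it through a strict decoder modelled on the observed Win2K behaviour (the requirement "fits int32 and is positive" is an assumption taken from the report above, not Windows' actual parser), comparing the old 0xffffffff mask with the patched 0x7fffffff one.

```c
/* Added example (not Heimdal or Windows code): why a nonce with bit 31
 * set fails at a KDC that decodes the nonce as a positive signed int32. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER-encode an unsigned 32-bit value as an ASN.1 INTEGER (tag 0x02).
 * DER INTEGERs are two's-complement and minimal: leading 0x00 bytes are
 * dropped unless needed to keep the value positive, so any value with
 * bit 31 set gets a 0x00 prefix and five content bytes.
 * out must hold at least 7 bytes; returns the total encoded length. */
size_t der_encode_uint32(uint32_t v, uint8_t *out)
{
    uint8_t be[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16),
                      (uint8_t)(v >> 8),  (uint8_t)v };
    size_t start = 0;
    /* strip leading zero bytes while the next byte's high bit is clear */
    while (start < 3 && be[start] == 0 && !(be[start + 1] & 0x80))
        start++;
    size_t n = 4 - start;
    size_t i = 0;
    out[i++] = 0x02;
    if (be[start] & 0x80) {           /* would read as negative: prefix 0x00 */
        out[i++] = (uint8_t)(n + 1);
        out[i++] = 0x00;
    } else {
        out[i++] = (uint8_t)n;
    }
    memcpy(out + i, be + start, n);
    return i + n;
}

/* Total encoded length (tag + length + content) of v as a DER INTEGER. */
size_t der_encoded_len(uint32_t v)
{
    uint8_t buf[7];
    return der_encode_uint32(v, buf);
}

/* Strict decoder modelled on the behaviour reported in the thread (an
 * assumption, not Windows' real code): the INTEGER must fit a signed
 * 32-bit int (at most 4 content bytes) and must not be negative.
 * Returns 0 on success, -1 if the nonce cannot be parsed. */
int strict_int32_decode(const uint8_t *in, size_t len, int32_t *out)
{
    if (len < 3 || in[0] != 0x02)
        return -1;
    size_t n = in[1];
    if (n == 0 || n > 4 || len != 2 + n)
        return -1;                     /* 5 content bytes: does not fit int32 */
    uint32_t acc = (in[2] & 0x80) ? 0xffffffffu : 0u;   /* sign-extend */
    for (size_t i = 0; i < n; i++)
        acc = (acc << 8) | in[2 + i];
    if (acc & 0x80000000u)
        return -1;                     /* negative: not a "positive int32" */
    *out = (int32_t)acc;
    return 0;
}

/* Mask a raw random nonce the given way, encode it, and report whether
 * the strict decoder accepts it (1) or rejects it (0). */
int nonce_accepted(uint32_t raw, uint32_t mask)
{
    uint8_t buf[7];
    int32_t v;
    size_t len = der_encode_uint32(raw & mask, buf);
    return strict_int32_decode(buf, len, &v) == 0;
}

int main(void)
{
    /* constructed sample: a random draw that happens to have bit 31 set */
    uint32_t raw = 0xdeadbeefu;
    printf("mask 0xffffffff: %zu bytes, accepted=%d\n",
           der_encoded_len(raw & 0xffffffffu), nonce_accepted(raw, 0xffffffffu));
    printf("mask 0x7fffffff: %zu bytes, accepted=%d\n",
           der_encoded_len(raw & 0x7fffffffu), nonce_accepted(raw, 0x7fffffffu));
    return 0;
}
```

With the old mask, a draw with bit 31 set encodes as `02 05 00 de ad be ef` and the strict decoder refuses it; with the patched mask the same draw encodes as `02 04 5e ad be ef` and passes. A draw with bit 31 clear passes under either mask, which is why the failure showed up only about half the time.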