[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PKINIT to Windows AD fails about half the time

To: Love Hörnquist Åstrand <lha@kth.se>
Subject: Re: PKINIT to Windows AD fails about half the time
From: "Douglas E. Engert" <deengert@anl.gov>
Date: Thu, 21 Apr 2005 09:53:15 -0500
Cc: heimdal-discuss@sics.se
In-Reply-To: <amoec8a57y.fsf@nutcracker.it.su.se>
References: <4266C70D.30701@anl.gov> <amoec8a57y.fsf@nutcracker.it.su.se>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803

Love Hörnquist Åstrand wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
> 
> 
>>While testing the Heimdal-20050405 PKINIT client code with smart
>>cards and Windows AD, about half the time the AD would return
>>a KRB_ERROR with error code 60, (generic error) and no
>>e-text or e-data.
>>
>>looking closer the difference appears to be that Win2K AD is
>>expecting the nonce to be a positive int32 or it can't parse the
>>asn1.
> 
> 

Looks like two problems:

(1) Windows wants the pk_nonce to have the first
bit zero, or it returns the KRB_ERROR 60 with no e-text.

(2) Windows uses the pk_nonce in the ticket, so when
_krb5_extract_ticket is called from init_cred_loop
it needs to pass in the pk_nonce rather nonce.

Draft 25 says the nonces may be different, and does not
require the ticket use the pk_nonce. I don't know what
draft 9 said.

There are a number of ways to solve this, but they depend
to the win2k_compat flag to be known when the _krb5_extract_ticket
is called. Or better still, the compat flag used to create the
pa-data needs to be available to process the as-rep.

Could the win2k_compat flag be save in the krb5_get_init_creds_ctx?
or in the krb5_pk_init_ctx?

> Is is the pknonce that is the problem or the nonce ? The reason I'm asking
> is that the old code used 0xffffffff for nonce.
> 
> Love
> 
> --- lib/krb5/init_creds_pw.c	7 Apr 2005 20:15:18 -0000	1.82
> +++ lib/krb5/init_creds_pw.c	21 Apr 2005 08:42:52 -0000
> @@ -1210,12 +1210,8 @@
>      krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
>      ctx->nonce &= 0xffffffff;
>      ctx->as_req.req_body.nonce = ctx->nonce;
> -#if 0
>      krb5_generate_random_block (&ctx->pk_nonce, sizeof(ctx->pk_nonce));
> -    ctx->pk_nonce &= 0xffffffff;
> -#else
> -    ctx->pk_nonce = ctx->nonce;
> -#endif
> +    ctx->pk_nonce &= 0x7fffffff;
>  
>  #define MAX_PA_COUNTER 3 
>  

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Follow-Ups:
- Re: PKINIT to Windows AD fails about half the time
  - From: Love Hörnquist Åstrand <lha@kth.se>

References:
- PKINIT to Windows AD fails about half the time
  - From: "Douglas E. Engert" <deengert@anl.gov>
- Re: PKINIT to Windows AD fails about half the time
  - From: Love Hörnquist Åstrand <lha@kth.se>

Prev by Date: Re: Compiling heimdal+pkinit in a Debian sid
Next by Date: Re: PKINIT to Windows AD fails about half the time
Prev by thread: Re: PKINIT to Windows AD fails about half the time
Next by thread: Re: PKINIT to Windows AD fails about half the time
Index(es):
- Date
- Thread