
Empty padata in AS-REQ



Hi,

Trying to acquire a TGT without the necessary password, ccache or keytab
entry will result in an AS-REQ with an empty padata field. I'm not talking
about the initial request with *null* padata. This is a second request
with a padata SEQUENCE that is simply empty:

$ dumpasn1 /tmp/out.bin 
   0  169: [APPLICATION 10] {
   3  166:   SEQUENCE {
   6    3:     [1] {
   8    1:       INTEGER 5
         :       }
  11    3:     [2] {
  13    1:       INTEGER 10
         :       }
  16    2:     [3] {
  18    0:       SEQUENCE {}     <--- "empty" padata
         :       }
  20  149:     [4] {
  23  146:       SEQUENCE {
  26    7:         [0] {
  28    5:           BIT STRING...

This happens because lib/krb5/get_in_tkt.c:add_padata ignores errors
returned by key_proc. I think it would be more appropriate to check to
make sure that padata was successfully added with something like the
following patch:

diff -Naur get_in_tkt.c.0 get_in_tkt.c
--- get_in_tkt.c.0      2007-02-07 20:53:58.000000000 -0500
+++ get_in_tkt.c        2007-02-07 20:55:50.000000000 -0500
@@ -391,6 +391,7 @@
     }
     md->val = pa2;
 
+    ret = KRB5_KT_NOTFOUND;
     for (i = 0; i < netypes; ++i) {
        krb5_keyblock *key;
 
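Review bot: the `ret = KRB5_KT_NOTFOUND;` default set before the `for (i = 0; i < netypes; ++i)` loop only survives if the loop body never assigns `ret`; if each iteration overwrites it with the key_proc result, the error reported is that of the last enctype tried and the default is returned only when netypes is 0. KRB5_KT_NOTFOUND is also a keytab-specific code, while the description above says the same path is reached without a password or ccache, so a more generic preauth failure code would be clearer to callers. Confirm that `ret` is declared in add_padata before this point; the declaration is not in the hunk.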
@@ -406,7 +407,7 @@
     }
     if(salt == &salt2)
        krb5_free_salt(context, salt2);
-    return 0;
+    return md->len ? 0 : ret;
 }
 
 static krb5_error_code
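Review bot: `return md->len ? 0 : ret;` returns an error after `md->val = pa2;` has already been assigned in the hunk above, so the caller gets a non-zero status with an allocated, zero-length padata array still attached to md; check that the caller's error path frees md->val, or release it here before returning. The expression also relies on `ret` being non-zero whenever md->len is zero: if a key_proc call in the loop can succeed (setting ret to 0) without an entry being appended, the empty-padata request goes out exactly as before.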
@@ -548,6 +549,8 @@
                }
            }
        }
+       if (ret)
+           return ret;
     } else 
     /* not sure this is the way to use `ptypes' */
     if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
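Review bot: the added `if (ret) return ret;` returns straight out of the middle of the function; if anything allocated earlier in this function (the padata list from add_padata, a salt) is normally released by cleanup code further down, this bare return skips it. Prefer the function's existing error path (set ret and fall through, or jump to its cleanup label) over a direct return. As the note below the patch says, callers that test for KRB5KDC_ERR_PREAUTH_REQUIRED will now see KRB5_KT_NOTFOUND instead, so those call sites need auditing when this lands.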

Note that this will change the error reported from
KRB5KDC_ERR_PREAUTH_REQUIRED to KRB5_KT_NOTFOUND so one must also consider
any logic that might depend on this error condition.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
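As an added example (not part of Mike's post, nor the library's own code), here is a small Python checker for the condition described above. It builds three constructed AS-REQ encodings, one with no padata field at all, one carrying the empty `[3] SEQUENCE {}` seen in the dumpasn1 output, and one carrying a PA-DATA entry, and classifies which case a given message falls in. The req-body and the PA-DATA value are placeholders; only the outer KDC-REQ structure follows the dump, and the DER walker is a deliberately minimal one written for this example.

```python
# Added example: classify the padata field of a Kerberos AS-REQ as
# absent, empty, or populated using a minimal DER walker (stdlib only).
# The sample messages below are constructed here, not captured traffic.

def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_int(v):
    """DER INTEGER for a non-negative int (leading 0x00 added when needed)."""
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_read_tlv(buf, pos=0):
    """Parse the TLV at pos; return (tag, body, next_pos).

    Only single-byte tags and lengths of up to four bytes are handled,
    which covers every field of a KDC-REQ at the levels walked here.
    """
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("long-form tag not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated TLV")
    return tag, body, pos + length


def pa_data(ptype, value):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    return der_tlv(0x30, der_tlv(0xA1, der_int(ptype)) + der_tlv(0xA2, der_tlv(0x04, value)))


def build_as_req(padata):
    """Build an AS-REQ ([APPLICATION 10] KDC-REQ) with the given padata.

    padata: None  -> the OPTIONAL [3] field is omitted (the initial request)
            []    -> [3] carries an empty SEQUENCE, as in the dump above
            [...] -> [3] carries the given encoded PA-DATA entries
    The req-body is a placeholder holding only a kdc-options BIT STRING.
    """
    fields = der_tlv(0xA1, der_int(5)) + der_tlv(0xA2, der_int(10))  # pvno, msg-type
    if padata is not None:
        fields += der_tlv(0xA3, der_tlv(0x30, b"".join(padata)))
    kdc_options = der_tlv(0x03, b"\x00\x00\x00\x00\x10")  # placeholder option bits
    fields += der_tlv(0xA4, der_tlv(0x30, der_tlv(0xA0, kdc_options)))
    return der_tlv(0x6A, der_tlv(0x30, fields))


def classify_padata(as_req):
    """Return 'absent', 'empty' or 'populated' for the padata of an AS-REQ."""
    tag, body, _ = der_read_tlv(as_req)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ ([APPLICATION 10])")
    tag, fields, _ = der_read_tlv(body)
    if tag != 0x30:
        raise ValueError("KDC-REQ is not a SEQUENCE")
    pos = 0
    while pos < len(fields):
        tag, field, pos = der_read_tlv(fields, pos)
        if tag == 0xA3:  # padata [3]
            stag, entries, _ = der_read_tlv(field)
            if stag != 0x30:
                raise ValueError("padata is not a SEQUENCE")
            return "empty" if not entries else "populated"
    return "absent"


if __name__ == "__main__":
    # PA-ENC-TIMESTAMP is padata-type 2; the value here is a placeholder,
    # not a real EncryptedData.
    for label, pa in (("no padata", None), ("empty padata", []),
                      ("PA-ENC-TIMESTAMP", [pa_data(2, b"\x00" * 8)])):
        print(f"{label:18s} -> {classify_padata(build_as_req(pa))}")
```

The "empty" case encodes as the four bytes `a3 02 30 00`, which is exactly the `[3] { SEQUENCE {} }` pair at offset 16 in the dumpasn1 listing; a client-side sanity check before sending, or a capture filter looking for that encoding, is enough to catch the request the patch is meant to suppress.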