Ticket History #2110: MIT KDC fails to handle unknown padata

Sam,
Attached are the mods to 1.3.2 to try the PA_PAC_REQUEST in the AS-REQ
I ported the changes to 1.3.2 from 1.3.1 but never tried them.

There are changes in
kinit.c
krb5.hin
gic_opt.c
get_in_tkt.c

They are controlled by #ifdef NOMSPAC

Note that the kinit.c also has some change for getting a password from stdin.


You can also find these in AFS at /afs/anl.gov/usr/ctd/b17783/pub/NOMSPAC.diff



--

Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

--- ./clients/kinit/,kinit.c Tue Feb 3 10:35:37 2004
+++ ./clients/kinit/kinit.c Tue Feb 3 10:35:37 2004
@@ -127,6 +127,7 @@
int forwardable;
int proxiable;
int addresses;
+ int pstdin;

int not_forwardable;
int not_proxiable;
@@ -141,6 +142,9 @@
char* k4_cache_name;

action_type action;
+#ifdef NOMSPAC
+ int nomspac;
+#endif
};

struct k5_data
@@ -211,10 +215,12 @@
USAGE_BREAK_LONG
"[-A" USAGE_LONG_ADDRESSES "] "
USAGE_BREAK
+ "[-m] "
"[-v] [-R] "
"[-k [-t keytab_file]] "
USAGE_BREAK
"[-c cachename] "
+ "[-Z] "
"[-S service_name] [principal]"
"\n\n",
progname);
@@ -257,10 +263,14 @@
ULINE("\t", "-p proxiable", OPTTYPE_KRB5);
ULINE("\t", "-P not proxiable", OPTTYPE_KRB5);
ULINE("\t", "-A do not include addresses", OPTTYPE_KRB5);
+#ifdef NOMSPAC
+ ULINE("\t", "-m No PAC in ticket", OPTTYPE_KRB5);
+#endif
ULINE("\t", "-v validate", OPTTYPE_KRB5);
ULINE("\t", "-R renew", OPTTYPE_BOTH);
ULINE("\t", "-k use keytab", OPTTYPE_BOTH);
ULINE("\t", "-t filename of keytab to use", OPTTYPE_BOTH);
+ ULINE("\t", "-Z get password from stdin", OPTTYPE_KRB5);
ULINE("\t", "-c Kerberos 5 cache name", OPTTYPE_KRB5);
/* This options is not yet available: */
/* ULINE("\t", "-C Kerberos 4 cache name", OPTTYPE_KRB4); */
@@ -281,9 +291,14 @@
int use_k5 = 0;
int i;

- while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:v"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:vZm"))
!= -1) {
switch (i) {
+#ifdef NOMSPAC
+ case 'm':
+ opts->nomspac = 1;
+ break;
+#endif
case 'V':
opts->verbose = 1;
break;
@@ -401,6 +416,9 @@
}
use_k5 = 1;
break;
+ case 'Z':
+ opts->pstdin++;
+ break;
default:
errflg++;
break;
@@ -737,6 +755,8 @@
krb5_creds my_creds;
krb5_error_code code = 0;
krb5_get_init_creds_opt options;
+ char pstdin_pw[1024];
+ int pstdin_pw_size = 0;

if (!got_k5)
return 0;
@@ -749,6 +769,10 @@
initialized.
*/

+#ifdef NOMSPAC
+ if (opts->nomspac)
+ krb5_get_init_creds_opt_set_pa_pac_request(&options);
+#endif
if (opts->lifetime)
krb5_get_init_creds_opt_set_tkt_life(&options, opts->lifetime);
if (opts->rlife)
@@ -787,8 +811,21 @@

switch (opts->action) {
case INIT_PW:
+ if (opts->pstdin) {
+ pstdin_pw_size = read(0,pstdin_pw,sizeof(pstdin_pw)-1);
+ if (pstdin_pw_size > 0) {
+ if (pstdin_pw[pstdin_pw_size-1] == '\n') {
+ pstdin_pw_size--;
+ }
+ pstdin_pw[pstdin_pw_size] = '\0';
+ } else {
+ pstdin_pw_size = 0;
+ }
+ }
+
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
- 0, kinit_prompter, 0,
+ (pstdin_pw_size > 0)? pstdin_pw: 0,
+ kinit_prompter, 0,
opts->starttime,
opts->service_name,
&options);
--- ./include/,krb5.hin Tue Feb 3 10:38:08 2004
+++ ./include/krb5.hin Tue Feb 3 10:38:09 2004
@@ -876,6 +876,9 @@
#define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */
#define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */

+#ifdef NOMSPAC
+#define KRB5_PADATA_PAC_REQUEST 128
+#endif
#define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
#define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
#define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */
@@ -2415,6 +2418,9 @@
#define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020
#define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040
#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
+#ifdef NOMSPAC
+#define KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST 0x0100
+#endif


void KRB5_CALLCONV
@@ -2462,6 +2468,13 @@
krb5_get_init_creds_opt_set_salt
(krb5_get_init_creds_opt *opt,
krb5_data *salt);
+
+#ifdef NOMSPAC
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pa_pac_request
+(krb5_get_init_creds_opt *opt);
+#endif
+

krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password
--- ./lib/krb5/krb/,gic_opt.c Tue Feb 3 11:02:10 2004
+++ ./lib/krb5/krb/gic_opt.c Tue Feb 3 11:02:10 2004
@@ -63,3 +63,11 @@
opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
opt->salt = salt;
}
+
+#ifdef NOMSPAC
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pa_pac_request(krb5_get_init_creds_opt *opt)
+{
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST;
+}
+#endif
--- ./lib/krb5/krb/,get_in_tkt.c Tue Feb 3 11:02:25 2004
+++ ./lib/krb5/krb/get_in_tkt.c Tue Feb 3 11:02:26 2004
@@ -78,6 +78,70 @@
static krb5_error_code make_preauth_list (krb5_context,
krb5_preauthtype *,
int, krb5_pa_data ***);
+#ifdef NOMSPAC
+ /* Add the Microsoft PA_PAC_REQUEST to the AS
+ * request. Since this needs to be sent on each AS_REQ
+ * the krb5_preauth routines can not be used, as they
+ * add a list the first time, but then only respond to the
+ * pa-data in the error response.
+ * See draft-brezak-win2k-krb-authz-01.txt section 6
+ * Also see MSDN for SEC_WINNT_AUTH_IDENTITY_ONLY
+ */
+static krb5_error_code add_ms_pac_req(krb5_context context,
+ krb5_pa_data *** padata)
+{
+ int i;
+ /* ASN1 for:
+ * KERB-PA-PAC-REQUEST ::= SEQUENCE {
+ * include-pac[0] BOOLEAN
+ * }
+ * where the value is false
+ */
+ static krb5_octet booldata[] = {"\x30\x05\xa0\x03\x01\x01\x00"};
+ void * tmp;
+ krb5_pa_data * pa;
+ krb5_pa_data * * new_padata;
+
+ if ((tmp = (void *)malloc(sizeof(booldata)-1)) == NULL)
+ return(ENOMEM);
+ memcpy(tmp, booldata, sizeof(booldata)-1);
+
+ if ((pa = (krb5_pa_data *)malloc(sizeof(krb5_pa_data))) == NULL) {
+ krb5_xfree(tmp);
+ return(ENOMEM);
+ }
+
+ pa->magic = KV5M_PA_DATA;
+ pa->pa_type = KRB5_PADATA_PAC_REQUEST;
+ pa->length = sizeof(booldata)-1;
+ pa->contents = tmp;
+
+ if (*padata == NULL) {
+ new_padata = (krb5_pa_data **)
+ malloc(2 * sizeof(krb5_pa_data *));
+ i = 0;
+ } else {
+ for (i=0; (*padata)[i]; i++); /* count */
+
+ new_padata = *padata;
+ new_padata = (krb5_pa_data **)
+ realloc(new_padata, (i+2) * sizeof(krb5_pa_data *));
+ }
+ if (new_padata == NULL) {
+ krb5_xfree(pa->contents);
+ krb5_xfree(pa);
+ return(ENOMEM);
+ }
+
+ new_padata[i++] = pa;
+ new_padata[i] = NULL;
+
+ *padata = new_padata;
+
+ return(0);
+}
+#endif
+
/*
* This function sends a request to the KDC, and gets back a response;
* the response is parsed into ret_err_reply or ret_as_reply if the
@@ -951,6 +1015,15 @@
prompter_data, gak_fct, gak_data)))
goto cleanup;

+#ifdef NOMSPAC
+ if (options && (options->flags &
+ KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST)) {
+ if (ret = add_ms_pac_req(context, &request.padata)) {
+ goto cleanup;
+ }
+ }
+#endif
+
if (padata) {
krb5_free_pa_data(context, padata);
padata = 0;
@@ -996,6 +1069,14 @@
&salt, &s2kparams, &etype, &as_key, prompter,
prompter_data, gak_fct, gak_data)))
goto cleanup;
+#ifdef NOMSPAC
+ if (options && (options->flags &
+ KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST)) {
+ if (ret = add_ms_pac_req(context, &padata)) {
+ goto cleanup;
+ }
+ }
+#endif

/* XXX if there's padata on output, something is wrong, but it's
not obviously an error */