Ticket History #3207: AS_REP padata missing PA-ETYPE-INFO

From krb5-bugs-incoming-bounces@PCH.mit.edu Wed Oct 5 20:09:28 2005
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id UAA16866; Wed, 5 Oct 2005 20:09:28 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9608qpx018871
for <krb5-send-pr@krbdev.mit.edu>; Wed, 5 Oct 2005 20:08:52 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9608ppx018868
for <krb5-bugs-incoming@PCH.mit.edu>; Wed, 5 Oct 2005 20:08:51 -0400
Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34])
j9608n7d017695
for <krb5-bugs@mit.edu>; Wed, 5 Oct 2005 20:08:49 -0400 (EDT)
Received: from centralmail1brm.Central.Sun.COM
(centralmail1brm.central.sun.com [129.147.62.1])
by brmea-mail-3.sun.com (8.12.10/8.12.9) with ESMTP id j9608m1L014563
for <krb5-bugs@mit.edu>; Wed, 5 Oct 2005 18:08:48 -0600 (MDT)
Received: from alton.central.sun.com (alton.Central.Sun.COM [129.153.128.101])
with ESMTP id j9608mZv019875
for <krb5-bugs@mit.edu>; Wed, 5 Oct 2005 18:08:48 -0600 (MDT)
Received: from alton.central.sun.com (localhost [127.0.0.1])
j9608l01009551
for <krb5-bugs@mit.edu>; Wed, 5 Oct 2005 19:08:47 -0500 (CDT)
Received: (from willf@localhost)
by alton.central.sun.com (8.13.4+Sun/8.13.3/Submit) id j9608lfs009550;
Wed, 5 Oct 2005 19:08:47 -0500 (CDT)
Date: Wed, 5 Oct 2005 19:08:47 -0500 (CDT)
Message-Id: <200510060008.j9608lfs009550@alton.central.sun.com>
To: krb5-bugs@mit.edu
From: william.fiveash@sun.com
X-send-pr-version: 3.99
X-Spam-Score: -1.366
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1
Precedence: list
Reply-To: william.fiveash@sun.com
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu




System: SunOS alton 5.10 Generic_118822-18 sun4u sparc SUNW,Sun-Blade-1000
Architecture: sun4



The KDC is returning only PA-ETYPE-INFO2 in the AS_REP even though
the AS_REQ only contains des-cbc-crc. That appears to violate the
text in rfc4120 below:

When the AS server is to include pre-authentication data in a
KRB-ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE-
INFO, if the etype field of the client's AS-REQ lists at least one
"newer" encryption type. Otherwise (when the etype field of the
client's AS-REQ does not list any "newer" encryption types), it MUST
send both PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an entry for
each enctype). A "newer" enctype is any enctype first officially
specified concurrently with or subsequent to the issue of this RFC.
The enctypes DES, 3DES, or RC4 and any defined in [RFC1510] are not
"newer" enctypes.

Hint, look at return_padata() in kdc_preauth.c and etype-info
instance of the preauth_systems[] (no return_padata function
defined).


Set default_tkt_enctypes = des-cbc-crc and kinit.

See the description.

* kdc_preauth.c (etype_info_as_rep_helper): New function; shared
code for handling ETYPE-INFO and ETYPE-INFO2. Checks request for
"newer" enctypes and does not return an ETYPE-INFO if any "newer"
enctypes are present in the request. Reported by Will Fiveash.
(return_etype_info2, return_etype_info): Implement in terms of
etype_info_as_rep_helper.

Commit By: tlyu



Revision: 17424
Changed Files:
U trunk/src/kdc/ChangeLog
U trunk/src/kdc/kdc_preauth.c

On Thu, Oct 13, 2005 at 06:56:39PM -0400, Tom Yu via RT wrote:

I'm looking at it now. I'll get back to you shortly.

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

Ok, thanks for the confirmation!

---Tom

pull up r17424 from trunk

Commit By: tlyu



Revision: 17430
Changed Files:
U branches/krb5-1-4/src/kdc/ChangeLog
U branches/krb5-1-4/src/kdc/kdc_preauth.c