Skip Menu |
 

Download (untitled) / with headers
text/plain 4.4KiB
From kdrenard@ARL.MIL Tue Dec 24 10:33:37 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id KAA04914 for <bugs@RT-11.MIT.EDU>; Tue, 24 Dec 1996 10:33:36 -0500
Received: from smokey.arl.mil by MIT.EDU with SMTP
id AA17695; Tue, 24 Dec 96 10:33:35 EST
Message-Id: <9612241031.aa25967@SMOKEY.ARL.MIL>
Date: Tue, 24 Dec 96 10:31:46 EST
From: "Kenneth D. Renard" (CICC/HPCD) <kdrenard@ARL.MIL>
To: krb5-bugs@MIT.EDU
Subject: Error in SAM_RESPONSE generation

Show quoted text
>Number: 325
>Category: krb5-libs
>Synopsis: required timestamp not included in SAM_RESPONSE generation
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: tytso
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Dec 24 10:34:00 EST 1996
>Last-Modified: Tue Mar 25 00:55:01 EST 1997
>Originator: Kenneth D. Renard <kdrenard@arl.mil>
>Organization:
Army Research Lab - Advanced Development Team

Show quoted text
>Release: 1.0
>Environment:

All architectures

Show quoted text
>Description:

AS_REQ generation with SAM preauth does not include required ASN.1
field (timestamp or nonce) when sam_challenge->sam_flags !=
KRB5_SAM_USE_SAD_AS_KEY)

Show quoted text
>How-To-Repeat:

Create a preauth system that uses KRB5_SAM_SEND_ENCRYPTED_SAD,
and client will generate incomplete sam_response (no timestamp
or nonce). KDC will choke on ASN.1 decoding (missing required
field...) when decoding sam_response

Show quoted text
>Fix:
<how to correct or work around the problem, if known (multiple lines)>
Move nonce/timestamp generation up a few lines for cases other than
"if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)"

$ rcsdiff -c -r1.1 preauth.c
===================================================================
RCS file: RCS/preauth.c,v
retrieving revision 1.1
diff -c -r1.1 preauth.c
*** 1.1 1996/12/23 15:03:41
--- preauth.c 1996/12/24 15:15:28
***************
*** 518,523 ****
--- 518,533 ----
}

enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
+ if (sam_challenge->sam_nonce) {
+ /* use nonce in the next AS request? */
+ } else {
+ retval = krb5_us_timeofday(context,
+ &enc_sam_response_enc.sam_timestamp,
+ &enc_sam_response_enc.sam_usec);
+ sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
+ }
+ if (retval)
+ return retval;
if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
/* encrypt passcode in key by stuffing it here */
int pcsize = 256;
***************
*** 533,548 ****
enc_sam_response_enc.sam_passcode.data = passcode;
enc_sam_response_enc.sam_passcode.length = pcsize;
} else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
- if (sam_challenge->sam_nonce) {
- /* use nonce in the next AS request? */
- } else {
- retval = krb5_us_timeofday(context,
- &enc_sam_response_enc.sam_timestamp,
- &enc_sam_response_enc.sam_usec);
- sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
- }
- if (retval)
- return retval;
prompt = handle_sam_labels(sam_challenge);
retval = sam_get_pass_from_user(context, etype_info, key_proc,
key_seed, request, &sam_use_key,
--- 543,548 ----

Show quoted text
>Audit-Trail:

Responsible-Changed-From-To: krb5-unassigned->tytso
Responsible-Changed-By: tytso
Responsible-Changed-When: Tue Mar 25 00:48:22 1997
Responsible-Changed-Why: I've handled this one.

State-Changed-From-To: open-closed
State-Changed-By: tytso
State-Changed-When: Tue Mar 25 00:48:40 1997
State-Changed-Why: Patch applied.


From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: "Kenneth D. Renard" <kdrenard@ARL.MIL>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-libs/325: required timestamp not included in SAM_RESPONSE generation
Date: Tue, 25 Mar 1997 00:53:47 -0500

Hi Ken,
Thanks for sending me this preauth fix for the SAM code. Sorry
it's taken a while for us to apply it. I wasn't really familiar with
the code, and I wanted to run it by the original author of the code
before we put it into the tree.

- Ted

src/lib/krb5/krb/ChangeLog 5.203 --> 5.204
src/lib/krb5/krb/preauth.c,v 5.24 --> 5.25
Show quoted text
>Unformatted: