Subject: pkinit-obtained tickets can't make TGS requests
In krb5 1.7, pkinit AS requests work and you get initial tickets.
However, if you try to make a TGS request with those tickets, it doesn't
work. The failure is as follows:

* process_tgs_req calls kdc_process_tgs_req.
* kdc_process_tgs_req calls krb5int_find_authdata to see if the ticket
should be refused on account of containing FX_ARMOR authdata.
* krb5int_find_authdata calls find_authdata_1.
* find_authdata_1 runs into an AD_IF_RELEVANT container and attempts to
decode it. This decode operation fails.
* find_authdata_1 continues its loop, but never performs another
operation which would change retval from its current failure value.
* The failure propagates up to process_tgs_req, which sets status to
"PROCESS_TGS" and returns an error reply.

The behavior of find_authdata_1 is a bit dodgy, but the real issue is of
course why the decoding of the AD_IF_RELEVANT container fails.

I forgot to mention: the decode operation on the AD-IF-RELEVANT
container fails with ASN1_BAD_ID.
From: hartmans@mit.edu
Subject: SVN Commit

In the initial pkinit implementation, the server plugin generates an
incorrect encoding for ad-initial-verified-cas. In particular, it
assumes that ad-if-relevant takes a single authorization data element
not a sequence of authorization data elements. Nothing looked at the
authorization data in 1.6.3 so this was not noticed. However in 1.7,
the FAST implementation looks for authorization data. In 1.8 several
more parts of the KDC examine authorization data. The net result is
that the KDC fails to process the TGT it issues.

However on top of this bug, there is a spec problem. For many of its intended uses, ad-initial-verified-cas needs to be integrity protected by the KDC in order to prevent a client from injecting it. So, it should be contained in kdc-issued not ad-if-relevant.

For now we're simply removing the generation of this AD element until the spec is clarified.

https://github.com/krb5/krb5/commit/4f8a0a259a82af2f89cbb00092cff9a480ebcfd8
Commit By: hartmans
Revision: 23492
Changed Files:
U branches/anonymous/src/plugins/preauth/pkinit/pkinit_srv.c
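The encoding mistake the commit message describes can be reproduced outside the KDC. RFC 4120 defines AuthorizationData as a SEQUENCE OF elements and AD-IF-RELEVANT as an AuthorizationData, so the ad-data octet string of an AD-IF-RELEVANT element must itself hold a SEQUENCE OF, not one bare element. The following is an added example written for this ticket, not krb5 code and not a reproduction of pkinit_srv.c: it carries its own minimal DER helpers, builds both the correct and the defective container around a constructed placeholder CA list, and walks the result the way a TGS-side authdata check has to, descending into the container. The function and class names are the example's own; the ad-type value 9 for AD-INITIAL-VERIFIED-CAS comes from RFC 4556, not from this page.

```python
"""AD-IF-RELEVANT must wrap a SEQUENCE OF AuthorizationData elements.

RFC 4120 5.2.6:  AuthorizationData ::= SEQUENCE OF SEQUENCE {
                     ad-type [0] Int32, ad-data [1] OCTET STRING }
                 AD-IF-RELEVANT ::= AuthorizationData
Standalone illustration; the DER code here is not libkrb5's ASN.1 layer.
"""

AD_TYPE_IF_RELEVANT = 1            # RFC 4120
AD_TYPE_INITIAL_VERIFIED_CAS = 9   # RFC 4556 (value not stated on the ticket)
TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30


class ASN1BadId(ValueError):
    """Stands in for krb5's ASN1_BAD_ID: a tag did not match the expected type."""


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_integer(v: int) -> bytes:
    # Minimal two's-complement INTEGER; ample for small ad-type values.
    return tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_ctx(n: int, inner: bytes) -> bytes:
    return tlv(0xA0 | n, inner)      # context-specific constructed [n]


def encode_ad_element(ad_type: int, ad_data: bytes) -> bytes:
    """One element: SEQUENCE { [0] ad-type, [1] ad-data }."""
    return tlv(TAG_SEQUENCE,
               der_ctx(0, der_integer(ad_type)) + der_ctx(1, tlv(TAG_OCTET_STRING, ad_data)))


def encode_authorization_data(elements) -> bytes:
    """AuthorizationData: SEQUENCE OF element."""
    return tlv(TAG_SEQUENCE, b"".join(encode_ad_element(t, d) for t, d in elements))


def wrap_if_relevant(ad_type: int, ad_data: bytes) -> bytes:
    """Correct: the AD-IF-RELEVANT ad-data is a complete AuthorizationData."""
    inner = encode_authorization_data([(ad_type, ad_data)])
    return encode_authorization_data([(AD_TYPE_IF_RELEVANT, inner)])


def wrap_if_relevant_buggy(ad_type: int, ad_data: bytes) -> bytes:
    """The defect in the ticket: a single element with no enclosing SEQUENCE OF."""
    inner = encode_ad_element(ad_type, ad_data)
    return encode_authorization_data([(AD_TYPE_IF_RELEVANT, inner)])


def _read_tlv(buf: bytes, pos: int, expect_tag: int):
    """Return (body, next_pos); raise ASN1BadId when the tag is not the expected one."""
    if pos >= len(buf):
        raise ValueError("truncated encoding")
    if buf[pos] != expect_tag:
        raise ASN1BadId(f"expected tag 0x{expect_tag:02x}, found 0x{buf[pos]:02x}")
    pos += 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def decode_authorization_data(buf: bytes):
    """Strict decoder: AuthorizationData -> list of (ad_type, ad_data)."""
    body, end = _read_tlv(buf, 0, TAG_SEQUENCE)
    if end != len(buf):
        raise ValueError("trailing bytes after AuthorizationData")
    out, pos = [], 0
    while pos < len(body):
        elem, pos = _read_tlv(body, pos, TAG_SEQUENCE)   # each element is a SEQUENCE
        t_wrap, p = _read_tlv(elem, 0, 0xA0)
        t_raw, _ = _read_tlv(t_wrap, 0, TAG_INTEGER)
        d_wrap, _ = _read_tlv(elem, p, 0xA1)
        d_raw, _ = _read_tlv(d_wrap, 0, TAG_OCTET_STRING)
        out.append((int.from_bytes(t_raw, "big", signed=True), d_raw))
    return out


def find_authdata(buf: bytes, wanted_type: int):
    """Collect ad-data of every element of wanted_type, descending into
    AD-IF-RELEVANT containers.  With the buggy encoding the inner decode hits
    a [0] tag where a SEQUENCE is required and raises ASN1BadId."""
    found = []
    for ad_type, ad_data in decode_authorization_data(buf):
        if ad_type == AD_TYPE_IF_RELEVANT:
            found.extend(find_authdata(ad_data, wanted_type))
        elif ad_type == wanted_type:
            found.append(ad_data)
    return found


def tgs_check_outcome(ticket_authdata: bytes) -> str:
    """What a TGS-side authdata scan sees: 'ok' or the ASN.1 error name."""
    try:
        find_authdata(ticket_authdata, AD_TYPE_INITIAL_VERIFIED_CAS)
        return "ok"
    except ASN1BadId:
        return "ASN1_BAD_ID"


if __name__ == "__main__":
    CA_LIST = b"constructed-placeholder-ca-list"   # constructed; not real DER CA identifiers
    for label, blob in (("correct", wrap_if_relevant(AD_TYPE_INITIAL_VERIFIED_CAS, CA_LIST)),
                        ("buggy", wrap_if_relevant_buggy(AD_TYPE_INITIAL_VERIFIED_CAS, CA_LIST))):
        print(f"{label:8s} {tgs_check_outcome(blob):12s} {blob.hex()}")
```

Comparing the two hex dumps shows the single missing layer: in the correct form the AD-IF-RELEVANT ad-data begins `30 .. 30 ..` (SEQUENCE OF, then the element), while the buggy form begins `30 .. a0 ..`, so the first thing a SEQUENCE OF decoder meets inside the container is a context tag [0] instead of a SEQUENCE, which is exactly the ASN1_BAD_ID the report describes.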
From: tlyu@mit.edu
Subject: SVN Commit

Pull up r23492 from branches/anonymous.

------------------------------------------------------------------------
r23492 | hartmans | 2009-12-23 16:09:50 -0500 (Wed, 23 Dec 2009) | 17 lines

Subject: ad-initial-verified-cas logic broken
ticket: 6587
status: open

In the initial pkinit implementation, the server plugin generates an
incorrect encoding for ad-initial-verified-cas. In particular, it
assumes that ad-if-relevant takes a single authorization data element
not a sequence of authorization data elements. Nothing looked at the
authorization data in 1.6.3 so this was not noticed. However in 1.7,
the FAST implementation looks for authorization data. In 1.8 several
more parts of the KDC examine authorization data. The net result is
that the KDC fails to process the TGT it issues.

However on top of this bug, there is a spec problem. For many of its
intended uses, ad-initial-verified-cas needs to be integrity
protected by the KDC in order to prevent a client from injecting it.
So, it should be contained in kdc-issued not ad-if-relevant.

For now we're simply removing the generation of this AD element until
the spec is clarified.

------------------------------------------------------------------------

https://github.com/krb5/krb5/commit/923455eea32b35d5ad32c527d3eb5f63f2499827
Commit By: tlyu
Revision: 23654
Changed Files:
U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c