Subject: kinit_fast fails if weak enctype is among client principal keys
If the following patch is applied, make check in tests/dejagnu fails when attempting to test
kinit with FAST enabled.

diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 8e540b3..3f20d30 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -177,7 +177,7 @@ set passes {
aes-only
mode=udp
des3_krbtgt=0
- {supported_enctypes=aes256-cts-hmac-sha1-96:normal}
+ {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal}
{permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96}
{permitted_enctypes(client)=aes256-cts-hmac-sha1-96}
{permitted_enctypes(server)=aes256-cts-hmac-sha1-96}
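Review bot: the pass this hunk edits is still headed by the line `aes-only`, yet `supported_enctypes` now also lists `des-cbc-crc:normal`, so the pass name no longer describes its configuration; consider renaming the pass or adding a comment in default.exp stating that des-cbc-crc is deliberately present in supported_enctypes but absent from all three permitted_enctypes lines, so that principals carry a key the KDC must skip, which is the condition this ticket reproduces.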
There are a few things going on here:

* When it comes time to generate the PA_ETYPE_INFO2 padata,
etype_info_helper is getting a KRB5_KDB_NO_PERMITTED_KEY error from
krb5_dbe_search_enctype and is barfing. So there is no etype
information transmitted to the client in the preauth-required error.
This is the main cause of the bug.

* This is causing the encrypted timestamp code to try to string-to-key
the password with a 0 enctype, which in turn causes it to fail and not
generate any padata.

* Then we get bug #6430 where the client loops if it doesn't manage to
generate any padata.

The appropriate fix is under discussion. The krb5_dbe_search_enctype
logic for when to return NO_PERMITTED_KEY is a little weird, and perhaps
it should not be returning that error if *start was not 0 upon entry to
the function (because that implies matching keys were previously returned).
From: ghudson@mit.edu
Subject: SVN Commit

Don't return KRB5_KDB_NO_PERMITTED_KEY from
krb5_dbe_def_search_enctype if we previously returned results (i.e. if
*start > 0).


https://github.com/krb5/krb5/commit/a9ac2726b22a22f999b52ff05b4991474bd82d10
Commit By: ghudson
Revision: 23597
Changed Files:
U trunk/src/lib/kdb/kdb_default.c
Should also pull up r23599, which makes the NO_PERMITTED_KEY return more consistent.
From: tlyu@mit.edu
Subject: SVN Commit

pull up r23597, r23599 from trunk

------------------------------------------------------------------------
r23599 | ghudson | 2010-01-06 18:44:04 -0500 (Wed, 06 Jan 2010) | 4 lines

Make krb5_dbe_def_search_enctype more consistent about when it returns
KRB5_KDB_NO_PERMITTED_KEY. Now it will return that error if it sees
any non-permitted enctypes which match the search criteria.

------------------------------------------------------------------------
r23597 | ghudson | 2010-01-06 18:14:14 -0500 (Wed, 06 Jan 2010) | 8 lines

ticket: 6622
target_version: 1.8
tags: pullup

Don't return KRB5_KDB_NO_PERMITTED_KEY from
krb5_dbe_def_search_enctype if we previously returned results (i.e. if
*start > 0).

https://github.com/krb5/krb5/commit/32a72f8b65681e8841e34d75811b83de30bf9943
Commit By: tlyu
Revision: 23615
Changed Files:
U branches/krb5-1-8/src/lib/kdb/kdb_default.c
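The key-search behaviour the report describes (ETYPE-INFO2 generation aborting on KRB5_KDB_NO_PERMITTED_KEY) and the return semantics r23597 and r23599 introduce, as an added model in C that is not krb5's kdb_default.c: enctype numbers and the two error codes are stand-ins, the key list and permitted list follow the test configuration in the patch above, and the search skips the kvno and salt-type matching the real function also does.

```c
/* Added model (not krb5's kdb_default.c) of the key search the ticket
 * discusses, with pre-fix vs. r23597/r23599 return semantics. */
#include <stdbool.h>
#include <stddef.h>

enum { AES256_CTS = 18, DES_CBC_CRC = 1 };          /* enctype numbers */
enum { NO_MATCHING_KEY = 1, NO_PERMITTED_KEY = 2 }; /* stand-in error codes */

static bool is_permitted(int enctype, const int *perm, size_t nperm)
{
    for (size_t i = 0; i < nperm; i++)
        if (perm[i] == enctype) return true;
    return false;
}

/* Next key at or after *start matching ktype (0 = any); keys in
 * non-permitted enctypes are skipped.  fixed=false: NO_PERMITTED_KEY
 * whenever a non-permitted match was skipped and nothing else was found,
 * even after earlier results.  fixed=true: NO_PERMITTED_KEY only if *start
 * was 0 on entry (r23597), but then whenever such a key was seen (r23599). */
static int search_enctype(const int *keys, size_t nkeys, const int *perm,
                          size_t nperm, int ktype, size_t *start, bool fixed)
{
    bool saw_non_permitted = false;
    for (size_t i = *start; i < nkeys; i++) {
        if (ktype != 0 && keys[i] != ktype) continue;
        if (!is_permitted(keys[i], perm, nperm)) { saw_non_permitted = true; continue; }
        *start = i + 1;                     /* caller resumes after this key */
        return 0;                           /* keys[*start - 1] is the match */
    }
    if (saw_non_permitted && (!fixed || *start == 0)) return NO_PERMITTED_KEY;
    return NO_MATCHING_KEY;
}

/* Model of etype_info_helper's loop for the ticket's principal (keys in
 * aes256 and des-cbc-crc, KDC permitted_enctypes = aes256 only): returns
 * the number of ETYPE-INFO2 entries, or -1 if the loop aborts on an
 * unexpected error, which is the failure the report describes. */
int etype_info_entries(bool fixed)
{
    const int keys[] = { AES256_CTS, DES_CBC_CRC }, perm[] = { AES256_CTS };
    size_t start = 0;
    int n = 0, ret;
    while ((ret = search_enctype(keys, 2, perm, 1, 0, &start, fixed)) == 0)
        n++;
    return ret == NO_MATCHING_KEY ? n : -1;
}
```

With the pre-fix semantics the second call hits the des-cbc-crc key and returns NO_PERMITTED_KEY, so no ETYPE-INFO2 is sent; with the fixed semantics the first aes256 entry is kept and the scan ends with NO_MATCHING_KEY.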