Re: PKINIT to Windows AD fails about half the time

[Love Hörnquist Åstrand <lha@kth.se>]

"Douglas E. Engert" <deengert@anl.gov> writes:

> While testing the Heimdal-20050405 PKINIT client code with smart
> cards and Windows AD, about half the time the AD would return
> a KRB_ERROR with error code 60, (generic error) and no
> e-text or e-data.
>
> looking closer the difference appears to be that Win2K AD is
> expecting the nonce to be a positive int32 or it can't parse the
> asn1.

Is is the pknonce that is the problem or the nonce ? The reason I'm asking
is that the old code used 0xffffffff for nonce.

Love

--- lib/krb5/init_creds_pw.c	7 Apr 2005 20:15:18 -0000	1.82
+++ lib/krb5/init_creds_pw.c	21 Apr 2005 08:42:52 -0000
@@ -1210,12 +1210,8 @@
     krb5_generate_random_block (&ctx->nonce, sizeof(ctx->nonce));
     ctx->nonce &= 0xffffffff;
     ctx->as_req.req_body.nonce = ctx->nonce;
-#if 0
     krb5_generate_random_block (&ctx->pk_nonce, sizeof(ctx->pk_nonce));
-    ctx->pk_nonce &= 0xffffffff;
-#else
-    ctx->pk_nonce = ctx->nonce;
-#endif
+    ctx->pk_nonce &= 0x7fffffff;
 
 #define MAX_PA_COUNTER 3

PGP signature