Empty padata in AS-REQ
Hi,
Trying to acquire a TGT without the necessary password, ccache or keytab
entry will result in an AS-REQ with an empty padata field. I'm not talking
about the initial request with *null* padata. This is a second request
with a padata SEQUENCE that is simply empty:
$ dumpasn1 /tmp/out.bin
0 169: [APPLICATION 10] {
3 166: SEQUENCE {
6 3: [1] {
8 1: INTEGER 5
: }
11 3: [2] {
13 1: INTEGER 10
: }
16 2: [3] {
18 0: SEQUENCE {} <--- "empty" padata
: }
20 149: [4] {
23 146: SEQUENCE {
26 7: [0] {
28 5: BIT STRING...
This happens because lib/krb5/get_in_tkt.c:add_padata ignores errors
returned by key_proc. I think it would be more appropriate to check to
make sure that padata was successfully added with something like the
following patch:
diff -Naur get_in_tkt.c.0 get_in_tkt.c
--- get_in_tkt.c.0 2007-02-07 20:53:58.000000000 -0500
+++ get_in_tkt.c 2007-02-07 20:55:50.000000000 -0500
@@ -391,6 +391,7 @@
}
md->val = pa2;
+ ret = KRB5_KT_NOTFOUND;
for (i = 0; i < netypes; ++i) {
krb5_keyblock *key;
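Review bot: the fallback `ret = KRB5_KT_NOTFOUND;` set before the loop is a fixed code, but the loop body that calls key_proc is outside this hunk, so it is not visible whether the error key_proc actually returned (which need not be a keytab problem when the credential source is a password or ccache) is stored in `ret`; consider recording the last key_proc error in `ret` inside the loop so the caller sees the real cause rather than always "keytab entry not found".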
@@ -406,7 +407,7 @@
}
if(salt == &salt2)
krb5_free_salt(context, salt2);
- return 0;
+ return md->len ? 0 : ret;
}
static krb5_error_code
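Review bot: `return md->len ? 0 : ret;` makes the new error path depend on md->len being incremented only when a PA-DATA element was successfully appended; that holds only if the loop body (not shown) never bumps md->len on failure. Also, md->val was already assigned `pa2` in the previous hunk, so on the new error return the caller must still free md, or the allocation leaks; please confirm the callers of add_padata do so on a non-zero return.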
@@ -548,6 +549,8 @@
}
}
}
+ if (ret)
+ return ret;
} else
/* not sure this is the way to use `ptypes' */
if (ptypes == NULL || *ptypes == KRB5_PADATA_NONE)
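Review bot: the added `if (ret) return ret;` returns from the middle of the function rather than through whatever cleanup the function performs later, so anything allocated earlier in this function (not visible in the hunk) would be skipped; if the function has a common error exit, jump to it instead. As the covering text notes, callers that currently key off KRB5KDC_ERR_PREAUTH_REQUIRED will now see KRB5_KT_NOTFOUND, so that dependency should be checked before the patch goes in.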
Note that this will change the error reported from
KRB5KDC_ERR_PREAUTH_REQUIRED to KRB5_KT_NOTFOUND so one must also consider
any logic that might depend on this error condition.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
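The three states the post distinguishes (null padata in the initial request, an empty padata SEQUENCE in the faulty second request, and a populated padata) can be told apart by walking the DER of the AS-REQ. The following is an added example, not code from the original post or from Heimdal: a small DER builder and walker that constructs AS-REQ prefixes matching the tag layout of the dumpasn1 output above ([APPLICATION 10] > SEQUENCE > [1] pvno 5, [2] msg-type 10, [3] padata, [4] req-body) and classifies the padata field. The req-body content, the sample PA-DATA element and all byte values are constructed for illustration; the function and variable names are the example's own.

```python
"""Classify the padata field of a Kerberos AS-REQ from its DER encoding.

Added example (not Heimdal code). Tag bytes follow the ASN.1 layout shown
by dumpasn1 in the post: APPLICATION 10 constructed = 0x6A, SEQUENCE = 0x30,
context-specific constructed [n] = 0xA0 | n.
"""
from typing import Iterator, Optional, Tuple

def der_len(n: int) -> bytes:
    """Encode a DER length in short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a single-byte tag plus DER length."""
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v: int) -> bytes:
    """INTEGER for small non-negative values (enough for pvno / msg-type)."""
    return tlv(0x02, v.to_bytes(1, "big"))

def ctx(n: int, content: bytes) -> bytes:
    """Context-specific constructed tag [n]."""
    return tlv(0xA0 | n, content)

# Constructed sample PA-DATA: padata-type 2 (PA-ENC-TIMESTAMP) with dummy value.
SAMPLE_PA_DATA = tlv(0x30, ctx(1, der_int(2)) + ctx(2, tlv(0x04, b"\x00" * 4)))

def build_as_req(padata: Optional[bytes]) -> bytes:
    """Build an AS-REQ prefix. padata=None omits [3]; b'' yields SEQUENCE {};
    any other bytes are placed inside the padata SEQUENCE as-is."""
    fields = ctx(1, der_int(5)) + ctx(2, der_int(10))
    if padata is not None:
        fields += ctx(3, tlv(0x30, padata))
    # Placeholder req-body: [4] SEQUENCE { [0] BIT STRING (kdc-options) } only.
    fields += ctx(4, tlv(0x30, ctx(0, tlv(0x03, b"\x00\x00\x00\x00\x00"))))
    return tlv(0x6A, tlv(0x30, fields))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one TLV at pos; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:end], end

def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def classify_padata(as_req: bytes) -> str:
    """Return 'absent', 'empty' or 'present' for the AS-REQ padata field."""
    tag, outer, end = read_tlv(as_req, 0)
    if tag != 0x6A or end != len(as_req):
        raise ValueError("not an AS-REQ ([APPLICATION 10] expected)")
    tag, fields, _ = read_tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("AS-REQ body is not a SEQUENCE")
    for ftag, fcontent in iter_tlvs(fields):
        if ftag == 0xA3:  # [3] padata
            stag, seq, _ = read_tlv(fcontent, 0)
            if stag != 0x30:
                raise ValueError("padata is not a SEQUENCE")
            return "empty" if len(seq) == 0 else "present"
    return "absent"

if __name__ == "__main__":
    for label, pa in (("initial", None), ("buggy", b""), ("ok", SAMPLE_PA_DATA)):
        print(label, classify_padata(build_as_req(pa)))
```

The "buggy" case reproduces the bytes `a3 02 30 00` seen in the dump at offset 16 ([3] of length 2 wrapping a zero-length SEQUENCE); a client-side check equivalent to the patch's `md->len ? 0 : ret` is simply refusing to send when `classify_padata` returns "empty".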