Wrong type of TGS nonce? #1219
Comments
You're correct, this is a bug in
@nicowilliams Thanks for the prompt confirmation!
The environment is using samba lorikeet-heimdal, which is forked from here and is patched for KDC. But the problem was found as a Kerberos client with a Windows AD. I thought the bug might exist in both repos due to the same encode implementation of the Kerberos TGS nonce.

Symptom
While using Kerberos authentication, the TGS process may fail on the client side due to a mismatched nonce.

Reproduce
It is hard to reproduce because it relies on the random nonce value generated by the `krb5_generate_random_block` function within `get_cred_kdc`. However, it can still be reproduced by directly assigning the nonce value using gdb.

Bug
The nonce will be encoded in ASN1. And I found that if the nonce is greater than 4286578687 ( > 0xFF7FFFFF), the MSB 8 bits will be discarded.

Details
Based on the RFC4120, the `nonce` should be `unsigned int`, but the `KDC-REQ-BODY` in krb5.asn1 is still `Krb5Int32`, which differs from `Krb5UInt32` for ASN1 encode.

If the nonce type is `Krb5Int32`, it will call `der_put_integer` to encode the value. And if the nonce type is `Krb5UInt32`, it will call `der_put_unsigned` to encode the value. After I changed the nonce type of `KDC-REQ-BODY` from `Krb5Int32` to `Krb5UInt32` in `krb5.asn1`, the issue was solved.

I wonder, is there a compatibility issue with the Kerberos implementation? I found that RFC1510 specifies the nonce as an `INTEGER`. However, RFC4120, which I previously mentioned, stipulates that it should be `UInt32`.
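
The encoding difference described in the issue, as an added example that is not part of the original post and is not Heimdal's code: `enc_signed` and `enc_unsigned` are hypothetical stand-ins that apply DER's minimal-length rule to a signed and an unsigned 32-bit value, and `read_magnitude` is an assumed receiver that reads the content octets as a big-endian magnitude. The nonce `0xFF800000` is a constructed sample just above the threshold the issue reports.

```c
#include <stdint.h>
#include <stdio.h>

/* Minimal DER INTEGER content octets for a signed 32-bit value (hypothetical helper). */
size_t enc_signed(int32_t v, unsigned char out[5])
{
    unsigned char b[4];
    size_t skip = 0, i;
    for (i = 0; i < 4; i++)
        b[i] = (unsigned char)((uint32_t)v >> (24 - 8 * i));
    /* A leading 0x00/0xFF octet is dropped while the next octet carries the same sign bit. */
    while (skip < 3 && ((b[skip] == 0x00 && !(b[skip + 1] & 0x80)) ||
                        (b[skip] == 0xFF && (b[skip + 1] & 0x80))))
        skip++;
    for (i = skip; i < 4; i++)
        out[i - skip] = b[i];
    return 4 - skip;
}

/* Minimal DER INTEGER content octets for an unsigned 32-bit value: a 0x00 pad keeps it non-negative. */
size_t enc_unsigned(uint32_t v, unsigned char out[5])
{
    unsigned char b[5] = {0};
    size_t skip = 0, i;
    for (i = 0; i < 4; i++)
        b[i + 1] = (unsigned char)(v >> (24 - 8 * i));
    while (skip < 4 && b[skip] == 0x00 && !(b[skip + 1] & 0x80))
        skip++;
    for (i = skip; i < 5; i++)
        out[i - skip] = b[i];
    return 5 - skip;
}

/* Assumed receiver: reads the content octets as a big-endian magnitude. */
uint32_t read_magnitude(const unsigned char *p, size_t n)
{
    uint32_t v = 0;
    while (n--)
        v = (v << 8) | *p++;
    return v;
}

int main(void)
{
    uint32_t nonce = 0xFF800000u; /* constructed sample, just above 0xFF7FFFFF */
    unsigned char s[5], u[5];
    size_t ns = enc_signed((int32_t)nonce, s), nu = enc_unsigned(nonce, u);
    printf("signed:   %zu octets -> 0x%08X\n", ns, (unsigned)read_magnitude(s, ns));
    printf("unsigned: %zu octets -> 0x%08X\n", nu, (unsigned)read_magnitude(u, nu));
    return 0;
}
```

The signed path emits three octets (`80 00 00`) because the leading `0xFF` is redundant in two's complement, while `0xFF7FFFFF` still needs all four; the unsigned path emits five octets with a `0x00` pad and round-trips the full value.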