[16495] in Kerberos-V5-bugs
[krbdev.mit.edu #8885] PKINIT calls responder twice
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Mar 9 15:33:39 2020
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.4-59925-1583782383-1100.8885-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8885":;
Date: Mon, 09 Mar 2020 15:33:04 -0400
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Mon Mar 09 15:33:03 2020: Request 8885 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: PKINIT calls responder twice
Owner: Nobody
Requestors: ghudson@mit.edu
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8885 >
During a PKINIT AS-REQ, there are two rounds of client padata processing, one
to generate the request and one to validate the KDC response and compute the
reply key.
During the first round, pkinit_client_prep_questions() calls
pkinit_identity_initialize(), which calls crypto_load_certs() with
defer_id_prompts=TRUE. This accumulates a list of identities in
id_cryptoctx->deferred_ids. pkinit_client_prep_questions() then generates a
PKINIT question containing the list of identities to be prompted for.
During the second round, pkinit_client_prep_questions() is again called. The
pkinit_identity_initialize() call is skipped (because
reqctx->identity_initialized is true), but the list of deferred identities is
still present, so a question is again generated. PKINIT does not need access to
client certificates while processing the KDC response, so the question is
pointless and creates a bad user experience.
The simplest way to suppress the second question is probably to check that
the padata type is KRB5_PADATA_PK_AS_REQ.
The double-responder behavior is already visible in t_pkinit.py tests, such as
the "FILE identity, password on key (responder)". We simply need to count the
number of "OK:" messages in the output to see how many responder calls are
made.
Reported by Russ Allbery.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
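The following is a small model of the two-round padata behaviour the ticket describes, added here as an illustration; it is not code from the ticket or from the krb5 source tree. The dataclasses and functions are simplified stand-ins for reqctx, id_cryptoctx->deferred_ids and pkinit_client_prep_questions(), the padata type numbers are the RFC 4556 values, and the sample responder output is constructed. It shows why a question is produced in both rounds when only the identity_initialized flag is consulted, and how checking the padata type limits the question to the PK_AS_REQ round, along with the "OK:" line count the ticket proposes for the test.

```python
"""Toy model of the PKINIT client padata rounds described in the ticket.

Added illustration, not krb5 code: the context objects and prep_questions()
are simplified stand-ins for the pkinit structures and functions named in
the report.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Padata type numbers as assigned in RFC 4556.
KRB5_PADATA_PK_AS_REQ = 16
KRB5_PADATA_PK_AS_REP = 17


@dataclass
class IdCryptoCtx:
    # Stand-in for id_cryptoctx->deferred_ids: identities whose prompts were
    # deferred while loading certificates with defer_id_prompts=TRUE.
    deferred_ids: List[str] = field(default_factory=list)


@dataclass
class ReqCtx:
    # Stand-in for reqctx->identity_initialized and its crypto context.
    identity_initialized: bool = False
    id_cryptoctx: IdCryptoCtx = field(default_factory=IdCryptoCtx)


def identity_initialize(reqctx: ReqCtx, identities: List[str]) -> None:
    """Model of pkinit_identity_initialize() with deferred prompting:
    record the identities to prompt for instead of prompting now."""
    reqctx.id_cryptoctx.deferred_ids.extend(identities)
    reqctx.identity_initialized = True


def prep_questions(reqctx: ReqCtx, pa_type: int, identities: List[str],
                   check_pa_type: bool) -> Optional[List[str]]:
    """Model of pkinit_client_prep_questions().

    Returns the identities placed in a PKINIT question, or None when no
    question is generated.  check_pa_type=False reproduces the behaviour the
    ticket describes; check_pa_type=True applies the suggested fix of only
    asking while processing a PK_AS_REQ.
    """
    if check_pa_type and pa_type != KRB5_PADATA_PK_AS_REQ:
        return None
    if not reqctx.identity_initialized:
        identity_initialize(reqctx, identities)
    # The deferred list survives into the second round, which is the bug.
    deferred = reqctx.id_cryptoctx.deferred_ids
    return list(deferred) if deferred else None


def run_as_exchange(identities: List[str], check_pa_type: bool) -> int:
    """Drive the two client padata rounds of a PKINIT AS exchange (request
    generation, then reply processing) and return how many questions, and
    therefore responder calls, were generated."""
    reqctx = ReqCtx()
    calls = 0
    for pa_type in (KRB5_PADATA_PK_AS_REQ, KRB5_PADATA_PK_AS_REP):
        if prep_questions(reqctx, pa_type, identities, check_pa_type) is not None:
            calls += 1
    return calls


def count_responder_calls(test_output: str) -> int:
    """Count responder invocations in t_pkinit.py-style output by counting
    lines that start with "OK:", as the ticket suggests."""
    return sum(1 for line in test_output.splitlines() if line.startswith("OK:"))


# Constructed sample of responder test output with two invocations; the
# wording is illustrative and not real krb5 test output.
SAMPLE_OUTPUT = """OK: pkinit question received
OK: pkinit question received
"""

if __name__ == "__main__":
    ids = ["FILE:/tmp/user.pem,/tmp/user.key"]
    print("questions without padata-type check:", run_as_exchange(ids, False))
    print("questions with padata-type check:", run_as_exchange(ids, True))
    print("responder calls in sample output:", count_responder_calls(SAMPLE_OUTPUT))
```

Running the module prints 2 for the unchecked variant and 1 for the variant that tests the padata type, matching the one-question-per-exchange outcome the ticket is after; count_responder_calls() is the kind of assertion the t_pkinit.py change would need.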