[2480] in Kerberos-V5-bugs
krb5-kdc/212: TGS-REQ handling is incorrect
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Wed Nov 20 19:53:27 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Marc Horowitz <marc@cygnus.com>
Date: 20 Nov 1996 19:52:34 -0500
From: Marc Horowitz <marc@cygnus.com>
To: krb5-bugs@MIT.EDU
>Number: 212
>Category: krb5-kdc
>Synopsis: TGS-REQ handling is incorrect
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 20 19:53:00 EST 1996
>Last-Modified:
>Originator: Marc Horowitz
>Organization:
Cygnus Support, Mountain View, CA
>Release:
>Environment:
<machine, os, target, libraries (multiple lines)>
System: NetBSD rover 1.2B NetBSD 1.2B (MARC) #0: Thu Nov 7 00:29:02 EST 1996 marc@rover:/u3/netbsd/src/sys/arch/i386/compile/MARC i386
>Description:
There are some discrepancies between RFC 1510 and the code in the MIT
tree w.r.t. TGS-REQ handling. RFC 1510 section 3.3.2 states:
    Once the accompanying ticket has been decrypted, the user-supplied
    checksum in the Authenticator must be verified against the contents
    of the request, and the message rejected if the checksums do not
    match (with an error code of KRB_AP_ERR_MODIFIED) or if the checksum
    is not keyed or not collision-proof (with an error code of
    KRB_AP_ERR_INAPP_CKSUM).
Thus, the checksum in the authenticator must be keyed and
collision-proof.
RFC 1510 section 5.4.1 says:
    The checksum in the authenticator
    (which must be collisionproof) is to be computed over the
    KDC-REQ-BODY encoding.
Which just requires that it be collision-proof.
These two sections conflict. The KDC only requires that the checksum
be collision-proof. The client library defaults to a non-keyed
checksum, but one could be customized in the krb5.conf file.
TGS-REP seems to be handled properly, with or without a subkey
present.
There does not seem to be any code which would cause a core dump if an
improper request is sent to the kdc.
>How-To-Repeat:
<code/input/activities to reproduce the problem (multiple lines)>
>Fix:
<how to correct or work around the problem, if known (multiple lines)>
>Audit-Trail:
>Unformatted:
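The two checksum policies the report contrasts, as an added illustration that is not part of the report or of the MIT code: `require_keyed=False` models the collision-proof-only check the report says the KDC applies, `require_keyed=True` models the RFC 1510 3.3.2 rule. The checksum type names follow RFC 1510 6.4 except `hmac-md5`, which is a constructed keyed stand-in for the DES-keyed types; the request body and key are constructed sample values.

```python
import hashlib
import hmac
import zlib

# Properties of the checksum types modelled here. crc32 is neither keyed nor
# collision-proof, rsa-md5 is collision-proof but unkeyed, and "hmac-md5" is a
# constructed keyed, collision-proof stand-in for RFC 1510's DES-keyed types.
CKSUM_TYPES = {
    "crc32":    {"keyed": False, "collision_proof": False},
    "rsa-md5":  {"keyed": False, "collision_proof": True},
    "hmac-md5": {"keyed": True,  "collision_proof": True},
}


def compute_checksum(cktype, key, req_body):
    """Checksum over the KDC-REQ-BODY encoding (RFC 1510 5.4.1)."""
    if cktype == "crc32":
        return zlib.crc32(req_body).to_bytes(4, "little")
    if cktype == "rsa-md5":
        return hashlib.md5(req_body).digest()
    if cktype == "hmac-md5":
        return hmac.new(key, req_body, hashlib.md5).digest()
    raise ValueError("unknown checksum type: %s" % cktype)


def check_tgs_req(cktype, cksum, key, req_body, require_keyed):
    """Validate the authenticator checksum of a TGS-REQ.

    Returns None on success, otherwise the RFC 1510 error code name.
    require_keyed=True enforces section 3.3.2 (keyed AND collision-proof);
    require_keyed=False enforces only the 5.4.1 wording (collision-proof),
    which is what the report says the KDC currently does.
    """
    props = CKSUM_TYPES.get(cktype)
    if props is None or not props["collision_proof"]:
        return "KRB_AP_ERR_INAPP_CKSUM"
    if require_keyed and not props["keyed"]:
        return "KRB_AP_ERR_INAPP_CKSUM"
    expected = compute_checksum(cktype, key, req_body)
    if not hmac.compare_digest(expected, cksum):
        return "KRB_AP_ERR_MODIFIED"
    return None
```

With the lenient policy a request carrying an unkeyed rsa-md5 checksum is accepted; under the 3.3.2 policy the same request is rejected with KRB_AP_ERR_INAPP_CKSUM before the checksum value is even compared.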