[krbdev.mit.edu #5867] krb-priv sequence numbers don't match up in retransmitted requests

The RT System itself via RT rt-comment at krbdev.mit.edu
Mon Jan 7 13:29:27 EST 2008


Date: Mon, 7 Jan 2008 11:32:00 -0500
Message-Id: <200801071632.m07GW0S4025212 at blade.boston.redhat.com>
To: krb5-bugs at mit.edu
Subject: kpasswd requests sent to second and subsequent servers contain incorrect sequence numbers
From: nalin at redhat.com


>Submitter-Id:	net
>Originator:	
>Organization:
Nalin
>Confidential:	no
>Synopsis:	krb-priv sequence numbers don't match up in retransmitted requests
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.6.3
>Environment:
	
System: Linux blade.boston.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	The kpasswd_sendto_msg_callback() function in src/lib/krb5/os/changepw.c
	generates a new krb-priv message for each server to which it will be
	sending a set/change request so that the right channel bindings get set.
	It does this using an auth_context for which it resets the address
	information for each request, but the sequence numbers don't get reset.
	As a result, if the request is sent to more than one server, every
	request except the first will fail to decrypt if the server is checking
	sequence numbers.
>How-To-Repeat:
	Configure a client to have multiple kpasswd_servers specified in its
	configuration.  Make the first one a bogus one which isn't actually
	listening for requests.  The "real" one will fail to decrypt the
	client's request.
>Fix:
	The code might be rewritten to use different auth_context structures
	and unique as-req requests at some point, but the least intrusive
	thing seems to be to continue reusing the auth_context, resetting
	the local and remote sequence numbers before every krb-priv
	message is generated, like this:

Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c	(revision 20199)
+++ src/lib/krb5/os/changepw.c	(working copy)
@@ -34,6 +34,7 @@
 #include "k5-int.h"
 #include "os-proto.h"
 #include "cm.h"
+#include "../krb/auth_con.h"
 
 #include <stdio.h>
 #include <errno.h>
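Review bot: the new `#include "../krb/auth_con.h"` reaches across directories into the library's private auth_context definition, which is what lets the later hunks assign `remote_seq_number` and `local_seq_number` directly; that layering choice deserves a comment at the include site. Reading the values could instead go through the existing krb5_auth_con_getlocalseqnumber() and krb5_auth_con_getremoteseqnumber() accessors, but the restore would need a matching setter for each, so the direct access is the smaller change if those are not available.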
@@ -48,6 +49,7 @@
     krb5_principal 	set_password_for;
     char 		*newpw;
     krb5_data 		ap_req;
+    krb5_ui_4		remote_seq_num, local_seq_num;
 };
 
 
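Review bot: the two new members `remote_seq_num, local_seq_num` carry no comment saying what they hold or when they are valid; a one-liner such as `/* seq numbers captured right after krb5_mk_req_extended, restored before each krb5_mk_priv */` would tell a reader why a sendto callback context keeps its own copy of auth_context state.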
@@ -159,6 +161,9 @@
 				       &local_kaddr, NULL))) 
 	goto cleanup;
 
+    ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
+    ctx->auth_context->local_seq_number = ctx->local_seq_num;
+
     if (ctx->set_password_for)
 	code = krb5int_mk_setpw_req(ctx->context, 
 				    ctx->auth_context, 
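Review bot: the restore of `remote_seq_number` and `local_seq_number` is unconditional and runs on the first callback too, which is harmless because the auth_context still holds those values on the first pass; what the hunk lacks is a comment saying why both numbers are rewound (the same AP-REQ is re-sent to each server, so each server seeds a fresh auth context from that AP-REQ's sequence number and expects the client's first KRB-PRIV to carry it). Without that, the reset reads as if it could defeat sequence checking on the reply path.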
@@ -225,6 +230,9 @@
 				     &callback_ctx.ap_req)))
 	goto cleanup;
 
+    callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
+    callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
+
     do {
 	if ((code = krb5_locate_kpasswd(callback_ctx.context,
 					krb5_princ_realm(callback_ctx.context,
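Review bot: the snapshot is taken right after the AP-REQ is built and before the first krb5_mk_priv, which is the right point, but it depends on `callback_ctx.ap_req` being generated once and reused for every server; if a later change regenerates the AP-REQ per attempt, these two lines have to move with it. A comment tying the snapshot to the single `ap_req` would make that coupling visible.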


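The mismatch from the description and the effect of the proposed reset, as an added C model that is not part of this report or of the krb5 sources: it assumes a toy mk_priv/rd_priv pair in which the client stamps and advances its local sequence number on each message and every server checks the message against the number seeded from the re-sent AP-REQ.

```c
/* Constructed model of the krb-priv sequence-number mismatch (not krb5 code). */
#include <stdbool.h>
#include <stdint.h>
struct auth_ctx { uint32_t local_seq, remote_seq; };   /* toy auth_context */
struct server   { struct auth_ctx ac; bool established; };
struct priv_msg { uint32_t seq; const char *body; };   /* toy KRB-PRIV */

/* Client side of mk_priv: stamp the current local number, then advance it. */
static struct priv_msg mk_priv(struct auth_ctx *ac, const char *body)
{
    struct priv_msg m = { ac->local_seq, body };
    ac->local_seq++;
    return m;
}

/* Server side of rd_req: a fresh auth context seeded from the AP-REQ's number. */
static void server_rd_req(struct server *s, uint32_t client_initial_seq)
{
    s->ac.remote_seq = client_initial_seq;
    s->established = true;
}

/* Server side of rd_priv with sequence checking: accept only the expected one. */
static bool server_rd_priv(struct server *s, const struct priv_msg *m)
{
    if (!s->established || m->seq != s->ac.remote_seq)
        return false;
    s->ac.remote_seq++;
    return true;
}

/* Send one change request to nservers in turn; the first is bogus and never
 * answers. reset_fix mirrors the patch: rewind local_seq before each mk_priv. */
static int send_to_servers(int nservers, bool reset_fix)
{
    struct auth_ctx client = { .local_seq = 1000, .remote_seq = 0 };
    uint32_t saved_local = client.local_seq;   /* snapshot taken after mk_req */
    int accepted = 0;
    for (int i = 0; i < nservers; i++) {
        struct server s = { { 0, 0 }, false };
        if (reset_fix) client.local_seq = saved_local;
        struct priv_msg m = mk_priv(&client, "change-password");
        if (i == 0) continue;             /* bogus first server: no reply at all */
        server_rd_req(&s, saved_local);   /* the same AP-REQ is re-sent */
        if (server_rd_priv(&s, &m))
            accepted++;
    }
    return accepted;   /* how many servers accepted the request */
}
```

Without the reset the second and third servers see sequence numbers 1001 and 1002 while expecting 1000, which is the decrypt failure the report describes.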