pkinit: Correctly pad Diffie-Hellman key#1177
Conversation
If the Diffie-Hellman key was ‘n’ bytes too short, we would shift it to the right ‘n’ places, padding it out to the correct length to compute the reply key.

Unfortunately, we forgot to increase the size of the key accordingly, so ‘n’ trailing key bytes would be discarded. This could mean failure to decrypt a reply when interoperating with a Kerberos implementation without this bug.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
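The padding step the description refers to, as an added example that is not Heimdal's code: a constructed 6-byte shared secret is padded to an assumed 8-byte key length, once by a variant that forgets to update the length (the bug) and once by a variant that does (the fix), and a check reports how many bytes of the correctly padded key actually reach key derivation in each case. The names `pad_dh_key_buggy`, `pad_dh_key_fixed`, `bytes_seen_by_kdf`, `KEY_SIZE` and the sample bytes are this example's own, not identifiers from the pkinit source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not Heimdal's code). Models the pkinit padding step from
 * the commit message: a Diffie-Hellman shared secret that came out `n`
 * bytes shorter than the full key length is shifted right by `n` bytes,
 * the gap is filled with zeros, and the length handed to key derivation
 * must grow by `n` as well. KEY_SIZE, the function names and the sample
 * bytes are constructed for this example.
 *
 * Both variants take a buffer of `size` bytes whose first `keylen` bytes
 * hold the short secret, pad it in place, and return the length the
 * caller should derive the reply key from.
 */

#define KEY_SIZE 8                      /* constructed: full key length */

/* Before the fix: pads the buffer but returns the old, short length. */
static size_t pad_dh_key_buggy(uint8_t *key, size_t keylen, size_t size)
{
    size_t pad;

    if (keylen >= size)
        return keylen;
    pad = size - keylen;
    memmove(key + pad, key, keylen);    /* shift the key right by `pad` */
    memset(key, 0, pad);                /* zero the leading gap */
    return keylen;                      /* bug: `pad` trailing bytes are lost */
}

/* After the fix: the returned length covers the zero padding too. */
static size_t pad_dh_key_fixed(uint8_t *key, size_t keylen, size_t size)
{
    size_t pad;

    if (keylen >= size)
        return keylen;
    pad = size - keylen;
    memmove(key + pad, key, keylen);
    memset(key, 0, pad);
    return keylen + pad;                /* what the patch's added line does */
}

/* Constructed 6-byte secret, i.e. two bytes short of KEY_SIZE. */
static const uint8_t short_secret[6] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc};

/* The value key derivation should see: two leading zeros, nothing lost. */
static const uint8_t expected_key[KEY_SIZE] =
    {0x00, 0x00, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc};

/*
 * Pads a copy of short_secret with the chosen variant and returns how many
 * bytes of the correctly padded key a consumer of key[0..len) would see.
 * KEY_SIZE means the full key survives; less means trailing bytes were cut;
 * 0 means the padded bytes themselves are wrong.
 */
static size_t bytes_seen_by_kdf(int use_fixed)
{
    uint8_t buf[KEY_SIZE];
    size_t len;

    memcpy(buf, short_secret, sizeof short_secret);
    len = use_fixed
        ? pad_dh_key_fixed(buf, sizeof short_secret, KEY_SIZE)
        : pad_dh_key_buggy(buf, sizeof short_secret, KEY_SIZE);

    if (len > KEY_SIZE || memcmp(buf, expected_key, len) != 0)
        return 0;
    return len;
}

int main(void)
{
    printf("buggy: %zu of %d key bytes reach the KDF\n",
           bytes_seen_by_kdf(0), KEY_SIZE);
    printf("fixed: %zu of %d key bytes reach the KDF\n",
           bytes_seen_by_kdf(1), KEY_SIZE);
    return 0;
}
```

The buggy variant hands key derivation only the first six of the eight padded bytes, so the two sides of the exchange derive different reply keys whenever the shared secret happens to be short, which is why the failures the thread describes show up only sometimes rather than on every exchange.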
@@ -230,6 +230,7 @@ generate_dh_keyblock(krb5_context context, | |||
size -= dh_gen_keylen; | |||
memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen); | |||
memset(dh_gen_key, 0, size); | |||
dh_gen_keylen += size; |
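Review bot: the added `dh_gen_keylen += size;` is the right correction, since the memmove/memset above it placed `size` zero bytes in front of the key and the length passed on must cover them, but by this point `size` no longer means the full key length (it was reassigned by `size -= dh_gen_keylen;` two lines up), so the hunk is easy to misread; consider either a short comment such as `/* size now holds the number of leading zero bytes */` or a dedicated `pad` variable. Also worth recording in the commit message: as the discussion below notes, a peer that still derives the reply key from the truncated length will disagree with a fixed one, so this change alone does not give interoperability with unfixed Heimdal peers.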
Does the buggy client mean we need to try both possibilities now?
Yes, if we want to interoperate with buggy Heimdal clients without sporadic failures. For the other way round, interoperating with buggy Heimdal servers, the client probably would need to keep regenerating the key until it got a working one.
Does the existing code successfully interoperate with MIT?
I don’t know. I haven’t tested that.
mattwoodyard commented Jun 6, 2024
The client side of this patch seems to have fixed client side pkinit failures we were seeing against an AD KDC.