[36140] in Kerberos
Re: Problems parsing old krbPrincipalKey attributes from LDAP backend
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue May 20 11:03:33 2014
Message-ID: <537B6E4F.4060808@mit.edu>
Date: Tue, 20 May 2014 11:01:35 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Frank Steinberg <steinberg@ibr.cs.tu-bs.de>, kerberos@mit.edu
In-Reply-To: <F8ED6DEB-1BB5-4F55-B947-795E593F9BA7@ibr.cs.tu-bs.de>

On 05/20/2014 09:56 AM, Frank Steinberg wrote:
> Did this krbPrincipalKey type change?

Not intentionally. We did do some work on ASN.1 decoding in 1.11, and
it's possible that the LDAP key sequence decoder unintentionally
became more strict. But looking at the 1.10 and current code, I don't
see any obvious differences in strictness.

We can narrow down the problem in one of two ways:

* You could send me a hex dump of a key sequence which decodes in 1.10
  but not in 1.12. Obviously this information would contain someone's
  long-term keys, so you'd want to make sure the password had been
  changed and that the old password won't be reused.

* With the debugger in omit_atype where it generates the fail, you
  could extract some information as described in the last section of
  src/lib/krb5/asn.1/README.asn1. In particular, for each stack frame
  in the function decode_sequence, I need the value of the variable "i".