

krb5 vs. DCE

daemon@ATHENA.MIT.EDU (George W. Baltz)
Wed Dec 28 10:37:13 1994

To: krb5-bugs@MIT.EDU
Cc: gwb@umd5.umd.edu
Date: Wed, 28 Dec 1994 10:36:58 -0500
From: "George W. Baltz" <gwb@holmes.umd.edu>

Believing the FAQ, I tried to run some krb5 clients against our (test) DCE 
servers, with less than spectacular results.  kinit did connect to the server, 
but gave up with ASN.1 missing field errors.

Problem: no code in krb5 for ASN.1 'constructed indefinite' fields, which the 
DCE security server uses.  (Probably means they don't have to build messages 
backwards :-) .)

So I started hacking...  With minor mods to asn1buf.[ch] I was able to handle 
sequences with indefinite lengths.  If all the decoders used asn1buf_imbed(), 
asn1buf_remains(), and asn1buf_sync() for every field, this would handle 
everything.  However, to handle indefinite tags, I had to modify 
asn1_decode_k.c, and remove one line from my code in asn1buf.c .  Here the 
problem wasn't so much decoding the data, but skipping over the 0x00 0x00 
afterwards.

This got kinit to retrieve a krbtgt (that klist believes, at least.)  Whoopeee!

Unfinished:  I haven't checked it out any more than this.  Other references to 
apptag() should be modified to clean up the terminators.  There's no way in 
the code to distinguish a 0x00 length from a 0x80.  Dunno if this can matter, 
unless there might be truly null SEQUENCE or SEQUENCE_OF instances.  The only 
way around this is to really flag it, instead of basing it on length==0.

Anyway, since I'm on my way out for a week, I thought I'd send in the 
following patch for your consideration, amusement, edification, or scorn.....

Happy New Year!

*** src/lib/krb5/asn.1/asn1buf.h.orig	Sat Jul 23 08:56:31 1994
--- src/lib/krb5/asn.1/asn1buf.h	Tue Dec 27 11:01:07 1994
***************
*** 144,150 ****
  
  
  int asn1buf_remains
! 	PROTOTYPE((const asn1buf *buf));
  /* effects   Returns the number of unprocessed octets remaining in *buf. */
  
  /**************** Private Procedures ****************/
--- 144,150 ----
  
  
  int asn1buf_remains
! 	PROTOTYPE((asn1buf *buf));
  /* effects   Returns the number of unprocessed octets remaining in *buf. */
  
  /**************** Private Procedures ****************/
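Review bot: The `/* effects ... */` comment under the prototype no longer describes the function: with `const` dropped from `asn1buf *buf`, asn1buf_remains is now permitted to modify the buffer, and the asn1buf.c hunk has it advance `buf->next` past a pair of zero octets. A query named `_remains` that consumes input is a surprise for existing callers, so the header should say so, e.g. `/* effects   Returns the number of unprocessed octets remaining in *buf. If the next two octets are both 0x00 (end-of-contents of an indefinite-length encoding), consumes them and returns 0. */`. Any caller that still passes a `const asn1buf *` will now draw a discarded-qualifier diagnostic.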
*** src/lib/krb5/asn.1/asn1buf.c.orig	Thu Sep 29 14:44:51 1994
--- src/lib/krb5/asn.1/asn1buf.c	Tue Dec 27 13:56:59 1994
***************
*** 81,87 ****
       OLDDECLARG(const int , length)
  {
    subbuf->base = subbuf->next = buf->next;
!   subbuf->bound = subbuf->base + length - 1;
    if(subbuf->bound > buf->bound) return ASN1_OVERRUN;
    return 0;
  }
--- 81,90 ----
       OLDDECLARG(const int , length)
  {
    subbuf->base = subbuf->next = buf->next;
!   if (length > 0 )
!     subbuf->bound = subbuf->base + length - 1;
!   else /* constructed indefinite */
!     subbuf->bound = buf->bound;
    if(subbuf->bound > buf->bound) return ASN1_OVERRUN;
    return 0;
  }
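Review bot: `if (length > 0 )` makes every zero-length definite encoding look like a constructed-indefinite one: an empty SEQUENCE OF (`30 00`) now gets `subbuf->bound = buf->bound`, so the decoder treats everything that follows in the parent as part of this element, and a negative length reaching this function takes the same branch. The message itself notes that a 0x00 length and 0x80 are indistinguishable here; the durable fix is to have the length reader (presumably asn1_get_tag) report indefinite with a distinct value such as a negative length and test for that, e.g. `if (length >= 0) subbuf->bound = subbuf->base + length - 1; else /* constructed indefinite */ subbuf->bound = buf->bound;`. The `if(subbuf->bound > buf->bound) return ASN1_OVERRUN;` check cannot fire in the indefinite branch, so an unterminated indefinite element is only caught when the enclosing buffer runs out. The same length-is-zero convention is relied on by `taglen`/`applen` in the asn1_decode_k.c hunks. asn1buf_imbed's signature begins above this hunk.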
***************
*** 208,218 ****
    return 0;
  }
  
! int asn1buf_remains(DECLARG(const asn1buf *, buf))
!      OLDDECLARG(const asn1buf *, buf)
  {
    if(buf == NULL || buf->base == NULL) return 0;
!   else return buf->bound - buf->next + 1;
  }
  
  asn1_error_code asn12krb5_buf(DECLARG(const asn1buf *, buf),
--- 211,229 ----
    return 0;
  }
  
! int asn1buf_remains(DECLARG(asn1buf *, buf))
!      OLDDECLARG(asn1buf *, buf)
  {
+   int remain;
    if(buf == NULL || buf->base == NULL) return 0;
!   remain = buf->bound - buf->next +1;
!   if (remain <= 0) return remain;
!   if ( !*(buf->next) && !*(buf->next + 1)) {
! /*    buf->bound = buf->next + 1;  */
!     buf->next += 2;
!     return 0;
!   }
!   else return remain;
  }
  
  asn1_error_code asn12krb5_buf(DECLARG(const asn1buf *, buf),
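Review bot: `!*(buf->next + 1)` reads one octet past the buffer when exactly one octet remains: `bound` is inclusive (`remain = buf->bound - buf->next +1`), so with `remain == 1` the address `buf->next + 1` lies beyond `bound`, and a decoder fed a message from the network reads out of bounds before the function returns. Tighten the early return to `if (remain < 2) return remain;` so the two-octet test only runs when both octets are inside the buffer. The test also fires on any content that happens to begin with two zero octets, not only on an end-of-contents marker, which the message's remark about flagging indefinite length explicitly rather than inferring it would address; the commented-out `buf->bound = buf->next + 1;` should be deleted rather than left in.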
*** src/lib/krb5/asn.1/asn1_decode_k.c.orig	Tue Oct 04 19:18:48 1994
--- src/lib/krb5/asn.1/asn1_decode_k.c	Tue Dec 27 16:21:46 1994
***************
*** 31,40 ****
  asn1_class class;\
  asn1_construction construction;\
  asn1_tagnum tagnum;\
! int length
  
  #define next_tag()\
! retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,NULL);\
  if(retval) return retval;\
  if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
    return ASN1_BAD_ID
--- 31,40 ----
  asn1_class class;\
  asn1_construction construction;\
  asn1_tagnum tagnum;\
! int length,taglen,applen
  
  #define next_tag()\
! retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,&taglen);\
  if(retval) return retval;\
  if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
    return ASN1_BAD_ID
***************
*** 45,51 ****
  
  
  #define apptag(tagexpect)\
! retval = asn1_get_tag(buf,&class,&construction,&tagnum,NULL);\
  if(retval) return retval;\
  if(class != APPLICATION || construction != CONSTRUCTED ||\
     tagnum != (tagexpect)) return ASN1_BAD_ID
--- 45,51 ----
  
  
  #define apptag(tagexpect)\
! retval = asn1_get_tag(buf,&class,&construction,&tagnum,&applen);\
  if(retval) return retval;\
  if(class != APPLICATION || construction != CONSTRUCTED ||\
     tagnum != (tagexpect)) return ASN1_BAD_ID
***************
*** 54,59 ****
--- 54,60 ----
  #define get_field_body(var,decoder)\
  retval = decoder(&subbuf,&(var));\
  if(retval) return retval;\
+ if(!taglen) next_tag();\
  next_tag()
  
  #define get_field(var,tagexpect,decoder)\
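Review bot: `if(!taglen) next_tag();` guards only the first statement of the expansion: `next_tag` (changed in the first asn1_decode_k.c hunk) expands to three statements — the `asn1_get_tag` call, `if(retval) return retval;` and the class/construction check — with no `do { ... } while (0)` wrapper, so the two checks run unconditionally against whatever `retval`, `class` and `construction` the previous tag left behind. That appears harmless here only because the preceding `next_tag()` already validated those values, but it is not what the line says it does. Brace the use, `if(!taglen) { next_tag(); }`, or wrap the `next_tag` body in `do { ... } while (0)`; the same unbraced use appears in the `get_lenfield_body` hunk. It is also worth confirming that, after an indefinite-length body, `subbuf.next` points at a real context tag rather than the `00 00` terminator, since the class check in `next_tag` would otherwise return ASN1_BAD_ID.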
***************
*** 70,75 ****
--- 71,77 ----
  #define get_lenfield_body(len,var,decoder)\
  retval = decoder(&subbuf,&(len),&(var));\
  if(retval) return retval;\
+ if(!taglen) next_tag();\
  next_tag()
  
  #define get_lenfield(len,var,tagexpect,decoder)\
***************
*** 368,373 ****
--- 370,379 ----
      get_field(val->server,2,asn1_decode_principal_name);
      get_field(val->enc_part,3,asn1_decode_encrypted_data);
      end_structure();
+   }
+   if(!applen) {
+     retval = asn1_get_tag(buf,&class,&construction,&tagnum,NULL);
+     if (retval) return retval;
    }
    cleanup();
  }
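Review bot: The added `asn1_get_tag(buf,&class,&construction,&tagnum,NULL)` after `end_structure()` swallows whatever tag follows without checking that it is the end-of-contents marker an indefinite encoding requires: any trailing tag is accepted, and a missing terminator would silently consume the start of the next element. Check what was read before accepting it, `if(class != UNIVERSAL || construction != PRIMITIVE || tagnum != 0) return ASN1_BAD_ID;`, and pass a length pointer so a non-zero length can be rejected as well. This also overlaps with asn1buf_remains now skipping `00 00` itself (asn1buf.c hunk); it is worth settling which of the two is meant to consume the terminator so it is not handled twice. The enclosing decoder begins above this hunk, and the message notes that the other `apptag()` users still need the same treatment.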

-- 
George Baltz  N3GB          301-405-3059                   gwb@umd5.umd.edu
Captain (Emeritus), UMD Hors d'Oeuvres Team       "Another totally unslanted
Computer Science Center, University of Maryland    opinion from yet another
College Park, MD 20742-2411                        editor of the Daily Feed"

