[1307] in Kerberos-V5-bugs
Kerberos 5 interoperability with OSF/DCE
daemon@ATHENA.MIT.EDU (Doug Engert)
Mon Mar 27 14:28:13 1995
Date: Mon, 27 Mar 95 13:26:07 CST
From: "Doug Engert" <DEEngert@anl.gov>
To: <krb5-bugs@MIT.EDU>, <escc-auth-tf@es.net>
As you may know, ESnet is very interested in the interoperability
of Kerberos 5 and OSF/DCE. (I talked to Jeff Schiller in the
airport after the ISOC meeting last month in San Diego about
this.) We are looking at using the DCE security server with
Kerberos 5 clients for the missing componets such as telnet, FTP,
and "r" commands. Kerberos 5 would also allow for cross realm
authentication.
I know there were some problems with the ASN.1 hand encoded
routines when processing the AS messages. I have obtained via a
contact at HP the attached modifications which appear to fix the
problem. I have compiled these with Kerberos 5 beta 4 patchlevel
3, on a Solaris 2.3 and AIX 3.2.5 system using gcc 2.6.3. I can
use the DCE security server (Transrc's 1.0.3a on a Solaris 2.3
system) to obtain credentials either via the dce_login or the K5
kinit for "host/nodename". I can then use these with telnet,
rlogin, rsh and the "sample" sclient and sserver modified to use
"host".
There are still problems, which may not be related to these
modification:
o The modified sample programs work fine, between the AIX and
Solaris systems.
o I can get a KRB5KRB_AP_ERR_BAD_INTEGRITY from
crypto/des/krb_glue.c when using the telnet, and rlogin
commands when the server is the AIX 3.2.5 system. I can also
get this with telnet from the AIX to a Solaris server.
Since all of these tests are using the same cached credential, it
is surprising that the sclient/server have no problem sending it
as a AP_REQ, while the telnet and "r" commands do.
It looks like there may be some uninitialized variable which is
causing the problem in the AIX version.
The questions are then:
o Is there a better version of the mods to the ASN.1 routines
which I could test?
o Are there any other known fixes which I could try which might
get the AIX version to work?
o Is there any thing which I could do which would help in
testing the interoperability of K5 and DCE?
(I still need to get back to you on the Configurable
Authentication Path modifications, which appear to just drop into
K5 beta4 pl3.)
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
------------------------------------------------------------------------
*** src/lib/krb5/asn.1/asn1buf.h.orig Sat Jul 23 08:56:31 1994
--- src/lib/krb5/asn.1/asn1buf.h Tue Dec 27 11:01:07 1994
***************
*** 144,150 ****
int asn1buf_remains
! PROTOTYPE((const asn1buf *buf));
/* effects Returns the number of unprocessed octets remaining in *buf. */
/**************** Private Procedures ****************/
--- 144,150 ----
int asn1buf_remains
! PROTOTYPE((asn1buf *buf));
/* effects Returns the number of unprocessed octets remaining in *buf. */
/**************** Private Procedures ****************/
*** src/lib/krb5/asn.1/asn1buf.c.orig Thu Sep 29 14:44:51 1994
--- src/lib/krb5/asn.1/asn1buf.c Tue Dec 27 13:56:59 1994
***************
*** 81,87 ****
OLDDECLARG(const int , length)
{
subbuf->base = subbuf->next = buf->next;
! subbuf->bound = subbuf->base + length - 1;
if(subbuf->bound > buf->bound) return ASN1_OVERRUN;
return 0;
}
--- 81,90 ----
OLDDECLARG(const int , length)
{
subbuf->base = subbuf->next = buf->next;
! if (length > 0 )
! subbuf->bound = subbuf->base + length - 1;
! else /* constructed indefinite */
! subbuf->bound = buf->bound;
if(subbuf->bound > buf->bound) return ASN1_OVERRUN;
return 0;
}
***************
*** 208,218 ****
return 0;
}
! int asn1buf_remains(DECLARG(const asn1buf *, buf))
! OLDDECLARG(const asn1buf *, buf)
{
if(buf == NULL || buf->base == NULL) return 0;
! else return buf->bound - buf->next + 1;
}
asn1_error_code asn12krb5_buf(DECLARG(const asn1buf *, buf),
--- 211,229 ----
return 0;
}
! int asn1buf_remains(DECLARG(asn1buf *, buf))
! OLDDECLARG(asn1buf *, buf)
{
+ int remain;
if(buf == NULL || buf->base == NULL) return 0;
! remain = buf->bound - buf->next +1;
! if (remain <= 0) return remain;
! if ( !*(buf->next) && !*(buf->next + 1)) {
! /* buf->bound = buf->next + 1; */
! buf->next += 2;
! return 0;
! }
! else return remain;
}
asn1_error_code asn12krb5_buf(DECLARG(const asn1buf *, buf),
*** src/lib/krb5/asn.1/asn1_decode_k.c.orig Tue Oct 04 19:18:48 1994
--- src/lib/krb5/asn.1/asn1_decode_k.c Tue Dec 27 16:21:46 1994
***************
*** 31,40 ****
asn1_class class;\
asn1_construction construction;\
asn1_tagnum tagnum;\
! int length
#define next_tag()\
! retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,NULL);\
if(retval) return retval;\
if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
return ASN1_BAD_ID
--- 31,40 ----
asn1_class class;\
asn1_construction construction;\
asn1_tagnum tagnum;\
! int length,taglen,applen
#define next_tag()\
! retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,&taglen);\
if(retval) return retval;\
if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
return ASN1_BAD_ID
***************
*** 45,51 ****
#define apptag(tagexpect)\
! retval = asn1_get_tag(buf,&class,&construction,&tagnum,NULL);\
if(retval) return retval;\
if(class != APPLICATION || construction != CONSTRUCTED ||\
tagnum != (tagexpect)) return ASN1_BAD_ID
--- 45,51 ----
#define apptag(tagexpect)\
! retval = asn1_get_tag(buf,&class,&construction,&tagnum,&applen);\
if(retval) return retval;\
if(class != APPLICATION || construction != CONSTRUCTED ||\
tagnum != (tagexpect)) return ASN1_BAD_ID
***************
*** 54,59 ****
--- 54,60 ----
#define get_field_body(var,decoder)\
retval = decoder(&subbuf,&(var));\
if(retval) return retval;\
+ if(!taglen) next_tag();\
next_tag()
#define get_field(var,tagexpect,decoder)\
***************
*** 70,75 ****
--- 71,77 ----
#define get_lenfield_body(len,var,decoder)\
retval = decoder(&subbuf,&(len),&(var));\
if(retval) return retval;\
+ if(!taglen) next_tag();\
next_tag()
#define get_lenfield(len,var,tagexpect,decoder)\
***************
*** 368,373 ****
--- 370,379 ----
get_field(val->server,2,asn1_decode_principal_name);
get_field(val->enc_part,3,asn1_decode_encrypted_data);
end_structure();
+ }
+ if(!applen) {
+ retval = asn1_get_tag(buf,&class,&construction,&tagnum,NULL);
+ if (retval) return retval;
}
cleanup();
}
