[1472] in Kerberos-V5-bugs

Kerberos V5 beta5 / DCE interoperability problem

daemon@ATHENA.MIT.EDU (John J. Marco)
Wed Jun 14 18:38:31 1995

From: "John J. Marco" <johnma@sco.COM>
To: krb5-bugs@MIT.EDU
Cc: johnma@sco.COM, dceivers@sco.COM, mbrowder@sco.COM, jonco@sco.COM
Date: Wed, 14 Jun 1995 14:50:27 -0700 (PDT)


Kerberos V5 bug report:

Kerberos V5 beta 5 does not interoperate with the OSF DCE 1.0.3
Security service.  This appears to be the old ASN.1 encoding
bug from previous releases.  (Something about the MIT decoder
not having code for "distinguished indefinite" length encodings
as I recall.)

I looked at the beta 5 code, and most of the patch for the 
above bug appears to have been integrated into the beta 5
release.  However, I get an error message when I try to use
beta 5 kinit with a DCE 1.0.3 Security Server:
	"ASN.1 identifier doesn't match expected value"

After hacking down in the guts of the asn.1 encoder, I
found what appears to be an attempt to inline the functionality
of asn1buf_remains() into the asn1_get_tag() routine.
For some reason, a small piece of code that appears to 
skip over two null bytes was omitted in the inlined code.
I added the missing code to asn1_get_tag() and now kinit
works using a DCE 1.0.3 Security Server as the KDC.

Was there a reason for not just using asn1buf_remains() like
in beta4?  

Note.  My patch below has only been tested using kinit from 
a MS Windows system (CNS from beta 5 dist.) and from a SCO Unix 
system, both using a DCE 1.0.3 Security Server as the KDC.  I haven't tried 
using this hack with an MIT Kerberos V5 beta 5 KDC.

Patch follows...

---------------------- Cut Here --------------------------
*** src/lib/krb5/asn.1/asn1_get.c.orig	Wed Jun 14 13:25:54 1995
--- src/lib/krb5/asn.1/asn1_get.c	Wed Jun 14 14:07:23 1995
***************
*** 37,42 ****
--- 37,49 ----
        *tagnum = ASN1_TAGNUM_CEILING;
        return 0;
    }
+ /* Begin DCE Compatibility Hack */
+   if ( !*(buf->next) && !*(buf->next + 1)) {
+       buf->next += 2;
+       *tagnum = ASN1_TAGNUM_CEILING;
+       return 0;
+   }
+ /* End DCE Compatibility Hack */
    retval = asn1_get_id(buf,class,construction,tagnum);
    if(retval) return retval;
    retval = asn1_get_length(buf,retlen);
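Review bot: The added test `!*(buf->next) && !*(buf->next + 1)` reads two bytes with no visible check that two bytes remain in the buffer, so with a single byte left it reads past the end; test the remaining length before dereferencing. The branch also fires anywhere a tag is expected, not only inside an indefinite-length encoding, so a pair of zero bytes in a definite-length value would be consumed silently and reported as ASN1_TAGNUM_CEILING with a 0 return; consider skipping them only when the enclosing length was indefinite. The "DCE Compatibility Hack" comment should also say what the two bytes are (the terminator of an indefinite-length encoding) and note that this early return, like the one above it, leaves class, construction and retlen unset.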
---------------------- Cut Here --------------------------

-----------------------------------------------------------------------
| John Marco                      |   The Santa Cruz Operation, Inc.  |
| Distributed Systems Engineering |   johnma@sco.COM  (408)427-7638   |
-----------------------------------------------------------------------
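
An added example, not part of the original message or of the MIT krb5 source: a minimal bounds-checked BER header reader, assuming the "two null bytes" in the report are the end-of-contents octets that close an indefinite-length value. The names `ber_cur`, `ber_read_header` and `ber_count_children` and the sample encodings are constructed for illustration; multi-octet tags and nested indefinite-length children are out of scope.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical cursor and status codes for this example (not krb5's asn1buf). */
struct ber_cur { const uint8_t *next, *end; };
enum { BER_OK = 0, BER_EOC = 1, BER_TRUNCATED = -1, BER_BAD = -2 };

/* Read one identifier+length header. Two zero octets count as end-of-contents
 * only inside an indefinite-length value (in_indef) and only if both are in bounds. */
static int ber_read_header(struct ber_cur *c, int in_indef, size_t *len, int *indef)
{
    if (c->end - c->next < 2) return BER_TRUNCATED;
    if (c->next[0] == 0 && c->next[1] == 0) {
        if (!in_indef) return BER_BAD;           /* stray zeros in a definite value */
        c->next += 2;
        return BER_EOC;
    }
    uint8_t id = *c->next++, l = *c->next++;
    if ((id & 0x1f) == 0x1f) return BER_BAD;     /* multi-octet tags: out of scope */
    *len = 0; *indef = (l == 0x80);
    if (*indef) return (id & 0x20) ? BER_OK : BER_BAD;  /* constructed values only */
    size_t n = (l < 0x80) ? 0 : (size_t)(l & 0x7f);     /* long form: n length octets */
    if (l < 0x80) *len = l;
    if (n > sizeof *len) return BER_BAD;
    if ((size_t)(c->end - c->next) < n) return BER_TRUNCATED;
    while (n--) *len = (*len << 8) | *c->next++;
    return (size_t)(c->end - c->next) < *len ? BER_TRUNCATED : BER_OK;
}

/* Count the direct children of the outermost value, for either length form. */
int ber_count_children(const uint8_t *p, size_t n)
{
    struct ber_cur c = { p, p + n };
    size_t len; int indef, child_indef, r, count = 0;
    if ((r = ber_read_header(&c, 0, &len, &indef)) != BER_OK) return r;
    if (!indef) c.end = c.next + len;            /* definite: stop at declared end */
    while (indef || c.next < c.end) {
        r = ber_read_header(&c, indef, &len, &child_indef);
        if (r == BER_EOC) return count;          /* indefinite: stop at 00 00 */
        if (r != BER_OK || child_indef) return r ? r : BER_BAD;
        c.next += len; count++;
    }
    return count;
}

/* Constructed samples: SEQUENCE { INTEGER 5, OCTET STRING "AB" } and broken variants. */
const uint8_t sample_indef[] = { 0x30,0x80, 0x02,0x01,0x05, 0x04,0x02,0x41,0x42, 0x00,0x00 };
const uint8_t sample_def[]   = { 0x30,0x07, 0x02,0x01,0x05, 0x04,0x02,0x41,0x42 };
const uint8_t sample_cut[]   = { 0x30,0x80, 0x02,0x01,0x05, 0x00 };  /* half a terminator */
const uint8_t sample_stray[] = { 0x30,0x04, 0x02,0x00, 0x00,0x00 };  /* zeros, definite */
```

`sample_cut` and `sample_stray` exercise the two cases a bare two-byte zero test does not distinguish: a buffer that ends one octet into the terminator, and zero octets inside a definite-length value.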