<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
I have found an incompatability between 1.2.2 and 1.3.1 that has been
causing us problems. The specific example is using a 1.2.2 Master KDC
and replicating to a 1.3.1 slave (although I suspect that the problem
is more general). In our case, we are running 1.2.2 on a Tru64 Cluster
and I was trying to replicate to a Solaris machine running 1.3.1 using
the standard kprop/kpropd. Sometimes this worked (i.e. the database
was correctly transmitted and loaded into the slave machine), but
sometimes I get a checksum error (message was changed...). After a lot
of debugging, it turns out that this can be traced to a single change
in src/lib/krb5/asn.1/asn1_k_encode.c:<br>
<br>
<span style="font-family: monospace;">RCS file:
/usr/src/cvs/cvsroot/contrib/Kerberos/src/lib/krb5/asn.1/asn1_k_encode.c,v</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">retrieving revision 1.1.1.3</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">diff -c -r1.1.1.3 asn1_k_encode.c</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">*** asn1_k_encode.c 11 Aug
2003 22:28:46 -0000 1.1.1.3</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">--- asn1_k_encode.c 13 Sep
2003 19:51:45 -0000</span><br style="font-family: monospace;">
<span style="font-family: monospace;">***************</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">*** 643,658 ****</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if(val->r_address != NULL)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->r_address,5,asn1_encode_host_address);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->s_address,4,asn1_encode_host_address);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if(val->seq_number)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">!
asn1_addfield(val->seq_number,3,asn1_encode_unsigned_integer);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if(val->timestamp){</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->usec,2,asn1_encode_integer);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->timestamp,1,asn1_encode_kerberos_time);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> }</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if (val->user_data.length
&& val->user_data.data == NULL)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> return
ASN1_MISSING_FIELD;</span><br style="font-family: monospace;">
<span style="font-family: monospace;">!
asn1_addlenfield(val->user_data.length,val->user_data.data,0,asn1_encode_charstring)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">! ;</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> </span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> asn1_makeseq();</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> asn1_cleanup();</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">--- 643,664 ----</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if(val->r_address != NULL)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->r_address,5,asn1_encode_host_address);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->s_address,4,asn1_encode_host_address);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">+ </span><br
style="font-family: monospace;">
<span style="font-family: monospace;">+ /*</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">+ * WARNING!!! This needs to be
asn1_encode_integer to be compatable</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">+ * with older versions!!</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">+ * if(val->seq_number)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">+ *
asn1_addfield(val->seq_number,3,asn1_encode_unsigned_integer);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">+ */</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if(val->seq_number)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">!
asn1_addfield(val->seq_number,3,asn1_encode_integer);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if(val->timestamp){</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->usec,2,asn1_encode_integer);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;">
asn1_addfield(val->timestamp,1,asn1_encode_kerberos_time);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> }</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> if (val->user_data.length
&& val->user_data.data == NULL)</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> return
ASN1_MISSING_FIELD;</span><br style="font-family: monospace;">
<span style="font-family: monospace;">!
asn1_addlenfield(val->user_data.length,val->user_data.data,0,asn1_encode_charstring);</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> </span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> asn1_makeseq();</span><br
style="font-family: monospace;">
<span style="font-family: monospace;"> asn1_cleanup();</span><br
style="font-family: monospace;">
<br>
When the sequence number is large (i.e. negative), the 1.2.2 system
encodes it as an integer and sends it. The 1.3.1 system correctly
receives and decodes it. So far, so good. Not, the 1.3.1 system <span
style="font-style: italic;">re-encodes</span> the message to calculate
and compare the checksums. This is where the change causes problems.
The asn1_encode_unsigned_integer routine will insert an extra byte in
the encoded stream to preserve the high-order bit without making it
negative. This, unfortunately, causes the checksums not to validate
and the data is rejected.<br>
<br>
Its certainly true that for this limited circumstance (kprop/kpropd) we
will be moving to an all 1.3.1 system fairly quickly, so this problem
will go away (the current replication is part of our testing for the
eventual move to 1.3.1). However, I suspect that other clients and
services use mk_safe and rd_safe and this problem will be exhibited in
other circumstances. For now we've applied the patch described above,
but I would be interested in the rationale for changing the encoding
for safe_body...<br>
<br>
-- scooter<br>
<br>
Scooter Morris<br>
Genentech, Inc.<br>
<a class="moz-txt-link-abbreviated" href="mailto:scooter@gene.com">scooter@gene.com</a><br>
</body>
</html>