svn rev #25703: trunk/src/lib/krb5/asn.1/
ghudson@MIT.EDU
Tue Feb 21 13:57:44 EST 2012
http://src.mit.edu/fisheye/changelog/krb5/?cs=25703
Commit By: ghudson
Log Message:
ticket: 7092
subject: kvno ASN.1 encoding interop with Windows RODCs
RFC 4120 defines the EncryptedData kvno field as an integer in the
range of unsigned 32-bit numbers. Windows encodes and decodes the
field as a signed 32-bit integer. Historically we do the same in our
encoder in 1.6 and prior, and in our decoder through 1.10. (Actually,
our decoder through 1.10 decoded the value as a long and then cast the
result to unsigned int, so it would accept positive values >= 2^31 on
64-bit platforms but not on 32-bit platforms.)
kvno values that large (or negative) are only likely to appear in the
context of Windows read-only domain controllers. So do what Windows
does instead of what RFC 4120 says.
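The interop problem described in the log message comes down to how a DER INTEGER is formed from the same 32 bits. The following is an added example, not MIT krb5 code: a minimal DER INTEGER encoder and decoder that produces the RFC 4120 (unsigned) and Windows (signed 32-bit) encodings of a kvno with the high bit set, and models both the decoder behaviour after this change and the pre-change "decode as long, cast to unsigned int" behaviour on 32-bit and 64-bit platforms. `kvno_t` stands in for `krb5_kvno`; the function names and the sample kvno value are assumptions for illustration.

```c
/* Added example (not MIT krb5 code): DER INTEGER encoding of a kvno read as an
 * unsigned 32-bit value (RFC 4120) versus a signed 32-bit value (Windows). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t kvno_t;   /* stands in for krb5_kvno, an unsigned int */

/* Encode v as a minimal-length DER INTEGER (tag 0x02, at most 8 content
   bytes). Writes tag, length and content into out[]; returns total bytes. */
static size_t der_encode_integer(int64_t v, uint8_t out[10])
{
    uint8_t body[8];
    size_t start = 0, len;

    /* Big-endian two's complement; cast first so the shift is well defined. */
    for (int i = 0; i < 8; i++)
        body[i] = (uint8_t)((uint64_t)v >> ((7 - i) * 8));
    /* DER minimal form: drop a leading 0x00 followed by a clear sign bit, or
       a leading 0xFF followed by a set sign bit. */
    while (start < 7 &&
           ((body[start] == 0x00 && !(body[start + 1] & 0x80)) ||
            (body[start] == 0xFF && (body[start + 1] & 0x80))))
        start++;
    len = 8 - start;
    out[0] = 0x02;
    out[1] = (uint8_t)len;
    memcpy(out + 2, body + start, len);
    return 2 + len;
}

/* Decode a DER INTEGER of up to 8 content bytes into a sign-extended value.
   Returns the bytes consumed, or 0 if the input is malformed. */
static size_t der_decode_integer(const uint8_t *in, size_t inlen, int64_t *out)
{
    uint64_t u;
    size_t len;

    if (inlen < 3 || in[0] != 0x02)
        return 0;
    len = in[1];
    if (len == 0 || len > 8 || inlen < 2 + len)
        return 0;
    u = (in[2] & 0x80) ? UINT64_MAX : 0;   /* sign-extend from the first byte */
    for (size_t i = 0; i < len; i++)
        u = (u << 8) | in[2 + i];
    *out = (int64_t)u;
    return 2 + len;
}

/* RFC 4120 reading: kvno is an INTEGER in the unsigned 32-bit range. */
static size_t encode_kvno_unsigned(kvno_t kvno, uint8_t out[10])
{
    return der_encode_integer((int64_t)kvno, out);
}

/* Windows reading (and MIT's encoder after this change): the same 32 bits
   taken as a signed int, so kvnos >= 2^31 are emitted as negative INTEGERs. */
static size_t encode_kvno_signed(kvno_t kvno, uint8_t out[10])
{
    int64_t v = (int64_t)kvno;
    if (kvno >= 0x80000000u)
        v -= INT64_C(0x100000000);
    return der_encode_integer(v, out);
}

/* Decoder matching the signed reading: accept only the signed 32-bit range
   and reinterpret the bits as the unsigned kvno. Returns 1 on success. */
static int decode_kvno_signed(const uint8_t *in, size_t inlen, kvno_t *kvno)
{
    int64_t v;
    if (der_decode_integer(in, inlen, &v) == 0 || v < INT32_MIN || v > INT32_MAX)
        return 0;
    *kvno = (kvno_t)(uint32_t)v;   /* reduction modulo 2^32 is well defined */
    return 1;
}

/* Model of the pre-change decoder from the log message: decode into a C long,
   then cast to unsigned int. long_bits is 32 (ILP32) or 64 (LP64). */
static int decode_kvno_historic(const uint8_t *in, size_t inlen, int long_bits,
                                kvno_t *kvno)
{
    int64_t v, lo = (long_bits == 64) ? INT64_MIN : INT32_MIN;
    int64_t hi = (long_bits == 64) ? INT64_MAX : INT32_MAX;
    if (der_decode_integer(in, inlen, &v) == 0 || v < lo || v > hi)
        return 0;
    *kvno = (kvno_t)(uint32_t)v;
    return 1;
}

int main(void)
{
    kvno_t kvno = 0x80000001u, back = 0;   /* constructed: high-bit kvno */
    uint8_t buf[10];
    size_t n = encode_kvno_unsigned(kvno, buf);   /* 02 05 00 80 00 00 01 */

    printf("unsigned form: %zu bytes, signed decoder accepts = %d\n",
           n, decode_kvno_signed(buf, n, &back));
    n = encode_kvno_signed(kvno, buf);            /* 02 04 80 00 00 01 */
    decode_kvno_signed(buf, n, &back);
    printf("signed form:   %zu bytes, round-trips to 0x%08x\n", n, back);
    return 0;
}
```

For a kvno below 2^31 both encoders produce identical bytes, so nothing changes for ordinary kvnos; the difference only appears once the high bit is set, where the unsigned form needs a fifth content byte that a signed 32-bit decoder rejects, while the 64-bit "decode as long" path happened to accept it and the 32-bit path did not.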
Changed Files:
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
Modified: trunk/src/lib/krb5/asn.1/asn1_k_encode.c
===================================================================
--- trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2012-02-15 18:55:16 UTC (rev 25702)
+++ trunk/src/lib/krb5/asn.1/asn1_k_encode.c 2012-02-21 18:57:44 UTC (rev 25703)
@@ -173,8 +173,16 @@
DEFPTRTYPE(ptr_seqof_host_addresses, seqof_host_addresses);
DEFOPTIONALEMPTYTYPE(opt_ptr_seqof_host_addresses, ptr_seqof_host_addresses);
+/*
+ * krb5_kvno is defined as unsigned int, but historically (MIT krb5 through
+ * 1.6, and through 1.10 in the decoder) we treat it as signed, in violation of
+ * RFC 4120. kvno values large enough to be problematic are only likely to be
+ * seen with Windows read-only domain controllers, which overload the high
+ * 16-bits of kvno values for krbtgt principals. Since Windows encodes kvnos
+ * as signed 32-bit values, for interoperability it's best if we do the same.
+ */
DEFFIELD(enc_data_0, krb5_enc_data, enctype, 0, int32);
-DEFFIELD(enc_data_1, krb5_enc_data, kvno, 1, opt_uint);
+DEFFIELD(enc_data_1, krb5_enc_data, kvno, 1, opt_int);
DEFFIELD(enc_data_2, krb5_enc_data, ciphertext, 2, ostring_data);
static const struct atype_info *encrypted_data_fields[] = {
&k5_atype_enc_data_0, &k5_atype_enc_data_1, &k5_atype_enc_data_2
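Review bot: the new comment above `DEFFIELD(enc_data_1, ...)` explains why the field is treated as signed but not what the `opt_uint` to `opt_int` switch does to the bytes on the wire; it should say explicitly that kvno values at or above 2^31 (the RODC case it mentions) are now emitted as negative ASN.1 INTEGERs rather than as the 5-byte positive form, since that is the observable interop change, and that the same table is relied on for decoding so both directions agree. Two smaller points: confirm that `opt_int` omits a zero kvno exactly as `opt_uint` did, so the optional field's presence does not change, and "high 16-bits" in the comment should read "high 16 bits".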