[krbdev.mit.edu #3196] asn.1 encoding of nonce differs from rfc4120 (signedness)
Ezra Peisach via RT
rt-comment at krbdev.mit.edu
Wed Sep 28 12:02:57 EDT 2005
rfc4120 indicates that nonce should be an unsigned integer. ASN.1
encoding of a signed vs. unsigned int will differ if the high-bit is
set... Then, an additional octet of 0 needs to be included.
Currently, our nonce is based on time(0) - and the high bit is not
set... Nor will it be until 2038... But we should get this fixed sooner
rather than later.
Heimdal 0.7.1 is still using a signed int. The nonce is randomly
assigned - so for interoperability - we would need to be careful in how
to handle this... If we encode as an unsigned int - would Heimdal's
decoder handle it properly? Looking at Heimdal's code - der_get_integer will
only decode encodings of four bytes or less - sending a proper
representation would bomb... So - if a Heimdal client talks to a v5 kdc
sending a nonce with the high bit set - we will respond with a five byte
encoding - which Heimdal will reject...
A patch for the basics - without interoperability issues is attached...
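
The encoding difference described in the message above, as an added example (not part of the original post, and not MIT krb5 or Heimdal code): a minimal DER INTEGER encoder for an unsigned 32-bit nonce, and a decoder with a configurable content-length limit. The names `der_put_uint32` and `der_get_int` are hypothetical, and `max_octets = 4` is a model of the four-byte limit the post describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: DER INTEGER (tag 0x02) for an unsigned 32-bit nonce.
 * Writes at most 7 octets to out and returns the total length. */
size_t der_put_uint32(uint32_t v, unsigned char *out)
{
    size_t n = 0;
    int shift = 24;
    /* Minimal content: drop leading zero octets, keep at least one. */
    while (shift > 0 && ((v >> shift) & 0xff) == 0)
        shift -= 8;
    /* A set high bit would read as negative, so prepend a 0x00 octet. */
    if ((v >> shift) & 0x80)
        out[2 + n++] = 0x00;
    for (; shift >= 0; shift -= 8)
        out[2 + n++] = (unsigned char)(v >> shift);
    out[0] = 0x02;
    out[1] = (unsigned char)n;
    return 2 + n;
}

/* Hypothetical decoder: rejects content longer than max_octets (4 models the
 * four-byte limit described in the post). Returns 0, or -1 on rejection. */
int der_get_int(const unsigned char *in, size_t len, size_t max_octets, int64_t *val)
{
    uint64_t v;
    size_t n, i;
    if (len < 3 || in[0] != 0x02 || in[1] == 0 || in[1] > 8)
        return -1;
    n = in[1];
    if (n + 2 != len || n > max_octets)
        return -1;
    v = (in[2] & 0x80) ? ~(uint64_t)0 : 0;  /* sign-extend */
    for (i = 0; i < n; i++)
        v = (v << 8) | in[2 + i];
    *val = (int64_t)v;
    return 0;
}

int main(void)
{
    unsigned char buf[7];
    int64_t v;
    size_t len = der_put_uint32(0x80000000u, buf);  /* constructed nonce */
    printf("encoded length %zu, four-octet decoder: %s\n", len,
           der_get_int(buf, len, 4, &v) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The same bit pattern written by a signed 32-bit encoder is the four-octet content `80 00 00 00`, which decodes as a negative value instead of the intended nonce.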