Your KDC produces invalid ASN.1

Love lha at stacken.kth.se
Thu Jun 19 12:10:19 EDT 2003


Sam Hartman <hartmans at MIT.EDU> writes:

> Hi.  I got a bug report last night from Andrew Tridgell on IRC.  He
> reported that with MIT Kerberos 1.3 beta2, he was receiving an error
> contacting your KDC.  In particular, our ASN.1 library complained
> about the encoding of a preauthentication required krb_error that our
> library received from your KDC.
>
> I have attached the encoding of that krb_error (with the application
> tag stripped) to this message.
>
> Our code is correct: the error packet is broken.
>
> Per the Kerberos spec, it includes a sequence of padata in the e_data
> field of the krb_error sequence.  The first element of this sequence
> is the enc-ts padata element and is fine.  The second element is of
> type 11 (etype-info) and should include a sequence of
> etype-info-entry.
>
>
>    ETYPE-INFO-ENTRY        ::= SEQUENCE {
>            etype           [0] Int32,
>            salt            [1] OCTET STRING OPTIONAL
>    }

Heimdal has this definition of ETYPE-INFO-ENTRY:

ETYPE-INFO-ENTRY ::= SEQUENCE {
	etype[0]		ENCTYPE,
	salt[1]			OCTET STRING OPTIONAL,
	salttype[2]		INTEGER OPTIONAL
}

The comment in the cvs log I can find related to this is:

----------------------------
revision 1.18
date: 1998/03/21 00:45:54;  author: joda;  state: Exp;  lines: +5 -6
Rename PA-KEY-INFO -> ETYPE-INFO.
----------------------------

1.17         (joda     22-Jan-98): PA-KEY-INFO-ENTRY ::= SEQUENCE {
1.17         (joda     22-Jan-98): 	keytype[0]		INTEGER,
1.17         (joda     22-Jan-98): 	salttype[1]		INTEGER,
1.17         (joda     22-Jan-98): 	salt[2]			OCTET STRING OPTIONAL
1.17         (joda     22-Jan-98): }

Now, this has been in Heimdal 0.0o.

> We'd appreciate knowing how widely deployed the code is with this
> particular bug.  That will help us evaluate how necessary a
> work-around for this issue will be.  We will make a decision on
> whether we need a work-around by the end of the week, so a prompt
> reply would be appreciated.

This has been in Heimdal 0.0o.

Love
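
The following is an added example, not part of the original message and not code from MIT Kerberos or Heimdal. It sketches how a decoder that accepts only the two fields in the quoted ETYPE-INFO-ENTRY definition treats an entry that also carries the `salttype[2]` field from the Heimdal definition, next to a tolerant mode that accepts it. The function names, the `allow_salttype` switch and the sample bytes are assumptions constructed for illustration.

```python
# Added illustration (not MIT Kerberos or Heimdal code); definite-length DER only.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def unwrap(value, expected_tag):
    """Decode the single TLV wrapped by an explicit context tag."""
    tag, inner, end = read_tlv(value, 0)
    if tag != expected_tag or end != len(value):
        raise ValueError("unexpected inner type")
    return inner

def decode_entry(der, allow_salttype=False):
    """Decode one ETYPE-INFO-ENTRY; allow_salttype also accepts the [2] field."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    fields = {0xA0: ("etype", 0x02), 0xA1: ("salt", 0x04)}
    if allow_salttype:
        fields[0xA2] = ("salttype", 0x02)
    out, pos, last = {}, 0, -1
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in fields or tag <= last:   # unknown, repeated or out of order
            raise ValueError("unexpected field tag 0x%02x" % tag)
        last = tag
        name, inner_tag = fields[tag]
        inner = unwrap(value, inner_tag)
        out[name] = inner if inner_tag == 0x04 else int.from_bytes(inner, "big", signed=True)
    if "etype" not in out:
        raise ValueError("missing etype")
    return out

# Constructed sample encodings (short lengths only); the values are made up.
def tlv(tag, value): return bytes([tag, len(value)]) + value
BASE = tlv(0xA0, tlv(0x02, b"\x03")) + tlv(0xA1, tlv(0x04, b"salt"))
SPEC_ENTRY = tlv(0x30, BASE)                                   # etype, salt
EXTRA_ENTRY = tlv(0x30, BASE + tlv(0xA2, tlv(0x02, b"\x00")))  # plus salttype[2]
```

Calling `decode_entry(EXTRA_ENTRY)` raises `ValueError` on tag `0xa2`, while `decode_entry(EXTRA_ENTRY, allow_salttype=True)` returns all three fields.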
