generalstring asn.1 encoding

Kevin Coffman kwc at
Wed Mar 21 12:18:11 EDT 2007

See "The real problem ..." below.  Love suggests that this is an
encoding error on the MIT side (sending the terminating null character
in the string).  I looked a bit, but did not find whether the Heimdal
code is correct in forbidding null characters in generalstrings (even
as the last character).

It sounds like Love is going to relax the check in Heimdal, but I
thought I should bring up the issue here.


---------- Forwarded message ----------
From: Love Hörnquist Åstrand <lha at>
Date: Mar 18, 2007 1:39 PM
Subject: Re: problems with kinit against MIT KDC
To: Kevin Coffman <kwc at>
Cc: Heimdal-discuss list <heimdal-discuss at>

17 mar 2007 kl. 06.34 skrev Kevin Coffman:

> Testing the latest CVS kinit against our MIT KDCs (1.4.3 and 1.6+) I
> ran into a couple of problems.  The first error being reported was
> "Did not find a plugin for resolve".  It turns out, this wasn't the
> real error, but it was the only one being reported.
> I patched lib/krb5/krbhost.c to clear the error message if a kdc is
> eventually found.  This allowed the real error to be printed.  It
> seems there is a general problem of getting the right error printed.

Yes, not all patch have enough krb5_clear_error_string() and when
I've pushed more error strings deeper into the codepaths the problem

The problem when the second error code is generated.

> The real problem was then revealed.  I now got the message "ASN.1
> invalid character in string".  After a little digging, I found that
> the error packet returned by the MIT KDC has the string
> "NEEDED_PREAUTH\0" encoded with a length of 15.
> der_get_general_string() checks to see if the string contains a null
> and reports an error.  In this case there is a null, but it the last
> character, which seems harmless.  I'm sure more work could be done to
> eliminate the double null if desired.  Also, I couldn't figure out
> what the initial length check was really trying to check.  What is
> there seems useless.

You should send a bug report to the MIT people since I really think
this is invalid generated data. That said, maybe the code should be
slightly more liberal then it is now.

The check that you can't figure out is for integer overflow in the
malloc below
it, maybe its a little to much paranoia, but I think its better to be
and check for that anyway.


More information about the krbdev mailing list