krb5-1.8-alpha1 and enc-padata

Marcus Watts mdw at
Tue Feb 2 17:18:27 EST 2010

I think I found something rather weird in MIT krb5 1.8-alpha1.

It seems that when the kdc generates a krb5_enc_kdc_rep_part,
it includes an empty enc_padata list.  This is sent over
the wire as such.  MIT krb5 1.6.3 code apparently ignores this.
Clients that implement rfc 4120 more strictly may instead

According to RFC 4120 section 5.1.3, an empty list should
be treated the same as no list, and a list should not be
sent if it's empty.  So, am I correct in believing that
there's an asn.1 error here in 1.8: it should never be
sending an empty enc-padata list?  This could be considered
a logic error also - I think 1.7 had similar asn.1 code
but didn't have the FAST code that made the empty array.

RFC 4120 section 5.1.4 goes on to suggest that clients
that encounter tags they don't understand should signal
an error.  Is this still the expectation?  I haven't
actually stepped through the 1.6.3 code to catch it ignoring
the unknown tag element.  I'll do more investigation
if people believe 1.6.3 should have returned an error here.

The best description of enc_padata I could find is in
draft-ietf-krb-wg-kerberos-referrals-11.  Is there a
description in any RFC or is this truely only a draft thing?
On a quick inspection, these drafts might also depend on enc_padata:
draft-ietf-krb-wg-preauth-framework-15 .

				-Marcus Watts

More information about the krbdev mailing list