From: ghudson@mit.edu
Subject: SVN Commit

RFC 4120 defines the EncryptedData kvno field as an integer in the
range of unsigned 32-bit numbers. Windows encodes and decodes the
field as a signed 32-bit integer. Historically we do the same in our
encoder in 1.6 and prior, and in our decoder through 1.10. (Actually,
our decoder through 1.10 decoded the value as a long and then cast the
result to unsigned int, so it would accept positive values >= 2^31 on
64-bit platforms but not on 32-bit platforms.)

kvno values that large (or negative) are only likely to appear in the
context of Windows read-only domain controllers. So do what Windows
does instead of what RFC 4120 says.

https://github.com/krb5/krb5/commit/7558fb3af9f9fdfb8195333c11a70ab7b354f82c
Commit By: ghudson
Revision: 25703
Changed Files:
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
From: ghudson@mit.edu
Subject: SVN Commit

Correct fix for #7092

https://github.com/krb5/krb5/commit/85c8d9595b2767d16043efc42891db2c79a0eb3c
Commit By: ghudson
Revision: 25706
Changed Files:
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
Should we decide to backport this to 1.10 or earlier, the attached patch
should work. (The trunk patch won't apply, since the ASN.1 encoder has
changed significantly since 1.10.)
commit 44ff96b7e5c64f3c2a816f36fb64b1d7f0cc50b2
Author: Greg Hudson <ghudson@mit.edu>
Date: Tue Feb 21 15:09:03 2012 -0500

Backported fix for #7092

diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 018aae8..07ea7c8 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -143,9 +143,11 @@ optional_encrypted_data (const void *vptr)
return optional;
}

+/* Encode krb5_kvno as signed 32-bit for Windows RODC interop. */
+DEFINTTYPE(kvno, krb5_kvno);
static const struct field_info encrypted_data_fields[] = {
FIELDOF_NORM(krb5_enc_data, int32, enctype, 0),
- FIELDOF_OPT(krb5_enc_data, uint, kvno, 1, 1),
+ FIELDOF_OPT(krb5_enc_data, kvno, kvno, 1, 1),
FIELDOF_NORM(krb5_enc_data, ostring_data, ciphertext, 2),
};
DEFSEQTYPE(encrypted_data, krb5_enc_data, encrypted_data_fields,
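Review bot: The comment above DEFINTTYPE(kvno, krb5_kvno) promises a signed 32-bit encoding, but nothing visible in this hunk narrows the value to a signed type; the field is only switched from the uint type to a new type declared with krb5_kvno as its C type. If DEFINTTYPE loads the value according to the C type it is given (an assumption, since the macro body is not shown here) and krb5_kvno is unsigned, a kvno >= 2^31 would still be widened as a positive number and encoded with five content octets. Either make the signed narrowing explicit in the load step or add an encode test for a kvno >= 2^31 so the comment's claim is checked.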
From: tlyu@mit.edu
Subject: SVN Commit

Add test cases for Windows RODC kvno compatibility

https://github.com/krb5/krb5/commit/8b33ff2daebcf3e4ccff6a938b410239b76ba287
Commit By: tlyu
Revision: 25725
Changed Files:
U trunk/src/tests/asn.1/krb5_decode_test.c
U trunk/src/tests/asn.1/krb5_encode_test.c
U trunk/src/tests/asn.1/reference_encode.out
U trunk/src/tests/asn.1/trval_reference.out
My suggested patch for 1.10 wouldn't work because it just caused the
unsigned 32-bit value to be loaded into a 64-bit signed integer. Here's a
less elegant one which ought to work.
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index 018aae8..4c50dc1 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -143,9 +143,23 @@ optional_encrypted_data (const void *vptr)
return optional;
}

+/*
+ * Encode krb5_kvno as signed 32-bit for Windows RODC interop. (This is an
+ * inelegant backport; it's an alteration of the expansion of DEFINTTYPE(kvno,
+ * krb5_kvno).)
+ */
+typedef krb5_kvno aux_typedefname_kvno;
+static asn1_intmax loadint_kvno(const void *p)
+{
+ return (krb5_int32)*(krb5_kvno *)p;
+}
+const struct atype_info krb5int_asn1type_kvno = {
+ atype_int, sizeof(krb5_kvno), 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ loadint_kvno, 0,
+};
static const struct field_info encrypted_data_fields[] = {
FIELDOF_NORM(krb5_enc_data, int32, enctype, 0),
- FIELDOF_OPT(krb5_enc_data, uint, kvno, 1, 1),
+ FIELDOF_OPT(krb5_enc_data, kvno, kvno, 1, 1),
FIELDOF_NORM(krb5_enc_data, ostring_data, ciphertext, 2),
};
DEFSEQTYPE(encrypted_data, krb5_enc_data, encrypted_data_fields,
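Review bot: loadint_kvno() casts away const in "return (krb5_int32)*(krb5_kvno *)p;"; the parameter is const void *, so the read should go through (const krb5_kvno *)p. The krb5int_asn1type_kvno initializer also depends on a run of nine positional zeros lining up with the layout of struct atype_info on this branch, so the block comment should name the branch or macro version it was expanded from, to make a later mismatch easy to spot. The narrowing cast to krb5_int32 for values >= 2^31 is implementation-defined in C; a short note in the comment that two's complement wrap is relied on would document that.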
From: tlyu@mit.edu
Subject: SVN Commit

Pull up r25725 from trunk, along with backport of r25703.

------------------------------------------------------------------------
r25725 | tlyu | 2012-03-02 17:24:38 -0500 (Fri, 02 Mar 2012) | 4 lines

ticket: 7092

Add test cases for Windows RODC kvno compatibility

------------------------------------------------------------------------
r25703 | ghudson | 2012-02-21 13:57:44 -0500 (Tue, 21 Feb 2012) | 15 lines

ticket: 7092
subject: kvno ASN.1 encoding interop with Windows RODCs

RFC 4120 defines the EncryptedData kvno field as an integer in the
range of unsigned 32-bit numbers. Windows encodes and decodes the
field as a signed 32-bit integer. Historically we do the same in our
encoder in 1.6 and prior, and in our decoder through 1.10. (Actually,
our decoder through 1.10 decoded the value as a long and then cast the
result to unsigned int, so it would accept positive values >= 2^31 on
64-bit platforms but not on 32-bit platforms.)

kvno values that large (or negative) are only likely to appear in the
context of Windows read-only domain controllers. So do what Windows
does instead of what RFC 4120 says.

https://github.com/krb5/krb5/commit/adda449cadb58f6ab9aee5a9a15ee2b0d6702e8c
Commit By: tlyu
Revision: 25739
Changed Files:
U branches/krb5-1-10/src/lib/krb5/asn.1/asn1_k_encode.c
U branches/krb5-1-10/src/tests/asn.1/krb5_decode_test.c
U branches/krb5-1-10/src/tests/asn.1/krb5_encode_test.c
U branches/krb5-1-10/src/tests/asn.1/reference_encode.out
U branches/krb5-1-10/src/tests/asn.1/trval_reference.out
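
The encoding difference described in the r25703 commit message, and the widening problem noted in the 1.10 backport discussion, shown as an added example (not code from krb5 or from this ticket). The function names are hypothetical and the kvno values used with them are constructed; the code assumes a two's complement platform.

```c
#include <stdint.h>
#include <stddef.h>

/* Content octets of a DER INTEGER: minimal big-endian two's complement. */
static size_t der_int_content(int64_t v, unsigned char out[8])
{
    uint64_t u = (uint64_t)v;
    size_t n = 8, i;
    while (n > 1) {     /* drop leading octets that are only sign extension */
        unsigned char top = (unsigned char)(u >> (8 * (n - 1)));
        unsigned char next = (unsigned char)(u >> (8 * (n - 2)));
        if (!((top == 0x00 && !(next & 0x80)) || (top == 0xFF && (next & 0x80))))
            break;
        n--;
    }
    for (i = 0; i < n; i++)
        out[i] = (unsigned char)(u >> (8 * (n - 1 - i)));
    return n;
}

/* RFC 4120 reading (unsigned 32-bit): the value is widened as unsigned, which
 * is also what happens when an unsigned kvno is loaded into a wider signed
 * integer without narrowing first. */
static size_t encode_kvno_unsigned(uint32_t kvno, unsigned char out[8])
{
    return der_int_content((int64_t)kvno, out);
}

/* Windows-compatible reading: narrow to signed 32-bit before widening. */
static size_t encode_kvno_signed32(uint32_t kvno, unsigned char out[8])
{
    return der_int_content((int64_t)(int32_t)kvno, out);
}

/* A peer that decodes kvno as signed 32-bit: 0 on success, -1 if out of range. */
static int decode_signed32(const unsigned char *c, size_t n, int32_t *out)
{
    int64_t v;
    size_t i;
    if (n == 0 || n > 8)
        return -1;
    v = (c[0] & 0x80) ? -1 : 0;     /* sign-extend from the first octet */
    for (i = 0; i < n; i++)
        v = (int64_t)(((uint64_t)v << 8) | c[i]);
    if (v < INT32_MIN || v > INT32_MAX)
        return -1;
    *out = (int32_t)v;
    return 0;
}
```

For a constructed kvno of 0x80010002, the unsigned path produces five content octets (00 80 01 00 02), which the signed 32-bit decoder rejects, while the signed path produces four (80 01 00 02), which it accepts. Values below 2^31 encode identically either way.
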
From: tlyu@mit.edu
Subject: SVN Commit

Adam Bernstein reported this bug and helped with analysis.

https://github.com/krb5/krb5/commit/c21d9eefe79372129f35ed003f2eeeffb4eae704
Commit By: tlyu
Revision: 25752
Changed Files:
U branches/krb5-1-10/README