[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
problems with kinit against MIT KDC
- To: "Heimdal-discuss list" <heimdal-discuss@sics.se>
- Subject: problems with kinit against MIT KDC
- From: "Kevin Coffman" <kwc@citi.umich.edu>
- Date: Fri, 16 Mar 2007 16:34:14 -0400
- DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:mime-version:content-type:x-google-sender-auth; b=asXCq1H7W2zA67Rl4iaCZ/vzniCGGZ/kfCov0zcxjRuCxztDz6X2TW+RfjLPJwPpSoyJLXfI6C2gnYTKxdirESE68621DVKlZL1nqgi+lH4tzLhXFM/rx0QkxNH9t55KIu6XFk65akegVQY1CpqQNMV1vCgWLZEp/GxDvJBhqWI=
- DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:mime-version:content-type:x-google-sender-auth; b=ZxlL6ExUoCN4oLcDYEykynlKzFGFfZigL8RDtgap6am2SpBE41L3Cta6CDKLCNQ0pas1WCzT9e0AcslFWBVBlzYftPGJeo3CP4sHrvD86PV9aYklIcm8p4iHGuMAwGfNkVInTqDRL2eNKUfK45+3lsmUd76yxaS+gp46oHcl44Y=
- Sender: owner-heimdal-discuss@sics.se
Testing the latest CVS kinit against our MIT KDCs (1.4.3 and 1.6+) I
ran into a couple of problems. The first error being reported was
"Did not find a plugin for resolve". It turns out, this wasn't the
real error, but it was the only one being reported.
I patched lib/krb5/krbhost.c to clear the error message if a kdc is
eventually found. This allowed the real error to be printed. It
seems there is a general problem of getting the right error printed.
The real problem was then revealed. I now got the message "ASN.1
invalid character in string". After a little digging, I found that
the error packet returned by the MIT KDC has the string
"NEEDED_PREAUTH\0" encoded with a length of 15.
der_get_general_string() checks to see if the string contains a null
and reports an error. In this case there is a null, but it the last
character, which seems harmless. I'm sure more work could be done to
eliminate the double null if desired. Also, I couldn't figure out
what the initial length check was really trying to check. What is
there seems useless.
Patch attached. (Again, the krbhost.c change is really only a
band-aid for a more general problem.)
K.C.
Index: lib/asn1/der_get.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/asn1/der_get.c,v
retrieving revision 1.52
diff -p -u -r1.52 der_get.c
--- lib/asn1/der_get.c 20 Jan 2007 21:53:32 -0000 1.52
+++ lib/asn1/der_get.c 16 Mar 2007 20:25:50 -0000
@@ -137,10 +137,10 @@ der_get_general_string (const unsigned c
{
char *s;
- if (len > len + 1)
+ if (len > len + 1) /* XXX What is this trying to check? */
return ASN1_BAD_LENGTH;
- if (memchr(p, 0, len) != NULL)
+ if ((memchr(p, 0, len) != NULL) && (memchr(p, 0, len-1) != NULL))
return ASN1_BAD_CHARACTER;
s = malloc (len + 1);
Index: lib/krb5/krbhst.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/lib/krb5/krbhst.c,v
retrieving revision 1.61
diff -p -u -r1.61 krbhst.c
--- lib/krb5/krbhst.c 30 Nov 2006 17:23:08 -0000 1.61
+++ lib/krb5/krbhst.c 16 Mar 2007 20:25:51 -0000
@@ -570,8 +570,10 @@ kdc_get_next(krb5_context context,
if((kd->flags & KD_CONFIG) == 0) {
config_get_hosts(context, kd, "kdc");
kd->flags |= KD_CONFIG;
- if(get_next(kd, host))
+ if(get_next(kd, host)) {
+ krb5_clear_error_string(context);
return 0;
+ }
}
if (kd->flags & KD_CONFIG_EXISTS)