[krbdev.mit.edu #3196] asn.1 encoding of nonce differs from rfc4120 (signedness)

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[krbdev.mit.edu #3196] asn.1 encoding of nonce differs from rfc4120 (signedness)

Greg Hudson via RT
rfc4120 indicates that nonce should be an unsigned integer. ASN.1
encoding of a signed vs. unsigned int will differ if the high-bit is
set... Then, an additional octect of 0 needs to be included.

Currently, our nonce is based on time(0) - and the high bit is not
set... Nor will it be until 2038... But we should get this fixed sooner
rather than later.

Heimdal 0.7.1 is still using a signed int. The nonce is a randomly
assigned - so for interoperability - we would need to be careful in how
to handle this... If we encode as an unsigned int - would heimdals
decoder handle properly? Looking at heimdals code - der_get_integer will
only decode encodings of four bytes or less - sending a proper
would bomb... So - if a heimdal client talks to a v5 kdc sending a nonce
with the high bit set - we will respond with a five byte encoding -
which heimdal will reject...

A patch for the basics - without interoperability issues is attached...

krb5-bugs mailing list
[hidden email]