[39559] in Kerberos
Re: Failing ASN.1 tests with PKINIT on HP-UX
daemon@ATHENA.MIT.EDU (Osipov, Michael \(IN IT IN\) via K)
Sat Sep 27 11:17:52 2025
Message-ID: <096708bd-e34c-487d-b0dd-cfca5de5846b@innomotics.com>
Date: Sat, 27 Sep 2025 17:16:31 +0200
Content-Language: en-US
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: Kerberos@mit.edu
In-Reply-To: <202509271440.58REekdH020200@hedwig.cmf.nrl.navy.mil>
MIME-Version: 1.0
From: "Osipov, Michael \(IN IT IN\) via Kerberos" <kerberos@mit.edu>
Reply-To: "Osipov, Michael \(IN IT IN\)" <michael.osipov@innomotics.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
On 2025-09-27 16:40, Ken Hornstein wrote:
>>> 771 #ifndef DISABLE_PKINIT
>>> 772 /****************************************************************/
>>> 773 /* encode_krb5_pa_pk_as_req */
>>> 774 {
>>> 775 krb5_pa_pk_as_req req;
>>> 776 ktest_make_sample_pa_pk_as_req(&req);
>>> 777 encode_run(req, "pa_pk_as_req", "", acc.encode_krb5_pa_pk_as_req);
>
> It would be interesting to drill down into the value of "req". I can see
> two possibilities:
>
> - There's a bug somewhere in the ktest_make_sample_pa_pk_as_req() code path
> that is making an invalid krb5_pa_pk_as_req structure.
> - There's a bug in the ASN.1 encoder somewhere.
>
> Either way, assuming you want PKINIT to work, I don't think it's
> something you should ignore. I'd start with looking at "req" and then
> figuring out what part of req it is trying to encode when you get this
> core dump. It looks like you omitted part of the stack trace?
>
I'll try to look into that if I can with my humble C knowledge. I had a
feeling that it could be an endianess issue since HP-UX on IA64 is big
endian. I have seen weird stuff like
https://github.com/cr-marcstevens/sha1collisiondetection/commit/855827c583bc30645ba427885caa40c5b81764d2.
Michael
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
