help-shishi

Re: TGS revisited


From: Simon Josefsson
Subject: Re: TGS revisited
Date: Wed, 26 Apr 2006 15:45:40 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> On Tue, Apr 25, 2006 at 07:53:00PM +0200, Elrond wrote:
> [...]
>> > This could be the problem: from your earlier logs, I think your
>> > current kvno is 2.  It seems shishi hard-codes the authenticator
>> > checksum kvno to 1, which is bad.  I've fixed this in CVS, and I think
>> > the daily Debian packages have it.  Could you re-try?
>> 
>> Ahhh.
>> 
>> Yes, my heimdal keys have kvno > 1 sometimes, too.
>> 
>> Okay, will retry soon.
>
> Okay.
>
> Bad news: It did not help.
> Good news: The kvno isn't in the TGS-REQ anymore.
>
> Okay, here's a quick list of what I can see:
>
> 1) The name-type issue still isn't fixed. (unknown/0, but
>    should be Principal/1)

Do you have cvs buildable?  Could you try this patch?  I re-read RFC
4120 on this topic, and I think it should not be necessary, but you
never know how this was implemented in w2k3.

6.2.  Principal Names

   As was the case for realm names, conventions are needed to ensure
   that all agree on what information is implied by a principal name.
   The name-type field that is part of the principal name indicates the
   kind of information implied by the name.  The name-type SHOULD be
   treated only as a hint to interpreting the meaning of a name.  It is
   not significant when checking for equivalence.  Principal names that
   differ only in the name-type identify the same principal.  The name
   type does not partition the name space.  Ignoring the name type, no
   two names can be the same (i.e., at least one of the components, or
   the realm, MUST be different).  The following name types are defined:

cvs diff: Diffing .
Index: principal.c
===================================================================
RCS file: /home/jas/self/public-cvs/shishi/lib/principal.c,v
retrieving revision 1.48
diff -u -p -r1.48 principal.c
--- principal.c 20 Apr 2006 18:16:09 -0000      1.48
+++ principal.c 26 Apr 2006 13:37:19 -0000
@@ -412,7 +412,7 @@ shishi_principal_set (Shishi * handle,
     }
 
   res = shishi_principal_name_set (handle, namenode, namefield,
-                                  SHISHI_NT_UNKNOWN, namebuf);
+                                  SHISHI_NT_PRINCIPAL, namebuf);
   free (namebuf);
   free (tmpname);
   if (res != SHISHI_OK)
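Review bot: no comment explains why SHISHI_NT_UNKNOWN becomes SHISHI_NT_PRINCIPAL in shishi_principal_set. The RFC 4120 section 6.2 text quoted above says the name-type is only a hint and not significant for equivalence, so a reader of the code will not see that this is an interoperability accommodation for a KDC (w2k3 here) that apparently does care. Suggest a one-line comment at the call site, e.g. `/* NT-PRINCIPAL rather than NT-UNKNOWN: some KDCs care, see RFC 4120 6.2 */`, and consider whether the name-type should be a parameter of shishi_principal_set instead of a fixed constant, since the same value is also hard-wired in the tkt.c hunk below.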
Index: tkt.c
===================================================================
RCS file: /home/jas/self/public-cvs/shishi/lib/tkt.c,v
retrieving revision 1.53
diff -u -p -r1.53 tkt.c
--- tkt.c       20 Apr 2006 17:57:50 -0000      1.53
+++ tkt.c       26 Apr 2006 13:30:45 -0000
@@ -342,7 +342,7 @@ shishi_tkt_clientrealm_set (Shishi_tkt *
 
   res = shishi_encticketpart_cname_set (tkt->handle,
                                        tkt->encticketpart,
-                                       SHISHI_NT_UNKNOWN, client);
+                                       SHISHI_NT_PRINCIPAL, client);
   if (res != SHISHI_OK)
     return res;
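Review bot: the cname name-type in the EncTicketPart is now fixed to SHISHI_NT_PRINCIPAL from inside shishi_tkt_clientrealm_set, so whichever setter fills cname last decides the type; this is consistent with the principal.c hunk, but nothing in the patch documents that the two places must stay in step. A short comment here, and a test that encodes a ticket and checks that the decoded cname name-type is 1, would make the expectation explicit and catch a future divergence between the ticket's cname and the name set through shishi_principal_set.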

> 2) shishi has a sub-key and sequence number in the TGS-REQ.
>    heimdal doesn't. (no idea, if that is good or not.)

Could you try this patch?

--- tgs.c       26 May 2005 17:12:35 +0200      1.40
+++ tgs.c       26 Apr 2006 15:44:13 +0200      
@@ -1,5 +1,5 @@
 /* tgs.c --- High level client TGS functions.
- * Copyright (C) 2002, 2003, 2004  Simon Josefsson
+ * Copyright (C) 2002, 2003, 2004, 2006  Simon Josefsson
  *
  * This file is part of Shishi.
  *
@@ -79,7 +79,12 @@
       return SHISHI_ASN1_ERROR;
     }
 
-  res = shishi_ap (handle, &ltgs->ap);
+  res = shishi_ap_nosubkey (handle, &ltgs->ap);
+  if (res != SHISHI_OK)
+    return res;
+
+  res = shishi_authenticator_remove_subkey
+    (handle, shishi_ap_authenticator (ltgs->ap));
   if (res != SHISHI_OK)
     return res;
 

If you don't have CVS buildable, I can prepare debian packages with
these patches applied.

/Simon
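An added example (my own code, not from Shishi or from this thread) of the equivalence rule in the RFC 4120 section 6.2 text quoted above: two names that differ only in name-type, the unknown/0 versus principal/1 case from item 1, compare as the same principal, while a different realm or component does not. The struct, the function names and the sample names are constructed for the example.

```c
/* Added example, not Shishi code: principal equivalence as RFC 4120
 * section 6.2 describes it.  PrincipalNames that differ only in the
 * name-type (e.g. unknown/0 vs principal/1, the case in this thread)
 * identify the same principal; only components and realm count. */
#include <string.h>

#define KRB5_NT_UNKNOWN   0   /* name-type values, RFC 4120 section 7.5.8 */
#define KRB5_NT_PRINCIPAL 1

struct principal
{
  int name_type;          /* a hint for interpretation, never compared */
  int ncomp;              /* number of entries used in comp[] */
  const char *comp[8];    /* e.g. "host", "kdc.example.org" */
  const char *realm;
};

/* Returns 1 if A and B name the same principal, else 0.  Byte-exact on
 * every component and on the realm; name_type is deliberately ignored. */
static int
principal_equal (const struct principal *a, const struct principal *b)
{
  int i;
  if (a->ncomp != b->ncomp)
    return 0;
  for (i = 0; i < a->ncomp; i++)
    if (strcmp (a->comp[i], b->comp[i]) != 0)
      return 0;
  return strcmp (a->realm, b->realm) == 0;
}

/* Constructed data: one peer sends the name as unknown/0, the other as
 * principal/1.  Expected result 1 (same principal). */
int
same_name_different_type (void)
{
  struct principal a = { KRB5_NT_UNKNOWN, 2, { "host", "kdc.example.org" }, "EXAMPLE.ORG" };
  struct principal b = { KRB5_NT_PRINCIPAL, 2, { "host", "kdc.example.org" }, "EXAMPLE.ORG" };
  return principal_equal (&a, &b);
}

/* Same type and components but another realm.  Expected result 0. */
int
same_name_different_realm (void)
{
  struct principal a = { KRB5_NT_PRINCIPAL, 2, { "host", "kdc.example.org" }, "EXAMPLE.ORG" };
  struct principal b = { KRB5_NT_PRINCIPAL, 2, { "host", "kdc.example.org" }, "EXAMPLE.NET" };
  return principal_equal (&a, &b);
}
```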
