help-shishi

Re: TGS revisited


From: Simon Josefsson
Subject: Re: TGS revisited
Date: Thu, 27 Apr 2006 11:09:27 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> BINGO!
>
> I found it!
>
> On Wed, Apr 26, 2006 at 03:52:22PM +0200, Simon Josefsson wrote:
> [...]
>> >> There is a XXX nit in
>> >> shishi_ap_set_tktoptionsasn1usage() which you could watch out for.
>> >
>> > That memmove looks interesting there...
>> >
>> > Is that to skip the asn1-tag and length?
>> >
>> > What if the encoded length is more than 128 bytes?
>> >
>> > (I'm just talking useless crap. You're fully free to ignore
>> > the last few lines. ;) )
>> 
>> I'm not sure what it is for, but it works so I haven't touched it. :)
>
> It's the source of my problem!
>
> Making it skip 3 bytes instead of 2 solved my
> Heimdal issue.
>
> And it now explains why it works for some principals in my
> Heimdal KDC and not for others:
>
> length!
>
> The memcpy is to skip the asn1-tag and the asn1-length.
>
> So to reproduce this: Just create a long service principal.
> Please let me know, that you can reproduce it!

Yes, I could reproduce it!  Wow, this one was weird, but shows that
any XXX can bite you later.  It seems libtasn1 doesn't encode only the
actual field, but the tag too:

address@hidden:~/src/shishi$ dumpasn1 foo.der
   0  257: [4] {
   4  254:   SEQUENCE {
...

(With this long principal, skipping the first four bytes makes it
work.)

I've worked around this libtasn1 bug now, see patch below.  You'll
have to remove the XXX stuff in ap.c too.

Many thanks for tracking this down...

Thanks,
Simon

Index: asn1.c
===================================================================
RCS file: /home/jas/self/public-cvs/shishi/lib/asn1.c,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -p -r1.81 -r1.82
--- asn1.c      21 Apr 2006 13:12:09 -0000      1.81
+++ asn1.c      27 Apr 2006 09:07:12 -0000      1.82
@@ -773,6 +773,37 @@ shishi_asn1_to_der_field (Shishi * handl
       return SHISHI_ASN1_ERROR;
     }
 
+  if (strcmp (field, "req-body") == 0)
+    {
+      unsigned char class;
+      int derlen, derlen2;
+      unsigned long tag;
+      signed long lenlen;
+
+      /* XXX when encoding a field inside a SEQUENCE, libtasn1 appear
+        to include the tag from the SEQUENCE in the encoding of a
+        particular field.  This appear wrong, so we frob it here.
+        This typically happens when encoding req-body in KDC-REQ for
+        TGS checksums.  */
+
+      rc = asn1_get_tag_der (*der, mylen, &class, &derlen, &tag);
+      if (rc != ASN1_SUCCESS)
+       {
+         shishi_error_set (handle, errorDescription);
+         return SHISHI_ASN1_ERROR;
+       }
+
+      lenlen = asn1_get_length_der(*der + derlen, mylen - derlen, &derlen2);
+      if (lenlen < 0)
+       return SHISHI_ASN1_ERROR;
+
+      if (derlen + derlen2 < mylen)
+       {
+         mylen -= derlen + derlen2;
+         memmove (*der, *der + derlen + derlen2, mylen);
+       }
+    }
+
   *len = mylen;
 
   return SHISHI_OK;
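Review bot: the lenlen < 0 branch in this hunk returns SHISHI_ASN1_ERROR without calling shishi_error_set, unlike the asn1_get_tag_der failure a few lines above it, so a malformed length leaves the caller with no error description; add the same shishi_error_set (handle, errorDescription) before that return. The variable names are also the reverse of what libtasn1 hands back: asn1_get_length_der returns the decoded content length (stored here in lenlen) and writes the number of bytes the length field occupied into its last argument (derlen2), so derlen + derlen2 is the tag-plus-length header size that the memmove skips; renaming lenlen to something like contentlen would make the arithmetic readable. Finally, the strip is keyed only on strcmp (field, "req-body") == 0 and never looks at what it is removing: the dumpasn1 output earlier in the mail shows the wrapper is a context-specific [4] tag, so check that class is ASN1_CLASS_CONTEXT_SPECIFIC and tag is 4, and that the decoded content length equals mylen - derlen - derlen2, before the memmove, and report an error otherwise (the current if silently leaves the buffer untouched when the sum is not below mylen). Without those checks, a future libtasn1 that stops emitting the outer tag would make this code strip the SEQUENCE header instead and quietly corrupt the checksum input.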

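A worked illustration of the tag-and-length arithmetic this thread is about, added here as an example; it is not Shishi or libtasn1 code, and the names der_parse_header, der_put_len, build_wrapped_seq, der_unwrap, wrapper_header_len and tag_after_fixed_skip are mine. It builds constructed sample data shaped like the [4] { SEQUENCE { ... } } wrapper in the dumpasn1 output (filler bytes, not a real KDC-REQ-BODY), shows that the wrapper's header is 2 bytes only while the inner element stays under 128 bytes, 3 bytes up to 255 and 4 bytes beyond that (the 257-byte case above), shows which tag a fixed two-byte skip lands on in each case, and strips the wrapper only after checking the tag's class and number and that the inner element fills it exactly.

```c
/* Added example (not Shishi or libtasn1 code): parse DER tag/length headers and strip
   the explicit [4] wrapper that dumpasn1 shows around req-body, instead of a fixed skip. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct der_hdr {
    int cls, constructed;     /* cls: 0 universal, 1 application, 2 context-specific, 3 private */
    unsigned long tag;
    size_t hdr_len, len;      /* bytes used by tag+length (what must be skipped); content length */
};

/* Parse one tag-length header: high-tag-number form, short and long-form lengths.
   Returns 0, or -1 if truncated, indefinite-length or not minimally (DER) encoded. */
static int der_parse_header(const uint8_t *der, size_t der_len, struct der_hdr *h)
{
    size_t i = 1, n, k;
    if (der_len < 2)
        return -1;
    h->cls = der[0] >> 6;
    h->constructed = (der[0] & 0x20) != 0;
    h->tag = der[0] & 0x1f;
    if (h->tag == 0x1f) {                           /* base-128 tag digits follow */
        h->tag = 0;
        do {
            if (i >= der_len)
                return -1;
            h->tag = (h->tag << 7) | (der[i] & 0x7f);
        } while (der[i++] & 0x80);
    }
    if (i >= der_len)
        return -1;
    if (der[i] < 0x80) {                            /* short form: one byte, 0..127 */
        h->len = der[i++];
    } else {                                        /* long form: 0x80|n, then n bytes */
        n = der[i++] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || i + n > der_len)
            return -1;                              /* indefinite or oversized length */
        if (der[i] == 0 || (n == 1 && der[i] < 0x80))
            return -1;                              /* non-minimal length: not DER */
        for (h->len = 0, k = 0; k < n; k++)
            h->len = (h->len << 8) | der[i++];
    }
    h->hdr_len = i;
    return h->len <= der_len - i ? 0 : -1;         /* content must fit the buffer */
}

/* Encode a length (up to 0xffff) in short or long form; returns bytes written. */
static size_t der_put_len(size_t len, uint8_t *out)
{
    if (len < 0x80) { out[0] = (uint8_t)len; return 1; }
    if (len < 0x100) { out[0] = 0x81; out[1] = (uint8_t)len; return 2; }
    out[0] = 0x82; out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len; return 3;
}

/* Constructed sample: [4] { SEQUENCE { n filler bytes } }, the shape of the req-body
   wrapper in the dumpasn1 output above, not a real KDC-REQ-BODY. Returns total size. */
static size_t build_wrapped_seq(size_t n, uint8_t *buf, size_t cap)
{
    uint8_t ihdr[4] = { 0x30 }, ohdr[4] = { 0xa4 };  /* SEQUENCE; context-specific constructed [4] */
    size_t ih, oh;
    if (n > 0xff00)
        return 0;
    ih = 1 + der_put_len(n, ihdr + 1);
    oh = 1 + der_put_len(ih + n, ohdr + 1);
    if (oh + ih + n > cap)
        return 0;
    memcpy(buf, ohdr, oh);
    memcpy(buf + oh, ihdr, ih);
    memset(buf + oh + ih, 0x41, n);
    return oh + ih + n;
}

/* Strip a context-specific [expect_tag] wrapper after checking its class and tag, that it
   spans the whole buffer, and that exactly one element fills it. Copies the inner element
   to out and returns its size, or -1. */
static long der_unwrap(const uint8_t *der, size_t der_len, unsigned long expect_tag,
                       uint8_t *out, size_t out_cap)
{
    struct der_hdr o, in;
    if (der_parse_header(der, der_len, &o) != 0 || o.cls != 2 || !o.constructed
        || o.tag != expect_tag || o.hdr_len + o.len != der_len)
        return -1;
    if (der_parse_header(der + o.hdr_len, o.len, &in) != 0
        || in.hdr_len + in.len != o.len || o.len > out_cap)
        return -1;
    memcpy(out, der + o.hdr_len, o.len);
    return (long)o.len;
}

/* Header size of the [4] wrapper around a SEQUENCE of n bytes, and the tag number a fixed
   2-byte skip would land on (0x10 = SEQUENCE only while the header really is 2 bytes). */
static long wrapper_header_len(size_t n)
{
    uint8_t buf[4096]; struct der_hdr h;
    size_t t = build_wrapped_seq(n, buf, sizeof buf);
    return (t && der_parse_header(buf, t, &h) == 0) ? (long)h.hdr_len : -1;
}
static long tag_after_fixed_skip(size_t n)
{
    uint8_t buf[4096]; struct der_hdr h;
    size_t t = build_wrapped_seq(n, buf, sizeof buf);
    return (t > 2 && der_parse_header(buf + 2, t - 2, &h) == 0) ? (long)h.tag : -1;
}

int main(void)
{
    static const size_t sizes[] = { 10, 126, 254 };
    for (size_t i = 0; i < 3; i++)
        printf("SEQUENCE of %3zu bytes: wrapper header %ld bytes; fixed 2-byte skip sees tag %ld\n",
               sizes[i], wrapper_header_len(sizes[i]), tag_after_fixed_skip(sizes[i]));
    return 0;
}
```

Build with cc -std=c99 and run it: the 254-byte case reproduces the 4-byte header from the dumpasn1 listing (offset 0, length 257, then SEQUENCE at offset 4), the 126-byte case is the 3-byte header that fixed Elrond's Heimdal principals, and only the 10-byte case is served by skipping two bytes. der_unwrap refuses a buffer whose outer tag is not the expected context-specific class and number, which is the check the field-name keyed memmove in the patch does not make.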