@MaximeKjaer (Contributor) commented Oct 7, 2025

What's the problem?

The cname and crealm fields in a KDC-REP should be the same in the cleartext body as in the enc-part of the ticket. Currently, they are generated by two slightly different implementations, which can lead to mismatches.

This is a problem, because the TGS-REP's cleartext cname/crealm get placed into the AP-REQ's Authenticator structure, see RFC 4120 § 3.2.2. Generation of a KRB_AP_REQ Message:

the client constructs a new Authenticator from the system time and its name

And the AP then compares the cname/crealm in Authenticator to the encrypted cname/crealm in the ticket, see RFC 4120 § 3.2.3. Receipt of KRB_AP_REQ Message:

The authenticator is decrypted using the session key extracted from the decrypted ticket. [...] The name and realm of the client from the ticket are compared against the same fields in the authenticator. If they don't match, the KRB_AP_ERR_BADMATCH error is returned.

  • Bugfix
  • New Feature

What's the solution?

For TGS-REP cleartext, copy cname/crealm from the ticket enc-part instead of regenerating them.

I included a unit test that triggered the bug. Before the fix, it would return `computer$` in the cleartext, and `computer$@test.com` in the ticket enc-part. Now it returns the latter in both (principals without realms were handled differently by the code doing the ticket enc-part, compared to the code doing cleartext).

  • Includes unit tests
  • Requires manual test

What issue is this related to, if any?

None.

@MaximeKjaer MaximeKjaer changed the title from "Fix difference between cleartext and ticket enc cname/crealm" to "Fix difference between cname/crealm in TGS-REP cleartext vs ticket enc-part" on Oct 7, 2025
@MaximeKjaer MaximeKjaer force-pushed the fix-cname-crealm-cleartext branch from 82418bd to 08a2548 on October 7, 2025 23:05
@SteveSyfuhs SteveSyfuhs merged commit c443f1f into dotnet:develop Oct 13, 2025
3 checks passed