int main()
{
krb5_context context;
krb5_authdata **results;
krb5_authdata *container[2];
krb5_authdata **container_out;
assert(krb5_init_context(&context) == 0);
assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0);
compare_authdata(results[0], &ad1);
compare_authdata( results[1], &ad2);
compare_authdata(results[2], &ad4);
compare_authdata( results[3], &ad3);
assert(results[4] == NULL);
krb5_free_authdata(context, results);
container[0] = &ad3;
container[1] = NULL;
assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0);
assert(krb5int_find_authdata(context,
adseq1, container_out, 22, &results) == 0);
compare_authdata(&ad1, results[0]);
compare_authdata( results[1], &ad4);
compare_authdata( results[2], &ad3);
assert( results[3] == NULL);
krb5_free_authdata(context, results);
krb5_free_authdata(context, container_out);
return 0;
}
static krb5_error_code
greet_kdc_sign(krb5_context context,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_const_principal tgs,
krb5_data *greeting)
{
krb5_error_code code;
krb5_authdata ad_datum, *ad_data[2], **kdc_issued = NULL;
krb5_authdata **if_relevant = NULL;
krb5_authdata **tkt_authdata;
ad_datum.ad_type = -42;
ad_datum.contents = (krb5_octet *)greeting->data;
ad_datum.length = greeting->length;
ad_data[0] = &ad_datum;
ad_data[1] = NULL;
code = krb5_make_authdata_kdc_issued(context,
enc_tkt_reply->session,
tgs,
ad_data,
&kdc_issued);
if (code != 0)
return code;
code = krb5_encode_authdata_container(context,
KRB5_AUTHDATA_IF_RELEVANT,
kdc_issued,
&if_relevant);
if (code != 0) {
krb5_free_authdata(context, kdc_issued);
return code;
}
code = krb5_merge_authdata(context,
if_relevant,
enc_tkt_reply->authorization_data,
&tkt_authdata);
if (code == 0) {
krb5_free_authdata(context, enc_tkt_reply->authorization_data);
enc_tkt_reply->authorization_data = tkt_authdata;
}
krb5_free_authdata(context, if_relevant);
krb5_free_authdata(context, kdc_issued);
return code;
}
int
main()
{
krb5_context context;
krb5_authdata **results;
krb5_authdata *container[2];
krb5_authdata **container_out;
krb5_authdata **kdci;
assert(krb5_init_context(&context) == 0);
assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0);
compare_authdata(results[0], &ad1);
compare_authdata( results[1], &ad2);
compare_authdata(results[2], &ad4);
compare_authdata( results[3], &ad3);
assert(results[4] == NULL);
krb5_free_authdata(context, results);
container[0] = &ad3;
container[1] = NULL;
assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0);
assert(krb5_find_authdata(context, adseq1, container_out, 22,
&results) == 0);
compare_authdata(&ad1, results[0]);
compare_authdata( results[1], &ad4);
compare_authdata( results[2], &ad3);
assert( results[3] == NULL);
krb5_free_authdata(context, container_out);
assert(krb5_make_authdata_kdc_issued(context, &key, NULL, results, &kdci) == 0);
assert(krb5_verify_authdata_kdc_issued(context, &key, kdci[0], NULL, &container_out) == 0);
compare_authdata(container_out[0], results[0]);
compare_authdata(container_out[1], results[1]);
compare_authdata(container_out[2], results[2]);
krb5_free_authdata(context, kdci);
krb5_free_authdata(context, results);
krb5_free_authdata(context, container_out);
krb5_free_context(context);
return 0;
}
/*
* Create a CAMMAC for contents, using enc_tkt and the first key from krbtgt
* for the KDC verifier. Set *cammac_out to a single-element authdata list
* containing the CAMMAC inside an IF-RELEVANT container.
*/
krb5_error_code
cammac_create(krb5_context context, krb5_enc_tkt_part *enc_tkt,
krb5_keyblock *server_key, krb5_db_entry *krbtgt,
krb5_authdata **contents, krb5_authdata ***cammac_out)
{
krb5_error_code ret;
krb5_data *der_authdata = NULL, *der_enctkt = NULL, *der_cammac = NULL;
krb5_authdata ad, *list[2];
krb5_cammac cammac;
krb5_verifier_mac kdc_verifier, svc_verifier;
krb5_key_data *kd;
krb5_keyblock tgtkey;
krb5_checksum kdc_cksum, svc_cksum;
*cammac_out = NULL;
memset(&tgtkey, 0, sizeof(tgtkey));
memset(&kdc_cksum, 0, sizeof(kdc_cksum));
memset(&svc_cksum, 0, sizeof(svc_cksum));
/* Fetch the first krbtgt key for the KDC verifier. */
ret = krb5_dbe_find_enctype(context, krbtgt, -1, -1, 0, &kd);
if (ret)
goto cleanup;
ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &tgtkey, NULL);
if (ret)
goto cleanup;
/* Checksum the reply with contents as authdata for the KDC verifier. */
ret = encode_kdcver_encpart(enc_tkt, contents, &der_enctkt);
if (ret)
goto cleanup;
ret = krb5_c_make_checksum(context, 0, &tgtkey, KRB5_KEYUSAGE_CAMMAC,
der_enctkt, &kdc_cksum);
if (ret)
goto cleanup;
kdc_verifier.princ = NULL;
kdc_verifier.kvno = kd->key_data_kvno;
kdc_verifier.enctype = ENCTYPE_NULL;
kdc_verifier.checksum = kdc_cksum;
/* Encode the authdata and checksum it for the service verifier. */
ret = encode_krb5_authdata(contents, &der_authdata);
if (ret)
goto cleanup;
ret = krb5_c_make_checksum(context, 0, server_key, KRB5_KEYUSAGE_CAMMAC,
der_authdata, &svc_cksum);
if (ret)
goto cleanup;
svc_verifier.princ = NULL;
svc_verifier.kvno = 0;
svc_verifier.enctype = ENCTYPE_NULL;
svc_verifier.checksum = svc_cksum;
cammac.elements = contents;
cammac.kdc_verifier = &kdc_verifier;
cammac.svc_verifier = &svc_verifier;
cammac.other_verifiers = NULL;
ret = encode_krb5_cammac(&cammac, &der_cammac);
if (ret)
goto cleanup;
/* Wrap the encoded CAMMAC in an IF-RELEVANT container and return it as a
* single-element authdata list. */
ad.ad_type = KRB5_AUTHDATA_CAMMAC;
ad.length = der_cammac->length;
ad.contents = (uint8_t *)der_cammac->data;
list[0] = &ad;
list[1] = NULL;
ret = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT,
list, cammac_out);
cleanup:
krb5_free_data(context, der_enctkt);
krb5_free_data(context, der_authdata);
krb5_free_data(context, der_cammac);
krb5_free_keyblock_contents(context, &tgtkey);
krb5_free_checksum_contents(context, &kdc_cksum);
krb5_free_checksum_contents(context, &svc_cksum);
return ret;
}
static krb5_error_code
make_ad_signedpath(krb5_context context,
krb5_const_principal for_user_princ,
krb5_principal server,
const krb5_db_entry *krbtgt,
krb5_keyblock *krbtgt_key,
krb5_principal *deleg_path,
krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code code;
krb5_ad_signedpath sp;
int i;
krb5_data *data = NULL;
krb5_authdata ad_datum, *ad_data[2];
krb5_authdata **if_relevant = NULL;
memset(&sp, 0, sizeof(sp));
sp.enctype = krbtgt_key->enctype;
if (deleg_path != NULL) {
for (i = 0; deleg_path[i] != NULL; i++)
;
} else
i = 0;
sp.delegated = k5calloc(i + (server ? 1 : 0) + 1, sizeof(krb5_principal),
&code);
if (code != 0)
goto cleanup;
/* Combine existing and new transited services, if any */
if (deleg_path != NULL)
memcpy(sp.delegated, deleg_path, i * sizeof(krb5_principal));
if (server != NULL)
sp.delegated[i++] = server;
sp.delegated[i] = NULL;
sp.method_data = NULL;
code = make_ad_signedpath_checksum(context,
for_user_princ,
krbtgt,
krbtgt_key,
enc_tkt_reply,
sp.delegated,
sp.method_data,
&sp.checksum);
if (code != 0) {
if (code == KRB5KRB_AP_ERR_INAPP_CKSUM) {
/*
* In the hopefully unlikely case the TGS key enctype
* has an unkeyed mandatory checksum type, do not fail
* so we do not prevent the KDC from servicing requests.
*/
code = 0;
}
goto cleanup;
}
code = encode_krb5_ad_signedpath(&sp, &data);
if (code != 0)
goto cleanup;
ad_datum.ad_type = KRB5_AUTHDATA_SIGNTICKET;
ad_datum.contents = (krb5_octet *)data->data;
ad_datum.length = data->length;
ad_data[0] = &ad_datum;
ad_data[1] = NULL;
code = krb5_encode_authdata_container(context,
KRB5_AUTHDATA_IF_RELEVANT,
ad_data,
&if_relevant);
if (code != 0)
goto cleanup;
code = merge_authdata(context,
if_relevant,
&enc_tkt_reply->authorization_data,
FALSE, /* !copy */
FALSE); /* !ignore_kdc_issued */
if (code != 0)
goto cleanup;
if_relevant = NULL; /* merge_authdata() freed */
cleanup:
if (sp.delegated != NULL)
free(sp.delegated);
krb5_free_authdata(context, if_relevant);
krb5_free_data(context, data);
krb5_free_checksum_contents(context, &sp.checksum);
krb5_free_pa_data(context, sp.method_data);
return code;
}
