int main() { krb5_context context; krb5_authdata **results; krb5_authdata *container[2]; krb5_authdata **container_out; assert(krb5_init_context(&context) == 0); assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0); compare_authdata(results[0], &ad1); compare_authdata( results[1], &ad2); compare_authdata(results[2], &ad4); compare_authdata( results[3], &ad3); assert(results[4] == NULL); krb5_free_authdata(context, results); container[0] = &ad3; container[1] = NULL; assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0); assert(krb5int_find_authdata(context, adseq1, container_out, 22, &results) == 0); compare_authdata(&ad1, results[0]); compare_authdata( results[1], &ad4); compare_authdata( results[2], &ad3); assert( results[3] == NULL); krb5_free_authdata(context, results); krb5_free_authdata(context, container_out); return 0; }
static krb5_error_code greet_kdc_sign(krb5_context context, krb5_enc_tkt_part *enc_tkt_reply, krb5_const_principal tgs, krb5_data *greeting) { krb5_error_code code; krb5_authdata ad_datum, *ad_data[2], **kdc_issued = NULL; krb5_authdata **if_relevant = NULL; krb5_authdata **tkt_authdata; ad_datum.ad_type = -42; ad_datum.contents = (krb5_octet *)greeting->data; ad_datum.length = greeting->length; ad_data[0] = &ad_datum; ad_data[1] = NULL; code = krb5_make_authdata_kdc_issued(context, enc_tkt_reply->session, tgs, ad_data, &kdc_issued); if (code != 0) return code; code = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT, kdc_issued, &if_relevant); if (code != 0) { krb5_free_authdata(context, kdc_issued); return code; } code = krb5_merge_authdata(context, if_relevant, enc_tkt_reply->authorization_data, &tkt_authdata); if (code == 0) { krb5_free_authdata(context, enc_tkt_reply->authorization_data); enc_tkt_reply->authorization_data = tkt_authdata; } krb5_free_authdata(context, if_relevant); krb5_free_authdata(context, kdc_issued); return code; }
int main() { krb5_context context; krb5_authdata **results; krb5_authdata *container[2]; krb5_authdata **container_out; krb5_authdata **kdci; assert(krb5_init_context(&context) == 0); assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0); compare_authdata(results[0], &ad1); compare_authdata( results[1], &ad2); compare_authdata(results[2], &ad4); compare_authdata( results[3], &ad3); assert(results[4] == NULL); krb5_free_authdata(context, results); container[0] = &ad3; container[1] = NULL; assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0); assert(krb5_find_authdata(context, adseq1, container_out, 22, &results) == 0); compare_authdata(&ad1, results[0]); compare_authdata( results[1], &ad4); compare_authdata( results[2], &ad3); assert( results[3] == NULL); krb5_free_authdata(context, container_out); assert(krb5_make_authdata_kdc_issued(context, &key, NULL, results, &kdci) == 0); assert(krb5_verify_authdata_kdc_issued(context, &key, kdci[0], NULL, &container_out) == 0); compare_authdata(container_out[0], results[0]); compare_authdata(container_out[1], results[1]); compare_authdata(container_out[2], results[2]); krb5_free_authdata(context, kdci); krb5_free_authdata(context, results); krb5_free_authdata(context, container_out); krb5_free_context(context); return 0; }
/* * Create a CAMMAC for contents, using enc_tkt and the first key from krbtgt * for the KDC verifier. Set *cammac_out to a single-element authdata list * containing the CAMMAC inside an IF-RELEVANT container. */ krb5_error_code cammac_create(krb5_context context, krb5_enc_tkt_part *enc_tkt, krb5_keyblock *server_key, krb5_db_entry *krbtgt, krb5_authdata **contents, krb5_authdata ***cammac_out) { krb5_error_code ret; krb5_data *der_authdata = NULL, *der_enctkt = NULL, *der_cammac = NULL; krb5_authdata ad, *list[2]; krb5_cammac cammac; krb5_verifier_mac kdc_verifier, svc_verifier; krb5_key_data *kd; krb5_keyblock tgtkey; krb5_checksum kdc_cksum, svc_cksum; *cammac_out = NULL; memset(&tgtkey, 0, sizeof(tgtkey)); memset(&kdc_cksum, 0, sizeof(kdc_cksum)); memset(&svc_cksum, 0, sizeof(svc_cksum)); /* Fetch the first krbtgt key for the KDC verifier. */ ret = krb5_dbe_find_enctype(context, krbtgt, -1, -1, 0, &kd); if (ret) goto cleanup; ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &tgtkey, NULL); if (ret) goto cleanup; /* Checksum the reply with contents as authdata for the KDC verifier. */ ret = encode_kdcver_encpart(enc_tkt, contents, &der_enctkt); if (ret) goto cleanup; ret = krb5_c_make_checksum(context, 0, &tgtkey, KRB5_KEYUSAGE_CAMMAC, der_enctkt, &kdc_cksum); if (ret) goto cleanup; kdc_verifier.princ = NULL; kdc_verifier.kvno = kd->key_data_kvno; kdc_verifier.enctype = ENCTYPE_NULL; kdc_verifier.checksum = kdc_cksum; /* Encode the authdata and checksum it for the service verifier. */ ret = encode_krb5_authdata(contents, &der_authdata); if (ret) goto cleanup; ret = krb5_c_make_checksum(context, 0, server_key, KRB5_KEYUSAGE_CAMMAC, der_authdata, &svc_cksum); if (ret) goto cleanup; svc_verifier.princ = NULL; svc_verifier.kvno = 0; svc_verifier.enctype = ENCTYPE_NULL; svc_verifier.checksum = svc_cksum; cammac.elements = contents; cammac.kdc_verifier = &kdc_verifier; cammac.svc_verifier = &svc_verifier; cammac.other_verifiers = NULL; ret = encode_krb5_cammac(&cammac, &der_cammac); if (ret) goto cleanup; /* Wrap the encoded CAMMAC in an IF-RELEVANT container and return it as a * single-element authdata list. */ ad.ad_type = KRB5_AUTHDATA_CAMMAC; ad.length = der_cammac->length; ad.contents = (uint8_t *)der_cammac->data; list[0] = &ad; list[1] = NULL; ret = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT, list, cammac_out); cleanup: krb5_free_data(context, der_enctkt); krb5_free_data(context, der_authdata); krb5_free_data(context, der_cammac); krb5_free_keyblock_contents(context, &tgtkey); krb5_free_checksum_contents(context, &kdc_cksum); krb5_free_checksum_contents(context, &svc_cksum); return ret; }
static krb5_error_code make_ad_signedpath(krb5_context context, krb5_const_principal for_user_princ, krb5_principal server, const krb5_db_entry *krbtgt, krb5_keyblock *krbtgt_key, krb5_principal *deleg_path, krb5_enc_tkt_part *enc_tkt_reply) { krb5_error_code code; krb5_ad_signedpath sp; int i; krb5_data *data = NULL; krb5_authdata ad_datum, *ad_data[2]; krb5_authdata **if_relevant = NULL; memset(&sp, 0, sizeof(sp)); sp.enctype = krbtgt_key->enctype; if (deleg_path != NULL) { for (i = 0; deleg_path[i] != NULL; i++) ; } else i = 0; sp.delegated = k5calloc(i + (server ? 1 : 0) + 1, sizeof(krb5_principal), &code); if (code != 0) goto cleanup; /* Combine existing and new transited services, if any */ if (deleg_path != NULL) memcpy(sp.delegated, deleg_path, i * sizeof(krb5_principal)); if (server != NULL) sp.delegated[i++] = server; sp.delegated[i] = NULL; sp.method_data = NULL; code = make_ad_signedpath_checksum(context, for_user_princ, krbtgt, krbtgt_key, enc_tkt_reply, sp.delegated, sp.method_data, &sp.checksum); if (code != 0) { if (code == KRB5KRB_AP_ERR_INAPP_CKSUM) { /* * In the hopefully unlikely case the TGS key enctype * has an unkeyed mandatory checksum type, do not fail * so we do not prevent the KDC from servicing requests. */ code = 0; } goto cleanup; } code = encode_krb5_ad_signedpath(&sp, &data); if (code != 0) goto cleanup; ad_datum.ad_type = KRB5_AUTHDATA_SIGNTICKET; ad_datum.contents = (krb5_octet *)data->data; ad_datum.length = data->length; ad_data[0] = &ad_datum; ad_data[1] = NULL; code = krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT, ad_data, &if_relevant); if (code != 0) goto cleanup; code = merge_authdata(context, if_relevant, &enc_tkt_reply->authorization_data, FALSE, /* !copy */ FALSE); /* !ignore_kdc_issued */ if (code != 0) goto cleanup; if_relevant = NULL; /* merge_authdata() freed */ cleanup: if (sp.delegated != NULL) free(sp.delegated); krb5_free_authdata(context, if_relevant); krb5_free_data(context, data); krb5_free_checksum_contents(context, &sp.checksum); krb5_free_pa_data(context, sp.method_data); return code; }