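/*
 * Look for a KRB5_AUTHDATA_SIGNTICKET element in the ticket's authorization
 * data and, if verify_ad_signedpath_checksum() accepts its checksum, hand the
 * signed delegation path back to the caller.
 *
 * Outputs:
 *   *path_is_signed  TRUE only when a valid signedpath element was verified.
 *   *pdelegated      the element's delegated-principal list (ownership moves
 *                    to the caller) when signed, NULL otherwise.
 *
 * A missing, duplicated or undecodable element is not treated as an error:
 * both outputs stay cleared and 0 is returned.  Only krb5_find_authdata()
 * and checksum-verification failures propagate as a non-zero code.
 */
static krb5_error_code
verify_ad_signedpath(krb5_context context,
                     krb5_db_entry *krbtgt,
                     krb5_keyblock *krbtgt_key,
                     krb5_enc_tkt_part *enc_tkt_part,
                     krb5_principal **pdelegated,
                     krb5_boolean *path_is_signed)
{
    krb5_error_code                 code;
    krb5_ad_signedpath             *sp = NULL;
    krb5_authdata                 **sp_authdata = NULL;
    krb5_data                       enc_sp;

    /* Clear the outputs first so every early exit leaves a defined state. */
    *pdelegated = NULL;
    *path_is_signed = FALSE;

    code = krb5_find_authdata(context, enc_tkt_part->authorization_data, NULL,
                              KRB5_AUTHDATA_SIGNTICKET, &sp_authdata);
    if (code != 0)
        goto cleanup;

    /* Require exactly one SIGNTICKET element.  The first slot is checked for
     * NULL as well so an empty result list is handled like an absent one
     * instead of being dereferenced. */
    if (sp_authdata == NULL || sp_authdata[0] == NULL ||
        sp_authdata[0]->ad_type != KRB5_AUTHDATA_SIGNTICKET ||
        sp_authdata[1] != NULL)
        goto cleanup;

    enc_sp.data = (char *)sp_authdata[0]->contents;
    enc_sp.length = sp_authdata[0]->length;

    code = decode_krb5_ad_signedpath(&enc_sp, &sp);
    if (code != 0) {
        /* Treat an invalid signedpath authdata element as a missing one, since
         * we believe MS is using the same number for something else. */
        code = 0;
        goto cleanup;
    }

    /* Verifies sp->checksum with the TGT key; sets *path_is_signed on success
     * and leaves it FALSE when the checksum simply does not match. */
    code = verify_ad_signedpath_checksum(context,
                                         krbtgt,
                                         krbtgt_key,
                                         enc_tkt_part,
                                         sp->delegated,
                                         sp->method_data,
                                         &sp->checksum,
                                         path_is_signed);
    if (code != 0)
        goto cleanup;

    if (*path_is_signed) {
        /* Transfer ownership of the delegated list to the caller so that
         * krb5_free_ad_signedpath() below does not release it. */
        *pdelegated = sp->delegated;
        sp->delegated = NULL;
    }

cleanup:
    krb5_free_ad_signedpath(context, sp);
    krb5_free_authdata(context, sp_authdata);

    return code;
}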
/*
 * Portability wrapper around krb5_find_authdata().
 *
 * When the build detected the library routine (HAVE_KRB5_FIND_AUTHDATA) the
 * call is forwarded unchanged and its result returned.  Otherwise nothing is
 * done and ENOTSUP is returned; *results is left untouched in that case.
 */
krb5_error_code sss_krb5_find_authdata(krb5_context context,
                                       krb5_authdata *const *ticket_authdata,
                                       krb5_authdata *const *ap_req_authdata,
                                       krb5_authdatatype ad_type,
                                       krb5_authdata ***results)
{
#ifndef HAVE_KRB5_FIND_AUTHDATA
    /* Stub build: the parameters are intentionally unused. */
    (void)context;
    (void)ticket_authdata;
    (void)ap_req_authdata;
    (void)ad_type;
    (void)results;
    return ENOTSUP;
#else
    krb5_error_code ret;

    ret = krb5_find_authdata(context, ticket_authdata, ap_req_authdata,
                             ad_type, results);
    return ret;
#endif
}
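/*
 * Exercise the authdata helpers: merge two sequences, search by type through
 * an IF-RELEVANT container, then round-trip the search result through
 * AD-KDC-ISSUED and check it comes back intact.
 *
 * The fixtures (adseq1, adseq2, ad1..ad4, key) and compare_authdata() are
 * defined elsewhere in this file.  Every list returned by the library is
 * expected to be NULL-terminated, and each terminator is asserted so a
 * too-long result is caught rather than read past.
 */
int
main(void)
{
    krb5_context context;
    krb5_authdata **results;
    krb5_authdata *container[2];
    krb5_authdata **container_out;
    krb5_authdata **kdci;

    assert(krb5_init_context(&context) == 0);

    /* Merge: all four elements survive, in the expected order. */
    assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0);
    compare_authdata(results[0], &ad1);
    compare_authdata(results[1], &ad2);
    compare_authdata(results[2], &ad4);
    compare_authdata(results[3], &ad3);
    assert(results[4] == NULL);
    krb5_free_authdata(context, results);

    /* Search: ad3 is wrapped in an IF-RELEVANT container so the lookup must
     * descend into it; the match list is expected to hold three elements. */
    container[0] = &ad3;
    container[1] = NULL;
    assert(krb5_encode_authdata_container(context, KRB5_AUTHDATA_IF_RELEVANT,
                                          container, &container_out) == 0);
    assert(krb5_find_authdata(context, adseq1, container_out, 22,
                              &results) == 0);
    compare_authdata(&ad1, results[0]);
    compare_authdata(results[1], &ad4);
    compare_authdata(results[2], &ad3);
    assert(results[3] == NULL);
    krb5_free_authdata(context, container_out);

    /* KDC-issued round trip: sign the three matches, verify the signature,
     * and check the unwrapped list equals the input element for element. */
    assert(krb5_make_authdata_kdc_issued(context, &key, NULL, results,
                                         &kdci) == 0);
    assert(krb5_verify_authdata_kdc_issued(context, &key, kdci[0], NULL,
                                           &container_out) == 0);
    compare_authdata(container_out[0], results[0]);
    compare_authdata(container_out[1], results[1]);
    compare_authdata(container_out[2], results[2]);
    /* The unwrapped list must end where the input did. */
    assert(container_out[3] == NULL);

    krb5_free_authdata(context, kdci);
    krb5_free_authdata(context, results);
    krb5_free_authdata(context, container_out);
    krb5_free_context(context);
    return 0;
}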