static krb5_error_code verify_ad_signedpath(krb5_context context, krb5_db_entry *krbtgt, krb5_keyblock *krbtgt_key, krb5_enc_tkt_part *enc_tkt_part, krb5_principal **pdelegated, krb5_boolean *path_is_signed) { krb5_error_code code; krb5_ad_signedpath *sp = NULL; krb5_authdata **sp_authdata = NULL; krb5_data enc_sp; *pdelegated = NULL; *path_is_signed = FALSE; code = krb5_find_authdata(context, enc_tkt_part->authorization_data, NULL, KRB5_AUTHDATA_SIGNTICKET, &sp_authdata); if (code != 0) goto cleanup; if (sp_authdata == NULL || sp_authdata[0]->ad_type != KRB5_AUTHDATA_SIGNTICKET || sp_authdata[1] != NULL) goto cleanup; enc_sp.data = (char *)sp_authdata[0]->contents; enc_sp.length = sp_authdata[0]->length; code = decode_krb5_ad_signedpath(&enc_sp, &sp); if (code != 0) { /* Treat an invalid signedpath authdata element as a missing one, since * we believe MS is using the same number for something else. */ code = 0; goto cleanup; } code = verify_ad_signedpath_checksum(context, krbtgt, krbtgt_key, enc_tkt_part, sp->delegated, sp->method_data, &sp->checksum, path_is_signed); if (code != 0) goto cleanup; if (*path_is_signed) { *pdelegated = sp->delegated; sp->delegated = NULL; } cleanup: krb5_free_ad_signedpath(context, sp); krb5_free_authdata(context, sp_authdata); return code; }
krb5_error_code sss_krb5_find_authdata(krb5_context context, krb5_authdata *const *ticket_authdata, krb5_authdata *const *ap_req_authdata, krb5_authdatatype ad_type, krb5_authdata ***results) { #ifdef HAVE_KRB5_FIND_AUTHDATA return krb5_find_authdata(context, ticket_authdata, ap_req_authdata, ad_type, results); #else return ENOTSUP; #endif }
int main() { krb5_context context; krb5_authdata **results; krb5_authdata *container[2]; krb5_authdata **container_out; krb5_authdata **kdci; assert(krb5_init_context(&context) == 0); assert(krb5_merge_authdata(context, adseq1, adseq2, &results) == 0); compare_authdata(results[0], &ad1); compare_authdata( results[1], &ad2); compare_authdata(results[2], &ad4); compare_authdata( results[3], &ad3); assert(results[4] == NULL); krb5_free_authdata(context, results); container[0] = &ad3; container[1] = NULL; assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0); assert(krb5_find_authdata(context, adseq1, container_out, 22, &results) == 0); compare_authdata(&ad1, results[0]); compare_authdata( results[1], &ad4); compare_authdata( results[2], &ad3); assert( results[3] == NULL); krb5_free_authdata(context, container_out); assert(krb5_make_authdata_kdc_issued(context, &key, NULL, results, &kdci) == 0); assert(krb5_verify_authdata_kdc_issued(context, &key, kdci[0], NULL, &container_out) == 0); compare_authdata(container_out[0], results[0]); compare_authdata(container_out[1], results[1]); compare_authdata(container_out[2], results[2]); krb5_free_authdata(context, kdci); krb5_free_authdata(context, results); krb5_free_authdata(context, container_out); krb5_free_context(context); return 0; }