krb5_const_principal server_princ,
krb5_db_entry *client,
krb5_db_entry *server,
- krb5_db_entry *krbtgt,
+ krb5_db_entry *header_server,
+ krb5_db_entry *local_tgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
+ krb5_keyblock *header_key,
+ krb5_keyblock *local_tgt_key,
krb5_keyblock *session_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
* server: The DB entry of the service principal, or of a cross-realm
* krbtgt principal in case of referral.
*
- * krbtgt: For S4U2Proxy requests, the DB entry of the second ticket
- * server. For other TGS requests, the DB entry of the header ticket
- * server. For AS requests, the DB entry of the service principal;
- * this is usually a local krbtgt principal.
+ * header_server: For S4U2Proxy requests, the DB entry of the second
+ * ticket server. For other TGS requests, the DB entry of the header
+ * ticket server. For AS requests, NULL.
+ *
+ * local_tgt: the DB entry of the local krbtgt principal.
*
* client_key: The reply key for the KDC request, before any FAST armor
* is applied. For AS requests, this may be the client's long-term key
*
* server_key: The server key used to encrypt the returned ticket.
*
- * krbtgt_key: For S4U2Proxy requests, the key used to decrypt the second
- * ticket. For other TGS requests, the key used to decrypt the header
- * ticket. For AS requests, the server key used to encrypt the
- * returned ticket.
+ * header_key: For S4U2Proxy requests, the key used to decrypt the second
+ * ticket. For TGS requests, the key used to decrypt the header
+ * ticket. For AS requests, NULL.
+ *
+ * local_tgt_key: The decrypted first key of local_tgt.
*
* session_key: The session key of the ticket being granted to the
* requestor.
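Review bot: The new `local_tgt:` entry is the only parameter description in this comment that begins in lowercase; for consistency with its neighbours it should read `* local_tgt: The DB entry of the local krbtgt principal.`. The header_server and header_key entries now state that they are NULL for AS requests, but nothing says whether local_tgt and local_tgt_key are guaranteed for every request type; if they are always supplied, which the removal of the old NULL-substitution in fetch_kdb_authdata suggests but this hunk does not prove, a sentence such as `* local_tgt_key: The decrypted first key of local_tgt. Unlike header_key, this is supplied for all request types.` would let plugin authors rely on it without reading the KDC source.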
krb5_const_principal server_princ,
krb5_db_entry *client,
krb5_db_entry *server,
- krb5_db_entry *krbtgt,
+ krb5_db_entry *header_server,
+ krb5_db_entry *local_tgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
+ krb5_keyblock *header_key,
+ krb5_keyblock *local_tgt_key,
krb5_keyblock *session_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
static krb5_error_code
fetch_kdb_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
- krb5_db_entry *header_server, krb5_keyblock *client_key,
- krb5_keyblock *server_key, krb5_keyblock *header_key,
+ krb5_db_entry *header_server, krb5_db_entry *local_tgt,
+ krb5_keyblock *client_key, krb5_keyblock *server_key,
+ krb5_keyblock *header_key, krb5_keyblock *local_tgt_key,
krb5_kdc_req *req, krb5_const_principal altcprinc,
void *ad_info, krb5_enc_tkt_part *enc_tkt_req,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_authdata **tgt_authdata, **db_authdata = NULL;
krb5_boolean tgs_req = (req->msg_type == KRB5_TGS_REQ);
krb5_const_principal actual_client;
- krb5_db_entry *krbtgt;
- krb5_keyblock *krbtgt_key;
/*
* Check whether KDC issued authorization data should be included.
else
actual_client = enc_tkt_reply->client;
- /*
- * For DAL major version 5, always pass "krbtgt" and "krbtgt_key"
- * parameters which are usually, but not always, for local or cross-realm
- * TGT principals. In the future we might rename the parameters and pass
- * NULL for AS requests.
- */
- krbtgt = (header_server != NULL) ? header_server : server;
- krbtgt_key = (header_key != NULL) ? header_key : server_key;
-
tgt_authdata = tgs_req ? enc_tkt_req->authorization_data : NULL;
ret = krb5_db_sign_authdata(context, flags, actual_client, req->server,
- client, server, krbtgt, client_key, server_key,
- krbtgt_key, enc_tkt_reply->session,
+ client, server, header_server, local_tgt,
+ client_key, server_key, header_key,
+ local_tgt_key, enc_tkt_reply->session,
enc_tkt_reply->times.authtime, tgt_authdata,
ad_info, auth_indicators, &db_authdata);
if (ret)
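Review bot: With the fallback `krbtgt = (header_server != NULL) ? header_server : server;` and its key counterpart removed, AS requests now forward NULL for header_server and header_key straight into krb5_db_sign_authdata, so every DAL sign_authdata implementation must treat those two arguments as optional; an implementation that dereferences them unconditionally would fault on the first AS request rather than on a malformed one. Because the argument list itself changed, this is a DAL contract change rather than a rename, and it should be accompanied by a bump of the DAL major version and a note in the plugin interface documentation; neither is visible in these hunks, so it may already be handled elsewhere in the commit. The same forwarding change appears in the krb5_db_sign_authdata body and at the fetch_kdb_authdata call site below and needs no separate treatment. fetch_kdb_authdata's body continues outside this hunk.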
if (!isflagset(enc_tkt_reply->flags, TKT_FLG_ANONYMOUS)) {
/* Fetch authdata from the KDB if appropriate. */
ret = fetch_kdb_authdata(context, flags, client, server, header_server,
- client_key, server_key, header_key, req,
- altcprinc, ad_info, enc_tkt_req,
- enc_tkt_reply, auth_indicators);
+ local_tgt, client_key, server_key, header_key,
+ local_tgt_key, req, altcprinc, ad_info,
+ enc_tkt_req, enc_tkt_reply, auth_indicators);
if (ret)
return ret;
}
krb5_db_sign_authdata(krb5_context kcontext, unsigned int flags,
krb5_const_principal client_princ,
krb5_const_principal server_princ, krb5_db_entry *client,
- krb5_db_entry *server, krb5_db_entry *krbtgt,
- krb5_keyblock *client_key, krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key, krb5_keyblock *session_key,
+ krb5_db_entry *server, krb5_db_entry *header_server,
+ krb5_db_entry *local_tgt, krb5_keyblock *client_key,
+ krb5_keyblock *server_key, krb5_keyblock *header_key,
+ krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
void *ad_info, krb5_data ***auth_indicators,
krb5_authdata ***signed_auth_data)
if (v->sign_authdata == NULL)
return KRB5_PLUGIN_OP_NOTSUPP;
return v->sign_authdata(kcontext, flags, client_princ, server_princ,
- client, server, krbtgt, client_key, server_key,
- krbtgt_key, session_key, authtime, tgt_auth_data,
- ad_info, auth_indicators, signed_auth_data);
+ client, server, header_server, local_tgt,
+ client_key, server_key, header_key, local_tgt_key,
+ session_key, authtime, tgt_auth_data, ad_info,
+ auth_indicators, signed_auth_data);
}
krb5_error_code
test_sign_authdata(krb5_context context, unsigned int flags,
krb5_const_principal client_princ,
krb5_const_principal server_princ, krb5_db_entry *client,
- krb5_db_entry *server, krb5_db_entry *krbtgt,
- krb5_keyblock *client_key, krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key, krb5_keyblock *session_key,
+ krb5_db_entry *server, krb5_db_entry *header_server,
+ krb5_db_entry *local_tgt, krb5_keyblock *client_key,
+ krb5_keyblock *server_key, krb5_keyblock *header_key,
+ krb5_keyblock *local_tgt_key, krb5_keyblock *session_key,
krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
void *ad_info, krb5_data ***auth_indicators,
krb5_authdata ***signed_auth_data)