krb5_int32 nonce;
} krb5_fast_response;
+typedef struct _krb5_ad_kdcissued {
+ krb5_checksum ad_checksum;
+ krb5_principal i_principal;
+ krb5_authdata **elements;
+} krb5_ad_kdcissued;
typedef krb5_error_code (*krb5_preauth_obtain_proc)
(krb5_context,
(krb5_context, krb5_fast_finished *);
void KRB5_CALLCONV krb5_free_fast_response
(krb5_context, krb5_fast_response *);
+void KRB5_CALLCONV krb5_free_ad_kdcissued
+(krb5_context, krb5_ad_kdcissued *);
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
#include "com_err.h"
krb5_error_code encode_krb5_fast_response
(const krb5_fast_response *, krb5_data **);
+krb5_error_code encode_krb5_ad_kdcissued
+(const krb5_ad_kdcissued *, krb5_data **);
+
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
krb5_error_code decode_krb5_fast_response
(const krb5_data *, krb5_fast_response **);
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *, krb5_ad_kdcissued **);
+
struct _krb5_key_data; /* kdb.h */
struct ldap_seqof_key_data {
krb5_authdata * const*authdata,
krb5_authdata ***container);
+/*
+ * AD-KDCIssued
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_make_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+ krb5_authdata *const *authdata,
+ krb5_authdata **ad_kdcissued);
+krb5_error_code KRB5_CALLCONV
+krb5_verify_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ const krb5_authdata *ad_kdcissued,
+ krb5_principal *issuer,
+ krb5_authdata ***authdata);
+
/*
* Windows PAC
*/
decode_ptr( krb5_fast_finished *, asn1_decode_fast_finished);
}
-
+asn1_error_code asn1_decode_ad_kdcissued
+(asn1buf *buf, krb5_ad_kdcissued *val)
+{
+ setup();
+ val->ad_checksum.contents = NULL;
+ val->i_principal = NULL;
+ val->elements = NULL;
+ {begin_structure();
+ get_field(val->ad_checksum, 0, asn1_decode_checksum);
+ opt_field(val->i_principal, 1, asn1_decode_realm, 0);
+ opt_field(val->i_principal, 2, asn1_decode_principal_name, 0);
+ get_field(val->elements, 3, asn1_decode_authorization_data);
+ end_structure();
+ }
+ return 0;
+error_out:
+ krb5_free_checksum_contents(NULL, &val->ad_checksum);
+ krb5_free_principal(NULL, val->i_principal);
+ krb5_free_authdata(NULL, val->elements);
+ return retval;
+}
+
#ifndef DISABLE_PKINIT
/* PKINIT */
asn1_error_code asn1_decode_fast_finished_ptr
(asn1buf *buf, krb5_fast_finished **val);
+asn1_error_code asn1_decode_ad_kdcissued
+(asn1buf *buf, krb5_ad_kdcissued *val);
+
+asn1_error_code asn1_decode_ad_kdcissued_ptr
+(asn1buf *buf, krb5_ad_kdcissued **val);
+
#endif
DEFFIELDTYPE(pa_fx_fast_reply, krb5_enc_data,
FIELDOF_ENCODEAS(krb5_enc_data, fast_rep, 0));
+static const struct field_info ad_kdcissued_fields[] = {
+ FIELDOF_NORM(krb5_ad_kdcissued, checksum, ad_checksum, 0),
+ FIELDOF_OPT(krb5_ad_kdcissued, realm_of_principal, i_principal, 1, 1),
+ FIELDOF_OPT(krb5_ad_kdcissued, principal, i_principal, 2, 1),
+ FIELDOF_NORM(krb5_ad_kdcissued, auth_data_ptr, elements, 3),
+};
+
+static unsigned int ad_kdcissued_optional(const void *p)
+{
+ unsigned int optional = 0;
+ const krb5_ad_kdcissued *val = p;
+ if (val->i_principal)
+ optional |= (1u << 1);
+ return optional;
+}
+
+DEFSEQTYPE(ad_kdc_issued, krb5_ad_kdcissued, ad_kdcissued_fields, ad_kdcissued_optional);
MAKE_FULL_ENCODER( encode_krb5_pa_fx_fast_reply, pa_fx_fast_reply);
MAKE_FULL_ENCODER(encode_krb5_fast_response, fast_response);
-
+MAKE_FULL_ENCODER(encode_krb5_ad_kdcissued, ad_kdc_issued);
cleanup(free);
}
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *code, krb5_ad_kdcissued **repptr)
+{
+ setup_buf_only(krb5_ad_kdcissued *);
+ alloc_field(rep);
+
+ retval = asn1_decode_ad_kdcissued(&buf, rep);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
#ifndef DISABLE_PKINIT
krb5_error_code
else krb5_free_authdata(context, fctx.out);
return retval;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_make_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+ krb5_authdata *const *authdata,
+ krb5_authdata **ad_kdcissued)
+{
+ krb5_error_code code;
+ krb5_ad_kdcissued ad_kdci;
+ krb5_data *data;
+ krb5_cksumtype cksumtype;
+
+ *ad_kdcissued = NULL;
+
+ ad_kdci.ad_checksum.contents = NULL;
+ ad_kdci.i_principal = (krb5_principal)issuer;
+ ad_kdci.elements = ad_kdcissued;
+
+ code = krb5int_c_mandatory_cksumtype(context, key->enctype,
+ &cksumtype);
+ if (code != 0)
+ return code;
+
+ code = encode_krb5_authdata(ad_kdcissued, &data);
+ if (code != 0)
+ return code;
+
+ code = krb5_c_make_checksum(context, cksumtype,
+ key, KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM,
+ data, &ad_kdci.ad_checksum);
+ if (code != 0) {
+ krb5_free_data(context, data);
+ return code;
+ }
+
+ krb5_free_data(context, data);
+
+ code = encode_krb5_ad_kdcissued(&ad_kdci, &data);
+ if (code != 0)
+ return code;
+
+ krb5_free_checksum_contents(context, &ad_kdci.ad_checksum);
+
+ *ad_kdcissued = calloc(1, sizeof(krb5_authdata));
+ if (*ad_kdcissued == NULL) {
+ krb5_free_data(context, data);
+ return ENOMEM;
+ }
+
+ (*ad_kdcissued)->magic = KV5M_AUTHDATA;
+ (*ad_kdcissued)->ad_type = KRB5_AUTHDATA_KDC_ISSUED;
+ (*ad_kdcissued)->length = data->length;
+ (*ad_kdcissued)->contents = (krb5_octet *)data->data;
+
+ free(data);
+
+ return 0;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_verify_authdata_kdc_issued(krb5_context context,
+ const krb5_keyblock *key,
+ const krb5_authdata *ad_kdcissued,
+ krb5_principal *issuer,
+ krb5_authdata ***authdata)
+{
+ krb5_error_code code;
+ krb5_ad_kdcissued *ad_kdci;
+ krb5_data data, *data2;
+ krb5_boolean valid = FALSE;
+
+ if (issuer != NULL)
+ *issuer = NULL;
+ if (authdata != NULL)
+ *authdata = NULL;
+
+ data.length = ad_kdcissued->length;
+ data.data = (char *)ad_kdcissued->contents;
+
+ code = decode_krb5_ad_kdcissued(&data, &ad_kdci);
+ if (code != 0)
+ return code;
+
+ code = encode_krb5_authdata(ad_kdci->elements, &data2);
+ if (code != 0) {
+ krb5_free_ad_kdcissued(context, ad_kdci);
+ return code;
+ }
+
+ code = krb5_c_verify_checksum(context, key,
+ KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM,
+ data2, &ad_kdci->ad_checksum, &valid);
+ if (code != 0) {
+ krb5_free_ad_kdcissued(context, ad_kdci);
+ krb5_free_data(context, data2);
+ }
+
+ krb5_free_data(context, data2);
+
+ if (valid == FALSE) {
+ krb5_free_ad_kdcissued(context, ad_kdci);
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ }
+
+ if (issuer != NULL) {
+ *issuer = ad_kdci->i_principal;
+ ad_kdci->i_principal = NULL;
+ }
+
+ if (authdata != NULL) {
+ *authdata = ad_kdci->elements;
+ ad_kdci->elements = NULL;
+ }
+
+ krb5_free_ad_kdcissued(context, ad_kdci);
+
+ return 0;
+}
+
free(data);
}
+void KRB5_CALLCONV
+krb5_free_ad_kdcissued(krb5_context context, krb5_ad_kdcissued *val)
+{
+ if (val == NULL)
+ return;
+
+ krb5_free_checksum_contents(context, &val->ad_checksum);
+ krb5_free_principal(context, val->i_principal);
+ krb5_free_authdata(context, val->elements);
+ free(val);
+}
+
krb5_libdefault_boolean
krb5_locate_kdc
krb5_lock_file
+krb5_make_authdata_kdc_issued
krb5_make_full_ipaddr
krb5_make_fulladdr
krb5_max_dgram_size
krb5_us_timeofday
krb5_use_natural_time
krb5_validate_times
+krb5_verify_authdata_kdc_issued
krb5_verify_init_creds
krb5_verify_init_creds_opt_init
krb5_verify_init_creds_opt_set_ap_req_nofail
projects / thirdparty / krb5.git / commitdiff
