plugins/preauth/wpse
plugins/authdata/greet
plugins/authdata/greet_client
+ plugins/authdata/greet_server
clients clients/klist clients/kinit clients/kvno
clients/kdestroy clients/kpasswd clients/ksu
krb5_keyblock *server_key; /* Key used to generate server signature */
krb5_timestamp authtime; /* Authtime of TGT */
krb5_authdata **auth_data; /* Authorization data from TGT */
+ krb5_keyblock *session_key; /* Reply session key */
} kdb_sign_auth_data_req;
typedef struct _kdb_sign_auth_data_rep {
* functions.
*/
/* extern krb5plugin_authdata_ftable_v0 authdata_server_0; */
-typedef struct krb5plugin_authdata_ftable_v0 {
+typedef struct krb5plugin_authdata_server_ftable_v0 {
/* Not-usually-visible name. */
char *name;
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v0;
+} krb5plugin_server_authdata_ftable_v0;
-typedef struct krb5plugin_authdata_ftable_v1 {
+typedef krb5plugin_server_authdata_ftable_v0 krb5plugin_authdata_ftable_v0;
+
+typedef struct krb5plugin_authdata_server_ftable_v1 {
/* Not-usually-visible name. */
char *name;
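Review bot: The v0 struct tag and its typedef names disagree on word order: the tag is `krb5plugin_authdata_server_ftable_v0`, but the closing typedef and the compatibility alias use `krb5plugin_server_authdata_ftable_v0`, whereas v1 uses `krb5plugin_authdata_server_ftable_v1` on both sides. Unless a second spelling is intended as public API, change the two lines to `} krb5plugin_authdata_server_ftable_v0;` and `typedef krb5plugin_authdata_server_ftable_v0 krb5plugin_authdata_ftable_v0;` so the v0 and v1 names follow the same pattern. The struct body is outside the hunk.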
krb5_const_principal for_user_princ,
krb5_enc_tkt_part *enc_tkt_request,
krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v1;
+} krb5plugin_authdata_server_ftable_v1;
+
+typedef krb5plugin_authdata_server_ftable_v1 krb5plugin_authdata_ftable_v1;
typedef krb5_error_code
(*authdata_client_plugin_init_proc)(krb5_context context, void **plugin_context);
void *request_context,
const krb5_auth_context *auth_context,
const krb5_keyblock *key,
- const krb5_ap_req *req);
+ const krb5_ap_req *req,
+ krb5_boolean kdc_issued_flag,
+ krb5_const_principal issuer);
typedef struct krb5plugin_authdata_client_ftable_v0 {
char *name;
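Review bot: The two parameters added to the client verify callback carry no documentation, and this is a plugin ABI header where every implementer has to guess their meaning. From the caller in authdata.c, `kdc_issued_flag` is TRUE only when the element was found inside a verified AD-KDC-ISSUED container rather than directly in the ticket or authenticator, and `issuer` is the principal recovered from that container; whether `issuer` is meaningful when the flag is FALSE is not established by the visible code and should be stated either way. Suggested comment above the prototype: `/* kdc_issued_flag: TRUE if the element came from a verified AD-KDC-ISSUED container; issuer: the container's issuing principal (only meaningful when kdc_issued_flag is TRUE). */`. The typedef begins outside the hunk.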
val->elements = NULL;
{begin_structure();
get_field(val->ad_checksum, 0, asn1_decode_checksum);
- opt_field(val->i_principal, 1, asn1_decode_realm, 0);
- opt_field(val->i_principal, 2, asn1_decode_principal_name, 0);
+ if (tagnum == 1) {
+ alloc_principal(val->i_principal);
+ opt_field(val->i_principal, 1, asn1_decode_realm, 0);
+ opt_field(val->i_principal, 2, asn1_decode_principal_name, 0);
+ }
get_field(val->elements, 3, asn1_decode_authorization_data);
end_structure();
}
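Review bot: The `if (tagnum == 1)` guard makes the [2] i-sname field decodable only when [1] i-realm precedes it, even though both remain `opt_field`; an encoding carrying tag 2 without tag 1 now falls through to `get_field(val->elements, 3, ...)` and fails there as an unexpected tag. That is a reasonable outcome (an sname without a realm is not a usable principal), but it is not obvious from the two `opt_field` calls, so a comment would help: `/* i-realm [1] and i-sname [2] are only meaningful together; allocate the principal when [1] is present and let a stray [2] fail at [3]. */`. The enclosing decoder function begins outside the hunk.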
return code;
}
+static krb5_error_code
+k5_get_kdc_issued_authdata(krb5_context kcontext,
+ const krb5_ap_req *ap_req,
+ krb5_principal *kdc_issuer,
+ krb5_authdata ***kdc_issued_authdata)
+{
+ krb5_error_code code;
+ krb5_authdata **authdata;
+ krb5_authdata **ticket_authdata;
+
+ *kdc_issuer = NULL;
+ *kdc_issued_authdata = NULL;
+
+ ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
+
+ code = krb5int_find_authdata(kcontext,
+ ticket_authdata,
+ NULL,
+ KRB5_AUTHDATA_KDC_ISSUED,
+ &authdata);
+ if (code != 0)
+ return code;
+
+ code = krb5_verify_authdata_kdc_issued(kcontext,
+ ap_req->ticket->enc_part2->session,
+ authdata[0],
+ kdc_issuer,
+ kdc_issued_authdata);
+
+ krb5_free_authdata(kcontext, authdata);
+
+ return code;
+}
+
krb5_error_code
krb5int_authdata_verify(krb5_context kcontext,
krb5_authdata_context context,
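Review bot: `authdata[0]` is dereferenced after krb5int_find_authdata() without checking that `authdata` is non-NULL, and the caller in krb5int_authdata_verify() shows that this lookup returns 0 with a NULL result when no element of the requested type exists (its old check was `code != 0 || authdata == NULL`). Any ticket without an AD-KDC-ISSUED element therefore dereferences NULL here. Change the check to `if (code != 0 || authdata == NULL) return code;`, which keeps the "no container" case indistinguishable from today's intended result of `*kdc_issuer == NULL` and `*kdc_issued_authdata == NULL`. A short header comment would also help, e.g. `/* Locate and verify the ticket's AD-KDC-ISSUED container; on success returns its issuer and elements, both NULL if absent. Caller frees both. */`.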
krb5_error_code code = 0;
krb5_authdata **authen_authdata;
krb5_authdata **ticket_authdata;
+ krb5_principal kdc_issuer = NULL;
+ krb5_authdata **kdc_issued_authdata = NULL;
authen_authdata = (*auth_context)->authentp->authorization_data;
ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
+ k5_get_kdc_issued_authdata(kcontext, ap_req,
+ &kdc_issuer, &kdc_issued_authdata);
for (i = 0; i < context->n_modules; i++) {
struct _krb5_authdata_context_module *module = &context->modules[i];
krb5_authdata **authdata;
+ krb5_boolean kdc_issued_flag = FALSE;
if ((module->flags & usage) == 0)
continue;
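Review bot: The return value of the new k5_get_kdc_issued_authdata() call is discarded, so a container whose checksum fails krb5_verify_authdata_kdc_issued() is treated exactly like a ticket that has none: `kdc_issued_authdata` stays NULL and the module loop never sees its elements. That may be the intended best-effort behaviour, but nothing says so and an integrity failure is silently dropped; if intended, add `/* A KDC-issued container that fails verification is ignored rather than fatal; its elements are simply not offered to the modules. */` above the call. If not intended, assign the result to `code` and skip the module loop when it is non-zero, so the frees of `kdc_issuer` and `kdc_issued_authdata` before `return code` still run. krb5int_authdata_verify() starts before and ends after this hunk.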
authen_authdata,
module->ad_type,
&authdata);
- if (code != 0 || authdata == NULL)
+ if (code != 0)
+ break;
+
+ if (authdata == NULL && kdc_issued_authdata != NULL) {
+ code = krb5int_find_authdata(kcontext,
+ kdc_issued_authdata,
+ NULL,
+ module->ad_type,
+ &authdata);
+ if (code != 0)
+ break;
+
+ kdc_issued_flag = TRUE;
+ }
+
+ if (authdata == NULL)
continue;
assert(authdata[0] != NULL);
*(module->request_context_pp),
auth_context,
key,
- ap_req);
+ ap_req,
+ kdc_issued_flag,
+ kdc_issuer);
}
if (code != 0 && (module->flags & AD_INFORMATIONAL))
code = 0;
break;
}
+ krb5_free_principal(kcontext, kdc_issuer);
+ krb5_free_authdata(kcontext, kdc_issued_authdata);
+
return code;
}
void *request_context,
const krb5_auth_context *auth_context,
const krb5_keyblock *key,
- const krb5_ap_req *req)
+ const krb5_ap_req *req,
+ krb5_boolean kdc_issued_flag,
+ krb5_const_principal issuer)
{
krb5_error_code code;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
if (pacctx->pac == NULL)
return EINVAL;
+ if (kdc_issued_flag)
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+
code = krb5_pac_verify(context,
pacctx->pac,
req->ticket->enc_part2->times.authtime,
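Review bot: The new early return rejects a PAC that arrived inside an AD-KDC-ISSUED container with KRB5KRB_AP_ERR_BAD_INTEGRITY but gives no reason, and the added `issuer` parameter is unused, so a reader cannot tell whether this is a policy decision or a not-yet-implemented path. Presumably the point is that the PAC carries its own signatures checked by krb5_pac_verify() below and is not expected to be wrapped; if so, state it: `/* A PAC is never delivered inside AD-KDC-ISSUED; treat that as an integrity failure rather than verifying it. */`. The function's signature begins and its body continues outside the hunk.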
gss_release_name(&tmp, &tmp_name);
+#if 0
major = testGreetAuthzData(&minor, name);
if (GSS_ERROR(major))
goto out;
+#endif
} else {
fprintf(stderr, "Usage: %s [principal] [keytab]\n", argv[0]);
exit(1);