krb5_pa_data **e_data = NULL;
kdc_realm_t *kdc_active_realm = NULL;
krb5_audit_state *au_state = NULL;
+ krb5_data **auth_indicators = NULL;
memset(&reply, 0, sizeof(reply));
memset(&reply_encpart, 0, sizeof(reply_encpart));
subject_tkt = header_enc_tkt;
authtime = subject_tkt->times.authtime;
+ /* Extract auth indicators from the subject ticket, except for S4U2Proxy
+ * requests (where the client didn't authenticate). */
+ if (s4u_x509_user == NULL) {
+ errcode = get_auth_indicators(kdc_context, subject_tkt, local_tgt,
+ &auth_indicators);
+ if (errcode) {
+ status = "GET_AUTH_INDICATORS";
+ goto cleanup;
+ }
+ }
+
if (is_referral)
ticket_reply.server = server->princ;
else
s4u_x509_user ?
s4u_x509_user->user_id.user : NULL,
subject_tkt,
- NULL,
+ auth_indicators,
&enc_tkt_reply);
if (errcode) {
krb5_klog_syslog(LOG_INFO, _("TGS_REQ : handle_authdata (%d)"),
if (enc_tkt_reply.authorization_data != NULL)
krb5_free_authdata(kdc_context, enc_tkt_reply.authorization_data);
krb5_free_pa_data(kdc_context, e_data);
+ k5_free_data_ptr_list(auth_indicators);
return retval;
}
return ret;
}
+/* Extract any properly verified authentication indicators from the authdata in
+ * enc_tkt. */
+krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+ krb5_db_entry *local_tgt, krb5_data ***indicators_out)
+{
+ krb5_error_code ret;
+ krb5_authdata **cammacs = NULL, **adp;
+ krb5_cammac *cammac = NULL;
+ krb5_data **indicators = NULL, der_cammac;
+
+ *indicators_out = NULL;
+
+ ret = krb5_find_authdata(context, enc_tkt->authorization_data, NULL,
+ KRB5_AUTHDATA_CAMMAC, &cammacs);
+ if (ret)
+ goto cleanup;
+
+ for (adp = cammacs; adp != NULL && *adp != NULL; adp++) {
+ der_cammac = make_data((*adp)->contents, (*adp)->length);
+ ret = decode_krb5_cammac(&der_cammac, &cammac);
+ if (ret)
+ goto cleanup;
+ if (cammac_check_kdcver(context, cammac, enc_tkt, local_tgt)) {
+ ret = authind_extract(context, cammac->elements, &indicators);
+ if (ret)
+ goto cleanup;
+ }
+ k5_free_cammac(context, cammac);
+ cammac = NULL;
+ }
+
+ *indicators_out = indicators;
+ indicators = NULL;
+
+cleanup:
+ krb5_free_authdata(context, cammacs);
+ k5_free_cammac(context, cammac);
+ k5_free_data_ptr_list(indicators);
+ return ret;
+}
+
krb5_error_code
handle_authdata(krb5_context context, unsigned int flags,
krb5_db_entry *client, krb5_db_entry *server,
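Review bot: A CAMMAC that fails to decode in `get_auth_indicators` aborts the whole TGS request (`ret` from `decode_krb5_cammac` propagates to the `status = "GET_AUTH_INDICATORS"` path in do_tgs_req.c), whereas a CAMMAC whose verifier does not check out in `cammac_check_kdcver` is silently skipped. Since the authorization data of a cross-realm header ticket is presumably produced by another realm's KDC, it is worth deciding explicitly whether a malformed element should be treated like an unverifiable one and ignored rather than turned into a request failure; if skipping is preferred, the decode lines become `if (decode_krb5_cammac(&der_cammac, &cammac) != 0) { cammac = NULL; continue; }`, assuming the decoder leaves its output unset on error. Either way the header comment should state the result contract the caller relies on when it frees the list: `/* On success, *indicators_out is a list owned by the caller (free with k5_free_data_ptr_list), or NULL if no verified CAMMAC carried indicators. */`. Whether `authind_extract` appends to an existing list across several verified CAMMACs or replaces it is not visible in this hunk; confirm before documenting accumulation.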
krb5_error_code
unload_authdata_plugins(krb5_context context);
+krb5_error_code
+get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt,
+ krb5_db_entry *local_tgt, krb5_data ***indicators_out);
+
krb5_error_code
handle_authdata (krb5_context context,
unsigned int flags,