third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57...
authorStefan Metzmacher <metze@samba.org>
Thu, 3 Mar 2022 18:17:06 +0000 (19:17 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 6 Mar 2022 23:05:40 +0000 (23:05 +0000)
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
16 files changed:
third_party/heimdal/kdc/fast.c
third_party/heimdal/kdc/kdc-accessors.h
third_party/heimdal/kdc/kdc-plugin.c
third_party/heimdal/kdc/kdc-plugin.h
third_party/heimdal/kdc/kdc_locl.h
third_party/heimdal/kdc/kerberos5.c
third_party/heimdal/kdc/krb5tgs.c
third_party/heimdal/kdc/libkdc-exports.def
third_party/heimdal/kdc/mssfu.c
third_party/heimdal/kdc/version-script.map
third_party/heimdal/lib/asn1/krb5.asn1
third_party/heimdal/lib/asn1/libasn1-exports.def
third_party/heimdal/lib/krb5/krb5.h
third_party/heimdal/lib/krb5/pac.c
third_party/heimdal/lib/krb5/principal.c
third_party/heimdal/tests/plugin/kdc_test_plugin.c

index 25cab3096b7f5c17b0133ee5dbfdfd6e48c9580d..043227892b5d94883d28da5d6f7d834be7b3a9d7 100644 (file)
@@ -464,7 +464,6 @@ fast_unwrap_request(astgs_request_t r,
     krb5_flags ap_req_options;
     krb5_keyblock armorkey;
     krb5_keyblock explicit_armorkey;
-    krb5_boolean explicit_armor;
     krb5_error_code ret;
     krb5_ap_req ap_req;
     KrbFastReq fastreq;
@@ -518,7 +517,7 @@ fast_unwrap_request(astgs_request_t r,
        goto out;
     }
 
-    explicit_armor = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
+    r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
 
     /*
      *
@@ -625,11 +624,11 @@ fast_unwrap_request(astgs_request_t r,
                               ac->remote_subkey,
                               &ticket->ticket.key,
                               &armorkey,
-                              explicit_armor ? NULL : &r->armor_crypto);
+                              r->explicit_armor_present ? NULL : &r->armor_crypto);
     if (ret)
        goto out;
 
-    if (explicit_armor) {
+    if (r->explicit_armor_present) {
        ret = _krb5_fast_explicit_armor_key(r->context,
                                            &armorkey,
                                            tgs_ac->remote_subkey,
@@ -869,7 +868,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
     if (ret)
        goto out;
 
-    ret = _kdc_check_pac(r->context, r->config, armor_client_principal, NULL,
+    ret = _kdc_check_pac(r, armor_client_principal, NULL,
                         armor_client, r->armor_server,
                         r->armor_server, r->armor_server,
                         &r->armor_key->key, &r->armor_key->key,
@@ -887,6 +886,17 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
        goto out;
     }
 
+    if (r->explicit_armor_present) {
+       r->explicit_armor_clientdb = armor_db;
+       armor_db = NULL;
+
+       r->explicit_armor_client = armor_client;
+       armor_client = NULL;
+
+       r->explicit_armor_pac = mspac;
+       mspac = NULL;
+    }
+
 out:
     krb5_xfree(armor_client_principal_name);
     if (armor_client)
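Review bot: The block added before `out:` moves `armor_db`, `armor_client` and `mspac` into the request without a comment saying who now frees them, and it overwrites `r->explicit_armor_client` and `r->explicit_armor_pac` without checking for earlier values. A short comment such as `/* ownership moves to r; released in the _kdc_tgs_rep() cleanup path */` would make the NULL assignments read as a hand-off rather than a reset. If this function can run more than once for the same request (not visible here), the previous entry and PAC would leak, so it may be worth asserting that the fields are NULL first. The function body begins and ends outside this hunk.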
index 81c03d2f2227c8229b85f4a3bd3ee71d556bfa48..911b83d7576fae892dd58b0168ac73e8ed247e37 100644 (file)
@@ -346,4 +346,24 @@ ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes)
 
 ASTGS_REQUEST_SET_ACCESSOR(uint64_t, pac_attributes)
 
+/*
+ * const HDB *
+ * kdc_request_get_explicit_armor_clientdb(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR_PTR(HDB *, explicit_armor_clientdb)
+
+/*
+ * const hdb_entry *
+ * kdc_request_get_explicit_armor_client(astgs_request_t);
+ */
+ASTGS_REQUEST_GET_ACCESSOR_PTR(hdb_entry *, explicit_armor_client);
+
+/*
+ * krb5_const_pac
+ * kdc_request_get_explicit_armor_pac(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR_PTR(struct krb5_pac_data *, explicit_armor_pac);
+
 #endif /* HEIMDAL_KDC_KDC_ACCESSORS_H */
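Review bot: The three new getters hand plugins pointers that the request still owns, and the comments above them do not say so. The cleanup added to `_kdc_tgs_rep()` frees `explicit_armor_client` and `explicit_armor_pac`, so a plugin that keeps or frees one of these pointers would end up with a dangling reference or a double free. A line such as `/* borrowed: valid only for the lifetime of the request, do not free */` in each comment would state the contract. The invocations for `explicit_armor_client` and `explicit_armor_pac` also end in `;` while `explicit_armor_clientdb` and the existing `pac_attributes` accessors do not. If the macro expands to a function definition (its definition is outside this hunk), those semicolons are empty declarations and are better dropped.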
index 8759893a9560013523a101dbec99ff4ec33cad0d..925c250597a272fbb22b3b5aa729c7711843685f 100644 (file)
@@ -72,7 +72,7 @@ krb5_kdc_plugin_init(krb5_context context)
 }
 
 struct generate_uc {
-    krb5_kdc_configuration *config;
+    astgs_request_t r;
     hdb_entry *client;
     hdb_entry *server;
     const krb5_keyblock *reply_key;
@@ -90,8 +90,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
        return KRB5_PLUGIN_NO_HANDLE;
 
     return ft->pac_generate((void *)plug,
-                           context,
-                           uc->config,
+                           uc->r,
                            uc->client,
                            uc->server,
                            uc->reply_key,
@@ -101,8 +100,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx)
 
 
 krb5_error_code
-_kdc_pac_generate(krb5_context context,
-                 krb5_kdc_configuration *config,
+_kdc_pac_generate(astgs_request_t r,
                  hdb_entry *client,
                  hdb_entry *server,
                  const krb5_keyblock *reply_key,
@@ -114,20 +112,20 @@ _kdc_pac_generate(krb5_context context,
 
     *pac = NULL;
 
-    if (krb5_config_get_bool_default(context, NULL, FALSE, "realms",
+    if (krb5_config_get_bool_default(r->context, NULL, FALSE, "realms",
                                     client->principal->realm,
                                     "disable_pac", NULL))
        return 0;
 
     if (have_plugin) {
-       uc.config = config;
+       uc.r = r;
        uc.client = client;
        uc.server = server;
        uc.reply_key = reply_key;
        uc.pac = pac;
        uc.pac_attributes = pac_attributes;
 
-       ret = _krb5_plugin_run_f(context, &kdc_plugin_data,
+       ret = _krb5_plugin_run_f(r->context, &kdc_plugin_data,
                                 0, &uc, generate);
        if (ret != KRB5_PLUGIN_NO_HANDLE)
            return ret;
@@ -135,13 +133,13 @@ _kdc_pac_generate(krb5_context context,
     }
 
     if (*pac == NULL)
-       ret = krb5_pac_init(context, pac);
+       ret = krb5_pac_init(r->context, pac);
 
     return ret;
 }
 
 struct verify_uc {
-    krb5_kdc_configuration *config;
+    astgs_request_t r;
     krb5_principal client_principal;
     krb5_principal delegated_proxy_principal;
     hdb_entry *client;
@@ -161,8 +159,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
        return KRB5_PLUGIN_NO_HANDLE;
 
     ret = ft->pac_verify((void *)plug,
-                        context,
-                        uc->config,
+                        uc->r,
                         uc->client_principal,
                         uc->delegated_proxy_principal,
                         uc->client, uc->server, uc->krbtgt, uc->pac);
@@ -170,8 +167,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx)
 }
 
 krb5_error_code
-_kdc_pac_verify(krb5_context context,
-               krb5_kdc_configuration *config,
+_kdc_pac_verify(astgs_request_t r,
                const krb5_principal client_principal,
                const krb5_principal delegated_proxy_principal,
                hdb_entry *client,
@@ -184,7 +180,7 @@ _kdc_pac_verify(krb5_context context,
     if (!have_plugin)
        return KRB5_PLUGIN_NO_HANDLE;
 
-    uc.config = config;
+    uc.r = r;
     uc.client_principal = client_principal;
     uc.delegated_proxy_principal = delegated_proxy_principal;
     uc.client = client;
@@ -192,7 +188,7 @@ _kdc_pac_verify(krb5_context context,
     uc.krbtgt = krbtgt;
     uc.pac = pac;
 
-    return _krb5_plugin_run_f(context, &kdc_plugin_data,
+    return _krb5_plugin_run_f(r->context, &kdc_plugin_data,
                             0, &uc, verify);
 }
 
index efe8dd6abe0ef23dc1c739cf901a0ed2c5f8547b..9fc5946df173ed2d142354eede27234cd447964a 100644 (file)
@@ -48,8 +48,7 @@
 
 typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *,
-                                            krb5_context, /* context */
-                                            krb5_kdc_configuration *, /* configuration */
+                                            astgs_request_t,
                                             hdb_entry *, /* client */
                                             hdb_entry *, /* server */
                                             const krb5_keyblock *, /* pk_replykey */
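Review bot: Replacing the `krb5_context` and `krb5_kdc_configuration *` parameters with a single `astgs_request_t` changes the calling convention of `krb5plugin_kdc_pac_generate`, and of `krb5plugin_kdc_pac_verify` in the next hunk, yet neither hunk shows the plugin interface version being raised. A plugin built against the old typedef would be called with one argument fewer and would treat the following `hdb_entry *` argument as its configuration pointer, so the loader should be able to reject it by version. Please confirm the version constant is bumped elsewhere in this import. The new parameter also lost its name comment, e.g. `astgs_request_t, /* request */`, which the other parameters keep.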
@@ -64,8 +63,7 @@ typedef krb5_error_code
 
 typedef krb5_error_code
 (KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
-                                          krb5_context, /* context */
-                                          krb5_kdc_configuration *, /* configuration */
+                                          astgs_request_t,
                                           const krb5_principal, /* new ticket client */
                                           const krb5_principal, /* delegation proxy */
                                           hdb_entry *,/* client */
index 8418a91a0a4bc91e34f785a70d2e747c62614530..767d04f5c8c9a18f5cabfc6b157572f27b91e710 100644 (file)
@@ -167,6 +167,7 @@ struct astgs_request_desc {
     /* only valid for tgs-req */
     unsigned int rk_is_subkey : 1;
     unsigned int fast_asserted : 1;
+    unsigned int explicit_armor_present : 1;
 
     krb5_crypto armor_crypto;
     hdb_entry *armor_server;
@@ -174,6 +175,10 @@ struct astgs_request_desc {
     krb5_ticket *armor_ticket;
     Key *armor_key;
 
+    hdb_entry *explicit_armor_client;
+    HDB *explicit_armor_clientdb;
+    krb5_pac explicit_armor_pac;
+
     KDCFastState fast;
 };
 
index b30d321f6f149cd8e77dde81e0f6b2a59fecaab7..e95bdad0a640e9f93f9910aa124744a9229f4a01 100644 (file)
@@ -280,6 +280,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
                      * enctype in its KDC-REQ-BODY's etype list, which is what
                      * `etypes' is here.
                      */
+                    enctype = p[i];
                     ret = 0;
                     break;
                 }
@@ -295,6 +296,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
                      */
                     for (m = 0; m < princ->etypes->len; m++) {
                         if (p[i] == princ->etypes->val[m]) {
+                            enctype = p[i];
                             ret = 0;
                             break;
                         }
@@ -1856,8 +1858,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
      * Validate a PA mech was actually used before doing this.
      */
 
-    ret = _kdc_pac_generate(r->context,
-                           r->config,
+    ret = _kdc_pac_generate(r,
                            r->client,
                            r->server,
                            r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
@@ -2744,12 +2745,19 @@ _kdc_as_rep(astgs_request_t r)
 
 out:
     r->error_code = ret;
-    _kdc_audit_request(r);
+    {
+       krb5_error_code ret2 = _kdc_audit_request(r);
+       if (ret2) {
+           krb5_data_free(r->reply);
+           ret = ret2;
+       }
+    }
 
     /*
      * In case of a non proxy error, build an error message.
      */
-    if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0)
+    if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0) {
+       kdc_log(r->context, config, 5, "as-req: sending error: %d to client", ret);
        ret = _kdc_fast_mk_error(r,
                                 r->rep.padata,
                                 r->armor_crypto,
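Review bot: After `_kdc_audit_request()` fails, `ret` is replaced by `ret2` but `r->error_code` keeps the value assigned just before the call, so the request and the reply path can disagree about the error. If anything after this point reads `r->error_code` (the rest of the cleanup is outside the hunk), consider adding `r->error_code = ret2;` inside the `if (ret2)` branch, or a comment saying the split is intended. The branch also discards a reply that was already built, which is the fail-closed behaviour one wants from an audit hook, but it deserves a comment such as `/* audit hook rejected the request: drop the reply so an error is sent */`. The same pattern is added to `_kdc_tgs_rep()` in krb5tgs.c, with `data` in place of `r->reply`.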
@@ -2759,6 +2767,7 @@ out:
                                 r->server_princ,
                                 NULL, NULL,
                                 r->reply);
+    }
 
     if (r->pa_used && r->pa_used->cleanup)
        r->pa_used->cleanup(r);
index 39d42106e01e7a95ef4a60d8840b2ef292fd3004..06889f47120e5686af0e027e3e78c7761283b514 100644 (file)
@@ -76,8 +76,7 @@ _kdc_synthetic_princ_used_p(krb5_context context, krb5_ticket *ticket)
  */
 
 krb5_error_code
-_kdc_check_pac(krb5_context context,
-              krb5_kdc_configuration *config,
+_kdc_check_pac(astgs_request_t r,
               const krb5_principal client_principal,
               const krb5_principal delegated_proxy_principal,
               hdb_entry *client,
@@ -92,6 +91,8 @@ _kdc_check_pac(krb5_context context,
               krb5_principal *pac_canon_name,
               uint64_t *pac_attributes)
 {
+    krb5_context context = r->context;
+    krb5_kdc_configuration *config = r->config;
     krb5_pac pac = NULL;
     krb5_error_code ret;
     krb5_boolean signedticket;
@@ -139,7 +140,7 @@ _kdc_check_pac(krb5_context context,
     }
 
     /* Verify the KDC signatures. */
-    ret = _kdc_pac_verify(context, config,
+    ret = _kdc_pac_verify(r,
                          client_principal, delegated_proxy_principal,
                          client, server, krbtgt, &pac);
     if (ret == 0) {
@@ -1770,7 +1771,7 @@ server_lookup:
            }
 
            /* Verify the PAC of the TGT. */
-           ret = _kdc_check_pac(context, config, user2user_princ, NULL,
+           ret = _kdc_check_pac(priv, user2user_princ, NULL,
                                 user2user_client, user2user_krbtgt, user2user_krbtgt, user2user_krbtgt,
                                 &uukey->key, &priv->ticket_key->key, &adtkt,
                                 &user2user_kdc_issued, &user2user_pac, NULL, NULL);
@@ -1897,7 +1898,7 @@ server_lookup:
     flags &= ~HDB_F_SYNTHETIC_OK;
     priv->clientdb = clientdb;
 
-    ret = _kdc_check_pac(context, config, priv->client_princ, NULL,
+    ret = _kdc_check_pac(priv, priv->client_princ, NULL,
                         priv->client, priv->server,
                         priv->krbtgt, priv->krbtgt,
                         &priv->ticket_key->key, &priv->ticket_key->key, tgt,
@@ -2156,7 +2157,13 @@ _kdc_tgs_rep(astgs_request_t r)
 
 out:
     r->error_code = ret;
-    _kdc_audit_request(r);
+    {
+       krb5_error_code ret2 = _kdc_audit_request(r);
+       if (ret2) {
+           krb5_data_free(data);
+           ret = ret2;
+       }
+    }
 
     if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){
        METHOD_DATA error_method = { 0, NULL };
@@ -2203,6 +2210,12 @@ out:
        krb5_free_ticket(r->context, r->armor_ticket);
     if (r->armor_server)
        _kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
+    if (r->explicit_armor_client)
+       _kdc_free_ent(r->context,
+                     r->explicit_armor_clientdb,
+                     r->explicit_armor_client);
+    if (r->explicit_armor_pac)
+       krb5_pac_free(r->context, r->explicit_armor_pac);
     krb5_free_keyblock_contents(r->context, &r->reply_key);
     krb5_free_keyblock_contents(r->context, &r->strengthen_key);
 
index 3cc929e6025b8da09edc7df0d0b24549ea34b5ea..2c4564bcadccb6448c366cc4f66868336e19f0bb 100644 (file)
@@ -33,6 +33,9 @@ EXPORTS
        kdc_request_get_config
        kdc_request_get_cname
        kdc_request_get_error_code
+       kdc_request_get_explicit_armor_pac
+       kdc_request_get_explicit_armor_clientdb
+       kdc_request_get_explicit_armor_client
        kdc_request_get_from
        kdc_request_get_krbtgt
        kdc_request_get_krbtgtdb
index 9e67aad33193aa3375ca05485c7aa1deac29b406..fda5a37b1c6e61d9984b1bf0ae5e64ddabcb7f58 100644 (file)
@@ -252,8 +252,7 @@ validate_protocol_transition(astgs_request_t r)
     if (ret)
        goto out; /* kdc_check_flags() calls kdc_audit_addreason() */
 
-    ret = _kdc_pac_generate(r->context,
-                           r->config,
+    ret = _kdc_pac_generate(r,
                            s4u_client,
                            r->server,
                            NULL,
@@ -473,7 +472,7 @@ validate_constrained_delegation(astgs_request_t r)
      * TODO: pass in t->sname and t->realm and build
      * a S4U_DELEGATION_INFO blob to the PAC.
      */
-    ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name,
+    ret = _kdc_check_pac(r, s4u_client_name, s4u_server_name,
                         s4u_client, r->server, r->krbtgt, r->client,
                         &clientkey->key, &r->ticket_key->key, &evidence_tkt,
                         &ad_kdc_issued, &s4u_pac,
index 9067bb6e43f4249a5c29c3f6565d19016d3fee30..72a21e629506d236cdcc8cb3378e18c6cc71acea 100644 (file)
@@ -36,6 +36,9 @@ HEIMDAL_KDC_1.0 {
                kdc_request_get_config;
                kdc_request_get_cname;
                kdc_request_get_error_code;
+               kdc_request_get_explicit_armor_pac;
+               kdc_request_get_explicit_armor_clientdb;
+               kdc_request_get_explicit_armor_client;
                kdc_request_get_from;
                kdc_request_get_krbtgt;
                kdc_request_get_krbtgtdb;
index 639ec5af2d25e877179b68779edd52954b0e95ef..d7ce6bd6333d4cac1e7aebf33f767bdf8f95f061 100644 (file)
@@ -55,8 +55,12 @@ EXPORTS
        PA-ClientCanonicalizedNames,
        PA-DATA,
        PA-ENC-TS-ENC,
+       PA-KERB-KEY-LIST-REP,
+       PA-KERB-KEY-LIST-REQ,
+       PA-PAC-OPTIONS,
        PA-PAC-REQUEST,
        PA-S4U2Self,
+       PA-S4U-X509-USER,
        PA-SERVER-REFERRAL-DATA,
        PA-ServerReferralData,
        PA-SvrReferralData,
@@ -80,6 +84,7 @@ EXPORTS
        KDCFastState,
        KDCFastCookie,
        KDC-PROXY-MESSAGE,
+       KERB-AD-RESTRICTION-ENTRY,
        KERB-TIMES,
        KERB-CRED,
        KERB-TGS-REQ-IN,
@@ -190,7 +195,10 @@ PADATA-TYPE ::= INTEGER {
        KRB5-PADATA-PKINIT-KX(147),             -- krb-wg-anon
        KRB5-PADATA-PKU2U-NAME(148),            -- zhu-pku2u
        KRB5-PADATA-REQ-ENC-PA-REP(149),        --
+       KER5-PADATA-KERB-KEY-LIST-REQ(161),     -- MS-KILE
+       KER5-PADATA-KERB-PAKEY-LIST-REP(162),   -- MS-KILE
        KRB5-PADATA-SUPPORTED-ETYPES(165),      -- MS-KILE
+       KRB5-PADATA-PAC-OPTIONS(167),           -- MS-KILE
        KRB5-PADATA-GSS(655)                    -- krb-wg-gss-preauth
 
 }
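Review bot: The two new PADATA names are spelled `KER5-` instead of `KRB5-`, and the second one says `PAKEY-LIST-REP` where the type it belongs to is `PA-KERB-KEY-LIST-REP`. The constants generated from this module presumably carry the misspelling, so code that searches for the usual `KRB5_PADATA_` prefix will not find them and a later rename becomes an API change. Suggested spelling: `KRB5-PADATA-KERB-KEY-LIST-REQ(161),` and `KRB5-PADATA-KERB-KEY-LIST-REP(162),`.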
@@ -217,7 +225,10 @@ AUTHDATA-TYPE ::= INTEGER {
        KRB5-AUTHDATA-SIGNTICKET-OLD(142),
        KRB5-AUTHDATA-SIGNTICKET(512),
        KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
-       KRB5-AUTHDATA-AP-OPTIONS(143),
+       KRB5-AUTHDATA-KERB-LOCAL(141),          -- MS-KILE
+       KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142),  -- MS-KILE
+       KRB5-AUTHDATA-AP-OPTIONS(143),          -- MS-KILE
+       KRB5-AUTHDATA-TARGET-PRINCIPAL(144),    -- MS-KILE
         -- N.B. these assignments have not been confirmed yet.
         --
         -- DO NOT USE in production yet!
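Review bot: `KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142)` reuses the number already assigned to `KRB5-AUTHDATA-SIGNTICKET-OLD(142)` at the top of this hunk, so one value now has two names in `AUTHDATA-TYPE`. Authorization data comes from the ticket or the request, and code that dispatches on the ad-type cannot tell the two meanings apart, so the handling of 142 should be made explicit. At minimum, add a comment on the new line such as `-- same number as SIGNTICKET-OLD; state which interpretation the KDC applies`. The new entries are also inserted out of numeric order (141 to 144 after 513), which makes collisions like this harder to spot.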
@@ -592,6 +603,33 @@ PA-PAC-REQUEST ::= SEQUENCE {
                                        -- should be included or not
 }
 
+-- MS-KILE/MS-SFU
+PAC-OPTIONS-FLAGS ::= BIT STRING {
+       claims(0),
+       branch-aware(1),
+       forward-to-full-dc(2),
+       resource-based-constrained-delegation(3)
+}
+
+-- MS-KILE
+PA-PAC-OPTIONS ::= SEQUENCE {
+       flags [0] PAC-OPTIONS-FLAGS
+}
+
+-- MS-KILE
+-- captures show that [UNIVERSAL 16] is required to parse it
+KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
+       restriction-type        [0] Krb5Int32,
+       restriction             [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
+}
+
+-- MS-KILE Section 2.2.11
+PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
+
+-- MS-KILE Section 2.2.12
+
+PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,
+
 -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
 PROV-SRV-LOCATION ::= GeneralString
 
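Review bot: `PA-KERB-KEY-LIST-REP` is declared as `SEQUENCE OF ENCTYPE`, identical to the request type, and its trailing comment `-- EncryptionType,` looks like a leftover. As far as I recall, MS-KILE section 2.2.12 defines the reply as a sequence of `EncryptionKey`, i.e. the keys themselves rather than their types. If that is right, a real reply would fail to decode with this definition. Please check against the specification and either change the element type or add a comment explaining why enctypes are expected here.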
@@ -819,6 +857,20 @@ PA-S4U2Self ::= SEQUENCE {
         auth[3]                GeneralString
 }
 
+PA-S4U-X509-USER::= SEQUENCE {
+       user-id[0] S4UUserID,
+       checksum[1] Checksum
+}
+
+S4UUserID ::= SEQUENCE {
+       nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
+       cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
+       crealm [2] Realm,
+       subject-certificate [3] OCTET STRING OPTIONAL,
+       options [4] BIT STRING OPTIONAL,
+       ...
+}
+
 AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
        login-alias     [0] PrincipalName,
        checksum        [1] Checksum
index 15d3a37bebafe9af709047357bd97c89386ebaf0..a7cb720bda3da8c9fe73105d5ec8cc734468b0a0 100644 (file)
@@ -445,6 +445,7 @@ EXPORTS
        copy_KDC_REQ
        copy_KDC_REQ_BODY
        copy_KDFAlgorithmId
+       copy_KERB_AD_RESTRICTION_ENTRY
        copy_KERB_ARMOR_SERVICE_REPLY
        copy_KERB_CRED
        copy_KerberosString
@@ -517,12 +518,16 @@ EXPORTS
        copy_PA_ENC_TS_ENC
        copy_PA_FX_FAST_REPLY
        copy_PA_FX_FAST_REQUEST
+       copy_PA_KERB_KEY_LIST_REP
+       copy_PA_KERB_KEY_LIST_REQ
+       copy_PA_PAC_OPTIONS
        copy_PA_PAC_REQUEST
        copy_PA_PK_AS_REP
        copy_PA_PK_AS_REP_BTMM
        copy_PA_PK_AS_REP_Win2k
        copy_PA_PK_AS_REQ
        copy_PA_PK_AS_REQ_Win2k
+       copy_PA_S4U_X509_USER
        copy_PA_S4U2Self
        copy_PA_SAM_CHALLENGE_2
        copy_PA_SAM_CHALLENGE_2_BODY
@@ -805,6 +810,7 @@ EXPORTS
        decode_KDC_REQ
        decode_KDC_REQ_BODY
        decode_KDFAlgorithmId
+       decode_KERB_AD_RESTRICTION_ENTRY
        decode_KERB_ARMOR_SERVICE_REPLY
        decode_KERB_CRED
        decode_KerberosString
@@ -877,12 +883,16 @@ EXPORTS
        decode_PA_ENC_TS_ENC
        decode_PA_FX_FAST_REPLY
        decode_PA_FX_FAST_REQUEST
+       decode_PA_KERB_KEY_LIST_REP
+       decode_PA_KERB_KEY_LIST_REQ
+       decode_PA_PAC_OPTIONS
        decode_PA_PAC_REQUEST
        decode_PA_PK_AS_REP
        decode_PA_PK_AS_REP_BTMM
        decode_PA_PK_AS_REP_Win2k
        decode_PA_PK_AS_REQ
        decode_PA_PK_AS_REQ_Win2k
+       decode_PA_S4U_X509_USER
        decode_PA_S4U2Self
        decode_PA_SAM_CHALLENGE_2
        decode_PA_SAM_CHALLENGE_2_BODY
@@ -1311,6 +1321,7 @@ EXPORTS
        encode_KDC_REQ
        encode_KDC_REQ_BODY
        encode_KDFAlgorithmId
+       encode_KERB_AD_RESTRICTION_ENTRY
        encode_KERB_ARMOR_SERVICE_REPLY
        encode_KERB_CRED
        encode_KerberosString
@@ -1383,12 +1394,16 @@ EXPORTS
        encode_PA_ENC_TS_ENC
        encode_PA_FX_FAST_REPLY
        encode_PA_FX_FAST_REQUEST
+       encode_PA_KERB_KEY_LIST_REP
+       encode_PA_KERB_KEY_LIST_REQ
+       encode_PA_PAC_OPTIONS
        encode_PA_PAC_REQUEST
        encode_PA_PK_AS_REP
        encode_PA_PK_AS_REP_BTMM
        encode_PA_PK_AS_REP_Win2k
        encode_PA_PK_AS_REQ
        encode_PA_PK_AS_REQ_Win2k
+       encode_PA_S4U_X509_USER
        encode_PA_S4U2Self
        encode_PA_SAM_CHALLENGE_2
        encode_PA_SAM_CHALLENGE_2_BODY
@@ -1672,6 +1687,7 @@ EXPORTS
        free_KDC_REQ
        free_KDC_REQ_BODY
        free_KDFAlgorithmId
+       free_KERB_AD_RESTRICTION_ENTRY
        free_KERB_ARMOR_SERVICE_REPLY
        free_KERB_CRED
        free_KerberosString
@@ -1744,12 +1760,16 @@ EXPORTS
        free_PA_ENC_TS_ENC
        free_PA_FX_FAST_REPLY
        free_PA_FX_FAST_REQUEST
+       free_PA_KERB_KEY_LIST_REP
+       free_PA_KERB_KEY_LIST_REQ
+       free_PA_PAC_OPTIONS
        free_PA_PAC_REQUEST
        free_PA_PK_AS_REP
        free_PA_PK_AS_REP_BTMM
        free_PA_PK_AS_REP_Win2k
        free_PA_PK_AS_REQ
        free_PA_PK_AS_REQ_Win2k
+       free_PA_S4U_X509_USER
        free_PA_S4U2Self
        free_PA_SAM_CHALLENGE_2
        free_PA_SAM_CHALLENGE_2_BODY
@@ -2052,6 +2072,7 @@ EXPORTS
        length_KDC_REQ
        length_KDC_REQ_BODY
        length_KDFAlgorithmId
+       length_KERB_AD_RESTRICTION_ENTRY
        length_KERB_ARMOR_SERVICE_REPLY
        length_KERB_CRED
        length_KerberosString
@@ -2124,12 +2145,16 @@ EXPORTS
        length_PA_ENC_TS_ENC
        length_PA_FX_FAST_REPLY
        length_PA_FX_FAST_REQUEST
+       length_PA_KERB_KEY_LIST_REP
+       length_PA_KERB_KEY_LIST_REQ
+       length_PA_PAC_OPTIONS
        length_PA_PAC_REQUEST
        length_PA_PK_AS_REP
        length_PA_PK_AS_REP_BTMM
        length_PA_PK_AS_REP_Win2k
        length_PA_PK_AS_REQ
        length_PA_PK_AS_REQ_Win2k
+       length_PA_S4U_X509_USER
        length_PA_S4U2Self
        length_PA_SAM_CHALLENGE_2
        length_PA_SAM_CHALLENGE_2_BODY
index e78edcac9af5c4b5960989da09c28db1b6c8b66c..e4a9e7ec882cd19c5145661d016e5b4788ecc532 100644 (file)
@@ -275,6 +275,10 @@ typedef enum krb5_key_usage {
     KRB5_KU_PA_SERVER_REFERRAL = 26,
     /* Keyusage for the server referral in a TGS req */
     KRB5_KU_SAM_ENC_NONCE_SAD = 27,
+    /* Defined in [MS-SFU] */
+    KRB5_KU_PA_S4U_X509_USER_REQUEST = 26,
+    /* Defined in [MS-SFU] */
+    KRB5_KU_PA_S4U_X509_USER_REPLY = 27,
     /* Encryption of the SAM-NONCE-OR-SAD field */
     KRB5_KU_PA_PKINIT_KX = 44,
     /* Encryption type of the kdc session contribution in pk-init */
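Review bot: The two new key usages are inserted between `KRB5_KU_SAM_ENC_NONCE_SAD` and the comment that describes it, so `/* Encryption of the SAM-NONCE-OR-SAD field */` now reads as documentation for `KRB5_KU_PA_S4U_X509_USER_REPLY`. They also reuse the values 26 and 27 that `KRB5_KU_PA_SERVER_REFERRAL` and `KRB5_KU_SAM_ENC_NONCE_SAD` already hold. Key usage numbers provide domain separation between uses of the same key, so a comment should say the overlap is intended, e.g. `/* Defined in [MS-SFU]; same value as KRB5_KU_PA_SERVER_REFERRAL */`. Moving the new pair below the SAM comment would restore the comment-follows-constant layout used by the surrounding entries.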
index 2bdeae8ecd1d006ac5f6385668c1b6e000507fe2..a12c00d7732895860e001d7c57a77a729cc444b9 100644 (file)
@@ -383,7 +383,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
     size_t len, offset, header_end, old_end;
     uint32_t i;
 
-    assert(data->length > 0 && data->data != NULL);
+    assert(data->data != NULL);
 
     len = p->pac->numbuffers;
 
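Review bot: The relaxed assertion now accepts a zero-length buffer but still aborts when `data->data` is NULL, which is how an empty `krb5_data` is usually represented, so an empty buffer can still bring down the process in a build with assertions enabled. In a build with `NDEBUG` the check disappears entirely, and a NULL pointer with a non-zero length would reach whatever copy follows. Consider an explicit check that returns an error instead, e.g. `if (data->data == NULL && data->length != 0) return EINVAL;`. Whether the rest of the function tolerates a NULL pointer with length 0 is outside this hunk.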
index 6080e462341594580437de8f4247652161fc91d4..91743488d9fb3de61315c2906a38451042fec0b7 100644 (file)
@@ -789,6 +789,9 @@ krb5_make_principal(krb5_context context,
     krb5_error_code ret;
     krb5_realm r = NULL;
     va_list ap;
+
+    *principal = NULL;
+
     if(realm == NULL) {
        ret = krb5_get_default_realm(context, &r);
        if(ret)
@@ -943,7 +946,11 @@ krb5_copy_principal(krb5_context context,
                    krb5_const_principal inprinc,
                    krb5_principal *outprinc)
 {
-    krb5_principal p = malloc(sizeof(*p));
+    krb5_principal p;
+
+    *outprinc = NULL;
+
+    p = malloc(sizeof(*p));
     if (p == NULL)
        return krb5_enomem(context);
     if(copy_Principal(inprinc, p)) {
index 4fcf311fddfe8c9caa63af910bd95b1ced297adb..ff33b5f7262c8b41413698e22fd97100adf7c679 100644 (file)
@@ -20,14 +20,14 @@ fini(void *ctx)
 
 static krb5_error_code KRB5_CALLCONV
 pac_generate(void *ctx,
-            krb5_context context,
-            krb5_kdc_configuration *config,
+            astgs_request_t r,
             hdb_entry *client,
             hdb_entry *server,
             const krb5_keyblock *pk_replykey,
             uint64_t pac_attributes,
             krb5_pac *pac)
 {
+    krb5_context context = kdc_request_get_context((kdc_request_t)r);
     krb5_error_code ret;
     krb5_data data;
 
@@ -55,8 +55,7 @@ pac_generate(void *ctx,
 
 static krb5_error_code KRB5_CALLCONV
 pac_verify(void *ctx,
-          krb5_context context,
-          krb5_kdc_configuration *config,
+          astgs_request_t r,
           const krb5_principal new_ticket_client,
           const krb5_principal delegation_proxy,
           hdb_entry * client,
@@ -64,6 +63,7 @@ pac_verify(void *ctx,
           hdb_entry * krbtgt,
           krb5_pac *pac)
 {
+    krb5_context context = kdc_request_get_context((kdc_request_t)r);
     krb5_error_code ret;
     krb5_data data;
     krb5_cksumtype cstype;