/src/samba/third_party/heimdal/lib/krb5/authdata.c
1 | | /* |
2 | | * Copyright (c) 1997-2021 Kungliga Tekniska Högskolan |
3 | | * (Royal Institute of Technology, Stockholm, Sweden). |
4 | | * Copyright (c) 2021 Isaac Boukris |
5 | | * All rights reserved. |
6 | | * |
7 | | * Redistribution and use in source and binary forms, with or without |
8 | | * modification, are permitted provided that the following conditions |
9 | | * are met: |
10 | | * |
11 | | * 1. Redistributions of source code must retain the above copyright |
12 | | * notice, this list of conditions and the following disclaimer. |
13 | | * |
14 | | * 2. Redistributions in binary form must reproduce the above copyright |
15 | | * notice, this list of conditions and the following disclaimer in the |
16 | | * documentation and/or other materials provided with the distribution. |
17 | | * |
18 | | * 3. Neither the name of the Institute nor the names of its contributors |
19 | | * may be used to endorse or promote products derived from this software |
20 | | * without specific prior written permission. |
21 | | * |
22 | | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND |
23 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
24 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
25 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE |
26 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
27 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
28 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
29 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
30 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
31 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
32 | | * SUCH DAMAGE. |
33 | | */ |
34 | | |
35 | | #include "krb5_locl.h" |
36 | | |
37 | | /* |
38 | | * Add the AuthorizationData `data´ of `type´ to the last element in |
39 | | * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT |
40 | | */ |
41 | | |
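KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_kdc_tkt_add_if_relevant_ad(krb5_context context,
                            EncTicketPart *tkt,
                            int type,
                            const krb5_data *data)
{
    krb5_error_code ret;
    size_t size = 0;
    int allocated_ad = 0;           /* did we create tkt->authorization_data? */
    AuthorizationData ad = { 0, NULL };
    AuthorizationDataElement ade;

    /*
     * Append an AD-IF-RELEVANT element to tkt->authorization_data whose
     * payload is a one-element AuthorizationData { type, *data }.
     *
     * `data' is only borrowed: add_AuthorizationData() copies it into the
     * inner sequence and the DER-encoded wrapper is freed before return.
     * On failure the ticket is left as it was found: a sequence this call
     * allocated itself is released again, so a caller that continues with
     * the ticket does not see an empty (unencodable) AuthorizationData.
     *
     * Returns 0 on success, a krb5_error_code (with an error message set
     * on `context') otherwise; aborts on an internal ASN.1 encoder
     * inconsistency.
     */

    if (tkt->authorization_data == NULL) {
        tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
        if (tkt->authorization_data == NULL)
            return krb5_enomem(context);
        allocated_ad = 1;
    }

    /* Build the inner sequence holding the caller-supplied element. */
    ade.ad_type = type;
    ade.ad_data = *data;

    ret = add_AuthorizationData(&ad, &ade);
    if (ret) {
        /* add_* may have grown ad.val before failing; release it below. */
        krb5_set_error_message(context, ret, "add AuthorizationData failed");
        goto out;
    }

    /* Wrap the inner sequence in an AD-IF-RELEVANT container. */
    ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT;

    ASN1_MALLOC_ENCODE(AuthorizationData,
                       ade.ad_data.data, ade.ad_data.length,
                       &ad, &size, ret);
    if (ret) {
        krb5_set_error_message(context, ret, "ASN.1 encode of "
                               "AuthorizationData failed");
        goto out;
    }
    if (ade.ad_data.length != size)
        krb5_abortx(context, "internal asn.1 encoder error");

    ret = add_AuthorizationData(tkt->authorization_data, &ade);
    der_free_octet_string(&ade.ad_data);
    if (ret)
        krb5_set_error_message(context, ret, "add AuthorizationData failed");

out:
    /* Safe on every path: a never-populated `ad' has val == NULL, len == 0. */
    free_AuthorizationData(&ad);
    if (ret && allocated_ad) {
        /* Undo our own allocation so the ticket is unchanged on failure. */
        free_AuthorizationData(tkt->authorization_data);
        free(tkt->authorization_data);
        tkt->authorization_data = NULL;
    }
    return ret;
}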
96 | | |
97 | | /* |
98 | | * Insert a PAC wrapped in AD-IF-RELEVANT container as the first AD element, |
99 | | * as some clients such as Windows may fail to parse it otherwise. |
100 | | */ |
101 | | |
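KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_kdc_tkt_insert_pac(krb5_context context,
                    EncTicketPart *tkt,
                    const krb5_data *data)
{
    AuthorizationDataElement ade;
    unsigned int i;
    krb5_error_code ret;

    /*
     * Append the PAC (wrapped in AD-IF-RELEVANT) and then rotate it to the
     * front of tkt->authorization_data.
     *
     * Returns 0 on success or the error from _kdc_tkt_add_if_relevant_ad().
     */

    ret = _kdc_tkt_add_if_relevant_ad(context, tkt, KRB5_AUTHDATA_WIN2K_PAC,
                                      data);
    if (ret)
        return ret;

    heim_assert(tkt->authorization_data->len != 0, "No authorization_data!");

    /*
     * Shift the existing elements up by one, walking from the end so every
     * slot is read before it is overwritten.  A forward copy (val[i+1] =
     * val[i] for increasing i) would smear val[0] over all the slots: the
     * other elements' buffers would leak and val[0]'s would be referenced
     * more than once, to be freed twice when the ticket is released.
     */
    ade = tkt->authorization_data->val[tkt->authorization_data->len - 1];
    for (i = tkt->authorization_data->len - 1; i > 0; i--) {
        tkt->authorization_data->val[i] = tkt->authorization_data->val[i - 1];
    }
    tkt->authorization_data->val[0] = ade;

    return 0;
}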