/* * Copyright (c) 1997-2021 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * Copyright (c) 2021 Isaac Boukris * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of the Institute nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "krb5_locl.h" /* * Add the AuthorizationData `data´ of `type´ to the last element in * the sequence of authorization_data in `tkt´ wrapped in an IF_RELEVANT */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _kdc_tkt_add_if_relevant_ad(krb5_context context, EncTicketPart *tkt, int type, const krb5_data *data) { krb5_error_code ret; size_t size = 0; if (tkt->authorization_data == NULL) { tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data)); if (tkt->authorization_data == NULL) { return krb5_enomem(context); } } /* add the entry to the last element */ { AuthorizationData ad = { 0, NULL }; AuthorizationDataElement ade; ade.ad_type = type; ade.ad_data = *data; ret = add_AuthorizationData(&ad, &ade); if (ret) { krb5_set_error_message(context, ret, "add AuthorizationData failed"); return ret; } ade.ad_type = KRB5_AUTHDATA_IF_RELEVANT; ASN1_MALLOC_ENCODE(AuthorizationData, ade.ad_data.data, ade.ad_data.length, &ad, &size, ret); free_AuthorizationData(&ad); if (ret) { krb5_set_error_message(context, ret, "ASN.1 encode of " "AuthorizationData failed"); return ret; } if (ade.ad_data.length != size) krb5_abortx(context, "internal asn.1 encoder error"); ret = add_AuthorizationData(tkt->authorization_data, &ade); der_free_octet_string(&ade.ad_data); if (ret) { krb5_set_error_message(context, ret, "add AuthorizationData failed"); return ret; } } return 0; } /* * Insert a PAC wrapped in AD-IF-RELEVANT container as the first AD element, * as some clients such as Windows may fail to parse it otherwise. */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL _kdc_tkt_insert_pac(krb5_context context, EncTicketPart *tkt, const krb5_data *data) { AuthorizationDataElement ade; unsigned int i; krb5_error_code ret; ret = _kdc_tkt_add_if_relevant_ad(context, tkt, KRB5_AUTHDATA_WIN2K_PAC, data); if (ret) return ret; heim_assert(tkt->authorization_data->len != 0, "No authorization_data!"); ade = tkt->authorization_data->val[tkt->authorization_data->len - 1]; for (i = 0; i < tkt->authorization_data->len - 1; i++) { tkt->authorization_data->val[i + 1] = tkt->authorization_data->val[i]; } tkt->authorization_data->val[0] = ade; return 0; }