krb5: Add name attributes to krb5_principal

We now have what we need in krb5_principal to implement much of RFC6680. Now we populate those fields so that they can be accessed by GSS-API RFC6680 name attributes functions. The next commit should add much of the GSS-API RFC6680 name attributes functions and functionality.
2021-12-20 16:22:52 -06:00
parent f3484d5e2e
commit 87f8c0d2b5
6 changed files with 163 additions and 19 deletions
--- a/lib/krb5/asn1_glue.c
+++ b/lib/krb5/asn1_glue.c
@@ -70,3 +70,93 @@ _krb5_principalname2krb5_principal (krb5_context context,
    *principal = p;
    return 0;
 }
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_ticket2krb5_principal(krb5_context context,
+                            krb5_principal *principal,
+                            const EncTicketPart *ticket,
+                            const AuthorizationData *authenticator_ad)
+{
+    krb5_error_code ret;
+    krb5_principal p;
+
+    *principal = NULL;
+
+    ret = _krb5_principalname2krb5_principal(context,
+                                             &p,
+                                             ticket->cname,
+                                             ticket->crealm);
+    if (ret == 0 &&
+        (p->nameattrs = calloc(1, sizeof(p->nameattrs[0]))) == NULL)
+        ret = krb5_enomem(context);
+    if (ret == 0)
+        p->nameattrs->authenticated = 1;
+    if (ret == 0 &&
+        (p->nameattrs->source =
+         calloc(1, sizeof(p->nameattrs->source[0]))) == NULL)
+        ret = krb5_enomem(context);
+    if (ret == 0) {
+        p->nameattrs->source->element =
+            choice_PrincipalNameAttrSrc_enc_ticket_part;
+        ret = copy_EncTicketPart(ticket,
+                                 &p->nameattrs->source->u.enc_ticket_part);
+        /* NOTE: we don't want to keep a copy of the session key here! */
+        if (ret == 0)
+            der_free_octet_string(&p->nameattrs->source->u.enc_ticket_part.key.keyvalue);
+    }
+    if (ret == 0 && authenticator_ad) {
+        p->nameattrs->authenticator_ad =
+            calloc(1, sizeof(p->nameattrs->authenticator_ad[0]));
+        if (p->nameattrs->authenticator_ad == NULL)
+            ret = krb5_enomem(context);
+        if (ret == 0)
+            ret = copy_AuthorizationData(authenticator_ad,
+                                         p->nameattrs->authenticator_ad);
+    }
+
+    if (ret == 0)
+        *principal = p;
+    else
+        krb5_free_principal(context, p);
+    return ret;
+}
+
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+_krb5_kdcrep2krb5_principal(krb5_context context,
+                            krb5_principal *principal,
+                            const EncKDCRepPart *kdcrep)
+{
+    krb5_error_code ret;
+    krb5_principal p;
+
+    *principal = NULL;
+
+    ret = _krb5_principalname2krb5_principal(context,
+                                             &p,
+                                             kdcrep->sname,
+                                             kdcrep->srealm);
+    if (ret == 0 &&
+        (p->nameattrs = calloc(1, sizeof(p->nameattrs[0]))) == NULL)
+        ret = krb5_enomem(context);
+    if (ret == 0)
+        p->nameattrs->authenticated = 1;
+    if (ret == 0 &&
+        (p->nameattrs->source =
+         calloc(1, sizeof(p->nameattrs->source[0]))) == NULL)
+        ret = krb5_enomem(context);
+    if (ret == 0) {
+        p->nameattrs->source->element =
+            choice_PrincipalNameAttrSrc_enc_kdc_rep_part;
+        ret = copy_EncKDCRepPart(kdcrep,
+                                 &p->nameattrs->source->u.enc_kdc_rep_part);
+        /* NOTE: we don't want to keep a copy of the session key here! */
+        if (ret == 0)
+            der_free_octet_string(&p->nameattrs->source->u.enc_kdc_rep_part.key.keyvalue);
+    }
+
+    if (ret == 0)
+        *principal = p;
+    else
+        krb5_free_principal(context, p);
+    return ret;
+}