vendor/gopkg.in/jcmturner/gokrb5.v7/messages/APReq.go - bbsim - Gitiles

 package messages

 import (
 	"fmt"
 	"time"

 	"github.com/jcmturner/gofork/encoding/asn1"
 	"gopkg.in/jcmturner/gokrb5.v7/asn1tools"
 	"gopkg.in/jcmturner/gokrb5.v7/crypto"
 	"gopkg.in/jcmturner/gokrb5.v7/iana"
 	"gopkg.in/jcmturner/gokrb5.v7/iana/asnAppTag"
 	"gopkg.in/jcmturner/gokrb5.v7/iana/errorcode"
 	"gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
 	"gopkg.in/jcmturner/gokrb5.v7/iana/msgtype"
 	"gopkg.in/jcmturner/gokrb5.v7/keytab"
 	"gopkg.in/jcmturner/gokrb5.v7/krberror"
 	"gopkg.in/jcmturner/gokrb5.v7/types"
 )

 /*AP-REQ          ::= [APPLICATION 14] SEQUENCE {
 pvno            [0] INTEGER (5),
 msg-type        [1] INTEGER (14),
 ap-options      [2] APOptions,
 ticket          [3] Ticket,
 authenticator   [4] EncryptedData -- Authenticator
 }

 APOptions       ::= KerberosFlags
 -- reserved(0),
 -- use-session-key(1),
 -- mutual-required(2)*/

 type marshalAPReq struct {
 	PVNO      int            `asn1:"explicit,tag:0"`
 	MsgType   int            `asn1:"explicit,tag:1"`
 	APOptions asn1.BitString `asn1:"explicit,tag:2"`
 	// Ticket needs to be a raw value as it is wrapped in an APPLICATION tag
 	Ticket                 asn1.RawValue       `asn1:"explicit,tag:3"`
 	EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"`
 }

 // APReq implements RFC 4120 KRB_AP_REQ: https://tools.ietf.org/html/rfc4120#section-5.5.1.
 type APReq struct {
 	PVNO                   int                 `asn1:"explicit,tag:0"`
 	MsgType                int                 `asn1:"explicit,tag:1"`
 	APOptions              asn1.BitString      `asn1:"explicit,tag:2"`
 	Ticket                 Ticket              `asn1:"explicit,tag:3"`
 	EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"`
 	Authenticator          types.Authenticator `asn1:"optional"`
 }

 // NewAPReq generates a new KRB_AP_REQ struct.
 func NewAPReq(tkt Ticket, sessionKey types.EncryptionKey, auth types.Authenticator) (APReq, error) {
 	var a APReq
 	ed, err := encryptAuthenticator(auth, sessionKey, tkt)
 	if err != nil {
 		return a, krberror.Errorf(err, krberror.KRBMsgError, "error creating Authenticator for AP_REQ")
 	}
 	a = APReq{
 		PVNO:                   iana.PVNO,
 		MsgType:                msgtype.KRB_AP_REQ,
 		APOptions:              types.NewKrbFlags(),
 		Ticket:                 tkt,
 		EncryptedAuthenticator: ed,
 	}
 	return a, nil
 }

 // Encrypt Authenticator
 func encryptAuthenticator(a types.Authenticator, sessionKey types.EncryptionKey, tkt Ticket) (types.EncryptedData, error) {
 	var ed types.EncryptedData
 	m, err := a.Marshal()
 	if err != nil {
 		return ed, krberror.Errorf(err, krberror.EncodingError, "marshaling error of EncryptedData form of Authenticator")
 	}
 	usage := authenticatorKeyUsage(tkt.SName)
 	ed, err = crypto.GetEncryptedData(m, sessionKey, uint32(usage), tkt.EncPart.KVNO)
 	if err != nil {
 		return ed, krberror.Errorf(err, krberror.EncryptingError, "error encrypting Authenticator")
 	}
 	return ed, nil
 }

 // DecryptAuthenticator decrypts the Authenticator within the AP_REQ.
 // sessionKey may simply be the key within the decrypted EncPart of the ticket within the AP_REQ.
 func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) error {
 	usage := authenticatorKeyUsage(a.Ticket.SName)
 	ab, e := crypto.DecryptEncPart(a.EncryptedAuthenticator, sessionKey, uint32(usage))
 	if e != nil {
 		return fmt.Errorf("error decrypting authenticator: %v", e)
 	}
 	err := a.Authenticator.Unmarshal(ab)
 	if err != nil {
 		return fmt.Errorf("error unmarshaling authenticator: %v", err)
 	}
 	return nil
 }

 func authenticatorKeyUsage(pn types.PrincipalName) int {
 	if pn.NameString[0] == "krbtgt" {
 		return keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
 	}
 	return keyusage.AP_REQ_AUTHENTICATOR
 }

 // Unmarshal bytes b into the APReq struct.
 func (a *APReq) Unmarshal(b []byte) error {
 	var m marshalAPReq
 	_, err := asn1.UnmarshalWithParams(b, &m, fmt.Sprintf("application,explicit,tag:%v", asnAppTag.APREQ))
 	if err != nil {
 		return krberror.Errorf(err, krberror.EncodingError, "unmarshal error of AP_REQ")
 	}
 	if m.MsgType != msgtype.KRB_AP_REQ {
 		return NewKRBError(types.PrincipalName{}, "", errorcode.KRB_AP_ERR_MSG_TYPE, errorcode.Lookup(errorcode.KRB_AP_ERR_MSG_TYPE))
 	}
 	a.PVNO = m.PVNO
 	a.MsgType = m.MsgType
 	a.APOptions = m.APOptions
 	a.EncryptedAuthenticator = m.EncryptedAuthenticator
 	a.Ticket, err = unmarshalTicket(m.Ticket.Bytes)
 	if err != nil {
 		return krberror.Errorf(err, krberror.EncodingError, "unmarshaling error of Ticket within AP_REQ")
 	}
 	return nil
 }

 // Marshal APReq struct.
 func (a *APReq) Marshal() ([]byte, error) {
 	m := marshalAPReq{
 		PVNO:                   a.PVNO,
 		MsgType:                a.MsgType,
 		APOptions:              a.APOptions,
 		EncryptedAuthenticator: a.EncryptedAuthenticator,
 	}
 	var b []byte
 	b, err := a.Ticket.Marshal()
 	if err != nil {
 		return b, err
 	}
 	m.Ticket = asn1.RawValue{
 		Class:      asn1.ClassContextSpecific,
 		IsCompound: true,
 		Tag:        3,
 		Bytes:      b,
 	}
 	mk, err := asn1.Marshal(m)
 	if err != nil {
 		return mk, krberror.Errorf(err, krberror.EncodingError, "marshaling error of AP_REQ")
 	}
 	mk = asn1tools.AddASNAppTag(mk, asnAppTag.APREQ)
 	return mk, nil
 }

 // Verify an AP_REQ using service's keytab, spn and max acceptable clock skew duration.
 // The service ticket encrypted part and authenticator will be decrypted as part of this operation.
 func (a *APReq) Verify(kt *keytab.Keytab, d time.Duration, cAddr types.HostAddress) (bool, error) {
 	// Decrypt ticket's encrypted part with service key
 	//TODO decrypt with service's session key from its TGT is use-to-user. Need to figure out how to get TGT.
 	//if types.IsFlagSet(&a.APOptions, flags.APOptionUseSessionKey) {
 	//	//If the USE-SESSION-KEY flag is set in the ap-options field, it indicates to
 	//	//the server that user-to-user authentication is in use, and that the ticket
 	//	//is encrypted in the session key from the server's TGT rather than in the server's secret key.
 	//	err := a.Ticket.Decrypt(tgt.DecryptedEncPart.Key)
 	//	if err != nil {
 	//		return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of ticket provided using session key")
 	//	}
 	//} else {
 	//	// Because it is possible for the server to be registered in multiple
 	//	// realms, with different keys in each, the srealm field in the
 	//	// unencrypted portion of the ticket in the KRB_AP_REQ is used to
 	//	// specify which secret key the server should use to decrypt that
 	//	// ticket.The KRB_AP_ERR_NOKEY error code is returned if the server
 	//	// doesn't have the proper key to decipher the ticket.
 	//	// The ticket is decrypted using the version of the server's key
 	//	// specified by the ticket.
 	//	err := a.Ticket.DecryptEncPart(*kt, &a.Ticket.SName)
 	//	if err != nil {
 	//		return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
 	//	}
 	//}
 	err := a.Ticket.DecryptEncPart(kt, &a.Ticket.SName)
 	if err != nil {
 		return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
 	}

 	// Check time validity of ticket
 	ok, err := a.Ticket.Valid(d)
 	if err != nil || !ok {
 		return ok, err
 	}

 	// Check client's address is listed in the client addresses in the ticket
 	if len(a.Ticket.DecryptedEncPart.CAddr) > 0 {
 		//The addresses in the ticket (if any) are then searched for an address matching the operating-system reported
 		//address of the client.  If no match is found or the server insists on ticket addresses but none are present in
 		//the ticket, the KRB_AP_ERR_BADADDR error is returned.
 		if !types.HostAddressesContains(a.Ticket.DecryptedEncPart.CAddr, cAddr) {
 			return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "client address not within the list contained in the service ticket")
 		}
 	}

 	// Decrypt authenticator with session key from ticket's encrypted part
 	err = a.DecryptAuthenticator(a.Ticket.DecryptedEncPart.Key)
 	if err != nil {
 		return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BAD_INTEGRITY, "could not decrypt authenticator")
 	}

 	// Check CName in authenticator is the same as that in the ticket
 	if !a.Authenticator.CName.Equal(a.Ticket.DecryptedEncPart.CName) {
 		return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BADMATCH, "CName in Authenticator does not match that in service ticket")
 	}

 	// Check the clock skew between the client and the service server
 	ct := a.Authenticator.CTime.Add(time.Duration(a.Authenticator.Cusec) * time.Microsecond)
 	t := time.Now().UTC()
 	if t.Sub(ct) > d || ct.Sub(t) > d {
 		return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_SKEW, fmt.Sprintf("clock skew with client too large. greater than %v seconds", d))
 	}
 	return true, nil
 }
	package messages

	import (
	"fmt"
	"time"

	"github.com/jcmturner/gofork/encoding/asn1"
	"gopkg.in/jcmturner/gokrb5.v7/asn1tools"
	"gopkg.in/jcmturner/gokrb5.v7/crypto"
	"gopkg.in/jcmturner/gokrb5.v7/iana"
	"gopkg.in/jcmturner/gokrb5.v7/iana/asnAppTag"
	"gopkg.in/jcmturner/gokrb5.v7/iana/errorcode"
	"gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
	"gopkg.in/jcmturner/gokrb5.v7/iana/msgtype"
	"gopkg.in/jcmturner/gokrb5.v7/keytab"
	"gopkg.in/jcmturner/gokrb5.v7/krberror"
	"gopkg.in/jcmturner/gokrb5.v7/types"
	)

	/*AP-REQ ::= [APPLICATION 14] SEQUENCE {
	pvno [0] INTEGER (5),
	msg-type [1] INTEGER (14),
	ap-options [2] APOptions,
	ticket [3] Ticket,
	authenticator [4] EncryptedData -- Authenticator
	}

	APOptions ::= KerberosFlags
	-- reserved(0),
	-- use-session-key(1),
	-- mutual-required(2)*/

	type marshalAPReq struct {
	PVNO int `asn1:"explicit,tag:0"`
	MsgType int `asn1:"explicit,tag:1"`
	APOptions asn1.BitString `asn1:"explicit,tag:2"`
	// Ticket needs to be a raw value as it is wrapped in an APPLICATION tag
	Ticket asn1.RawValue `asn1:"explicit,tag:3"`
	EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"`
	}

	// APReq implements RFC 4120 KRB_AP_REQ: https://tools.ietf.org/html/rfc4120#section-5.5.1.
	type APReq struct {
	PVNO int `asn1:"explicit,tag:0"`
	MsgType int `asn1:"explicit,tag:1"`
	APOptions asn1.BitString `asn1:"explicit,tag:2"`
	Ticket Ticket `asn1:"explicit,tag:3"`
	EncryptedAuthenticator types.EncryptedData `asn1:"explicit,tag:4"`
	Authenticator types.Authenticator `asn1:"optional"`
	}

	// NewAPReq generates a new KRB_AP_REQ struct.
	func NewAPReq(tkt Ticket, sessionKey types.EncryptionKey, auth types.Authenticator) (APReq, error) {
	var a APReq
	ed, err := encryptAuthenticator(auth, sessionKey, tkt)
	if err != nil {
	return a, krberror.Errorf(err, krberror.KRBMsgError, "error creating Authenticator for AP_REQ")
	}
	a = APReq{
	PVNO: iana.PVNO,
	MsgType: msgtype.KRB_AP_REQ,
	APOptions: types.NewKrbFlags(),
	Ticket: tkt,
	EncryptedAuthenticator: ed,
	}
	return a, nil
	}

	// Encrypt Authenticator
	func encryptAuthenticator(a types.Authenticator, sessionKey types.EncryptionKey, tkt Ticket) (types.EncryptedData, error) {
	var ed types.EncryptedData
	m, err := a.Marshal()
	if err != nil {
	return ed, krberror.Errorf(err, krberror.EncodingError, "marshaling error of EncryptedData form of Authenticator")
	}
	usage := authenticatorKeyUsage(tkt.SName)
	ed, err = crypto.GetEncryptedData(m, sessionKey, uint32(usage), tkt.EncPart.KVNO)
	if err != nil {
	return ed, krberror.Errorf(err, krberror.EncryptingError, "error encrypting Authenticator")
	}
	return ed, nil
	}

	// DecryptAuthenticator decrypts the Authenticator within the AP_REQ.
	// sessionKey may simply be the key within the decrypted EncPart of the ticket within the AP_REQ.
	func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) error {
	usage := authenticatorKeyUsage(a.Ticket.SName)
	ab, e := crypto.DecryptEncPart(a.EncryptedAuthenticator, sessionKey, uint32(usage))
	if e != nil {
	return fmt.Errorf("error decrypting authenticator: %v", e)
	}
	err := a.Authenticator.Unmarshal(ab)
	if err != nil {
	return fmt.Errorf("error unmarshaling authenticator: %v", err)
	}
	return nil
	}

	func authenticatorKeyUsage(pn types.PrincipalName) int {
	if pn.NameString[0] == "krbtgt" {
	return keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
	}
	return keyusage.AP_REQ_AUTHENTICATOR
	}

	// Unmarshal bytes b into the APReq struct.
	func (a *APReq) Unmarshal(b []byte) error {
	var m marshalAPReq
	_, err := asn1.UnmarshalWithParams(b, &m, fmt.Sprintf("application,explicit,tag:%v", asnAppTag.APREQ))
	if err != nil {
	return krberror.Errorf(err, krberror.EncodingError, "unmarshal error of AP_REQ")
	}
	if m.MsgType != msgtype.KRB_AP_REQ {
	return NewKRBError(types.PrincipalName{}, "", errorcode.KRB_AP_ERR_MSG_TYPE, errorcode.Lookup(errorcode.KRB_AP_ERR_MSG_TYPE))
	}
	a.PVNO = m.PVNO
	a.MsgType = m.MsgType
	a.APOptions = m.APOptions
	a.EncryptedAuthenticator = m.EncryptedAuthenticator
	a.Ticket, err = unmarshalTicket(m.Ticket.Bytes)
	if err != nil {
	return krberror.Errorf(err, krberror.EncodingError, "unmarshaling error of Ticket within AP_REQ")
	}
	return nil
	}

	// Marshal APReq struct.
	func (a *APReq) Marshal() ([]byte, error) {
	m := marshalAPReq{
	PVNO: a.PVNO,
	MsgType: a.MsgType,
	APOptions: a.APOptions,
	EncryptedAuthenticator: a.EncryptedAuthenticator,
	}
	var b []byte
	b, err := a.Ticket.Marshal()
	if err != nil {
	return b, err
	}
	m.Ticket = asn1.RawValue{
	Class: asn1.ClassContextSpecific,
	IsCompound: true,
	Tag: 3,
	Bytes: b,
	}
	mk, err := asn1.Marshal(m)
	if err != nil {
	return mk, krberror.Errorf(err, krberror.EncodingError, "marshaling error of AP_REQ")
	}
	mk = asn1tools.AddASNAppTag(mk, asnAppTag.APREQ)
	return mk, nil
	}

	// Verify an AP_REQ using service's keytab, spn and max acceptable clock skew duration.
	// The service ticket encrypted part and authenticator will be decrypted as part of this operation.
	func (a APReq) Verify(kt keytab.Keytab, d time.Duration, cAddr types.HostAddress) (bool, error) {
	// Decrypt ticket's encrypted part with service key
	//TODO decrypt with service's session key from its TGT is use-to-user. Need to figure out how to get TGT.
	//if types.IsFlagSet(&a.APOptions, flags.APOptionUseSessionKey) {
	// //If the USE-SESSION-KEY flag is set in the ap-options field, it indicates to
	// //the server that user-to-user authentication is in use, and that the ticket
	// //is encrypted in the session key from the server's TGT rather than in the server's secret key.
	// err := a.Ticket.Decrypt(tgt.DecryptedEncPart.Key)
	// if err != nil {
	// return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of ticket provided using session key")
	// }
	//} else {
	// // Because it is possible for the server to be registered in multiple
	// // realms, with different keys in each, the srealm field in the
	// // unencrypted portion of the ticket in the KRB_AP_REQ is used to
	// // specify which secret key the server should use to decrypt that
	// // ticket.The KRB_AP_ERR_NOKEY error code is returned if the server
	// // doesn't have the proper key to decipher the ticket.
	// // The ticket is decrypted using the version of the server's key
	// // specified by the ticket.
	// err := a.Ticket.DecryptEncPart(*kt, &a.Ticket.SName)
	// if err != nil {
	// return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
	// }
	//}
	err := a.Ticket.DecryptEncPart(kt, &a.Ticket.SName)
	if err != nil {
	return false, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
	}

	// Check time validity of ticket
	ok, err := a.Ticket.Valid(d)
	if err != nil \|\| !ok {
	return ok, err
	}

	// Check client's address is listed in the client addresses in the ticket
	if len(a.Ticket.DecryptedEncPart.CAddr) > 0 {
	//The addresses in the ticket (if any) are then searched for an address matching the operating-system reported
	//address of the client. If no match is found or the server insists on ticket addresses but none are present in
	//the ticket, the KRB_AP_ERR_BADADDR error is returned.
	if !types.HostAddressesContains(a.Ticket.DecryptedEncPart.CAddr, cAddr) {
	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "client address not within the list contained in the service ticket")
	}
	}

	// Decrypt authenticator with session key from ticket's encrypted part
	err = a.DecryptAuthenticator(a.Ticket.DecryptedEncPart.Key)
	if err != nil {
	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BAD_INTEGRITY, "could not decrypt authenticator")
	}

	// Check CName in authenticator is the same as that in the ticket
	if !a.Authenticator.CName.Equal(a.Ticket.DecryptedEncPart.CName) {
	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_BADMATCH, "CName in Authenticator does not match that in service ticket")
	}

	// Check the clock skew between the client and the service server
	ct := a.Authenticator.CTime.Add(time.Duration(a.Authenticator.Cusec) * time.Microsecond)
	t := time.Now().UTC()
	if t.Sub(ct) > d \|\| ct.Sub(t) > d {
	return false, NewKRBError(a.Ticket.SName, a.Ticket.Realm, errorcode.KRB_AP_ERR_SKEW, fmt.Sprintf("clock skew with client too large. greater than %v seconds", d))
	}
	return true, nil
	}