[VOL-3255] enhancement to support device metrics
Change-Id: Ic26c2db30a58943a4eef6276ae1cf40350d51702
diff --git a/vendor/gopkg.in/jcmturner/gokrb5.v7/client/ASExchange.go b/vendor/gopkg.in/jcmturner/gokrb5.v7/client/ASExchange.go
new file mode 100644
index 0000000..9d1a2f3
--- /dev/null
+++ b/vendor/gopkg.in/jcmturner/gokrb5.v7/client/ASExchange.go
@@ -0,0 +1,189 @@
+package client
+
+import (
+ "gopkg.in/jcmturner/gokrb5.v7/crypto"
+ "gopkg.in/jcmturner/gokrb5.v7/crypto/etype"
+ "gopkg.in/jcmturner/gokrb5.v7/iana/errorcode"
+ "gopkg.in/jcmturner/gokrb5.v7/iana/keyusage"
+ "gopkg.in/jcmturner/gokrb5.v7/iana/patype"
+ "gopkg.in/jcmturner/gokrb5.v7/krberror"
+ "gopkg.in/jcmturner/gokrb5.v7/messages"
+ "gopkg.in/jcmturner/gokrb5.v7/types"
+)
+
+// ASExchange performs an AS exchange for the client to retrieve a TGT.
+func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (messages.ASRep, error) {
+ if ok, err := cl.IsConfigured(); !ok {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.ConfigError, "AS Exchange cannot be performed")
+ }
+
+ // Set PAData if required
+ err := setPAData(cl, nil, &ASReq)
+ if err != nil {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "AS Exchange Error: issue with setting PAData on AS_REQ")
+ }
+
+ b, err := ASReq.Marshal()
+ if err != nil {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.EncodingError, "AS Exchange Error: failed marshaling AS_REQ")
+ }
+ var ASRep messages.ASRep
+
+ rb, err := cl.sendToKDC(b, realm)
+ if err != nil {
+ if e, ok := err.(messages.KRBError); ok {
+ switch e.ErrorCode {
+ case errorcode.KDC_ERR_PREAUTH_REQUIRED, errorcode.KDC_ERR_PREAUTH_FAILED:
+ // From now on assume this client will need to do this pre-auth and set the PAData
+ cl.settings.assumePreAuthentication = true
+ err = setPAData(cl, &e, &ASReq)
+ if err != nil {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required")
+ }
+ b, err := ASReq.Marshal()
+ if err != nil {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.EncodingError, "AS Exchange Error: failed marshaling AS_REQ with PAData")
+ }
+ rb, err = cl.sendToKDC(b, realm)
+ if err != nil {
+ if _, ok := err.(messages.KRBError); ok {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.KDCError, "AS Exchange Error: kerberos error response from KDC")
+ }
+ return messages.ASRep{}, krberror.Errorf(err, krberror.NetworkingError, "AS Exchange Error: failed sending AS_REQ to KDC")
+ }
+ case errorcode.KDC_ERR_WRONG_REALM:
+ // Client referral https://tools.ietf.org/html/rfc6806.html#section-7
+ if referral > 5 {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "maximum number of client referrals exceeded")
+ }
+ referral++
+ return cl.ASExchange(e.CRealm, ASReq, referral)
+ default:
+ return messages.ASRep{}, krberror.Errorf(err, krberror.KDCError, "AS Exchange Error: kerberos error response from KDC")
+ }
+ } else {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.NetworkingError, "AS Exchange Error: failed sending AS_REQ to KDC")
+ }
+ }
+ err = ASRep.Unmarshal(rb)
+ if err != nil {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.EncodingError, "AS Exchange Error: failed to process the AS_REP")
+ }
+ if ok, err := ASRep.Verify(cl.Config, cl.Credentials, ASReq); !ok {
+ return messages.ASRep{}, krberror.Errorf(err, krberror.KRBMsgError, "AS Exchange Error: AS_REP is not valid or client password/keytab incorrect")
+ }
+ return ASRep, nil
+}
+
+// setPAData adds pre-authentication data to the AS_REQ.
+func setPAData(cl *Client, krberr *messages.KRBError, ASReq *messages.ASReq) error {
+ if !cl.settings.DisablePAFXFAST() {
+ pa := types.PAData{PADataType: patype.PA_REQ_ENC_PA_REP}
+ ASReq.PAData = append(ASReq.PAData, pa)
+ }
+ if cl.settings.AssumePreAuthentication() {
+ // Identify the etype to use to encrypt the PA Data
+ var et etype.EType
+ var err error
+ var key types.EncryptionKey
+ if krberr == nil {
+ // This is not in response to an error from the KDC. It is preemptive or renewal
+ // There is no KRB Error that tells us the etype to use
+ etn := cl.settings.preAuthEType // Use the etype that may have previously been negotiated
+ if etn == 0 {
+ etn = int32(cl.Config.LibDefaults.PreferredPreauthTypes[0]) // Resort to config
+ }
+ et, err = crypto.GetEtype(etn)
+ if err != nil {
+ return krberror.Errorf(err, krberror.EncryptingError, "error getting etype for pre-auth encryption")
+ }
+ key, err = cl.Key(et, nil)
+ if err != nil {
+ return krberror.Errorf(err, krberror.EncryptingError, "error getting key from credentials")
+ }
+ } else {
+ // Get the etype to use from the PA data in the KRBError e-data
+ et, err = preAuthEType(krberr)
+ if err != nil {
+ return krberror.Errorf(err, krberror.EncryptingError, "error getting etype for pre-auth encryption")
+ }
+ cl.settings.preAuthEType = et.GetETypeID() // Set the etype that has been defined for potential future use
+ key, err = cl.Key(et, krberr)
+ if err != nil {
+ return krberror.Errorf(err, krberror.EncryptingError, "error getting key from credentials")
+ }
+ }
+ // Generate the PA data
+ paTSb, err := types.GetPAEncTSEncAsnMarshalled()
+ if err != nil {
+ return krberror.Errorf(err, krberror.KRBMsgError, "error creating PAEncTSEnc for Pre-Authentication")
+ }
+ //TODO (theme: KVNO from keytab) the kvno should not be hard coded to 1 as this hampers troubleshooting.
+ paEncTS, err := crypto.GetEncryptedData(paTSb, key, keyusage.AS_REQ_PA_ENC_TIMESTAMP, 1)
+ if err != nil {
+ return krberror.Errorf(err, krberror.EncryptingError, "error encrypting pre-authentication timestamp")
+ }
+ pb, err := paEncTS.Marshal()
+ if err != nil {
+ return krberror.Errorf(err, krberror.EncodingError, "error marshaling the PAEncTSEnc encrypted data")
+ }
+ pa := types.PAData{
+ PADataType: patype.PA_ENC_TIMESTAMP,
+ PADataValue: pb,
+ }
+ // Look for and delete any exiting patype.PA_ENC_TIMESTAMP
+ for i, pa := range ASReq.PAData {
+ if pa.PADataType == patype.PA_ENC_TIMESTAMP {
+ ASReq.PAData[i] = ASReq.PAData[len(ASReq.PAData)-1]
+ ASReq.PAData = ASReq.PAData[:len(ASReq.PAData)-1]
+ }
+ }
+ ASReq.PAData = append(ASReq.PAData, pa)
+ }
+ return nil
+}
+
+// preAuthEType establishes what encryption type to use for pre-authentication from the KRBError returned from the KDC.
+func preAuthEType(krberr *messages.KRBError) (etype etype.EType, err error) {
+ //The preferred ordering of the "hint" pre-authentication data that
+ //affect client key selection is: ETYPE-INFO2, followed by ETYPE-INFO,
+ //followed by PW-SALT.
+ //A KDC SHOULD NOT send PA-PW-SALT when issuing a KRB-ERROR message
+ //that requests additional pre-authentication. Implementation note:
+ //Some KDC implementations issue an erroneous PA-PW-SALT when issuing a
+ //KRB-ERROR message that requests additional pre-authentication.
+ //Therefore, clients SHOULD ignore a PA-PW-SALT accompanying a
+ //KRB-ERROR message that requests additional pre-authentication.
+ var etypeID int32
+ var pas types.PADataSequence
+ e := pas.Unmarshal(krberr.EData)
+ if e != nil {
+ err = krberror.Errorf(e, krberror.EncodingError, "error unmashalling KRBError data")
+ return
+ }
+ for _, pa := range pas {
+ switch pa.PADataType {
+ case patype.PA_ETYPE_INFO2:
+ info, e := pa.GetETypeInfo2()
+ if e != nil {
+ err = krberror.Errorf(e, krberror.EncodingError, "error unmashalling ETYPE-INFO2 data")
+ return
+ }
+ etypeID = info[0].EType
+ break
+ case patype.PA_ETYPE_INFO:
+ info, e := pa.GetETypeInfo()
+ if e != nil {
+ err = krberror.Errorf(e, krberror.EncodingError, "error unmashalling ETYPE-INFO data")
+ return
+ }
+ etypeID = info[0].EType
+ }
+ }
+ etype, e = crypto.GetEtype(etypeID)
+ if e != nil {
+ err = krberror.Errorf(e, krberror.EncryptingError, "error creating etype")
+ return
+ }
+ return etype, nil
+}