From 50ba7155fd7149b58ec9f3603b7f2a3fa71e61ff Mon Sep 17 00:00:00 2001
From: xtian
Date: Thu, 8 Jun 2023 01:38:11 +0200
Subject: [PATCH] fix: cross-domain support

---
 v8/client/TGSExchange.go | 14 +++++++++-----
 v8/messages/KDCReq.go | 10 +++++-----
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/v8/client/TGSExchange.go b/v8/client/TGSExchange.go
index fd01342e..3c26ecdf 100644
--- a/v8/client/TGSExchange.go
+++ b/v8/client/TGSExchange.go
@@ -8,19 +8,23 @@ import (
 	"github.com/jcmturner/gokrb5/v8/types"
 )
 
+func MyCrossDomainPatch() {
+	// patch for cross-domain
+}
+
 // TGSREQGenerateAndExchange generates the TGS_REQ and performs a TGS exchange to retrieve a ticket to the specified SPN.
 func (cl *Client) TGSREQGenerateAndExchange(spn types.PrincipalName, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, renewal bool) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error) {
-	tgsReq, err = messages.NewTGSReq(cl.Credentials.CName(), kdcRealm, cl.Config, tgt, sessionKey, spn, renewal)
+	tgsReq, err = messages.NewTGSReq(cl.Credentials.CName(), kdcRealm, kdcRealm, cl.Config, tgt, sessionKey, spn, renewal)
 	if err != nil {
 		return tgsReq, tgsRep, krberror.Errorf(err, krberror.KRBMsgError, "TGS Exchange Error: failed to generate a new TGS_REQ")
 	}
-	return cl.TGSExchange(tgsReq, kdcRealm, tgsRep.Ticket, sessionKey, 0)
+	return cl.TGSExchange(tgsReq, kdcRealm, kdcRealm, tgsRep.Ticket, sessionKey, 0)
 }
 
 // TGSExchange exchanges the provided TGS_REQ with the KDC to retrieve a TGS_REP.
 // Referrals are automatically handled.
 // The client's cache is updated with the ticket received.
-func (cl *Client) TGSExchange(tgsReq messages.TGSReq, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, referral int) (messages.TGSReq, messages.TGSRep, error) {
+func (cl *Client) TGSExchange(tgsReq messages.TGSReq, paRealm string, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, referral int) (messages.TGSReq, messages.TGSRep, error) {
 	var tgsRep messages.TGSRep
 	b, err := tgsReq.Marshal()
 	if err != nil {
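Review bot: `MyCrossDomainPatch`, the exported function added between the import block and `TGSREQGenerateAndExchange`, has an empty body and only a placeholder comment, so it is dead scaffolding that would ship as a new public symbol of the client package; drop those four added lines. The new `paRealm` parameter of `TGSExchange` is not mentioned by the doc comment that otherwise describes the function, so add a line such as `// paRealm is the realm written into the PA-TGS-REQ authenticator and is carried unchanged across referrals, while kdcRealm names the realm whose KDC receives this request.` In `TGSREQGenerateAndExchange` the same `kdcRealm` value is passed for both realms, which is only right when the caller's kdcRealm is the realm the client was authenticated in; if the client's own realm is available from `cl.Credentials`, passing that explicitly would make the intent visible at the call site. Changing the signatures of the exported `TGSExchange` here and `NewTGSReq` in the KDCReq.go hunk below breaks every external caller of the v8 module; keeping the old signature as a thin wrapper around the new one would avoid that. The body of `TGSExchange` continues past the end of this hunk.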
@@ -60,11 +64,11 @@ func (cl *Client) TGSExchange(tgsReq messages.TGSReq, kdcRealm string, tgt messa
 			return tgsReq, tgsRep, err
 		}
 	}
-	tgsReq, err = messages.NewTGSReq(cl.Credentials.CName(), realm, cl.Config, tgsRep.Ticket, tgsRep.DecryptedEncPart.Key, tgsReq.ReqBody.SName, tgsReq.Renewal)
+	tgsReq, err = messages.NewTGSReq(cl.Credentials.CName(), paRealm, realm, cl.Config, tgsRep.Ticket, tgsRep.DecryptedEncPart.Key, tgsReq.ReqBody.SName, tgsReq.Renewal)
 	if err != nil {
 		return tgsReq, tgsRep, err
 	}
-	return cl.TGSExchange(tgsReq, realm, tgsRep.Ticket, tgsRep.DecryptedEncPart.Key, referral)
+	return cl.TGSExchange(tgsReq, paRealm, realm, tgsRep.Ticket, tgsRep.DecryptedEncPart.Key, referral)
 	}
 	cl.cache.addEntry(
 		tgsRep.Ticket,
diff --git a/v8/messages/KDCReq.go b/v8/messages/KDCReq.go
index 3745afed..46bc5d6a 100644
--- a/v8/messages/KDCReq.go
+++ b/v8/messages/KDCReq.go
@@ -154,12 +154,12 @@ func NewASReq(realm string, c *config.Config, cname, sname types.PrincipalName)
 }
 
 // NewTGSReq generates a new KRB_TGS_REQ struct.
-func NewTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Config, tgt Ticket, sessionKey types.EncryptionKey, sname types.PrincipalName, renewal bool) (TGSReq, error) {
+func NewTGSReq(cname types.PrincipalName, paRealm string, kdcRealm string, c *config.Config, tgt Ticket, sessionKey types.EncryptionKey, sname types.PrincipalName, renewal bool) (TGSReq, error) {
 	a, err := tgsReq(cname, sname, kdcRealm, renewal, c)
 	if err != nil {
 		return a, err
 	}
-	err = a.setPAData(tgt, sessionKey)
+	err = a.setPAData(paRealm, tgt, sessionKey)
 	return a, err
 }
 
@@ -171,7 +171,7 @@ func NewUser2UserTGSReq(cname types.PrincipalName, kdcRealm string, c *config.Co
 	}
 	a.ReqBody.AdditionalTickets = []Ticket{verifyingTGT}
 	types.SetFlag(&a.ReqBody.KDCOptions, flags.EncTktInSkey)
-	err = a.setPAData(clientTGT, sessionKey)
+	err = a.setPAData(clientTGT.Realm, clientTGT, sessionKey)
 	return a, err
 }
 
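Review bot: `NewTGSReq` gains a `paRealm` parameter directly beside `kdcRealm`, but its doc comment still reads only `// NewTGSReq generates a new KRB_TGS_REQ struct.`, so a caller cannot tell the two realm strings apart; extend it with `// paRealm is the realm placed in the authenticator of the PA-TGS-REQ pre-authentication data (see setPAData); kdcRealm is the realm the request body is addressed to.` Two adjacent parameters of type string are easy to transpose at call sites, which the `kdcRealm, kdcRealm` call in TGSExchange.go shows, and nothing in the new code rejects an empty `paRealm` before it reaches the authenticator. In the `NewUser2UserTGSReq` hunk, `clientTGT.Realm` is exactly the value `setPAData` used before this change, so the user-to-user path presumably keeps the cross-realm limitation this commit fixes for the ordinary path; if that is deliberate, a one-line comment there (`// user-to-user requests stay single-realm: the authenticator realm is the client TGT's realm`) would save the next reader from re-deriving it.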
@@ -226,7 +226,7 @@ func tgsReq(cname, sname types.PrincipalName, kdcRealm string, renewal bool, c *
 	}, nil
 }
 
-func (k *TGSReq) setPAData(tgt Ticket, sessionKey types.EncryptionKey) error {
+func (k *TGSReq) setPAData(paRealm string, tgt Ticket, sessionKey types.EncryptionKey) error {
 	// Marshal the request and calculate checksum
 	b, err := k.ReqBody.Marshal()
 	if err != nil {
@@ -243,7 +243,7 @@ func (k *TGSReq) setPAData(tgt Ticket, sessionKey types.EncryptionKey) error {
 
 	// Form PAData for TGS_REQ
 	// Create authenticator
-	auth, err := types.NewAuthenticator(tgt.Realm, k.ReqBody.CName)
+	auth, err := types.NewAuthenticator(paRealm, k.ReqBody.CName)
 	if err != nil {
 		return krberror.Errorf(err, krberror.KRBMsgError, "error generating new authenticator")
 	}
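Review bot: `setPAData` now hands `paRealm` straight to `types.NewAuthenticator` (second hunk) with no check, so an empty string from a careless caller becomes an authenticator with an empty realm instead of an error at the point where the mistake is cheapest to see. A guard at the top of the function, `if paRealm == "" { paRealm = tgt.Realm }`, would preserve the pre-change behaviour for such callers, or return an error if you prefer the contract to be strict; either way the choice should be stated in a doc comment on `setPAData`, which currently has none. The `NewAuthenticator` line also deserves a why-comment, since after this commit the diff is the only record of the reason: `// Use the caller-supplied realm rather than tgt.Realm: after a cross-realm referral the TGT's Realm is presumably the issuing realm, not the realm the authenticator must carry.` Both hunks belong to `setPAData`, whose body extends beyond them.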