
AP_REQ authenticator method

Jonathan Turner 8 år sedan
förälder
incheckning
8bcad13028
2 ändrade filer med 26 tillägg och 10 borttagningar
  1. 23 0
      messages/APReq.go
  2. 3 10
      service/APExchange.go

+ 23 - 0
messages/APReq.go

@@ -84,6 +84,29 @@ func encryptAuthenticator(a types.Authenticator, sessionKey types.EncryptionKey,
 	return ed, nil
 }
 
+// Decrypt the Authenticator within the AP_REQ.
+// sessionKey may simply be the key within the decrypted EncPart of the ticket within the AP_REQ.
+func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) (auth types.Authenticator, err error) {
+	var usage uint32
+	switch a.Ticket.SName.NameType {
+	case nametype.KRB_NT_PRINCIPAL:
+		usage = keyusage.AP_REQ_AUTHENTICATOR
+	case nametype.KRB_NT_SRV_INST:
+		usage = keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
+	}
+	ab, e := crypto.DecryptEncPart(a.Authenticator, sessionKey, usage)
+	if e != nil {
+		err = fmt.Errorf("error decrypting authenticator: %v", err)
+		return
+	}
+	e = auth.Unmarshal(ab)
+	if e != nil {
+		err = fmt.Errorf("error unmarshaling authenticator")
+		return
+	}
+	return
+}
+
 // Unmarshal bytes b into the APReq struct.
 func (a *APReq) Unmarshal(b []byte) error {
 	var m marshalAPReq
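Review bot: The wrap on the decrypt failure formats the named return `err`, which is still nil at that point, instead of the local `e`, so callers get "error decrypting authenticator: <nil>" and the underlying cryptographic cause is lost; the unmarshal branch likewise discards `e` entirely. The switch also has no default, so a ticket whose SName name type is neither KRB_NT_PRINCIPAL nor KRB_NT_SRV_INST silently calls DecryptEncPart with key usage 0 rather than failing closed. Both are worth fixing together, and the doc comment should say that the key usage is derived from the ticket's SName name type, e.g. `// The key usage is chosen from the ticket's SName name type; other name types are rejected.`
```go
func (a *APReq) DecryptAuthenticator(sessionKey types.EncryptionKey) (auth types.Authenticator, err error) {
	var usage uint32
	switch a.Ticket.SName.NameType {
	case nametype.KRB_NT_PRINCIPAL:
		usage = keyusage.AP_REQ_AUTHENTICATOR
	case nametype.KRB_NT_SRV_INST:
		usage = keyusage.TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR
	default:
		// Fail closed: never decrypt with an unassigned key usage.
		return auth, fmt.Errorf("unsupported ticket SName name type %v for authenticator decryption", a.Ticket.SName.NameType)
	}
	ab, e := crypto.DecryptEncPart(a.Authenticator, sessionKey, usage)
	if e != nil {
		return auth, fmt.Errorf("error decrypting authenticator: %v", e)
	}
	if e = auth.Unmarshal(ab); e != nil {
		return auth, fmt.Errorf("error unmarshaling authenticator: %v", e)
	}
	return auth, nil
}
```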

+ 3 - 10
service/APExchange.go

@@ -5,10 +5,8 @@ import (
 	"time"
 
 	"gopkg.in/jcmturner/gokrb5.v4/credentials"
-	"gopkg.in/jcmturner/gokrb5.v4/crypto"
 	"gopkg.in/jcmturner/gokrb5.v4/iana/errorcode"
 	"gopkg.in/jcmturner/gokrb5.v4/iana/flags"
-	"gopkg.in/jcmturner/gokrb5.v4/iana/keyusage"
 	"gopkg.in/jcmturner/gokrb5.v4/keytab"
 	"gopkg.in/jcmturner/gokrb5.v4/krberror"
 	"gopkg.in/jcmturner/gokrb5.v4/messages"
@@ -20,16 +18,11 @@ func ValidateAPREQ(APReq messages.APReq, kt keytab.Keytab, sa string, cAddr stri
 	var creds credentials.Credentials
 	err := APReq.Ticket.DecryptEncPart(kt, sa)
 	if err != nil {
-		return false, creds, krberror.Errorf(err, krberror.DecryptingError, "Error decrypting encpart of service ticket provided")
+		return false, creds, krberror.Errorf(err, krberror.DecryptingError, "error decrypting encpart of service ticket provided")
 	}
-	ab, err := crypto.DecryptEncPart(APReq.Authenticator, APReq.Ticket.DecryptedEncPart.Key, keyusage.AP_REQ_AUTHENTICATOR)
+	a, err := APReq.DecryptAuthenticator(APReq.Ticket.DecryptedEncPart.Key)
 	if err != nil {
-		return false, creds, krberror.Errorf(err, krberror.DecryptingError, "Error decrypting authenticator")
-	}
-	var a types.Authenticator
-	err = a.Unmarshal(ab)
-	if err != nil {
-		return false, creds, krberror.Errorf(err, krberror.EncodingError, "Error unmarshaling authenticator")
+		return false, creds, krberror.Errorf(err, krberror.DecryptingError, "error extracting authenticator")
 	}
 	// Check CName in Authenticator is the same as that in the ticket
 	if !a.CName.Equal(APReq.Ticket.DecryptedEncPart.CName) {
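Review bot: Replacing the fixed `keyusage.AP_REQ_AUTHENTICATOR` call with `APReq.DecryptAuthenticator` changes which key usage ValidateAPREQ applies, because that method (messages/APReq.go in this commit) picks the usage from the ticket's SName name type; a service ticket whose SName is typed KRB_NT_SRV_INST would now be decrypted under the TGS_REQ_PA_TGS_REQ_AP_REQ_AUTHENTICATOR usage and presumably fail where it succeeded before, so this is worth confirming against the principal name types the service is expected to accept. The rewrite also folds the former `krberror.EncodingError` for an unmarshal failure into a single `krberror.DecryptingError`, so callers can no longer tell a wrong session key apart from malformed authenticator ASN.1. If that distinction matters for logging or detection, DecryptAuthenticator should surface the two failures separately so this layer can map them back to the original codes. ValidateAPREQ continues past the hunk.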