authorGreg Hudson <ghudson@mit.edu>2009-09-13 02:52:23 +0000
committerGreg Hudson <ghudson@mit.edu>2009-09-13 02:52:23 +0000
commit0e39f8a3ad915eeb0131fb4a87b0fef304101cfd (patch)
tree6c6d7fd4b23f4724156300b5505433b13cfe9fb6 /src/include
parentf89b62fe9fd7b0cb10d7e2ff542fb18c1b56d35d (diff)
Implement s4u extensions
Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions. ticket: 6563 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/k5-int.h48
-rw-r--r--src/include/kdb.h2
-rw-r--r--src/include/kdb_ext.h4
-rw-r--r--src/include/krb5/krb5.hin9
4 files changed, 59 insertions, 4 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 90b6d9cf70..dbe5223569 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -966,6 +966,21 @@ typedef struct _krb5_pa_for_user {
krb5_data auth_package;
} krb5_pa_for_user;
+typedef struct _krb5_s4u_userid {
+ krb5_int32 nonce;
+ krb5_principal user;
+ krb5_data subject_cert;
+ krb5_flags options;
+} krb5_s4u_userid;
+
+#define KRB5_S4U_OPTS_CHECK_LOGON_HOURS 0x40000000 /* check logon hour restrictions */
+#define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE 0x20000000 /* sign with usage 27 instead of 26 */
+
+typedef struct _krb5_pa_s4u_x509_user {
+ krb5_s4u_userid user_id;
+ krb5_checksum cksum;
+} krb5_pa_s4u_x509_user;
+
enum {
KRB5_FAST_ARMOR_AP_REQUEST = 0x1
};
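Review bot: The new krb5_s4u_userid and krb5_pa_s4u_x509_user types have no comment saying which protocol element they model, and the comment on KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE hard-codes the numbers (`/* sign with usage 27 instead of 26 */`) instead of naming the KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST/_REPLY macros this same commit adds to krb5.hin, so the two will drift silently if either value is ever corrected. I would add `/* S4U2Self user identity and the PA-S4U-X509-USER padata that carries it; see [MS-SFU] */` above the first typedef and reword the flag comment to `/* sign with KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY instead of _REQUEST */`. The `options` member is a krb5_flags and presumably takes the KRB5_S4U_OPTS_* bits; a one-line comment on the field would confirm that, since the flags are declared after the struct that uses them.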
@@ -1295,6 +1310,10 @@ void KRB5_CALLCONV krb5_free_pa_enc_ts
(krb5_context, krb5_pa_enc_ts *);
void KRB5_CALLCONV krb5_free_pa_for_user
(krb5_context, krb5_pa_for_user * );
+void KRB5_CALLCONV krb5_free_s4u_userid_contents
+ (krb5_context, krb5_s4u_userid * );
+void KRB5_CALLCONV krb5_free_pa_s4u_x509_user
+ (krb5_context, krb5_pa_s4u_x509_user * );
void KRB5_CALLCONV krb5_free_pa_svr_referral_data
(krb5_context, krb5_pa_svr_referral_data * );
void KRB5_CALLCONV krb5_free_pa_server_referral_data
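Review bot: The two new free routines have different ownership contracts and neither is documented: krb5_free_s4u_userid_contents by its name releases only the members of a krb5_s4u_userid, while krb5_free_pa_s4u_x509_user, by analogy with krb5_free_pa_for_user directly above it, presumably frees the struct itself. Because krb5_pa_s4u_x509_user embeds a krb5_s4u_userid by value, a caller who calls both on the same object would double-free the principal and subject_cert; a comment on each prototype removes the ambiguity, e.g. `/* Frees the members of *u, not u itself. */` and `/* Frees *pa, including the embedded user_id members. */` (confirm the second against the implementation).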
@@ -1609,6 +1628,12 @@ krb5_error_code encode_krb5_setpw_req
krb5_error_code encode_krb5_pa_for_user
(const krb5_pa_for_user * , krb5_data **);
+krb5_error_code encode_krb5_s4u_userid
+ (const krb5_s4u_userid * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_s4u_x509_user
+ (const krb5_pa_s4u_x509_user * , krb5_data **);
+
krb5_error_code encode_krb5_pa_svr_referral_data
(const krb5_pa_svr_referral_data * , krb5_data **);
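Review bot: encode_krb5_s4u_userid is exported on its own while the matching decode hunk below adds only decode_krb5_pa_s4u_x509_user, so the encoder/decoder pairing that every neighboring entry in this header follows is broken without explanation. If the standalone encoder exists only to produce the octets over which krb5_pa_s4u_x509_user.cksum is computed (which is how I read it, but the implementation is not in this diff), a one-line comment such as `/* Standalone encoding of the user_id, used as checksum input; has no decode counterpart. */` would tell the next reader the asymmetry is intentional rather than an omission.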
@@ -1778,6 +1803,9 @@ krb5_error_code decode_krb5_setpw_req
krb5_error_code decode_krb5_pa_for_user
(const krb5_data *, krb5_pa_for_user **);
+krb5_error_code decode_krb5_pa_s4u_x509_user
+ (const krb5_data *, krb5_pa_s4u_x509_user **);
+
krb5_error_code decode_krb5_pa_svr_referral_data
(const krb5_data *, krb5_pa_svr_referral_data **);
@@ -2606,6 +2634,11 @@ krb5_error_code krb5int_send_tgs
krb5_pa_data * const *,
const krb5_data *,
krb5_creds *,
+ krb5_error_code (*gcvt_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *gcvt_data,
krb5_response * , krb5_keyblock **subkey);
/* The subkey field is an output parameter; if a
* tgs-rep is received then the subkey will be filled
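Review bot: The new gcvt_fct callback and gcvt_data parameters are undocumented, even though the comment right below the prototype documents the subkey output parameter in detail, and they are also the only named parameters in an otherwise unnamed prototype, which reads as two different authors. The prototype of krb5int_send_tgs begins above this hunk. Callers need to know when the callback runs relative to sending the request, which keyblock it receives, and what a non-zero return does to the request; I would extend the existing comment with something like `/* gcvt_fct, if non-NULL, is called with the request and the key before the TGS-REQ is sent; gcvt_data is passed through untouched. A non-zero return aborts the exchange. */`, with each of those three claims checked against the implementation before committing it.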
@@ -2796,6 +2829,21 @@ krb5int_pac_sign(krb5_context context,
const krb5_keyblock *privsvr_key,
krb5_data *data);
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_data *cert,
+ krb5_creds **out_creds);
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_proxy(krb5_context context,
+ krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_ticket *evidence_tkt,
+ krb5_creds **out_creds);
+
krb5_error_code krb5int_parse_enctype_list(krb5_context context, char *profstr,
krb5_enctype *default_list,
krb5_enctype **result);
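Review bot: krb5_get_credentials_for_user and krb5_get_credentials_for_proxy are declared with no contract: nothing says which flags `options` accepts (presumably the KRB5_GC_* set, including the KRB5_GC_CONSTRAINED_DELEGATION value this commit adds to krb5.hin), whether `cert` may be NULL, or who frees `*out_creds`. Both `cert` and `evidence_tkt` look like pure inputs and could be `const krb5_data *cert` and `const krb5_ticket *evidence_tkt` if the implementations do not write through them, which would document intent in the signature itself. A short block comment per prototype covering options, NULL-ability of the optional input, and that the caller owns and frees `*out_creds` would bring these in line with the other documented declarations in this header; these carry KRB5_CALLCONV, so if they are meant to become public API the comment will be needed in krb5.hin anyway.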
diff --git a/src/include/kdb.h b/src/include/kdb.h
index ea81cfeef1..8c0cd247a2 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -96,6 +96,8 @@
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
+#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* S4U2Self OK */
+#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
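Review bot: Moving the two flags from kdb_ext.h into kdb.h dropped the explanatory comments they had there (`/* Allowed to use protocol transition */` and `/* Service does not require authorization data */`, visible in the kdb_ext.h deletions below), leaving only the terse `/* S4U2Self OK */` on the first and nothing on the second. These bits change what a KDC will accept for a principal, so their meaning should be readable at the definition; I would restore the comments, e.g. `#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* may use protocol transition (S4U2Self) */` and `#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000 /* service does not require authorization data */`.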
diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index 59323e2322..348be51273 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -31,10 +31,6 @@
#ifndef KRB5_KDB5_EXT__
#define KRB5_KDB5_EXT__
-/* Allowed to use protocol transition */
-#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000
-/* Service does not require authorization data */
-#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Private flag used to indicate principal is local TGS */
#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
/* Private flag used to indicate xrealm relationship is non-transitive */
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index bf8c29c59e..8111c5bb62 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -631,6 +631,11 @@ krb5_error_code KRB5_CALLCONV
/* Defined in KDC referrals draft */
#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */
+
+/* Defined in [MS-SFU] */
+#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST 26 /* XXX note conflict with above */
+#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 /* XXX note conflict with above */
+
/* define in draft-ietf-krb-wg-preauth-framework*/
#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
#define KRB5_KEYUSAGE_FAST_ENC 51
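Review bot: KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST is defined as 26, the same value as KRB5_KEYUSAGE_PA_REFERRAL two lines above, and the copied `/* XXX note conflict with above */` does not say so; for the REPLY value 27 the conflicting definition is not in this hunk at all, so the comment is uninformative there. Key usage numbers are what keep the keys derived for different message types distinct, so two padata types sharing a usage with the same key is a real cross-protocol concern and deserves a precise note rather than a generic XXX. I would write `/* 26 collides with KRB5_KEYUSAGE_PA_REFERRAL (referral draft vs [MS-SFU]) */` on the REQUEST line and name the specific macro that 27 collides with on the REPLY line, so a later reader can judge whether the collision is reachable.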
@@ -1566,6 +1571,10 @@ void KRB5_CALLCONV krb5_free_tgt_creds
#define KRB5_GC_USER_USER 1 /* want user-user ticket */
#define KRB5_GC_CACHED 2 /* want cached ticket only */
#define KRB5_GC_CANONICALIZE 4 /* set canonicalize KDC option */
+#define KRB5_GC_NO_STORE 8 /* do not store in credentials cache */
+#define KRB5_GC_FORWARDABLE 16 /* acquire forwardable tickets */
+#define KRB5_GC_NO_TRANSIT_CHECK 32 /* disable transited check */
+#define KRB5_GC_CONSTRAINED_DELEGATION 64 /* constrained delegation */
krb5_error_code KRB5_CALLCONV krb5_get_credentials
(krb5_context,