Implement GSS naming extensions and authdata verification

Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming extensions and verification of authorization data. ticket: 6572 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22875 dc483132-0cff-0310-8789-dd5450dbe970
author: Greg Hudson <ghudson@mit.edu> 2009-10-09 18:29:34 +0000
committer: Greg Hudson <ghudson@mit.edu> 2009-10-09 18:29:34 +0000
commit: 17ffdd0e93271072369e479f440ddf85e020580a (patch)
tree: cdaf4944a478128a1d53d854063a7d809b7c6aae /src/include
parent: 6ad74ac369b09df7d29ca8e09b0af946b4819523 (diff)
download: krb5-17ffdd0e93271072369e479f440ddf85e020580a.tar.gz
krb5-17ffdd0e93271072369e479f440ddf85e020580a.tar.xz
krb5-17ffdd0e93271072369e479f440ddf85e020580a.zip
4 files changed, 316 insertions, 6 deletions
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 1c8a1c92d8..77221724ca 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1035,6 +1035,11 @@ typedef struct _krb5_fast_response {
     krb5_int32 nonce;
 } krb5_fast_response;
 
+typedef struct _krb5_ad_kdcissued {
+    krb5_checksum ad_checksum;
+    krb5_principal i_principal;
+    krb5_authdata **elements;
+} krb5_ad_kdcissued;
 
 typedef krb5_error_code (*krb5_preauth_obtain_proc)
     (krb5_context,
@@ -1345,11 +1350,111 @@ void KRB5_CALLCONV krb5_free_fast_finished
 (krb5_context, krb5_fast_finished *);
 void KRB5_CALLCONV krb5_free_fast_response
 (krb5_context, krb5_fast_response *);
+void KRB5_CALLCONV krb5_free_ad_kdcissued
+(krb5_context, krb5_ad_kdcissued *);
 
 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
 #include "com_err.h"
 #include "k5-plugin.h"
 
+#include <krb5/authdata_plugin.h>
+
+struct _krb5_authdata_context {
+    krb5_magic magic;
+    int n_modules;
+    struct _krb5_authdata_context_module {
+	krb5_authdatatype ad_type;
+	void *plugin_context;
+        authdata_client_plugin_fini_proc client_fini;
+	krb5_flags flags;
+	krb5plugin_authdata_client_ftable_v0 *ftable;
+	authdata_client_request_init_proc client_req_init;
+	authdata_client_request_fini_proc client_req_fini;
+	const char *name;
+	void *request_context;
+	void **request_context_pp;
+    } *modules;
+    struct plugin_dir_handle plugins;
+};
+
+typedef struct _krb5_authdata_context *krb5_authdata_context;
+
+void KRB5_CALLCONV krb5int_free_data_list
+(krb5_context context, krb5_data *data);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_init
+(krb5_context kcontext, krb5_authdata_context *pcontext);
+
+void KRB5_CALLCONV
+krb5_authdata_context_free
+(krb5_context kcontext, krb5_authdata_context context);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_authdata
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_authdata ***pauthdata);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_get_attribute_types
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_data **attrs);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_get_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_set_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_delete_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_import_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ const krb5_data *attributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_data **pattributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean restrict_authenticated,
+ const char *module,
+ void **ptr);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_copy
+(krb5_context kcontext,
+ krb5_authdata_context src,
+ krb5_authdata_context *dst);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_free_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const char *module,
+ void *ptr);
+
+
 struct _kdb5_dal_handle;	/* private, in kdb5.h */
 typedef struct _kdb5_dal_handle kdb5_dal_handle;
 struct _kdb_log_context;
@@ -1669,6 +1774,9 @@ krb5_error_code encode_krb5_pa_fx_fast_reply
 krb5_error_code encode_krb5_fast_response
 (const krb5_fast_response *, krb5_data **);
 
+krb5_error_code encode_krb5_ad_kdcissued
+(const krb5_ad_kdcissued *, krb5_data **);
+
 /*************************************************************************
  * End of prototypes for krb5_encode.c
  *************************************************************************/
@@ -1844,6 +1952,9 @@ krb5_error_code decode_krb5_pa_fx_fast_reply
 krb5_error_code decode_krb5_fast_response
 (const krb5_data *, krb5_fast_response **);
 
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *, krb5_ad_kdcissued **);
+
 struct _krb5_key_data;		/* kdb.h */
 
 struct ldap_seqof_key_data {
@@ -2686,6 +2797,7 @@ krb5_error_code krb5_rd_req_decoded_anyflag
 		krb5_keytab,
 		krb5_flags *,
 		krb5_ticket **);
+
 krb5_error_code KRB5_CALLCONV krb5_cc_register
 	(krb5_context,
 		const krb5_cc_ops *,
@@ -2730,6 +2842,18 @@ krb5_error_code krb5_auth_con_get_subkey_enctype
 	    krb5_auth_context,
 	    krb5_enctype *);
 
+krb5_error_code
+krb5_auth_con_get_authdata_context
+	(krb5_context context,
+	    krb5_auth_context auth_context,
+	    krb5_authdata_context *ad_context);
+
+krb5_error_code
+krb5_auth_con_set_authdata_context
+	(krb5_context context,
+	    krb5_auth_context auth_context,
+	    krb5_authdata_context ad_context);
+
 krb5_error_code KRB5_CALLCONV
 krb5int_server_decrypt_ticket_keyblock
   	(krb5_context context,
diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index 348be51273..3841920058 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -97,6 +97,7 @@ typedef struct _kdb_sign_auth_data_req {
     krb5_keyblock *server_key;		/* Key used to generate server signature */
     krb5_timestamp authtime;		/* Authtime of TGT */
     krb5_authdata **auth_data;		/* Authorization data from TGT */
+    krb5_keyblock *session_key;		/* Reply session key */
 } kdb_sign_auth_data_req;
 
 typedef struct _kdb_sign_auth_data_rep {
diff --git a/src/include/krb5/authdata_plugin.h b/src/include/krb5/authdata_plugin.h
index e8c9fce2dc..449b7f8908 100644
--- a/src/include/krb5/authdata_plugin.h
+++ b/src/include/krb5/authdata_plugin.h
@@ -7,7 +7,7 @@
  *   require a specific license from the United States Government.
  *   It is the responsibility of any person or organization contemplating
  *   export to obtain such a license before exporting.
- * 
+ *
  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  * distribute this software and its documentation for any purpose and
  * without fee is hereby granted, provided that the above copyright
@@ -21,7 +21,7 @@
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is" without express
  * or implied warranty.
- * 
+ *
  * AuthorizationData plugin definitions for Kerberos 5.
  */
 
@@ -68,7 +68,7 @@ struct _krb5_db_entry_new;
  * functions.
  */
 /* extern krb5plugin_authdata_ftable_v0 authdata_server_0; */
-typedef struct krb5plugin_authdata_ftable_v0 {
+typedef struct krb5plugin_authdata_server_ftable_v0 {
     /* Not-usually-visible name. */
     char *name;
 
@@ -107,9 +107,11 @@ typedef struct krb5plugin_authdata_ftable_v0 {
 				     krb5_data *req_pkt,
 				     krb5_kdc_req *request,
 				     krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v0;
+} krb5plugin_server_authdata_ftable_v0;
 
-typedef struct krb5plugin_authdata_ftable_v1 {
+typedef krb5plugin_server_authdata_ftable_v0 krb5plugin_authdata_ftable_v0;
+
+typedef struct krb5plugin_authdata_server_ftable_v1 {
     /* Not-usually-visible name. */
     char *name;
 
@@ -155,6 +157,173 @@ typedef struct krb5plugin_authdata_ftable_v1 {
 				     krb5_const_principal for_user_princ,
 				     krb5_enc_tkt_part *enc_tkt_request,
 				     krb5_enc_tkt_part *enc_tkt_reply);
-} krb5plugin_authdata_ftable_v1;
+} krb5plugin_authdata_server_ftable_v1;
+
+typedef krb5plugin_authdata_server_ftable_v1 krb5plugin_authdata_ftable_v1;
+
+typedef krb5_error_code
+(*authdata_client_plugin_init_proc)(krb5_context context,
+				    void **plugin_context);
+
+#define AD_USAGE_AS_REQ		0x01
+#define AD_USAGE_TGS_REQ	0x02
+#define AD_USAGE_AP_REQ		0x04
+#define AD_USAGE_KDC_ISSUED	0x08
+#define AD_USAGE_MASK		0x0F
+#define AD_INFORMATIONAL	0x10
+
+struct _krb5_authdata_context;
+
+typedef void
+(*authdata_client_plugin_flags_proc)(krb5_context kcontext,
+				     void *plugin_context,
+				     krb5_authdatatype ad_type,
+				     krb5_flags *flags);
+
+typedef void
+(*authdata_client_plugin_fini_proc)(krb5_context kcontext,
+				    void *plugin_context);
+
+typedef krb5_error_code
+(*authdata_client_request_init_proc)(krb5_context kcontext,
+				     struct _krb5_authdata_context *context,
+				     void *plugin_context,
+				     void **request_context);
+
+typedef void
+(*authdata_client_request_fini_proc)(krb5_context kcontext,
+				     struct _krb5_authdata_context *context,
+				     void *plugin_context,
+				     void *request_context);
+
+typedef krb5_error_code
+(*authdata_client_import_authdata_proc)(krb5_context kcontext,
+					struct _krb5_authdata_context *context,
+					void *plugin_context,
+					void *request_context,
+					krb5_authdata **authdata,
+					krb5_boolean kdc_issued_flag,
+					krb5_const_principal issuer);
+
+typedef krb5_error_code
+(*authdata_client_export_authdata_proc)(krb5_context kcontext,
+					struct _krb5_authdata_context *context,
+					void *plugin_context,
+					void *request_context,
+					krb5_flags usage,
+					krb5_authdata ***authdata);
+
+typedef krb5_error_code
+(*authdata_client_get_attribute_types_proc)(krb5_context kcontext,
+					    struct _krb5_authdata_context *context,
+					    void *plugin_context,
+					    void *request_context,
+					    krb5_data **attrs);
+
+typedef krb5_error_code
+(*authdata_client_get_attribute_proc)(krb5_context kcontext,
+				      struct _krb5_authdata_context *context,
+				      void *plugin_context,
+				      void *request_context,
+				      const krb5_data *attribute,
+				      krb5_boolean *authenticated,
+				      krb5_boolean *complete,
+				      krb5_data *value,
+				      krb5_data *display_value,
+				      int *more);
+
+typedef krb5_error_code
+(*authdata_client_set_attribute_proc)(krb5_context kcontext,
+				      struct _krb5_authdata_context *context,
+				      void *plugin_context,
+				      void *request_context,
+				      krb5_boolean complete,
+				      const krb5_data *attribute,
+				      const krb5_data *value);
+
+typedef krb5_error_code
+(*authdata_client_delete_attribute_proc)(krb5_context kcontext,
+					 struct _krb5_authdata_context *context,
+					 void *plugin_context,
+					 void *request_context,
+					 const krb5_data *attribute);
+
+typedef krb5_error_code
+(*authdata_client_export_internal_proc)(krb5_context kcontext,
+					struct _krb5_authdata_context *context,
+					void *plugin_context,
+					void *request_context,
+					krb5_boolean restrict_authenticated,
+					void **ptr);
+
+typedef void
+(*authdata_client_free_internal_proc)(krb5_context kcontext,
+				      struct _krb5_authdata_context *context,
+				      void *plugin_context,
+				      void *request_context,
+				      void *ptr);
+
+typedef krb5_error_code
+(*authdata_client_verify_proc)(krb5_context kcontext,
+			       struct _krb5_authdata_context *context,
+			       void *plugin_context,
+			       void *request_context,
+			       const krb5_auth_context *auth_context,
+			       const krb5_keyblock *key,
+			       const krb5_ap_req *req);
+
+typedef krb5_error_code
+(*authdata_client_size_proc)(krb5_context kcontext,
+			     struct _krb5_authdata_context *context,
+			     void *plugin_context,
+			     void *request_context,
+			     size_t *sizep);
+
+typedef krb5_error_code
+(*authdata_client_externalize_proc)(krb5_context kcontext,
+				    struct _krb5_authdata_context *context,
+				    void *plugin_context,
+				    void *request_context,
+				    krb5_octet **buffer,
+				    size_t *lenremain);
+
+typedef krb5_error_code
+(*authdata_client_internalize_proc)(krb5_context kcontext,
+				    struct _krb5_authdata_context *context,
+				    void *plugin_context,
+				    void *request_context,
+				    krb5_octet **buffer,
+				    size_t *lenremain);
+
+typedef krb5_error_code
+(*authdata_client_copy_proc)(krb5_context kcontext,
+			     struct _krb5_authdata_context *context,
+			     void *plugin_context,
+			     void *request_context,
+			     void *dst_plugin_context,
+			     void *dst_request_context);
+
+typedef struct krb5plugin_authdata_client_ftable_v0 {
+    char *name;
+    krb5_authdatatype *ad_type_list;
+    authdata_client_plugin_init_proc init;
+    authdata_client_plugin_fini_proc fini;
+    authdata_client_plugin_flags_proc flags;
+    authdata_client_request_init_proc request_init;
+    authdata_client_request_fini_proc request_fini;
+    authdata_client_get_attribute_types_proc get_attribute_types;
+    authdata_client_get_attribute_proc get_attribute;
+    authdata_client_set_attribute_proc set_attribute;
+    authdata_client_delete_attribute_proc delete_attribute;
+    authdata_client_export_authdata_proc export_authdata;
+    authdata_client_import_authdata_proc import_authdata;
+    authdata_client_export_internal_proc export_internal;
+    authdata_client_free_internal_proc free_internal;
+    authdata_client_verify_proc verify;
+    authdata_client_size_proc size;
+    authdata_client_externalize_proc externalize;
+    authdata_client_internalize_proc internalize;
+    authdata_client_copy_proc copy; /* optional */
+} krb5plugin_authdata_client_ftable_v0;
 
 #endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 8111c5bb62..81bc1cf6e5 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2575,6 +2575,22 @@ krb5_encode_authdata_container(krb5_context context,
     krb5_authdata ***container);
 
 /*
+ * AD-KDCIssued
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_make_authdata_kdc_issued(krb5_context context,
+    const krb5_keyblock *key,
+    krb5_const_principal issuer,
+    krb5_authdata *const *authdata,
+    krb5_authdata ***ad_kdcissued);
+krb5_error_code KRB5_CALLCONV
+krb5_verify_authdata_kdc_issued(krb5_context context,
+    const krb5_keyblock *key,
+    const krb5_authdata *ad_kdcissued,
+    krb5_principal *issuer,
+    krb5_authdata ***authdata);
+
+/*
  * Windows PAC
  */
 struct krb5_pac_data;
author	Greg Hudson <ghudson@mit.edu>	2009-10-09 18:29:34 +0000
committer	Greg Hudson <ghudson@mit.edu>	2009-10-09 18:29:34 +0000
commit	17ffdd0e93271072369e479f440ddf85e020580a (patch)
tree	cdaf4944a478128a1d53d854063a7d809b7c6aae /src/include
parent	6ad74ac369b09df7d29ca8e09b0af946b4819523 (diff)
download	krb5-17ffdd0e93271072369e479f440ddf85e020580a.tar.gz krb5-17ffdd0e93271072369e479f440ddf85e020580a.tar.xz krb5-17ffdd0e93271072369e479f440ddf85e020580a.zip