authorTheodore Tso <tytso@mit.edu>1995-09-02 03:43:05 +0000
committerTheodore Tso <tytso@mit.edu>1995-09-02 03:43:05 +0000
commitc1cfefcfea75466ebfc82120d665f1a5752b7314 (patch)
tree0cf0f0598a39b547d6aeb4cdcf20507de028f968 /src/kdc/kdc_preauth.c
parenteec1b51a6bf366311659fbeed97ef3c0e2e549a5 (diff)
kdc_preauth.c: New file, to contain the server-side preauthentication
routines. do_as_req.c (process_as_req): Move preauthentication code to kdc_preauth.c, for better modularity. do_as_req.c (prepare_error_as): Add new argument to this function so that the e_data field may be passed in and included in the KRB_ERROR message which is passed back to the user. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6656 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kdc_preauth.c')
-rw-r--r--src/kdc/kdc_preauth.c146
1 files changed, 146 insertions, 0 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
new file mode 100644
index 0000000000..07018e394f
--- /dev/null
+++ b/src/kdc/kdc_preauth.c
@@ -0,0 +1,146 @@
+/*
+ * kdc/kdc_preauth.c
+ *
+ * Copyright 1995 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Preauthentication routines for the KDC.
+ */
+
+#include "k5-int.h"
+#include "kdc_util.h"
+#include "extern.h"
+#include <stdio.h>
+
+typedef krb5_error_code (verify_proc)
+ KRB5_PROTOTYPE((krb5_context, krb5_principal client,
+ krb5_address **src_addr,
+ krb5_data *data));
+
+typedef krb5_error_code (edata_proc)
+ KRB5_PROTOTYPE((krb5_context, krb5_db_entry *client,
+ krb5_pa_data *data));
+
+typedef struct _krb5_preauth_systems {
+ int type;
+ int flags;
+ edata_proc *get_edata;
+ verify_proc *verify;
+} krb5_preauth_systems;
+
+/*
+ * Preauth property flags
+ */
+#define PA_ENCRYPT 0x00000001
+#define PA_HARDWARE 0x00000002
+
+static krb5_preauth_systems preauth_systems[] = {
+ {
+ KRB5_PADATA_ENC_UNIX_TIME,
+ PA_ENCRYPT,
+ 0,
+ 0,
+ },
+ {
+ KRB5_PADATA_ENC_SANDIA_SECURID,
+ PA_ENCRYPT | PA_HARDWARE,
+ 0,
+ 0,
+ },
+ { -1,}
+};
+
+#define MAX_PREAUTH_SYSTEMS (sizeof(preauth_systems)/sizeof(preauth_systems[0]))
+
+const char *missing_required_preauth(client, server, enc_tkt_reply)
+ krb5_db_entry *client, *server;
+ krb5_enc_tkt_part *enc_tkt_reply;
+{
+#if 0
+ /*
+ * If this is the pwchange service, and the pre-auth bit is set,
+ * allow it even if the HW preauth would normally be required.
+ *
+ * Sandia national labs wanted this for some strange reason... we
+ * leave it disabled normally.
+ */
+ if (isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE) &&
+ isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH))
+ return 0;
+#endif
+
+ if (isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
+ !isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH))
+ return "preauth";
+
+ if (isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH) &&
+ !isflagset(enc_tkt_reply->flags, TKT_FLG_HW_AUTH))
+ return "HW preauth";
+
+ return 0;
+}
+
+void get_preauth_hint_list(client, server, e_data)
+ krb5_db_entry *client, *server;
+ krb5_data *e_data;
+{
+ int hw_only;
+ krb5_preauth_systems *ap;
+ krb5_pa_data **pa_data, **pa;
+ krb5_data *edat;
+ krb5_error_code retval;
+
+ /* Zero these out in case we need to abort */
+ e_data->length = 0;
+ e_data->data = 0;
+
+ hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
+ pa_data = malloc(sizeof(krb5_pa_data *) * (MAX_PREAUTH_SYSTEMS+1));
+ if (pa_data == 0)
+ return;
+ memset(pa_data, 0, sizeof(krb5_pa_data *) * (MAX_PREAUTH_SYSTEMS+1));
+ pa = pa_data;
+
+ for (ap = preauth_systems; ap->type != -1; ap++) {
+ if (hw_only && !(ap->flags & PA_HARDWARE))
+ continue;
+ *pa = malloc(sizeof(krb5_pa_data));
+ if (*pa == 0)
+ goto errout;
+ memset(pa, 0, sizeof(krb5_pa_data));
+ (*pa)->magic = KV5M_PA_DATA;
+ (*pa)->pa_type = ap->type;
+ if (ap->get_edata)
+ (ap->get_edata)(kdc_context, client, *pa);
+ pa++;
+ }
+ retval = encode_krb5_padata_sequence((const krb5_pa_data **) pa_data,
+ &edat);
+ if (retval)
+ goto errout;
+ *e_data = *edat;
+ free(edat);
+
+errout:
+ krb5_free_pa_data(kdc_context, pa_data);
+ return;
+}
+
+
+
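Review bot: In get_preauth_hint_list the line `memset(pa, 0, sizeof(krb5_pa_data));` clears the wrong object: `pa` is a `krb5_pa_data **` cursor into the pa_data array, so this zeroes the array slot (dropping and leaking the pointer just stored there) instead of the freshly allocated struct, and the very next line `(*pa)->magic = KV5M_PA_DATA;` then dereferences NULL. If sizeof(krb5_pa_data) is larger than one pointer, as it presumably is, the write also runs past the end of the pa_data array on the later iterations. The intended statement is `memset(*pa, 0, sizeof(krb5_pa_data));`. Separately, the return value of `(ap->get_edata)(kdc_context, client, *pa);` is discarded, so a failing provider would still have its partially filled entry encoded into the hint list; both table entries currently have a null get_edata, but if these callbacks can fail it would be safer to store the result in retval and `goto errout` on error.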