authorGreg Hudson <ghudson@mit.edu>2009-09-13 02:52:23 +0000
committerGreg Hudson <ghudson@mit.edu>2009-09-13 02:52:23 +0000
commit0e39f8a3ad915eeb0131fb4a87b0fef304101cfd (patch)
tree6c6d7fd4b23f4724156300b5505433b13cfe9fb6 /src/lib/krb5/asn.1
parentf89b62fe9fd7b0cb10d7e2ff542fb18c1b56d35d (diff)
Implement s4u extensions
Merge Luke's users/lhoward/s4u branch to trunk. Implements S4U2Self and S4U2Proxy extensions. ticket: 6563 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22736 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/asn.1')
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c41
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.h4
-rw-r--r--src/lib/krb5/asn.1/asn1_k_encode.c34
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c12
4 files changed, 91 insertions, 0 deletions
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index 1917d89743..b1b09371bc 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -1616,6 +1616,47 @@ error_out:
return retval;
}
+asn1_error_code asn1_decode_s4u_userid(asn1buf *buf, krb5_s4u_userid *val)
+{
+ setup();
+ val->nonce = 0;
+ val->user = NULL;
+ val->subject_cert.data = NULL;
+ val->options = 0;
+ { begin_structure();
+ get_field(val->nonce,0,asn1_decode_int32);
+ alloc_principal(val->user);
+ opt_field(val->user,1,asn1_decode_principal_name,0);
+ get_field(val->user,2,asn1_decode_realm);
+ opt_lenfield(val->subject_cert.length,val->subject_cert.data,3,asn1_decode_charstring);
+ opt_field(val->options,4,asn1_decode_krb5_flags,0);
+ end_structure();
+ }
+ return 0;
+error_out:
+ krb5_free_principal(NULL, val->user);
+ krb5_free_data_contents(NULL, &val->subject_cert);
+ val->user = NULL;
+ val->subject_cert.data = NULL;
+ return retval;
+}
+
+asn1_error_code asn1_decode_pa_s4u_x509_user(asn1buf *buf, krb5_pa_s4u_x509_user *val)
+{
+ setup();
+ val->cksum.contents = NULL;
+ { begin_structure();
+ get_field(val->user_id,0,asn1_decode_s4u_userid);
+ get_field(val->cksum,1,asn1_decode_checksum);
+ end_structure();
+ }
+ return 0;
+error_out:
+ krb5_free_s4u_userid_contents(NULL, &val->user_id);
+ krb5_free_checksum_contents(NULL, &val->cksum);
+ return retval;
+}
+
asn1_error_code asn1_decode_pa_pac_req(asn1buf *buf, krb5_pa_pac_req *val)
{
setup();
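Review bot: In asn1_decode_pa_s4u_x509_user only `val->cksum.contents` is cleared before `begin_structure()`, yet the `error_out` path also calls `krb5_free_s4u_userid_contents(NULL, &val->user_id)`. If the outer sequence header or the tag check for field 0 fails before asn1_decode_s4u_userid has run, `user_id.user` and `user_id.subject_cert.data` still hold whatever the caller passed in, so the cleanup is safe only when the caller supplies zeroed storage. The wrapper in krb5_decode.c relies on `alloc_field(rep)`, whose definition is not visible on this page. This decoder presumably parses padata received from a peer, so malformed input can reach that early-failure path. I would add `val->user_id.user = NULL;` and `val->user_id.subject_cert.data = NULL;` next to the existing cksum initialisation so the function does not depend on its caller.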
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h
index 7444443ba5..fc62c8f4ec 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.h
+++ b/src/lib/krb5/asn.1/asn1_k_decode.h
@@ -263,6 +263,10 @@ asn1_error_code asn1_decode_setpw_req
(asn1buf *buf, krb5_data *rep, krb5_principal *principal);
asn1_error_code asn1_decode_pa_for_user
(asn1buf *buf, krb5_pa_for_user *val);
+asn1_error_code asn1_decode_s4u_userid
+ (asn1buf *buf, krb5_s4u_userid *val);
+asn1_error_code asn1_decode_pa_s4u_x509_user
+ (asn1buf *buf, krb5_pa_s4u_x509_user *val);
asn1_error_code asn1_decode_pa_pac_req
(asn1buf *buf, krb5_pa_pac_req *val);
diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c
index ed01b7560d..cd63ffbb95 100644
--- a/src/lib/krb5/asn.1/asn1_k_encode.c
+++ b/src/lib/krb5/asn.1/asn1_k_encode.c
@@ -263,6 +263,8 @@ static unsigned int optional_enc_kdc_rep_part(const void *p)
optional |= (1u << 8);
if (val->caddrs != NULL && val->caddrs[0] != NULL)
optional |= (1u << 11);
+ if (val->enc_padata != NULL)
+ optional |= (1u << 12);
return optional;
}
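Review bot: The new enc_padata test checks only `val->enc_padata != NULL`, whereas the caddrs test directly above it also requires `val->caddrs[0] != NULL`. If enc_padata is a NULL-terminated list like caddrs (its type is not visible in this hunk), an allocated but empty list would set bit 12 and emit an empty sequence. Consider `if (val->enc_padata != NULL && val->enc_padata[0] != NULL)` for consistency. optional_enc_kdc_rep_part starts outside this hunk.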
@@ -1147,6 +1149,36 @@ static const struct field_info pa_for_user_fields[] = {
DEFSEQTYPE(pa_for_user, krb5_pa_for_user, pa_for_user_fields, 0);
+/* [MS-SFU] Section 2.2.2. */
+static const struct field_info s4u_userid_fields[] = {
+ FIELDOF_NORM(krb5_s4u_userid, int32, nonce, 0),
+ FIELDOF_OPT(krb5_s4u_userid, principal, user, 1, 1),
+ FIELDOF_NORM(krb5_s4u_userid, realm_of_principal, user, 2),
+ FIELDOF_OPT(krb5_s4u_userid, ostring_data, subject_cert, 3, 3),
+ FIELDOF_OPT(krb5_s4u_userid, krb5_flags, options, 4, 4),
+};
+
+static unsigned int s4u_userid_optional (const void *p) {
+ const krb5_s4u_userid *val = p;
+ unsigned int optional = 0;
+ if (val->user != NULL && val->user->length != 0)
+ optional |= (1u)<<1;
+ if (val->subject_cert.length != 0)
+ optional |= (1u)<<3;
+ if (val->options != 0)
+ optional |= (1u)<<4;
+ return optional;
+}
+
+DEFSEQTYPE(s4u_userid, krb5_s4u_userid, s4u_userid_fields, s4u_userid_optional);
+
+static const struct field_info pa_s4u_x509_user_fields[] = {
+ FIELDOF_NORM(krb5_pa_s4u_x509_user, s4u_userid, user_id, 0),
+ FIELDOF_NORM(krb5_pa_s4u_x509_user, checksum, cksum, 1),
+};
+
+DEFSEQTYPE(pa_s4u_x509_user, krb5_pa_s4u_x509_user, pa_s4u_x509_user_fields, 0);
+
/* draft-ietf-krb-wg-kerberos-referrals Appendix A. */
static const struct field_info pa_svr_referral_data_fields[] = {
FIELDOF_NORM(krb5_pa_svr_referral_data, realm_of_principal, principal, 0),
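Review bot: s4u_userid_optional treats `val->user == NULL` as a legal state for field 1, but field 2 in s4u_userid_fields is `FIELDOF_NORM(krb5_s4u_userid, realm_of_principal, user, 2)`, which is always encoded from the same pointer. Unless the realm_of_principal encoder (defined outside this hunk) rejects a NULL principal, encoding a userid that carries only a subject certificate would dereference NULL. I would state the requirement on the table, e.g. `/* user must be non-NULL: its realm (field 2) is mandatory even when the name is omitted. */`. A short comment tying bits 1, 3 and 4 in s4u_userid_optional to the context tags in the field table would also help the next reader.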
@@ -1323,6 +1355,8 @@ MAKE_FULL_ENCODER(encode_krb5_predicted_sam_response,
predicted_sam_response);
MAKE_FULL_ENCODER(encode_krb5_setpw_req, setpw_req);
MAKE_FULL_ENCODER(encode_krb5_pa_for_user, pa_for_user);
+MAKE_FULL_ENCODER(encode_krb5_s4u_userid, s4u_userid);
+MAKE_FULL_ENCODER(encode_krb5_pa_s4u_x509_user, pa_s4u_x509_user);
MAKE_FULL_ENCODER(encode_krb5_pa_svr_referral_data, pa_svr_referral_data);
MAKE_FULL_ENCODER(encode_krb5_pa_server_referral_data, pa_server_referral_data);
MAKE_FULL_ENCODER(encode_krb5_etype_list, etype_list);
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 7a08ec8884..a2e9c0a4dd 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -1061,6 +1061,18 @@ decode_krb5_pa_for_user(const krb5_data *code, krb5_pa_for_user **repptr)
}
krb5_error_code
+decode_krb5_pa_s4u_x509_user(const krb5_data *code, krb5_pa_s4u_x509_user **repptr)
+{
+ setup_buf_only(krb5_pa_s4u_x509_user *);
+ alloc_field(rep);
+
+ retval = asn1_decode_pa_s4u_x509_user(&buf, rep);
+ if (retval) clean_return(retval);
+
+ cleanup(free);
+}
+
+krb5_error_code
decode_krb5_pa_pac_req(const krb5_data *code, krb5_pa_pac_req **repptr)
{
setup_buf_only(krb5_pa_pac_req *);