From acd672680307a3f1bad828e6573fa34bd7779203 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 14 Dec 2009 18:28:16 +0000 Subject: fast negotiation projec Merge branches/fast-negotiate into trunk. This implements http://k5wiki.kerberos.org/wiki/Projects/Fast_negotiation Additional changes: * krb5_c_make_checksum with checksum type 0 uses mandatory checksum for given key enctype Conflicts: src/lib/crypto/krb/make_checksum.c ticket: 6595 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23465 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/k5-int.h | 7 ++++++ src/include/krb5/krb5.hin | 61 ++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 60 insertions(+), 8 deletions(-) (limited to 'src/include') diff --git a/src/include/k5-int.h b/src/include/k5-int.h index e0637e69d4..f1b48c0afd 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -257,6 +257,7 @@ typedef INT64_TYPE krb5_int64; #define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert" #define KRB5_CONF_V4_REALM "v4_realm" #define KRB5_CONF_ASTERISK "*" +#define KRB5_CONF_FAST_AVAIL "fast_avail" /* Error codes used in KRB_ERROR protocol messages. Return values of library routines are based on a different error table @@ -1129,6 +1130,8 @@ typedef struct _krb5_gic_opt_private { int num_preauth_data; krb5_gic_opt_pa_data *preauth_data; char * fast_ccache_name; + krb5_ccache out_ccache; + krb5_flags fast_flags; } krb5_gic_opt_private; /* @@ -1623,6 +1626,8 @@ encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_data **code); krb5_error_code encode_krb5_cred(const krb5_cred *rep, krb5_data **code); +krb5_error_code +encode_krb5_checksum(const krb5_checksum *, krb5_data **); krb5_error_code encode_krb5_enc_cred_part(const krb5_cred_enc_part *rep, krb5_data **code); 
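Review bot: The new `out_ccache` member of `krb5_gic_opt_private` stores a caller-supplied krb5_ccache handle with nothing saying who owns it or how long it must remain open, and `fast_flags` carries no comment naming which bits it holds. Since the struct only records the handle, the caller presumably has to keep the ccache open until the get_init_creds call completes and close it afterwards; that contract belongs next to the field, e.g. `krb5_ccache out_ccache; /* borrowed from caller; must stay open across get_init_creds */` and `krb5_flags fast_flags; /* bitmask of KRB5_FAST_* values */`. The struct definition starts outside the hunk.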
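Review bot: `encode_krb5_checksum(const krb5_checksum *, krb5_data **)` drops the parameter names that every neighbouring prototype in this list carries (`const krb5_cred *rep, krb5_data **code`), which costs readability in the header and in compiler diagnostics. I would declare it as `encode_krb5_checksum(const krb5_checksum *rep, krb5_data **code);` to match the surrounding style. The same applies to the `decode_krb5_checksum` declaration this commit adds further down in k5-int.h.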
@@ -1851,6 +1856,8 @@ decode_krb5_priv(const krb5_data *output, krb5_priv **rep); krb5_error_code decode_krb5_enc_priv_part(const krb5_data *output, krb5_priv_enc_part **rep); +krb5_error_code +decode_krb5_checksum(const krb5_data *, krb5_checksum **); krb5_error_code decode_krb5_cred(const krb5_data *output, krb5_cred **rep); diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 675917052b..9e5c3853f5 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -636,8 +636,8 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, #define KRB5_KEYUSAGE_FAST_FINISHED 53 #define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54 #define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 +#define KRB5_KEYUSAGE_AS_REQ 56 -#define KRB5_KEYUSAGE_FAST_REP 52 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype(krb5_enctype ktype); krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype(krb5_cksumtype ctype); krb5_boolean KRB5_CALLCONV krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype); @@ -930,7 +930,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000 #define TKT_FLG_OK_AS_DELEGATE 0x00040000 #define TKT_FLG_ANONYMOUS 0x00020000 -/* #define TKT_FLG_RESERVED 0x00010000 */ +#define TKT_FLG_ENC_PA_REP 0x00010000 /* #define TKT_FLG_RESERVED 0x00008000 */ /* #define TKT_FLG_RESERVED 0x00004000 */ /* #define TKT_FLG_RESERVED 0x00002000 */ @@ -1033,6 +1033,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define KRB5_PADATA_FX_FAST 136 #define KRB5_PADATA_FX_ERROR 137 #define KRB5_PADATA_ENCRYPTED_CHALLENGE 138 +#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 
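Review bot: `#define KRB5_KEYUSAGE_AS_REQ 56` is added without a comment saying which message and key it protects, and in the same hunk the `#define KRB5_KEYUSAGE_FAST_REP 52` line is removed; that looks like a duplicate of a definition above this hunk, but if it is not, a public symbol silently disappears from krb5.h. I would add a one-line comment tying the value to its purpose (presumably the checksum over the AS-REQ carried in enc-pa-rep — confirm against the preauth-framework draft's key usage table), e.g. `#define KRB5_KEYUSAGE_AS_REQ 56 /* enc-pa-rep checksum over the AS-REQ */`, and verify that KRB5_KEYUSAGE_FAST_REP is still defined exactly once after this change. Key usage numbers are wire-visible, so a mismatch with the spec breaks interoperability rather than just compilation.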
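Review bot: `#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149` breaks the `KRB5_PADATA_` naming pattern of every other padata type in this list, so anyone grepping for padata types will miss it. If the different prefix is deliberate (the name suggests a padata carried inside an encrypted part), a comment should say so; otherwise `#define KRB5_PADATA_REQ_ENC_PA_REP 149` would match `KRB5_PADATA_FX_FAST` and its neighbours. Either way a short comment on what this type requests would help, since nothing in the header documents it.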
@@ -1835,6 +1836,20 @@ krb5_cc_default(krb5_context, krb5_ccache *); krb5_error_code KRB5_CALLCONV krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc); +krb5_error_code KRB5_CALLCONV +krb5_cc_get_config(krb5_context, krb5_ccache, + krb5_const_principal, + const char *, krb5_data *); + +krb5_error_code KRB5_CALLCONV +krb5_cc_set_config(krb5_context, krb5_ccache, + krb5_const_principal, + const char *, krb5_data *); + +krb5_boolean KRB5_CALLCONV +krb5_is_config_principal(krb5_context, + krb5_const_principal); + /* krb5_free.c */ void KRB5_CALLCONV krb5_free_principal(krb5_context, krb5_principal ); void KRB5_CALLCONV krb5_free_authenticator(krb5_context, 
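Review bot: The three new public declarations `krb5_cc_get_config`, `krb5_cc_set_config` and `krb5_is_config_principal` have neither documentation nor parameter names, so a caller cannot tell what the `krb5_const_principal` argument means, who frees the `krb5_data` that `krb5_cc_get_config` fills in, or why `krb5_is_config_principal` exists. The last point matters for correctness: if config entries are stored in the ccache alongside real credentials, code that iterates a ccache must skip principals for which `krb5_is_config_principal` returns true, and that should be stated in a header comment rather than left for callers to discover. I would name the parameters (`krb5_ccache id, krb5_const_principal principal, const char *key, krb5_data *data`) and add a Doxygen comment to each declaration, noting for `krb5_cc_get_config` how the caller releases the returned data (presumably `krb5_free_data_contents` — confirm against the implementation).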
@@ -2255,17 +2270,47 @@ krb5_get_init_creds_opt_set_pa(krb5_context context, krb5_get_init_creds_opt *opt, const char *attr, const char *value); +/** + * This API sets a ccache name that will contain some TGT on calls to + * t_init_creds functions. If set, this ccache will be used for FAST + * (draft-ietf-krb-wg-preauth-framework) to protect the AS-REQ from observation + * and active attack. If the fast_ccache_name is set, then FAST may be + * required by the client library. In this and future versions, FAST will be + * used if available; krb5_get_init_creds_opt_set_fast_flags() may be used to + * require that the request fail is FAST is unavailable. In MIT Kerberos 1.7 + * setting the fast ccache at all required that FAST be present or the request + * would fail. + */ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, krb5_get_init_creds_opt *opt, const char *fast_ccache_name); -/* This API sets a ccache name that will contain some TGT on - calls to get_init_creds functions. If set, this ccache will - be used for FAST (draft-ietf-krb-wg-preauth-framework) to - protect the AS-REQ from observation and active attack. If - the fast_ccache_name is set, then FAST may be required by the - client library. In this version FAST is required.*/ +/** + * Set a ccache where resulting credentials will be stored. If set, then the + * krb5_get_init_creds family of APIs will write out credentials to the given + * ccache. Setting an output ccache is desirable both because it simplifies + * calling code and because it permits the krb5_get_init_creds APIs to write + * out configuration information about the realm to the ccache. 
+ */ +krb5_error_code KRB5_CALLCONV +krb5_get_init_creds_opt_set_out_ccache(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_ccache ccache); + +krb5_error_code KRB5_CALLCONV +krb5_get_init_creds_opt_set_fast_flags(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_flags flags); + +krb5_error_code KRB5_CALLCONV +krb5_get_init_creds_opt_get_fast_flags(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_flags *out_flags); + +/* Fast flags*/ +#define KRB5_FAST_REQUIRED 1l<<0 /*!< Require KDC to support FAST*/ + krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, krb5_principal client, char *password, -- cgit
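Review bot: `#define KRB5_FAST_REQUIRED 1l<<0` is an unparenthesized macro expansion, so any use other than a plain `flags & KRB5_FAST_REQUIRED` parses differently from what is intended — `KRB5_FAST_REQUIRED == x` becomes `1l << (0 == x)`, and a second flag defined the same way as `1l<<1` would make `flags & ~KRB5_FAST_X` clear bit 0 as well — and the lowercase `l` suffix is easy to misread as a digit. It should be `#define KRB5_FAST_REQUIRED (1L << 0) /**< Require KDC to support FAST */`. The new doc comment on `krb5_get_init_creds_opt_set_fast_ccache_name` also has two typos worth fixing, `t_init_creds` for `get_init_creds` and `fail is FAST` for `fail if FAST`, and `krb5_get_init_creds_opt_set_fast_flags`/`get_fast_flags` are the only new declarations here without a doc comment; a two-line note that `flags` is a bitmask of `KRB5_FAST_*` values and that leaving it zero keeps FAST opportunistic would cover them.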