authorSam Hartman <hartmans@mit.edu>2009-03-31 17:00:41 +0000
committerSam Hartman <hartmans@mit.edu>2009-03-31 17:00:41 +0000
commitd1384be39be11423bd05b88ec444733361fc1467 (patch)
treef577c2d27f9f96c1c3633c740bbf02b606534650 /src/include/krb5
parent22810910e3c834ee0bc66d0c96369c43e780a2bb (diff)
Implement FAST from draft-ietf-krb-wg-preauth-framework
Merge fast branch at 22146 onto trunk. Implement the Kerberos pre-authentication framework FAST feature per Projects/FAST on the wiki. ticket: 6436 Target_Version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22149 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/krb5')
-rw-r--r--src/include/krb5/krb5.hin33
-rw-r--r--src/include/krb5/preauth_plugin.h29
2 files changed, 55 insertions, 7 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 69fb038ce..bf8c29c59 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -631,7 +631,15 @@ krb5_error_code KRB5_CALLCONV
/* Defined in KDC referrals draft */
#define KRB5_KEYUSAGE_PA_REFERRAL 26 /* XXX note conflict with above */
-
+/* define in draft-ietf-krb-wg-preauth-framework*/
+#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
+#define KRB5_KEYUSAGE_FAST_ENC 51
+#define KRB5_KEYUSAGE_FAST_REP 52
+#define KRB5_KEYUSAGE_FAST_FINISHED 53
+#define KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT 54
+#define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55
+
+#define KRB5_KEYUSAGE_FAST_REP 52
krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype
(krb5_enctype ktype);
krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype
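Review bot: `KRB5_KEYUSAGE_FAST_REP 52` is defined twice in this hunk, once inside the grouped block and again on the line just before `krb5_c_valid_enctype`; the second definition is an identical redefinition and so compiles, but it reads as a leftover and should be dropped, restoring the blank line that used to separate the constants from the prototypes. The introducing comment `/* define in draft-ietf-krb-wg-preauth-framework*/` should read `/* Defined in draft-ietf-krb-wg-preauth-framework */` to match the "Defined in KDC referrals draft" line above it. Since these key-usage numbers are taken from an Internet-Draft, a short note that they may be renumbered before the document becomes an RFC would help whoever revisits this block.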
@@ -982,6 +990,11 @@ krb5_error_code KRB5_CALLCONV krb5_verify_checksum
#define KRB5_PADATA_PAC_REQUEST 128 /* include Windows PAC */
#define KRB5_PADATA_FOR_USER 129 /* username protocol transition request */
#define KRB5_PADATA_S4U_X509_USER 130 /* certificate protocol transition request */
+#define KRB5_PADATA_FX_COOKIE 133
+#define KRB5_PADATA_FX_FAST 136
+#define KRB5_PADATA_FX_ERROR 137
+#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138
+
#define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
#define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
#define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */
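Review bot: The four new `KRB5_PADATA_FX_*` and `KRB5_PADATA_ENCRYPTED_CHALLENGE` constants carry no trailing comment, while every neighbouring pa-data define in this hunk documents its purpose; add one per line, e.g. `#define KRB5_PADATA_FX_FAST 136 /* FAST armored request, draft-ietf-krb-wg-preauth-framework */`, and likewise for the cookie, error and encrypted-challenge entries. The jump from 133 to 136 also deserves a word so a later reader does not assume 134 and 135 are free for local assignment.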
@@ -1005,7 +1018,7 @@ krb5_error_code KRB5_CALLCONV krb5_verify_checksum
#define KRB5_AUTHDATA_SESAME 65
#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
-
+#define KRB5_AUTHDATA_FX_ARMOR 71
/* password change constants */
#define KRB5_KPASSWD_SUCCESS 0
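Review bot: `KRB5_AUTHDATA_FX_ARMOR 71` is appended after the 128/129 entries instead of in numeric order, and the insertion consumes the blank line that separated the authdata block from the password-change constants. Place it after `KRB5_AUTHDATA_SESAME 65`, keep the separator, and cite the source the way the preceding entry cites "RFC 4537": `#define KRB5_AUTHDATA_FX_ARMOR 71 /* draft-ietf-krb-wg-preauth-framework */`.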
@@ -1142,6 +1155,13 @@ typedef struct _krb5_kdc_req {
krb5_authdata **unenc_authdata; /* unencrypted auth data,
if available */
krb5_ticket **second_ticket;/* second ticket array; OPTIONAL */
+ /* the following field is added in March 2009; it is a hack so
+ * that FAST state can be carried to pre-authentication plugins.
+ * A new plugin interface may be a better long-term approach. It
+ * is believed to be safe to extend this structure because it is
+ * not found in any public APIs.
+ */
+ void * kdc_state;
} krb5_kdc_req;
typedef struct _krb5_enc_kdc_rep_part {
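Review bot: The new `kdc_state` member says nothing about ownership or lifetime: who allocates it, whether it is released when the request is freed, and whether a pre-authentication plugin may retain the pointer after returning. Suggest extending the comment with something like `/* Opaque per-request FAST state; owned and freed by the KDC, plugins must not retain it past the request. */`, adjusted to whatever the KDC code actually does, and writing the declarator as `void *kdc_state;`. The claim that the structure "is not found in any public APIs" is worth re-checking, since `krb5_kdc_req` is declared in the installed `krb5.h` and any exported function taking a `krb5_kdc_req *` would make the layout part of the ABI; appending the member at the end, as done here, at least keeps existing offsets stable.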
@@ -2393,6 +2413,15 @@ krb5_get_init_creds_opt_set_pa
const char *attr,
const char *value);
+krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name
+(krb5_context context, krb5_get_init_creds_opt *opt,
+ const char * fast_ccache_name);
+ /* This API sets a ccache name that will contain some TGT on
+ calls to get_init_creds functions. If set, this ccache will
+ be used for FAST (draft-ietf-krb-wg-preauth-framework) to
+ protect the AS-REQ from observation and active attack. If
+ the fast_ccache_name is set, then FAST may be required by the
+ client library. In this version FAST is required.*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password
(krb5_context context,
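Review bot: The documentation on `krb5_get_init_creds_opt_set_fast_ccache_name` leaves the failure mode ambiguous: "FAST may be required by the client library" followed by "In this version FAST is required" does not state whether the `get_init_creds` functions fail, or silently proceed unarmored, when the KDC does not support FAST — and a silent fallback would forfeit exactly the protection against observation and active attack the comment promises. Spell the contract out, e.g. `/* ... If the KDC does not support FAST the request fails rather than falling back to an unarmored exchange. */` (or the converse, if that is the library's behaviour), and say what happens when the named ccache holds no usable TGT. Placing the comment above the prototype rather than after it, and writing `const char *fast_ccache_name`, would also match the usual convention for this header.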
diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h
index 242956076..e11913e3f 100644
--- a/src/include/krb5/preauth_plugin.h
+++ b/src/include/krb5/preauth_plugin.h
@@ -123,11 +123,22 @@ typedef krb5_error_code
* information to enable it to process a request.
*/
enum krb5plugin_preauth_client_request_type {
- /* The returned krb5_data item holds the enctype used to encrypt the
- * encrypted portion of the AS_REP packet. */
+ /* The returned krb5_data item holds the enctype expected to be used to encrypt the
+ * encrypted portion of the AS_REP packet. When handling a
+ * PREAUTH_REQUIRED error, this typically comes from etype-info2.
+ * When handling an AS reply, it is initialized from the AS reply itself.*/
krb5plugin_preauth_client_get_etype = 1,
/* Free the data returned from krb5plugin_preauth_client_req_get_etype */
- krb5plugin_preauth_client_free_etype = 2
+ krb5plugin_preauth_client_free_etype = 2,
+ /* The returned krb5_data contains the FAST armor key in a
+ * krb5_keyblock. Returns success with a NULL data item in the
+ * krb5_data if the client library supports FAST but is not using it.*/
+ krb5plugin_preauth_client_fast_armor = 3,
+ /* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR. It is
+ * acceptable to set data to NULL and free the keyblock using
+ * krb5_free_keyblock; in that case, this frees the krb5_data
+ * only.*/
+krb5plugin_preauth_client_free_fast_armor = 4,
};
typedef krb5_error_code
(*preauth_get_client_data_proc)(krb5_context,
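Review bot: The new enumerator `krb5plugin_preauth_client_free_fast_armor = 4,` sits at column 0 while its siblings are indented, and it leaves a trailing comma on the last enumerator, which C99 accepts but strict C89 compilers reject — a concern in an installed public header; the `krb5plugin_preauth_entry_request_type` enum in the next hunk has the same trailing comma. Its comment refers to `KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR`, which is not the enumerator's name; write `/* Frees the data returned from krb5plugin_preauth_client_fast_armor. ... */`. The `krb5plugin_preauth_client_fast_armor` comment should also state that the returned keyblock is key material to be released only through the matching free request (or `krb5_free_keyblock`, as the comment allows), never with plain `free()`, so the armor key is presumably cleared rather than left in the heap — confirm against the keyblock free routine.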
@@ -326,8 +337,16 @@ enum krb5plugin_preauth_entry_request_type {
* implementation, there's a good chance that the result will not match
* what the client sent, so don't go creating any fatal errors if it
* doesn't match up. */
- krb5plugin_preauth_request_body = 4
-};
+ krb5plugin_preauth_request_body = 4,
+ /* The returned krb5_data contains a krb5_keyblock with the FAST
+ armor key. The data member is NULL if this method is not part
+ of a FAST tunnel */
+ krb5plugin_preauth_fast_armor = 5,
+ /* Frees a fast armor key; it is acceptable to set data to NULL
+ and free the keyblock using krb5_free_keyblock; in that case,
+ this function simply frees the data*/
+ krb5plugin_preauth_free_fast_armor = 6,
+ };
typedef krb5_error_code
(*preauth_get_entry_data_proc)(krb5_context,