| author | Sam Hartman <hartmans@mit.edu> | 2009-12-28 17:15:30 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2009-12-28 17:15:30 +0000 |
| commit | ec49e6e673ab229462ef18aa2986167eaa643643 (patch) | |
| tree | 625dba55e939a0073cf69f7b79c8c0010df991eb /src/include/krb5 | |
| parent | c5479d0c5b29430a49cf3683513c1223a173ac4e (diff) | |
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides
support for completely anonymous principals and untested client
support for realm-exposed anonymous authentication.
* Introduce kinit -n
* Introduce kadmin -n
* krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache
* No longer generate ad-initial-verified-cas in pkinit
* Fix pkinit interactions with non-TGT authentication
Merge remote branch 'anonymous' into trunk
Conflicts:
src/lib/krb5/krb/gic_opt.c
ticket: 6607
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/krb5')
| -rw-r--r-- | src/include/krb5/krb5.hin | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7f7b56dd8..470ca4d50 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -261,6 +261,8 @@ typedef krb5_principal_data * krb5_principal;
 #define KRB5_NT_SMTP_NAME 7
 /* Windows 2000 UPN */
 #define KRB5_NT_ENTERPRISE_PRINCIPAL 10
+#define KRB5_NT_WELLKNOWN 11
+#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /*first component of NT_WELLKNOWN principals*/
 /* Windows 2000 UPN and SID */
 #define KRB5_NT_MS_PRINCIPAL -128
 /* NT 4 style name */
@@ -293,6 +295,14 @@ typedef const krb5_principal_data *krb5_const_principal;
  */
 krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *);
+/*Both these functions return constant storage that must not be freed*/
+
+const krb5_data *KRB5_CALLCONV
+krb5_anonymous_realm(void);
+krb5_const_principal KRB5_CALLCONV
+krb5_anonymous_principal(void);
+#define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS"
+#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /*wellknown name type*/
 /*
  * end "base-defs.h"
  */
@@ -628,7 +638,7 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 /* XXX note conflict with above */
 #define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
-
+#define KRB5_KEYUSAGE_PA_PKINIT_KX 44 /* define in draft-ietf-krb-wg-preauth-framework*/
 #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
 #define KRB5_KEYUSAGE_FAST_ENC 51
@@ -838,10 +848,9 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
 /* #define KDC_OPT_RESERVED 0x00100000 */
 /* #define KDC_OPT_RESERVED 0x00080000 */
 /* #define KDC_OPT_RESERVED 0x00040000 */
-#define KDC_OPT_REQUEST_ANONYMOUS 0x00020000
 #define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000
 #define KDC_OPT_CANONICALIZE 0x00010000
-/* #define KDC_OPT_RESERVED 0x00008000 */
+#define KDC_OPT_REQUEST_ANONYMOUS 0x00008000
 /* #define KDC_OPT_RESERVED 0x00004000 */
 /* #define KDC_OPT_RESERVED 0x00002000 */
 /* #define KDC_OPT_RESERVED 0x00001000 */
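Review bot: The comment added after KRB5_WELLKNOWN_NAMESTR is written as `/*first component of NT_WELLKNOWN principals*/`, with no space inside the delimiters and trailing the define, whereas the neighbouring name-type entries in this hunk (`/* Windows 2000 UPN */`, `/* NT 4 style name */`) put a spaced comment on its own line above the value it describes. The same delimiter style recurs in the second hunk (`/*Both these functions ...*/`, `/*wellknown name type*/`) and in the third (`/* define in draft-ietf-krb-wg-preauth-framework*/`, where "define in" should read "defined in"). Suggest `/* first component of NT_WELLKNOWN principals */` on its own line above the define here, and the same spacing in the other two hunks.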
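Review bot: krb5_anonymous_realm() and krb5_anonymous_principal() are new public declarations documented only by the shared one-liner `/*Both these functions return constant storage that must not be freed*/`, while krb5_get_init_creds_opt_set_anonymous() later in this commit gets a Doxygen `/** ... */` block; give each function its own `/** ... */` block so the do-not-free ownership rule is attached to the declaration that tools and readers actually see. It would also help to state how the two functions relate to the string macros that follow them — presumably krb5_anonymous_principal() is the KRB5_NT_WELLKNOWN principal KRB5_ANONYMOUS_PRINCSTR in realm KRB5_ANONYMOUS_REALMSTR, but that is not visible in the header and should be confirmed against the implementation. A caller that checks a received client name against the anonymous identity needs to know which of the function and the macros is the authoritative comparison.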
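Review bot: KDC_OPT_REQUEST_ANONYMOUS moves from 0x00020000 — the same value as KDC_OPT_CNAME_IN_ADDL_TKT, which is kept on the line below the removal — to 0x00008000, and neither the header nor the commit description records that the old value collided or that the bit has changed; the same silent renumbering happens to TKT_FLG_ANONYMOUS (0x00020000 to 0x00008000) in the next hunk. These are wire-format bits, so a peer built against the older header will set or test a different bit than code built against this one, and with the old value a request for anonymity is indistinguishable from a CNAME_IN_ADDL_TKT request. A short comment beside the new value, `/* was 0x00020000, which collided with KDC_OPT_CNAME_IN_ADDL_TKT */`, plus a line in the commit message, would make the incompatibility visible to anyone diffing releases.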
@@ -929,9 +938,8 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
 #define TKT_FLG_HW_AUTH 0x00100000
 #define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
 #define TKT_FLG_OK_AS_DELEGATE 0x00040000
-#define TKT_FLG_ANONYMOUS 0x00020000
 #define TKT_FLG_ENC_PA_REP 0x00010000
-/* #define TKT_FLG_RESERVED 0x00008000 */
+#define TKT_FLG_ANONYMOUS 0x00008000
 /* #define TKT_FLG_RESERVED 0x00004000 */
 /* #define TKT_FLG_RESERVED 0x00002000 */
 /* #define TKT_FLG_RESERVED 0x00001000 */
@@ -1033,6 +1041,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
 #define KRB5_PADATA_FX_FAST 136
 #define KRB5_PADATA_FX_ERROR 137
 #define KRB5_PADATA_ENCRYPTED_CHALLENGE 138
+#define KRB5_PADATA_PKINIT_KX 147
 #define KRB5_ENCPADATA_REQ_ENC_PA_REP 149
 #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
@@ -2196,6 +2205,7 @@ typedef struct _krb5_get_init_creds_opt {
 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
 #define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100
 #define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200
+#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0400
 krb5_error_code KRB5_CALLCONV
@@ -2229,6 +2239,21 @@ void KRB5_CALLCONV
 krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt,
 int canonicalize);
+/**
+ * Request anonymous credentials from the KDC. If the client name looks like
+ * "@REALM" (an empty principal name), then fully anonymous credentials are
+ * requested. If the client name looks like "name@REALM," then credentials
+ * tied to a specific realm are requested.
+ *
+ * Credentials tied to a specific realm are not supported in this version.
+ *
+ * Note that anonymous credentials are only a request; clients must verify that
+ * credentials are anonymous if that is a requirement.
+ */
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
+ int anonymous);
+
 void KRB5_CALLCONV
 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
 krb5_enctype *etype_list, |
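Review bot: The Doxygen block for krb5_get_init_creds_opt_set_anonymous() has no `@param` entries for `opt` and `anonymous`, and it states that realm-tied credentials "are not supported in this version" while the commit description says the commit provides "untested client support for realm-exposed anonymous authentication"; the two should agree on what the flag does today. The last paragraph is the one callers most need — the KDC may not honour the request — so it would help to say what "verify" means in terms this header defines, e.g. `* (e.g. check TKT_FLG_ANONYMOUS in the returned ticket flags or compare the client name with krb5_anonymous_principal()).`, though which of those the library guarantees is not visible in this hunk and should be confirmed. Also `"name@REALM,"` puts the comma inside the quotes; `"name@REALM",` reads as intended.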
