| author | Ken Hornstein <kenh@cmf.nrl.navy.mil> | 2002-10-24 06:49:59 +0000 |
|---|---|---|
| committer | Ken Hornstein <kenh@cmf.nrl.navy.mil> | 2002-10-24 06:49:59 +0000 |
| commit | 5ffe972e2c0e6c3748b6b6a33a4f5f68736a6dc7 (patch) | |
| tree | bea2ed9545782a2999e54a0da60d51c5741fa7c3 /src/include | |
| parent | a706a2d0d05ecea7a844db7d291493a5d282ed57 (diff) | |
| download | krb5-5ffe972e2c0e6c3748b6b6a33a4f5f68736a6dc7.tar.gz krb5-5ffe972e2c0e6c3748b6b6a33a4f5f68736a6dc7.tar.xz krb5-5ffe972e2c0e6c3748b6b6a33a4f5f68736a6dc7.zip | |
Client code lacks support for draft-ietf-krb-wg-kerberos-sam-01.txt
This widely-spread commit implements support for the so-called "new"
hardware preauth protocol, defined in the IETF internet-draft
draft-ietf-krb-wg-kerberos-sam-01.txt. Note that this code is client-side
only.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14939 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/ChangeLog | 5 | ||||
| -rw-r--r-- | src/include/k5-int.h | 81 | ||||
| -rw-r--r-- | src/include/krb5.hin | 8 |
3 files changed, 94 insertions, 0 deletions
diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 6aeda6d41..bf8dbf6b3 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,8 @@
+2002-10-24 Ken Hornstein <kenh@cmf.nrl.navy.mil>
+
+ * k5-int.h, krb5.hin: Add new protocols, definitions, and
+ data structures for new hardware preauthentication protocol.
+
 2002-10-23 Ken Hornstein <kenh@cmf.nrl.navy.mil>
 
 * krb5.hin: Add new LRQ type for password expiration
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 3f9c330c7..0ee5dd9a8 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -387,6 +387,39 @@ typedef struct _krb5_sam_response {
 krb5_timestamp sam_patimestamp;
 } krb5_sam_response;
 
+typedef struct _krb5_sam_challenge_2 {
+ krb5_data sam_challenge_2_body;
+ krb5_checksum **sam_cksum; /* Array of checksums */
+} krb5_sam_challenge_2;
+
+typedef struct _krb5_sam_challenge_2_body {
+ krb5_magic magic;
+ krb5_int32 sam_type; /* information */
+ krb5_flags sam_flags; /* KRB5_SAM_* values */
+ krb5_data sam_type_name;
+ krb5_data sam_track_id;
+ krb5_data sam_challenge_label;
+ krb5_data sam_challenge;
+ krb5_data sam_response_prompt;
+ krb5_data sam_pk_for_sad;
+ krb5_int32 sam_nonce;
+ krb5_enctype sam_etype;
+} krb5_sam_challenge_2_body;
+
+typedef struct _krb5_sam_response_2 {
+ krb5_magic magic;
+ krb5_int32 sam_type; /* informational */
+ krb5_flags sam_flags; /* KRB5_SAM_* values */
+ krb5_data sam_track_id; /* copied */
+ krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
+ krb5_int32 sam_nonce;
+} krb5_sam_response_2;
+
+typedef struct _krb5_enc_sam_response_enc_2 {
+ krb5_magic magic;
+ krb5_int32 sam_nonce;
+ krb5_data sam_sad;
+} krb5_enc_sam_response_enc_2;
 
 /*
  * Begin "ext-proto.h"
@@ -648,6 +681,14 @@ krb5_error_code krb5int_default_free_state
 (krb5_data *state);
 
 
+/*
+ * Combine two keys (normally used by the hardware preauth mechanism)
+ */
+krb5_error_code krb5int_c_combine_keys
+(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
+ krb5_keyblock *outkey);
+
+
 /*
  * These declarations are here, so both krb5 and k5crypto
  * can get to them.
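Review bot: The header comment on `krb5int_c_combine_keys` says only that it combines two keys, which leaves unstated the two things a caller of a key-derivation helper needs: whether `key1` and `key2` must share an enctype (and what is returned when they do not), and who owns `outkey` — it looks like caller-provided storage whose contents the function allocates, but the definition is not in this hunk, so that should be confirmed against it. Because the combined key is what the preauth exchange then encrypts under, an unchecked enctype or key-length mismatch here would surface as a key-handling bug rather than a clean protocol error, so the precondition is worth stating in the header and enforcing in the definition. I would extend the comment to say what relationship is required between the two input enctypes, that `key1` and `key2` are not modified, how the contents of `outkey` are to be released, and which error code is returned for an unsupported combination.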
@@ -954,20 +995,36 @@ krb5_error_code krb5_do_preauth
 
 void KRB5_CALLCONV krb5_free_sam_challenge
 (krb5_context, krb5_sam_challenge * );
+void KRB5_CALLCONV krb5_free_sam_challenge_2
+ (krb5_context, krb5_sam_challenge_2 * );
+void KRB5_CALLCONV krb5_free_sam_challenge_2_body
+ (krb5_context, krb5_sam_challenge_2_body *);
 void KRB5_CALLCONV krb5_free_sam_response
 (krb5_context, krb5_sam_response * );
+void KRB5_CALLCONV krb5_free_sam_response_2
+ (krb5_context, krb5_sam_response_2 * );
 void KRB5_CALLCONV krb5_free_predicted_sam_response
 (krb5_context, krb5_predicted_sam_response * );
 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
 (krb5_context, krb5_enc_sam_response_enc * );
+void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
+ (krb5_context, krb5_enc_sam_response_enc_2 * );
 void KRB5_CALLCONV krb5_free_sam_challenge_contents
 (krb5_context, krb5_sam_challenge * );
+void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
+ (krb5_context, krb5_sam_challenge_2 * );
+void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
+ (krb5_context, krb5_sam_challenge_2_body * );
 void KRB5_CALLCONV krb5_free_sam_response_contents
 (krb5_context, krb5_sam_response * );
+void KRB5_CALLCONV krb5_free_sam_response_2_contents
+ (krb5_context, krb5_sam_response_2 *);
 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
 (krb5_context, krb5_predicted_sam_response * );
 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
 (krb5_context, krb5_enc_sam_response_enc * );
+void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
+ (krb5_context, krb5_enc_sam_response_enc_2 * );
 void KRB5_CALLCONV krb5_free_pa_enc_ts
 (krb5_context, krb5_pa_enc_ts *);
@@ -1243,6 +1300,18 @@ krb5_error_code encode_krb5_enc_sam_response_enc
 krb5_error_code encode_krb5_sam_response
 (const krb5_sam_response * , krb5_data **);
 
+krb5_error_code encode_krb5_sam_challenge_2
+ (const krb5_sam_challenge_2 * , krb5_data **);
+
+krb5_error_code encode_krb5_sam_challenge_2_body
+ (const krb5_sam_challenge_2_body * , krb5_data **);
+
+krb5_error_code encode_krb5_enc_sam_response_enc_2
+ (const krb5_enc_sam_response_enc_2 * , krb5_data **);
+
+krb5_error_code encode_krb5_sam_response_2
+ (const krb5_sam_response_2 * , krb5_data **);
+
 krb5_error_code encode_krb5_predicted_sam_response
 (const krb5_predicted_sam_response * , krb5_data **);
 
@@ -1280,6 +1349,18 @@ krb5_error_code decode_krb5_sam_response
 krb5_error_code decode_krb5_predicted_sam_response
 (const krb5_data *, krb5_predicted_sam_response **);
 
+krb5_error_code decode_krb5_sam_challenge_2
+ (const krb5_data *, krb5_sam_challenge_2 **);
+
+krb5_error_code decode_krb5_sam_challenge_2_body
+ (const krb5_data *, krb5_sam_challenge_2_body **);
+
+krb5_error_code decode_krb5_enc_sam_response_enc_2
+ (const krb5_data *, krb5_enc_sam_response_enc_2 **);
+
+krb5_error_code decode_krb5_sam_response_2
+ (const krb5_data *, krb5_sam_response_2 **);
+
 /*************************************************************************
  * Prototypes for krb5_decode.c
diff --git a/src/include/krb5.hin b/src/include/krb5.hin
index 345660253..5b8cb2c60 100644
--- a/src/include/krb5.hin
+++ b/src/include/krb5.hin
@@ -543,6 +543,12 @@ krb5_error_code KRB5_CALLCONV
 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23
 #define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24
 
+/* Defined in hardware preauth draft */
+
+#define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM 25
+#define KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID 26
+#define KRB5_KEYUSAGE_PA_SAM_RESPONSE 27
+
 krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype
 (krb5_enctype ktype);
 krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype
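Review bot: The comment `/* Defined in hardware preauth draft */` above the new key-usage values does not say which draft or revision assigned 25-27, so a later reader cannot check the numbers against the specification they come from. Key-usage numbers are what separate the keys derived for the SAM challenge checksum, track id and response from every other use of the same base key, so a collision with a number some other document later assigns would be silent; naming the source makes that checkable. I would write `/* Key usages 25-27: draft-ietf-krb-wg-kerberos-sam-01 (hardware preauth); re-check if a later revision renumbers them */`. The same applies to `KRB5_PADATA_SAM_CHALLENGE_2` and `KRB5_PADATA_SAM_RESPONSE_2` in the hunk at -860, whose comments say only "draft challenge system, updated".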
@@ -860,6 +866,8 @@ krb5_error_code krb5_decrypt_data
 #define KRB5_PADATA_ETYPE_INFO 11 /* Etype info for preauth */
 #define KRB5_PADATA_SAM_CHALLENGE 12 /* draft challenge system */
 #define KRB5_PADATA_SAM_RESPONSE 13 /* draft challenge system response */
+#define KRB5_PADATA_SAM_CHALLENGE_2 14 /* draft challenge system, updated */
+#define KRB5_PADATA_SAM_RESPONSE_2 15 /* draft challenge system, updated */
 
 #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000
