authorSam Hartman <hartmans@mit.edu>2009-12-28 17:15:30 +0000
committerSam Hartman <hartmans@mit.edu>2009-12-28 17:15:30 +0000
commitec49e6e673ab229462ef18aa2986167eaa643643 (patch)
tree625dba55e939a0073cf69f7b79c8c0010df991eb /src/include
parentc5479d0c5b29430a49cf3683513c1223a173ac4e (diff)
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication. * Introduce kinit -n * Introduce kadmin -n * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache * No longer generate ad-initial-verified-cas in pkinit * Fix pkinit interactions with non-TGT authentication Merge remote branch 'anonymous' into trunk Conflicts: src/lib/krb5/krb/gic_opt.c ticket: 6607 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/k5-int-pkinit.h11
-rw-r--r--src/include/k5-int.h13
-rw-r--r--src/include/krb5/krb5.hin35
3 files changed, 42 insertions, 17 deletions
diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h
index 77bd260ff..8dcbd5d4f 100644
--- a/src/include/k5-int-pkinit.h
+++ b/src/include/k5-int-pkinit.h
@@ -283,4 +283,15 @@ decode_krb5_td_dh_parameters(const krb5_data *, krb5_algorithm_identifier ***);
void krb5_free_typed_data(krb5_context, krb5_typed_data **);
+krb5_error_code
+encode_krb5_enc_data(const krb5_enc_data *, krb5_data **);
+
+krb5_error_code
+encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code);
+
+krb5_error_code
+krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
+ krb5_keyusage keyusage, const krb5_data *plain,
+ krb5_enc_data *cipher);
+
#endif /* _KRB5_INT_PKINIT_H */
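Review bot: Moving the three prototypes into k5-int-pkinit.h (paired with their removal from k5-int.h in the hunks at -807, -1572 and -1660 below) narrows their visibility to translation units that include the pkinit header, so any libkrb5 caller of krb5_encrypt_helper, encode_krb5_enc_data or encode_krb5_encryption_key that includes only k5-int.h would now compile against an implicit declaration; that cannot be ruled out from a header-only diff, so a build with -Wimplicit-function-declaration or a grep for the callers is worth doing before merge. Separately, the added prototypes mix unnamed and named parameters (`encode_krb5_enc_data(const krb5_enc_data *, krb5_data **)` directly above `encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code)`); picking one form for all three would read more consistently.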
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index f1b48c0af..a70eae9c5 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -807,11 +807,6 @@ krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
/* this helper fct is in libkrb5, but it makes sense declared here. */
krb5_error_code
-krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
- krb5_keyusage keyusage, const krb5_data *plain,
- krb5_enc_data *cipher);
-
-krb5_error_code
krb5_encrypt_keyhelper(krb5_context context, krb5_key key,
krb5_keyusage keyusage, const krb5_data *plain,
krb5_enc_data *cipher);
@@ -1532,7 +1527,7 @@ void KRB5_CALLCONV krb5_free_priv_enc_part(krb5_context, krb5_priv_enc_part *);
/* allow either constructed or primitive encoding, so check for bit 6
set or reset */
#define krb5int_is_app_tag(dat,tag) \
- ((dat) && (dat)->length && \
+ ((dat != NULL) && (dat)->length && \
((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
#define krb5_is_krb_ticket(dat) krb5int_is_app_tag(dat, 1)
#define krb5_is_krb_authenticator(dat) krb5int_is_app_tag(dat, 2)
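Review bot: The rewritten first test of krb5int_is_app_tag drops the parentheses around the macro argument: `((dat != NULL) && ...` where the old line had `((dat) && ...`. An argument such as `p ? a : b` would then bind `!= NULL` inside the conditional instead of around it, while the other uses of `(dat)` on the following line remain parenthesized. Keep the argument wrapped: `(((dat) != NULL) && (dat)->length && \`.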
@@ -1572,9 +1567,6 @@ krb5_error_code
encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
krb5_error_code
-encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code);
-
-krb5_error_code
encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code);
krb5_error_code
@@ -1660,9 +1652,6 @@ krb5_error_code
encode_krb5_etype_info2(krb5_etype_info_entry *const *, krb5_data **code);
krb5_error_code
-encode_krb5_enc_data(const krb5_enc_data *, krb5_data **);
-
-krb5_error_code
encode_krb5_pa_enc_ts(const krb5_pa_enc_ts *, krb5_data **);
krb5_error_code
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 7f7b56dd8..470ca4d50 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -261,6 +261,8 @@ typedef krb5_principal_data * krb5_principal;
#define KRB5_NT_SMTP_NAME 7
/* Windows 2000 UPN */
#define KRB5_NT_ENTERPRISE_PRINCIPAL 10
+#define KRB5_NT_WELLKNOWN 11
+#define KRB5_WELLKNOWN_NAMESTR "WELLKNOWN" /*first component of NT_WELLKNOWN principals*/
/* Windows 2000 UPN and SID */
#define KRB5_NT_MS_PRINCIPAL -128
/* NT 4 style name */
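Review bot: The trailing comment on the new KRB5_WELLKNOWN_NAMESTR line is written as `/*first component of NT_WELLKNOWN principals*/`, without the spaces inside the delimiters that every neighbouring comment in this header uses; the same form appears on the new lines in the next hunk (-293), for the anonymous functions and the KRB5_ANONYMOUS_PRINCSTR define. Suggest `/* first component of KRB5_NT_WELLKNOWN principals */`, which also names the macro rather than the abbreviated NT_WELLKNOWN.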
@@ -293,6 +295,14 @@ typedef const krb5_principal_data *krb5_const_principal;
*/
krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *);
+/*Both these functions return constant storage that must not be freed*/
+
+const krb5_data *KRB5_CALLCONV
+krb5_anonymous_realm(void);
+krb5_const_principal KRB5_CALLCONV
+krb5_anonymous_principal(void);
+#define KRB5_ANONYMOUS_REALMSTR "WELLKNOWN:ANONYMOUS"
+#define KRB5_ANONYMOUS_PRINCSTR "ANONYMOUS" /*wellknown name type*/
/*
* end "base-defs.h"
*/
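Review bot: krb5_anonymous_realm() and krb5_anonymous_principal() are new public API in krb5.hin but carry only a one-line plain comment, whereas the other public declaration this commit adds (krb5_get_init_creds_opt_set_anonymous, later in this file) gets a Doxygen `/** */` block. Each of the two should get its own `/** ... @return ... */` block stating that the return value is static storage owned by the library that the caller must neither free nor modify, and which principal or realm it denotes. The two #defines that follow the declarations would read better placed before them, next to the comment that introduces the functions, since the functions are presumably built from those strings.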
@@ -628,7 +638,7 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
#define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 /* XXX note conflict with above */
#define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
-
+#define KRB5_KEYUSAGE_PA_PKINIT_KX 44
/* define in draft-ietf-krb-wg-preauth-framework*/
#define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
#define KRB5_KEYUSAGE_FAST_ENC 51
@@ -838,10 +848,9 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
/* #define KDC_OPT_RESERVED 0x00100000 */
/* #define KDC_OPT_RESERVED 0x00080000 */
/* #define KDC_OPT_RESERVED 0x00040000 */
-#define KDC_OPT_REQUEST_ANONYMOUS 0x00020000
#define KDC_OPT_CNAME_IN_ADDL_TKT 0x00020000
#define KDC_OPT_CANONICALIZE 0x00010000
-/* #define KDC_OPT_RESERVED 0x00008000 */
+#define KDC_OPT_REQUEST_ANONYMOUS 0x00008000
/* #define KDC_OPT_RESERVED 0x00004000 */
/* #define KDC_OPT_RESERVED 0x00002000 */
/* #define KDC_OPT_RESERVED 0x00001000 */
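Review bot: KDC_OPT_REQUEST_ANONYMOUS changes value from 0x00020000, which was the same bit as KDC_OPT_CNAME_IN_ADDL_TKT, to 0x00008000, and nothing in the header records why; the same move happens for TKT_FLG_ANONYMOUS in the next hunk (-929). Because this changes the bit a built client sends and a KDC or application server tests, a short comment on each line would help the next reader, e.g. `#define KDC_OPT_REQUEST_ANONYMOUS 0x00008000 /* bit 16; old value 0x00020000 collided with CNAME_IN_ADDL_TKT */`. Binaries compiled against the previous header will request or recognise the wrong bit until rebuilt, which the commit message could also mention.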
@@ -929,9 +938,8 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
#define TKT_FLG_HW_AUTH 0x00100000
#define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
#define TKT_FLG_OK_AS_DELEGATE 0x00040000
-#define TKT_FLG_ANONYMOUS 0x00020000
#define TKT_FLG_ENC_PA_REP 0x00010000
-/* #define TKT_FLG_RESERVED 0x00008000 */
+#define TKT_FLG_ANONYMOUS 0x00008000
/* #define TKT_FLG_RESERVED 0x00004000 */
/* #define TKT_FLG_RESERVED 0x00002000 */
/* #define TKT_FLG_RESERVED 0x00001000 */
@@ -1033,6 +1041,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype,
#define KRB5_PADATA_FX_FAST 136
#define KRB5_PADATA_FX_ERROR 137
#define KRB5_PADATA_ENCRYPTED_CHALLENGE 138
+#define KRB5_PADATA_PKINIT_KX 147
#define KRB5_ENCPADATA_REQ_ENC_PA_REP 149
#define KRB5_SAM_USE_SAD_AS_KEY 0x80000000
@@ -2196,6 +2205,7 @@ typedef struct _krb5_get_init_creds_opt {
#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080
#define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100
#define KRB5_GET_INIT_CREDS_OPT_CANONICALIZE 0x0200
+#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0400
krb5_error_code KRB5_CALLCONV
@@ -2229,6 +2239,21 @@ void KRB5_CALLCONV
krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt,
int canonicalize);
+/**
+ * Request anonymous credentials from the KDC. If the client name looks like
+ * "@REALM" (an empty principal name), then fully anonymous credentials are
+ * requested. If the client name looks like "name@REALM," then credentials
+ * tied to a specific realm are requested.
+ *
+ * Credentials tied to a specific realm are not supported in this version.
+ *
+ * Note that anonymous credentials are only a request; clients must verify that
+ * credentials are anonymous if that is a requirement.
+ */
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
+ int anonymous);
+
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
krb5_enctype *etype_list,
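Review bot: The Doxygen block on krb5_get_init_creds_opt_set_anonymous tells callers they must verify that the credentials are anonymous but does not say what to inspect, which is the one thing a caller relying on anonymity needs. Suggest extending that sentence to say that callers should test TKT_FLG_ANONYMOUS in the ticket_flags of the returned krb5_creds and compare the client principal against krb5_anonymous_principal(), since a KDC that does not honour the request will return ordinary credentials. Also the comma in `"name@REALM,"` belongs outside the quotes. One context line of this hunk appears to have been lost in rendering, so the surrounding declarations may sit slightly differently in the file.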