authorGreg Hudson <ghudson@mit.edu>2009-11-14 04:46:30 +0000
committerGreg Hudson <ghudson@mit.edu>2009-11-14 04:46:30 +0000
commit0524889196c42d81dcc4c74277522b46f987cabb (patch)
tree9f906eb1a4a32346ae94837c4fe199410e2dd10f /src/tests
parent26044e2a3c3104b9c3f32a6ae58145e7e6394672 (diff)
Constrained delegation without PAC support
Merge Luke's users/lhoward/s4u2proxy branch to trunk. Implements a Heimdal-compatible mechanism for allowing constrained delegation without back-end support for PACs. Back-end support exists in LDAP only (via a new krbAllowedToDelegateTo attribute), not DB2. ticket: 6580 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23160 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/asn.1/krb5_decode_leak.c24
-rw-r--r--src/tests/asn.1/krb5_decode_test.c8
-rw-r--r--src/tests/asn.1/krb5_encode_test.c22
-rw-r--r--src/tests/asn.1/ktest.c67
-rw-r--r--src/tests/asn.1/ktest.h4
-rw-r--r--src/tests/asn.1/ktest_equal.c36
-rw-r--r--src/tests/asn.1/ktest_equal.h8
-rw-r--r--src/tests/asn.1/reference_encode.out2
-rw-r--r--src/tests/asn.1/trval_reference.out49
9 files changed, 220 insertions, 0 deletions
diff --git a/src/tests/asn.1/krb5_decode_leak.c b/src/tests/asn.1/krb5_decode_leak.c
index 1b90bf769..9f68fb085 100644
--- a/src/tests/asn.1/krb5_decode_leak.c
+++ b/src/tests/asn.1/krb5_decode_leak.c
@@ -680,6 +680,30 @@ main(int argc, char **argv)
krb5_free_ad_kdcissued);
ktest_empty_ad_kdcissued(&kdci);
}
+#if 0
+ /****************************************************************/
+ /* encode_krb5_ad_signedpath_data */
+ {
+ krb5_ad_signedpath_data spd, *tmp;
+ setup(spd, "ad_signedpath_data",
+ ktest_make_sample_ad_signedpath_data);
+ leak_test(spd, encode_krb5_ad_signedpath_data,
+ decode_krb5_ad_signedpath_data,
+ NULL);
+ ktest_empty_ad_signedpath_data(&spd);
+ }
+#endif
+ /****************************************************************/
+ /* encode_krb5_ad_signedpath */
+ {
+ krb5_ad_signedpath sp, *tmp;
+ setup(sp, "ad_signedpath",
+ ktest_make_sample_ad_signedpath);
+ leak_test(sp, encode_krb5_ad_signedpath,
+ decode_krb5_ad_signedpath,
+ krb5_free_ad_signedpath);
+ ktest_empty_ad_signedpath(&sp);
+ }
krb5_free_context(test_context);
return 0;
}
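Review bot: The `#if 0` around the ad_signedpath_data leak test has no explanation, so a reader cannot tell whether the case is parked temporarily or can never run. The disabled call passes `NULL` as the free function where the ad_signedpath case passes `krb5_free_ad_signedpath`, which suggests the matching free routine is missing; that is an inference from this hunk only. I would add a comment directly above the `#if 0`, for example `/* Disabled: ad_signedpath_data has no free function to hand to leak_test; re-enable once one exists. */`, reworded to the actual reason. main() starts outside the hunk.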
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 903697292..d99698180 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -907,6 +907,14 @@ int main(argc, argv)
ktest_empty_ad_kdcissued(&ref);
}
+ /****************************************************************/
+ /* decode_ad_signedpath */
+ {
+ setup(krb5_ad_signedpath,"krb5_ad_signedpath",ktest_make_sample_ad_signedpath);
+ decode_run("ad_signedpath","","30 3E A0 03 02 01 01 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61",decode_krb5_ad_signedpath,ktest_equal_ad_signedpath,krb5_free_ad_signedpath);
+ ktest_empty_ad_signedpath(&ref);
+ }
+
#ifdef ENABLE_LDAP
/* ldap sequence_of_keys */
{
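Review bot: The vector passed to `decode_run` for ad_signedpath carries the top-level tags A0, A1 and A3 but no A2 element, so the decoder's handling of the delegated principal list is never exercised by this test. The cause is ktest_make_sample_ad_signedpath in ktest.c, which allocates `p->delegated` but never fills `delegated[0]`; the new reference_encode.out and trval_reference.out entries show the same gap. For a structure that records the delegation path, I would populate one sample principal with `retval = ktest_make_sample_principal(&p->delegated[0]);` followed by the usual `if (retval) return retval;`, then regenerate the expected encodings. As written, the reference also holds a non-NULL empty array while the decoder's result for an absent field is not visible here, so whether the comparison is meaningful depends on macros outside this hunk. main() continues outside the hunk.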
diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c
index db99f1080..3716eb477 100644
--- a/src/tests/asn.1/krb5_encode_test.c
+++ b/src/tests/asn.1/krb5_encode_test.c
@@ -717,6 +717,28 @@ main(argc, argv)
encode_krb5_ad_kdcissued);
ktest_empty_ad_kdcissued(&kdci);
}
+ /****************************************************************/
+ /* encode_krb5_ad_signedpath_data */
+ {
+ krb5_ad_signedpath_data spd;
+ setup(spd,krb5_ad_signedpath_data,"ad_signedpath_data",
+ ktest_make_sample_ad_signedpath_data);
+ encode_run(spd,krb5_ad_signedpath_data,
+ "ad_signedpath_data","",
+ encode_krb5_ad_signedpath_data);
+ ktest_empty_ad_signedpath_data(&spd);
+ }
+ /****************************************************************/
+ /* encode_krb5_ad_signedpath */
+ {
+ krb5_ad_signedpath sp;
+ setup(sp,krb5_ad_signedpath,"ad_signedpath",
+ ktest_make_sample_ad_signedpath);
+ encode_run(sp,krb5_ad_signedpath,
+ "ad_signedpath","",
+ encode_krb5_ad_signedpath);
+ ktest_empty_ad_signedpath(&sp);
+ }
#ifdef ENABLE_LDAP
{
ldap_seqof_key_data skd;
diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c
index 6ca9652ab..64c4fbdba 100644
--- a/src/tests/asn.1/ktest.c
+++ b/src/tests/asn.1/ktest.c
@@ -855,6 +855,42 @@ krb5_error_code ktest_make_sample_ad_kdcissued(p)
return retval;
}
+krb5_error_code ktest_make_sample_ad_signedpath_data(p)
+ krb5_ad_signedpath_data *p;
+{
+ krb5_error_code retval;
+ retval = ktest_make_sample_principal(&p->client);
+ if (retval) return retval;
+ p->authtime = SAMPLE_TIME;
+ p->delegated = k5alloc((2 * sizeof(krb5_principal)), &retval);
+ if (retval) return retval;
+ retval = ktest_make_sample_principal(&p->delegated[0]);
+ if (retval) return retval;
+ p->delegated[1] = NULL;
+ retval = ktest_make_sample_principal(&p->client);
+ if (retval) return retval;
+ retval = ktest_make_sample_authorization_data(&p->authorization_data);
+ if (retval) return retval;
+ retval = ktest_make_sample_pa_data_array(&p->method_data);
+ if (retval) return retval;
+ return retval;
+}
+
+krb5_error_code ktest_make_sample_ad_signedpath(p)
+ krb5_ad_signedpath*p;
+{
+ krb5_error_code retval;
+ p->enctype = 1;
+ retval = ktest_make_sample_checksum(&p->checksum);
+ if (retval) return retval;
+ p->delegated = k5alloc((2 * sizeof(krb5_principal)), &retval);
+ if (retval) return retval;
+ p->delegated[1] = NULL;
+ retval = ktest_make_sample_pa_data_array(&p->method_data);
+ if (retval) return retval;
+ return retval;
+}
+
#ifdef ENABLE_LDAP
static krb5_error_code ktest_make_sample_key_data(krb5_key_data *p, int i)
{
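Review bot: ktest_make_sample_ad_signedpath_data calls `ktest_make_sample_principal(&p->client)` twice, once at the top and again after `p->delegated[1] = NULL;`, so the second call overwrites the pointer stored by the first. If the helper allocates a fresh principal on each call, as its pairing with ktest_destroy_principal suggests, the first allocation is leaked, which is unwelcome in sample data that feeds a leak test. I would delete the second call together with its `if (retval) return retval;`. Both new functions also return early without releasing what they have already allocated; that is harmless only if callers abort on a non-zero return, which this hunk does not show.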
@@ -1466,6 +1502,37 @@ void ktest_empty_ad_kdcissued(p)
ktest_destroy_authorization_data(&p->elements);
}
+void ktest_empty_ad_signedpath_data(p)
+ krb5_ad_signedpath_data *p;
+{
+ int i;
+ ktest_destroy_principal(&p->client);
+ if (p->delegated != NULL) {
+ for (i = 0; p->delegated[i] != NULL; i++) {
+ krb5_principal princ = p->delegated[i];
+ ktest_destroy_principal(&princ);
+ }
+ free(p->delegated);
+ }
+ ktest_destroy_pa_data_array(&p->method_data);
+ ktest_destroy_authorization_data(&p->authorization_data);
+}
+
+void ktest_empty_ad_signedpath(p)
+ krb5_ad_signedpath *p;
+{
+ int i;
+ if (p->checksum.contents) free(p->checksum.contents);
+ if (p->delegated != NULL) {
+ for (i = 0; p->delegated[i] != NULL; i++) {
+ krb5_principal princ = p->delegated[i];
+ ktest_destroy_principal(&princ);
+ }
+ free(p->delegated);
+ }
+ ktest_destroy_pa_data_array(&p->method_data);
+}
+
#ifdef ENABLE_LDAP
void ktest_empty_ldap_seqof_key_data(ctx, p)
krb5_context ctx;
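Review bot: Both new ktest_empty_* functions leave `p->delegated` pointing at freed memory, and ktest_empty_ad_signedpath does the same with `p->checksum.contents`, so a second call on the same structure would walk a freed array and free it again. Adding `p->delegated = NULL;` after `free(p->delegated);` and `p->checksum.contents = NULL;` after its free makes the helpers safe to repeat. The `if (p->checksum.contents)` guard is unnecessary because `free(NULL)` is a no-op. The delegated-list loop is identical in the two functions and could move into one static helper.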
diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h
index fa33ceffd..5f9b5ca38 100644
--- a/src/tests/asn.1/ktest.h
+++ b/src/tests/asn.1/ktest.h
@@ -107,6 +107,8 @@ krb5_error_code ktest_make_sample_predicted_sam_response(krb5_predicted_sam_resp
krb5_error_code ktest_make_sample_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
krb5_error_code ktest_make_sample_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
krb5_error_code ktest_make_sample_ad_kdcissued(krb5_ad_kdcissued *p);
+krb5_error_code ktest_make_sample_ad_signedpath_data(krb5_ad_signedpath_data *p);
+krb5_error_code ktest_make_sample_ad_signedpath(krb5_ad_signedpath *p);
#ifdef ENABLE_LDAP
krb5_error_code ktest_make_sample_ldap_seqof_key_data(ldap_seqof_key_data * p);
@@ -217,6 +219,8 @@ void ktest_empty_sam_response_2(krb5_sam_response_2 *p);
void ktest_empty_enc_sam_response_enc_2(krb5_enc_sam_response_enc_2 *p);
void ktest_empty_pa_s4u_x509_user(krb5_pa_s4u_x509_user *p);
void ktest_empty_ad_kdcissued(krb5_ad_kdcissued *p);
+void ktest_empty_ad_signedpath_data(krb5_ad_signedpath_data *p);
+void ktest_empty_ad_signedpath(krb5_ad_signedpath *p);
#ifdef ENABLE_LDAP
void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p);
diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c
index 5479f8047..67c8d7e4f 100644
--- a/src/tests/asn.1/ktest_equal.c
+++ b/src/tests/asn.1/ktest_equal.c
@@ -570,6 +570,35 @@ int ktest_equal_ad_kdcissued(ref, var)
return p;
}
+int ktest_equal_ad_signedpath_data(ref, var)
+ krb5_ad_signedpath_data *ref;
+ krb5_ad_signedpath_data *var;
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&ptr_equal(client,ktest_equal_principal_data);
+ p=p&&scalar_equal(authtime);
+ p=p&&ptr_equal(delegated,ktest_equal_sequence_of_principal);
+ p=p&&ptr_equal(method_data,ktest_equal_sequence_of_pa_data);
+ p=p&&ptr_equal(authorization_data,ktest_equal_authorization_data);
+ return p;
+}
+
+int ktest_equal_ad_signedpath(ref, var)
+ krb5_ad_signedpath* ref;
+ krb5_ad_signedpath* var;
+{
+ int p = TRUE;
+ if (ref == var) return TRUE;
+ else if (ref == NULL || var == NULL) return FALSE;
+ p=p&&scalar_equal(enctype);
+ p=p&&struct_equal(checksum,ktest_equal_checksum);
+ p=p&&ptr_equal(delegated,ktest_equal_sequence_of_principal);
+ p=p&&ptr_equal(method_data,ktest_equal_sequence_of_pa_data);
+ return p;
+}
+
#ifdef ENABLE_LDAP
static int equal_key_data(ref, var)
krb5_key_data *ref;
@@ -721,6 +750,13 @@ int ktest_equal_sequence_of_cred_info(ref, var)
array_compare(ktest_equal_cred_info);
}
+int ktest_equal_sequence_of_principal(ref, var)
+ krb5_principal * ref;
+ krb5_principal * var;
+{
+ array_compare(ktest_equal_principal_data);
+}
+
int ktest_equal_array_of_passwd_phrase_element(ref, var)
passwd_phrase_element ** ref;
passwd_phrase_element ** var;
diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h
index 1464ebb50..80c38b639 100644
--- a/src/tests/asn.1/ktest_equal.h
+++ b/src/tests/asn.1/ktest_equal.h
@@ -69,6 +69,8 @@ int ktest_equal_sequence_of_pa_data
(krb5_pa_data **ref, krb5_pa_data **var);
int ktest_equal_sequence_of_cred_info
(krb5_cred_info **ref, krb5_cred_info **var);
+int ktest_equal_sequence_of_principal
+ (krb5_principal *ref, krb5_principal *var);
len_array(ktest_equal_array_of_enctype,krb5_enctype);
len_array(ktest_equal_array_of_data,krb5_data);
@@ -98,6 +100,12 @@ int ktest_equal_pa_s4u_x509_user
int ktest_equal_ad_kdcissued
(krb5_ad_kdcissued *ref,
krb5_ad_kdcissued *var);
+int ktest_equal_ad_signedpath_data
+ (krb5_ad_signedpath_data *ref,
+ krb5_ad_signedpath_data *var);
+int ktest_equal_ad_signedpath
+ (krb5_ad_signedpath *ref,
+ krb5_ad_signedpath *var);
int ktest_equal_ldap_sequence_of_keys(ldap_seqof_key_data *ref,
ldap_seqof_key_data *var);
diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out
index 952e69c77..c6bcf619c 100644
--- a/src/tests/asn.1/reference_encode.out
+++ b/src/tests/asn.1/reference_encode.out
@@ -58,3 +58,5 @@ encode_krb5_sam_response_2: 30 42 A0 03 02 01 2B A1 07 03 05 00 80 00 00 00 A2 0
encode_krb5_enc_sam_response_enc_2: 30 1F A0 03 02 01 58 A1 18 04 16 65 6E 63 5F 73 61 6D 5F 72 65 73 70 6F 6E 73 65 5F 65 6E 63 5F 32
encode_krb5_pa_s4u_x509_user: 30 68 A0 55 30 53 A0 06 02 04 00 CA 14 9A A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 12 04 10 70 61 5F 73 34 75 5F 78 35 30 39 5F 75 73 65 72 A4 07 03 05 00 80 00 00 00 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34
encode_krb5_ad_kdcissued: 30 65 A0 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72
+encode_krb5_ad_signedpath_data: 30 81 C7 A0 30 30 2E A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 32 30 30 30 2E A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72
+encode_krb5_ad_signedpath: 30 3E A0 03 02 01 01 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61
diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out
index b19ca747e..38e5b99ad 100644
--- a/src/tests/asn.1/trval_reference.out
+++ b/src/tests/asn.1/trval_reference.out
@@ -1283,3 +1283,52 @@ encode_krb5_ad_kdcissued:
. . . [0] [Integer] 1
. . . [1] [Octet String] "foobar"
+encode_krb5_ad_signedpath_data:
+
+[Sequence/Sequence Of]
+. [0] [Sequence/Sequence Of]
+. . [0] [Sequence/Sequence Of]
+. . . [0] [Integer] 1
+. . . [1] [Sequence/Sequence Of]
+. . . . [General string] "hftsai"
+. . . . [General string] "extra"
+. . [1] [General string] "ATHENA.MIT.EDU"
+. [1] [Generalized Time] "19940610060317Z"
+. [2] [Sequence/Sequence Of]
+. . [Sequence/Sequence Of]
+. . . [0] [Sequence/Sequence Of]
+. . . . [0] [Integer] 1
+. . . . [1] [Sequence/Sequence Of]
+. . . . . [General string] "hftsai"
+. . . . . [General string] "extra"
+. . . [1] [General string] "ATHENA.MIT.EDU"
+. [3] [Sequence/Sequence Of]
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"
+. [4] [Sequence/Sequence Of]
+. . [Sequence/Sequence Of]
+. . . [0] [Integer] 1
+. . . [1] [Octet String] "foobar"
+. . [Sequence/Sequence Of]
+. . . [0] [Integer] 1
+. . . [1] [Octet String] "foobar"
+
+encode_krb5_ad_signedpath:
+
+[Sequence/Sequence Of]
+. [0] [Integer] 1
+. [1] [Sequence/Sequence Of]
+. . [0] [Integer] 1
+. . [1] [Octet String] "1234"
+. [3] [Sequence/Sequence Of]
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"
+. . [Sequence/Sequence Of]
+. . . [1] [Integer] 13
+. . . [2] [Octet String] "pa-data"
+