From baea9a7a27d781581505f0bb6d0ac4e4f24053aa Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Fri, 30 Apr 2010 21:22:48 +0000
Subject: Add IAKERB mechanism and gss_acquire_cred_with_password
Merge branches/iakerb to trunk. Includes the following:
* New IAKERB mechanism.
* New gss_acquire_cred_with_password mechglue function.
* ASN.1 encoders and decoders for IAKERB structures (with tests).
* New shortcuts in gss-sample client and server.
* Tests to exercise SPNEGO and IAKERB using gss-sample application.
ticket: 6712
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23960 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/k5-int.h | 28 ++++++++++++++++++++++++++++
 src/include/krb5/krb5.hin | 1 +
 2 files changed, 29 insertions(+)
(limited to 'src/include')
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index fde8e6660..9a23a7e68 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -358,6 +358,10 @@ typedef INT64_TYPE krb5_int64;
 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */
 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
+#define KRB_AP_ERR_IAKERB_KDC_NOT_FOUND 85 /* The IAKERB proxy could
+not find a KDC */
+#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
+to the IAKERB proxy */
 /*
 * This structure is returned in the e-data field of the KRB-ERROR
@@ -1032,6 +1036,15 @@ typedef struct _krb5_ad_signedpath {
 krb5_pa_data **method_data;
 } krb5_ad_signedpath;
+typedef struct _krb5_iakerb_header {
+ krb5_data target_realm;
+ krb5_data *cookie;
+} krb5_iakerb_header;
+
+typedef struct _krb5_iakerb_finished {
+ krb5_checksum checksum;
+} krb5_iakerb_finished;
+
 typedef krb5_error_code (*krb5_preauth_obtain_proc)(krb5_context, krb5_pa_data *, krb5_etype_info, krb5_keyblock *,
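Review bot: The two codes appended after `KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81` jump straight to 85 and 86, and nothing says which document assigns those numbers or why 82–84 are skipped. A one-line comment above them, for example `/* IAKERB proxy errors; values assigned in <IAKERB spec reference> */`, would keep a later addition from reusing a number that has wire meaning. It would also be worth stating in that comment that these codes reach the initiator in a KRB-ERROR relayed by the proxy; if that message is not integrity-protected (an assumption, the sending code is not in this hunk), callers should use them for diagnostics and retry only. The list of error codes starts and ends outside the hunk.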
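Review bot: `krb5_iakerb_header` pairs an embedded `krb5_data target_realm` with a pointer `krb5_data *cookie`, and the typedef does not say whether `cookie` may be NULL or who owns either buffer. Both fields are presumably filled from a peer's token by `decode_krb5_iakerb_header` (declared in a later hunk), so I would add comments such as `/* realm named by the peer; treat as untrusted input */` on `target_realm` and `/* optional opaque state; NULL when absent */` on `cookie`, to be confirmed against the encoder and the free routine. `krb5_iakerb_finished` could likewise note which key and key usage its `checksum` is computed with, since that is what a verifier has to match.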
@@ -1329,6 +1342,9 @@ void KRB5_CALLCONV krb5_free_fast_finished(krb5_context, krb5_fast_finished *);
 void KRB5_CALLCONV krb5_free_fast_response(krb5_context, krb5_fast_response *);
 void KRB5_CALLCONV krb5_free_ad_kdcissued(krb5_context, krb5_ad_kdcissued *);
 void KRB5_CALLCONV krb5_free_ad_signedpath(krb5_context, krb5_ad_signedpath *);
+void KRB5_CALLCONV krb5_free_iakerb_header(krb5_context, krb5_iakerb_header *);
+void KRB5_CALLCONV krb5_free_iakerb_finished(krb5_context,
+ krb5_iakerb_finished *);
 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
 #include "com_err.h"
@@ -1741,6 +1757,12 @@ encode_krb5_fast_req(const krb5_fast_req *, krb5_data **);
 krb5_error_code
 encode_krb5_pa_fx_fast_reply(const krb5_enc_data *, krb5_data **);
+krb5_error_code
+encode_krb5_iakerb_header(const krb5_iakerb_header *, krb5_data **);
+
+krb5_error_code
+encode_krb5_iakerb_finished(const krb5_iakerb_finished *, krb5_data **);
+
 krb5_error_code
 encode_krb5_fast_response(const krb5_fast_response *, krb5_data **);
@@ -1939,6 +1961,12 @@ decode_krb5_ad_kdcissued(const krb5_data *, krb5_ad_kdcissued **);
 krb5_error_code
 decode_krb5_ad_signedpath(const krb5_data *, krb5_ad_signedpath **);
+krb5_error_code
+decode_krb5_iakerb_header(const krb5_data *, krb5_iakerb_header **);
+
+krb5_error_code
+decode_krb5_iakerb_finished(const krb5_data *, krb5_iakerb_finished **);
+
 struct _krb5_key_data; /* kdb.h */
 struct ldap_seqof_key_data {
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 98ffb70b8..1c89f9e92 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
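Review bot: The new `decode_krb5_iakerb_header` and `decode_krb5_iakerb_finished` prototypes (the @@ -1939 hunk) and the matching `krb5_free_iakerb_header` / `krb5_free_iakerb_finished` declarations (the @@ -1329 hunk) are added without any statement of their contract. These decoders take bytes that come from the other side of the GSS exchange, so the header is the place to record what a caller may rely on: a comment such as `/* On success *out is newly allocated; release with krb5_free_iakerb_header(). Input is peer-supplied. */` above the decode pair, and `/* Accepts NULL; frees contents and the container */` above the free pair if that is what the implementations do. The function bodies are not in this diff, so both statements need checking against the source files before they go in.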
@@ -637,6 +637,7 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
 #define KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY 27 /* XXX note conflict with above */
 #define KRB5_KEYUSAGE_AD_SIGNEDPATH -21
+#define KRB5_KEYUSAGE_IAKERB_FINISHED 42
 #define KRB5_KEYUSAGE_PA_PKINIT_KX 44 /* define in draft-ietf-krb-wg-preauth-framework*/
 #define KRB5_KEYUSAGE_FAST_REQ_CHKSUM 50
-- cgit
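Review bot: `KRB5_KEYUSAGE_IAKERB_FINISHED 42` goes into the public header with no comment naming the document that assigns 42, in a list where a nearby line already carries an `XXX note conflict with above` remark. Key usage numbers are what keep a key derived for one purpose from validating data produced for another, so a value that is later reused would weaken the check on the IAKERB finished checksum; a source reference makes such collisions reviewable. I would write `#define KRB5_KEYUSAGE_IAKERB_FINISHED 42 /* IAKERB-FINISHED checksum; assigned in <IAKERB spec reference> */`. The key usage list starts and ends outside the hunk.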