kdc: move Services for User implementation out of krb5tgs.c

Move the Services for User (SFU/S4U) implementation -- protocol transition and constrained delegation -- into its own compilation unit, with an interface that only takes an astgs_request_t, so it can be easily factored out into a plugin module in the future. This refactoring is also careful to update all client names in the request structure after the SFU/S4U validation has successfully completed.
2021-12-24 13:49:55 +11:00
parent 06f8985c55
commit 0287558838
6 changed files with 670 additions and 482 deletions
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -131,20 +131,29 @@ typedef struct krb5_kdc_configuration {
 #define ASTGS_REQUEST_DESC_COMMON_ELEMENTS			\
    HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS;			\
 								\
+    /* AS-REQ or TGS-REQ */					\
    KDC_REQ req;						\
 								\
+    /* AS-REP or TGS-REP */					\
    KDC_REP rep;						\
    EncTicketPart et;						\
    EncKDCRepPart ek;						\
 								\
-    /* princ requested by client (AS) or canon princ (TGT) */	\
+    /* client principal (AS) or TGT/S4U principal (TGS) */	\
    krb5_principal client_princ;				\
    hdb_entry_ex *client;					\
    HDB *clientdb;						\
+    krb5_principal canon_client_princ;				\
 								\
+    /* server principal */					\
    krb5_principal server_princ;				\
    hdb_entry_ex *server;					\
 								\
+    /* presented ticket in TGS-REQ (unused by AS) */		\
+    krb5_principal *krbtgt_princ;				\
+    hdb_entry_ex *krbtgt;					\
+    krb5_ticket *ticket;					\
+								\
    krb5_keyblock reply_key;					\
 								\
    krb5_pac pac;						\