kdc: support for GSS-API pre-authentication

Add support for GSS-API pre-authentication to the KDC, using a simplified variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context tokens directly in PADATA, and uses FX-COOKIE for state management. More information on the protocol and implementation may be found in lib/gssapi/preauth/README.md.
2021-07-29 12:56:10 +10:00
parent 15c82996a4
commit 49f3f5bd99
40 changed files with 3132 additions and 90 deletions
--- a/lib/asn1/krb5.asn1
+++ b/lib/asn1/krb5.asn1
@@ -192,7 +192,9 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-PKINIT-KX(147),		-- krb-wg-anon
 	KRB5-PADATA-PKU2U-NAME(148),		-- zhu-pku2u
 	KRB5-PADATA-REQ-ENC-PA-REP(149),	--
-	KRB5-PADATA-SUPPORTED-ETYPES(165)	-- MS-KILE
+	KRB5-PADATA-SUPPORTED-ETYPES(165),	-- MS-KILE
+	KRB5-PADATA-GSS(655)			-- krb-wg-gss-preauth
+
 }

 AUTHDATA-TYPE ::= INTEGER {
@@ -221,8 +223,9 @@ AUTHDATA-TYPE ::= INTEGER {
 	KRB5-AUTHDATA-BEARER-TOKEN-JWT(581),  -- JWT token
 	KRB5-AUTHDATA-BEARER-TOKEN-SAML(582), -- SAML token
 	KRB5-AUTHDATA-BEARER-TOKEN-OIDC(583), -- OIDC token
-	KRB5-AUTHDATA-CSR-AUTHORIZED(584)     -- Proxy has authorized client
+	KRB5-AUTHDATA-CSR-AUTHORIZED(584),     -- Proxy has authorized client
                                              -- to requested exts in CSR
+	KRB5-AUTHDATA-GSS-COMPOSITE-NAME(655) -- gss_export_name_composite
 }

 -- checksumtypes
@@ -925,7 +928,6 @@ KERB-ARMOR-SERVICE-REPLY ::= SEQUENCE {
 	armor-key	[1] EncryptionKey
 }

-
 END

 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1