kdc: support for GSS-API pre-authentication

Add support for GSS-API pre-authentication to the KDC, using a simplified variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context tokens directly in PADATA, and uses FX-COOKIE for state management. More information on the protocol and implementation may be found in lib/gssapi/preauth/README.md.
2021-07-29 12:56:10 +10:00
parent 15c82996a4
commit 49f3f5bd99
40 changed files with 3132 additions and 90 deletions
--- a/lib/krb5/principal.c
+++ b/lib/krb5/principal.c
@@ -1312,6 +1312,28 @@ krb5_principal_is_anonymous(krb5_context context,
    return strcmp(p->realm, KRB5_ANON_REALM) != 0;
 }

+/**
+ * Returns true iff name is WELLKNOWN/FEDERATED
+ *
+ * @ingroup krb5_principal
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_principal_is_federated(krb5_context context,
+			     krb5_const_principal p)
+{
+    if (p->name.name_type != KRB5_NT_WELLKNOWN &&
+	p->name.name_type != KRB5_NT_UNKNOWN)
+	return FALSE;
+
+    if (p->name.name_string.len != 2 ||
+        strcmp(p->name.name_string.val[0], KRB5_WELLKNOWN_NAME) != 0 ||
+        strcmp(p->name.name_string.val[1], KRB5_FEDERATED_NAME) != 0)
+        return FALSE;
+
+    return TRUE;
+}
+
 static int
 tolower_ascii(int c)
 {