kdc: support for GSS-API pre-authentication

Add support for GSS-API pre-authentication to the KDC, using a simplified variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context tokens directly in PADATA, and uses FX-COOKIE for state management. More information on the protocol and implementation may be found in lib/gssapi/preauth/README.md.
2021-07-29 12:56:10 +10:00
parent 15c82996a4
commit 49f3f5bd99
40 changed files with 3132 additions and 90 deletions
--- a/tests/kdc/check-fast.in
+++ b/tests/kdc/check-fast.in
@@ -136,6 +136,29 @@ echo "Getting service ticket"
 ${kgetcred} ${server}@${R} || { exit 1; }
 ${kdestroy}

+#
+# Test GSS-API pre-authentication using SAnon. It will only succeed where there
+# is FAST armor to authenticate the KDC, otherwise it will fail as SAnon does
+# not provide mutual authentication (GSS_C_MUTUAL_FLAG).
+#
+
+for mech in sanon-x25519 spnego ; do
+    echo "Trying ${mech} pre-authentication with FAST armor"; > messages.log
+    ${kinit} --fast-armor-cache=${acache} \
+	--anonymous --gss-mech=${mech} @$R 2>/dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+    echo "Trying ${mech} pre-authentication with anonymous FAST armor"; > messages.log
+    ${kinit} --pk-anon-fast-armor \
+	--anonymous --gss-mech=${mech} @$R 2>/dev/null || \
+	{ ec=1 ; eval "${testfailed}"; }
+
+    echo "Trying ${mech} pre-authentication with no FAST armor"; > messages.log
+    ${kinit} \
+	--anonymous --gss-mech=${mech} @$R 2>/dev/null && \
+	{ ec=1 ; eval "${testfailed}"; }
+done
+
 #
 # Use MIT client tools
 #
--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -83,6 +83,10 @@
 	enable-http = true

        synthetic_clients = true
+
+	enable_gss_preauth = true
+	gss_mechanisms_allowed = sanon-x25519
+
 	enable-pkinit = true
 	pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
 	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt