Add libkdc wrappers for heimbase object accessors so plugins can use audit and
request attribute APIs without consuming libheimbase. Exposed API surface is
minimal and is limited to reading array collections, and reading/creating base
and custom types.
Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
an additional context member in hdb_entry which is managed by the free_entry
method in HDB).
Decorate HDB_entry with context and move free_entry callback into HDB structure
itself. Requires updating hdb_free_entry() signature to include HDB parameter.
A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
member) into hdb_entry.
Remove the outpadata field from astgs_request_t, because it's not something we
wish to expose publically (yet it is something that Samba needs in the
client_access plugin API, to add Windows error information).
Instead, allocate rep->padata at the start of AS/TGS request handling, and
ensure it is valid for the lifetime of the request until it is encoded (at
which point it will be freed and set to NULL if zero length, to avoid sending a
zero length METHOD-DATA to the client).
(The previous approach of setting rep->padata to point to &r->outpadata was
fragile, because it required clearing the pointer before freeing the KDC-REP.)
Update the sample GSS pre-authentication authorizer plugin to allow the PAC to
be pinned to the authenticating user's SID.
There is still a race condition between the time the user authenticates and the
time the SID is looked up via LDAP, but it should be sufficient as an example;
if more security is required, then users should be enrolled with their SIDs.
RFC4120 says KRB5KDC_ERR_SUMTYPE_NOSUPP should be returned if the KDC does not
support a given checksum type. Return this instead of KRB5_PROG_SUMTYPE_NOSUPP
by introducing a new wrapper function, _kdc_verify_checksum().
When validating the KDC-REQ-BODY checksum introduced in 0ed4d90a, don't leak
the sec_context_token retrieved from the FX-COOKIE if checksum verifications
fails.
Whilst channel bindings are used to bind the KDC-REQ-BODY to the GSS-API
context, we need to also bind the KDC-REQ-BODY across multiple requests in a
pre-authentication conversation.
Do this by making a digest of the first KDC-REQ-BODY (with the nonce zeroed, as
this may change), and verifying it in each subsequent request.
This reverts commit 34b374b5e4.
We are revising the GSS-API pre-authentication draft to include the nonce from
the first request in the GSS channel bindings, to avoid re-encoding issues that
may surface with Kerberos implementations that do not correctly implement DER.
Zero nonce before encoding KDC-REQ-BODY to be used as channel binding
application data in GSS-API pre-authentication. This is because the nonce may
change between AS-REQs and the channel binding data should be invariant between
calls to GSS_Init_sec_context().
If GSS_Accept_sec_context() returns an error status and error token, ensure we
include the error token in the PA-GSS padata in the KRB-ERROR reply, rather
than bailing out early.
The target (acceptor) name for GSS-API pre-authentication should be the name of
the TGS, not the server name in the AS-REQ, as it is the KDC which is being
mutually authenticated. If the client is not requesting a TGT, they may differ.
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.
More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
