Add FAST encrypted challenge auth indicator 627/head
authorMatt Rogers <mrogers@redhat.com>
Fri, 31 Mar 2017 02:18:24 +0000 (22:18 -0400)
committerGreg Hudson <ghudson@mit.edu>
Fri, 14 Apr 2017 16:20:58 +0000 (12:20 -0400)
During ec_verify(), look up an authentication indicator string by the
profile realm option "encrypted_challenge_indicator".  If found, add
an indicator to the reply upon successful creation of the challenge
key.  Add a test to t_authind.py.  Document the option in
kdc_conf.rst.

ticket: 8575 (new)

doc/admin/conf_files/kdc_conf.rst
src/include/k5-int.h
src/kdc/kdc_preauth_ec.c
src/tests/gssapi/t_authind.py

index 13077ecf4bc2900d2a9e7f3585873ebedbdc5ee7..d57723d129a2dc086e8b5875d79284c94b79f905 100644 (file)
@@ -198,6 +198,11 @@ The following tags may be specified in a [realms] subsection:
     if there is no policy assigned to the principal, no dictionary
     checks of passwords will be performed.
 
+**encrypted_challenge_indicator**
+    (String.)  Specifies the authentication indicator value that the KDC
+    asserts into tickets obtained using FAST encrypted challenge
+    pre-authentication.  New in 1.16.
+
 **host_based_services**
     (Whitespace- or comma-separated list.)  Lists services which will
     get host-based referral processing even if the server principal is
index 78ebaf3aa093f4d59a592f1e0313840d77af5b8e..360e08839b576639acc5173703eec99b35bbc155 100644 (file)
@@ -212,6 +212,7 @@ typedef unsigned char   u_char;
 #define KRB5_CONF_DNS_URI_LOOKUP               "dns_uri_lookup"
 #define KRB5_CONF_DOMAIN_REALM                 "domain_realm"
 #define KRB5_CONF_ENABLE_ONLY                  "enable_only"
+#define KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR "encrypted_challenge_indicator"
 #define KRB5_CONF_ERR_FMT                      "err_fmt"
 #define KRB5_CONF_EXTRA_ADDRESSES              "extra_addresses"
 #define KRB5_CONF_FORWARDABLE                  "forwardable"
index feef3683141cea393a756a83c2ea3bfb79b2d7c3..d29ab5381889f3d74c7d15baec35d8677f7c4b10 100644 (file)
@@ -66,6 +66,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
     krb5_keyblock *kdc_challenge_key;
     krb5_kdcpreauth_modreq modreq = NULL;
     int i = 0;
+    char *ai = NULL, *realmstr = NULL;
+    krb5_data realm = request->server->realm;
 
     plain.data = NULL;
 
@@ -84,6 +86,15 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         if (plain.data == NULL)
             retval = ENOMEM;
     }
+
+    /* Check for a configured FAST ec auth indicator. */
+    realmstr = k5memdup0(realm.data, realm.length, &retval);
+    if (realmstr != NULL)
+        retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+                                    realmstr,
+                                    KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR,
+                                    NULL, &ai);
+
     if (retval == 0)
         retval = cb->client_keys(context, rock, &client_keys);
     if (retval == 0) {
@@ -124,8 +135,11 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
              */
             if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
                                      &client_keys[i], "challengelongterm",
-                                     &kdc_challenge_key) == 0)
+                                     &kdc_challenge_key) == 0) {
                 modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key;
+                if (ai != NULL)
+                    cb->add_auth_indicator(context, rock, ai);
+            }
         } else { /*skew*/
             retval = KRB5KRB_AP_ERR_SKEW;
         }
@@ -137,6 +151,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
         krb5_free_enc_data(context, enc);
     if (ts)
         krb5_free_pa_enc_ts(context, ts);
+    free(realmstr);
+    free(ai);
 
     (*respond)(arg, retval, modreq, NULL, NULL);
 }
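Review bot: The realm lookup added in the second hunk overwrites retval unconditionally: k5memdup0() stores 0 into *code on success, so the ENOMEM set by the `if (plain.data == NULL)` branch directly above it (and, presumably, any earlier failure in the function such as a missing armor key or a failed decode) is discarded, and the `if (retval == 0)` chain below proceeds as though nothing failed, with enc and plain possibly NULL. Gate the lookup on the existing chain by adding `if (retval == 0) {` before the k5memdup0() call and the matching `}` after the profile_get_string() call. In the third hunk the return value of `cb->add_auth_indicator()` is dropped; if that callback can fail (it appears to return krb5_error_code), the configured indicator silently never reaches the ticket, so `retval = cb->add_auth_indicator(context, rock, ai);` would surface the failure instead. ec_verify() begins before the first hunk and the rest of its cleanup lives in the last one.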
index dfd0a9a04cc541776e01f6ae128b67921d79ed44..84793beb623f786a2e06b44e20156727be29d52a 100644 (file)
@@ -33,5 +33,20 @@ out = realm.run(['./t_srcattrs', 'p:service/2'])
 if '6f6e65' not in out or '74776f' not in out:
     fail('Expected auth indicator not seen in name attributes')
 
+realm.stop()
+
+# Test the FAST encrypted challenge auth indicator.
+kdcconf = {'realms': {'$realm': {'encrypted_challenge_indicator': 'fast'}}}
+realm = K5Realm(kdc_conf=kdcconf)
+realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ])
+realm.run([kadminl, 'xst', realm.host_princ])
+realm.kinit(realm.user_princ, password('user'))
+realm.kinit(realm.user_princ, password('user'), ['-T', realm.ccache])
+out = realm.run(['./t_srcattrs', 'p:' + realm.host_princ])
+if ('Attribute auth-indicators Authenticated Complete') not in out:
+    fail('Expected attribute type not seen')
+if '66617374' not in out:
+    fail('Expected auth indicator not seen in name attributes')
+
 realm.stop()
 success('GSSAPI auth indicator tests')
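Review bot: The parentheses around the string literal in `if ('Attribute auth-indicators Authenticated Complete') not in out:` are redundant and read like an intended tuple; the check just above it in the same file uses the bare form, so `if 'Attribute auth-indicators Authenticated Complete' not in out:` keeps the two consistent. The hex string `66617374` is opaque to a reader (as are `6f6e65` and `74776f` in the context lines); a short comment such as `# 'fast' as hex` beside the new check would say what is being matched.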