authorGreg Hudson <ghudson@mit.edu>2015-08-12 11:58:17 -0400
committerGreg Hudson <ghudson@mit.edu>2015-08-26 11:14:49 -0400
commit4e15c03b54464b661c6578f78de3bd348163fc07 (patch)
tree016186cdeceb26a05f34730ef2675306ff562709 /src/include/krb5
parent312b3bc29a0c52a0a82055f566241964532c2128 (diff)
Add secure cookie support
Remove the existing support for creating trivial cookies. Add new functions to fast_util.c for reading and generating secure cookies. Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow preauth mechs to retrieve and set cookie values. Based on a patch by Nathaniel McCallum. ticket: 8233 (new)
Diffstat (limited to 'src/include/krb5')
-rw-r--r--src/include/krb5/kdcpreauth_plugin.h21
-rw-r--r--src/include/krb5/krb5.hin2
2 files changed, 23 insertions, 0 deletions
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 356004f..f455eff 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -198,6 +198,27 @@ typedef struct krb5_kdcpreauth_callbacks_st {
krb5_kdcpreauth_rock rock,
const char *indicator);
+ /*
+ * Read a data value for pa_type from the request cookie, placing it in
+ * *out. The value placed there is an alias and must not be freed.
+ * Returns true if a value for pa_type was retrieved, false if not.
+ */
+ krb5_boolean (*get_cookie)(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_preauthtype pa_type, krb5_data *out);
+
+ /*
+ * Set a data value for pa_type to be sent in a secure cookie in the next
+ * error response. If pa_type is already present, the value is ignored.
+ * If the preauth mechanism has different preauth types for requests and
+ * responses, use the request type. Secure cookies are encrypted in a key
+ * known only to the KDCs, but can be replayed within a short time window
+ * for requests using the same client principal.
+ */
+ krb5_error_code (*set_cookie)(krb5_context context,
+ krb5_kdcpreauth_rock rock,
+ krb5_preauthtype pa_type,
+ const krb5_data *data);
+
/* End of version 3 kdcpreauth callbacks. */
} *krb5_kdcpreauth_callbacks;
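Review bot: The get_cookie comment says the value placed in *out is an alias that must not be freed, but it does not say how long that alias stays valid, which a mech that keeps the pointer beyond the callback invocation needs to know. If the storage is owned by the rock (as the rock parameter suggests, but the implementation is outside this hunk), the comment could add `The alias is valid only for the lifetime of rock; copy the data if it must be retained.` The set_cookie comment's "the value is ignored" case should likewise state what is returned, e.g. `(and 0 is returned)` if that is the behavior, so mechs do not mistake a silent ignore for a failure. The struct krb5_kdcpreauth_callbacks_st starts before this hunk, so whether the interface version number was bumped for the two new members is not visible here.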
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 55fa88e..0d19a65 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -1007,6 +1007,8 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype,
#define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55
#define KRB5_KEYUSAGE_AS_REQ 56
#define KRB5_KEYUSAGE_CAMMAC 64
+
+#define KRB5_KEYUSAGE_PA_FX_COOKIE 513 /**< Used for encrypted FAST cookies */
/** @} */ /* end of KRB5_KEYUSAGE group */
/**