authorSam Hartman <hartmans@mit.edu>2009-12-28 17:15:30 +0000
committerSam Hartman <hartmans@mit.edu>2009-12-28 17:15:30 +0000
commitec49e6e673ab229462ef18aa2986167eaa643643 (patch)
tree625dba55e939a0073cf69f7b79c8c0010df991eb /src/lib/kadm5
parentc5479d0c5b29430a49cf3683513c1223a173ac4e (diff)
Anonymous support for Kerberos
This ticket implements Project/Anonymous pkinit from k5wiki. Provides support for completely anonymous principals and untested client support for realm-exposed anonymous authentication. * Introduce kinit -n * Introduce kadmin -n * krb5_get_init_creds_opt_set_out_ccache aliases the supplied ccache * No longer generate ad-initial-verified-cas in pkinit * Fix pkinit interactions with non-TGT authentication Merge remote branch 'anonymous' into trunk Conflicts: src/lib/krb5/krb/gic_opt.c ticket: 6607 Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23527 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5')
-rw-r--r--src/lib/kadm5/admin.h7
-rw-r--r--src/lib/kadm5/clnt/client_init.c60
-rw-r--r--src/lib/kadm5/clnt/libkadm5clnt.exports1
-rw-r--r--src/lib/kadm5/srv/libkadm5srv.exports1
-rw-r--r--src/lib/kadm5/srv/server_init.c13
5 files changed, 60 insertions, 22 deletions
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 4196a19..8fad111 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -338,6 +338,13 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name,
krb5_ui_4 api_version,
char **db_args,
void **server_handle);
+kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name,
+ char *service_name,
+ kadm5_config_params *params,
+ krb5_ui_4 struct_version,
+ krb5_ui_4 api_version,
+ char **db_args,
+ void **server_handle);
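Review bot: The new `kadm5_init_anonymous` prototype is added to the public header with no comment, while its parameter list is identical to `kadm5_init_with_password` minus the password, so a reader cannot tell from admin.h what "anonymous" changes. A short header comment above it would carry that contract, for example `/* Like kadm5_init_with_password(), but authenticate as the anonymous principal; no password is taken. */`. What client_name is used for on each side (the client implementation passes it to _kadm5_init_any, the server to kadm5_init, both outside this hunk) should be stated there by whoever knows the intended semantics, since the two implementations in this commit route it differently.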
kadm5_ret_t kadm5_init_with_password(krb5_context context,
char *client_name,
char *pass,
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index 95c4954..82033e9 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -59,7 +59,7 @@
#define ADM_CCACHE "/tmp/ovsec_adm.XXXXXX"
-enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS };
+enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS , INIT_ANONYMOUS};
static kadm5_ret_t _kadm5_init_any(krb5_context context,
char *client_name,
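Review bot: The new enumerator on the `+enum init_type` line has a stray space before the comma and none after it, which breaks the spacing used by the existing members. Write it as `enum init_type { INIT_PASS, INIT_SKEY, INIT_CREDS, INIT_ANONYMOUS };`.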
@@ -129,6 +129,19 @@ kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name,
api_version, db_args, server_handle);
}
+kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name,
+ char *service_name,
+ kadm5_config_params *params,
+ krb5_ui_4 struct_version,
+ krb5_ui_4 api_version,
+ char **db_args,
+ void **server_handle)
+{
+ return _kadm5_init_any(context, client_name, INIT_ANONYMOUS, NULL, NULL,
+ service_name, params, struct_version,
+ api_version, db_args, server_handle);
+}
+
kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass,
char *service_name,
kadm5_config_params *params,
@@ -343,7 +356,8 @@ static kadm5_ret_t _kadm5_init_any(krb5_context context, char *client_name,
* The RPC connection is open; establish the GSS-API
* authentication context.
*/
- code = kadm5_setup_gss(handle, params_in, client_name, full_svcname);
+ code = kadm5_setup_gss(handle, params_in, (init_type == INIT_CREDS)?client_name:NULL,
+ full_svcname);
if (code)
goto error;
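Review bot: The changed `kadm5_setup_gss` call now passes a NULL client name for every init type except INIT_CREDS, so INIT_PASS and INIT_SKEY callers also switch from an explicit GSS client name to the default credential, which is a wider behavior change than the anonymous support the commit describes. Presumably this works because the acquired credentials now land in the ccache via krb5_get_init_creds_opt_set_out_ccache and GSS picks them up by default, but that reasoning is not visible here and deserves a comment, e.g. `/* Only INIT_CREDS has a usable explicit client name; the other init types acquired their creds into ccache, so let GSS use the default credential. */`. The line is also over-long and missing spaces around the ternary; `(init_type == INIT_CREDS) ? client_name : NULL` on its own line reads better. The enclosing function _kadm5_init_any starts outside the hunk.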
@@ -490,7 +504,7 @@ kadm5_get_init_creds(kadm5_server_handle_t handle,
full_svcname, full_svcname_len);
if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
|| code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
- /* Retry with old host-independent service princpal. */
+ /* Retry with old host-independent service principal. */
code = kadm5_gic_iter(handle, init_type, ccache,
client, pass,
KADM5_ADMIN_SERVICE, realm,
@@ -525,7 +539,7 @@ kadm5_gic_iter(kadm5_server_handle_t handle,
kadm5_ret_t code;
krb5_context ctx;
krb5_keytab kt;
- krb5_get_init_creds_opt opt;
+ krb5_get_init_creds_opt *opt = NULL;
krb5_creds mcreds, outcreds;
int n;
@@ -540,29 +554,32 @@ kadm5_gic_iter(kadm5_server_handle_t handle,
if (realm) {
n = snprintf(full_svcname, full_svcname_len, "%s@%s",
svcname, realm);
- if (n < 0 || n >= full_svcname_len)
+ if (n < 0 || n >= (int) full_svcname_len)
goto error;
} else {
/* krb5_princ_realm(client) is not null terminated */
n = snprintf(full_svcname, full_svcname_len, "%s@%.*s",
svcname, krb5_princ_realm(ctx, client)->length,
krb5_princ_realm(ctx, client)->data);
- if (n < 0 || n >= full_svcname_len)
+ if (n < 0 || n >= (int) full_svcname_len)
goto error;
}
/* Credentials for kadmin don't need to be forwardable or proxiable. */
if (init_type != INIT_CREDS) {
- krb5_get_init_creds_opt_init(&opt);
- krb5_get_init_creds_opt_set_forwardable(&opt, 0);
- krb5_get_init_creds_opt_set_proxiable(&opt, 0);
+ code = krb5_get_init_creds_opt_alloc(ctx, &opt);
+ krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ krb5_get_init_creds_opt_set_proxiable(opt, 0);
+ krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache);
+ if (init_type == INIT_ANONYMOUS)
+ krb5_get_init_creds_opt_set_anonymous(opt, 1);
}
- if (init_type == INIT_PASS) {
+ if (init_type == INIT_PASS || init_type == INIT_ANONYMOUS) {
code = krb5_get_init_creds_password(ctx, &outcreds, client, pass,
krb5_prompter_posix,
NULL, 0,
- full_svcname, &opt);
+ full_svcname, opt);
if (code)
goto error;
} else if (init_type == INIT_SKEY) {
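Review bot: The return value of `krb5_get_init_creds_opt_alloc(ctx, &opt)` is stored in `code` but never checked, so on allocation failure the very next line calls krb5_get_init_creds_opt_set_forwardable on a NULL opt. Add `if (code) goto error;` immediately after the alloc line; the cleanup at the end of the function already tolerates a NULL opt, so the error path is safe. The result of krb5_get_init_creds_opt_set_out_ccache is likewise dropped, and since the later krb5_cc_store_cred was removed in this commit, a failure there would silently leave the ccache empty; checking it the same way is cheap. The later hunk at line 589 that switches the keytab path from `&opt` to `opt` is part of the same change and has no separate issue. kadm5_gic_iter starts outside this hunk.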
@@ -572,7 +589,7 @@ kadm5_gic_iter(kadm5_server_handle_t handle,
goto error;
}
code = krb5_get_init_creds_keytab(ctx, &outcreds, client, kt,
- 0, full_svcname, &opt);
+ 0, full_svcname, opt);
if (pass)
krb5_kt_close(ctx, kt);
if (code)
@@ -588,14 +605,10 @@ kadm5_gic_iter(kadm5_server_handle_t handle,
if (code)
goto error;
}
- if (init_type != INIT_CREDS) {
- /* Caller has initialized ccache. */
- code = krb5_cc_store_cred(ctx, ccache, &outcreds);
- if (code)
- goto error;
- }
error:
krb5_free_cred_contents(ctx, &outcreds);
+ if (opt)
+ krb5_get_init_creds_opt_free(ctx, opt);
return code;
}
@@ -644,10 +657,13 @@ kadm5_setup_gss(kadm5_server_handle_t handle,
goto error;
}
- buf.value = client_name;
- buf.length = strlen((char *)buf.value) + 1;
- gssstat = gss_import_name(&minor_stat, &buf,
- (gss_OID) gss_nt_krb5_name, &gss_client);
+ if (client_name) {
+ buf.value = client_name;
+ buf.length = strlen((char *)buf.value) + 1;
+ gssstat = gss_import_name(&minor_stat, &buf,
+ (gss_OID) gss_nt_krb5_name, &gss_client);
+ } else gss_client = GSS_C_NO_NAME;
+
if (gssstat != GSS_S_COMPLETE) {
code = KADM5_GSS_ERROR;
goto error;
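Review bot: In the new `else gss_client = GSS_C_NO_NAME;` branch `gssstat` is not assigned, yet the next line tests `gssstat != GSS_S_COMPLETE`, so the NULL-client path relies on whatever the previous GSS call left in that variable. That preceding call is outside the hunk and appears to have gone to error unless it succeeded, so the check probably passes today, but it is fragile and should be made explicit: `} else { gss_client = GSS_C_NO_NAME; gssstat = GSS_S_COMPLETE; }`. Bracing the else also brings it in line with the braced if-branch above it. kadm5_setup_gss starts outside this hunk.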
diff --git a/src/lib/kadm5/clnt/libkadm5clnt.exports b/src/lib/kadm5/clnt/libkadm5clnt.exports
index 6174847..5e81580 100644
--- a/src/lib/kadm5/clnt/libkadm5clnt.exports
+++ b/src/lib/kadm5/clnt/libkadm5clnt.exports
@@ -24,6 +24,7 @@ kadm5_get_principal
kadm5_get_principals
kadm5_get_privs
kadm5_init
+kadm5_init_anonymous
kadm5_init_krb5_context
kadm5_init_with_creds
kadm5_init_with_password
diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports
index 35745be..d8d3b22 100644
--- a/src/lib/kadm5/srv/libkadm5srv.exports
+++ b/src/lib/kadm5/srv/libkadm5srv.exports
@@ -40,6 +40,7 @@ kadm5_get_principal_keys
kadm5_get_principals
kadm5_get_privs
kadm5_init
+kadm5_init_anonymous
kadm5_init_krb5_context
kadm5_init_with_creds
kadm5_init_with_password
diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c
index ed71cbf..557ef0a 100644
--- a/src/lib/kadm5/srv/server_init.c
+++ b/src/lib/kadm5/srv/server_init.c
@@ -104,6 +104,19 @@ kadm5_ret_t kadm5_init_with_password(krb5_context context, char *client_name,
server_handle);
}
+kadm5_ret_t kadm5_init_anonymous(krb5_context context, char *client_name,
+ char *service_name,
+ kadm5_config_params *params,
+ krb5_ui_4 struct_version,
+ krb5_ui_4 api_version,
+ char **db_args,
+ void **server_handle)
+{
+ return kadm5_init(context, client_name, NULL, service_name, params,
+ struct_version, api_version, db_args,
+ server_handle);
+}
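Review bot: The server-side `kadm5_init_anonymous` is a plain forward to `kadm5_init` with a NULL password, so on this library it does not perform any anonymous authentication itself; whether kadm5_init treats a NULL pass specially is decided outside this hunk. A one-line comment would stop readers from expecting the client-side behavior here, e.g. `/* Server-side libkadm5 authenticates locally; this exists for API symmetry with the client library and behaves as kadm5_init() with no password. */`.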
+
kadm5_ret_t kadm5_init_with_creds(krb5_context context,
char *client_name,
krb5_ccache ccache,