static inline krb5_error_code
fast_kdc_get_armor_key(krb5_context context,
- krb5_kdcpreauth_get_data_fn get_entry,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
+ krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_keyblock **armor_key)
{
krb5_error_code retval;
krb5_data *data;
- retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor,
- &data);
+ retval = (*get_data)(context, rock, krb5_kdcpreauth_fast_armor, &data);
if (retval == 0) {
*armor_key = (krb5_keyblock *) data->data;
data->data = NULL;
- get_entry(context, request, client,
- krb5_kdcpreauth_free_fast_armor, &data);
+ (*get_data)(context, rock, krb5_kdcpreauth_free_fast_armor, &data);
}
return retval;
}
static inline krb5_error_code
fast_kdc_replace_reply_key(krb5_context context,
- krb5_kdcpreauth_get_data_fn get_data,
- krb5_kdc_req *request)
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock)
{
return 0;
}
krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */
krb5_authdata **unenc_authdata; /**< Unencrypted authz data */
krb5_ticket **second_ticket; /**< Second ticket array (optional) */
- /*
- * The following field is added in March 2009; it is a hack so that FAST
- * state can be carried to pre-authentication plugins. A new plugin
- * interface may be a better long-term approach. It is believed to be safe
- * to extend this structure because it is not found in any public APIs.
- */
- void *kdc_state;
} krb5_kdc_req;
/**
* kdcpreauth plugin interface definition.
*/
-/* While arguments of these types are passed in, they are opaque to kdcpreauth
- * modules. */
-struct _krb5_db_entry_new;
-struct _krb5_key_data;
+/* Abstract type for a KDC callback data handle. */
+typedef struct krb5_kdcpreauth_rock_st *krb5_kdcpreauth_rock;
/* Abstract type for module data and per-request module data. */
typedef struct krb5_kdcpreauth_moddata_st *krb5_kdcpreauth_moddata;
krb5_kdcpreauth_max_time_skew = 2,
/*
* The returned krb5_data_item holds an array of krb5_keyblock structures,
- * terminated by an entry with key type = 0. Each keyblock should have its
- * contents freed in turn, and then the data item itself should be freed.
+ * containing the client keys, terminated by an entry with key type = 0.
+ * Each keyblock should have its contents freed in turn, and then the data
+ * item itself should be freed.
*/
krb5_kdcpreauth_keys = 3,
/*
* the keyblock using krb5_free_keyblock; in that case, this function
* simply frees the data.
*/
- krb5_kdcpreauth_free_fast_armor = 6
+ krb5_kdcpreauth_free_fast_armor = 6,
+ /*
+ * The returned krb5_data contains a pointer to the client DB entry. The
+ * pointer is an alias and should not be freed.
+ */
+ krb5_kdcpreauth_get_client = 7
};
typedef krb5_error_code
-(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *entry,
- krb5_int32 request_type,
- krb5_data **);
+(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_int32 request_type, krb5_data **);
/* Optional: preauth plugin initialization function. */
typedef krb5_error_code
*/
typedef krb5_error_code
(*krb5_kdcpreauth_edata_fn)(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_pa_data *pa_out);
*/
typedef void
(*krb5_kdcpreauth_verify_fn)(krb5_context context,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt, krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg);
typedef krb5_error_code
(*krb5_kdcpreauth_return_fn)(krb5_context context,
krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_kdc_rep *reply,
- struct _krb5_key_data *client_keys,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa_out,
krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
krb5_db_entry *client;
krb5_db_entry *server;
krb5_kdc_req *request;
+ struct krb5_kdcpreauth_rock_st rock;
const char *status;
krb5_pa_data **e_data;
krb5_boolean typed_e_data;
&state->enc_tkt_reply);
if (state->status) {
errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
- get_preauth_hint_list(state->request, state->client,
- state->server, &state->e_data);
+ get_preauth_hint_list(state->request, &state->rock, &state->e_data);
goto egress;
}
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto egress;
}
+ state->rock.client_key = client_key;
/* convert client.key_data into a real key */
if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
/* Fetch the padata info to be returned (do this before
* authdata to handle possible replacement of reply key
*/
- errcode = return_padata(kdc_context, state->client, state->req_pkt,
- state->request, &state->reply, client_key,
+ errcode = return_padata(kdc_context, &state->rock, state->req_pkt,
+ state->request, &state->reply,
&state->client_keyblock, &state->pa_context);
if (errcode) {
state->status = "KDC_RETURN_PADATA";
krb5_free_pa_data(kdc_context, state->e_data);
kdc_free_rstate(state->rstate);
- state->request->kdc_state = NULL;
krb5_free_kdc_req(kdc_context, state->request);
assert(did_log != 0);
if (errcode) {
if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
- get_preauth_hint_list(state->request, state->client,
- state->server, &state->e_data);
+ get_preauth_hint_list(state->request, &state->rock,
+ &state->e_data);
state->status = "PREAUTH_FAILED";
if (vague_errors)
state->cname = 0;
state->pa_context = NULL;
state->from = from;
+ memset(&state->rock, 0, sizeof(state->rock));
#if APPLE_PKINIT
asReqDebug("process_as_req top realm %s name %s\n",
state->status = "error decoding FAST";
goto errout;
}
- state->request->kdc_state = state->rstate;
+ state->rock.request = state->request;
+ state->rock.rstate = state->rstate;
if (!state->request->client) {
state->status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
state->status = "LOOKING_UP_CLIENT";
goto errout;
}
+ state->rock.client = state->client;
/*
* If the backend returned a principal that is not in the local
state->enc_tkt_reply.client = state->request->client;
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
+
/*
* Check the preauthentication if it is there.
*/
if (state->request->padata) {
- check_padata(kdc_context, state->client, state->req_pkt,
+ check_padata(kdc_context, &state->rock, state->req_pkt,
state->request, &state->enc_tkt_reply, &state->pa_context,
&state->e_data, &state->typed_e_data, finish_preauth,
state);
KRB5_PADATA_FX_COOKIE);
if (retval == 0) {
state->fast_options = fast_req->fast_options;
- if (request->kdc_state == state)
- request->kdc_state = NULL;
krb5_free_kdc_req( kdc_context, request);
*requestptr = fast_req->req_body;
fast_req->req_body = NULL;
} preauth_system;
static void
-verify_enc_timestamp(krb5_context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+verify_enc_timestamp(krb5_context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_verify_respond_fn respond,
- void *arg);
+ krb5_kdcpreauth_verify_respond_fn respond, void *arg);
static krb5_error_code
get_enc_ts(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata modata, krb5_pa_data *data);
static krb5_error_code
get_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data);
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data);
static krb5_error_code
int etype_info2);
static krb5_error_code
-return_etype_info(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply, krb5_key_data *client_key,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
static krb5_error_code
-return_etype_info2(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info2(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply, krb5_key_data *client_key,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
static krb5_error_code
-return_pw_salt(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_pw_salt(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq);
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq);
#if APPLE_PKINIT
}
/*
- * Retrieve a specific piece of information pertaining to the entry or the
+ * Retrieve a specific piece of information pertaining to the client entry or
* request and return it in a new krb5_data item which the caller must free.
*
* This may require massaging data into a contrived format, but it will
* modules.
*/
static krb5_error_code
-get_entry_data(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *entry, krb5_int32 type, krb5_data **result)
+get_data(krb5_context context, krb5_kdcpreauth_rock rock, krb5_int32 type,
+ krb5_data **result)
{
int i, k;
krb5_data *ret;
krb5_keyblock *keys;
krb5_key_data *entry_key;
krb5_error_code error;
- struct kdc_request_state *state = request->kdc_state;
+ krb5_kdc_req *request = rock->request;
+ struct kdc_request_state *state = rock->rstate;
+ krb5_db_entry *client = rock->client;
switch (type) {
case krb5_kdcpreauth_request_certificate:
- return get_entry_tl_data(context, entry,
- KRB5_TL_USER_CERTIFICATE, result);
+ return get_entry_tl_data(context, client, KRB5_TL_USER_CERTIFICATE,
+ result);
break;
case krb5_kdcpreauth_max_time_skew:
ret = malloc(sizeof(krb5_data));
k = 0;
for (i = 0; i < request->nktypes; i++) {
entry_key = NULL;
- if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
+ if (krb5_dbe_find_enctype(context, client, request->ktype[i],
-1, 0, &entry_key) != 0)
continue;
if (krb5_dbe_decrypt_key_data(context, NULL, entry_key,
}
free(*result);
return 0;
+ case krb5_kdcpreauth_get_client:
+ ret = malloc(sizeof(krb5_data));
+ if (ret == NULL)
+ return ENOMEM;
+ ret->data = (char *)&rock->client;
+ ret->length = sizeof(rock->client);
+ *result = ret;
+ return 0;
default:
break;
}
}
void
-get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
- krb5_db_entry *server, krb5_pa_data ***e_data_out)
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+ krb5_pa_data ***e_data_out)
{
int hw_only;
preauth_system *ap;
*e_data_out = NULL;
- hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
+ hw_only = isflagset(rock->client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
/* Allocate two extra entries for the cookie and the terminator. */
pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *));
if (pa_data == 0)
(*pa)->magic = KV5M_PA_DATA;
(*pa)->pa_type = ap->type;
if (ap->get_edata) {
- retval = ap->get_edata(kdc_context, request, client, server,
- get_entry_data, ap->moddata, *pa);
+ retval = ap->get_edata(kdc_context, request, get_data, rock,
+ ap->moddata, *pa);
if (retval) {
/* just failed on this type, continue */
free(*pa);
* If we fail to get the cookie it is probably
* still reasonable to continue with the response
*/
- kdc_preauth_get_cookie(request->kdc_state, pa);
+ kdc_preauth_get_cookie(rock->rstate, pa);
*e_data_out = pa_data;
pa_data = NULL;
krb5_pa_data **padata;
int pa_found;
krb5_context context;
- krb5_db_entry *client;
+ krb5_kdcpreauth_rock rock;
krb5_data *req_pkt;
krb5_kdc_req *request;
krb5_enc_tkt_part *enc_tkt_reply;
goto next;
state->pa_found++;
- state->pa_sys->verify_padata(state->context, state->client,
- state->req_pkt, state->request,
- state->enc_tkt_reply, *state->padata,
- get_entry_data, state->pa_sys->moddata,
- finish_verify_padata, state);
+ state->pa_sys->verify_padata(state->context, state->req_pkt,
+ state->request, state->enc_tkt_reply,
+ *state->padata, get_data, state->rock,
+ state->pa_sys->moddata, finish_verify_padata,
+ state);
return;
next:
*/
void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context, krb5_pa_data ***e_data,
- krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
- void *arg)
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+ krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+ kdc_preauth_respond_fn respond, void *arg)
{
struct padata_state *state;
state->respond = respond;
state->arg = arg;
state->context = context;
- state->client = client;
+ state->rock = rock;
state->req_pkt = req_pkt;
state->request = request;
state->enc_tkt_reply = enc_tkt_reply;
* structures which should be returned by the KDC to the client
*/
krb5_error_code
-return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- void **padata_context)
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, void **padata_context)
{
krb5_error_code retval;
krb5_pa_data ** padata;
}
}
}
- if ((retval = ap->return_padata(context, pa, client, req_pkt,
- request, reply,
- client_key, encrypting_key, send_pa,
- get_entry_data, ap->moddata,
- *modreq_ptr))) {
+ retval = ap->return_padata(context, pa, req_pkt, request, reply,
+ encrypting_key, send_pa, get_data, rock,
+ ap->moddata, *modreq_ptr);
+ if (retval)
goto cleanup;
- }
if (*send_pa)
send_pa++;
static krb5_error_code
get_enc_ts(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
- struct kdc_request_state *state = request->kdc_state;
- if (state->armor_key)
+ if (rock->rstate->armor_key != NULL)
return ENOENT;
return 0;
}
static void
-verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa,
- krb5_kdcpreauth_get_data_fn ets_get_entry_data,
+verify_enc_timestamp(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
start = 0;
decrypt_err = 0;
while (1) {
- if ((retval = krb5_dbe_search_enctype(context, client,
+ if ((retval = krb5_dbe_search_enctype(context, rock->client,
&start, enc_data->enctype,
-1, 0, &client_key)))
goto cleanup;
*/
static krb5_error_code
etype_info_helper(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data, int etype_info2)
+ krb5_db_entry *client, krb5_pa_data *pa_data,
+ int etype_info2)
{
krb5_etype_info_entry ** entry = 0;
krb5_key_data *client_key;
static krb5_error_code
get_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
int i;
* skip this
* type*/
}
- return etype_info_helper(context, request, client, server, pa_data, 0);
+ return etype_info_helper(context, request, rock->client, pa_data, 0);
}
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
- return etype_info_helper( context, request, client, server, pa_data, 1);
+ return etype_info_helper(context, request, rock->client, pa_data, 1);
}
static krb5_error_code
static krb5_error_code
return_etype_info2(krb5_context context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
- return etype_info_as_rep_helper(context, padata, client, request, reply,
- client_key, encrypting_key, send_pa, 1);
+ return etype_info_as_rep_helper(context, padata, rock->client, request,
+ reply, rock->client_key, encrypting_key,
+ send_pa, 1);
}
static krb5_error_code
-return_etype_info(krb5_context context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etypeget_entry_data,
- krb5_kdcpreauth_moddata moddata,
+return_etype_info(krb5_context context, krb5_pa_data *padata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
- return etype_info_as_rep_helper(context, padata, client, request, reply,
- client_key, encrypting_key, send_pa, 0);
+ return etype_info_as_rep_helper(context, padata, rock->client, request,
+ reply, rock->client_key, encrypting_key,
+ send_pa, 0);
}
static krb5_error_code
return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
- krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq)
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval;
krb5_pa_data * padata;
krb5_data * scratch;
krb5_data salt_data;
+ krb5_key_data * client_key = rock->client_key;
int i;
for (i = 0; i < request->nktypes; i++) {
static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn get_data_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
krb5_error_code retval = 0;
krb5_keyblock *armor_key = NULL;
- retval = fast_kdc_get_armor_key(context, get_data_proc, request, client,
- &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval)
return retval;
if (armor_key == 0)
}
static void
-kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
+kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
{
plain.data = NULL;
- retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval == 0 &&armor_key == NULL) {
retval = ENOENT;
krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel");
retval = ENOMEM;
}
if (retval == 0)
- retval = get_entry_proc(context, request, client,
- krb5_kdcpreauth_keys, &client_data);
+ retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_data);
if (retval == 0) {
client_keys = (krb5_keyblock *) client_data->data;
for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) {
* may cause the client to fail, but at this point the KDC has
* considered this a success, so the return value is ignored.
*/
- fast_kdc_replace_reply_key(context, get_entry_proc, request);
+ fast_kdc_replace_reply_key(context, get, rock);
if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
&client_keys[i], "challengelongterm",
&kdc_challenge_key) == 0)
static krb5_error_code
kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
- struct _krb5_db_entry_new *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- struct _krb5_key_data *client_keys,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval = 0;
krb5_db_entry *server,
krb5_enc_tkt_part *enc_tkt_reply);
void
-get_preauth_hint_list (krb5_kdc_req * request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_pa_data ***e_data_out);
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+ krb5_pa_data ***e_data_out);
void
load_preauth_plugins(krb5_context context);
void
typedef void (*kdc_preauth_respond_fn)(void *arg, krb5_error_code code);
void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context, krb5_pa_data ***e_data,
- krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
- void *state);
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+ krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+ kdc_preauth_respond_fn respond, void *state);
krb5_error_code
-return_padata (krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- void **padata_context);
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, void **padata_context);
void
free_padata_context(krb5_context context, void *padata_context);
krb5int_get_domain_realm_mapping(krb5_context context,
const char *host, char ***realmsp);
+/* Information handle for kdcpreauth callbacks. All pointers are aliases. */
+struct krb5_kdcpreauth_rock_st {
+ krb5_kdc_req *request;
+ krb5_db_entry *client;
+ krb5_key_data *client_key;
+ struct kdc_request_state *rstate;
+};
#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
clear_field(rep,authorization_data.ciphertext.data);
clear_field(rep,unenc_authdata);
clear_field(rep,second_ticket);
- clear_field(rep, kdc_state);
check_apptag(10);
retval = asn1_decode_kdc_req(&buf,rep);
clear_field(rep,authorization_data.ciphertext.data);
clear_field(rep,unenc_authdata);
clear_field(rep,second_ticket);
- clear_field(rep, kdc_state);
check_apptag(12);
retval = asn1_decode_kdc_req(&buf,rep);
{
if (val == NULL)
return;
- assert( val->kdc_state == NULL);
krb5_free_pa_data(context, val->padata);
krb5_free_principal(context, val->client);
krb5_free_principal(context, val->server);
/* Obtain and return any preauthentication data (which is destined for the
* client) which matches type data->pa_type. */
static krb5_error_code
-server_get_edata(krb5_context kcontext,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_pa_data *data)
+server_get_edata(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
krb5_data *key_data;
krb5_keyblock *keys, *key;
/* Retrieve the client's keys. */
key_data = NULL;
- if ((*server_get_entry_data)(kcontext, request, client,
- krb5_kdcpreauth_keys, &key_data) != 0) {
+ if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
/* Verify a request from a client. */
static void
server_verify(krb5_context kcontext,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
/* Pull up the client's keys. */
key_data = NULL;
- if ((*server_get_entry_data)(kcontext, request, client,
- krb5_kdcpreauth_keys, &key_data) != 0) {
+ if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
* extract the structure directly from the req_pkt structure. This
* will probably work if it's us on both ends, though. */
req_body = NULL;
- if ((*server_get_entry_data)(kcontext, request, client,
- krb5_kdcpreauth_request_body,
- &req_body) != 0) {
+ if ((*get)(kcontext, rock, krb5_kdcpreauth_request_body, &req_body) != 0) {
krb5_free_keyblock(kcontext, key);
stats->failures++;
(*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
static krb5_error_code
server_return(krb5_context kcontext,
krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_kdc_rep *reply,
- struct _krb5_key_data *client_key,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
+++ /dev/null
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-
-/*
- * Returns success with a null armor_key if FAST is available but not in use.
- * Returns failure if the client library does not support FAST.
- */
-static inline krb5_error_code
-fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data,
- krb5_clpreauth_rock rock, krb5_keyblock **armor_key)
-{
- krb5_error_code retval = 0;
- krb5_data *data;
- retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data);
- if (retval == 0) {
- *armor_key = (krb5_keyblock *) data->data;
- data->data = NULL;
- get_data(context, rock, krb5_clpreauth_free_fast_armor, &data);
- }
- return retval;
-}
-
-static inline krb5_error_code
-fast_kdc_get_armor_key(krb5_context context,
- krb5_kdcpreauth_get_data_fn get_entry,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- krb5_keyblock **armor_key)
-{
- krb5_error_code retval;
- krb5_data *data;
- retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor,
- &data);
- if (retval == 0) {
- *armor_key = (krb5_keyblock *) data->data;
- data->data = NULL;
- get_entry(context, request, client,
- krb5_kdcpreauth_free_fast_armor, &data);
- }
- return retval;
-}
-
-
-
-static inline krb5_error_code
-fast_kdc_replace_reply_key(krb5_context context,
- krb5_kdcpreauth_get_data_fn get_data,
- krb5_kdc_req *request)
-{
- return 0;
-}
-
-static inline krb5_error_code
-fast_set_kdc_verified(krb5_context context,
- krb5_clpreauth_get_data_fn get_data,
- krb5_clpreauth_rock rock)
-{
- return 0;
-}
pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
- pkinit_srv.c
+ $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
+ pkinit_accessor.h pkinit_crypto.h pkinit_srv.c
pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_constants.c
pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-platform.h \
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
#include "pkinit.h"
/* Remove when FAST PKINIT is settled. */
-#include "../fast_factor.h"
+#include "fast_factor.h"
/*
* It is anticipated that all the special checks currently
#include "pkinit.h"
/* Remove when FAST PKINIT is settled. */
-#include "../fast_factor.h"
+#include "fast_factor.h"
static krb5_error_code
pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob);
static krb5_error_code
pkinit_server_get_edata(krb5_context context,
krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_pa_data *data)
{
pkiDebug("pkinit_server_get_edata: entered!\n");
/* Remove (along with armor_key) when FAST PKINIT is settled. */
- retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
- client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval == 0 && armor_key != NULL) {
/* Don't advertise PKINIT if the client used FAST. */
krb5_free_keyblock(context, armor_key);
static void
pkinit_server_verify_padata(krb5_context context,
- struct _krb5_db_entry_new * client,
krb5_data *req_pkt,
krb5_kdc_req * request,
krb5_enc_tkt_part * enc_tkt_reply,
krb5_pa_data * data,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
}
/* Remove (along with armor_key) when FAST PKINIT is settled. */
- retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
- client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval == 0 && armor_key != NULL) {
/* Don't allow PKINIT if the client used FAST. */
krb5_free_keyblock(context, armor_key);
static krb5_error_code
pkinit_server_return_padata(krb5_context context,
krb5_pa_data * padata,
- struct _krb5_db_entry_new * client,
krb5_data *req_pkt,
krb5_kdc_req * request,
krb5_kdc_rep * reply,
- struct _krb5_key_data * client_key,
krb5_keyblock * encrypting_key,
krb5_pa_data ** send_pa,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
{ 0, 0 },
};
+static krb5_db_entry *
+get_client_entry(krb5_context context, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock)
+{
+ krb5_data *data;
+ krb5_db_entry *client;
+
+ (*get)(context, rock, krb5_kdcpreauth_get_client, &data);
+ client = *(krb5_db_entry **)data->data;
+ free(data);
+ return client;
+}
+
krb5_error_code
sam_get_db_entry(krb5_context context, krb5_principal client,
int *sam_type, struct _krb5_db_entry_new **db_entry)
static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
krb5_error_code retval;
krb5_sam_challenge_2 sc2;
krb5_sam_challenge_2_body sc2b;
int sam_type = 0; /* unknown */
- krb5_db_entry *sam_db_entry = NULL;
+ krb5_db_entry *sam_db_entry = NULL, *client;
krb5_data *encoded_challenge = NULL;
memset(&sc2, 0, sizeof(sc2));
sc2b.magic = KV5M_SAM_CHALLENGE_2;
sc2b.sam_type = sam_type;
+ client = get_client_entry(context, get, rock);
retval = sam_get_db_entry(context, client->princ, &sam_type,
&sam_db_entry);
if (retval)
return retval;
- retval = get_entry_proc(context, request, client,
- krb5_kdcpreauth_keys, &client_keys_data);
+ retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_keys_data);
if (retval)
goto cleanup;
client_key = (krb5_keyblock *) client_keys_data->data;
}
static void
-kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_verify_respond_fn respond,
- void *arg)
+kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *pa_data, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_verify_respond_fn respond, void *arg)
{
krb5_error_code retval, saved_retval = 0;
krb5_sam_response_2 *sr2 = NULL;
krb5_data scratch, *scratch2, *e_data = NULL;
char *client_name = NULL;
krb5_sam_challenge_2 *out_sc2 = NULL;
+ krb5_db_entry *client = get_client_entry(context, get, rock);
scratch.data = (char *) pa_data->contents;
scratch.length = pa_data->length;
static krb5_error_code
server_get_edata(krb5_context kcontext,
krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_pa_data *data)
{
/* Verify a request from a client. */
static void
server_verify(krb5_context kcontext,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
static krb5_error_code
server_return(krb5_context kcontext,
krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_kdc_rep *reply,
- struct _krb5_key_data *client_key,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
/* This module does a couple of dumb things. It tags its reply with