Use an opaque handle in the kdcpreauth callback
authorGreg Hudson <ghudson@mit.edu>
Wed, 5 Oct 2011 17:27:15 +0000 (17:27 +0000)
committerGreg Hudson <ghudson@mit.edu>
Wed, 5 Oct 2011 17:27:15 +0000 (17:27 +0000)
Instead of passing a request and entry to the kdcpreauth get_data
callback, pass an opaque handle.  Remove DB entry and key data
parameters from kdcpreauth methods (but keep the request, since that's
transparent).

The SecurID plugin links against libkdb5 and needs access to the client
DB entry.  Rather than continue to pass a DB entry to kdcpreauth
methods, add a get_data callback to get the client DB entry for the few
plugins which might need it.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970

17 files changed:
src/include/fast_factor.h
src/include/krb5/krb5.hin
src/include/krb5/preauth_plugin.h
src/kdc/do_as_req.c
src/kdc/fast_util.c
src/kdc/kdc_preauth.c
src/kdc/kdc_preauth_ec.c
src/kdc/kdc_util.h
src/lib/krb5/asn.1/krb5_decode_kdc.c
src/lib/krb5/krb/kfree.c
src/plugins/preauth/cksum_body/cksum_body_main.c
src/plugins/preauth/fast_factor.h [deleted file]
src/plugins/preauth/pkinit/deps
src/plugins/preauth/pkinit/pkinit_clnt.c
src/plugins/preauth/pkinit/pkinit_srv.c
src/plugins/preauth/securid_sam2/securid_sam2_main.c
src/plugins/preauth/wpse/wpse_main.c

index 42f1b27a7f85063fd86712bbdd9254a03a277eeb..734d377797cdb2818244e30e4d2196c88e71e719 100644 (file)
@@ -47,20 +47,17 @@ fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data,
 
 static inline krb5_error_code
 fast_kdc_get_armor_key(krb5_context context,
-                       krb5_kdcpreauth_get_data_fn get_entry,
-                       krb5_kdc_req *request,
-                       struct _krb5_db_entry_new *client,
+                       krb5_kdcpreauth_get_data_fn get_data,
+                       krb5_kdcpreauth_rock rock,
                        krb5_keyblock **armor_key)
 {
     krb5_error_code retval;
     krb5_data *data;
-    retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor,
-                       &data);
+    retval = (*get_data)(context, rock, krb5_kdcpreauth_fast_armor, &data);
     if (retval == 0) {
         *armor_key = (krb5_keyblock *) data->data;
         data->data = NULL;
-        get_entry(context, request, client,
-                  krb5_kdcpreauth_free_fast_armor, &data);
+        (*get_data)(context, rock, krb5_kdcpreauth_free_fast_armor, &data);
     }
     return retval;
 }
@@ -69,8 +66,8 @@ fast_kdc_get_armor_key(krb5_context context,
 
 static inline krb5_error_code
 fast_kdc_replace_reply_key(krb5_context context,
-                           krb5_kdcpreauth_get_data_fn get_data,
-                           krb5_kdc_req *request)
+                           krb5_kdcpreauth_get_data_fn get,
+                           krb5_kdcpreauth_rock rock)
 {
     return 0;
 }
index 935ac864053fd9cd860787630fcd178261540919..3d9dbbfb7ec54fbd2f04a991c3066b4e581ec45a 100644 (file)
@@ -2012,13 +2012,6 @@ typedef struct _krb5_kdc_req {
     krb5_enc_data authorization_data;  /**< Encrypted authz data (optional) */
     krb5_authdata **unenc_authdata;    /**< Unencrypted authz data */
     krb5_ticket **second_ticket;       /**< Second ticket array (optional) */
-    /*
-     * The following field is added in March 2009; it is a hack so that FAST
-     * state can be carried to pre-authentication plugins.  A new plugin
-     * interface may be a better long-term approach.  It is believed to be safe
-     * to extend this structure because it is not found in any public APIs.
-     */
-    void *kdc_state;
 } krb5_kdc_req;
 
 /**
index 3f9dfcc351de3801caa125b677be64714026847d..c64cc369977f9054efa01b41735dc8133e99695d 100644 (file)
@@ -324,10 +324,8 @@ typedef struct krb5_clpreauth_vtable_st {
  * kdcpreauth plugin interface definition.
  */
 
-/* While arguments of these types are passed in, they are opaque to kdcpreauth
- * modules. */
-struct _krb5_db_entry_new;
-struct _krb5_key_data;
+/* Abstract type for a KDC callback data handle. */
+typedef struct krb5_kdcpreauth_rock_st *krb5_kdcpreauth_rock;
 
 /* Abstract type for module data and per-request module data. */
 typedef struct krb5_kdcpreauth_moddata_st *krb5_kdcpreauth_moddata;
@@ -346,8 +344,9 @@ enum krb5_kdcpreauth_request_type {
     krb5_kdcpreauth_max_time_skew = 2,
     /*
      * The returned krb5_data_item holds an array of krb5_keyblock structures,
-     * terminated by an entry with key type = 0.  Each keyblock should have its
-     * contents freed in turn, and then the data item itself should be freed.
+     * containing the client keys, terminated by an entry with key type = 0.
+     * Each keyblock should have its contents freed in turn, and then the data
+     * item itself should be freed.
      */
     krb5_kdcpreauth_keys = 3,
     /*
@@ -368,13 +367,16 @@ enum krb5_kdcpreauth_request_type {
      * the keyblock using krb5_free_keyblock; in that case, this function
      * simply frees the data.
      */
-    krb5_kdcpreauth_free_fast_armor = 6
+    krb5_kdcpreauth_free_fast_armor = 6,
+    /*
+     * The returned krb5_data contains a pointer to the client DB entry.  The
+     * pointer is an alias and should not be freed.
+     */
+    krb5_kdcpreauth_get_client = 7
 };
 typedef krb5_error_code
-(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdc_req *request,
-                               struct _krb5_db_entry_new *entry,
-                               krb5_int32 request_type,
-                               krb5_data **);
+(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdcpreauth_rock rock,
+                               krb5_int32 request_type, krb5_data **);
 
 /* Optional: preauth plugin initialization function. */
 typedef krb5_error_code
@@ -411,9 +413,8 @@ typedef int
  */
 typedef krb5_error_code
 (*krb5_kdcpreauth_edata_fn)(krb5_context context, krb5_kdc_req *request,
-                            struct _krb5_db_entry_new *client,
-                            struct _krb5_db_entry_new *server,
                             krb5_kdcpreauth_get_data_fn get_data,
+                            krb5_kdcpreauth_rock rock,
                             krb5_kdcpreauth_moddata moddata,
                             krb5_pa_data *pa_out);
 
@@ -441,11 +442,11 @@ typedef void
  */
 typedef void
 (*krb5_kdcpreauth_verify_fn)(krb5_context context,
-                             struct _krb5_db_entry_new *client,
                              krb5_data *req_pkt, krb5_kdc_req *request,
                              krb5_enc_tkt_part *enc_tkt_reply,
                              krb5_pa_data *data,
                              krb5_kdcpreauth_get_data_fn get_data,
+                             krb5_kdcpreauth_rock rock,
                              krb5_kdcpreauth_moddata moddata,
                              krb5_kdcpreauth_verify_respond_fn respond,
                              void *arg);
@@ -458,14 +459,13 @@ typedef void
 typedef krb5_error_code
 (*krb5_kdcpreauth_return_fn)(krb5_context context,
                              krb5_pa_data *padata,
-                             struct _krb5_db_entry_new *client,
                              krb5_data *req_pkt,
                              krb5_kdc_req *request,
                              krb5_kdc_rep *reply,
-                             struct _krb5_key_data *client_keys,
                              krb5_keyblock *encrypting_key,
                              krb5_pa_data **send_pa_out,
                              krb5_kdcpreauth_get_data_fn get_data,
+                             krb5_kdcpreauth_rock rock,
                              krb5_kdcpreauth_moddata moddata,
                              krb5_kdcpreauth_modreq modreq);
 
index 9102e26a060a62ec4bc2735554abd227ac36596a..8419a8cfc993cc5579add571f8a84638a3d035ef 100644 (file)
@@ -110,6 +110,7 @@ struct as_req_state {
     krb5_db_entry *client;
     krb5_db_entry *server;
     krb5_kdc_req *request;
+    struct krb5_kdcpreauth_rock_st rock;
     const char *status;
     krb5_pa_data **e_data;
     krb5_boolean typed_e_data;
@@ -156,8 +157,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
                                             &state->enc_tkt_reply);
     if (state->status) {
         errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
-        get_preauth_hint_list(state->request, state->client,
-                              state->server, &state->e_data);
+        get_preauth_hint_list(state->request, &state->rock, &state->e_data);
         goto egress;
     }
 
@@ -216,6 +216,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
         errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
         goto egress;
     }
+    state->rock.client_key = client_key;
 
     /* convert client.key_data into a real key */
     if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
@@ -254,8 +255,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
     /* Fetch the padata info to be returned (do this before
      *  authdata to handle possible replacement of reply key
      */
-    errcode = return_padata(kdc_context, state->client, state->req_pkt,
-                            state->request, &state->reply, client_key,
+    errcode = return_padata(kdc_context, &state->rock, state->req_pkt,
+                            state->request, &state->reply,
                             &state->client_keyblock, &state->pa_context);
     if (errcode) {
         state->status = "KDC_RETURN_PADATA";
@@ -409,7 +410,6 @@ egress:
 
     krb5_free_pa_data(kdc_context, state->e_data);
     kdc_free_rstate(state->rstate);
-    state->request->kdc_state = NULL;
     krb5_free_kdc_req(kdc_context, state->request);
     assert(did_log != 0);
 
@@ -424,8 +424,8 @@ finish_preauth(void *arg, krb5_error_code errcode)
 
     if (errcode) {
         if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
-            get_preauth_hint_list(state->request, state->client,
-                                  state->server, &state->e_data);
+            get_preauth_hint_list(state->request, &state->rock,
+                                  &state->e_data);
 
         state->status = "PREAUTH_FAILED";
         if (vague_errors)
@@ -475,6 +475,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     state->cname = 0;
     state->pa_context = NULL;
     state->from = from;
+    memset(&state->rock, 0, sizeof(state->rock));
 
 #if APPLE_PKINIT
     asReqDebug("process_as_req top realm %s name %s\n",
@@ -503,7 +504,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         state->status = "error decoding FAST";
         goto errout;
     }
-    state->request->kdc_state = state->rstate;
+    state->rock.request = state->request;
+    state->rock.rstate = state->rstate;
     if (!state->request->client) {
         state->status = "NULL_CLIENT";
         errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -560,6 +562,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         state->status = "LOOKING_UP_CLIENT";
         goto errout;
     }
+    state->rock.client = state->client;
 
     /*
      * If the backend returned a principal that is not in the local
@@ -749,11 +752,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
         state->enc_tkt_reply.client = state->request->client;
         setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
     }
+
     /*
      * Check the preauthentication if it is there.
      */
     if (state->request->padata) {
-        check_padata(kdc_context, state->client, state->req_pkt,
+        check_padata(kdc_context, &state->rock, state->req_pkt,
                      state->request, &state->enc_tkt_reply, &state->pa_context,
                      &state->e_data, &state->typed_e_data, finish_preauth,
                      state);
index 52eb997224da4166d57235c32884565c8c606b64..96c8c1394a9bb449391975253027640383afb5f5 100644 (file)
@@ -223,8 +223,6 @@ kdc_find_fast(krb5_kdc_req **requestptr,
                                          KRB5_PADATA_FX_COOKIE);
         if (retval == 0) {
             state->fast_options = fast_req->fast_options;
-            if (request->kdc_state == state)
-                request->kdc_state = NULL;
             krb5_free_kdc_req( kdc_context, request);
             *requestptr = fast_req->req_body;
             fast_req->req_body = NULL;
index c94d9fefb7858a5b4a9c3f8daabffd4daf19de6a..87586d7005a4968cb764216bd1d39f977c7f825a 100644 (file)
@@ -105,30 +105,26 @@ typedef struct preauth_system_st {
 } preauth_system;
 
 static void
-verify_enc_timestamp(krb5_context, krb5_db_entry *client, krb5_data *req_pkt,
-                     krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
-                     krb5_pa_data *data,
-                     krb5_kdcpreauth_get_data_fn get_entry_data,
+verify_enc_timestamp(krb5_context, krb5_data *req_pkt, krb5_kdc_req *request,
+                     krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
+                     krb5_kdcpreauth_get_data_fn get,
+                     krb5_kdcpreauth_rock rock,
                      krb5_kdcpreauth_moddata moddata,
-                     krb5_kdcpreauth_verify_respond_fn respond,
-                     void *arg);
+                     krb5_kdcpreauth_verify_respond_fn respond, void *arg);
 
 static krb5_error_code
 get_enc_ts(krb5_context context, krb5_kdc_req *request,
-           krb5_db_entry *client, krb5_db_entry *server,
-           krb5_kdcpreauth_get_data_fn get_entry_data,
+           krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
            krb5_kdcpreauth_moddata modata, krb5_pa_data *data);
 
 static krb5_error_code
 get_etype_info(krb5_context context, krb5_kdc_req *request,
-               krb5_db_entry *client, krb5_db_entry *server,
-               krb5_kdcpreauth_get_data_fn get_entry_data,
+               krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
                krb5_kdcpreauth_moddata moddata, krb5_pa_data *data);
 
 static krb5_error_code
 get_etype_info2(krb5_context context, krb5_kdc_req *request,
-                krb5_db_entry *client, krb5_db_entry *server,
-                krb5_kdcpreauth_get_data_fn get_entry_data,
+                krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
                 krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data);
 
 static krb5_error_code
@@ -141,31 +137,27 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
                          int etype_info2);
 
 static krb5_error_code
-return_etype_info(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info(krb5_context, krb5_pa_data *padata,
                   krb5_data *req_pkt, krb5_kdc_req *request,
-                  krb5_kdc_rep *reply, krb5_key_data *client_key,
-                  krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
-                  krb5_kdcpreauth_get_data_fn get_entry_data,
-                  krb5_kdcpreauth_moddata moddata,
+                  krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+                  krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+                  krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
                   krb5_kdcpreauth_modreq modreq);
 
 static krb5_error_code
-return_etype_info2(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info2(krb5_context, krb5_pa_data *padata,
                    krb5_data *req_pkt, krb5_kdc_req *request,
-                   krb5_kdc_rep *reply, krb5_key_data *client_key,
-                   krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
-                   krb5_kdcpreauth_get_data_fn get_entry_data,
-                   krb5_kdcpreauth_moddata moddata,
+                   krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+                   krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+                   krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
                    krb5_kdcpreauth_modreq modreq);
 
 static krb5_error_code
-return_pw_salt(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_pw_salt(krb5_context, krb5_pa_data *padata,
                krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
-               krb5_key_data *client_key, krb5_keyblock *encrypting_key,
-               krb5_pa_data **send_pa,
-               krb5_kdcpreauth_get_data_fn get_entry_data,
-               krb5_kdcpreauth_moddata moddata,
-               krb5_kdcpreauth_modreq modreq);
+               krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+               krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+               krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq);
 
 
 #if APPLE_PKINIT
@@ -547,7 +539,7 @@ get_entry_tl_data(krb5_context context, krb5_db_entry *entry,
 }
 
 /*
- * Retrieve a specific piece of information pertaining to the entry or the
+ * Retrieve a specific piece of information pertaining to the client entry or
  * request and return it in a new krb5_data item which the caller must free.
  *
  * This may require massaging data into a contrived format, but it will
@@ -555,8 +547,8 @@ get_entry_tl_data(krb5_context context, krb5_db_entry *entry,
  * modules.
  */
 static krb5_error_code
-get_entry_data(krb5_context context, krb5_kdc_req *request,
-               krb5_db_entry *entry, krb5_int32 type, krb5_data **result)
+get_data(krb5_context context, krb5_kdcpreauth_rock rock, krb5_int32 type,
+         krb5_data **result)
 {
     int i, k;
     krb5_data *ret;
@@ -564,12 +556,14 @@ get_entry_data(krb5_context context, krb5_kdc_req *request,
     krb5_keyblock *keys;
     krb5_key_data *entry_key;
     krb5_error_code error;
-    struct kdc_request_state *state = request->kdc_state;
+    krb5_kdc_req *request = rock->request;
+    struct kdc_request_state *state = rock->rstate;
+    krb5_db_entry *client = rock->client;
 
     switch (type) {
     case krb5_kdcpreauth_request_certificate:
-        return get_entry_tl_data(context, entry,
-                                 KRB5_TL_USER_CERTIFICATE, result);
+        return get_entry_tl_data(context, client, KRB5_TL_USER_CERTIFICATE,
+                                 result);
         break;
     case krb5_kdcpreauth_max_time_skew:
         ret = malloc(sizeof(krb5_data));
@@ -601,7 +595,7 @@ get_entry_data(krb5_context context, krb5_kdc_req *request,
         k = 0;
         for (i = 0; i < request->nktypes; i++) {
             entry_key = NULL;
-            if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
+            if (krb5_dbe_find_enctype(context, client, request->ktype[i],
                                       -1, 0, &entry_key) != 0)
                 continue;
             if (krb5_dbe_decrypt_key_data(context, NULL, entry_key,
@@ -654,6 +648,14 @@ get_entry_data(krb5_context context, krb5_kdc_req *request,
         }
         free(*result);
         return 0;
+    case krb5_kdcpreauth_get_client:
+        ret = malloc(sizeof(krb5_data));
+        if (ret == NULL)
+            return ENOMEM;
+        ret->data = (char *)&rock->client;
+        ret->length = sizeof(rock->client);
+        *result = ret;
+        return 0;
     default:
         break;
     }
@@ -820,8 +822,8 @@ const char *missing_required_preauth(krb5_db_entry *client,
 }
 
 void
-get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
-                      krb5_db_entry *server, krb5_pa_data ***e_data_out)
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+                      krb5_pa_data ***e_data_out)
 {
     int hw_only;
     preauth_system *ap;
@@ -830,7 +832,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
 
     *e_data_out = NULL;
 
-    hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
+    hw_only = isflagset(rock->client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
     /* Allocate two extra entries for the cookie and the terminator. */
     pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *));
     if (pa_data == 0)
@@ -849,8 +851,8 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
         (*pa)->magic = KV5M_PA_DATA;
         (*pa)->pa_type = ap->type;
         if (ap->get_edata) {
-            retval = ap->get_edata(kdc_context, request, client, server,
-                                   get_entry_data, ap->moddata, *pa);
+            retval = ap->get_edata(kdc_context, request, get_data, rock,
+                                   ap->moddata, *pa);
             if (retval) {
                 /* just failed on this type, continue */
                 free(*pa);
@@ -869,7 +871,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
      * If we fail to get the cookie it is probably
      * still reasonable to continue with the response
      */
-    kdc_preauth_get_cookie(request->kdc_state, pa);
+    kdc_preauth_get_cookie(rock->rstate, pa);
 
     *e_data_out = pa_data;
     pa_data = NULL;
@@ -937,7 +939,7 @@ struct padata_state {
     krb5_pa_data **padata;
     int pa_found;
     krb5_context context;
-    krb5_db_entry *client;
+    krb5_kdcpreauth_rock rock;
     krb5_data *req_pkt;
     krb5_kdc_req *request;
     krb5_enc_tkt_part *enc_tkt_reply;
@@ -1135,11 +1137,11 @@ next_padata(struct padata_state *state)
         goto next;
 
     state->pa_found++;
-    state->pa_sys->verify_padata(state->context, state->client,
-                                 state->req_pkt, state->request,
-                                 state->enc_tkt_reply, *state->padata,
-                                 get_entry_data, state->pa_sys->moddata,
-                                 finish_verify_padata, state);
+    state->pa_sys->verify_padata(state->context, state->req_pkt,
+                                 state->request, state->enc_tkt_reply,
+                                 *state->padata, get_data, state->rock,
+                                 state->pa_sys->moddata, finish_verify_padata,
+                                 state);
     return;
 
 next:
@@ -1155,11 +1157,11 @@ next:
  */
 
 void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
-              krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
-              void **padata_context, krb5_pa_data ***e_data,
-              krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
-              void *arg)
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+             krb5_data *req_pkt, krb5_kdc_req *request,
+             krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+             krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+             kdc_preauth_respond_fn respond, void *arg)
 {
     struct padata_state *state;
 
@@ -1182,7 +1184,7 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
     state->respond = respond;
     state->arg = arg;
     state->context = context;
-    state->client = client;
+    state->rock = rock;
     state->req_pkt = req_pkt;
     state->request = request;
     state->enc_tkt_reply = enc_tkt_reply;
@@ -1203,10 +1205,9 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
  * structures which should be returned by the KDC to the client
  */
 krb5_error_code
-return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
-              krb5_kdc_req *request, krb5_kdc_rep *reply,
-              krb5_key_data *client_key, krb5_keyblock *encrypting_key,
-              void **padata_context)
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+              krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+              krb5_keyblock *encrypting_key, void **padata_context)
 {
     krb5_error_code             retval;
     krb5_pa_data **             padata;
@@ -1280,13 +1281,11 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
                 }
             }
         }
-        if ((retval = ap->return_padata(context, pa, client, req_pkt,
-                                        request, reply,
-                                        client_key, encrypting_key, send_pa,
-                                        get_entry_data, ap->moddata,
-                                        *modreq_ptr))) {
+        retval = ap->return_padata(context, pa, req_pkt, request, reply,
+                                   encrypting_key, send_pa, get_data, rock,
+                                   ap->moddata, *modreq_ptr);
+        if (retval)
             goto cleanup;
-        }
 
         if (*send_pa)
             send_pa++;
@@ -1322,22 +1321,20 @@ request_contains_enctype(krb5_context context,  const krb5_kdc_req *request,
 
 static krb5_error_code
 get_enc_ts(krb5_context context, krb5_kdc_req *request,
-           krb5_db_entry *client, krb5_db_entry *server,
-           krb5_kdcpreauth_get_data_fn get_entry_data_proc,
+           krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
            krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
 {
-    struct kdc_request_state *state = request->kdc_state;
-    if (state->armor_key)
+    if (rock->rstate->armor_key != NULL)
         return ENOENT;
     return 0;
 }
 
 
 static void
-verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
-                     krb5_data *req_pkt, krb5_kdc_req *request,
-                     krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa,
-                     krb5_kdcpreauth_get_data_fn ets_get_entry_data,
+verify_enc_timestamp(krb5_context context, krb5_data *req_pkt,
+                     krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+                     krb5_pa_data *pa, krb5_kdcpreauth_get_data_fn get,
+                     krb5_kdcpreauth_rock rock,
                      krb5_kdcpreauth_moddata moddata,
                      krb5_kdcpreauth_verify_respond_fn respond,
                      void *arg)
@@ -1368,7 +1365,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
     start = 0;
     decrypt_err = 0;
     while (1) {
-        if ((retval = krb5_dbe_search_enctype(context, client,
+        if ((retval = krb5_dbe_search_enctype(context, rock->client,
                                               &start, enc_data->enctype,
                                               -1, 0, &client_key)))
             goto cleanup;
@@ -1492,8 +1489,8 @@ fail:
  */
 static krb5_error_code
 etype_info_helper(krb5_context context, krb5_kdc_req *request,
-                  krb5_db_entry *client, krb5_db_entry *server,
-                  krb5_pa_data *pa_data, int etype_info2)
+                  krb5_db_entry *client, krb5_pa_data *pa_data,
+                  int etype_info2)
 {
     krb5_etype_info_entry **    entry = 0;
     krb5_key_data               *client_key;
@@ -1579,8 +1576,7 @@ cleanup:
 
 static krb5_error_code
 get_etype_info(krb5_context context, krb5_kdc_req *request,
-               krb5_db_entry *client, krb5_db_entry *server,
-               krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+               krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
                krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
 {
     int i;
@@ -1590,16 +1586,15 @@ get_etype_info(krb5_context context, krb5_kdc_req *request,
                                                         * skip this
                                                         * type*/
     }
-    return etype_info_helper(context, request, client, server, pa_data, 0);
+    return etype_info_helper(context, request, rock->client, pa_data, 0);
 }
 
 static krb5_error_code
 get_etype_info2(krb5_context context, krb5_kdc_req *request,
-                krb5_db_entry *client, krb5_db_entry *server,
-                krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+                krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
                 krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
 {
-    return etype_info_helper( context, request, client, server, pa_data, 1);
+    return etype_info_helper(context, request, rock->client, pa_data, 1);
 }
 
 static krb5_error_code
@@ -1681,51 +1676,43 @@ cleanup:
 
 static krb5_error_code
 return_etype_info2(krb5_context context, krb5_pa_data * padata,
-                   krb5_db_entry *client,
-                   krb5_data *req_pkt,
-                   krb5_kdc_req *request, krb5_kdc_rep *reply,
-                   krb5_key_data *client_key,
-                   krb5_keyblock *encrypting_key,
-                   krb5_pa_data **send_pa,
-                   krb5_kdcpreauth_get_data_fn etype_get_entry_data,
-                   krb5_kdcpreauth_moddata moddata,
+                   krb5_data *req_pkt, krb5_kdc_req *request,
+                   krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+                   krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+                   krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
                    krb5_kdcpreauth_modreq modreq)
 {
-    return etype_info_as_rep_helper(context, padata, client, request, reply,
-                                    client_key, encrypting_key, send_pa, 1);
+    return etype_info_as_rep_helper(context, padata, rock->client, request,
+                                    reply, rock->client_key, encrypting_key,
+                                    send_pa, 1);
 }
 
 
 static krb5_error_code
-return_etype_info(krb5_context context, krb5_pa_data * padata,
-                  krb5_db_entry *client,
-                  krb5_data *req_pkt,
-                  krb5_kdc_req *request, krb5_kdc_rep *reply,
-                  krb5_key_data *client_key,
-                  krb5_keyblock *encrypting_key,
-                  krb5_pa_data **send_pa,
-                  krb5_kdcpreauth_get_data_fn etypeget_entry_data,
-                  krb5_kdcpreauth_moddata moddata,
+return_etype_info(krb5_context context, krb5_pa_data *padata,
+                  krb5_data *req_pkt, krb5_kdc_req *request,
+                  krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+                  krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+                  krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
                   krb5_kdcpreauth_modreq modreq)
 {
-    return etype_info_as_rep_helper(context, padata, client, request, reply,
-                                    client_key, encrypting_key, send_pa, 0);
+    return etype_info_as_rep_helper(context, padata, rock->client, request,
+                                    reply, rock->client_key, encrypting_key,
+                                    send_pa, 0);
 }
 
 static krb5_error_code
 return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
-               krb5_db_entry *client, krb5_data *req_pkt,
-               krb5_kdc_req *request, krb5_kdc_rep *reply,
-               krb5_key_data *client_key, krb5_keyblock *encrypting_key,
-               krb5_pa_data **send_pa,
-               krb5_kdcpreauth_get_data_fn etype_get_entry_data,
-               krb5_kdcpreauth_moddata moddata,
-               krb5_kdcpreauth_modreq modreq)
+               krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+               krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+               krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+               krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
 {
     krb5_error_code     retval;
     krb5_pa_data *      padata;
     krb5_data *         scratch;
     krb5_data           salt_data;
+    krb5_key_data *     client_key = rock->client_key;
     int i;
 
     for (i = 0; i < request->nktypes; i++) {
index 24b6675078981ea41bd20aa03dd0bdf09216d007..62fa615e01fb09a6f2f3a06319fcfd00890b02f8 100644 (file)
 
 static krb5_error_code
 kdc_include_padata(krb5_context context, krb5_kdc_req *request,
-                   struct _krb5_db_entry_new *client,
-                   struct _krb5_db_entry_new *server,
-                   krb5_kdcpreauth_get_data_fn get_data_proc,
+                   krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
                    krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
 {
     krb5_error_code retval = 0;
     krb5_keyblock *armor_key = NULL;
-    retval = fast_kdc_get_armor_key(context, get_data_proc, request, client,
-                                    &armor_key);
+    retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
     if (retval)
         return retval;
     if (armor_key == 0)
@@ -54,11 +51,10 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request,
 }
 
 static void
-kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
-                   krb5_data *req_pkt, krb5_kdc_req *request,
-                   krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
-                   krb5_kdcpreauth_get_data_fn get_entry_proc,
-                   krb5_kdcpreauth_moddata moddata,
+kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
+                   krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+                   krb5_pa_data *data, krb5_kdcpreauth_get_data_fn get,
+                   krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
                    krb5_kdcpreauth_verify_respond_fn respond,
                    void *arg)
 {
@@ -77,7 +73,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
 
     plain.data = NULL;
 
-    retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key);
+    retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
     if (retval == 0 &&armor_key == NULL) {
         retval = ENOENT;
         krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel");
@@ -93,8 +89,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
             retval = ENOMEM;
     }
     if (retval == 0)
-        retval = get_entry_proc(context, request, client,
-                                krb5_kdcpreauth_keys, &client_data);
+        retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_data);
     if (retval == 0) {
         client_keys = (krb5_keyblock *) client_data->data;
         for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) {
@@ -138,7 +133,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
              * may cause the client to fail, but at this point the KDC has
              * considered this a success, so the return value is ignored.
              */
-            fast_kdc_replace_reply_key(context, get_entry_proc, request);
+            fast_kdc_replace_reply_key(context, get, rock);
             if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
                                      &client_keys[i], "challengelongterm",
                                      &kdc_challenge_key) == 0)
@@ -166,12 +161,10 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
 
 static krb5_error_code
 kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
-                   struct _krb5_db_entry_new *client, krb5_data *req_pkt,
-                   krb5_kdc_req *request, krb5_kdc_rep *reply,
-                   struct _krb5_key_data *client_keys,
-                   krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
-                   krb5_kdcpreauth_get_data_fn get_entry_proc,
-                   krb5_kdcpreauth_moddata moddata,
+                   krb5_data *req_pkt, krb5_kdc_req *request,
+                   krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+                   krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+                   krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
                    krb5_kdcpreauth_modreq modreq)
 {
     krb5_error_code retval = 0;
index e0be83fe6135d63594c6edb84be908166e97c590..6d91822ff09aea191eee97d879e117a3cd012fe0 100644 (file)
@@ -167,10 +167,8 @@ missing_required_preauth (krb5_db_entry *client,
                           krb5_db_entry *server,
                           krb5_enc_tkt_part *enc_tkt_reply);
 void
-get_preauth_hint_list (krb5_kdc_req * request,
-                       krb5_db_entry *client,
-                       krb5_db_entry *server,
-                       krb5_pa_data ***e_data_out);
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+                      krb5_pa_data ***e_data_out);
 void
 load_preauth_plugins(krb5_context context);
 void
@@ -179,18 +177,16 @@ unload_preauth_plugins(krb5_context context);
 typedef void (*kdc_preauth_respond_fn)(void *arg, krb5_error_code code);
 
 void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
-              krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
-              void **padata_context, krb5_pa_data ***e_data,
-              krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
-              void *state);
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+             krb5_data *req_pkt, krb5_kdc_req *request,
+             krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+             krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+             kdc_preauth_respond_fn respond, void *state);
 
 krb5_error_code
-return_padata (krb5_context context, krb5_db_entry *client,
-               krb5_data *req_pkt, krb5_kdc_req *request,
-               krb5_kdc_rep *reply,
-               krb5_key_data *client_key, krb5_keyblock *encrypting_key,
-               void **padata_context);
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+              krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+              krb5_keyblock *encrypting_key, void **padata_context);
 
 void
 free_padata_context(krb5_context context, void *padata_context);
@@ -380,6 +376,13 @@ krb5_error_code
 krb5int_get_domain_realm_mapping(krb5_context context,
                                  const char *host, char ***realmsp);
 
+/* Information handle for kdcpreauth callbacks.  All pointers are aliases. */
+struct krb5_kdcpreauth_rock_st {
+    krb5_kdc_req *request;
+    krb5_db_entry *client;
+    krb5_key_data *client_key;
+    struct kdc_request_state *rstate;
+};
 
 #define isflagset(flagfield, flag) (flagfield & (flag))
 #define setflag(flagfield, flag) (flagfield |= (flag))
index ac6ef20569d333aaec15be02898a743f10b9d51e..4f1c91d87771c4ad8d33379b97e10f564c86034e 100644 (file)
@@ -41,7 +41,6 @@ decode_krb5_as_req(const krb5_data *code, krb5_kdc_req **repptr)
     clear_field(rep,authorization_data.ciphertext.data);
     clear_field(rep,unenc_authdata);
     clear_field(rep,second_ticket);
-    clear_field(rep, kdc_state);
 
     check_apptag(10);
     retval = asn1_decode_kdc_req(&buf,rep);
@@ -69,7 +68,6 @@ decode_krb5_tgs_req(const krb5_data *code, krb5_kdc_req **repptr)
     clear_field(rep,authorization_data.ciphertext.data);
     clear_field(rep,unenc_authdata);
     clear_field(rep,second_ticket);
-    clear_field(rep, kdc_state);
 
     check_apptag(12);
     retval = asn1_decode_kdc_req(&buf,rep);
index 071a9772845086019a0355865f64cddc9bdcbd05..2a323ec6f14896d1e2b2de9a2b56e9cebb273be5 100644 (file)
@@ -339,7 +339,6 @@ krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val)
 {
     if (val == NULL)
         return;
-    assert( val->kdc_state == NULL);
     krb5_free_pa_data(context, val->padata);
     krb5_free_principal(context, val->client);
     krb5_free_principal(context, val->server);
index 06ba14d5a96e5a6e60f801dafa48b82f17d0624d..144ab6d961ab616f27ac0715535f8958f768f602 100644 (file)
@@ -272,13 +272,9 @@ server_fini(krb5_context kcontext, krb5_kdcpreauth_moddata moddata)
 /* Obtain and return any preauthentication data (which is destined for the
  * client) which matches type data->pa_type. */
 static krb5_error_code
-server_get_edata(krb5_context kcontext,
-                 krb5_kdc_req *request,
-                 struct _krb5_db_entry_new *client,
-                 struct _krb5_db_entry_new *server,
-                 krb5_kdcpreauth_get_data_fn server_get_entry_data,
-                 krb5_kdcpreauth_moddata moddata,
-                 krb5_pa_data *data)
+server_get_edata(krb5_context kcontext, krb5_kdc_req *request,
+                 krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+                 krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
 {
     krb5_data *key_data;
     krb5_keyblock *keys, *key;
@@ -287,8 +283,7 @@ server_get_edata(krb5_context kcontext,
 
     /* Retrieve the client's keys. */
     key_data = NULL;
-    if ((*server_get_entry_data)(kcontext, request, client,
-                                 krb5_kdcpreauth_keys, &key_data) != 0) {
+    if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) {
 #ifdef DEBUG
         fprintf(stderr, "Error retrieving client keys.\n");
 #endif
@@ -331,12 +326,12 @@ server_get_edata(krb5_context kcontext,
 /* Verify a request from a client. */
 static void
 server_verify(krb5_context kcontext,
-              struct _krb5_db_entry_new *client,
               krb5_data *req_pkt,
               krb5_kdc_req *request,
               krb5_enc_tkt_part *enc_tkt_reply,
               krb5_pa_data *data,
-              krb5_kdcpreauth_get_data_fn server_get_entry_data,
+              krb5_kdcpreauth_get_data_fn get,
+              krb5_kdcpreauth_rock rock,
               krb5_kdcpreauth_moddata moddata,
               krb5_kdcpreauth_verify_respond_fn respond,
               void *arg)
@@ -394,8 +389,7 @@ server_verify(krb5_context kcontext,
 
     /* Pull up the client's keys. */
     key_data = NULL;
-    if ((*server_get_entry_data)(kcontext, request, client,
-                                 krb5_kdcpreauth_keys, &key_data) != 0) {
+    if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) {
 #ifdef DEBUG
         fprintf(stderr, "Error retrieving client keys.\n");
 #endif
@@ -454,9 +448,7 @@ server_verify(krb5_context kcontext,
      * extract the structure directly from the req_pkt structure.  This
      * will probably work if it's us on both ends, though. */
     req_body = NULL;
-    if ((*server_get_entry_data)(kcontext, request, client,
-                                 krb5_kdcpreauth_request_body,
-                                 &req_body) != 0) {
+    if ((*get)(kcontext, rock, krb5_kdcpreauth_request_body, &req_body) != 0) {
         krb5_free_keyblock(kcontext, key);
         stats->failures++;
         (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
@@ -593,14 +585,13 @@ server_verify(krb5_context kcontext,
 static krb5_error_code
 server_return(krb5_context kcontext,
               krb5_pa_data *padata,
-              struct _krb5_db_entry_new *client,
               krb5_data *req_pkt,
               krb5_kdc_req *request,
               krb5_kdc_rep *reply,
-              struct _krb5_key_data *client_key,
               krb5_keyblock *encrypting_key,
               krb5_pa_data **send_pa,
-              krb5_kdcpreauth_get_data_fn server_get_entry_data,
+              krb5_kdcpreauth_get_data_fn get,
+              krb5_kdcpreauth_rock rock,
               krb5_kdcpreauth_moddata moddata,
               krb5_kdcpreauth_modreq modreq)
 {
diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h
deleted file mode 100644 (file)
index f585bc2..0000000
+++ /dev/null
@@ -1,58 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-
-/*
- * Returns success with a null armor_key if FAST is available but not in use.
- * Returns failure if the client library does not support FAST.
- */
-static inline krb5_error_code
-fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data,
-                   krb5_clpreauth_rock rock, krb5_keyblock **armor_key)
-{
-    krb5_error_code retval = 0;
-    krb5_data *data;
-    retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data);
-    if (retval == 0) {
-        *armor_key = (krb5_keyblock *) data->data;
-        data->data = NULL;
-        get_data(context, rock, krb5_clpreauth_free_fast_armor, &data);
-    }
-    return retval;
-}
-
-static inline krb5_error_code
-fast_kdc_get_armor_key(krb5_context context,
-                       krb5_kdcpreauth_get_data_fn get_entry,
-                       krb5_kdc_req *request,
-                       struct _krb5_db_entry_new *client,
-                       krb5_keyblock **armor_key)
-{
-    krb5_error_code retval;
-    krb5_data *data;
-    retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor,
-                       &data);
-    if (retval == 0) {
-        *armor_key = (krb5_keyblock *) data->data;
-        data->data = NULL;
-        get_entry(context, request, client,
-                  krb5_kdcpreauth_free_fast_armor, &data);
-    }
-    return retval;
-}
-
-
-
-static inline krb5_error_code
-fast_kdc_replace_reply_key(krb5_context context,
-                           krb5_kdcpreauth_get_data_fn get_data,
-                           krb5_kdc_req *request)
-{
-    return 0;
-}
-
-static inline krb5_error_code
-fast_set_kdc_verified(krb5_context context,
-                      krb5_clpreauth_get_data_fn get_data,
-                      krb5_clpreauth_rock rock)
-{
-    return 0;
-}
index 8ad6b14dba36f7f1533f212535295004267329d9..ceff74918ce694d541dc0dcb84df8405489def6f 100644 (file)
@@ -16,16 +16,16 @@ pkinit_accessor.so pkinit_accessor.po $(OUTPRE)pkinit_accessor.$(OBJEXT): \
 pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
-  $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h $(top_srcdir)/include/k5-buf.h \
-  $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
-  $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
-  $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
-  $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
-  $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
-  pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
-  pkinit_srv.c
+  $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \
+  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+  $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
+  pkinit_accessor.h pkinit_crypto.h pkinit_srv.c
 pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
@@ -49,7 +49,7 @@ pkinit_kdf_constants.so pkinit_kdf_constants.po $(OUTPRE)pkinit_kdf_constants.$(
   pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_constants.c
 pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \
   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \
+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \
   $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-platform.h \
   $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5/plugin.h \
   $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
index 4860e0712e28f4da73b628f6cb897cc6acfc4136..f8cfac5ad7251bb22221deb9bcdfa98df4861628 100644 (file)
@@ -42,7 +42,7 @@
 #include "pkinit.h"
 
 /* Remove when FAST PKINIT is settled. */
-#include "../fast_factor.h"
+#include "fast_factor.h"
 
 /*
  * It is anticipated that all the special checks currently
index 2fbc243913136405a6131b7cfa028841ba1fcf50..a79b25c29592d7041aa763ee6380be564fbba66c 100644 (file)
@@ -38,7 +38,7 @@
 #include "pkinit.h"
 
 /* Remove when FAST PKINIT is settled. */
-#include "../fast_factor.h"
+#include "fast_factor.h"
 
 static krb5_error_code
 pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob);
@@ -101,9 +101,8 @@ cleanup:
 static krb5_error_code
 pkinit_server_get_edata(krb5_context context,
                         krb5_kdc_req *request,
-                        struct _krb5_db_entry_new *client,
-                        struct _krb5_db_entry_new *server,
-                        krb5_kdcpreauth_get_data_fn server_get_entry_data,
+                        krb5_kdcpreauth_get_data_fn get,
+                        krb5_kdcpreauth_rock rock,
                         krb5_kdcpreauth_moddata moddata,
                         krb5_pa_data *data)
 {
@@ -114,8 +113,7 @@ pkinit_server_get_edata(krb5_context context,
     pkiDebug("pkinit_server_get_edata: entered!\n");
 
     /* Remove (along with armor_key) when FAST PKINIT is settled. */
-    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
-                                    client, &armor_key);
+    retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
     if (retval == 0 && armor_key != NULL) {
         /* Don't advertise PKINIT if the client used FAST. */
         krb5_free_keyblock(context, armor_key);
@@ -289,12 +287,12 @@ out:
 
 static void
 pkinit_server_verify_padata(krb5_context context,
-                            struct _krb5_db_entry_new * client,
                             krb5_data *req_pkt,
                             krb5_kdc_req * request,
                             krb5_enc_tkt_part * enc_tkt_reply,
                             krb5_pa_data * data,
-                            krb5_kdcpreauth_get_data_fn server_get_entry_data,
+                            krb5_kdcpreauth_get_data_fn get,
+                            krb5_kdcpreauth_rock rock,
                             krb5_kdcpreauth_moddata moddata,
                             krb5_kdcpreauth_verify_respond_fn respond,
                             void *arg)
@@ -324,8 +322,7 @@ pkinit_server_verify_padata(krb5_context context,
     }
 
     /* Remove (along with armor_key) when FAST PKINIT is settled. */
-    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
-                                    client, &armor_key);
+    retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
     if (retval == 0 && armor_key != NULL) {
         /* Don't allow PKINIT if the client used FAST. */
         krb5_free_keyblock(context, armor_key);
@@ -697,14 +694,13 @@ cleanup:
 static krb5_error_code
 pkinit_server_return_padata(krb5_context context,
                             krb5_pa_data * padata,
-                            struct _krb5_db_entry_new * client,
                             krb5_data *req_pkt,
                             krb5_kdc_req * request,
                             krb5_kdc_rep * reply,
-                            struct _krb5_key_data * client_key,
                             krb5_keyblock * encrypting_key,
                             krb5_pa_data ** send_pa,
-                            krb5_kdcpreauth_get_data_fn server_get_entry_data,
+                            krb5_kdcpreauth_get_data_fn get,
+                            krb5_kdcpreauth_rock rock,
                             krb5_kdcpreauth_moddata moddata,
                             krb5_kdcpreauth_modreq modreq)
 {
index 700cd59f9cc1d21dfe5038eaf29f6fdf723ab4a3..5ed59c811172450f009714c2019e7d35f9557bb9 100644 (file)
@@ -50,6 +50,19 @@ static struct {
     { 0, 0 },
 };
 
+static krb5_db_entry *
+get_client_entry(krb5_context context, krb5_kdcpreauth_get_data_fn get,
+                 krb5_kdcpreauth_rock rock)
+{
+    krb5_data *data;
+    krb5_db_entry *client;
+
+    (*get)(context, rock, krb5_kdcpreauth_get_client, &data);
+    client = *(krb5_db_entry **)data->data;
+    free(data);
+    return client;
+}
+
 krb5_error_code
 sam_get_db_entry(krb5_context context, krb5_principal client,
                  int *sam_type, struct _krb5_db_entry_new **db_entry)
@@ -114,9 +127,7 @@ cleanup:
 
 static krb5_error_code
 kdc_include_padata(krb5_context context, krb5_kdc_req *request,
-                   struct _krb5_db_entry_new *client,
-                   struct _krb5_db_entry_new *server,
-                   krb5_kdcpreauth_get_data_fn get_entry_proc,
+                   krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
                    krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
 {
     krb5_error_code retval;
@@ -125,7 +136,7 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request,
     krb5_sam_challenge_2 sc2;
     krb5_sam_challenge_2_body sc2b;
     int sam_type = 0;             /* unknown */
-    krb5_db_entry *sam_db_entry = NULL;
+    krb5_db_entry *sam_db_entry = NULL, *client;
     krb5_data *encoded_challenge = NULL;
 
     memset(&sc2, 0, sizeof(sc2));
@@ -133,12 +144,12 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request,
     sc2b.magic = KV5M_SAM_CHALLENGE_2;
     sc2b.sam_type = sam_type;
 
+    client = get_client_entry(context, get, rock);
     retval = sam_get_db_entry(context, client->princ, &sam_type,
                               &sam_db_entry);
     if (retval)
         return retval;
-    retval = get_entry_proc(context, request, client,
-                            krb5_kdcpreauth_keys, &client_keys_data);
+    retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_keys_data);
     if (retval)
         goto cleanup;
     client_key = (krb5_keyblock *) client_keys_data->data;
@@ -203,19 +214,18 @@ cleanup:
 }
 
 static void
-kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
-                   krb5_data *req_pkt, krb5_kdc_req *request,
-                   krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data,
-                   krb5_kdcpreauth_get_data_fn get_entry_proc,
-                   krb5_kdcpreauth_moddata moddata,
-                   krb5_kdcpreauth_verify_respond_fn respond,
-                   void *arg)
+kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
+                   krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+                   krb5_pa_data *pa_data, krb5_kdcpreauth_get_data_fn get,
+                   krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
+                   krb5_kdcpreauth_verify_respond_fn respond, void *arg)
 {
     krb5_error_code retval, saved_retval = 0;
     krb5_sam_response_2 *sr2 = NULL;
     krb5_data scratch, *scratch2, *e_data = NULL;
     char *client_name = NULL;
     krb5_sam_challenge_2 *out_sc2 = NULL;
+    krb5_db_entry *client = get_client_entry(context, get, rock);
 
     scratch.data = (char *) pa_data->contents;
     scratch.length = pa_data->length;
index 3c10e14162eea8a5f51cd17e6ff0ab39e4ac443d..e3f5d87824131fe3025976a8373012bdd6a2ceda 100644 (file)
@@ -246,9 +246,8 @@ server_free_modreq(krb5_context kcontext,
 static krb5_error_code
 server_get_edata(krb5_context kcontext,
                  krb5_kdc_req *request,
-                 struct _krb5_db_entry_new *client,
-                 struct _krb5_db_entry_new *server,
-                 krb5_kdcpreauth_get_data_fn server_get_entry_data,
+                 krb5_kdcpreauth_get_data_fn get,
+                 krb5_kdcpreauth_rock rock,
                  krb5_kdcpreauth_moddata moddata,
                  krb5_pa_data *data)
 {
@@ -261,12 +260,12 @@ server_get_edata(krb5_context kcontext,
 /* Verify a request from a client. */
 static void
 server_verify(krb5_context kcontext,
-              struct _krb5_db_entry_new *client,
               krb5_data *req_pkt,
               krb5_kdc_req *request,
               krb5_enc_tkt_part *enc_tkt_reply,
               krb5_pa_data *data,
-              krb5_kdcpreauth_get_data_fn server_get_entry_data,
+              krb5_kdcpreauth_get_data_fn get,
+              krb5_kdcpreauth_rock rock,
               krb5_kdcpreauth_moddata moddata,
               krb5_kdcpreauth_verify_respond_fn respond,
               void *arg)
@@ -370,14 +369,13 @@ server_verify(krb5_context kcontext,
 static krb5_error_code
 server_return(krb5_context kcontext,
               krb5_pa_data *padata,
-              struct _krb5_db_entry_new *client,
               krb5_data *req_pkt,
               krb5_kdc_req *request,
               krb5_kdc_rep *reply,
-              struct _krb5_key_data *client_key,
               krb5_keyblock *encrypting_key,
               krb5_pa_data **send_pa,
-              krb5_kdcpreauth_get_data_fn server_get_entry_data,
+              krb5_kdcpreauth_get_data_fn get,
+              krb5_kdcpreauth_rock rock,
               krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
 {
     /* This module does a couple of dumb things.  It tags its reply with