Recast encrypted challenge as linked built-ins
authorGreg Hudson <ghudson@mit.edu>
Fri, 23 Sep 2011 14:35:34 +0000 (14:35 +0000)
committerGreg Hudson <ghudson@mit.edu>
Fri, 23 Sep 2011 14:35:34 +0000 (14:35 +0000)
Since it has no external dependencies, split up encrypted preauth into
clpreauth and kdcpreauth chunks and link them directly into the
consumers.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970

14 files changed:
src/Makefile.in
src/configure.in
src/include/fast_factor.h [new file with mode: 0644]
src/kdc/Makefile.in
src/kdc/kdc_preauth.c
src/kdc/kdc_preauth_ec.c [moved from src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c with 59% similarity]
src/kdc/kdc_util.h
src/lib/krb5/krb/Makefile.in
src/lib/krb5/krb/int-proto.h
src/lib/krb5/krb/preauth2.c
src/lib/krb5/krb/preauth_ec.c [new file with mode: 0644]
src/plugins/preauth/encrypted_challenge/Makefile.in [deleted file]
src/plugins/preauth/encrypted_challenge/deps [deleted file]
src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports [deleted file]

index 2d97c5717c38d3c2639e18e4ffcd12acac9ac5aa..9e048ad7ab675476912c80186e031540eed5904b 100644 (file)
@@ -13,7 +13,6 @@ SUBDIRS=util include lib \
        plugins/kdb/db2 \
        @ldap_plugin_dir@ \
        plugins/preauth/pkinit \
-       plugins/preauth/encrypted_challenge \
        kdc kadmin slave clients appl tests \
        config-files gen-manpages @po@
 WINSUBDIRS=include util lib ccapi windows clients appl
@@ -89,7 +88,6 @@ fake-install: runenv.py
        (w=`pwd`; cd util && $(MAKE) install DESTDIR="$$w/util/fakedest")
        (w=`pwd`; cd lib && $(MAKE) install DESTDIR="$$w/util/fakedest")
        (w=`pwd`; cd plugins/kdb/db2 && $(MAKE) install DESTDIR="$$w/util/fakedest")
-       (w=`pwd`; cd plugins/preauth/encrypted_challenge && $(MAKE) install DESTDIR="$$w/util/fakedest")
        if test -r plugins/preauth/pkinit/Makefile; then \
          (w=`pwd`; cd plugins/preauth/pkinit && $(MAKE) install DESTDIR="$$w/util/fakedest"); \
        fi
index 961f80967b817a865463e2ac05cb77ba63f0842c..6c3eebcc4471c26fe058b9480f09b61e94c27bc0 100644 (file)
@@ -1231,7 +1231,7 @@ dnl       ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test
        plugins/kdb/db2/libdb2/recno
        plugins/kdb/db2/libdb2/test
        plugins/kdb/hdb
-       plugins/preauth/cksum_body plugins/preauth/encrypted_challenge
+       plugins/preauth/cksum_body
        plugins/preauth/securid_sam2
        plugins/preauth/wpse
        plugins/authdata/greet
diff --git a/src/include/fast_factor.h b/src/include/fast_factor.h
new file mode 100644 (file)
index 0000000..42f1b27
--- /dev/null
@@ -0,0 +1,86 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/fast_factor.h - Convenience inline functions for FAST factors */
+/*
+ * Copyright (C) 2011 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifndef FAST_FACTOR_H
+
+/*
+ * Returns success with a null armor_key if FAST is available but not in use.
+ * Returns failure if the client library does not support FAST.
+ */
+static inline krb5_error_code
+fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data,
+                   krb5_clpreauth_rock rock, krb5_keyblock **armor_key)
+{
+    krb5_error_code retval = 0;
+    krb5_data *data;
+    retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data);
+    if (retval == 0) {
+        *armor_key = (krb5_keyblock *) data->data;
+        data->data = NULL;
+        get_data(context, rock, krb5_clpreauth_free_fast_armor, &data);
+    }
+    return retval;
+}
+
+static inline krb5_error_code
+fast_kdc_get_armor_key(krb5_context context,
+                       krb5_kdcpreauth_get_data_fn get_entry,
+                       krb5_kdc_req *request,
+                       struct _krb5_db_entry_new *client,
+                       krb5_keyblock **armor_key)
+{
+    krb5_error_code retval;
+    krb5_data *data;
+    retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor,
+                       &data);
+    if (retval == 0) {
+        *armor_key = (krb5_keyblock *) data->data;
+        data->data = NULL;
+        get_entry(context, request, client,
+                  krb5_kdcpreauth_free_fast_armor, &data);
+    }
+    return retval;
+}
+
+
+
+static inline krb5_error_code
+fast_kdc_replace_reply_key(krb5_context context,
+                           krb5_kdcpreauth_get_data_fn get_data,
+                           krb5_kdc_req *request)
+{
+    return 0;
+}
+
+static inline krb5_error_code
+fast_set_kdc_verified(krb5_context context,
+                      krb5_clpreauth_get_data_fn get_data,
+                      krb5_clpreauth_rock rock)
+{
+    return 0;
+}
+
+#endif /* FAST_FACTOR_H */
index 1c7bbf9611f2f583005fa8a505ef45ad30f8fcb6..68f1a5b8f50d149ace6bc92d0d78df73a076cbda 100644 (file)
@@ -20,6 +20,7 @@ SRCS= \
        $(srcdir)/fast_util.c \
        $(srcdir)/kdc_util.c \
        $(srcdir)/kdc_preauth.c \
+       $(srcdir)/kdc_preauth_ec.c \
        $(srcdir)/main.c \
        $(srcdir)/policy.c \
        $(srcdir)/extern.c \
@@ -34,6 +35,7 @@ OBJS= \
        fast_util.o \
        kdc_util.o \
        kdc_preauth.o \
+       kdc_preauth_ec.o \
        main.o \
        policy.o \
        extern.o \
index 69b1e2cf5fee904ebddec295fc8faecbfdd37b0d..dabc9c159dccb500b9ce33745e6c7aa4b4504f3f 100644 (file)
@@ -318,11 +318,12 @@ get_plugin_vtables(krb5_context context,
     *vtables_out = NULL;
     *n_tables_out = *n_systems_out = 0;
 
-    /* Auto-register pkinit and encrypted challenge if possible. */
+    /* Auto-register encrypted challenge and (if possible) pkinit. */
     k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "pkinit",
                            "preauth");
-    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH,
-                           "encrypted_challenge", "preauth");
+    k5_plugin_register(context, PLUGIN_INTERFACE_KDCPREAUTH,
+                       "encrypted_challenge",
+                       kdcpreauth_encrypted_challenge_initvt);
 
     if (k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPREAUTH, &plugins))
         return;
similarity index 59%
rename from src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
rename to src/kdc/kdc_preauth_ec.c
index 58a659246d31c0f907a63a3bd363c26e2aacfef1..3419c831aec5949ad99ffe07bc9e2daad3a06dd5 100644 (file)
@@ -1,5 +1,5 @@
 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-/* plugins/preauth/encrypted_challenge/encrypted_challenge_main.c */
+/* kdc/kdc_preauth_ec.c - Encrypted challenge kdcpreauth module */
 /*
  * Copyright (C) 2009 by the Massachusetts Institute of Technology.
  * All rights reserved.
  */
 
 #include <k5-int.h>
-#include "../fast_factor.h"
-
 #include <krb5/preauth_plugin.h>
-
-static int
-preauth_flags(krb5_context context, krb5_preauthtype pa_type)
-{
-    return PA_REAL;
-}
-
-static krb5_error_code
-process_preauth(krb5_context context, krb5_clpreauth_moddata moddata,
-                krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
-                krb5_clpreauth_get_data_fn get_data_proc,
-                krb5_clpreauth_rock rock, krb5_kdc_req *request,
-                krb5_data *encoded_request_body,
-                krb5_data *encoded_previous_request, krb5_pa_data *padata,
-                krb5_prompter_fct prompter, void *prompter_data,
-                krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
-                krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
-                krb5_pa_data ***out_padata)
-{
-    krb5_error_code retval = 0;
-    krb5_enctype enctype = 0;
-    krb5_keyblock *challenge_key = NULL, *armor_key = NULL;
-    krb5_data *etype_data = NULL;
-    krb5int_access kaccess;
-
-    if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0)
-        return 0;
-    retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
-    if (retval || armor_key == NULL)
-        return 0;
-    retval = get_data_proc(context, rock, krb5_clpreauth_get_etype,
-                           &etype_data);
-    if (retval == 0) {
-        enctype = *((krb5_enctype *)etype_data->data);
-        if (as_key->length == 0 ||as_key->enctype != enctype)
-            retval = gak_fct(context, request->client,
-                             enctype, prompter, prompter_data,
-                             salt, s2kparams,
-                             as_key, gak_data);
-    }
-    if (retval == 0 && padata->length) {
-        krb5_enc_data *enc = NULL;
-        krb5_data scratch;
-        scratch.length = padata->length;
-        scratch.data = (char *) padata->contents;
-        retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor",
-                                      as_key, "challengelongterm",
-                                      &challenge_key);
-        if (retval == 0)
-            retval =kaccess.decode_enc_data(&scratch, &enc);
-        scratch.data = NULL;
-        if (retval == 0) {
-            scratch.data = malloc(enc->ciphertext.length);
-            scratch.length = enc->ciphertext.length;
-            if (scratch.data == NULL)
-                retval = ENOMEM;
-        }
-        if (retval == 0)
-            retval = krb5_c_decrypt(context, challenge_key,
-                                    KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL,
-                                    enc, &scratch);
-        /*
-         * Per draft 11 of the preauth framework, the client MAY but is not
-         * required to actually check the timestamp from the KDC other than to
-         * confirm it decrypts. This code does not perform that check.
-         */
-        if (scratch.data)
-            krb5_free_data_contents(context, &scratch);
-        if (retval == 0)
-            fast_set_kdc_verified(context, get_data_proc, rock);
-        if (enc)
-            kaccess.free_enc_data(context, enc);
-    } else if (retval == 0) { /*No padata; we send*/
-        krb5_enc_data enc;
-        krb5_pa_data *pa = NULL;
-        krb5_pa_data **pa_array = NULL;
-        krb5_data *encoded_ts = NULL;
-        krb5_pa_enc_ts ts;
-        enc.ciphertext.data = NULL;
-        retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
-        if (retval == 0)
-            retval = kaccess.encode_enc_ts(&ts, &encoded_ts);
-        if (retval == 0)
-            retval = krb5_c_fx_cf2_simple(context,
-                                          armor_key, "clientchallengearmor",
-                                          as_key, "challengelongterm",
-                                          &challenge_key);
-        if (retval == 0)
-            retval = kaccess.encrypt_helper(context, challenge_key,
-                                            KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
-                                            encoded_ts, &enc);
-        if (encoded_ts)
-            krb5_free_data(context, encoded_ts);
-        encoded_ts = NULL;
-        if (retval == 0) {
-            retval = kaccess.encode_enc_data(&enc, &encoded_ts);
-            krb5_free_data_contents(context, &enc.ciphertext);
-        }
-        if (retval == 0) {
-            pa = calloc(1, sizeof(krb5_pa_data));
-            if (pa == NULL)
-                retval = ENOMEM;
-        }
-        if (retval == 0) {
-            pa_array = calloc(2, sizeof(krb5_pa_data *));
-            if (pa_array == NULL)
-                retval = ENOMEM;
-        }
-        if (retval == 0) {
-            pa->length = encoded_ts->length;
-            pa->contents = (unsigned char *) encoded_ts->data;
-            pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
-            free(encoded_ts);
-            encoded_ts = NULL;
-            pa_array[0] = pa;
-            pa = NULL;
-            *out_padata = pa_array;
-            pa_array = NULL;
-        }
-        if (pa)
-            free(pa);
-        if (encoded_ts)
-            krb5_free_data(context, encoded_ts);
-        if (pa_array)
-            free(pa_array);
-    }
-    if (challenge_key)
-        krb5_free_keyblock(context, challenge_key);
-    if (armor_key)
-        krb5_free_keyblock(context, armor_key);
-    if (etype_data != NULL)
-        get_data_proc(context, rock, krb5_clpreauth_free_etype, &etype_data);
-    return retval;
-}
-
+#include "fast_factor.h"
+#include "kdc_util.h"
 
 static krb5_error_code
 kdc_include_padata(krb5_context context, krb5_kdc_req *request,
@@ -361,13 +226,6 @@ kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
 krb5_preauthtype supported_pa_types[] = {
     KRB5_PADATA_ENCRYPTED_CHALLENGE, 0};
 
-krb5_error_code
-kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
-                                      int min_ver, krb5_plugin_vtable vtable);
-krb5_error_code
-clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
-                                     int min_ver, krb5_plugin_vtable vtable);
-
 krb5_error_code
 kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
                                       int min_ver, krb5_plugin_vtable vtable)
@@ -384,19 +242,3 @@ kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
     vt->return_padata = kdc_return_preauth;
     return 0;
 }
-
-krb5_error_code
-clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
-                                     int min_ver, krb5_plugin_vtable vtable)
-{
-    krb5_clpreauth_vtable vt;
-
-    if (maj_ver != 1)
-        return KRB5_PLUGIN_VER_NOTSUPP;
-    vt = (krb5_clpreauth_vtable)vtable;
-    vt->name = "encrypted_challenge";
-    vt->pa_type_list = supported_pa_types;
-    vt->flags = preauth_flags;
-    vt->process = process_preauth;
-    return 0;
-}
index e2790e23dd6fb37a2bea0ee91c0e6cb2d24b7bb7..dbc51501a72a43bc3007c595fce281eca98e53ac 100644 (file)
@@ -201,6 +201,11 @@ add_pa_data_element (krb5_context context,
                      krb5_pa_data ***out_padata,
                      krb5_boolean copy);
 
+/* kdc_preauth_ec.c */
+krb5_error_code
+kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
+                                      int min_ver, krb5_plugin_vtable vtable);
+
 /* kdc_authdata.c */
 krb5_error_code
 load_authdata_plugins(krb5_context context);
index 33f31fd380e571ff7f165ce701fb186db44de1f5..ddef9e29a3b06b155fc17ecd50d0271a9ac58019 100644 (file)
@@ -77,6 +77,7 @@ STLIBOBJS= \
        plugin.o        \
        pr_to_salt.o    \
        preauth2.o      \
+       preauth_ec.o    \
        gic_opt_set_pa.o        \
        princ_comp.o    \
        privsafe.o      \
@@ -180,6 +181,7 @@ OBJS=       $(OUTPRE)addr_comp.$(OBJEXT)    \
        $(OUTPRE)plugin.$(OBJEXT)       \
        $(OUTPRE)pr_to_salt.$(OBJEXT)   \
        $(OUTPRE)preauth2.$(OBJEXT)     \
+       $(OUTPRE)preauth_ec.$(OBJEXT)   \
        $(OUTPRE)gic_opt_set_pa.$(OBJEXT)       \
        $(OUTPRE)princ_comp.$(OBJEXT)   \
        $(OUTPRE)privsafe.$(OBJEXT)     \
@@ -283,6 +285,7 @@ SRCS=       $(srcdir)/addr_comp.c   \
        $(srcdir)/plugin.c      \
        $(srcdir)/pr_to_salt.c  \
        $(srcdir)/preauth2.c    \
+       $(srcdir)/preauth_ec.c  \
        $(srcdir)/gic_opt_set_pa.c      \
        $(srcdir)/princ_comp.c  \
        $(srcdir)/privsafe.c    \
index 9b975ab4ace3cf27f2cb74e555a1db05865db7de..7aebdb1620190cd066e669360655252be60b9cb4 100644 (file)
@@ -53,6 +53,10 @@ krb5_preauth_supply_preauth_data(krb5_context context,
                                  const char *attr,
                                  const char *value);
 
+krb5_error_code
+clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
+                                     int min_ver, krb5_plugin_vtable vtable);
+
 krb5_error_code
 krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
                                  krb5_creds *in_creds, krb5_creds *mcreds,
index ef866b1a2437909d891ef94f0925af710647faac..ed411e5ddf1dbeedc675b8fe15024d7b07d600cb 100644 (file)
@@ -120,11 +120,12 @@ krb5_init_preauth_context(krb5_context kcontext)
     if (kcontext->preauth_context != NULL)
         return;
 
-    /* Auto-register pkinit and encrypted challenge if possible. */
+    /* Auto-register encrypted challenge and (if possible) pkinit. */
     k5_plugin_register_dyn(kcontext, PLUGIN_INTERFACE_CLPREAUTH, "pkinit",
                            "preauth");
-    k5_plugin_register_dyn(kcontext, PLUGIN_INTERFACE_CLPREAUTH,
-                           "encrypted_challenge", "preauth");
+    k5_plugin_register(kcontext, PLUGIN_INTERFACE_CLPREAUTH,
+                       "encrypted_challenge",
+                       clpreauth_encrypted_challenge_initvt);
 
     /* Get all available clpreauth vtables. */
     if (k5_plugin_load_all(kcontext, PLUGIN_INTERFACE_CLPREAUTH, &plugins))
diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c
new file mode 100644 (file)
index 0000000..e56807a
--- /dev/null
@@ -0,0 +1,189 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* lib/krb5/krb/preauth_ec.c - Encrypted Challenge clpreauth module */
+/*
+ * Copyright (C) 2009, 2011 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ *   require a specific license from the United States Government.
+ *   It is the responsibility of any person or organization contemplating
+ *   export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Implement Encrypted Challenge fast factor from
+ * draft-ietf-krb-wg-preauth-framework
+ */
+
+#include <k5-int.h>
+#include <krb5/preauth_plugin.h>
+#include "fast_factor.h"
+#include "int-proto.h"
+
+static int
+preauth_flags(krb5_context context, krb5_preauthtype pa_type)
+{
+    return PA_REAL;
+}
+
+static krb5_error_code
+process_preauth(krb5_context context, krb5_clpreauth_moddata moddata,
+                krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
+                krb5_clpreauth_get_data_fn get_data_proc,
+                krb5_clpreauth_rock rock, krb5_kdc_req *request,
+                krb5_data *encoded_request_body,
+                krb5_data *encoded_previous_request, krb5_pa_data *padata,
+                krb5_prompter_fct prompter, void *prompter_data,
+                krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
+                krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
+                krb5_pa_data ***out_padata)
+{
+    krb5_error_code retval = 0;
+    krb5_enctype enctype = 0;
+    krb5_keyblock *challenge_key = NULL, *armor_key = NULL;
+    krb5_data *etype_data = NULL;
+    krb5int_access kaccess;
+
+    if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0)
+        return 0;
+    retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
+    if (retval || armor_key == NULL)
+        return 0;
+    retval = get_data_proc(context, rock, krb5_clpreauth_get_etype,
+                           &etype_data);
+    if (retval == 0) {
+        enctype = *((krb5_enctype *)etype_data->data);
+        if (as_key->length == 0 ||as_key->enctype != enctype)
+            retval = gak_fct(context, request->client,
+                             enctype, prompter, prompter_data,
+                             salt, s2kparams,
+                             as_key, gak_data);
+    }
+    if (retval == 0 && padata->length) {
+        krb5_enc_data *enc = NULL;
+        krb5_data scratch;
+        scratch.length = padata->length;
+        scratch.data = (char *) padata->contents;
+        retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor",
+                                      as_key, "challengelongterm",
+                                      &challenge_key);
+        if (retval == 0)
+            retval =kaccess.decode_enc_data(&scratch, &enc);
+        scratch.data = NULL;
+        if (retval == 0) {
+            scratch.data = malloc(enc->ciphertext.length);
+            scratch.length = enc->ciphertext.length;
+            if (scratch.data == NULL)
+                retval = ENOMEM;
+        }
+        if (retval == 0)
+            retval = krb5_c_decrypt(context, challenge_key,
+                                    KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL,
+                                    enc, &scratch);
+        /*
+         * Per draft 11 of the preauth framework, the client MAY but is not
+         * required to actually check the timestamp from the KDC other than to
+         * confirm it decrypts. This code does not perform that check.
+         */
+        if (scratch.data)
+            krb5_free_data_contents(context, &scratch);
+        if (retval == 0)
+            fast_set_kdc_verified(context, get_data_proc, rock);
+        if (enc)
+            kaccess.free_enc_data(context, enc);
+    } else if (retval == 0) { /*No padata; we send*/
+        krb5_enc_data enc;
+        krb5_pa_data *pa = NULL;
+        krb5_pa_data **pa_array = NULL;
+        krb5_data *encoded_ts = NULL;
+        krb5_pa_enc_ts ts;
+        enc.ciphertext.data = NULL;
+        retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
+        if (retval == 0)
+            retval = kaccess.encode_enc_ts(&ts, &encoded_ts);
+        if (retval == 0)
+            retval = krb5_c_fx_cf2_simple(context,
+                                          armor_key, "clientchallengearmor",
+                                          as_key, "challengelongterm",
+                                          &challenge_key);
+        if (retval == 0)
+            retval = kaccess.encrypt_helper(context, challenge_key,
+                                            KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT,
+                                            encoded_ts, &enc);
+        if (encoded_ts)
+            krb5_free_data(context, encoded_ts);
+        encoded_ts = NULL;
+        if (retval == 0) {
+            retval = kaccess.encode_enc_data(&enc, &encoded_ts);
+            krb5_free_data_contents(context, &enc.ciphertext);
+        }
+        if (retval == 0) {
+            pa = calloc(1, sizeof(krb5_pa_data));
+            if (pa == NULL)
+                retval = ENOMEM;
+        }
+        if (retval == 0) {
+            pa_array = calloc(2, sizeof(krb5_pa_data *));
+            if (pa_array == NULL)
+                retval = ENOMEM;
+        }
+        if (retval == 0) {
+            pa->length = encoded_ts->length;
+            pa->contents = (unsigned char *) encoded_ts->data;
+            pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE;
+            free(encoded_ts);
+            encoded_ts = NULL;
+            pa_array[0] = pa;
+            pa = NULL;
+            *out_padata = pa_array;
+            pa_array = NULL;
+        }
+        if (pa)
+            free(pa);
+        if (encoded_ts)
+            krb5_free_data(context, encoded_ts);
+        if (pa_array)
+            free(pa_array);
+    }
+    if (challenge_key)
+        krb5_free_keyblock(context, challenge_key);
+    if (armor_key)
+        krb5_free_keyblock(context, armor_key);
+    if (etype_data != NULL)
+        get_data_proc(context, rock, krb5_clpreauth_free_etype, &etype_data);
+    return retval;
+}
+
+
+krb5_preauthtype supported_pa_types[] = {
+    KRB5_PADATA_ENCRYPTED_CHALLENGE, 0};
+
+krb5_error_code
+clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
+                                     int min_ver, krb5_plugin_vtable vtable)
+{
+    krb5_clpreauth_vtable vt;
+
+    if (maj_ver != 1)
+        return KRB5_PLUGIN_VER_NOTSUPP;
+    vt = (krb5_clpreauth_vtable)vtable;
+    vt->name = "encrypted_challenge";
+    vt->pa_type_list = supported_pa_types;
+    vt->flags = preauth_flags;
+    vt->process = process_preauth;
+    return 0;
+}
diff --git a/src/plugins/preauth/encrypted_challenge/Makefile.in b/src/plugins/preauth/encrypted_challenge/Makefile.in
deleted file mode 100644 (file)
index 963e4d4..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-mydir=plugins$(S)preauth$(S)encrypted_challenge
-BUILDTOP=$(REL)..$(S)..$(S)..
-KRB5_RUN_ENV = @KRB5_RUN_ENV@
-KRB5_CONFIG_SETUP = KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf ; export KRB5_CONFIG ;
-PROG_LIBPATH=-L$(TOPLIBD)
-PROG_RPATH=$(KRB5_LIBDIR)
-MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
-DEFS=@DEFS@
-
-LOCALINCLUDES = -I../../../include/krb5 -I.
-
-LIBBASE=encrypted_challenge
-LIBMAJOR=0
-LIBMINOR=0
-SO_EXT=.so
-RELDIR=../plugins/preauth/encrypted_challenge
-# Depends on libk5crypto and libkrb5
-SHLIB_EXPDEPS = \
-       $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
-       $(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS)
-
-SHLIB_DIRS=-L$(TOPLIBD)
-SHLIB_RDIRS=$(KRB5_LIBDIR)
-STOBJLISTS=OBJS.ST
-STLIBOBJS=encrypted_challenge_main.o
-
-SRCS= $(srcdir)/encrypted_challenge_main.c
-
-all-unix:: all-liblinks
-install-unix:: install-libs
-clean-unix:: clean-libs clean-libobjs
-
-clean::
-       $(RM) lib$(LIBBASE)$(SO_EXT)
-
-@libnover_frag@
-@libobj_frag@
-
diff --git a/src/plugins/preauth/encrypted_challenge/deps b/src/plugins/preauth/encrypted_challenge/deps
deleted file mode 100644 (file)
index 7f36e01..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-# 
-# Generated makefile dependencies follow.
-#
-encrypted_challenge_main.so encrypted_challenge_main.po \
-  $(OUTPRE)encrypted_challenge_main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \
-  $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
-  $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
-  $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
-  $(top_srcdir)/include/socket-utils.h encrypted_challenge_main.c
diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports b/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports
deleted file mode 100644 (file)
index 651dcea..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-clpreauth_encrypted_challenge_initvt
-kdcpreauth_encrypted_challenge_initvt