From: Ken Raeburn Date: Mon, 25 Aug 2008 19:43:03 +0000 (+0000) Subject: Incorporate Apple's patch X-Git-Tag: krb5-1.7-alpha1~459 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=2f2343584826983a4920fbad2a0248a42b584cf8;p=krb5.git Incorporate Apple's patch Add a test authorization data scheme, in both built-in and plugin forms; built-in version is #ifdef'ed out. Update configury to create the build directory for the plugin, but don't build or install it by default. Create the new (and normally empty) authorization data plugin directory at install time. Add some (normally disabled) code to log authz data from rd_req. Fix up some comments that still refer to preauth plugins. Add some details in comments on the API, and why it's private for now. Make the plugin init context support work, by not passing null pointers. ticket: 5565 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20691 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/Makefile.in b/src/Makefile.in index 3fbc95026..fceeaa468 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -3,7 +3,12 @@ datadir=@datadir@ thisconfigdir=. myfulldir=. mydir=. -# Don't build sample by default: plugins/locate/python plugins/preauth/wpse plugins/preauth/cksum_body +# Don't build sample by default, and definitely don't install them +# for production use: +# plugins/locate/python +# plugins/preauth/wpse +# plugins/preauth/cksum_body +# plugins/authdata/greet SUBDIRS=util include lib @krb524@ kdc kadmin @ldap_plugin_dir@ slave clients \ plugins/kdb/db2 \ plugins/preauth/pkinit \ @@ -78,6 +83,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \ $(ADMIN_MANDIR) $(SERVER_MANDIR) $(CLIENT_MANDIR) \ $(FILE_MANDIR) $(KRB5_LIBDIR) $(KRB5_INCDIR) \ $(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \ + $(KRB5_AD_MODULE_DIR) \ $(KRB5_LIBKRB5_MODULE_DIR) \ @localstatedir@ @localstatedir@/krb5kdc \ $(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) diff --git a/src/config/pre.in b/src/config/pre.in index 5c7e31409..c4a5722a3 100644 --- a/src/config/pre.in +++ b/src/config/pre.in @@ -216,6 +216,7 @@ KRB5_INCDIR = @includedir@ MODULE_DIR = @libdir@/krb5/plugins KRB5_DB_MODULE_DIR = $(MODULE_DIR)/kdb KRB5_PA_MODULE_DIR = $(MODULE_DIR)/preauth +KRB5_AD_MODULE_DIR = $(MODULE_DIR)/authdata KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5 KRB5_INCSUBDIRS = \ $(KRB5_INCDIR)/krb5 \ diff --git a/src/configure.in b/src/configure.in index cb12875e1..4c176d38c 100644 --- a/src/configure.in +++ b/src/configure.in @@ -1126,6 +1126,7 @@ V5_AC_OUTPUT_MAKEFILE(. plugins/kdb/db2/libdb2/test plugins/preauth/cksum_body plugins/preauth/wpse + plugins/authdata/greet clients clients/klist clients/kinit clients/kvno clients/kdestroy clients/kpasswd clients/ksu diff --git a/src/include/krb5/authdata_plugin.h b/src/include/krb5/authdata_plugin.h new file mode 100644 index 000000000..b2e33f3c4 --- /dev/null +++ b/src/include/krb5/authdata_plugin.h @@ -0,0 +1,111 @@ +/* + * krb5/authdata_plugin.h + * + * Copyright (C) 2007 Apple Inc. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * AuthorizationData plugin definitions for Kerberos 5. + */ + +/* + * This is considered an INTERNAL interface at this time. + * + * Some work is needed before exporting it: + * + * + Documentation. + * + Sample code. + * + Test cases (preferably automated testing under "make check"). + * + Hook into TGS exchange too; will change API. + * + Examine memory management issues, especially for Windows; may + * change API. + * + * Other changes that would be nice to have, but not necessarily + * before making this interface public: + * + * + Library support for AD-IF-RELEVANT and similar wrappers. (We can + * make the plugin construct them if it wants them.) + * + KDC could combine/optimize wrapped AD elements provided by + * multiple plugins, e.g., two IF-RELEVANT sequences could be + * merged. (The preauth plugin API also has this bug, we're going + * to need a general fix.) + */ + +#ifndef KRB5_AUTHDATA_PLUGIN_H_INCLUDED +#define KRB5_AUTHDATA_PLUGIN_H_INCLUDED +#include + +/* + * While arguments of these types are passed-in, for the most part a + * authorization data module can treat them as opaque. If we need + * keying data, we can ask for it directly. + */ +struct _krb5_db_entry_new; + +/* + * The function table / structure which an authdata server module must export as + * "authdata_server_0". NOTE: replace "0" with "1" for the type and + * variable names if this gets picked up by upstream. If the interfaces work + * correctly, future versions of the table will add either more callbacks or + * more arguments to callbacks, and in both cases we'll be able to wrap the v0 + * functions. + */ +/* extern krb5plugin_authdata_ftable_v0 authdata_server_0; */ +typedef struct krb5plugin_authdata_ftable_v0 { + /* Not-usually-visible name. */ + char *name; + + /* + * Per-plugin initialization/cleanup. The init function is called + * by the KDC when the plugin is loaded, and the fini function is + * called before the plugin is unloaded. Both are optional. + */ + krb5_error_code (*init_proc)(krb5_context, void **); + void (*fini_proc)(krb5_context, void *); + /* + * Actual authorization data handling function. If this field + * holds a null pointer, this mechanism will be skipped, and the + * init/fini functions will not be run. + * + * This function should only modify the field + * enc_tkt_reply->authorization_data. All other values should be + * considered inputs only. And, it should *modify* the field, not + * overwrite it and assume that there are no other authdata + * plugins in use. + * + * Memory management: authorization_data is a malloc-allocated, + * null-terminated sequence of malloc-allocated pointers to + * authorization data structures. This plugin code currently + * assumes the libraries, KDC, and plugin all use the same malloc + * pool, which may be a problem if/when we get the KDC code + * running on Windows. + * + * If this function returns a non-zero error code, a message + * is logged, but no other action is taken. Other authdata + * plugins will be called, and a response will be sent to the + * client (barring other problems). + */ + krb5_error_code (*authdata_proc)(krb5_context, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply); +} krb5plugin_authdata_ftable_v0; +#endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */ diff --git a/src/include/osconf.hin b/src/include/osconf.hin index 11e721b37..e6a48f87a 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -52,6 +52,7 @@ #define DEFAULT_PROFILE_PATH ("~/Library/Preferences/edu.mit.Kerberos" ":" DEFAULT_SECURE_PROFILE_PATH) #define KRB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosFrameworkPlugins" #define KDB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosDatabasePlugins" +#define KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosAuthDataPlugins" #else #define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5.conf:@SYSCONFDIR/krb5.conf" #define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index c300f82cc..8806ec929 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -33,6 +33,7 @@ SRCS= \ $(srcdir)/policy.c \ $(srcdir)/extern.c \ $(srcdir)/replay.c \ + $(srcdir)/kdc_authdata.c \ $(srcdir)/kerberos_v4.c OBJS= \ @@ -47,6 +48,7 @@ OBJS= \ policy.o \ extern.o \ replay.o \ + kdc_authdata.o \ kerberos_v4.o RT_OBJS= rtest.o \ diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 5dbf7acc2..afd02109f 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -1,6 +1,7 @@ /* * kdc/do_as_req.c * + * Portions Copyright (C) 2007 Apple Inc. * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology. * All Rights Reserved. * @@ -314,6 +315,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, goto errout; } + errcode = handle_authdata(kdc_context, &client, req_pkt, request, &enc_tkt_reply); + if (errcode) { + krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode); + } + ticket_reply.enc_part2 = &enc_tkt_reply; /* diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c new file mode 100644 index 000000000..9c7fdfaad --- /dev/null +++ b/src/kdc/kdc_authdata.c @@ -0,0 +1,298 @@ +/* + * kdc/kdc_authdata.c + * + * Copyright (C) 2007 Apple Inc. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * AuthorizationData routines for the KDC. + */ + +#include "k5-int.h" +#include "kdc_util.h" +#include "extern.h" +#include +#include "adm_proto.h" + +#include + +#include +#include "../include/krb5/authdata_plugin.h" + +#if TARGET_OS_MAC +static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/authdata", NULL }; /* should be a list */ +#else +static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL }; +#endif + +typedef krb5_error_code (*authdata_proc) + (krb5_context, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply); + +typedef krb5_error_code (*init_proc) + (krb5_context, void **); +typedef void (*fini_proc) + (krb5_context, void *); + +typedef struct _krb5_authdata_systems { + const char *name; + int type; + int flags; + void *plugin_context; + init_proc init; + fini_proc fini; + authdata_proc handle_authdata; +} krb5_authdata_systems; + +#undef GREET_PREAUTH + +#ifdef GREET_PREAUTH +static krb5_error_code +greet_init(krb5_context ctx, void **blob) +{ + *blob = "hello"; + return 0; +} + +static void +greet_fini(krb5_context ctx, void *blob) +{ +} + +static krb5_error_code +greet_authdata(krb5_context ctx, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply) +{ +#define GREET_SIZE (20) + + char *p; + krb5_authdata *a; + size_t count; + krb5_authdata **new_ad; + + krb5_klog_syslog (LOG_DEBUG, "in greet_authdata"); + + p = calloc(1, GREET_SIZE); + a = calloc(1, sizeof(*a)); + + if (p == NULL || a == NULL) { + free(p); + free(a); + return ENOMEM; + } + strcpy(p, "hello"); + a->magic = KV5M_AUTHDATA; + a->ad_type = -42; + a->length = GREET_SIZE; + a->contents = p; + if (enc_tkt_reply->authorization_data == 0) { + count = 0; + } else { + for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++) + ; + } + new_ad = realloc(enc_tkt_reply->authorization_data, + (count+2) * sizeof(krb5_authdata *)); + if (new_ad == NULL) { + free(p); + free(a); + return ENOMEM; + } + enc_tkt_reply->authorization_data = new_ad; + new_ad[count] = a; + new_ad[count+1] = NULL; + return 0; +} +#endif + +static krb5_authdata_systems static_authdata_systems[] = { +#ifdef GREET_PREAUTH + { "greeting", 0, 0, 0, greet_init, greet_fini, greet_authdata }, +#endif + { "[end]", -1,} +}; + +static krb5_authdata_systems *authdata_systems; +static int n_authdata_systems; +static struct plugin_dir_handle authdata_plugins; + +krb5_error_code +load_authdata_plugins(krb5_context context) +{ + struct errinfo err; + void **authdata_plugins_ftables = NULL; + struct krb5plugin_authdata_ftable_v0 *ftable = NULL; + size_t module_count; + int i, k; + init_proc server_init_proc = NULL; + + memset(&err, 0, sizeof(err)); + + /* Attempt to load all of the authdata plugins we can find. */ + PLUGIN_DIR_INIT(&authdata_plugins); + if (PLUGIN_DIR_OPEN(&authdata_plugins) == 0) { + if (krb5int_open_plugin_dirs(objdirs, NULL, + &authdata_plugins, &err) != 0) { + return KRB5_PLUGIN_NO_HANDLE; + } + } + + /* Get the method tables provided by the loaded plugins. */ + authdata_plugins_ftables = NULL; + n_authdata_systems = 0; + if (krb5int_get_plugin_dir_data(&authdata_plugins, + "authdata_server_0", + &authdata_plugins_ftables, &err) != 0) { + return KRB5_PLUGIN_NO_HANDLE; + } + + /* Count the valid modules. */ + module_count = sizeof(static_authdata_systems) + / sizeof(static_authdata_systems[0]); + if (authdata_plugins_ftables != NULL) { + for (i = 0; authdata_plugins_ftables[i] != NULL; i++) { + ftable = authdata_plugins_ftables[i]; + if ((ftable->authdata_proc != NULL)) { + module_count++; + } + } + } + + /* Build the complete list of supported authdata options, and + * leave room for a terminator entry. */ + authdata_systems = calloc(module_count + 1, sizeof(krb5_authdata_systems)); + if (authdata_systems == NULL) { + krb5int_free_plugin_dir_data(authdata_plugins_ftables); + return ENOMEM; + } + + /* Add the locally-supplied mechanisms to the dynamic list first. */ + for (i = 0, k = 0; + i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]); + i++) { + if (static_authdata_systems[i].type == -1) + break; + authdata_systems[k] = static_authdata_systems[i]; + /* Try to initialize the authdata system. If it fails, we'll remove it + * from the list of systems we'll be using. */ + server_init_proc = static_authdata_systems[i].init; + if ((server_init_proc != NULL) && + ((*server_init_proc)(context, &authdata_systems[k].plugin_context) != 0)) { + memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); + continue; + } + k++; + } + + /* Now add the dynamically-loaded mechanisms to the list. */ + if (authdata_plugins_ftables != NULL) { + for (i = 0; authdata_plugins_ftables[i] != NULL; i++) { + krb5_error_code initerr; + void *pctx = NULL; + + ftable = authdata_plugins_ftables[i]; + if ((ftable->authdata_proc == NULL)) { + continue; + } + server_init_proc = ftable->init_proc; + if ((server_init_proc != NULL) && + ((initerr = (*server_init_proc)(context, &pctx)) != 0)) { + const char *emsg; + emsg = krb5_get_error_message(context, initerr); + if (emsg) { + krb5_klog_syslog(LOG_ERR, + "authdata %s failed to initialize: %s", + ftable->name, emsg); + krb5_free_error_message(context, emsg); + } + memset(&authdata_systems[k], 0, sizeof(authdata_systems[k])); + + continue; + } + + authdata_systems[k].name = ftable->name; + authdata_systems[k].init = server_init_proc; + authdata_systems[k].fini = ftable->fini_proc; + authdata_systems[k].handle_authdata = ftable->authdata_proc; + authdata_systems[k].plugin_context = pctx; + k++; + } + } + n_authdata_systems = k; + /* Add the end-of-list marker. */ + authdata_systems[k].name = "[end]"; + authdata_systems[k].type = -1; + return 0; +} + +krb5_error_code +unload_authdata_plugins(krb5_context context) +{ + int i; + if (authdata_systems != NULL) { + for (i = 0; i < n_authdata_systems; i++) { + if (authdata_systems[i].fini != NULL) { + (*authdata_systems[i].fini)(context, + authdata_systems[i].plugin_context); + } + memset(&authdata_systems[i], 0, sizeof(authdata_systems[i])); + } + free(authdata_systems); + authdata_systems = NULL; + n_authdata_systems = 0; + krb5int_close_plugin_dirs(&authdata_plugins); + } + return 0; +} + +krb5_error_code +handle_authdata (krb5_context context, krb5_db_entry *client, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply) +{ + krb5_error_code retval = 0; + int i; + const char *emsg; + + krb5_klog_syslog (LOG_DEBUG, "handling authdata"); + + for (i = 0; i < n_authdata_systems; i++) { + const krb5_authdata_systems *asys = &authdata_systems[i]; + if (asys->handle_authdata && asys->type != -1) { + retval = asys->handle_authdata(context, client, req_pkt, + request, enc_tkt_reply); + if (retval) { + emsg = krb5_get_error_message (context, retval); + krb5_klog_syslog (LOG_INFO, + "authdata (%s) handling failure: %s", + asys->name, emsg); + krb5_free_error_message (context, emsg); + } else { + krb5_klog_syslog (LOG_DEBUG, ".. .. ok"); + } + } + } + + return 0; +} diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index e3982254c..b535acd81 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -1,6 +1,7 @@ /* * kdc/kdc_util.h * + * Portions Copyright (C) 2007 Apple Inc. * Copyright 1990, 2007 by the Massachusetts Institute of Technology. * * Export of this software from the United States of America may @@ -163,6 +164,14 @@ krb5_error_code return_padata krb5_error_code free_padata_context (krb5_context context, void **padata_context); +/* kdc_authdata.c */ +krb5_error_code load_authdata_plugins(krb5_context context); +krb5_error_code unload_authdata_plugins(krb5_context context); + +krb5_error_code handle_authdata (krb5_context context, krb5_db_entry *client, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply); + /* replay.c */ krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **); void kdc_insert_lookaside (krb5_data *, krb5_data *); diff --git a/src/kdc/main.c b/src/kdc/main.c index ff47c0088..9416cbbd8 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -1,6 +1,7 @@ /* * kdc/main.c * + * Portions Copyright (C) 2007 Apple Inc. * Copyright 1990,2001,2008 by the Massachusetts Institute of Technology. * * Export of this software from the United States of America may @@ -713,6 +714,7 @@ int main(int argc, char **argv) setup_signal_handlers(); load_preauth_plugins(kcontext); + load_authdata_plugins(kcontext); retval = setup_sam(); if (retval) { @@ -742,6 +744,7 @@ int main(int argc, char **argv) } krb5_klog_syslog(LOG_INFO, "shutting down"); unload_preauth_plugins(kcontext); + unload_authdata_plugins(kcontext); krb5_klog_close(kdc_context); finish_realms(argv[0]); if (kdc_realmlist) diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index ed707d11e..e93551a54 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -103,6 +103,30 @@ krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, return retval; } +#if 0 +#include +static void +debug_log_authz_data(const char *which, krb5_authdata **a) +{ + if (a) { + syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which); + while (*a) { + syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'", + (*a)->ad_type, (*a)->length, (*a)->length, + (char *) (*a)->contents); + a++; + } + syslog(LOG_ERR|LOG_DAEMON, " [end]"); + } else + syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which); +} +#else +static void +debug_log_authz_data(const char *which, krb5_authdata **a) +{ +} +#endif + static krb5_error_code krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, @@ -143,7 +167,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, if ((*auth_context)->keyblock) { /* User to User authentication */ if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock, req->ticket))) -goto cleanup; + goto cleanup; krb5_free_keyblock(context, (*auth_context)->keyblock); (*auth_context)->keyblock = NULL; } else { @@ -368,6 +392,8 @@ goto cleanup; &((*auth_context)->keyblock)))) goto cleanup; + debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data); + /* * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used * then the default sequence number is the one's complement of the @@ -457,6 +483,7 @@ free(scratch.data);} /* now decode the decrypted stuff */ if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) { *authpp = local_auth; + debug_log_authz_data("authenticator", local_auth->authorization_data); } clean_scratch(); return retval; diff --git a/src/plugins/authdata/greet/Makefile.in b/src/plugins/authdata/greet/Makefile.in new file mode 100644 index 000000000..ef5f903c0 --- /dev/null +++ b/src/plugins/authdata/greet/Makefile.in @@ -0,0 +1,47 @@ +thisconfigdir=../../.. +myfulldir=plugins/authdata/greet +mydir=plugins/authdata/greet +BUILDTOP=$(REL)..$(S)..$(S).. +KRB5_RUN_ENV = @KRB5_RUN_ENV@ +KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +MODULE_INSTALL_DIR = $(KRB5_AD_MODULE_DIR) +DEFS=@DEFS@ + +LOCALINCLUDES = -I../../../include/krb5 + +LIBBASE=greet +LIBMAJOR=0 +LIBMINOR=0 +SO_EXT=.so +#RELDIR=../plugins/preauth/wpse +# Depends on nothing +SHLIB_EXPDEPS = +SHLIB_EXPLIBS= + +SHLIB_DIRS=-L$(TOPLIBD) +SHLIB_RDIRS=$(KRB5_LIBDIR) +STOBJLISTS=OBJS.ST +STLIBOBJS= greet_auth.o + +SRCS= greet_auth.c + +all-unix:: $(LIBBASE)$(SO_EXT) +install-unix:: install-libs +clean-unix:: clean-libs clean-libobjs + +clean:: + $(RM) lib$(LIBBASE)$(SO_EXT) + +@libnover_frag@ +@libobj_frag@ + +# +++ Dependency line eater +++ +# +# Makefile dependencies follow. This must be the last section in +# the Makefile.in file +# +greet_auth.so greet_auth.po $(OUTPRE)greet_auth.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/krb5/authdata_plugin.h \ + greet_auth.c diff --git a/src/plugins/authdata/greet/greet.exports b/src/plugins/authdata/greet/greet.exports new file mode 100644 index 000000000..1189effc3 --- /dev/null +++ b/src/plugins/authdata/greet/greet.exports @@ -0,0 +1 @@ +authdata_server_0 diff --git a/src/plugins/authdata/greet/greet_auth.c b/src/plugins/authdata/greet/greet_auth.c new file mode 100644 index 000000000..a9d359eaa --- /dev/null +++ b/src/plugins/authdata/greet/greet_auth.c @@ -0,0 +1,97 @@ +/* + * plugins/authdata/greet/ + * + * Copyright 2008 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Sample authorization data plugin + */ + +#include +#include +#include + +typedef struct krb5_db_entry krb5_db_entry; + +static krb5_error_code +greet_init(krb5_context ctx, void **blob) +{ + *blob = "hello"; + return 0; +} + +static void +greet_fini(krb5_context ctx, void *blob) +{ +} + +static krb5_error_code +greet_authdata(krb5_context ctx, krb5_db_entry *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part * enc_tkt_reply) +{ +#define GREET_SIZE (20) + + char *p; + krb5_authdata *a; + size_t count; + krb5_authdata **new_ad; + + p = calloc(1, GREET_SIZE); + a = calloc(1, sizeof(*a)); + + if (p == NULL || a == NULL) { + free(p); + free(a); + return ENOMEM; + } + strcpy(p, "hello there"); + a->magic = KV5M_AUTHDATA; + a->ad_type = -42; + a->length = GREET_SIZE; + a->contents = p; + if (enc_tkt_reply->authorization_data == 0) { + count = 0; + } else { + for (count = 0; enc_tkt_reply->authorization_data[count] != 0; count++) + ; + } + new_ad = realloc(enc_tkt_reply->authorization_data, + (count+2) * sizeof(krb5_authdata *)); + if (new_ad == NULL) { + free(p); + free(a); + return ENOMEM; + } + enc_tkt_reply->authorization_data = new_ad; + new_ad[count] = a; + new_ad[count+1] = NULL; + return 0; +} + +krb5plugin_authdata_ftable_v0 authdata_server_0 = { + "greet", + greet_init, + greet_fini, + greet_authdata, +};