From 4902dd11b115320f252f73d59a692db9ad7dd600 Mon Sep 17 00:00:00 2001 From: Greg Hudson <ghudson@mit.edu> Date: Wed, 5 Oct 2011 17:27:15 +0000 Subject: [PATCH] Use an opaque handle in the kdcpreauth callback Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/fast_factor.h | 15 +- src/include/krb5/krb5.hin | 7 - src/include/krb5/preauth_plugin.h | 32 +-- src/kdc/do_as_req.c | 22 +- src/kdc/fast_util.c | 2 - src/kdc/kdc_preauth.c | 203 ++++++++---------- src/kdc/kdc_preauth_ec.c | 33 ++- src/kdc/kdc_util.h | 31 +-- src/lib/krb5/asn.1/krb5_decode_kdc.c | 2 - src/lib/krb5/krb/kfree.c | 1 - .../preauth/cksum_body/cksum_body_main.c | 29 +-- src/plugins/preauth/fast_factor.h | 58 ----- src/plugins/preauth/pkinit/deps | 22 +- src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +- src/plugins/preauth/pkinit/pkinit_srv.c | 22 +- .../preauth/securid_sam2/securid_sam2_main.c | 36 ++-- src/plugins/preauth/wpse/wpse_main.c | 14 +- 17 files changed, 220 insertions(+), 311 deletions(-) delete mode 100644 src/plugins/preauth/fast_factor.h diff --git a/src/include/fast_factor.h b/src/include/fast_factor.h index 42f1b27a7..734d37779 100644 --- a/src/include/fast_factor.h +++ b/src/include/fast_factor.h @@ -47,20 +47,17 @@ fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data, static inline krb5_error_code fast_kdc_get_armor_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_entry, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, + krb5_kdcpreauth_get_data_fn get_data, + krb5_kdcpreauth_rock rock, krb5_keyblock **armor_key) { krb5_error_code retval; krb5_data *data; - retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor, - &data); + retval = (*get_data)(context, rock, krb5_kdcpreauth_fast_armor, &data); if (retval == 0) { *armor_key = (krb5_keyblock *) data->data; data->data = NULL; - get_entry(context, request, client, - krb5_kdcpreauth_free_fast_armor, &data); + (*get_data)(context, rock, krb5_kdcpreauth_free_fast_armor, &data); } return retval; } @@ -69,8 +66,8 @@ fast_kdc_get_armor_key(krb5_context context, static inline krb5_error_code fast_kdc_replace_reply_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_data, - krb5_kdc_req *request) + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock) { return 0; } diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 935ac8640..3d9dbbfb7 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -2012,13 +2012,6 @@ typedef struct _krb5_kdc_req { krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */ krb5_authdata **unenc_authdata; /**< Unencrypted authz data */ krb5_ticket **second_ticket; /**< Second ticket array (optional) */ - /* - * The following field is added in March 2009; it is a hack so that FAST - * state can be carried to pre-authentication plugins. A new plugin - * interface may be a better long-term approach. It is believed to be safe - * to extend this structure because it is not found in any public APIs. - */ - void *kdc_state; } krb5_kdc_req; /** diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h index 3f9dfcc35..c64cc3699 100644 --- a/src/include/krb5/preauth_plugin.h +++ b/src/include/krb5/preauth_plugin.h @@ -324,10 +324,8 @@ typedef struct krb5_clpreauth_vtable_st { * kdcpreauth plugin interface definition. */ -/* While arguments of these types are passed in, they are opaque to kdcpreauth - * modules. */ -struct _krb5_db_entry_new; -struct _krb5_key_data; +/* Abstract type for a KDC callback data handle. */ +typedef struct krb5_kdcpreauth_rock_st *krb5_kdcpreauth_rock; /* Abstract type for module data and per-request module data. */ typedef struct krb5_kdcpreauth_moddata_st *krb5_kdcpreauth_moddata; @@ -346,8 +344,9 @@ enum krb5_kdcpreauth_request_type { krb5_kdcpreauth_max_time_skew = 2, /* * The returned krb5_data_item holds an array of krb5_keyblock structures, - * terminated by an entry with key type = 0. Each keyblock should have its - * contents freed in turn, and then the data item itself should be freed. + * containing the client keys, terminated by an entry with key type = 0. + * Each keyblock should have its contents freed in turn, and then the data + * item itself should be freed. */ krb5_kdcpreauth_keys = 3, /* @@ -368,13 +367,16 @@ enum krb5_kdcpreauth_request_type { * the keyblock using krb5_free_keyblock; in that case, this function * simply frees the data. */ - krb5_kdcpreauth_free_fast_armor = 6 + krb5_kdcpreauth_free_fast_armor = 6, + /* + * The returned krb5_data contains a pointer to the client DB entry. The + * pointer is an alias and should not be freed. + */ + krb5_kdcpreauth_get_client = 7 }; typedef krb5_error_code -(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *entry, - krb5_int32 request_type, - krb5_data **); +(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_int32 request_type, krb5_data **); /* Optional: preauth plugin initialization function. */ typedef krb5_error_code @@ -411,9 +413,8 @@ typedef int */ typedef krb5_error_code (*krb5_kdcpreauth_edata_fn)(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, krb5_kdcpreauth_get_data_fn get_data, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_out); @@ -441,11 +442,11 @@ typedef void */ typedef void (*krb5_kdcpreauth_verify_fn)(krb5_context context, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, krb5_kdcpreauth_get_data_fn get_data, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg); @@ -458,14 +459,13 @@ typedef void typedef krb5_error_code (*krb5_kdcpreauth_return_fn)(krb5_context context, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_keys, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa_out, krb5_kdcpreauth_get_data_fn get_data, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq); diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 9102e26a0..8419a8cfc 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -110,6 +110,7 @@ struct as_req_state { krb5_db_entry *client; krb5_db_entry *server; krb5_kdc_req *request; + struct krb5_kdcpreauth_rock_st rock; const char *status; krb5_pa_data **e_data; krb5_boolean typed_e_data; @@ -156,8 +157,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) &state->enc_tkt_reply); if (state->status) { errcode = KRB5KDC_ERR_PREAUTH_REQUIRED; - get_preauth_hint_list(state->request, state->client, - state->server, &state->e_data); + get_preauth_hint_list(state->request, &state->rock, &state->e_data); goto egress; } @@ -216,6 +216,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = KRB5KDC_ERR_ETYPE_NOSUPP; goto egress; } + state->rock.client_key = client_key; /* convert client.key_data into a real key */ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, @@ -254,8 +255,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) /* Fetch the padata info to be returned (do this before * authdata to handle possible replacement of reply key */ - errcode = return_padata(kdc_context, state->client, state->req_pkt, - state->request, &state->reply, client_key, + errcode = return_padata(kdc_context, &state->rock, state->req_pkt, + state->request, &state->reply, &state->client_keyblock, &state->pa_context); if (errcode) { state->status = "KDC_RETURN_PADATA"; @@ -409,7 +410,6 @@ egress: krb5_free_pa_data(kdc_context, state->e_data); kdc_free_rstate(state->rstate); - state->request->kdc_state = NULL; krb5_free_kdc_req(kdc_context, state->request); assert(did_log != 0); @@ -424,8 +424,8 @@ finish_preauth(void *arg, krb5_error_code errcode) if (errcode) { if (errcode == KRB5KDC_ERR_PREAUTH_FAILED) - get_preauth_hint_list(state->request, state->client, - state->server, &state->e_data); + get_preauth_hint_list(state->request, &state->rock, + &state->e_data); state->status = "PREAUTH_FAILED"; if (vague_errors) @@ -475,6 +475,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->cname = 0; state->pa_context = NULL; state->from = from; + memset(&state->rock, 0, sizeof(state->rock)); #if APPLE_PKINIT asReqDebug("process_as_req top realm %s name %s\n", @@ -503,7 +504,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->status = "error decoding FAST"; goto errout; } - state->request->kdc_state = state->rstate; + state->rock.request = state->request; + state->rock.rstate = state->rstate; if (!state->request->client) { state->status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -560,6 +562,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->status = "LOOKING_UP_CLIENT"; goto errout; } + state->rock.client = state->client; /* * If the backend returned a principal that is not in the local @@ -749,11 +752,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->enc_tkt_reply.client = state->request->client; setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH); } + /* * Check the preauthentication if it is there. */ if (state->request->padata) { - check_padata(kdc_context, state->client, state->req_pkt, + check_padata(kdc_context, &state->rock, state->req_pkt, state->request, &state->enc_tkt_reply, &state->pa_context, &state->e_data, &state->typed_e_data, finish_preauth, state); diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index 52eb99722..96c8c1394 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -223,8 +223,6 @@ kdc_find_fast(krb5_kdc_req **requestptr, KRB5_PADATA_FX_COOKIE); if (retval == 0) { state->fast_options = fast_req->fast_options; - if (request->kdc_state == state) - request->kdc_state = NULL; krb5_free_kdc_req( kdc_context, request); *requestptr = fast_req->req_body; fast_req->req_body = NULL; diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index c94d9fefb..87586d700 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -105,30 +105,26 @@ typedef struct preauth_system_st { } preauth_system; static void -verify_enc_timestamp(krb5_context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn get_entry_data, +verify_enc_timestamp(krb5_context, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_verify_respond_fn respond, - void *arg); + krb5_kdcpreauth_verify_respond_fn respond, void *arg); static krb5_error_code get_enc_ts(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_kdcpreauth_get_data_fn get_entry_data, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata modata, krb5_pa_data *data); static krb5_error_code get_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_kdcpreauth_get_data_fn get_entry_data, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data); static krb5_error_code get_etype_info2(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_kdcpreauth_get_data_fn get_entry_data, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data); static krb5_error_code @@ -141,31 +137,27 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, int etype_info2); static krb5_error_code -return_etype_info(krb5_context, krb5_pa_data *padata, krb5_db_entry *client, +return_etype_info(krb5_context, krb5_pa_data *padata, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_key_data *client_key, - krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn get_entry_data, - krb5_kdcpreauth_moddata moddata, + krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq); static krb5_error_code -return_etype_info2(krb5_context, krb5_pa_data *padata, krb5_db_entry *client, +return_etype_info2(krb5_context, krb5_pa_data *padata, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_key_data *client_key, - krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn get_entry_data, - krb5_kdcpreauth_moddata moddata, + krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq); static krb5_error_code -return_pw_salt(krb5_context, krb5_pa_data *padata, krb5_db_entry *client, +return_pw_salt(krb5_context, krb5_pa_data *padata, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn get_entry_data, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq modreq); + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq); #if APPLE_PKINIT @@ -547,7 +539,7 @@ get_entry_tl_data(krb5_context context, krb5_db_entry *entry, } /* - * Retrieve a specific piece of information pertaining to the entry or the + * Retrieve a specific piece of information pertaining to the client entry or * request and return it in a new krb5_data item which the caller must free. * * This may require massaging data into a contrived format, but it will @@ -555,8 +547,8 @@ get_entry_tl_data(krb5_context context, krb5_db_entry *entry, * modules. */ static krb5_error_code -get_entry_data(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *entry, krb5_int32 type, krb5_data **result) +get_data(krb5_context context, krb5_kdcpreauth_rock rock, krb5_int32 type, + krb5_data **result) { int i, k; krb5_data *ret; @@ -564,12 +556,14 @@ get_entry_data(krb5_context context, krb5_kdc_req *request, krb5_keyblock *keys; krb5_key_data *entry_key; krb5_error_code error; - struct kdc_request_state *state = request->kdc_state; + krb5_kdc_req *request = rock->request; + struct kdc_request_state *state = rock->rstate; + krb5_db_entry *client = rock->client; switch (type) { case krb5_kdcpreauth_request_certificate: - return get_entry_tl_data(context, entry, - KRB5_TL_USER_CERTIFICATE, result); + return get_entry_tl_data(context, client, KRB5_TL_USER_CERTIFICATE, + result); break; case krb5_kdcpreauth_max_time_skew: ret = malloc(sizeof(krb5_data)); @@ -601,7 +595,7 @@ get_entry_data(krb5_context context, krb5_kdc_req *request, k = 0; for (i = 0; i < request->nktypes; i++) { entry_key = NULL; - if (krb5_dbe_find_enctype(context, entry, request->ktype[i], + if (krb5_dbe_find_enctype(context, client, request->ktype[i], -1, 0, &entry_key) != 0) continue; if (krb5_dbe_decrypt_key_data(context, NULL, entry_key, @@ -654,6 +648,14 @@ get_entry_data(krb5_context context, krb5_kdc_req *request, } free(*result); return 0; + case krb5_kdcpreauth_get_client: + ret = malloc(sizeof(krb5_data)); + if (ret == NULL) + return ENOMEM; + ret->data = (char *)&rock->client; + ret->length = sizeof(rock->client); + *result = ret; + return 0; default: break; } @@ -820,8 +822,8 @@ const char *missing_required_preauth(krb5_db_entry *client, } void -get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, - krb5_db_entry *server, krb5_pa_data ***e_data_out) +get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, + krb5_pa_data ***e_data_out) { int hw_only; preauth_system *ap; @@ -830,7 +832,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, *e_data_out = NULL; - hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); + hw_only = isflagset(rock->client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); /* Allocate two extra entries for the cookie and the terminator. */ pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *)); if (pa_data == 0) @@ -849,8 +851,8 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, (*pa)->magic = KV5M_PA_DATA; (*pa)->pa_type = ap->type; if (ap->get_edata) { - retval = ap->get_edata(kdc_context, request, client, server, - get_entry_data, ap->moddata, *pa); + retval = ap->get_edata(kdc_context, request, get_data, rock, + ap->moddata, *pa); if (retval) { /* just failed on this type, continue */ free(*pa); @@ -869,7 +871,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client, * If we fail to get the cookie it is probably * still reasonable to continue with the response */ - kdc_preauth_get_cookie(request->kdc_state, pa); + kdc_preauth_get_cookie(rock->rstate, pa); *e_data_out = pa_data; pa_data = NULL; @@ -937,7 +939,7 @@ struct padata_state { krb5_pa_data **padata; int pa_found; krb5_context context; - krb5_db_entry *client; + krb5_kdcpreauth_rock rock; krb5_data *req_pkt; krb5_kdc_req *request; krb5_enc_tkt_part *enc_tkt_reply; @@ -1135,11 +1137,11 @@ next_padata(struct padata_state *state) goto next; state->pa_found++; - state->pa_sys->verify_padata(state->context, state->client, - state->req_pkt, state->request, - state->enc_tkt_reply, *state->padata, - get_entry_data, state->pa_sys->moddata, - finish_verify_padata, state); + state->pa_sys->verify_padata(state->context, state->req_pkt, + state->request, state->enc_tkt_reply, + *state->padata, get_data, state->rock, + state->pa_sys->moddata, finish_verify_padata, + state); return; next: @@ -1155,11 +1157,11 @@ next: */ void -check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, - void **padata_context, krb5_pa_data ***e_data, - krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond, - void *arg) +check_padata(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, void **padata_context, + krb5_pa_data ***e_data, krb5_boolean *typed_e_data, + kdc_preauth_respond_fn respond, void *arg) { struct padata_state *state; @@ -1182,7 +1184,7 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, state->respond = respond; state->arg = arg; state->context = context; - state->client = client; + state->rock = rock; state->req_pkt = req_pkt; state->request = request; state->enc_tkt_reply = enc_tkt_reply; @@ -1203,10 +1205,9 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, * structures which should be returned by the KDC to the client */ krb5_error_code -return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, krb5_keyblock *encrypting_key, - void **padata_context) +return_padata(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_keyblock *encrypting_key, void **padata_context) { krb5_error_code retval; krb5_pa_data ** padata; @@ -1280,13 +1281,11 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, } } } - if ((retval = ap->return_padata(context, pa, client, req_pkt, - request, reply, - client_key, encrypting_key, send_pa, - get_entry_data, ap->moddata, - *modreq_ptr))) { + retval = ap->return_padata(context, pa, req_pkt, request, reply, + encrypting_key, send_pa, get_data, rock, + ap->moddata, *modreq_ptr); + if (retval) goto cleanup; - } if (*send_pa) send_pa++; @@ -1322,22 +1321,20 @@ request_contains_enctype(krb5_context context, const krb5_kdc_req *request, static krb5_error_code get_enc_ts(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_kdcpreauth_get_data_fn get_entry_data_proc, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { - struct kdc_request_state *state = request->kdc_state; - if (state->armor_key) + if (rock->rstate->armor_key != NULL) return ENOENT; return 0; } static void -verify_enc_timestamp(krb5_context context, krb5_db_entry *client, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa, - krb5_kdcpreauth_get_data_fn ets_get_entry_data, +verify_enc_timestamp(krb5_context context, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *pa, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -1368,7 +1365,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, start = 0; decrypt_err = 0; while (1) { - if ((retval = krb5_dbe_search_enctype(context, client, + if ((retval = krb5_dbe_search_enctype(context, rock->client, &start, enc_data->enctype, -1, 0, &client_key))) goto cleanup; @@ -1492,8 +1489,8 @@ fail: */ static krb5_error_code etype_info_helper(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_pa_data *pa_data, int etype_info2) + krb5_db_entry *client, krb5_pa_data *pa_data, + int etype_info2) { krb5_etype_info_entry ** entry = 0; krb5_key_data *client_key; @@ -1579,8 +1576,7 @@ cleanup: static krb5_error_code get_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_kdcpreauth_get_data_fn etype_get_entry_data, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data) { int i; @@ -1590,16 +1586,15 @@ get_etype_info(krb5_context context, krb5_kdc_req *request, * skip this * type*/ } - return etype_info_helper(context, request, client, server, pa_data, 0); + return etype_info_helper(context, request, rock->client, pa_data, 0); } static krb5_error_code get_etype_info2(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_kdcpreauth_get_data_fn etype_get_entry_data, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data) { - return etype_info_helper( context, request, client, server, pa_data, 1); + return etype_info_helper(context, request, rock->client, pa_data, 1); } static krb5_error_code @@ -1681,51 +1676,43 @@ cleanup: static krb5_error_code return_etype_info2(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn etype_get_entry_data, - krb5_kdcpreauth_moddata moddata, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { - return etype_info_as_rep_helper(context, padata, client, request, reply, - client_key, encrypting_key, send_pa, 1); + return etype_info_as_rep_helper(context, padata, rock->client, request, + reply, rock->client_key, encrypting_key, + send_pa, 1); } static krb5_error_code -return_etype_info(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, - krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn etypeget_entry_data, - krb5_kdcpreauth_moddata moddata, +return_etype_info(krb5_context context, krb5_pa_data *padata, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { - return etype_info_as_rep_helper(context, padata, client, request, reply, - client_key, encrypting_key, send_pa, 0); + return etype_info_as_rep_helper(context, padata, rock->client, request, + reply, rock->client_key, encrypting_key, + send_pa, 0); } static krb5_error_code return_pw_salt(krb5_context context, krb5_pa_data *in_padata, - krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn etype_get_entry_data, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq modreq) + krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { krb5_error_code retval; krb5_pa_data * padata; krb5_data * scratch; krb5_data salt_data; + krb5_key_data * client_key = rock->client_key; int i; for (i = 0; i < request->nktypes; i++) { diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c index 24b667507..62fa615e0 100644 --- a/src/kdc/kdc_preauth_ec.c +++ b/src/kdc/kdc_preauth_ec.c @@ -36,15 +36,12 @@ static krb5_error_code kdc_include_padata(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn get_data_proc, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { krb5_error_code retval = 0; krb5_keyblock *armor_key = NULL; - retval = fast_kdc_get_armor_key(context, get_data_proc, request, client, - &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval) return retval; if (armor_key == 0) @@ -54,11 +51,10 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request, } static void -kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn get_entry_proc, - krb5_kdcpreauth_moddata moddata, +kdc_verify_preauth(krb5_context context, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) { @@ -77,7 +73,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, plain.data = NULL; - retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval == 0 &&armor_key == NULL) { retval = ENOENT; krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); @@ -93,8 +89,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, retval = ENOMEM; } if (retval == 0) - retval = get_entry_proc(context, request, client, - krb5_kdcpreauth_keys, &client_data); + retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_data); if (retval == 0) { client_keys = (krb5_keyblock *) client_data->data; for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) { @@ -138,7 +133,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, * may cause the client to fail, but at this point the KDC has * considered this a success, so the return value is ignored. */ - fast_kdc_replace_reply_key(context, get_entry_proc, request); + fast_kdc_replace_reply_key(context, get, rock); if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", &client_keys[i], "challengelongterm", &kdc_challenge_key) == 0) @@ -166,12 +161,10 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, static krb5_error_code kdc_return_preauth(krb5_context context, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_keys, - krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn get_entry_proc, - krb5_kdcpreauth_moddata moddata, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { krb5_error_code retval = 0; diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index e0be83fe6..6d91822ff 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -167,10 +167,8 @@ missing_required_preauth (krb5_db_entry *client, krb5_db_entry *server, krb5_enc_tkt_part *enc_tkt_reply); void -get_preauth_hint_list (krb5_kdc_req * request, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_pa_data ***e_data_out); +get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, + krb5_pa_data ***e_data_out); void load_preauth_plugins(krb5_context context); void @@ -179,18 +177,16 @@ unload_preauth_plugins(krb5_context context); typedef void (*kdc_preauth_respond_fn)(void *arg, krb5_error_code code); void -check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, - void **padata_context, krb5_pa_data ***e_data, - krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond, - void *state); +check_padata(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, void **padata_context, + krb5_pa_data ***e_data, krb5_boolean *typed_e_data, + kdc_preauth_respond_fn respond, void *state); krb5_error_code -return_padata (krb5_context context, krb5_db_entry *client, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, - krb5_key_data *client_key, krb5_keyblock *encrypting_key, - void **padata_context); +return_padata(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_keyblock *encrypting_key, void **padata_context); void free_padata_context(krb5_context context, void *padata_context); @@ -380,6 +376,13 @@ krb5_error_code krb5int_get_domain_realm_mapping(krb5_context context, const char *host, char ***realmsp); +/* Information handle for kdcpreauth callbacks. All pointers are aliases. */ +struct krb5_kdcpreauth_rock_st { + krb5_kdc_req *request; + krb5_db_entry *client; + krb5_key_data *client_key; + struct kdc_request_state *rstate; +}; #define isflagset(flagfield, flag) (flagfield & (flag)) #define setflag(flagfield, flag) (flagfield |= (flag)) diff --git a/src/lib/krb5/asn.1/krb5_decode_kdc.c b/src/lib/krb5/asn.1/krb5_decode_kdc.c index ac6ef2056..4f1c91d87 100644 --- a/src/lib/krb5/asn.1/krb5_decode_kdc.c +++ b/src/lib/krb5/asn.1/krb5_decode_kdc.c @@ -41,7 +41,6 @@ decode_krb5_as_req(const krb5_data *code, krb5_kdc_req **repptr) clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); - clear_field(rep, kdc_state); check_apptag(10); retval = asn1_decode_kdc_req(&buf,rep); @@ -69,7 +68,6 @@ decode_krb5_tgs_req(const krb5_data *code, krb5_kdc_req **repptr) clear_field(rep,authorization_data.ciphertext.data); clear_field(rep,unenc_authdata); clear_field(rep,second_ticket); - clear_field(rep, kdc_state); check_apptag(12); retval = asn1_decode_kdc_req(&buf,rep); diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 071a97728..2a323ec6f 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -339,7 +339,6 @@ krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val) { if (val == NULL) return; - assert( val->kdc_state == NULL); krb5_free_pa_data(context, val->padata); krb5_free_principal(context, val->client); krb5_free_principal(context, val->server); diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index 06ba14d5a..144ab6d96 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -272,13 +272,9 @@ server_fini(krb5_context kcontext, krb5_kdcpreauth_moddata moddata) /* Obtain and return any preauthentication data (which is destined for the * client) which matches type data->pa_type. */ static krb5_error_code -server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, - krb5_kdcpreauth_moddata moddata, - krb5_pa_data *data) +server_get_edata(krb5_context kcontext, krb5_kdc_req *request, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { krb5_data *key_data; krb5_keyblock *keys, *key; @@ -287,8 +283,7 @@ server_get_edata(krb5_context kcontext, /* Retrieve the client's keys. */ key_data = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_keys, &key_data) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) { #ifdef DEBUG fprintf(stderr, "Error retrieving client keys.\n"); #endif @@ -331,12 +326,12 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static void server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -394,8 +389,7 @@ server_verify(krb5_context kcontext, /* Pull up the client's keys. */ key_data = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_keys, &key_data) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) { #ifdef DEBUG fprintf(stderr, "Error retrieving client keys.\n"); #endif @@ -454,9 +448,7 @@ server_verify(krb5_context kcontext, * extract the structure directly from the req_pkt structure. This * will probably work if it's us on both ends, though. */ req_body = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_request_body, - &req_body) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_request_body, &req_body) != 0) { krb5_free_keyblock(kcontext, key); stats->failures++; (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); @@ -593,14 +585,13 @@ server_verify(krb5_context kcontext, static krb5_error_code server_return(krb5_context kcontext, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h deleted file mode 100644 index f585bc22c..000000000 --- a/src/plugins/preauth/fast_factor.h +++ /dev/null @@ -1,58 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ - -/* - * Returns success with a null armor_key if FAST is available but not in use. - * Returns failure if the client library does not support FAST. - */ -static inline krb5_error_code -fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data, - krb5_clpreauth_rock rock, krb5_keyblock **armor_key) -{ - krb5_error_code retval = 0; - krb5_data *data; - retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_data(context, rock, krb5_clpreauth_free_fast_armor, &data); - } - return retval; -} - -static inline krb5_error_code -fast_kdc_get_armor_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_entry, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - krb5_keyblock **armor_key) -{ - krb5_error_code retval; - krb5_data *data; - retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor, - &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_entry(context, request, client, - krb5_kdcpreauth_free_fast_armor, &data); - } - return retval; -} - - - -static inline krb5_error_code -fast_kdc_replace_reply_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_data, - krb5_kdc_req *request) -{ - return 0; -} - -static inline krb5_error_code -fast_set_kdc_verified(krb5_context context, - krb5_clpreauth_get_data_fn get_data, - krb5_clpreauth_rock rock) -{ - return 0; -} diff --git a/src/plugins/preauth/pkinit/deps b/src/plugins/preauth/pkinit/deps index 8ad6b14db..ceff74918 100644 --- a/src/plugins/preauth/pkinit/deps +++ b/src/plugins/preauth/pkinit/deps @@ -16,16 +16,16 @@ pkinit_accessor.so pkinit_accessor.po $(OUTPRE)pkinit_accessor.$(OBJEXT): \ pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ - pkinit_srv.c + $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \ + pkinit_accessor.h pkinit_crypto.h pkinit_srv.c pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \ @@ -49,7 +49,7 @@ pkinit_kdf_constants.so pkinit_kdf_constants.po $(OUTPRE)pkinit_kdf_constants.$( pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_constants.c pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \ diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 4860e0712..f8cfac5ad 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -42,7 +42,7 @@ #include "pkinit.h" /* Remove when FAST PKINIT is settled. */ -#include "../fast_factor.h" +#include "fast_factor.h" /* * It is anticipated that all the special checks currently diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 2fbc24391..a79b25c29 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -38,7 +38,7 @@ #include "pkinit.h" /* Remove when FAST PKINIT is settled. */ -#include "../fast_factor.h" +#include "fast_factor.h" static krb5_error_code pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob); @@ -101,9 +101,8 @@ cleanup: static krb5_error_code pkinit_server_get_edata(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { @@ -114,8 +113,7 @@ pkinit_server_get_edata(krb5_context context, pkiDebug("pkinit_server_get_edata: entered!\n"); /* Remove (along with armor_key) when FAST PKINIT is settled. */ - retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, - client, &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval == 0 && armor_key != NULL) { /* Don't advertise PKINIT if the client used FAST. */ krb5_free_keyblock(context, armor_key); @@ -289,12 +287,12 @@ out: static void pkinit_server_verify_padata(krb5_context context, - struct _krb5_db_entry_new * client, krb5_data *req_pkt, krb5_kdc_req * request, krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data * data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -324,8 +322,7 @@ pkinit_server_verify_padata(krb5_context context, } /* Remove (along with armor_key) when FAST PKINIT is settled. */ - retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, - client, &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval == 0 && armor_key != NULL) { /* Don't allow PKINIT if the client used FAST. */ krb5_free_keyblock(context, armor_key); @@ -697,14 +694,13 @@ cleanup: static krb5_error_code pkinit_server_return_padata(krb5_context context, krb5_pa_data * padata, - struct _krb5_db_entry_new * client, krb5_data *req_pkt, krb5_kdc_req * request, krb5_kdc_rep * reply, - struct _krb5_key_data * client_key, krb5_keyblock * encrypting_key, krb5_pa_data ** send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { diff --git a/src/plugins/preauth/securid_sam2/securid_sam2_main.c b/src/plugins/preauth/securid_sam2/securid_sam2_main.c index 700cd59f9..5ed59c811 100644 --- a/src/plugins/preauth/securid_sam2/securid_sam2_main.c +++ b/src/plugins/preauth/securid_sam2/securid_sam2_main.c @@ -50,6 +50,19 @@ static struct { { 0, 0 }, }; +static krb5_db_entry * +get_client_entry(krb5_context context, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock) +{ + krb5_data *data; + krb5_db_entry *client; + + (*get)(context, rock, krb5_kdcpreauth_get_client, &data); + client = *(krb5_db_entry **)data->data; + free(data); + return client; +} + krb5_error_code sam_get_db_entry(krb5_context context, krb5_principal client, int *sam_type, struct _krb5_db_entry_new **db_entry) @@ -114,9 +127,7 @@ cleanup: static krb5_error_code kdc_include_padata(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn get_entry_proc, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data) { krb5_error_code retval; @@ -125,7 +136,7 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request, krb5_sam_challenge_2 sc2; krb5_sam_challenge_2_body sc2b; int sam_type = 0; /* unknown */ - krb5_db_entry *sam_db_entry = NULL; + krb5_db_entry *sam_db_entry = NULL, *client; krb5_data *encoded_challenge = NULL; memset(&sc2, 0, sizeof(sc2)); @@ -133,12 +144,12 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request, sc2b.magic = KV5M_SAM_CHALLENGE_2; sc2b.sam_type = sam_type; + client = get_client_entry(context, get, rock); retval = sam_get_db_entry(context, client->princ, &sam_type, &sam_db_entry); if (retval) return retval; - retval = get_entry_proc(context, request, client, - krb5_kdcpreauth_keys, &client_keys_data); + retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_keys_data); if (retval) goto cleanup; client_key = (krb5_keyblock *) client_keys_data->data; @@ -203,19 +214,18 @@ cleanup: } static void -kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data, - krb5_kdcpreauth_get_data_fn get_entry_proc, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_verify_respond_fn respond, - void *arg) +kdc_verify_preauth(krb5_context context, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *pa_data, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) { krb5_error_code retval, saved_retval = 0; krb5_sam_response_2 *sr2 = NULL; krb5_data scratch, *scratch2, *e_data = NULL; char *client_name = NULL; krb5_sam_challenge_2 *out_sc2 = NULL; + krb5_db_entry *client = get_client_entry(context, get, rock); scratch.data = (char *) pa_data->contents; scratch.length = pa_data->length; diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c index 3c10e1416..e3f5d8782 100644 --- a/src/plugins/preauth/wpse/wpse_main.c +++ b/src/plugins/preauth/wpse/wpse_main.c @@ -246,9 +246,8 @@ server_free_modreq(krb5_context kcontext, static krb5_error_code server_get_edata(krb5_context kcontext, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { @@ -261,12 +260,12 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static void server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -370,14 +369,13 @@ server_verify(krb5_context kcontext, static krb5_error_code server_return(krb5_context kcontext, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { /* This module does a couple of dumb things. It tags its reply with -- 2.26.2