From b03f83736fd68369070f2a7600aff8e4e3eed74f Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 23 Sep 2011 14:35:34 +0000 Subject: [PATCH] Recast encrypted challenge as linked built-ins Since it has no external dependencies, split up encrypted preauth into clpreauth and kdcpreauth chunks and link them directly into the consumers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25227 dc483132-0cff-0310-8789-dd5450dbe970 --- src/Makefile.in | 2 - src/configure.in | 2 +- src/include/fast_factor.h | 86 ++++++++ src/kdc/Makefile.in | 2 + src/kdc/kdc_preauth.c | 7 +- .../kdc_preauth_ec.c} | 164 +-------------- src/kdc/kdc_util.h | 5 + src/lib/krb5/krb/Makefile.in | 3 + src/lib/krb5/krb/int-proto.h | 4 + src/lib/krb5/krb/preauth2.c | 7 +- src/lib/krb5/krb/preauth_ec.c | 189 ++++++++++++++++++ .../preauth/encrypted_challenge/Makefile.in | 39 ---- src/plugins/preauth/encrypted_challenge/deps | 15 -- .../encrypted_challenge.exports | 2 - 14 files changed, 301 insertions(+), 226 deletions(-) create mode 100644 src/include/fast_factor.h rename src/{plugins/preauth/encrypted_challenge/encrypted_challenge_main.c => kdc/kdc_preauth_ec.c} (59%) create mode 100644 src/lib/krb5/krb/preauth_ec.c delete mode 100644 src/plugins/preauth/encrypted_challenge/Makefile.in delete mode 100644 src/plugins/preauth/encrypted_challenge/deps delete mode 100644 src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports diff --git a/src/Makefile.in b/src/Makefile.in index 2d97c5717..9e048ad7a 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -13,7 +13,6 @@ SUBDIRS=util include lib \ plugins/kdb/db2 \ @ldap_plugin_dir@ \ plugins/preauth/pkinit \ - plugins/preauth/encrypted_challenge \ kdc kadmin slave clients appl tests \ config-files gen-manpages @po@ WINSUBDIRS=include util lib ccapi windows clients appl 
@@ -89,7 +88,6 @@ fake-install: runenv.py (w=`pwd`; cd util && $(MAKE) install DESTDIR="$$w/util/fakedest") (w=`pwd`; cd lib && $(MAKE) install DESTDIR="$$w/util/fakedest") (w=`pwd`; cd plugins/kdb/db2 && $(MAKE) install DESTDIR="$$w/util/fakedest") - (w=`pwd`; cd plugins/preauth/encrypted_challenge && $(MAKE) install DESTDIR="$$w/util/fakedest") if test -r plugins/preauth/pkinit/Makefile; then \ (w=`pwd`; cd plugins/preauth/pkinit && $(MAKE) install DESTDIR="$$w/util/fakedest"); \ fi diff --git a/src/configure.in b/src/configure.in index 961f80967..6c3eebcc4 100644 --- a/src/configure.in +++ b/src/configure.in @@ -1231,7 +1231,7 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test plugins/kdb/db2/libdb2/recno plugins/kdb/db2/libdb2/test plugins/kdb/hdb - plugins/preauth/cksum_body plugins/preauth/encrypted_challenge + plugins/preauth/cksum_body plugins/preauth/securid_sam2 plugins/preauth/wpse plugins/authdata/greet diff --git a/src/include/fast_factor.h b/src/include/fast_factor.h new file mode 100644 index 000000000..42f1b27a7 --- /dev/null +++ b/src/include/fast_factor.h 
@@ -0,0 +1,86 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/fast_factor.h - Convenience inline functions for FAST factors */ +/* + * Copyright (C) 2011 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#ifndef FAST_FACTOR_H + +/* + * Returns success with a null armor_key if FAST is available but not in use. + * Returns failure if the client library does not support FAST. 
+ */ +static inline krb5_error_code +fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data, + krb5_clpreauth_rock rock, krb5_keyblock **armor_key) +{ + krb5_error_code retval = 0; + krb5_data *data; + retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_data(context, rock, krb5_clpreauth_free_fast_armor, &data); + } + return retval; +} + +static inline krb5_error_code +fast_kdc_get_armor_key(krb5_context context, + krb5_kdcpreauth_get_data_fn get_entry, + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + krb5_keyblock **armor_key) +{ + krb5_error_code retval; + krb5_data *data; + retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor, + &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_entry(context, request, client, + krb5_kdcpreauth_free_fast_armor, &data); + } + return retval; +} + + + +static inline krb5_error_code +fast_kdc_replace_reply_key(krb5_context context, + krb5_kdcpreauth_get_data_fn get_data, + krb5_kdc_req *request) +{ + return 0; +} + +static inline krb5_error_code +fast_set_kdc_verified(krb5_context context, + krb5_clpreauth_get_data_fn get_data, + krb5_clpreauth_rock rock) +{ + return 0; +} + +#endif /* FAST_FACTOR_H */ diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index 1c7bbf961..68f1a5b8f 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -20,6 +20,7 @@ SRCS= \ $(srcdir)/fast_util.c \ $(srcdir)/kdc_util.c \ $(srcdir)/kdc_preauth.c \ + $(srcdir)/kdc_preauth_ec.c \ $(srcdir)/main.c \ $(srcdir)/policy.c \ $(srcdir)/extern.c \ @@ -34,6 +35,7 @@ OBJS= \ fast_util.o \ kdc_util.o \ kdc_preauth.o \ + kdc_preauth_ec.o \ main.o \ policy.o \ extern.o \ diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 69b1e2cf5..dabc9c159 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c 
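Review bot: The include guard in the new header is incomplete: `#ifndef FAST_FACTOR_H` at the top is never paired with a `#define FAST_FACTOR_H`, so including the header twice in one translation unit would redefine the four static inline functions; add `#define FAST_FACTOR_H` on the line after the `#ifndef`. `fast_kdc_replace_reply_key` and `fast_set_kdc_verified` return 0 without using any of their arguments, yet `process_preauth` in the new preauth_ec.c calls `fast_set_kdc_verified` after the KDC's challenge decrypts successfully, so whatever that call is meant to record is not recorded here. If the stubs are intentional placeholders, each deserves a comment such as `/* Placeholder: currently a no-op. */` so callers do not assume anything is set.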
@@ -318,11 +318,12 @@ get_plugin_vtables(krb5_context context, *vtables_out = NULL; *n_tables_out = *n_systems_out = 0; - /* Auto-register pkinit and encrypted challenge if possible. */ + /* Auto-register encrypted challenge and (if possible) pkinit. */ k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "pkinit", "preauth"); - k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, - "encrypted_challenge", "preauth"); + k5_plugin_register(context, PLUGIN_INTERFACE_KDCPREAUTH, + "encrypted_challenge", + kdcpreauth_encrypted_challenge_initvt); if (k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPREAUTH, &plugins)) return; diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c b/src/kdc/kdc_preauth_ec.c similarity index 59% rename from src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c rename to src/kdc/kdc_preauth_ec.c index 58a659246..3419c831a 100644 --- a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c +++ b/src/kdc/kdc_preauth_ec.c @@ -1,5 +1,5 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* plugins/preauth/encrypted_challenge/encrypted_challenge_main.c */ +/* kdc/kdc_preauth_ec.c - Encrypted challenge kdcpreauth module */ /* * Copyright (C) 2009 by the Massachusetts Institute of Technology. * All rights reserved. 
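Review bot: The return value of the new `k5_plugin_register()` call is discarded. Ignoring a failure was reasonable for `k5_plugin_register_dyn`, where the module may simply not be installed, but encrypted challenge is now a built-in this function is expected to provide, so a registration failure here would silently leave the mechanism unavailable; either treat it like the `k5_plugin_load_all` failure two lines below, `if (k5_plugin_register(context, PLUGIN_INTERFACE_KDCPREAUTH, "encrypted_challenge", kdcpreauth_encrypted_challenge_initvt)) return;`, or document the choice with `/* Failure here is ignored; the built-in module is then unavailable. */`. The same pattern appears in the `krb5_init_preauth_context` hunk of lib/krb5/krb/preauth2.c. `get_plugin_vtables` begins and ends outside this hunk.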
@@ -30,144 +30,9 @@ */ #include -#include "../fast_factor.h" - #include - -static int -preauth_flags(krb5_context context, krb5_preauthtype pa_type) -{ - return PA_REAL; -} - -static krb5_error_code -process_preauth(krb5_context context, krb5_clpreauth_moddata moddata, - krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, - krb5_clpreauth_get_data_fn get_data_proc, - krb5_clpreauth_rock rock, krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, krb5_pa_data *padata, - krb5_prompter_fct prompter, void *prompter_data, - krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data, - krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key, - krb5_pa_data ***out_padata) -{ - krb5_error_code retval = 0; - krb5_enctype enctype = 0; - krb5_keyblock *challenge_key = NULL, *armor_key = NULL; - krb5_data *etype_data = NULL; - krb5int_access kaccess; - - if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) - return 0; - retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); - if (retval || armor_key == NULL) - return 0; - retval = get_data_proc(context, rock, krb5_clpreauth_get_etype, - &etype_data); - if (retval == 0) { - enctype = *((krb5_enctype *)etype_data->data); - if (as_key->length == 0 ||as_key->enctype != enctype) - retval = gak_fct(context, request->client, - enctype, prompter, prompter_data, - salt, s2kparams, - as_key, gak_data); - } - if (retval == 0 && padata->length) { - krb5_enc_data *enc = NULL; - krb5_data scratch; - scratch.length = padata->length; - scratch.data = (char *) padata->contents; - retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", - as_key, "challengelongterm", - &challenge_key); - if (retval == 0) - retval =kaccess.decode_enc_data(&scratch, &enc); - scratch.data = NULL; - if (retval == 0) { - scratch.data = malloc(enc->ciphertext.length); - scratch.length = enc->ciphertext.length; - if (scratch.data == NULL) - retval = ENOMEM; - } - if (retval == 0) - 
retval = krb5_c_decrypt(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, - enc, &scratch); - /* - * Per draft 11 of the preauth framework, the client MAY but is not - * required to actually check the timestamp from the KDC other than to - * confirm it decrypts. This code does not perform that check. - */ - if (scratch.data) - krb5_free_data_contents(context, &scratch); - if (retval == 0) - fast_set_kdc_verified(context, get_data_proc, rock); - if (enc) - kaccess.free_enc_data(context, enc); - } else if (retval == 0) { /*No padata; we send*/ - krb5_enc_data enc; - krb5_pa_data *pa = NULL; - krb5_pa_data **pa_array = NULL; - krb5_data *encoded_ts = NULL; - krb5_pa_enc_ts ts; - enc.ciphertext.data = NULL; - retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); - if (retval == 0) - retval = kaccess.encode_enc_ts(&ts, &encoded_ts); - if (retval == 0) - retval = krb5_c_fx_cf2_simple(context, - armor_key, "clientchallengearmor", - as_key, "challengelongterm", - &challenge_key); - if (retval == 0) - retval = kaccess.encrypt_helper(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, - encoded_ts, &enc); - if (encoded_ts) - krb5_free_data(context, encoded_ts); - encoded_ts = NULL; - if (retval == 0) { - retval = kaccess.encode_enc_data(&enc, &encoded_ts); - krb5_free_data_contents(context, &enc.ciphertext); - } - if (retval == 0) { - pa = calloc(1, sizeof(krb5_pa_data)); - if (pa == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa_array = calloc(2, sizeof(krb5_pa_data *)); - if (pa_array == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa->length = encoded_ts->length; - pa->contents = (unsigned char *) encoded_ts->data; - pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; - free(encoded_ts); - encoded_ts = NULL; - pa_array[0] = pa; - pa = NULL; - *out_padata = pa_array; - pa_array = NULL; - } - if (pa) - free(pa); - if (encoded_ts) - krb5_free_data(context, encoded_ts); - if (pa_array) - free(pa_array); - } - if (challenge_key) - 
krb5_free_keyblock(context, challenge_key); - if (armor_key) - krb5_free_keyblock(context, armor_key); - if (etype_data != NULL) - get_data_proc(context, rock, krb5_clpreauth_free_etype, &etype_data); - return retval; -} - +#include "fast_factor.h" +#include "kdc_util.h" static krb5_error_code kdc_include_padata(krb5_context context, krb5_kdc_req *request, @@ -361,13 +226,6 @@ kdc_return_preauth(krb5_context context, krb5_pa_data *padata, krb5_preauthtype supported_pa_types[] = { KRB5_PADATA_ENCRYPTED_CHALLENGE, 0}; -krb5_error_code -kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable); -krb5_error_code -clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable); - krb5_error_code kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable) @@ -384,19 +242,3 @@ kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, vt->return_padata = kdc_return_preauth; return 0; } - -krb5_error_code -clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable) -{ - krb5_clpreauth_vtable vt; - - if (maj_ver != 1) - return KRB5_PLUGIN_VER_NOTSUPP; - vt = (krb5_clpreauth_vtable)vtable; - vt->name = "encrypted_challenge"; - vt->pa_type_list = supported_pa_types; - vt->flags = preauth_flags; - vt->process = process_preauth; - return 0; -} diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index e2790e23d..dbc51501a 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -201,6 +201,11 @@ add_pa_data_element (krb5_context context, krb5_pa_data ***out_padata, krb5_boolean copy); +/* kdc_preauth_ec.c */ +krb5_error_code +kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, + int min_ver, krb5_plugin_vtable vtable); + /* kdc_authdata.c */ krb5_error_code load_authdata_plugins(krb5_context context); 
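Review bot: `krb5_preauthtype supported_pa_types[]` in this hunk's context is still an external (non-static) definition, which was harmless in a standalone module but now lands in the KDC binary, and the new lib/krb5/krb/preauth_ec.c introduces a second non-static array of the same name inside libkrb5. Whether the two currently clash depends on how libkrb5's symbols are exported, which this patch does not show, but the deleted exports file listed only the two initvt functions, so nothing outside these files needs the array and both definitions should become `static krb5_preauthtype supported_pa_types[] = { KRB5_PADATA_ENCRYPTED_CHALLENGE, 0 };`. The same change applies to the identical definition in the preauth_ec.c hunk.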
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in index 33f31fd38..ddef9e29a 100644 --- a/src/lib/krb5/krb/Makefile.in +++ b/src/lib/krb5/krb/Makefile.in @@ -77,6 +77,7 @@ STLIBOBJS= \ plugin.o \ pr_to_salt.o \ preauth2.o \ + preauth_ec.o \ gic_opt_set_pa.o \ princ_comp.o \ privsafe.o \ @@ -180,6 +181,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \ $(OUTPRE)plugin.$(OBJEXT) \ $(OUTPRE)pr_to_salt.$(OBJEXT) \ $(OUTPRE)preauth2.$(OBJEXT) \ + $(OUTPRE)preauth_ec.$(OBJEXT) \ $(OUTPRE)gic_opt_set_pa.$(OBJEXT) \ $(OUTPRE)princ_comp.$(OBJEXT) \ $(OUTPRE)privsafe.$(OBJEXT) \ @@ -283,6 +285,7 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/plugin.c \ $(srcdir)/pr_to_salt.c \ $(srcdir)/preauth2.c \ + $(srcdir)/preauth_ec.c \ $(srcdir)/gic_opt_set_pa.c \ $(srcdir)/princ_comp.c \ $(srcdir)/privsafe.c \ diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h index 9b975ab4a..7aebdb162 100644 --- a/src/lib/krb5/krb/int-proto.h +++ b/src/lib/krb5/krb/int-proto.h @@ -53,6 +53,10 @@ krb5_preauth_supply_preauth_data(krb5_context context, const char *attr, const char *value); +krb5_error_code +clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, + int min_ver, krb5_plugin_vtable vtable); + krb5_error_code krb5int_construct_matching_creds(krb5_context context, krb5_flags options, krb5_creds *in_creds, krb5_creds *mcreds, diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index ef866b1a2..ed411e5dd 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c 
@@ -120,11 +120,12 @@ krb5_init_preauth_context(krb5_context kcontext) if (kcontext->preauth_context != NULL) return; - /* Auto-register pkinit and encrypted challenge if possible. */ + /* Auto-register encrypted challenge and (if possible) pkinit. */ k5_plugin_register_dyn(kcontext, PLUGIN_INTERFACE_CLPREAUTH, "pkinit", "preauth"); - k5_plugin_register_dyn(kcontext, PLUGIN_INTERFACE_CLPREAUTH, - "encrypted_challenge", "preauth"); + k5_plugin_register(kcontext, PLUGIN_INTERFACE_CLPREAUTH, + "encrypted_challenge", + clpreauth_encrypted_challenge_initvt); /* Get all available clpreauth vtables. */ if (k5_plugin_load_all(kcontext, PLUGIN_INTERFACE_CLPREAUTH, &plugins)) diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c new file mode 100644 index 000000000..e56807a3a --- /dev/null +++ b/src/lib/krb5/krb/preauth_ec.c 
@@ -0,0 +1,189 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* lib/krb5/krb/preauth_ec.c - Encrypted Challenge clpreauth module */ +/* + * Copyright (C) 2009, 2011 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. 
+ */ + +/* + * Implement Encrypted Challenge fast factor from + * draft-ietf-krb-wg-preauth-framework + */ + +#include +#include +#include "fast_factor.h" +#include "int-proto.h" + +static int +preauth_flags(krb5_context context, krb5_preauthtype pa_type) +{ + return PA_REAL; +} + +static krb5_error_code +process_preauth(krb5_context context, krb5_clpreauth_moddata moddata, + krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, + krb5_clpreauth_get_data_fn get_data_proc, + krb5_clpreauth_rock rock, krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, krb5_pa_data *padata, + krb5_prompter_fct prompter, void *prompter_data, + krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data, + krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key, + krb5_pa_data ***out_padata) +{ + krb5_error_code retval = 0; + krb5_enctype enctype = 0; + krb5_keyblock *challenge_key = NULL, *armor_key = NULL; + krb5_data *etype_data = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); + if (retval || armor_key == NULL) + return 0; + retval = get_data_proc(context, rock, krb5_clpreauth_get_etype, + &etype_data); + if (retval == 0) { + enctype = *((krb5_enctype *)etype_data->data); + if (as_key->length == 0 ||as_key->enctype != enctype) + retval = gak_fct(context, request->client, + enctype, prompter, prompter_data, + salt, s2kparams, + as_key, gak_data); + } + if (retval == 0 && padata->length) { + krb5_enc_data *enc = NULL; + krb5_data scratch; + scratch.length = padata->length; + scratch.data = (char *) padata->contents; + retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(enc->ciphertext.length); + 
scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); + /* + * Per draft 11 of the preauth framework, the client MAY but is not + * required to actually check the timestamp from the KDC other than to + * confirm it decrypts. This code does not perform that check. + */ + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); + } else if (retval == 0) { /*No padata; we send*/ + krb5_enc_data enc; + krb5_pa_data *pa = NULL; + krb5_pa_data **pa_array = NULL; + krb5_data *encoded_ts = NULL; + krb5_pa_enc_ts ts; + enc.ciphertext.data = NULL; + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &encoded_ts); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + encoded_ts, &enc); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + encoded_ts = NULL; + if (retval == 0) { + retval = kaccess.encode_enc_data(&enc, &encoded_ts); + krb5_free_data_contents(context, &enc.ciphertext); + } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if 
(encoded_ts) + krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (etype_data != NULL) + get_data_proc(context, rock, krb5_clpreauth_free_etype, &etype_data); + return retval; +} + + +krb5_preauthtype supported_pa_types[] = { + KRB5_PADATA_ENCRYPTED_CHALLENGE, 0}; + +krb5_error_code +clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, + int min_ver, krb5_plugin_vtable vtable) +{ + krb5_clpreauth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_clpreauth_vtable)vtable; + vt->name = "encrypted_challenge"; + vt->pa_type_list = supported_pa_types; + vt->flags = preauth_flags; + vt->process = process_preauth; + return 0; +} diff --git a/src/plugins/preauth/encrypted_challenge/Makefile.in b/src/plugins/preauth/encrypted_challenge/Makefile.in deleted file mode 100644 index 963e4d4bb..000000000 --- a/src/plugins/preauth/encrypted_challenge/Makefile.in +++ /dev/null 
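Review bot: `process_preauth` still reaches the encoding and encryption helpers through `krb5int_accessor()` and the `kaccess` table (`decode_enc_data`, `encode_enc_ts`, `encrypt_helper`, `encode_enc_data`, `free_enc_data`), an indirection that existed so an out-of-tree plugin could reach libkrb5 internals; now that the file is compiled into libkrb5 the underlying functions (e.g. `decode_krb5_enc_data`) can be called directly, and the `return 0` on accessor failure disappears with it. As written, both that early return and the one for a missing armor key report success while producing no padata, so the mechanism becomes unavailable silently; at minimum a comment such as `/* Not an error: encrypted challenge requires FAST armor. */` on the armor-key return would make the intent explicit. While the code is being moved, the spacing in `||as_key->enctype`, `retval =kaccess.decode_enc_data` and `krb5_c_fx_cf2_simple(context,armor_key,` is worth normalizing to the file's style.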
@@ -1,39 +0,0 @@ -mydir=plugins$(S)preauth$(S)encrypted_challenge -BUILDTOP=$(REL)..$(S)..$(S).. -KRB5_RUN_ENV = @KRB5_RUN_ENV@ -KRB5_CONFIG_SETUP = KRB5_CONFIG=$(top_srcdir)/config-files/krb5.conf ; export KRB5_CONFIG ; -PROG_LIBPATH=-L$(TOPLIBD) -PROG_RPATH=$(KRB5_LIBDIR) -MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) -DEFS=@DEFS@ - -LOCALINCLUDES = -I../../../include/krb5 -I. - -LIBBASE=encrypted_challenge -LIBMAJOR=0 -LIBMINOR=0 -SO_EXT=.so -RELDIR=../plugins/preauth/encrypted_challenge -# Depends on libk5crypto and libkrb5 -SHLIB_EXPDEPS = \ - $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) - -SHLIB_DIRS=-L$(TOPLIBD) -SHLIB_RDIRS=$(KRB5_LIBDIR) -STOBJLISTS=OBJS.ST -STLIBOBJS=encrypted_challenge_main.o - -SRCS= $(srcdir)/encrypted_challenge_main.c - -all-unix:: all-liblinks -install-unix:: install-libs -clean-unix:: clean-libs clean-libobjs - -clean:: - $(RM) lib$(LIBBASE)$(SO_EXT) - -@libnover_frag@ -@libobj_frag@ - diff --git a/src/plugins/preauth/encrypted_challenge/deps b/src/plugins/preauth/encrypted_challenge/deps deleted file mode 100644 index 7f36e01eb..000000000 --- a/src/plugins/preauth/encrypted_challenge/deps +++ /dev/null 
@@ -1,15 +0,0 @@ -# -# Generated makefile dependencies follow. -# -encrypted_challenge_main.so encrypted_challenge_main.po \ - $(OUTPRE)encrypted_challenge_main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h encrypted_challenge_main.c diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports b/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports deleted file mode 100644 index 651dcea1c..000000000 --- a/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports +++ /dev/null @@ -1,2 +0,0 @@ -clpreauth_encrypted_challenge_initvt -kdcpreauth_encrypted_challenge_initvt -- 2.26.2