From be321d5f49f8f48e4522903228fe2b4d327d6642 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Fri, 13 Oct 2006 18:50:40 +0000 Subject: [PATCH] Patch to split client plugin from server plugin ticket: 4377 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18693 dc483132-0cff-0310-8789-dd5450dbe970 --- src/include/krb5/preauth_plugin.h | 158 ++++++++++-------- src/kdc/kdc_preauth.c | 48 +++--- src/lib/krb5/krb/preauth2.c | 36 ++-- .../preauth/cksum_body/cksum_body.exports | 3 +- .../preauth/cksum_body/src/cksum_body.c | 8 +- src/plugins/preauth/wpse/src/wpse.c | 8 +- src/plugins/preauth/wpse/wpse.exports | 3 +- 7 files changed, 141 insertions(+), 123 deletions(-) diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h index 52952fded..b2bca700e 100644 --- a/src/include/krb5/preauth_plugin.h +++ b/src/include/krb5/preauth_plugin.h @@ -140,40 +140,37 @@ typedef krb5_error_code void *gak_data); /* - * The function table / structure which a preauth module must export as - * "preauthentication0". NOTE: replace "0" with "1" for the type and variable - * names if this gets picked up by upstream. If the interfaces work correctly, - * future versions of the table will add either more callbacks or more - * arguments to callbacks, and in both cases we'll be able to wrap the v0 - * functions. + * The function table / structure which a preauth client module must export as + * "preauthentication_client_0". If the interfaces work correctly, future + * versions of the table will add either more callbacks or more arguments to + * callbacks, and in both cases we'll be able to wrap the v0 functions. */ -typedef struct krb5plugin_preauth_ftable_v0 { +typedef struct krb5plugin_preauth_client_ftable_v0 { /* Not-usually-visible name. */ char *name; - /* Pointer to zero-terminated lists of pa_types which this module can + /* Pointer to zero-terminated list of pa_types which this module can * provide services for. */ - krb5_preauthtype *client_pa_type_list; - krb5_preauthtype *server_pa_type_list; + krb5_preauthtype *pa_type_list; /* Pointer to zero-terminated list of enc_types which this module claims * to add support for. */ - krb5_enctype *client_enctype_list; + krb5_enctype *enctype_list; /* Per-module initialization/cleanup. The init function is called * by libkrb5 when the module is loaded, and the fini function is * called before the module is unloaded. Both are optional and * may be called multiple times in case the module is used in * multiple contexts.*/ - krb5_error_code (*client_init)(krb5_context, krb5_preauthtype, void **); - void (*client_fini)(krb5_context, krb5_preauthtype, void *); + krb5_error_code (*init)(krb5_context, krb5_preauthtype, void **); + void (*fini)(krb5_context, krb5_preauthtype, void *); /* A callback which returns flags indicating if the module is a "real" or * an "info" mechanism, and so on. This function is called for each entry * in the client_pa_type_list. */ - int (*client_flags)(krb5_context, krb5_preauthtype); + int (*flags)(krb5_context, krb5_preauthtype); /* Clean up a client context. Can be NULL. */ - void (*client_cleanup)(krb5_context context, void *module_context, - void **request_context); + void (*cleanup)(krb5_context context, void *module_context, + void **request_context); /* Client function which processes server-supplied data in pa_data, * returns created data in out_pa_data, storing any of its own state in * client_context if data for the associated preauthentication type is @@ -182,39 +179,55 @@ typedef struct krb5plugin_preauth_ftable_v0 { * NOTE! the encoded_previous_request will be NULL the first time this * function is called, because it is expected to only ever contain the data * obtained from a previous call to this function. */ - krb5_error_code (*client_process)(krb5_context context, - void *module_context, - void **request_context, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *pa_data, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - krb5_data *salt, krb5_data *s2kparams, - void *gak_data, - krb5_keyblock *as_key, - krb5_pa_data **out_pa_data); + krb5_error_code (*process)(krb5_context context, + void *module_context, + void **request_context, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *pa_data, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + krb5_data *salt, krb5_data *s2kparams, + void *gak_data, + krb5_keyblock *as_key, + krb5_pa_data **out_pa_data); /* Client function which can attempt to use e-data in the error response to * try to recover from the given error. If this function is not NULL, and * it stores data in out_pa_data which is different data from the contents * of in_pa_data, then the client library will retransmit the request. */ - krb5_error_code (*client_tryagain)(krb5_context context, - void *module_context, - void **request_context, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_error *error, - krb5_pa_data *in_pa_data, - krb5_pa_data **out_pa_data); + krb5_error_code (*tryagain)(krb5_context context, + void *module_context, + void **request_context, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_error *error, + krb5_pa_data *in_pa_data, + krb5_pa_data **out_pa_data); +} krb5plugin_preauth_client_ftable_v0; + +/* + * The function table / structure which a preauth server module must export as + * "preauthentication_server_0". NOTE: replace "0" with "1" for the type and + * variable names if this gets picked up by upstream. If the interfaces work + * correctly, future versions of the table will add either more callbacks or + * more arguments to callbacks, and in both cases we'll be able to wrap the v0 + * functions. + */ +typedef struct krb5plugin_preauth_server_ftable_v0 { + /* Not-usually-visible name. */ + char *name; + + /* Pointer to zero-terminated list of pa_types which this module can + * provide services for. */ + krb5_preauthtype *pa_type_list; /* Per-module initialization/cleanup. The init function is called by the * KDC when the module is loaded, and the fini function is called before * the module is unloaded. Both are optional. */ - krb5_error_code (*server_init_proc)(krb5_context, krb5_preauthtype, - void **); - void (*server_fini_proc)(krb5_context, krb5_preauthtype, void *); + krb5_error_code (*init_proc)(krb5_context, krb5_preauthtype, void **); + void (*fini_proc)(krb5_context, krb5_preauthtype, void *); /* Return the flags which the KDC should use for this module. This is a * callback instead of a static value because the module may or may not * wish to count itself as a hardware preauthentication module (in other @@ -222,7 +235,7 @@ typedef struct krb5plugin_preauth_ftable_v0 { * site administrator can force a particular preauthentication type to be * supported using only hardware). This function is called for each entry * entry in the server_pa_type_list. */ - int (*server_flags_proc)(krb5_context, krb5_preauthtype); + int (*flags_proc)(krb5_context, krb5_preauthtype); /* Get preauthentication data to send to the client as part of the "you * need to use preauthentication" error. The module doesn't need to * actually provide data if the protocol doesn't require it, but it should @@ -231,47 +244,46 @@ typedef struct krb5plugin_preauth_ftable_v0 { * to create a context because we have no guarantee that the client will * ever call again (or that it will hit this server if it does), in which * case a context might otherwise hang around forever. */ - krb5_error_code (*server_edata_proc)(krb5_context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc, - void *pa_module_context, - krb5_pa_data *data); + krb5_error_code (*edata_proc)(krb5_context, krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc, + void *pa_module_context, + krb5_pa_data *data); /* Verify preauthentication data sent by the client, setting the * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags" * field as appropriate, and returning nonzero on failure. Can create * context data for consumption by the return_proc or freepa_proc below. */ - krb5_error_code (*server_verify_proc)(krb5_context, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc, - void *pa_module_context, - void **pa_request_context); + krb5_error_code (*verify_proc)(krb5_context, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc, + void *pa_module_context, + void **pa_request_context); /* Generate preauthentication response data to send to the client as part * of the AS-REP. If it needs to override the key which is used to encrypt * the response, it can do so. The module is expected (but not required, * if a freepa_proc is also provided) to free any context data it saved in * "request_pa_context". */ - krb5_error_code (*server_return_proc)(krb5_context, krb5_pa_data * padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_keys, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc, - void *pa_module_context, - void **pa_request_context); + krb5_error_code (*return_proc)(krb5_context, krb5_pa_data * padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc, + void *pa_module_context, + void **pa_request_context); /* Free up the server-side per-request context, in cases where * server_return_proc() didn't or for whatever reason was not called. Can * be NULL. */ - krb5_error_code (*server_freepa_reqcontext_proc)(krb5_context, - void *pa_module_context, - void **request_pa_context); -} krb5plugin_preauth_ftable_v0; - + krb5_error_code (*freepa_reqcontext_proc)(krb5_context, + void *pa_module_context, + void **request_pa_context); +} krb5plugin_preauth_server_ftable_v0; #endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */ diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 93bedf9c0..6306da381 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -299,7 +299,7 @@ load_preauth_plugins(krb5_context context) { struct errinfo err; void **preauth_plugins_ftables; - struct krb5plugin_preauth_ftable_v0 *ftable; + struct krb5plugin_preauth_server_ftable_v0 *ftable; int module_count, i, j, k; krb5_preauthtype pa_type; void *pa_sys_context; @@ -318,7 +318,8 @@ load_preauth_plugins(krb5_context context) /* Get the method tables provided by the loaded plugins. */ preauth_plugins_ftables = NULL; - if (krb5int_get_plugin_dir_data(&preauth_plugins, "preauthentication0", + if (krb5int_get_plugin_dir_data(&preauth_plugins, + "preauthentication_server_0", &preauth_plugins_ftables, &err) != 0) { return KRB5_PLUGIN_NO_HANDLE; } @@ -329,15 +330,15 @@ load_preauth_plugins(krb5_context context) if (preauth_plugins_ftables != NULL) { for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { ftable = preauth_plugins_ftables[i]; - if ((ftable->server_flags_proc == NULL) && - (ftable->server_edata_proc == NULL) && - (ftable->server_verify_proc == NULL) && - (ftable->server_return_proc == NULL)) { + if ((ftable->flags_proc == NULL) && + (ftable->edata_proc == NULL) && + (ftable->verify_proc == NULL) && + (ftable->return_proc == NULL)) { continue; } for (j = 0; - ftable->server_pa_type_list != NULL && - ftable->server_pa_type_list[j] > 0; + ftable->pa_type_list != NULL && + ftable->pa_type_list[j] > 0; j++) { module_count++; } @@ -376,21 +377,21 @@ load_preauth_plugins(krb5_context context) if (preauth_plugins_ftables != NULL) { for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { ftable = preauth_plugins_ftables[i]; - if ((ftable->server_flags_proc == NULL) && - (ftable->server_edata_proc == NULL) && - (ftable->server_verify_proc == NULL) && - (ftable->server_return_proc == NULL)) { + if ((ftable->flags_proc == NULL) && + (ftable->edata_proc == NULL) && + (ftable->verify_proc == NULL) && + (ftable->return_proc == NULL)) { continue; } for (j = 0; - ftable->server_pa_type_list != NULL && - ftable->server_pa_type_list[j] > 0; + ftable->pa_type_list != NULL && + ftable->pa_type_list[j] > 0; j++) { /* Try to initialize the module. If it fails, we'll remove it * from the list of modules we'll be using. */ pa_sys_context = NULL; - server_init_proc = ftable->server_init_proc; - pa_type = ftable->server_pa_type_list[j]; + server_init_proc = ftable->init_proc; + pa_type = ftable->pa_type_list[j]; if ((server_init_proc != NULL) && ((*server_init_proc)(context, pa_type, &pa_sys_context) != 0)) { @@ -398,18 +399,17 @@ load_preauth_plugins(krb5_context context) continue; } preauth_systems[k].name = ftable->name; - pa_type = ftable->server_pa_type_list[j]; + pa_type = ftable->pa_type_list[j]; preauth_systems[k].type = pa_type; - preauth_systems[k].flags = ftable->server_flags_proc(context, - pa_type); + preauth_systems[k].flags = ftable->flags_proc(context, pa_type); preauth_systems[k].pa_sys_context = pa_sys_context; preauth_systems[k].init = server_init_proc; - preauth_systems[k].fini = ftable->server_fini_proc; - preauth_systems[k].get_edata = ftable->server_edata_proc; - preauth_systems[k].verify_padata = ftable->server_verify_proc; - preauth_systems[k].return_padata = ftable->server_return_proc; + preauth_systems[k].fini = ftable->fini_proc; + preauth_systems[k].get_edata = ftable->edata_proc; + preauth_systems[k].verify_padata = ftable->verify_proc; + preauth_systems[k].return_padata = ftable->return_proc; preauth_systems[k].free_pa_request_context = - ftable->server_freepa_reqcontext_proc; + ftable->freepa_reqcontext_proc; k++; } } diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index c218389c7..deaf8e747 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -78,7 +78,7 @@ struct _krb5_preauth_context { void *module_context); /* The module's table, and some of its members, copied here for * convenience when we populated the list. */ - struct krb5plugin_preauth_ftable_v0 *ftable; + struct krb5plugin_preauth_client_ftable_v0 *ftable; const char *name; int flags, use_count; krb5_error_code (*client_process)(krb5_context context, @@ -124,7 +124,7 @@ krb5_init_preauth_context(krb5_context kcontext, { int n_modules, n_tables, i, j, k; void **tables; - struct krb5plugin_preauth_ftable_v0 *table; + struct krb5plugin_preauth_client_ftable_v0 *table; krb5_preauth_context *context; void *module_context; krb5_preauthtype pa_type; @@ -141,7 +141,7 @@ krb5_init_preauth_context(krb5_context kcontext, /* pull out the module function tables for all of the modules */ tables = NULL; if (krb5int_get_plugin_dir_data(&kcontext->preauth_plugins, - "preauthentication0", + "preauthentication_client_0", &tables, &kcontext->err) != 0) { return; @@ -157,9 +157,8 @@ krb5_init_preauth_context(krb5_context kcontext, (tables != NULL) && (tables[n_tables] != NULL); n_tables++) { table = tables[n_tables]; - if ((table->client_pa_type_list != NULL) && - (table->client_process != NULL)) { - for (j = 0; table->client_pa_type_list[j] > 0; j++) { + if ((table->pa_type_list != NULL) && (table->process != NULL)) { + for (j = 0; table->pa_type_list[j] > 0; j++) { n_modules++; } } @@ -182,14 +181,12 @@ krb5_init_preauth_context(krb5_context kcontext, k = 0; for (i = 0; i < n_tables; i++) { table = tables[i]; - if ((table->client_pa_type_list != NULL) && - (table->client_process != NULL)) { - for (j = 0; table->client_pa_type_list[j] > 0; j++) { - pa_type = table->client_pa_type_list[j]; + if ((table->pa_type_list != NULL) && (table->process != NULL)) { + for (j = 0; table->pa_type_list[j] > 0; j++) { + pa_type = table->pa_type_list[j]; module_context = NULL; - if ((table->client_init != NULL) && - ((*table->client_init)(kcontext, pa_type, - &module_context) != 0)) { + if ((table->init != NULL) && + ((*table->init)(kcontext, pa_type, &module_context) != 0)) { #ifdef DEBUG fprintf (stderr, "skip module \"%s\", pa_type %d\n", table->name, pa_type); @@ -197,17 +194,16 @@ krb5_init_preauth_context(krb5_context kcontext, continue; } context->modules[k].pa_type = pa_type; - context->modules[k].enctypes = table->client_enctype_list; + context->modules[k].enctypes = table->enctype_list; context->modules[k].module_context = module_context; - context->modules[k].client_fini = table->client_fini; + context->modules[k].client_fini = table->fini; context->modules[k].ftable = table; context->modules[k].name = table->name; - context->modules[k].flags = (*table->client_flags)(kcontext, - pa_type); + context->modules[k].flags = (*table->flags)(kcontext, pa_type); context->modules[k].use_count = 0; - context->modules[k].client_process = table->client_process; - context->modules[k].client_tryagain = table->client_tryagain; - context->modules[k].client_cleanup = table->client_cleanup; + context->modules[k].client_process = table->process; + context->modules[k].client_tryagain = table->tryagain; + context->modules[k].client_cleanup = table->cleanup; context->modules[k].request_context = NULL; #ifdef DEBUG fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n", diff --git a/src/plugins/preauth/cksum_body/cksum_body.exports b/src/plugins/preauth/cksum_body/cksum_body.exports index ff5e3f139..32e067ba9 100644 --- a/src/plugins/preauth/cksum_body/cksum_body.exports +++ b/src/plugins/preauth/cksum_body/cksum_body.exports @@ -1 +1,2 @@ -preauthentication0 +preauthentication_client_0 +preauthentication_server_0 diff --git a/src/plugins/preauth/cksum_body/src/cksum_body.c b/src/plugins/preauth/cksum_body/src/cksum_body.c index ff4cc847f..31ecaf839 100644 --- a/src/plugins/preauth/cksum_body/src/cksum_body.c +++ b/src/plugins/preauth/cksum_body/src/cksum_body.c @@ -468,10 +468,9 @@ static krb5_preauthtype supported_server_pa_types[] = { KRB5_PADATA_CKSUM_BODY_REQ, 0, }; -struct krb5plugin_preauth_ftable_v0 preauthentication0 = { +struct krb5plugin_preauth_client_ftable_v0 preauthentication_client_0 = { "cksum_body", &supported_client_pa_types[0], - &supported_server_pa_types[0], NULL, NULL, NULL, @@ -479,6 +478,11 @@ struct krb5plugin_preauth_ftable_v0 preauthentication0 = { NULL, client_process, NULL, +}; + +struct krb5plugin_preauth_server_ftable_v0 preauthentication_server_0 = { + "cksum_body", + &supported_server_pa_types[0], server_init, server_fini, server_get_flags, diff --git a/src/plugins/preauth/wpse/src/wpse.c b/src/plugins/preauth/wpse/src/wpse.c index 579c63b0c..07c52d95a 100644 --- a/src/plugins/preauth/wpse/src/wpse.c +++ b/src/plugins/preauth/wpse/src/wpse.c @@ -316,10 +316,9 @@ server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; -struct krb5plugin_preauth_ftable_v0 preauthentication0 = { +struct krb5plugin_preauth_client_ftable_v0 preauthentication_client_0 = { "wpse", &supported_client_pa_types[0], - &supported_server_pa_types[0], NULL, client_init, client_fini, @@ -327,6 +326,11 @@ struct krb5plugin_preauth_ftable_v0 preauthentication0 = { client_cleanup, client_process, NULL, +}; + +struct krb5plugin_preauth_server_ftable_v0 preauthentication_server_0 = { + "wpse", + &supported_server_pa_types[0], NULL, NULL, server_get_flags, diff --git a/src/plugins/preauth/wpse/wpse.exports b/src/plugins/preauth/wpse/wpse.exports index ff5e3f139..32e067ba9 100644 --- a/src/plugins/preauth/wpse/wpse.exports +++ b/src/plugins/preauth/wpse/wpse.exports @@ -1 +1,2 @@ -preauthentication0 +preauthentication_client_0 +preauthentication_server_0 -- 2.26.2