authorKevin Coffman <kwc@citi.umich.edu>2006-11-01 22:40:30 +0000
committerKevin Coffman <kwc@citi.umich.edu>2006-11-01 22:40:30 +0000
commit2b2f711f2addee052253e4ff54fb7cdf3e20c0ae (patch)
treea3e86969623f704a21780e47936a7a0ee5cd15f0 /src/include/krb5/preauth_plugin.h
parent45fde258dbced00d2db9d999d5749cb186f2250d (diff)
Modify the preauth plugin interface so that a plugin's context is
global to all the modules within a plugin. Also, change the client-side interface so that the preauth plugin context (once created) lives the lifetime of a krb5_context. This will allow future changes that can set plugin parameters. The client side request context lives the lifetime of a call to krb5_get_init_creds(). Make the sample preauth plugins buildable outside the source tree. Fix minor memory leak in sort_krb5_padata_sequence(). Add a prototype for krb5_do_preauth_tryagain() and change the plugin interface. Incorporates fixes from Nalin Dahyabhai <nalin@redhat.com> for leaks of the function table pointers (rt #4566) and fix KDC crash (rt #4567) ticket: 4566 ticket: 4567 ticket: 4587 Target_Version: 1.6 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18754 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/krb5/preauth_plugin.h')
-rw-r--r--src/include/krb5/preauth_plugin.h56
1 files changed, 35 insertions, 21 deletions
diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h
index 63600fead2..d164192aff 100644
--- a/src/include/krb5/preauth_plugin.h
+++ b/src/include/krb5/preauth_plugin.h
@@ -157,20 +157,27 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
* to add support for. */
krb5_enctype *enctype_list;
- /* Per-module initialization/cleanup. The init function is called
- * by libkrb5 when the module is loaded, and the fini function is
- * called before the module is unloaded. Both are optional and
- * may be called multiple times in case the module is used in
- * multiple contexts.*/
- krb5_error_code (*init)(krb5_context, krb5_preauthtype, void **);
- void (*fini)(krb5_context, krb5_preauthtype, void *);
+ /* Per-plugin initialization/cleanup. The init function is called
+ * by libkrb5 when the plugin is loaded, and the fini function is
+ * called before the plugin is unloaded. Both are optional and
+ * may be called multiple times in case the plugin is used in
+ * multiple contexts. The returned context lives the lifetime of
+ * the krb5_context */
+ krb5_error_code (*init)(krb5_context context, void **plugin_context);
+ void (*fini)(krb5_context context, void *plugin_context);
/* A callback which returns flags indicating if the module is a "real" or
* an "info" mechanism, and so on. This function is called for each entry
* in the client_pa_type_list. */
- int (*flags)(krb5_context, krb5_preauthtype);
- /* Clean up a client context. Can be NULL. */
- void (*cleanup)(krb5_context context, void *module_context,
+ int (*flags)(krb5_context context, krb5_preauthtype pa_type);
+ /* Per-request initialization/cleanup. The request_init function is
+ * called when beginning to process a get_init_creds request and the
+ * request_fini function is called when processing of the request is
+ * complete. This is optional. It may be called multiple times in
+ * the lifetime of a krb5_context. */
+ void (*request_init)(krb5_context context, void *plugin_context,
void **request_context);
+ void (*request_fini)(krb5_context context, void *plugin_context,
+ void *request_context);
/* Client function which processes server-supplied data in pa_data,
* returns created data in out_pa_data, storing any of its own state in
* client_context if data for the associated preauthentication type is
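Review bot: The table keeps the name `krb5plugin_preauth_client_ftable_v0` (see the hunk header) although this hunk replaces the single `cleanup` slot with `request_init` and `request_fini` and drops the `krb5_preauthtype` argument from `init`/`fini`, so `process` and `tryagain` each move by one pointer. A module built against the previous header and loaded by a library built against this one would be called through mismatched function-pointer types, which is undefined behaviour in the code path that handles keys. If the old layout could ever meet a newer loader, give the changed table a new version (for example `krb5plugin_preauth_client_ftable_v1`); otherwise state in the header that v0 is not yet frozen. The same concern covers the reordered `process` arguments, the extended `tryagain` list and the server `init_proc`/`fini_proc` in the later hunks. The struct definition begins above this hunk.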
@@ -180,8 +187,8 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
* function is called, because it is expected to only ever contain the data
* obtained from a previous call to this function. */
krb5_error_code (*process)(krb5_context context,
- void *module_context,
- void **request_context,
+ void *plugin_context,
+ void *request_context,
krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
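Review bot: The comment above `process` (it starts at the end of the previous hunk) still says the callback stores its state "in client_context", a name no parameter has, and with `request_context` now `void *` instead of `void **` the callback can no longer hand back a pointer of its own. `request_init` is optional and returns `void`, so the comment should also say what `process` receives when `request_init` is absent or could not allocate; presumably that is NULL, but the caller is not visible here. Suggested wording: `storing any per-request state in the object set up by request_init (request_context may be NULL)`. If an allocation failure is meant to stop the request, `request_init` would need to return `krb5_error_code` as `init` does.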
@@ -189,8 +196,8 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
krb5_prompter_fct prompter,
void *prompter_data,
preauth_get_as_key_proc gak_fct,
- krb5_data *salt, krb5_data *s2kparams,
void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
krb5_keyblock *as_key,
krb5_pa_data **out_pa_data);
/* Client function which can attempt to use e-data in the error response to
@@ -198,12 +205,19 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
* it stores data in out_pa_data which is different data from the contents
* of in_pa_data, then the client library will retransmit the request. */
krb5_error_code (*tryagain)(krb5_context context,
- void *module_context,
- void **request_context,
+ void *plugin_context,
+ void *request_context,
krb5_kdc_req *request,
krb5_data *encoded_request_body,
- krb5_error *error,
+ krb5_data *encoded_previous_request,
krb5_pa_data *in_pa_data,
+ krb5_error *error,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_keyblock *as_key,
krb5_pa_data **out_pa_data);
} krb5plugin_preauth_client_ftable_v0;
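Review bot: The comment above `tryagain`, as far as it is visible here, describes only `in_pa_data` and `out_pa_data`, while the list now also carries `encoded_previous_request`, the prompter, `gak_fct`/`gak_data`, `salt`, `s2kparams` and `as_key`. Since `gak_fct` and `as_key` give the module access to key material, the header should say whether `as_key` is input, output or both, and who frees it. If the intent is that these behave as in `process`, one added line would do: `/* prompter, gak_fct, gak_data, salt, s2kparams and as_key are as for process(). */`. The comment begins before this hunk.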
@@ -223,11 +237,11 @@ typedef struct krb5plugin_preauth_server_ftable_v0 {
* provide services for. */
krb5_preauthtype *pa_type_list;
- /* Per-module initialization/cleanup. The init function is called by the
- * KDC when the module is loaded, and the fini function is called before
- * the module is unloaded. Both are optional. */
- krb5_error_code (*init_proc)(krb5_context, krb5_preauthtype, void **);
- void (*fini_proc)(krb5_context, krb5_preauthtype, void *);
+ /* Per-plugin initialization/cleanup. The init function is called by the
+ * KDC when the plugin is loaded, and the fini function is called before
+ * the plugin is unloaded. Both are optional. */
+ krb5_error_code (*init_proc)(krb5_context, void **);
+ void (*fini_proc)(krb5_context, void *);
/* Return the flags which the KDC should use for this module. This is a
* callback instead of a static value because the module may or may not
* wish to count itself as a hardware preauthentication module (in other
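Review bot: The server-side `init_proc` and `fini_proc` prototypes leave their parameters unnamed, whereas the client-side `init`/`fini` in the first hunk were given names in this same commit. Naming them keeps the two tables parallel and makes clear that the `void **` is the plugin-wide context: `krb5_error_code (*init_proc)(krb5_context context, void **plugin_context);` and `void (*fini_proc)(krb5_context context, void *plugin_context);`. The client comment also gained a sentence on how long the returned context lives; the server comment would benefit from the equivalent statement. The server struct continues past the end of this hunk.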