authorGreg Hudson <ghudson@mit.edu>2011-10-04 20:16:07 +0000
committerGreg Hudson <ghudson@mit.edu>2011-10-04 20:16:07 +0000
commitcbb4ede6d5a939f39f3325ad040406ac05c99713 (patch)
tree70eb9e23b1ac63b45b0596ec70609d742fde45d2 /src/include
parenta046e6135690f97adfa6bb4065d7367cf6142c40 (diff)
Create e_data as pa_data in KDC interfaces
All currently known uses of e_data are encoded as pa-data or typed-data. FAST requires that e_data be expressed as pa-data. Change the DAL and kdcpreauth interfaces so that e_data is returned as a sequence of pa-data elements. Add a preauth module flag to indicate that the sequence should be encoded as typed-data in non-FAST errors. ticket: 6969 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25298 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/kdb.h12
-rw-r--r--src/include/krb5/preauth_plugin.h26
2 files changed, 26 insertions, 12 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 809722eda3..78f786f3b9 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -69,7 +69,7 @@
/* This version will be incremented when incompatible changes are made to the
* KDB API, and will be kept in sync with the libkdb major version. */
-#define KRB5_KDB_API_VERSION 5
+#define KRB5_KDB_API_VERSION 6
/* Salt types */
#define KRB5_KDB_SALTTYPE_NORMAL 0
@@ -640,14 +640,14 @@ krb5_error_code krb5_db_check_policy_as(krb5_context kcontext,
krb5_db_entry *server,
krb5_timestamp kdc_time,
const char **status,
- krb5_data *e_data);
+ krb5_pa_data ***e_data);
krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext,
krb5_kdc_req *request,
krb5_db_entry *server,
krb5_ticket *ticket,
const char **status,
- krb5_data *e_data);
+ krb5_pa_data ***e_data);
void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request,
krb5_db_entry *client, krb5_db_entry *server,
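Review bot: The new `krb5_pa_data ***e_data` out-parameters on krb5_db_check_policy_as and krb5_db_check_policy_tgs state no allocation or initialization contract, and with a heap-allocated array returned through a triple pointer that contract is where leaks and double frees start. Nothing in this hunk says whether the caller must pass `*e_data == NULL`, whether the module may only set it on a nonzero return, or who frees the array; the kdcpreauth side of this commit says "freed by the KDC", and the DAL prototypes should say the same. I would add above both prototypes: `/* On a nonzero return the module may set *e_data to a NULL-terminated array of pa-data; the KDC takes ownership and frees it. Callers pass *e_data == NULL. */`. Whether the KDC actually initializes `*e_data` before calling is not visible here and should be confirmed in the callers.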
@@ -796,7 +796,7 @@ krb5_dbe_free_string(krb5_context, char *);
* This number indicates the date of the last incompatible change to the DAL.
* The maj_ver field of the module's vtable structure must match this version.
*/
-#define KRB5_KDB_DAL_MAJOR_VERSION 2
+#define KRB5_KDB_DAL_MAJOR_VERSION 3
/*
* A krb5_context can hold one database object. Modules should use
@@ -1269,7 +1269,7 @@ typedef struct _kdb_vftabl {
krb5_db_entry *server,
krb5_timestamp kdc_time,
const char **status,
- krb5_data *e_data);
+ krb5_pa_data ***e_data);
/*
* Optional: Perform a policy check on a TGS request, in addition to the
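Review bot: The vtable's check_policy_as and check_policy_tgs methods change type to `krb5_pa_data ***e_data` but their descriptive comments (the AS one starts above this hunk, the TGS one continues below it) are not updated to say what a DAL module is now expected to store there. Unlike kdcpreauth modules, which get the PA_TYPED_E_DATA flag added elsewhere in this commit, a DAL module appears to have no way to ask for typed-data encoding, so a module that previously returned typed-data-encoded e_data presumably now gets pa-data encoding regardless; that is worth stating so out-of-tree modules rebuilt against DAL major version 3 are not surprised. I would extend each method comment with: `* On failure the module may return e_data as a NULL-terminated pa-data array, which the KDC frees; the array is encoded as pa-data (typed-data is not available to DAL modules).`. The enclosing struct _kdb_vftabl starts and ends outside this hunk.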
@@ -1286,7 +1286,7 @@ typedef struct _kdb_vftabl {
krb5_db_entry *server,
krb5_ticket *ticket,
const char **status,
- krb5_data *e_data);
+ krb5_pa_data ***e_data);
/*
* Optional: This method informs the module of a successful or unsuccessful
diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h
index c620d6cdb4..3f9dfcc351 100644
--- a/src/include/krb5/preauth_plugin.h
+++ b/src/include/krb5/preauth_plugin.h
@@ -126,6 +126,11 @@
*/
#define PA_PSEUDO 0x00000080
+/*
+ * For kdcpreauth mechanisms, indicates that e_data in non-FAST errors should
+ * be encoded as typed data instead of padata.
+ */
+#define PA_TYPED_E_DATA 0x00000100
/*
* clpreauth plugin interface definition.
@@ -413,18 +418,27 @@ typedef krb5_error_code
krb5_pa_data *pa_out);
/*
- * Optional: verify preauthentication data sent by the client, setting the
- * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
- * field as appropriate, and returning nonzero on failure. Can create
- * per-request module data for consumption by the return_fn or free_modreq_fn
- * below.
+ * Responder for krb5_kdcpreauth_verify_fn. Invoke with the arg parameter
+ * supplied to verify, the error code (0 for success), an optional module
+ * request state object to be consumed by return_fn or free_modreq_fn, optional
+ * e_data to be passed to the caller if code is nonzero, and optional
+ * authorization data to be included in the ticket. In non-FAST replies,
+ * e_data will be encoded as typed-data if the module sets the PA_TYPED_E_DATA
+ * flag, and as pa-data otherwise. e_data and authz_data will be freed by the
+ * KDC.
*/
typedef void
(*krb5_kdcpreauth_verify_respond_fn)(void *arg, krb5_error_code code,
krb5_kdcpreauth_modreq modreq,
- krb5_data *e_data,
+ krb5_pa_data **e_data,
krb5_authdata **authz_data);
+/*
+ * Optional: verify preauthentication data sent by the client, setting the
+ * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
+ * field as appropriate. The implementation must invoke the respond function
+ * when complete, whether successful or not.
+ */
typedef void
(*krb5_kdcpreauth_verify_fn)(krb5_context context,
struct _krb5_db_entry_new *client,