authorGreg Hudson <ghudson@mit.edu>2011-10-06 16:18:56 +0000
committerGreg Hudson <ghudson@mit.edu>2011-10-06 16:18:56 +0000
commit7003d3dbdfd0a7f4f6843068affb290c844ccb65 (patch)
tree2b31a19ce468926f02f471597b68cb60d3bffe82 /src/kdc/kdc_preauth_ec.c
parent72dc9d3ca51e6b54f088f7dc6a68c38504cde1d9 (diff)
Use type-safe callbacks in preauth interface
Replace the generic get_data functions in clpreauth and kdcpreauth with structures containing callback functions. Each structure has a minor version number to allow adding new callbacks. For simplicity, the new fast armor key callbacks return aliases, which is how we would supply the armor key as a function parameter. The new client keys callback is paired with a free_keys callback to reduce the amount of cleanup code needed in modules. ticket: 6971 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25315 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/kdc_preauth_ec.c')
-rw-r--r--src/kdc/kdc_preauth_ec.c44
1 files changed, 11 insertions, 33 deletions
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 62fa615e01..b52d03620c 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -36,24 +36,18 @@
static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
- krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
- krb5_error_code retval = 0;
- krb5_keyblock *armor_key = NULL;
- retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
- if (retval)
- return retval;
- if (armor_key == 0)
- return ENOENT;
- krb5_free_keyblock(context, armor_key);
- return 0;
+ krb5_keyblock *armor_key = cb->fast_armor(context, rock);
+
+ return (armor_key == NULL) ? ENOENT : 0;
}
static void
kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data, krb5_kdcpreauth_get_data_fn get,
+ krb5_pa_data *data, krb5_kdcpreauth_callbacks cb,
krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
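Review bot: The ownership change at `krb5_keyblock *armor_key = cb->fast_armor(context, rock);` is invisible in the code itself: the old body freed the key with krb5_free_keyblock, the new one must not, and nothing at the call site says why. A one-line comment above it would protect against a well-meaning free being reintroduced, e.g. `/* fast_armor returns an alias owned by the KDC; do not free it. */`. The same applies to the identical initialiser in kdc_verify_preauth's declaration block in the next hunk, where the matching `krb5_free_keyblock(context, armor_key)` is removed further down in this commit. Whether the alias remains valid for the whole of kdc_verify_preauth (including the respond callback path) cannot be confirmed from this hunk and would be worth stating in that comment.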
@@ -62,10 +56,9 @@ kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
krb5_timestamp now;
krb5_enc_data *enc = NULL;
krb5_data scratch, plain;
- krb5_keyblock *armor_key = NULL;
+ krb5_keyblock *armor_key = cb->fast_armor(context, rock);
krb5_pa_enc_ts *ts = NULL;
krb5_keyblock *client_keys = NULL;
- krb5_data *client_data = NULL;
krb5_keyblock *challenge_key = NULL;
krb5_keyblock *kdc_challenge_key;
krb5_kdcpreauth_modreq modreq = NULL;
@@ -73,8 +66,7 @@ kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
plain.data = NULL;
- retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
- if (retval == 0 &&armor_key == NULL) {
+ if (armor_key == NULL) {
retval = ENOENT;
krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel");
}
@@ -89,9 +81,8 @@ kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
retval = ENOMEM;
}
if (retval == 0)
- retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_data);
+ retval = cb->client_keys(context, rock, &client_keys);
if (retval == 0) {
- client_keys = (krb5_keyblock *) client_data->data;
for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) {
retval = krb5_c_fx_cf2_simple(context,
armor_key, "clientchallengearmor",
@@ -108,18 +99,11 @@ kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
break;
/*We failed to decrypt. Try next key*/
retval = 0;
- krb5_free_keyblock_contents(context, &client_keys[i]);
}
if (client_keys[i].enctype == 0) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge");
- } else { /*not run out of keys*/
- int j;
- assert (retval == 0);
- for (j = i+1; client_keys[j].enctype; j++)
- krb5_free_keyblock_contents(context, &client_keys[j]);
}
-
}
if (retval == 0)
retval = decode_krb5_pa_enc_ts(&plain, &ts);
@@ -133,7 +117,7 @@ kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
* may cause the client to fail, but at this point the KDC has
* considered this a success, so the return value is ignored.
*/
- fast_kdc_replace_reply_key(context, get, rock);
+ fast_kdc_replace_reply_key(context, cb, rock);
if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
&client_keys[i], "challengelongterm",
&kdc_challenge_key) == 0)
@@ -142,13 +126,7 @@ kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
retval = KRB5KRB_AP_ERR_SKEW;
}
}
- if (client_keys) {
- if (client_keys[i].enctype)
- krb5_free_keyblock_contents(context, &client_keys[i]);
- krb5_free_data(context, client_data);
- }
- if (armor_key)
- krb5_free_keyblock(context, armor_key);
+ cb->free_keys(context, rock, client_keys);
if (plain.data)
free(plain.data);
if (enc)
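Review bot: `cb->free_keys(context, rock, client_keys);` now runs unconditionally, including on the early-exit paths (armor_key == NULL, the ENOMEM branch) where `cb->client_keys` was never called and client_keys is still NULL; the replaced code guarded this with `if (client_keys)`. Unless the free_keys callback's contract guarantees it accepts NULL — not visible from this diff — the guard should stay: `if (client_keys != NULL) cb->free_keys(context, rock, client_keys);`. If NULL is in fact accepted, a short comment saying so at this line would save the next reader the same question.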
@@ -163,7 +141,7 @@ static krb5_error_code
kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request,
krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_callbacks cb,
krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{