diff options
| author | Greg Hudson <ghudson@mit.edu> | 2011-10-03 19:14:05 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-10-03 19:14:05 +0000 |
| commit | 1329c7742c951596efbf06186828a14155194993 (patch) | |
| tree | fba87b0a350a2b71a6b1f0912ca2b1f563cfce90 /src/plugins/preauth | |
| parent | e10f8035338e23009c042ef2fd188f351794b43e (diff) | |
| download | krb5-1329c7742c951596efbf06186828a14155194993.tar.gz krb5-1329c7742c951596efbf06186828a14155194993.tar.xz krb5-1329c7742c951596efbf06186828a14155194993.zip | |
Make kdcpreauth verify respond via callback
From npmccallum@redhat.com with changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25294 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/preauth')
| -rw-r--r-- | src/plugins/preauth/cksum_body/cksum_body_main.c | 46 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 46 | ||||
| -rw-r--r-- | src/plugins/preauth/securid_sam2/securid_sam2_main.c | 13 | ||||
| -rw-r--r-- | src/plugins/preauth/wpse/wpse_main.c | 34 |
4 files changed, 76 insertions, 63 deletions
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index e79b84a12a..06ba14d5a9 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -329,7 +329,7 @@ server_get_edata(krb5_context kcontext, } /* Verify a request from a client. */ -static krb5_error_code +static void server_verify(krb5_context kcontext, struct _krb5_db_entry_new *client, krb5_data *req_pkt, @@ -338,9 +338,8 @@ server_verify(krb5_context kcontext, krb5_pa_data *data, krb5_kdcpreauth_get_data_fn server_get_entry_data, krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq *modreq_out, - krb5_data **e_data, - krb5_authdata ***authz_data) + krb5_kdcpreauth_verify_respond_fn respond, + void *arg) { krb5_int32 cksumtype; krb5_checksum checksum; @@ -365,7 +364,8 @@ server_verify(krb5_context kcontext, /* Verify the preauth data. Start with the checksum type. */ if (data->length < 4) { stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); + return; } memcpy(&cksumtype, data->contents, 4); memset(&checksum, 0, sizeof(checksum)); @@ -379,14 +379,16 @@ server_verify(krb5_context kcontext, "Is it supported?\n", checksum.checksum_type); #endif stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL); + return; } if (data->length - 4 != length) { #ifdef DEBUG fprintf(stderr, "Checksum size doesn't match client packet size.\n"); #endif stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); + return; } checksum.length = length; @@ -398,7 +400,8 @@ server_verify(krb5_context kcontext, fprintf(stderr, "Error retrieving client keys.\n"); #endif stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); + return; } /* Find the key which would have been used to generate the checksum. */ @@ -429,7 +432,8 @@ server_verify(krb5_context kcontext, krb5_free_keyblock_contents(kcontext, &keys[i]); krb5_free_data(kcontext, key_data); stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL); + return; } /* Save a copy of the key. */ @@ -438,7 +442,8 @@ server_verify(krb5_context kcontext, krb5_free_keyblock_contents(kcontext, &keys[i]); krb5_free_data(kcontext, key_data); stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + (*respond)(arg, KRB5KDC_ERR_SUMTYPE_NOSUPP, NULL, NULL, NULL); + return; } for (i = 0; keys[i].enctype != 0; i++) krb5_free_keyblock_contents(kcontext, &keys[i]); @@ -454,7 +459,8 @@ server_verify(krb5_context kcontext, &req_body) != 0) { krb5_free_keyblock(kcontext, key); stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); + return; } #ifdef DEBUG @@ -488,14 +494,15 @@ server_verify(krb5_context kcontext, test_edata->data = malloc(20); if (test_edata->data == NULL) { free(test_edata); + test_edata = NULL; } else { test_edata->length = 20; memset(test_edata->data, 'F', 20); /* fill it with junk */ - *e_data = test_edata; } } stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, test_edata, NULL); + return; } /* @@ -527,13 +534,15 @@ server_verify(krb5_context kcontext, my_authz_data[0] = malloc(sizeof(krb5_authdata)); if (my_authz_data[0] == NULL) { free(my_authz_data); - return ENOMEM; + (*respond)(arg, ENOMEM, NULL, NULL, NULL); + return; } my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); if (my_authz_data[0]->contents == NULL) { free(my_authz_data[0]); free(my_authz_data); - return ENOMEM; + (*respond)(arg, ENOMEM, NULL, NULL, NULL); + return; } memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); my_authz_data[0]->magic = KV5M_AUTHDATA; @@ -543,7 +552,6 @@ server_verify(krb5_context kcontext, snprintf(my_authz_data[0]->contents + sizeof(ad_header), AD_ALLOC_SIZE - sizeof(ad_header), "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); - *authz_data = my_authz_data; #ifdef DEBUG fprintf(stderr, "Returning %d bytes of authorization data\n", AD_ALLOC_SIZE); @@ -556,10 +564,10 @@ server_verify(krb5_context kcontext, test_edata->data = malloc(20); if (test_edata->data == NULL) { free(test_edata); + test_edata = NULL; } else { test_edata->length = 20; memset(test_edata->data, 'S', 20); /* fill it with junk */ - *e_data = test_edata; } } @@ -573,12 +581,12 @@ server_verify(krb5_context kcontext, svr_req_ctx); #endif } - *modreq_out = (krb5_kdcpreauth_modreq)svr_req_ctx; /* Note that preauthentication succeeded. */ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; stats->successes++; - return 0; + (*respond)(arg, 0, (krb5_kdcpreauth_modreq)svr_req_ctx, test_edata, + my_authz_data); } /* Create the response for a client. */ diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index c76359e7b6..1967ea65c8 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -287,7 +287,7 @@ out: return retval; } -static krb5_error_code +static void pkinit_server_verify_padata(krb5_context context, struct _krb5_db_entry_new * client, krb5_data *req_pkt, @@ -296,9 +296,8 @@ pkinit_server_verify_padata(krb5_context context, krb5_pa_data * data, krb5_kdcpreauth_get_data_fn server_get_entry_data, krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq *modreq_out, - krb5_data **e_data, - krb5_authdata ***authz_data) + krb5_kdcpreauth_verify_respond_fn respond, + void *arg) { krb5_error_code retval = 0; krb5_octet_data authp_data = {0, 0, NULL}, krb5_authz = {0, 0, NULL}; @@ -315,10 +314,14 @@ pkinit_server_verify_padata(krb5_context context, krb5_data k5data; int is_signed = 1; krb5_keyblock *armor_key; + krb5_data *e_data = NULL; + krb5_kdcpreauth_modreq modreq = NULL; pkiDebug("pkinit_verify_padata: entered!\n"); - if (data == NULL || data->length <= 0 || data->contents == NULL) - return 0; + if (data == NULL || data->length <= 0 || data->contents == NULL) { + (*respond)(arg, 0, NULL, NULL, NULL); + return; + } /* Remove (along with armor_key) when FAST PKINIT is settled. */ retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, @@ -326,15 +329,20 @@ pkinit_server_verify_padata(krb5_context context, if (retval == 0 && armor_key != NULL) { /* Don't allow PKINIT if the client used FAST. */ krb5_free_keyblock(context, armor_key); - return EINVAL; + (*respond)(arg, EINVAL, NULL, NULL, NULL); + return; } - if (moddata == NULL || e_data == NULL) - return EINVAL; + if (moddata == NULL) { + (*respond)(arg, EINVAL, NULL, NULL, NULL); + return; + } plgctx = pkinit_find_realm_context(context, moddata, request->server); - if (plgctx == NULL) - return 0; + if (plgctx == NULL) { + (*respond)(arg, 0, NULL, NULL, NULL); + return; + } #ifdef DEBUG_ASN1 print_buffer_bin(data->contents, data->length, "/tmp/kdc_as_req"); @@ -548,26 +556,16 @@ pkinit_server_verify_padata(krb5_context context, break; } - /* - * This code used to generate ad-initial-verified-cas authorization data. - * However that has been removed until the ad-kdc-issued discussion can - * happen in the working group. Dec 2009 - */ - /* return authorization data to be included in the ticket */ - switch ((int)data->pa_type) { - default: - *authz_data = NULL; - } /* remember to set the PREAUTH flag in the reply */ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - *modreq_out = (krb5_kdcpreauth_modreq)reqctx; + modreq = (krb5_kdcpreauth_modreq)reqctx; reqctx = NULL; cleanup: if (retval && data->pa_type == KRB5_PADATA_PK_AS_REQ) { pkiDebug("pkinit_verify_padata failed: creating e-data\n"); if (pkinit_create_edata(context, plgctx->cryptoctx, reqctx->cryptoctx, - plgctx->idctx, plgctx->opts, retval, e_data)) + plgctx->idctx, plgctx->opts, retval, &e_data)) pkiDebug("pkinit_create_edata failed\n"); } @@ -593,7 +591,7 @@ cleanup: if (auth_pack9 != NULL) free_krb5_auth_pack_draft9(context, &auth_pack9); - return retval; + (*respond)(arg, retval, modreq, e_data, NULL); } static krb5_error_code return_pkinit_kx(krb5_context context, krb5_kdc_req *request, diff --git a/src/plugins/preauth/securid_sam2/securid_sam2_main.c b/src/plugins/preauth/securid_sam2/securid_sam2_main.c index 0c420d2263..700cd59f9c 100644 --- a/src/plugins/preauth/securid_sam2/securid_sam2_main.c +++ b/src/plugins/preauth/securid_sam2/securid_sam2_main.c @@ -202,18 +202,18 @@ cleanup: return retval; } -static krb5_error_code +static void kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data, krb5_kdcpreauth_get_data_fn get_entry_proc, krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq *modreq_out, - krb5_data **e_data, krb5_authdata ***authz_data) + krb5_kdcpreauth_verify_respond_fn respond, + void *arg) { krb5_error_code retval, saved_retval = 0; krb5_sam_response_2 *sr2 = NULL; - krb5_data scratch, *scratch2; + krb5_data scratch, *scratch2, *e_data = NULL; char *client_name = NULL; krb5_sam_challenge_2 *out_sc2 = NULL; @@ -276,7 +276,7 @@ cleanup: goto encode_error; pa_out.contents = (krb5_octet *) scratch2->data; pa_out.length = scratch2->length; - retval = encode_krb5_padata_sequence(pa_array, e_data); + retval = encode_krb5_padata_sequence(pa_array, &e_data); krb5_free_data(context, scratch2); } encode_error: @@ -284,7 +284,8 @@ encode_error: free(client_name); if (retval == 0) retval = saved_retval; - return retval; + + (*respond)(arg, retval, NULL, NULL, NULL); } diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c index 866286c1bc..3c10e14162 100644 --- a/src/plugins/preauth/wpse/wpse_main.c +++ b/src/plugins/preauth/wpse/wpse_main.c @@ -259,7 +259,7 @@ server_get_edata(krb5_context kcontext, } /* Verify a request from a client. */ -static krb5_error_code +static void server_verify(krb5_context kcontext, struct _krb5_db_entry_new *client, krb5_data *req_pkt, @@ -268,30 +268,34 @@ server_verify(krb5_context kcontext, krb5_pa_data *data, krb5_kdcpreauth_get_data_fn server_get_entry_data, krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq *modreq_out, - krb5_data **e_data, - krb5_authdata ***authz_data) + krb5_kdcpreauth_verify_respond_fn respond, + void *arg) { krb5_int32 nnonce; krb5_data *test_edata; krb5_authdata **my_authz_data; + krb5_kdcpreauth_modreq modreq; #ifdef DEBUG fprintf(stderr, "wpse: server_verify()!\n"); #endif /* Verify the preauth data. */ - if (data->length != 4) - return KRB5KDC_ERR_PREAUTH_FAILED; + if (data->length != 4) { + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); + return; + } memcpy(&nnonce, data->contents, 4); nnonce = ntohl(nnonce); - if (memcmp(&nnonce, &request->nonce, 4) != 0) - return KRB5KDC_ERR_PREAUTH_FAILED; + if (memcmp(&nnonce, &request->nonce, 4) != 0) { + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); + return; + } /* Note that preauthentication succeeded. */ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; enc_tkt_reply->flags |= TKT_FLG_HW_AUTH; /* Allocate a context. Useful for verifying that we do in fact do * per-request cleanup. */ - *modreq_out = malloc(4); + modreq = malloc(4); /* * Return some junk authorization data just to exercise the @@ -322,13 +326,15 @@ server_verify(krb5_context kcontext, my_authz_data[0] = malloc(sizeof(krb5_authdata)); if (my_authz_data[0] == NULL) { free(my_authz_data); - return ENOMEM; + (*respond)(arg, ENOMEM, modreq, NULL, NULL); + return; } my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); if (my_authz_data[0]->contents == NULL) { free(my_authz_data[0]); free(my_authz_data); - return ENOMEM; + (*respond)(arg, ENOMEM, modreq, NULL, NULL); + return; } memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); my_authz_data[0]->magic = KV5M_AUTHDATA; @@ -338,7 +344,6 @@ server_verify(krb5_context kcontext, snprintf(my_authz_data[0]->contents + sizeof(ad_header), AD_ALLOC_SIZE - sizeof(ad_header), "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); - *authz_data = my_authz_data; #ifdef DEBUG fprintf(stderr, "Returning %d bytes of authorization data\n", AD_ALLOC_SIZE); @@ -351,13 +356,14 @@ server_verify(krb5_context kcontext, test_edata->data = malloc(20); if (test_edata->data == NULL) { free(test_edata); + test_edata = NULL; } else { test_edata->length = 20; memset(test_edata->data, '#', 20); /* fill it with junk */ - *e_data = test_edata; } } - return 0; + + (*respond)(arg, 0, modreq, test_edata, my_authz_data); } /* Create the response for a client. */ |