diff options
| author | Greg Hudson <ghudson@mit.edu> | 2009-11-24 23:52:25 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2009-11-24 23:52:25 +0000 |
| commit | 1db2647c62d10cccadadabacba7224eb565ec042 (patch) | |
| tree | 850eea7750db1c0247652069637ce2df2d94396e /src/plugins/preauth | |
| parent | b4fef608040800e4927c10146d6d386f97335e06 (diff) | |
| download | krb5-1db2647c62d10cccadadabacba7224eb565ec042.tar.gz krb5-1db2647c62d10cccadadabacba7224eb565ec042.tar.xz krb5-1db2647c62d10cccadadabacba7224eb565ec042.zip | |
Mark and reindent plugins, except for pkinit, which needs a little
cleanup first.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23353 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/preauth')
| -rw-r--r-- | src/plugins/preauth/cksum_body/cksum_body_main.c | 471 | ||||
| -rw-r--r-- | src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c | 266 | ||||
| -rw-r--r-- | src/plugins/preauth/fast_factor.h | 75 | ||||
| -rw-r--r-- | src/plugins/preauth/wpse/wpse_main.c | 285 |
4 files changed, 544 insertions, 553 deletions
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index 77de0a8b65..b03a29a18d 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2006 Red Hat, Inc. * All rights reserved. @@ -79,22 +80,22 @@ client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) static krb5_error_code client_process(krb5_context kcontext, - void *client_plugin_context, - void *client_request_context, - krb5_get_init_creds_opt *opt, - preauth_get_client_data_proc client_get_data_proc, - struct _krb5_preauth_client_rock *rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *pa_data, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, - krb5_pa_data ***out_pa_data) + void *client_plugin_context, + void *client_request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc client_get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *pa_data, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_pa_data) { krb5_pa_data **send_pa; krb5_checksum checksum; @@ -107,20 +108,20 @@ client_process(krb5_context kcontext, krb5_gic_opt_pa_data *gic_info; status = krb5_get_init_creds_opt_get_pa(kcontext, opt, - &num_gic_info, &gic_info); + &num_gic_info, &gic_info); if (status && status != ENOENT) { #ifdef DEBUG - fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n", - error_message(status)); + fprintf(stderr, "Error from krb5_get_init_creds_opt_get_pa: %s\n", + error_message(status)); #endif - return status; + return status; } #ifdef DEBUG fprintf(stderr, "(cksum_body) Got the following gic options:\n"); #endif for (i = 0; i < num_gic_info; i++) { #ifdef DEBUG - fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value); + fprintf(stderr, " '%s' = '%s'\n", gic_info[i].attr, gic_info[i].value); #endif } krb5_get_init_creds_opt_free_pa(kcontext, num_gic_info, gic_info); @@ -130,33 +131,33 @@ client_process(krb5_context kcontext, /* Get the user's long-term key if we haven't asked for it yet. Try * all of the encryption types which the server supports. */ if (as_key->length == 0) { - if ((pa_data != NULL) && (pa_data->length >= 4)) { + if ((pa_data != NULL) && (pa_data->length >= 4)) { #ifdef DEBUG - fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length); + fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length); #endif - n_enctypes = pa_data->length / 4; - enctypes = (krb5_int32*) pa_data->contents; - } else { - n_enctypes = request->nktypes; - } - for (i = 0; i < n_enctypes; i++) { - if ((pa_data != NULL) && (pa_data->length >= 4)) { - memcpy(&enctype, pa_data->contents + 4 * i, 4); - enctype = ntohl(enctype); - } else { - enctype = request->ktype[i]; - } + n_enctypes = pa_data->length / 4; + enctypes = (krb5_int32*) pa_data->contents; + } else { + n_enctypes = request->nktypes; + } + for (i = 0; i < n_enctypes; i++) { + if ((pa_data != NULL) && (pa_data->length >= 4)) { + memcpy(&enctype, pa_data->contents + 4 * i, 4); + enctype = ntohl(enctype); + } else { + enctype = request->ktype[i]; + } #ifdef DEBUG - fprintf(stderr, "Asking for AS key (type = %d).\n", enctype); + fprintf(stderr, "Asking for AS key (type = %d).\n", enctype); #endif - status = (*gak_fct)(kcontext, request->client, enctype, - prompter, prompter_data, - salt, s2kparams, as_key, gak_data); - if (status == 0) - break; - } - if (status != 0) - return status; + status = (*gak_fct)(kcontext, request->client, enctype, + prompter, prompter_data, + salt, s2kparams, as_key, gak_data); + if (status == 0) + break; + } + if (status != 0) + return status; } #ifdef DEBUG fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype); @@ -166,53 +167,53 @@ client_process(krb5_context kcontext, cksumtype_count = 0; cksumtypes = NULL; status = krb5_c_keyed_checksum_types(kcontext, as_key->enctype, - &cksumtype_count, &cksumtypes); + &cksumtype_count, &cksumtypes); if (status != 0) - return status; + return status; /* Generate the checksum. */ for (i = 0; i < cksumtype_count; i++) { - status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - encoded_request_body, - &checksum); - if (status == 0) { + status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key, + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + encoded_request_body, + &checksum); + if (status == 0) { #ifdef DEBUG - fprintf(stderr, "Made checksum (type = %d, %d bytes).\n", - checksum.checksum_type, encoded_request_body->length); + fprintf(stderr, "Made checksum (type = %d, %d bytes).\n", + checksum.checksum_type, encoded_request_body->length); #endif - break; - } + break; + } } cksumtype = htonl(cksumtypes[i]); krb5_free_cksumtypes(kcontext, cksumtypes); if (status != 0) { - if (checksum.length > 0) - krb5_free_checksum_contents(kcontext, &checksum); - return status; + if (checksum.length > 0) + krb5_free_checksum_contents(kcontext, &checksum); + return status; } /* Allocate the preauth data structure. */ send_pa = malloc(2 * sizeof(krb5_pa_data *)); if (send_pa == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - return ENOMEM; + krb5_free_checksum_contents(kcontext, &checksum); + return ENOMEM; } - send_pa[1] = NULL; /* Terminate list */ + send_pa[1] = NULL; /* Terminate list */ send_pa[0] = malloc(sizeof(krb5_pa_data)); if (send_pa[0] == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - free(send_pa); - return ENOMEM; + krb5_free_checksum_contents(kcontext, &checksum); + free(send_pa); + return ENOMEM; } send_pa[0]->pa_type = KRB5_PADATA_CKSUM_BODY_REQ; send_pa[0]->length = 4 + checksum.length; send_pa[0]->contents = malloc(4 + checksum.length); if (send_pa[0]->contents == NULL) { - krb5_free_checksum_contents(kcontext, &checksum); - free(send_pa[0]); - free(send_pa); - return ENOMEM; + krb5_free_checksum_contents(kcontext, &checksum); + free(send_pa[0]); + free(send_pa); + return ENOMEM; } /* Store the checksum. */ @@ -228,14 +229,14 @@ client_process(krb5_context kcontext, static krb5_error_code client_gic_opt(krb5_context kcontext, - void *plugin_context, - krb5_get_init_creds_opt *opt, - const char *attr, - const char *value) + void *plugin_context, + krb5_get_init_creds_opt *opt, + const char *attr, + const char *value) { #ifdef DEBUG fprintf(stderr, "(cksum_body) client_gic_opt: received '%s' = '%s'\n", - attr, value); + attr, value); #endif return 0; } @@ -247,7 +248,7 @@ server_init(krb5_context kcontext, void **module_context, const char **realmname struct server_stats *stats; stats = malloc(sizeof(struct server_stats)); if (stats == NULL) - return ENOMEM; + return ENOMEM; stats->successes = 0; stats->failures = 0; *module_context = stats; @@ -260,10 +261,10 @@ server_fini(krb5_context kcontext, void *module_context) stats = module_context; if (stats != NULL) { #ifdef DEBUG - fprintf(stderr, "Total: %d clients failed, %d succeeded.\n", - stats->failures, stats->successes); + fprintf(stderr, "Total: %d clients failed, %d succeeded.\n", + stats->failures, stats->successes); #endif - free(stats); + free(stats); } } @@ -271,12 +272,12 @@ server_fini(krb5_context kcontext, void *module_context) * client) which matches type data->pa_type. */ static krb5_error_code server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - krb5_pa_data *data) + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + krb5_pa_data *data) { krb5_data *key_data; krb5_keyblock *keys, *key; @@ -286,11 +287,11 @@ server_get_edata(krb5_context kcontext, /* Retrieve the client's keys. */ key_data = NULL; if ((*server_get_entry_data)(kcontext, request, client, - krb5plugin_preauth_keys, &key_data) != 0) { + krb5plugin_preauth_keys, &key_data) != 0) { #ifdef DEBUG - fprintf(stderr, "Error retrieving client keys.\n"); + fprintf(stderr, "Error retrieving client keys.\n"); #endif - return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; } /* Count which types of keys we've got, freeing the contents, which we @@ -298,23 +299,23 @@ server_get_edata(krb5_context kcontext, keys = (krb5_keyblock *) key_data->data; key = NULL; for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_keyblock_contents(kcontext, &keys[i]); /* Return the list of encryption types. */ enctypes = malloc((unsigned)i * 4); if (enctypes == NULL) { - krb5_free_data(kcontext, key_data); - return ENOMEM; + krb5_free_data(kcontext, key_data); + return ENOMEM; } #ifdef DEBUG fprintf(stderr, "Supported enctypes = {"); #endif for (i = 0; keys[i].enctype != 0; i++) { #ifdef DEBUG - fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype); + fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype); #endif - enctype = htonl(keys[i].enctype); - memcpy(&enctypes[i], &enctype, 4); + enctype = htonl(keys[i].enctype); + memcpy(&enctypes[i], &enctype, 4); } #ifdef DEBUG fprintf(stderr, "}.\n"); @@ -329,16 +330,16 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static krb5_error_code server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) { krb5_int32 cksumtype; krb5_checksum checksum; @@ -362,8 +363,8 @@ server_verify(krb5_context kcontext, #endif /* Verify the preauth data. Start with the checksum type. */ if (data->length < 4) { - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } memcpy(&cksumtype, data->contents, 4); memset(&checksum, 0, sizeof(checksum)); @@ -371,75 +372,75 @@ server_verify(krb5_context kcontext, /* Verify that the amount of data we have left is what we expect. */ if (krb5_c_checksum_length(kcontext, checksum.checksum_type, - &length) != 0) { + &length) != 0) { #ifdef DEBUG - fprintf(stderr, "Error determining checksum size (type = %d). " - "Is it supported?\n", checksum.checksum_type); + fprintf(stderr, "Error determining checksum size (type = %d). " + "Is it supported?\n", checksum.checksum_type); #endif - stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + stats->failures++; + return KRB5KDC_ERR_SUMTYPE_NOSUPP; } if (data->length - 4 != length) { #ifdef DEBUG - fprintf(stderr, "Checksum size doesn't match client packet size.\n"); + fprintf(stderr, "Checksum size doesn't match client packet size.\n"); #endif - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } checksum.length = length; /* Pull up the client's keys. */ key_data = NULL; if ((*server_get_entry_data)(kcontext, request, client, - krb5plugin_preauth_keys, &key_data) != 0) { + krb5plugin_preauth_keys, &key_data) != 0) { #ifdef DEBUG - fprintf(stderr, "Error retrieving client keys.\n"); + fprintf(stderr, "Error retrieving client keys.\n"); #endif - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } /* Find the key which would have been used to generate the checksum. */ keys = (krb5_keyblock *) key_data->data; key = NULL; for (i = 0; keys[i].enctype != 0; i++) { - key = &keys[i]; - cksumtypes_count = 0; - cksumtypes = NULL; - if (krb5_c_keyed_checksum_types(kcontext, key->enctype, - &cksumtypes_count, &cksumtypes) != 0) - continue; - for (j = 0; j < cksumtypes_count; j++) { - if (cksumtypes[j] == checksum.checksum_type) - break; - } - if (cksumtypes != NULL) - krb5_free_cksumtypes(kcontext, cksumtypes); - if (j < cksumtypes_count) { + key = &keys[i]; + cksumtypes_count = 0; + cksumtypes = NULL; + if (krb5_c_keyed_checksum_types(kcontext, key->enctype, + &cksumtypes_count, &cksumtypes) != 0) + continue; + for (j = 0; j < cksumtypes_count; j++) { + if (cksumtypes[j] == checksum.checksum_type) + break; + } + if (cksumtypes != NULL) + krb5_free_cksumtypes(kcontext, cksumtypes); + if (j < cksumtypes_count) { #ifdef DEBUG - fprintf(stderr, "Found checksum key.\n"); + fprintf(stderr, "Found checksum key.\n"); #endif - break; - } + break; + } } if ((key == NULL) || (key->enctype == 0)) { - for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); - krb5_free_data(kcontext, key_data); - stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + for (i = 0; keys[i].enctype != 0; i++) + krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_data(kcontext, key_data); + stats->failures++; + return KRB5KDC_ERR_SUMTYPE_NOSUPP; } /* Save a copy of the key. */ if (krb5_copy_keyblock(kcontext, &keys[i], &key) != 0) { - for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); - krb5_free_data(kcontext, key_data); - stats->failures++; - return KRB5KDC_ERR_SUMTYPE_NOSUPP; + for (i = 0; keys[i].enctype != 0; i++) + krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_data(kcontext, key_data); + stats->failures++; + return KRB5KDC_ERR_SUMTYPE_NOSUPP; } for (i = 0; keys[i].enctype != 0; i++) - krb5_free_keyblock_contents(kcontext, &keys[i]); + krb5_free_keyblock_contents(kcontext, &keys[i]); krb5_free_data(kcontext, key_data); /* Rebuild a copy of the client's request-body. If we were serious @@ -448,24 +449,24 @@ server_verify(krb5_context kcontext, * will probably work if it's us on both ends, though. */ req_body = NULL; if ((*server_get_entry_data)(kcontext, request, client, - krb5plugin_preauth_request_body, - &req_body) != 0) { - krb5_free_keyblock(kcontext, key); - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + krb5plugin_preauth_request_body, + &req_body) != 0) { + krb5_free_keyblock(kcontext, key); + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } #ifdef DEBUG fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n", - key->enctype, checksum.checksum_type, req_body->length); + key->enctype, checksum.checksum_type, req_body->length); #endif /* Verify the checksum itself. */ checksum.contents = data->contents + 4; valid = FALSE; status = krb5_c_verify_checksum(kcontext, key, - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, - req_body, &checksum, &valid); + KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, + req_body, &checksum, &valid); /* Clean up. */ krb5_free_data(kcontext, req_body); @@ -474,26 +475,26 @@ server_verify(krb5_context kcontext, /* Evaluate our results. */ if ((status != 0) || (!valid)) { #ifdef DEBUG - if (status != 0) { - fprintf(stderr, "Error in checksum verification.\n"); - } else { - fprintf(stderr, "Checksum mismatch.\n"); - } + if (status != 0) { + fprintf(stderr, "Error in checksum verification.\n"); + } else { + fprintf(stderr, "Checksum mismatch.\n"); + } #endif - /* Return edata to exercise code that handles edata... */ - test_edata = malloc(sizeof(*test_edata)); - if (test_edata != NULL) { - test_edata->data = malloc(20); - if (test_edata->data == NULL) { - free(test_edata); - } else { - test_edata->length = 20; - memset(test_edata->data, 'F', 20); /* fill it with junk */ - *e_data = test_edata; - } - } - stats->failures++; - return KRB5KDC_ERR_PREAUTH_FAILED; + /* Return edata to exercise code that handles edata... */ + test_edata = malloc(sizeof(*test_edata)); + if (test_edata != NULL) { + test_edata->data = malloc(20); + if (test_edata->data == NULL) { + free(test_edata); + } else { + test_edata->length = 20; + memset(test_edata->data, 'F', 20); /* fill it with junk */ + *e_data = test_edata; + } + } + stats->failures++; + return KRB5KDC_ERR_PREAUTH_FAILED; } /* @@ -518,54 +519,54 @@ server_verify(krb5_context kcontext, #endif my_authz_data = malloc(2 * sizeof(*my_authz_data)); if (my_authz_data != NULL) { - my_authz_data[1] = NULL; - my_authz_data[0] = malloc(sizeof(krb5_authdata)); - if (my_authz_data[0] == NULL) { - free(my_authz_data); - return ENOMEM; - } - my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); - if (my_authz_data[0]->contents == NULL) { - free(my_authz_data[0]); - free(my_authz_data); - return ENOMEM; - } - memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); - my_authz_data[0]->magic = KV5M_AUTHDATA; - my_authz_data[0]->ad_type = 1; - my_authz_data[0]->length = AD_ALLOC_SIZE; - memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); - snprintf(my_authz_data[0]->contents + sizeof(ad_header), - AD_ALLOC_SIZE - sizeof(ad_header), - "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); - *authz_data = my_authz_data; + my_authz_data[1] = NULL; + my_authz_data[0] = malloc(sizeof(krb5_authdata)); + if (my_authz_data[0] == NULL) { + free(my_authz_data); + return ENOMEM; + } + my_authz_data[0]->contents = malloc(AD_ALLOC_SIZE); + if (my_authz_data[0]->contents == NULL) { + free(my_authz_data[0]); + free(my_authz_data); + return ENOMEM; + } + memset(my_authz_data[0]->contents, '\0', AD_ALLOC_SIZE); + my_authz_data[0]->magic = KV5M_AUTHDATA; + my_authz_data[0]->ad_type = 1; + my_authz_data[0]->length = AD_ALLOC_SIZE; + memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); + snprintf(my_authz_data[0]->contents + sizeof(ad_header), + AD_ALLOC_SIZE - sizeof(ad_header), + "cksum authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); + *authz_data = my_authz_data; #ifdef DEBUG - fprintf(stderr, "Returning %d bytes of authorization data\n", - AD_ALLOC_SIZE); + fprintf(stderr, "Returning %d bytes of authorization data\n", + AD_ALLOC_SIZE); #endif } /* Return edata to exercise code that handles edata... */ test_edata = malloc(sizeof(*test_edata)); if (test_edata != NULL) { - test_edata->data = malloc(20); - if (test_edata->data == NULL) { - free(test_edata); - } else { - test_edata->length = 20; - memset(test_edata->data, 'S', 20); /* fill it with junk */ - *e_data = test_edata; - } + test_edata->data = malloc(20); + if (test_edata->data == NULL) { + free(test_edata); + } else { + test_edata->length = 20; + memset(test_edata->data, 'S', 20); /* fill it with junk */ + *e_data = test_edata; + } } /* Return a request context to exercise code that handles it */ svr_req_ctx = malloc(sizeof(*svr_req_ctx)); if (svr_req_ctx != NULL) { - svr_req_ctx->value1 = 111111; - svr_req_ctx->value2 = 222222; + svr_req_ctx->value1 = 111111; + svr_req_ctx->value2 = 222222; #ifdef DEBUG - fprintf(stderr, "server_verify: returning context at %p\n", - svr_req_ctx); + fprintf(stderr, "server_verify: returning context at %p\n", + svr_req_ctx); #endif } *pa_request_context = svr_req_ctx; @@ -579,17 +580,17 @@ server_verify(krb5_context kcontext, /* Create the response for a client. */ static krb5_error_code server_return(krb5_context kcontext, - krb5_pa_data *padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context) + krb5_pa_data *padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context) { /* We don't need to send data back on the return trip. */ *send_pa = NULL; @@ -599,25 +600,25 @@ server_return(krb5_context kcontext, /* Test server request context freeing */ static krb5_error_code server_free_reqctx(krb5_context kcontext, - void *pa_module_context, - void **pa_request_context) + void *pa_module_context, + void **pa_request_context) { test_svr_req_ctx *svr_req_ctx; #ifdef DEBUG fprintf(stderr, "server_free_reqctx: entered!\n"); #endif if (pa_request_context == NULL) - return 0; + return 0; svr_req_ctx = *pa_request_context; if (svr_req_ctx == NULL) - return 0; + return 0; if (svr_req_ctx->value1 != 111111 || svr_req_ctx->value2 != 222222) { - fprintf(stderr, "server_free_reqctx: got invalid req context " - "at %p with values %d and %d\n", - svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2); - return EINVAL; + fprintf(stderr, "server_free_reqctx: got invalid req context " + "at %p with values %d and %d\n", + svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2); + return EINVAL; } #ifdef DEBUG fprintf(stderr, "server_free_reqctx: freeing context at %p\n", svr_req_ctx); @@ -641,17 +642,17 @@ static krb5_preauthtype supported_server_pa_types[] = { }; struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { - "cksum_body", /* name */ - &supported_client_pa_types[0], /* pa_type_list */ - NULL, /* enctype_list */ - NULL, /* plugin init function */ - NULL, /* plugin fini function */ - client_get_flags, /* get flags function */ - NULL, /* request init function */ - NULL, /* request fini function */ - client_process, /* process function */ - NULL, /* try_again function */ - client_gic_opt /* get init creds opt function */ + "cksum_body", /* name */ + &supported_client_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + NULL, /* plugin init function */ + NULL, /* plugin fini function */ + client_get_flags, /* get flags function */ + NULL, /* request init function */ + NULL, /* request fini function */ + client_process, /* process function */ + NULL, /* try_again function */ + client_gic_opt /* get init creds opt function */ }; struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c index 45b309d8ba..614ee47f27 100644 --- a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c +++ b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * plugins/preauth/encrypted_challenge/encrypted_challenge.c * @@ -24,8 +25,8 @@ * or implied warranty. * * - * - * Implement EncryptedChallenge fast factor from draft-ietf-krb-wg-preauth-framework + * Implement Encrypted Challenge fast factor from + * draft-ietf-krb-wg-preauth-framework */ #include <k5-int.h> @@ -33,31 +34,23 @@ #include <krb5/preauth_plugin.h> -static int preauth_flags -(krb5_context context, krb5_preauthtype pa_type) +static int +preauth_flags(krb5_context context, krb5_preauthtype pa_type) { return PA_REAL; } -static krb5_error_code process_preauth -(krb5_context context, - void *plugin_context, - void *request_context, - krb5_get_init_creds_opt *opt, - preauth_get_client_data_proc get_data_proc, - struct _krb5_preauth_client_rock *rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *padata, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - void *gak_data, - krb5_data *salt, - krb5_data *s2kparams, - krb5_keyblock *as_key, - krb5_pa_data ***out_padata) +static krb5_error_code +process_preauth(krb5_context context, void *plugin_context, + void *request_context, krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, krb5_pa_data *padata, + krb5_prompter_fct prompter, void *prompter_data, + preauth_get_as_key_proc gak_fct, void *gak_data, + krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key, + krb5_pa_data ***out_padata) { krb5_error_code retval = 0; krb5_enctype enctype = 0; @@ -87,29 +80,30 @@ static krb5_error_code process_preauth if (retval == 0) retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", as_key, "challengelongterm", &challenge_key); - if (retval == 0) - retval =kaccess.decode_enc_data(&scratch, &enc); - scratch.data = NULL; - if (retval == 0) { - scratch.data = malloc(enc->ciphertext.length); - scratch.length = enc->ciphertext.length; - if (scratch.data == NULL) - retval = ENOMEM; - } - if (retval == 0) - retval = krb5_c_decrypt(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, - enc, &scratch); -/*Per draft 11 of the preauth framework, the client MAY but - * is not required to actually check the timestamp from the KDC other than - * to confirm it decrypts. This code does not perform that check. - */ - if (scratch.data) - krb5_free_data_contents(context, &scratch); - if (retval == 0) - fast_set_kdc_verified(context, get_data_proc, rock); - if (enc) - kaccess.free_enc_data(context, enc); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(enc->ciphertext.length); + scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); + /* + * Per draft 11 of the preauth framework, the client MAY but is not + * required to actually check the timestamp from the KDC other than to + * confirm it decrypts. This code does not perform that check. + */ + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); } else { /*No padata; we send*/ krb5_enc_data enc; krb5_pa_data *pa = NULL; @@ -136,34 +130,34 @@ static krb5_error_code process_preauth if (retval == 0) { retval = kaccess.encode_enc_data(&enc, &encoded_ts); krb5_free_data_contents(context, &enc.ciphertext); - } - if (retval == 0) { - pa = calloc(1, sizeof(krb5_pa_data)); - if (pa == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa_array = calloc(2, sizeof(krb5_pa_data *)); - if (pa_array == NULL) - retval = ENOMEM; - } - if (retval == 0) { - pa->length = encoded_ts->length; - pa->contents = (unsigned char *) encoded_ts->data; - pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; - free(encoded_ts); - encoded_ts = NULL; - pa_array[0] = pa; - pa = NULL; - *out_padata = pa_array; - pa_array = NULL; - } - if (pa) - free(pa); - if (encoded_ts) - krb5_free_data(context, encoded_ts); - if (pa_array) - free(pa_array); + } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); } if (challenge_key) krb5_free_keyblock(context, challenge_key); @@ -176,16 +170,12 @@ static krb5_error_code process_preauth } - - -static krb5_error_code kdc_include_padata -(krb5_context context, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - krb5_pa_data *data) +static krb5_error_code +kdc_include_padata(krb5_context context, krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, krb5_pa_data *data) { krb5_error_code retval = 0; krb5_keyblock *armor_key = NULL; @@ -198,18 +188,13 @@ static krb5_error_code kdc_include_padata return 0; } -static krb5_error_code kdc_verify_preauth -(krb5_context context, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) +static krb5_error_code +kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context, + krb5_data **e_data, krb5_authdata ***authz_data) { krb5_error_code retval = 0; krb5_timestamp now; @@ -230,7 +215,7 @@ static krb5_error_code kdc_verify_preauth retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); if (retval == 0 &&armor_key == NULL) { retval = ENOENT; - krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); + krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); } scratch.data = (char *) data->contents; scratch.length = data->length; @@ -252,28 +237,28 @@ static krb5_error_code kdc_verify_preauth armor_key, "clientchallengearmor", &client_keys[i], "challengelongterm", &challenge_key); - if (retval == 0) - retval = krb5_c_decrypt(context, challenge_key, - KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, - NULL, enc, &plain); - if (challenge_key) - krb5_free_keyblock(context, challenge_key); - challenge_key = NULL; - if (retval == 0) - break; - /*We failed to decrypt. Try next key*/ - retval = 0; - krb5_free_keyblock_contents(context, &client_keys[i]); - } - if (client_keys[i].enctype == 0) { - retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); - } else { /*not run out of keys*/ - int j; - assert (retval == 0); - for (j = i+1; client_keys[j].enctype; j++) - krb5_free_keyblock_contents(context, &client_keys[j]); - } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + NULL, enc, &plain); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + challenge_key = NULL; + if (retval == 0) + break; + /*We failed to decrypt. Try next key*/ + retval = 0; + krb5_free_keyblock_contents(context, &client_keys[i]); + } + if (client_keys[i].enctype == 0) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); + } else { /*not run out of keys*/ + int j; + assert (retval == 0); + for (j = i+1; client_keys[j].enctype; j++) + krb5_free_keyblock_contents(context, &client_keys[j]); + } } if (retval == 0) @@ -283,13 +268,15 @@ static krb5_error_code kdc_verify_preauth if (retval == 0) { if (labs(now-ts->patimestamp) < context->clockskew) { enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - /*If this fails, we won't generate a reply to the client. That may - * cause the client to fail, but at this point the KDC has considered - * this a success, so the return value is ignored. */ + /* + * If this fails, we won't generate a reply to the client. That + * may cause the client to fail, but at this point the KDC has + * considered this a success, so the return value is ignored. + */ fast_kdc_replace_reply_key(context, get_entry_proc, request); krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", - &client_keys[i], "challengelongterm", - (krb5_keyblock **) pa_request_context); + &client_keys[i], "challengelongterm", + (krb5_keyblock **) pa_request_context); } else { /*skew*/ retval = KRB5KRB_AP_ERR_SKEW; } @@ -310,19 +297,14 @@ static krb5_error_code kdc_verify_preauth return retval; } -static krb5_error_code kdc_return_preauth -(krb5_context context, - krb5_pa_data * padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_keys, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc get_entry_proc, - void *pa_module_context, - void **pa_request_context) +static krb5_error_code +kdc_return_preauth(krb5_context context, krb5_pa_data *padata, + struct _krb5_db_entry_new *client, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context) { krb5_error_code retval = 0; krb5_keyblock *challenge_key = *pa_request_context; @@ -338,7 +320,7 @@ static krb5_error_code kdc_return_preauth if (challenge_key == NULL) return 0; * pa_request_context = NULL; /*this function will free the - * challenge key*/ + * challenge key*/ enc.ciphertext.data = NULL; /* In case of error pass through */ retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); @@ -352,8 +334,8 @@ static krb5_error_code kdc_return_preauth retval = kaccess.encode_enc_data(&enc, &encoded); if (retval == 0) { pa = calloc(1, sizeof(krb5_pa_data)); - if (pa == NULL) - retval = ENOMEM; + if (pa == NULL) + retval = ENOMEM; } if (retval == 0) { pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; @@ -374,8 +356,8 @@ static krb5_error_code kdc_return_preauth return retval; } -static int kdc_preauth_flags -(krb5_context context, krb5_preauthtype patype) +static int +kdc_preauth_flags(krb5_context context, krb5_preauthtype patype) { return 0; } diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h index 1e7696f02c..0789c1ad18 100644 --- a/src/plugins/preauth/fast_factor.h +++ b/src/plugins/preauth/fast_factor.h @@ -1,53 +1,60 @@ -/*Returns success with a null armor_key if FAST is available but not in use. -Returns failure if the client library does not support FAST -*/ -static krb5_error_code fast_get_armor_key -(krb5_context context, preauth_get_client_data_proc get_data, - struct _krb5_preauth_client_rock *rock, - krb5_keyblock **armor_key) +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + +/* + * Returns success with a null armor_key if FAST is available but not in use. + * Returns failure if the client library does not support FAST. + */ +static krb5_error_code +fast_get_armor_key(krb5_context context, preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock, + krb5_keyblock **armor_key) { krb5_error_code retval = 0; krb5_data *data; retval = get_data(context, rock, krb5plugin_preauth_client_fast_armor, &data); if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_data(context, rock, krb5plugin_preauth_client_free_fast_armor, - &data); + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_data(context, rock, krb5plugin_preauth_client_free_fast_armor, + &data); } return retval; } -static krb5_error_code fast_kdc_get_armor_key -(krb5_context context, preauth_get_entry_data_proc get_entry, - krb5_kdc_req *request,struct _krb5_db_entry_new *client, - krb5_keyblock **armor_key) +static krb5_error_code +fast_kdc_get_armor_key(krb5_context context, + preauth_get_entry_data_proc get_entry, + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + krb5_keyblock **armor_key) { krb5_error_code retval; krb5_data *data; - retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor, - &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_entry(context, request, client, - krb5plugin_preauth_free_fast_armor, &data); - } - return retval; - } + retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor, + &data); + if (retval == 0) { + *armor_key = (krb5_keyblock *) data->data; + data->data = NULL; + get_entry(context, request, client, + krb5plugin_preauth_free_fast_armor, &data); + } + return retval; +} - static krb5_error_code fast_kdc_replace_reply_key - (krb5_context context, preauth_get_entry_data_proc get_data, - krb5_kdc_req *request) - { - return 0; - } +static krb5_error_code +fast_kdc_replace_reply_key(krb5_context context, + preauth_get_entry_data_proc get_data, + krb5_kdc_req *request) +{ + return 0; +} -static krb5_error_code fast_set_kdc_verified -(krb5_context context, preauth_get_client_data_proc get_data, - struct _krb5_preauth_client_rock *rock) +static krb5_error_code +fast_set_kdc_verified(krb5_context context, + preauth_get_client_data_proc get_data, + struct _krb5_preauth_client_rock *rock) { return 0; } diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c index 655f2b9496..5576a0837b 100644 --- a/src/plugins/preauth/wpse/wpse_main.c +++ b/src/plugins/preauth/wpse/wpse_main.c @@ -1,3 +1,4 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* * Copyright (C) 2006 Red Hat, Inc. * All rights reserved. @@ -64,7 +65,7 @@ client_init(krb5_context kcontext, void **ctx) pctx = malloc(sizeof(int)); if (pctx == NULL) - return ENOMEM; + return ENOMEM; *pctx = 0; *ctx = pctx; return 0; @@ -86,22 +87,22 @@ client_fini(krb5_context kcontext, void *ctx) static krb5_error_code client_process(krb5_context kcontext, - void *plugin_context, - void *request_context, - krb5_get_init_creds_opt *opt, - preauth_get_client_data_proc client_get_data_proc, - struct _krb5_preauth_client_rock *rock, - krb5_kdc_req *request, - krb5_data *encoded_request_body, - krb5_data *encoded_previous_request, - krb5_pa_data *pa_data, - krb5_prompter_fct prompter, - void *prompter_data, - preauth_get_as_key_proc gak_fct, - void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, - krb5_pa_data ***out_pa_data) + void *plugin_context, + void *request_context, + krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc client_get_data_proc, + struct _krb5_preauth_client_rock *rock, + krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, + krb5_pa_data *pa_data, + krb5_prompter_fct prompter, + void *prompter_data, + preauth_get_as_key_proc gak_fct, + void *gak_data, + krb5_data *salt, krb5_data *s2kparams, + krb5_keyblock *as_key, + krb5_pa_data ***out_pa_data) { krb5_pa_data **send_pa; krb5_int32 nnonce, enctype; @@ -111,58 +112,58 @@ client_process(krb5_context kcontext, #ifdef DEBUG fprintf(stderr, "%d bytes of preauthentication data (type %d)\n", - pa_data->length, pa_data->pa_type); + pa_data->length, pa_data->pa_type); #endif pctx = plugin_context; if (pctx) { - (*pctx)++; + (*pctx)++; } if (pa_data->length == 0) { - /* Create preauth data. */ - send_pa = malloc(2 * sizeof(krb5_pa_data *)); - if (send_pa == NULL) - return ENOMEM; - send_pa[1] = NULL; /* Terminate list */ - send_pa[0] = malloc(sizeof(krb5_pa_data)); - if (send_pa[0] == NULL) { - free(send_pa); - return ENOMEM; - } - send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ; - send_pa[0]->length = 4; - send_pa[0]->contents = malloc(4); - if (send_pa[0]->contents == NULL) { - free(send_pa[0]); - free(send_pa); - return ENOMEM; - } - /* Store the preauth data. */ - nnonce = htonl(request->nonce); - memcpy(send_pa[0]->contents, &nnonce, 4); - *out_pa_data = send_pa; + /* Create preauth data. */ + send_pa = malloc(2 * sizeof(krb5_pa_data *)); + if (send_pa == NULL) + return ENOMEM; + send_pa[1] = NULL; /* Terminate list */ + send_pa[0] = malloc(sizeof(krb5_pa_data)); + if (send_pa[0] == NULL) { + free(send_pa); + return ENOMEM; + } + send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ; + send_pa[0]->length = 4; + send_pa[0]->contents = malloc(4); + if (send_pa[0]->contents == NULL) { + free(send_pa[0]); + free(send_pa); + return ENOMEM; + } + /* Store the preauth data. */ + nnonce = htonl(request->nonce); + memcpy(send_pa[0]->contents, &nnonce, 4); + *out_pa_data = send_pa; } else { - /* A reply from the KDC. Conventionally this would be - * indicated by a different preauthentication type, but this - * mechanism/implementation doesn't do that. */ - if (pa_data->length > 4) { - memcpy(&enctype, pa_data->contents, 4); - kb = NULL; - status = krb5_init_keyblock(kcontext, ntohl(enctype), - pa_data->length - 4, &kb); - if (status != 0) - return status; - memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4); + /* A reply from the KDC. Conventionally this would be + * indicated by a different preauthentication type, but this + * mechanism/implementation doesn't do that. */ + if (pa_data->length > 4) { + memcpy(&enctype, pa_data->contents, 4); + kb = NULL; + status = krb5_init_keyblock(kcontext, ntohl(enctype), + pa_data->length - 4, &kb); + if (status != 0) + return status; + memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4); #ifdef DEBUG - fprintf(stderr, "Recovered key type=%d, length=%d.\n", - kb->enctype, kb->length); + fprintf(stderr, "Recovered key type=%d, length=%d.\n", + kb->enctype, kb->length); #endif - status = krb5_copy_keyblock_contents(kcontext, kb, as_key); - krb5_free_keyblock(kcontext, kb); - return status; - } - return KRB5KRB_ERR_GENERIC; + status = krb5_copy_keyblock_contents(kcontext, kb, as_key); + krb5_free_keyblock(kcontext, kb); + return status; + } + return KRB5KRB_ERR_GENERIC; } return 0; } @@ -185,7 +186,7 @@ client_req_init(krb5_context kcontext, void *plugin_context, void **req_context_ * do per-request cleanup. */ ctx = (wpse_req_ctx *) malloc(sizeof(*ctx)); if (ctx == NULL) - return; + return; ctx->magic = WPSE_MAGIC; ctx->value = 0xc0dec0de; @@ -199,31 +200,31 @@ client_req_cleanup(krb5_context kcontext, void *plugin_context, void *req_contex if (ctx) { #ifdef DEBUG - fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n", - ctx, ctx->magic, ctx->value); + fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n", + ctx, ctx->magic, ctx->value); #endif - if (ctx->magic != WPSE_MAGIC) { + if (ctx->magic != WPSE_MAGIC) { #ifdef DEBUG - fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n", - ctx, ctx->magic); + fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n", + ctx, ctx->magic); #endif - return; - } - free(ctx); + return; + } + free(ctx); } return; } static krb5_error_code client_gic_opt(krb5_context kcontext, - void *plugin_context, - krb5_get_init_creds_opt *opt, - const char *attr, - const char *value) + void *plugin_context, + krb5_get_init_creds_opt *opt, + const char *attr, + const char *value) { #ifdef DEBUG fprintf(stderr, "(wpse) client_gic_opt: received '%s' = '%s'\n", - attr, value); + attr, value); #endif return 0; } @@ -232,11 +233,11 @@ client_gic_opt(krb5_context kcontext, /* Free state. */ static krb5_error_code server_free_pa_request_context(krb5_context kcontext, void *plugin_context, - void **request_context) + void **request_context) { if (*request_context != NULL) { - free(*request_context); - *request_context = NULL; + free(*request_context); + *request_context = NULL; } return 0; } @@ -245,12 +246,12 @@ server_free_pa_request_context(krb5_context kcontext, void *plugin_context, * client) which matches type data->pa_type. */ static krb5_error_code server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - krb5_pa_data *data) + krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + krb5_pa_data *data) { /* Return zero bytes of data. */ data->length = 0; @@ -261,16 +262,16 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static krb5_error_code server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, - krb5_pa_data *data, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context, - krb5_data **e_data, - krb5_authdata ***authz_data) + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *data, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context, + krb5_data **e_data, + krb5_authdata ***authz_data) { krb5_int32 nnonce; krb5_data *test_edata; @@ -281,18 +282,18 @@ server_verify(krb5_context kcontext, #endif /* Verify the preauth data. */ if (data->length != 4) - return KRB5KDC_ERR_PREAUTH_FAILED; + return KRB5KDC_ERR_PREAUTH_FAILED; memcpy(&nnonce, data->contents, 4); nnonce = ntohl(nnonce); if (memcmp(&nnonce, &request->nonce, 4) != 0) - return KRB5KDC_ERR_PREAUTH_FAILED; + return KRB5KDC_ERR_PREAUTH_FAILED; /* Note that preauthentication succeeded. */ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; enc_tkt_reply->flags |= TKT_FLG_HW_AUTH; /* Allocate a context. Useful for verifying that we do in fact do * per-request cleanup. */ if (*pa_request_context == NULL) - *pa_request_context = malloc(4); + *pa_request_context = malloc(4); /* * Return some junk authorization data just to exercise the @@ -334,8 +335,8 @@ server_verify(krb5_context kcontext, my_authz_data[0]->length = AD_ALLOC_SIZE; memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header)); snprintf(my_authz_data[0]->contents + sizeof(ad_header), - AD_ALLOC_SIZE - sizeof(ad_header), - "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); + AD_ALLOC_SIZE - sizeof(ad_header), + "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE); *authz_data = my_authz_data; #ifdef DEBUG fprintf(stderr, "Returning %d bytes of authorization data\n", @@ -346,14 +347,14 @@ server_verify(krb5_context kcontext, /* Return edata to exercise code that handles edata... */ test_edata = malloc(sizeof(*test_edata)); if (test_edata != NULL) { - test_edata->data = malloc(20); - if (test_edata->data == NULL) { - free(test_edata); - } else { - test_edata->length = 20; - memset(test_edata->data, '#', 20); /* fill it with junk */ - *e_data = test_edata; - } + test_edata->data = malloc(20); + if (test_edata->data == NULL) { + free(test_edata); + } else { + test_edata->length = 20; + memset(test_edata->data, '#', 20); /* fill it with junk */ + *e_data = test_edata; + } } return 0; } @@ -361,17 +362,17 @@ server_verify(krb5_context kcontext, /* Create the response for a client. */ static krb5_error_code server_return(krb5_context kcontext, - krb5_pa_data *padata, - struct _krb5_db_entry_new *client, - krb5_data *req_pkt, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, - preauth_get_entry_data_proc server_get_entry_data, - void *pa_module_context, - void **pa_request_context) + krb5_pa_data *padata, + struct _krb5_db_entry_new *client, + krb5_data *req_pkt, + krb5_kdc_req *request, + krb5_kdc_rep *reply, + struct _krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa, + preauth_get_entry_data_proc server_get_entry_data, + void *pa_module_context, + void **pa_request_context) { /* This module does a couple of dumb things. It tags its reply with * the same type as the initial challenge (expecting the client to sort @@ -385,39 +386,39 @@ server_return(krb5_context kcontext, /* We'll want a key with the first supported enctype. */ for (i = 0; i < request->nktypes; i++) { - kb = NULL; - if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) { - break; - } + kb = NULL; + if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) { + break; + } } if (i >= request->nktypes) { - /* No matching cipher type found. */ - return 0; + /* No matching cipher type found. */ + return 0; } /* Randomize a key and save it for the client. */ if (krb5_c_make_random_key(kcontext, request->ktype[i], kb) != 0) { - krb5_free_keyblock(kcontext, kb); - return 0; + krb5_free_keyblock(kcontext, kb); + return 0; } #ifdef DEBUG fprintf(stderr, "Generated random key, type=%d, length=%d.\n", - kb->enctype, kb->length); + kb->enctype, kb->length); #endif *send_pa = malloc(sizeof(krb5_pa_data)); if (*send_pa == NULL) { - krb5_free_keyblock(kcontext, kb); - return ENOMEM; + krb5_free_keyblock(kcontext, kb); + return ENOMEM; } (*send_pa)->pa_type = KRB5_PADATA_WPSE_REQ; (*send_pa)->length = 4 + kb->length; (*send_pa)->contents = malloc(4 + kb->length); if ((*send_pa)->contents == NULL) { - free(*send_pa); - *send_pa = NULL; - krb5_free_keyblock(kcontext, kb); - return ENOMEM; + free(*send_pa); + *send_pa = NULL; + krb5_free_keyblock(kcontext, kb); + return ENOMEM; } /* Store the preauth data. */ @@ -444,17 +445,17 @@ static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { - "wpse", /* name */ - &supported_client_pa_types[0], /* pa_type_list */ - NULL, /* enctype_list */ - client_init, /* plugin init function */ - client_fini, /* plugin fini function */ - client_get_flags, /* get flags function */ - client_req_init, /* request init function */ - client_req_cleanup, /* request fini function */ - client_process, /* process function */ - NULL, /* try_again function */ - client_gic_opt /* get init creds opts function */ + "wpse", /* name */ + &supported_client_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + client_init, /* plugin init function */ + client_fini, /* plugin fini function */ + client_get_flags, /* get flags function */ + client_req_init, /* request init function */ + client_req_cleanup, /* request fini function */ + client_process, /* process function */ + NULL, /* try_again function */ + client_gic_opt /* get init creds opts function */ }; struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { |