authorGreg Hudson <ghudson@mit.edu>2011-06-17 13:44:33 +0000
committerGreg Hudson <ghudson@mit.edu>2011-06-17 13:44:33 +0000
commit6099f525eb64772557927760d8a7ff1e75f79ff7 (patch)
treeb896034e189e06cc58f8162816b45c712635fcc3 /src/plugins
parent6d2780e121d8305c3acf43c56730884396990854 (diff)
Convert preauth_plugin.h to new plugin framework
The preauth plugin interface was introduced in 1.6 but was never made a public API. In preparation for making it public in 1.10, convert it to use the new plugin framework. This will require changes to any existing preauth plugins. A number of symbols were renamed for namespace cleanliness, and abstract types were introduced for module data and module per-request data for better type safety. On the consumer end (preauth2.c and kdc_preauth.c), this is a pretty rough conversion. Eventually we should create proper consumer APIs with module handles, and the flat lists of preauth types should hold pointers to module handles rather than copies of the vtables. The built-in preauth type handlers should then be converted to built-in module providers linked into the consumer code (as should encrypted challenge, since it has no external dependencies). None of this will impact the provider API for preauth plugins, so it can wait. ticket: 6921 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24970 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/preauth/cksum_body/cksum_body.exports4
-rw-r--r--src/plugins/preauth/cksum_body/cksum_body_main.c140
-rw-r--r--src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports4
-rw-r--r--src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c113
-rw-r--r--src/plugins/preauth/fast_factor.h22
-rw-r--r--src/plugins/preauth/pkinit/pkinit.exports4
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c140
-rw-r--r--src/plugins/preauth/pkinit/pkinit_srv.c108
-rw-r--r--src/plugins/preauth/securid_sam2/securid_sam2_main.c42
-rw-r--r--src/plugins/preauth/wpse/wpse.exports4
-rw-r--r--src/plugins/preauth/wpse/wpse_main.c136
11 files changed, 389 insertions, 328 deletions
diff --git a/src/plugins/preauth/cksum_body/cksum_body.exports b/src/plugins/preauth/cksum_body/cksum_body.exports
index 98e96c399b..df335ca64b 100644
--- a/src/plugins/preauth/cksum_body/cksum_body.exports
+++ b/src/plugins/preauth/cksum_body/cksum_body.exports
@@ -1,2 +1,2 @@
-preauthentication_client_1
-preauthentication_server_1
+clpreauth_cksum_body_initvt
+kdcpreauth_cksum_body_initvt
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c
index 2759045b09..e79b84a12a 100644
--- a/src/plugins/preauth/cksum_body/cksum_body_main.c
+++ b/src/plugins/preauth/cksum_body/cksum_body_main.c
@@ -80,18 +80,18 @@ client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
static krb5_error_code
client_process(krb5_context kcontext,
- void *client_plugin_context,
- void *client_request_context,
+ krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq,
krb5_get_init_creds_opt *opt,
- preauth_get_client_data_proc client_get_data_proc,
- struct _krb5_preauth_client_rock *rock,
+ krb5_clpreauth_get_data_fn client_get_data_proc,
+ krb5_clpreauth_rock rock,
krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
krb5_pa_data *pa_data,
krb5_prompter_fct prompter,
void *prompter_data,
- preauth_get_as_key_proc gak_fct,
+ krb5_clpreauth_get_as_key_fn gak_fct,
void *gak_data,
krb5_data *salt, krb5_data *s2kparams,
krb5_keyblock *as_key,
@@ -229,7 +229,7 @@ client_process(krb5_context kcontext,
static krb5_error_code
client_gic_opt(krb5_context kcontext,
- void *plugin_context,
+ krb5_clpreauth_moddata moddata,
krb5_get_init_creds_opt *opt,
const char *attr,
const char *value)
@@ -243,7 +243,8 @@ client_gic_opt(krb5_context kcontext,
/* Initialize and tear down the server-side module, and do stat tracking. */
static krb5_error_code
-server_init(krb5_context kcontext, void **module_context, const char **realmnames)
+server_init(krb5_context kcontext, krb5_kdcpreauth_moddata *moddata_out,
+ const char **realmnames)
{
struct server_stats *stats;
stats = malloc(sizeof(struct server_stats));
@@ -251,14 +252,14 @@ server_init(krb5_context kcontext, void **module_context, const char **realmname
return ENOMEM;
stats->successes = 0;
stats->failures = 0;
- *module_context = stats;
+ *moddata_out = (krb5_kdcpreauth_moddata)stats;
return 0;
}
static void
-server_fini(krb5_context kcontext, void *module_context)
+server_fini(krb5_context kcontext, krb5_kdcpreauth_moddata moddata)
{
struct server_stats *stats;
- stats = module_context;
+ stats = (struct server_stats *)moddata;
if (stats != NULL) {
#ifdef DEBUG
fprintf(stderr, "Total: %d clients failed, %d succeeded.\n",
@@ -275,8 +276,8 @@ server_get_edata(krb5_context kcontext,
krb5_kdc_req *request,
struct _krb5_db_entry_new *client,
struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
krb5_pa_data *data)
{
krb5_data *key_data;
@@ -287,7 +288,7 @@ server_get_edata(krb5_context kcontext,
/* Retrieve the client's keys. */
key_data = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
- krb5plugin_preauth_keys, &key_data) != 0) {
+ krb5_kdcpreauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
@@ -335,9 +336,9 @@ server_verify(krb5_context kcontext,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq *modreq_out,
krb5_data **e_data,
krb5_authdata ***authz_data)
{
@@ -356,7 +357,7 @@ server_verify(krb5_context kcontext,
test_svr_req_ctx *svr_req_ctx;
krb5_authdata **my_authz_data = NULL;
- stats = pa_module_context;
+ stats = (struct server_stats *)moddata;
#ifdef DEBUG
fprintf(stderr, "cksum_body: server_verify\n");
@@ -392,7 +393,7 @@ server_verify(krb5_context kcontext,
/* Pull up the client's keys. */
key_data = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
- krb5plugin_preauth_keys, &key_data) != 0) {
+ krb5_kdcpreauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
@@ -449,7 +450,7 @@ server_verify(krb5_context kcontext,
* will probably work if it's us on both ends, though. */
req_body = NULL;
if ((*server_get_entry_data)(kcontext, request, client,
- krb5plugin_preauth_request_body,
+ krb5_kdcpreauth_request_body,
&req_body) != 0) {
krb5_free_keyblock(kcontext, key);
stats->failures++;
@@ -572,7 +573,7 @@ server_verify(krb5_context kcontext,
svr_req_ctx);
#endif
}
- *pa_request_context = svr_req_ctx;
+ *modreq_out = (krb5_kdcpreauth_modreq)svr_req_ctx;
/* Note that preauthentication succeeded. */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
@@ -591,9 +592,9 @@ server_return(krb5_context kcontext,
struct _krb5_key_data *client_key,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context)
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq modreq)
{
/* We don't need to send data back on the return trip. */
*send_pa = NULL;
@@ -601,34 +602,32 @@ server_return(krb5_context kcontext,
}
/* Test server request context freeing */
-static krb5_error_code
-server_free_reqctx(krb5_context kcontext,
- void *pa_module_context,
- void **pa_request_context)
+static void
+server_free_modreq(krb5_context kcontext,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq modreq)
{
test_svr_req_ctx *svr_req_ctx;
#ifdef DEBUG
- fprintf(stderr, "server_free_reqctx: entered!\n");
+ fprintf(stderr, "server_free_modreq: entered!\n");
#endif
- if (pa_request_context == NULL)
- return 0;
+ if (modreq == NULL)
+ return;
- svr_req_ctx = *pa_request_context;
+ svr_req_ctx = (test_svr_req_ctx *)modreq;
if (svr_req_ctx == NULL)
- return 0;
+ return;
if (svr_req_ctx->value1 != 111111 || svr_req_ctx->value2 != 222222) {
- fprintf(stderr, "server_free_reqctx: got invalid req context "
+ fprintf(stderr, "server_free_modreq: got invalid req context "
"at %p with values %d and %d\n",
svr_req_ctx, svr_req_ctx->value1, svr_req_ctx->value2);
- return EINVAL;
+ return;
}
#ifdef DEBUG
- fprintf(stderr, "server_free_reqctx: freeing context at %p\n", svr_req_ctx);
+ fprintf(stderr, "server_free_modreq: freeing context at %p\n", svr_req_ctx);
#endif
free(svr_req_ctx);
- *pa_request_context = NULL;
- return 0;
}
static int
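Review bot: In `server_free_modreq` the second test, `if (svr_req_ctx == NULL) return;`, can no longer fire, because `svr_req_ctx` is now only the cast of `modreq`, which was checked for NULL just before. The test made sense when the argument was a `void **` that had to be dereferenced, and it can be dropped. The magic-value mismatch branch returns without freeing and, now that the function is `void`, without signalling the caller; if that is deliberate, record it with a comment such as `/* Unknown or corrupted context: leak it rather than free a pointer we do not own. */`.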
@@ -644,28 +643,47 @@ static krb5_preauthtype supported_server_pa_types[] = {
KRB5_PADATA_CKSUM_BODY_REQ, 0,
};
-struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = {
- "cksum_body", /* name */
- &supported_client_pa_types[0], /* pa_type_list */
- NULL, /* enctype_list */
- NULL, /* plugin init function */
- NULL, /* plugin fini function */
- client_get_flags, /* get flags function */
- NULL, /* request init function */
- NULL, /* request fini function */
- client_process, /* process function */
- NULL, /* try_again function */
- client_gic_opt /* get init creds opt function */
-};
+krb5_error_code
+clpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable);
+krb5_error_code
+kdcpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable);
-struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = {
- "cksum_body",
- &supported_server_pa_types[0],
- server_init,
- server_fini,
- server_get_flags,
- server_get_edata,
- server_verify,
- server_return,
- server_free_reqctx
-};
+krb5_error_code
+clpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable)
+{
+ krb5_clpreauth_vtable vt;
+
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_clpreauth_vtable)vtable;
+ vt->name = "cksum_body";
+ vt->pa_type_list = supported_client_pa_types;
+ vt->flags = client_get_flags;
+ vt->process = client_process;
+ vt->gic_opts = client_gic_opt;
+ return 0;
+}
+
+krb5_error_code
+kdcpreauth_cksum_body_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable)
+{
+ krb5_kdcpreauth_vtable vt;
+
+ if (maj_ver != -1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_kdcpreauth_vtable)vtable;
+ vt->name = "cksum_body";
+ vt->pa_type_list = supported_server_pa_types;
+ vt->init = server_init;
+ vt->fini = server_fini;
+ vt->flags = server_get_flags;
+ vt->edata = server_get_edata;
+ vt->verify = server_verify;
+ vt->return_padata = server_return;
+ vt->free_modreq = server_free_modreq;
+ return 0;
+}
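Review bot: `kdcpreauth_cksum_body_initvt` tests `if (maj_ver != -1)`, while every other initvt function in this commit, including `clpreauth_cksum_body_initvt` directly above it, tests `maj_ver != 1`. As written, the KDC side of cksum_body returns `KRB5_PLUGIN_VER_NOTSUPP` when called with major version 1, so a consumer requesting that version would presumably never register the module. The check should read `if (maj_ver != 1)`.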
diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports b/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports
index 98e96c399b..651dcea1c4 100644
--- a/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports
+++ b/src/plugins/preauth/encrypted_challenge/encrypted_challenge.exports
@@ -1,2 +1,2 @@
-preauthentication_client_1
-preauthentication_server_1
+clpreauth_encrypted_challenge_initvt
+kdcpreauth_encrypted_challenge_initvt
diff --git a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
index 833385c637..58a659246d 100644
--- a/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
+++ b/src/plugins/preauth/encrypted_challenge/encrypted_challenge_main.c
@@ -41,14 +41,14 @@ preauth_flags(krb5_context context, krb5_preauthtype pa_type)
}
static krb5_error_code
-process_preauth(krb5_context context, void *plugin_context,
- void *request_context, krb5_get_init_creds_opt *opt,
- preauth_get_client_data_proc get_data_proc,
- struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request,
+process_preauth(krb5_context context, krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
+ krb5_clpreauth_get_data_fn get_data_proc,
+ krb5_clpreauth_rock rock, krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request, krb5_pa_data *padata,
krb5_prompter_fct prompter, void *prompter_data,
- preauth_get_as_key_proc gak_fct, void *gak_data,
+ krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
krb5_pa_data ***out_padata)
{
@@ -63,7 +63,8 @@ process_preauth(krb5_context context, void *plugin_context,
retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
if (retval || armor_key == NULL)
return 0;
- retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data);
+ retval = get_data_proc(context, rock, krb5_clpreauth_get_etype,
+ &etype_data);
if (retval == 0) {
enctype = *((krb5_enctype *)etype_data->data);
if (as_key->length == 0 ||as_key->enctype != enctype)
@@ -163,8 +164,7 @@ process_preauth(krb5_context context, void *plugin_context,
if (armor_key)
krb5_free_keyblock(context, armor_key);
if (etype_data != NULL)
- get_data_proc(context, rock, krb5plugin_preauth_client_free_etype,
- &etype_data);
+ get_data_proc(context, rock, krb5_clpreauth_free_etype, &etype_data);
return retval;
}
@@ -173,12 +173,13 @@ static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
struct _krb5_db_entry_new *client,
struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context, krb5_pa_data *data)
+ krb5_kdcpreauth_get_data_fn get_data_proc,
+ krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
krb5_error_code retval = 0;
krb5_keyblock *armor_key = NULL;
- retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get_data_proc, request, client,
+ &armor_key);
if (retval)
return retval;
if (armor_key == 0)
@@ -191,8 +192,9 @@ static krb5_error_code
kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
krb5_data *req_pkt, krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context, void **pa_request_context,
+ krb5_kdcpreauth_get_data_fn get_entry_proc,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq *modreq_out,
krb5_data **e_data, krb5_authdata ***authz_data)
{
krb5_error_code retval = 0;
@@ -205,6 +207,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
krb5_keyblock *client_keys = NULL;
krb5_data *client_data = NULL;
krb5_keyblock *challenge_key = NULL;
+ krb5_keyblock *kdc_challenge_key;
int i = 0;
plain.data = NULL;
@@ -228,7 +231,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
}
if (retval == 0)
retval = get_entry_proc(context, request, client,
- krb5plugin_preauth_keys, &client_data);
+ krb5_kdcpreauth_keys, &client_data);
if (retval == 0) {
client_keys = (krb5_keyblock *) client_data->data;
for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) {
@@ -273,9 +276,10 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
* considered this a success, so the return value is ignored.
*/
fast_kdc_replace_reply_key(context, get_entry_proc, request);
- krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
- &client_keys[i], "challengelongterm",
- (krb5_keyblock **) pa_request_context);
+ if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
+ &client_keys[i], "challengelongterm",
+ &kdc_challenge_key) == 0)
+ *modreq_out = (krb5_kdcpreauth_modreq)kdc_challenge_key;
} else { /*skew*/
retval = KRB5KRB_AP_ERR_SKEW;
}
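Review bot: A failure of `krb5_c_fx_cf2_simple` is dropped silently here: `retval` stays 0, `*modreq_out` is not written, and verification still reports success. `kdc_return_preauth` then presumably sees a NULL challenge key and returns 0 without building reply padata, so the KDC's own challenge is omitted with no log or error. This also relies on the caller having preset `*modreq_out` to NULL, which no visible line of this function does. If best-effort is intended, say so next to the call, e.g. `/* Derivation failure is non-fatal: the reply then carries no KDC challenge. */`; otherwise assign the result to `retval` so the failure propagates. The function body starts and ends outside this hunk.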
@@ -302,11 +306,12 @@ kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
krb5_kdc_req *request, krb5_kdc_rep *reply,
struct _krb5_key_data *client_keys,
krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context, void **pa_request_context)
+ krb5_kdcpreauth_get_data_fn get_entry_proc,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval = 0;
- krb5_keyblock *challenge_key = *pa_request_context;
+ krb5_keyblock *challenge_key = (krb5_keyblock *)modreq;
krb5_pa_enc_ts ts;
krb5_data *plain = NULL;
krb5_enc_data enc;
@@ -318,8 +323,6 @@ kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
return 0;
if (challenge_key == NULL)
return 0;
- * pa_request_context = NULL; /*this function will free the
- * challenge key*/
enc.ciphertext.data = NULL; /* In case of error pass through */
retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec);
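Review bot: With `modreq` passed by value, `kdc_return_preauth` can no longer clear the caller's copy of the pointer, which the removed lines did because, per their own comment, this function frees the challenge key. The consumer is left holding a stale pointer after the call, and `kdcpreauth_encrypted_challenge_initvt` later in this file registers no `free_modreq`, so a key derived in `kdc_verify_preauth` is released only if this function runs and gets past the early `return 0` paths visible as context. Moving the release into a `free_modreq` handler that calls `krb5_free_keyblock`, and removing the free from this function (that code is outside the hunk), would give the keyblock a single owner and rule out both a leak of key material and a later double free. At minimum keep an ownership comment where the removed one stood, e.g. `/* challenge_key is freed below; the consumer must not use modreq after return_padata. */`.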
@@ -355,37 +358,45 @@ kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
return retval;
}
-static int
-kdc_preauth_flags(krb5_context context, krb5_preauthtype patype)
+krb5_preauthtype supported_pa_types[] = {
+ KRB5_PADATA_ENCRYPTED_CHALLENGE, 0};
+
+krb5_error_code
+kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable);
+krb5_error_code
+clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable);
+
+krb5_error_code
+kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable)
{
+ krb5_kdcpreauth_vtable vt;
+
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_kdcpreauth_vtable)vtable;
+ vt->name = "encrypted_challenge";
+ vt->pa_type_list = supported_pa_types;
+ vt->edata = kdc_include_padata;
+ vt->verify = kdc_verify_preauth;
+ vt->return_padata = kdc_return_preauth;
return 0;
}
-krb5_preauthtype supported_pa_types[] = {
- KRB5_PADATA_ENCRYPTED_CHALLENGE, 0};
-
-struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = {
- "Encrypted challenge",
- &supported_pa_types[0],
- NULL,
- NULL,
- kdc_preauth_flags,
- kdc_include_padata,
- kdc_verify_preauth,
- kdc_return_preauth,
- NULL
-};
+krb5_error_code
+clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable)
+{
+ krb5_clpreauth_vtable vt;
-struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = {
- "Encrypted Challenge", /* name */
- &supported_pa_types[0], /* pa_type_list */
- NULL, /* enctype_list */
- NULL, /* plugin init function */
- NULL, /* plugin fini function */
- preauth_flags, /* get flags function */
- NULL, /* request init function */
- NULL, /* request fini function */
- process_preauth, /* process function */
- NULL, /* try_again function */
- NULL /* get init creds opt function */
-};
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_clpreauth_vtable)vtable;
+ vt->name = "encrypted_challenge";
+ vt->pa_type_list = supported_pa_types;
+ vt->flags = preauth_flags;
+ vt->process = process_preauth;
+ return 0;
+}
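Review bot: `kdcpreauth_encrypted_challenge_initvt` leaves `init`, `fini`, `flags` and `free_modreq` unassigned, where the old table spelled out `NULL` entries and a `kdc_preauth_flags` stub returning 0. It therefore depends on the consumer handing over a zero-filled vtable and treating a missing `flags` method as 0, a contract that is not visible on this page. A one-line comment in both initvt functions would document that, e.g. `/* Methods not set here keep the framework defaults; the caller supplies a zeroed vtable. */`. Separately, `supported_pa_types` is re-added without `static`, unlike the `static krb5_preauthtype` lists in cksum_body and pkinit; `static krb5_preauthtype supported_pa_types[] = {` would keep it out of the object's global namespace.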
diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h
index 52f4fa2e82..f585bc22c3 100644
--- a/src/plugins/preauth/fast_factor.h
+++ b/src/plugins/preauth/fast_factor.h
@@ -5,38 +5,36 @@
* Returns failure if the client library does not support FAST.
*/
static inline krb5_error_code
-fast_get_armor_key(krb5_context context, preauth_get_client_data_proc get_data,
- struct _krb5_preauth_client_rock *rock,
- krb5_keyblock **armor_key)
+fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data,
+ krb5_clpreauth_rock rock, krb5_keyblock **armor_key)
{
krb5_error_code retval = 0;
krb5_data *data;
- retval = get_data(context, rock, krb5plugin_preauth_client_fast_armor, &data);
+ retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data);
if (retval == 0) {
*armor_key = (krb5_keyblock *) data->data;
data->data = NULL;
- get_data(context, rock, krb5plugin_preauth_client_free_fast_armor,
- &data);
+ get_data(context, rock, krb5_clpreauth_free_fast_armor, &data);
}
return retval;
}
static inline krb5_error_code
fast_kdc_get_armor_key(krb5_context context,
- preauth_get_entry_data_proc get_entry,
+ krb5_kdcpreauth_get_data_fn get_entry,
krb5_kdc_req *request,
struct _krb5_db_entry_new *client,
krb5_keyblock **armor_key)
{
krb5_error_code retval;
krb5_data *data;
- retval = get_entry(context, request, client, krb5plugin_preauth_fast_armor,
+ retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor,
&data);
if (retval == 0) {
*armor_key = (krb5_keyblock *) data->data;
data->data = NULL;
get_entry(context, request, client,
- krb5plugin_preauth_free_fast_armor, &data);
+ krb5_kdcpreauth_free_fast_armor, &data);
}
return retval;
}
@@ -45,7 +43,7 @@ fast_kdc_get_armor_key(krb5_context context,
static inline krb5_error_code
fast_kdc_replace_reply_key(krb5_context context,
- preauth_get_entry_data_proc get_data,
+ krb5_kdcpreauth_get_data_fn get_data,
krb5_kdc_req *request)
{
return 0;
@@ -53,8 +51,8 @@ fast_kdc_replace_reply_key(krb5_context context,
static inline krb5_error_code
fast_set_kdc_verified(krb5_context context,
- preauth_get_client_data_proc get_data,
- struct _krb5_preauth_client_rock *rock)
+ krb5_clpreauth_get_data_fn get_data,
+ krb5_clpreauth_rock rock)
{
return 0;
}
diff --git a/src/plugins/preauth/pkinit/pkinit.exports b/src/plugins/preauth/pkinit/pkinit.exports
index 98e96c399b..e77fa3ef0b 100644
--- a/src/plugins/preauth/pkinit/pkinit.exports
+++ b/src/plugins/preauth/pkinit/pkinit.exports
@@ -1,2 +1,2 @@
-preauthentication_client_1
-preauthentication_server_1
+clpreauth_pkinit_initvt
+kdcpreauth_pkinit_initvt
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 6888c1b07b..cf95bd57b2 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -71,7 +71,8 @@ pkinit_as_rep_parse(krb5_context context, pkinit_context plgctx,
krb5_kdc_req *request, const krb5_data *as_rep,
krb5_keyblock *key_block, krb5_enctype etype, krb5_data *);
-static void pkinit_client_plugin_fini(krb5_context context, void *blob);
+static void pkinit_client_plugin_fini(krb5_context context,
+ krb5_clpreauth_moddata moddata);
static krb5_error_code
pa_pkinit_gen_req(krb5_context context,
@@ -975,31 +976,25 @@ pkinit_client_profile(krb5_context context,
}
static krb5_error_code
-pkinit_client_process(krb5_context context,
- void *plugin_context,
- void *request_context,
+pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq,
krb5_get_init_creds_opt *gic_opt,
- preauth_get_client_data_proc get_data_proc,
- struct _krb5_preauth_client_rock *rock,
- krb5_kdc_req *request,
+ krb5_clpreauth_get_data_fn get_data_proc,
+ krb5_clpreauth_rock rock, krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
krb5_pa_data *in_padata,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- void *gak_data,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_padata)
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_keyblock *as_key, krb5_pa_data ***out_padata)
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
krb5_enctype enctype = -1;
krb5_data *cdata = NULL;
int processing_request = 0;
- pkinit_context plgctx = (pkinit_context)plugin_context;
- pkinit_req_context reqctx = (pkinit_req_context)request_context;
+ pkinit_context plgctx = (pkinit_context)moddata;
+ pkinit_req_context reqctx = (pkinit_req_context)modreq;
krb5_keyblock *armor_key = NULL;
pkiDebug("pkinit_client_process %p %p %p %p\n",
@@ -1061,16 +1056,15 @@ pkinit_client_process(krb5_context context,
/*
* Get the enctype of the reply.
*/
- retval = (*get_data_proc)(context, rock,
- krb5plugin_preauth_client_get_etype, &cdata);
+ retval = (*get_data_proc)(context, rock, krb5_clpreauth_get_etype,
+ &cdata);
if (retval) {
pkiDebug("get_data_proc returned %d (%s)\n",
retval, error_message(retval));
return retval;
}
enctype = *((krb5_enctype *)cdata->data);
- (*get_data_proc)(context, rock,
- krb5plugin_preauth_client_free_etype, &cdata);
+ (*get_data_proc)(context, rock, krb5_clpreauth_free_etype, &cdata);
retval = pa_pkinit_parse_rep(context, plgctx, reqctx, request,
in_padata, enctype, as_key,
encoded_previous_request);
@@ -1082,29 +1076,22 @@ pkinit_client_process(krb5_context context,
}
static krb5_error_code
-pkinit_client_tryagain(krb5_context context,
- void *plugin_context,
- void *request_context,
+pkinit_client_tryagain(krb5_context context, krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq,
krb5_get_init_creds_opt *gic_opt,
- preauth_get_client_data_proc get_data_proc,
- struct _krb5_preauth_client_rock *rock,
- krb5_kdc_req *request,
+ krb5_clpreauth_get_data_fn get_data_proc,
+ krb5_clpreauth_rock rock, krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
- krb5_pa_data *in_padata,
- krb5_error *err_reply,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- void *gak_data,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_padata)
+ krb5_pa_data *in_padata, krb5_error *err_reply,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_keyblock *as_key, krb5_pa_data ***out_padata)
{
krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED;
- pkinit_context plgctx = (pkinit_context)plugin_context;
- pkinit_req_context reqctx = (pkinit_req_context)request_context;
+ pkinit_context plgctx = (pkinit_context)moddata;
+ pkinit_req_context reqctx = (pkinit_req_context)modreq;
krb5_typed_data **typed_data = NULL;
krb5_data scratch;
krb5_external_principal_identifier **krb5_trusted_certifiers = NULL;
@@ -1202,14 +1189,14 @@ static krb5_preauthtype supported_client_pa_types[] = {
static void
pkinit_client_req_init(krb5_context context,
- void *plugin_context,
- void **request_context)
+ krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq *modreq_out)
{
krb5_error_code retval = ENOMEM;
pkinit_req_context reqctx = NULL;
- pkinit_context plgctx = plugin_context;
+ pkinit_context plgctx = (pkinit_context)moddata;
- *request_context = NULL;
+ *modreq_out = NULL;
reqctx = malloc(sizeof(*reqctx));
if (reqctx == NULL)
@@ -1244,7 +1231,7 @@ pkinit_client_req_init(krb5_context context,
if (retval)
goto cleanup;
- *request_context = (void *) reqctx;
+ *modreq_out = (krb5_clpreauth_modreq)reqctx;
pkiDebug("%s: returning reqctx at %p\n", __FUNCTION__, reqctx);
cleanup:
@@ -1264,11 +1251,10 @@ cleanup:
}
static void
-pkinit_client_req_fini(krb5_context context,
- void *plugin_context,
- void *request_context)
+pkinit_client_req_fini(krb5_context context, krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq)
{
- pkinit_req_context reqctx = request_context;
+ pkinit_req_context reqctx = (pkinit_req_context)modreq;
pkiDebug("%s: received reqctx at %p\n", __FUNCTION__, reqctx);
if (reqctx == NULL)
@@ -1295,7 +1281,8 @@ pkinit_client_req_fini(krb5_context context,
}
static int
-pkinit_client_plugin_init(krb5_context context, void **blob)
+pkinit_client_plugin_init(krb5_context context,
+ krb5_clpreauth_moddata *moddata_out)
{
krb5_error_code retval = ENOMEM;
pkinit_context ctx = NULL;
@@ -1325,21 +1312,21 @@ pkinit_client_plugin_init(krb5_context context, void **blob)
if (retval)
goto errout;
- *blob = ctx;
+ *moddata_out = (krb5_clpreauth_moddata)ctx;
pkiDebug("%s: returning plgctx at %p\n", __FUNCTION__, ctx);
errout:
if (retval)
- pkinit_client_plugin_fini(context, ctx);
+ pkinit_client_plugin_fini(context, (krb5_clpreauth_moddata)ctx);
return retval;
}
static void
-pkinit_client_plugin_fini(krb5_context context, void *blob)
+pkinit_client_plugin_fini(krb5_context context, krb5_clpreauth_moddata moddata)
{
- pkinit_context ctx = blob;
+ pkinit_context ctx = (pkinit_context)moddata;
if (ctx == NULL || ctx->magic != PKINIT_CTX_MAGIC) {
pkiDebug("pkinit_lib_fini: got bad plgctx (%p)!\n", ctx);
@@ -1425,14 +1412,13 @@ handle_gic_opt(krb5_context context,
}
static krb5_error_code
-pkinit_client_gic_opt(krb5_context context,
- void *plugin_context,
+pkinit_client_gic_opt(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_get_init_creds_opt *gic_opt,
const char *attr,
const char *value)
{
krb5_error_code retval;
- pkinit_context plgctx = plugin_context;
+ pkinit_context plgctx = (pkinit_context)moddata;
pkiDebug("(pkinit) received '%s' = '%s'\n", attr, value);
retval = handle_gic_opt(context, plgctx, attr, value);
@@ -1442,20 +1428,28 @@ pkinit_client_gic_opt(krb5_context context,
return 0;
}
-/* Only necessary for static plugin linking support. */
-#include "k5-plugin.h"
-
-struct krb5plugin_preauth_client_ftable_v1
-PLUGIN_SYMBOL_NAME(krb5_preauth, preauthentication_client_1) = {
- "pkinit", /* name */
- supported_client_pa_types, /* pa_type_list */
- NULL, /* enctype_list */
- pkinit_client_plugin_init, /* (*init) */
- pkinit_client_plugin_fini, /* (*fini) */
- pkinit_client_get_flags, /* (*flags) */
- pkinit_client_req_init, /* (*client_req_init) */
- pkinit_client_req_fini, /* (*client_req_fini) */
- pkinit_client_process, /* (*process) */
- pkinit_client_tryagain, /* (*tryagain) */
- pkinit_client_gic_opt /* (*gic_opt) */
-};
+krb5_error_code
+clpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
+krb5_error_code
+clpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ krb5_clpreauth_vtable vt;
+
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_clpreauth_vtable)vtable;
+ vt->name = "pkinit";
+ vt->pa_type_list = supported_client_pa_types;
+ vt->init = pkinit_client_plugin_init;
+ vt->fini = pkinit_client_plugin_fini;
+ vt->flags = pkinit_client_get_flags;
+ vt->request_init = pkinit_client_req_init;
+ vt->request_fini = pkinit_client_req_fini;
+ vt->process = pkinit_client_process;
+ vt->tryagain = pkinit_client_tryagain;
+ vt->gic_opts = pkinit_client_gic_opt;
+ return 0;
+}
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 2a33e93311..d87d570315 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -50,10 +50,12 @@ pkinit_server_plugin_fini_realm(krb5_context context,
pkinit_kdc_context plgctx);
static void
-pkinit_server_plugin_fini(krb5_context context, void *blob);
+pkinit_server_plugin_fini(krb5_context context,
+ krb5_kdcpreauth_moddata moddata);
static pkinit_kdc_context
-pkinit_find_realm_context(krb5_context context, void *pa_plugin_context,
+pkinit_find_realm_context(krb5_context context,
+ krb5_kdcpreauth_moddata moddata,
krb5_principal princ);
static krb5_error_code
@@ -97,12 +99,12 @@ cleanup:
static krb5_error_code
pkinit_server_get_edata(krb5_context context,
- krb5_kdc_req * request,
- struct _krb5_db_entry_new * client,
- struct _krb5_db_entry_new * server,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_plugin_context,
- krb5_pa_data * data)
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_pa_data *data)
{
krb5_error_code retval = 0;
pkinit_kdc_context plgctx = NULL;
@@ -123,8 +125,7 @@ pkinit_server_get_edata(krb5_context context,
* If we don't have a realm context for the given realm,
* don't tell the client that we support pkinit!
*/
- plgctx = pkinit_find_realm_context(context, pa_plugin_context,
- request->server);
+ plgctx = pkinit_find_realm_context(context, moddata, request->server);
if (plgctx == NULL)
retval = EINVAL;
@@ -292,9 +293,9 @@ pkinit_server_verify_padata(krb5_context context,
krb5_kdc_req * request,
krb5_enc_tkt_part * enc_tkt_reply,
krb5_pa_data * data,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_plugin_context,
- void **pa_request_context,
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq *modreq_out,
krb5_data **e_data,
krb5_authdata ***authz_data)
{
@@ -328,11 +329,10 @@ pkinit_server_verify_padata(krb5_context context,
return EINVAL;
}
- if (pa_plugin_context == NULL || e_data == NULL)
+ if (moddata == NULL || e_data == NULL)
return EINVAL;
- plgctx = pkinit_find_realm_context(context, pa_plugin_context,
- request->server);
+ plgctx = pkinit_find_realm_context(context, moddata, request->server);
if (plgctx == NULL)
return 0;
@@ -562,7 +562,7 @@ pkinit_server_verify_padata(krb5_context context,
}
/* remember to set the PREAUTH flag in the reply */
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
- *pa_request_context = reqctx;
+ *modreq_out = (krb5_kdcpreauth_modreq)reqctx;
reqctx = NULL;
cleanup:
@@ -668,9 +668,9 @@ pkinit_server_return_padata(krb5_context context,
struct _krb5_key_data * client_key,
krb5_keyblock * encrypting_key,
krb5_pa_data ** send_pa,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_plugin_context,
- void **pa_request_context)
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval = 0;
krb5_data scratch = {0, 0, NULL};
@@ -708,20 +708,19 @@ pkinit_server_return_padata(krb5_context context,
if (padata->length <= 0 || padata->contents == NULL)
return 0;
- if (pa_request_context == NULL || *pa_request_context == NULL) {
+ if (modreq == NULL) {
pkiDebug("missing request context \n");
return EINVAL;
}
- plgctx = pkinit_find_realm_context(context, pa_plugin_context,
- request->server);
+ plgctx = pkinit_find_realm_context(context, moddata, request->server);
if (plgctx == NULL) {
pkiDebug("Unable to locate correct realm context\n");
return ENOENT;
}
pkiDebug("pkinit_return_padata: entered!\n");
- reqctx = (pkinit_kdc_req_context)*pa_request_context;
+ reqctx = (pkinit_kdc_req_context)modreq;
if (encrypting_key->contents) {
free(encrypting_key->contents);
@@ -1169,13 +1168,14 @@ errout:
}
static pkinit_kdc_context
-pkinit_find_realm_context(krb5_context context, void *pa_plugin_context,
+pkinit_find_realm_context(krb5_context context,
+ krb5_kdcpreauth_moddata moddata,
krb5_principal princ)
{
int i;
- pkinit_kdc_context *realm_contexts = pa_plugin_context;
+ pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
- if (pa_plugin_context == NULL)
+ if (moddata == NULL)
return NULL;
for (i = 0; realm_contexts[i] != NULL; i++) {
@@ -1254,7 +1254,8 @@ errout:
}
static int
-pkinit_server_plugin_init(krb5_context context, void **blob,
+pkinit_server_plugin_init(krb5_context context,
+ krb5_kdcpreauth_moddata *moddata_out,
const char **realmnames)
{
krb5_error_code retval = ENOMEM;
@@ -1289,13 +1290,15 @@ pkinit_server_plugin_init(krb5_context context, void **blob,
goto errout;
}
- *blob = realm_contexts;
+ *moddata_out = (krb5_kdcpreauth_moddata)realm_contexts;
retval = 0;
pkiDebug("%s: returning context at %p\n", __FUNCTION__, realm_contexts);
errout:
- if (retval)
- pkinit_server_plugin_fini(context, realm_contexts);
+ if (retval) {
+ pkinit_server_plugin_fini(context,
+ (krb5_kdcpreauth_moddata)realm_contexts);
+ }
return retval;
}
@@ -1316,9 +1319,10 @@ pkinit_server_plugin_fini_realm(krb5_context context, pkinit_kdc_context plgctx)
}
static void
-pkinit_server_plugin_fini(krb5_context context, void *blob)
+pkinit_server_plugin_fini(krb5_context context,
+ krb5_kdcpreauth_moddata moddata)
{
- pkinit_kdc_context *realm_contexts = blob;
+ pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata;
int i;
if (realm_contexts == NULL)
@@ -1379,18 +1383,26 @@ pkinit_fini_kdc_req_context(krb5_context context, void *ctx)
free(reqctx);
}
-/* Only necessary for static plugin linking support. */
-#include "k5-plugin.h"
-
-struct krb5plugin_preauth_server_ftable_v1
-PLUGIN_SYMBOL_NAME(krb5_pkinit, preauthentication_server_1) = {
- "pkinit", /* name */
- supported_server_pa_types, /* pa_type_list */
- pkinit_server_plugin_init, /* (*init_proc) */
- pkinit_server_plugin_fini, /* (*fini_proc) */
- pkinit_server_get_flags, /* (*flags_proc) */
- pkinit_server_get_edata, /* (*edata_proc) */
- pkinit_server_verify_padata,/* (*verify_proc) */
- pkinit_server_return_padata,/* (*return_proc) */
- NULL, /* (*freepa_reqcontext_proc) */
-};
+krb5_error_code
+kdcpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
+krb5_error_code
+kdcpreauth_pkinit_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ krb5_kdcpreauth_vtable vt;
+
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_kdcpreauth_vtable)vtable;
+ vt->name = "pkinit";
+ vt->pa_type_list = supported_server_pa_types;
+ vt->init = pkinit_server_plugin_init;
+ vt->fini = pkinit_server_plugin_fini;
+ vt->flags = pkinit_server_get_flags;
+ vt->edata = pkinit_server_get_edata;
+ vt->verify = pkinit_server_verify_padata;
+ vt->return_padata = pkinit_server_return_padata;
+ return 0;
+}
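Review bot: `kdcpreauth_pkinit_initvt` leaves `vt->free_modreq` unset, although `pkinit_server_verify_padata` now hands its request context to the caller through `*modreq_out`. `pkinit_server_return_padata` receives that value as a plain `modreq`, so it can no longer clear the caller's pointer the way the old `void **pa_request_context` allowed. The cleanup code of both functions lies outside these hunks, so this is inferred: if return_padata is the only place the context is released, a request that passes verify but never reaches return_padata would leak it. Consider a small static wrapper that calls `pkinit_fini_kdc_req_context(context, modreq)`, registered with `vt->free_modreq = pkinit_free_modreq;`, and check that return_padata does not also free the same context.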
diff --git a/src/plugins/preauth/securid_sam2/securid_sam2_main.c b/src/plugins/preauth/securid_sam2/securid_sam2_main.c
index 49b497ef0e..6bc65e85ee 100644
--- a/src/plugins/preauth/securid_sam2/securid_sam2_main.c
+++ b/src/plugins/preauth/securid_sam2/securid_sam2_main.c
@@ -116,8 +116,8 @@ static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
struct _krb5_db_entry_new *client,
struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context, krb5_pa_data *pa_data)
+ krb5_kdcpreauth_get_data_fn get_entry_proc,
+ krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
krb5_error_code retval;
krb5_data *client_keys_data = NULL;
@@ -138,7 +138,7 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request,
if (retval)
return retval;
retval = get_entry_proc(context, request, client,
- krb5plugin_preauth_keys, &client_keys_data);
+ krb5_kdcpreauth_keys, &client_keys_data);
if (retval)
goto cleanup;
client_key = (krb5_keyblock *) client_keys_data->data;
@@ -206,8 +206,9 @@ static krb5_error_code
kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
krb5_data *req_pkt, krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data,
- preauth_get_entry_data_proc get_entry_proc,
- void *pa_module_context, void **opaque,
+ krb5_kdcpreauth_get_data_fn get_entry_proc,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq *modreq_out,
krb5_data **e_data, krb5_authdata ***authz_data)
{
krb5_error_code retval, saved_retval = 0;
@@ -294,14 +295,23 @@ kdc_preauth_flags(krb5_context context, krb5_preauthtype patype)
krb5_preauthtype supported_pa_types[] = {
KRB5_PADATA_SAM_RESPONSE_2, 0};
-struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = {
- "SAM2",
- &supported_pa_types[0],
- NULL,
- NULL,
- kdc_preauth_flags,
- kdc_include_padata,
- kdc_verify_preauth,
- NULL,
- NULL
-};
+krb5_error_code
+kdcpreauth_securid_sam2_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
+krb5_error_code
+kdcpreauth_securid_sam2_initvt(krb5_context context, int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable)
+{
+ krb5_kdcpreauth_vtable vt;
+
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_kdcpreauth_vtable)vtable;
+ vt->name = "securid_sam2";
+ vt->pa_type_list = supported_pa_types;
+ vt->flags = kdc_preauth_flags;
+ vt->edata = kdc_include_padata;
+ vt->verify = kdc_verify_preauth;
+ return 0;
+}
diff --git a/src/plugins/preauth/wpse/wpse.exports b/src/plugins/preauth/wpse/wpse.exports
index 98e96c399b..4cc48a8831 100644
--- a/src/plugins/preauth/wpse/wpse.exports
+++ b/src/plugins/preauth/wpse/wpse.exports
@@ -1,2 +1,2 @@
-preauthentication_client_1
-preauthentication_server_1
+clpreauth_wpse_initvt
+kdcpreauth_wpse_initvt
diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c
index 14e994d420..866286c1bc 100644
--- a/src/plugins/preauth/wpse/wpse_main.c
+++ b/src/plugins/preauth/wpse/wpse_main.c
@@ -59,7 +59,7 @@ client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
}
static krb5_error_code
-client_init(krb5_context kcontext, void **ctx)
+client_init(krb5_context kcontext, krb5_clpreauth_moddata *moddata_out)
{
int *pctx;
@@ -67,16 +67,16 @@ client_init(krb5_context kcontext, void **ctx)
if (pctx == NULL)
return ENOMEM;
*pctx = 0;
- *ctx = pctx;
+ *moddata_out = (krb5_clpreauth_moddata)pctx;
return 0;
}
static void
-client_fini(krb5_context kcontext, void *ctx)
+client_fini(krb5_context kcontext, krb5_clpreauth_moddata moddata)
{
int *pctx;
- pctx = ctx;
+ pctx = (int *)moddata;
if (pctx) {
#ifdef DEBUG
fprintf(stderr, "wpse module called total of %d times\n", *pctx);
@@ -87,18 +87,18 @@ client_fini(krb5_context kcontext, void *ctx)
static krb5_error_code
client_process(krb5_context kcontext,
- void *plugin_context,
- void *request_context,
+ krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq,
krb5_get_init_creds_opt *opt,
- preauth_get_client_data_proc client_get_data_proc,
- struct _krb5_preauth_client_rock *rock,
+ krb5_clpreauth_get_data_fn client_get_data_proc,
+ krb5_clpreauth_rock rock,
krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
krb5_pa_data *pa_data,
krb5_prompter_fct prompter,
void *prompter_data,
- preauth_get_as_key_proc gak_fct,
+ krb5_clpreauth_get_as_key_fn gak_fct,
void *gak_data,
krb5_data *salt, krb5_data *s2kparams,
krb5_keyblock *as_key,
@@ -115,7 +115,7 @@ client_process(krb5_context kcontext,
pa_data->length, pa_data->pa_type);
#endif
- pctx = plugin_context;
+ pctx = (int *)moddata;
if (pctx) {
(*pctx)++;
}
@@ -176,11 +176,12 @@ typedef struct _wpse_req_ctx
} wpse_req_ctx;
static void
-client_req_init(krb5_context kcontext, void *plugin_context, void **req_context_p)
+client_req_init(krb5_context kcontext, krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq *modreq_out)
{
wpse_req_ctx *ctx;
- *req_context_p = NULL;
+ *modreq_out = NULL;
/* Allocate a request context. Useful for verifying that we do in fact
* do per-request cleanup. */
@@ -190,13 +191,14 @@ client_req_init(krb5_context kcontext, void *plugin_context, void **req_context_
ctx->magic = WPSE_MAGIC;
ctx->value = 0xc0dec0de;
- *req_context_p = ctx;
+ *modreq_out = (krb5_clpreauth_modreq)ctx;
}
static void
-client_req_cleanup(krb5_context kcontext, void *plugin_context, void *req_context)
+client_req_cleanup(krb5_context kcontext, krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq)
{
- wpse_req_ctx *ctx = (wpse_req_ctx *)req_context;
+ wpse_req_ctx *ctx = (wpse_req_ctx *)modreq;
if (ctx) {
#ifdef DEBUG
@@ -217,7 +219,7 @@ client_req_cleanup(krb5_context kcontext, void *plugin_context, void *req_contex
static krb5_error_code
client_gic_opt(krb5_context kcontext,
- void *plugin_context,
+ krb5_clpreauth_moddata moddata,
krb5_get_init_creds_opt *opt,
const char *attr,
const char *value)
@@ -231,15 +233,12 @@ client_gic_opt(krb5_context kcontext,
/* Free state. */
-static krb5_error_code
-server_free_pa_request_context(krb5_context kcontext, void *plugin_context,
- void **request_context)
+static void
+server_free_modreq(krb5_context kcontext,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq modreq)
{
- if (*request_context != NULL) {
- free(*request_context);
- *request_context = NULL;
- }
- return 0;
+ free(modreq);
}
/* Obtain and return any preauthentication data (which is destined for the
@@ -249,8 +248,8 @@ server_get_edata(krb5_context kcontext,
krb5_kdc_req *request,
struct _krb5_db_entry_new *client,
struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
krb5_pa_data *data)
{
/* Return zero bytes of data. */
@@ -267,9 +266,9 @@ server_verify(krb5_context kcontext,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_modreq *modreq_out,
krb5_data **e_data,
krb5_authdata ***authz_data)
{
@@ -292,8 +291,7 @@ server_verify(krb5_context kcontext,
enc_tkt_reply->flags |= TKT_FLG_HW_AUTH;
/* Allocate a context. Useful for verifying that we do in fact do
* per-request cleanup. */
- if (*pa_request_context == NULL)
- *pa_request_context = malloc(4);
+ *modreq_out = malloc(4);
/*
* Return some junk authorization data just to exercise the
@@ -373,9 +371,8 @@ server_return(krb5_context kcontext,
struct _krb5_key_data *client_key,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context)
+ krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
/* This module does a couple of dumb things. It tags its reply with
* the same type as the initial challenge (expecting the client to sort
@@ -447,28 +444,49 @@ server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
-struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = {
- "wpse", /* name */
- &supported_client_pa_types[0], /* pa_type_list */
- NULL, /* enctype_list */
- client_init, /* plugin init function */
- client_fini, /* plugin fini function */
- client_get_flags, /* get flags function */
- client_req_init, /* request init function */
- client_req_cleanup, /* request fini function */
- client_process, /* process function */
- NULL, /* try_again function */
- client_gic_opt /* get init creds opts function */
-};
-
-struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = {
- "wpse",
- &supported_server_pa_types[0],
- NULL,
- NULL,
- server_get_flags,
- server_get_edata,
- server_verify,
- server_return,
- server_free_pa_request_context,
-};
+krb5_error_code
+clpreauth_wpse_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable);
+krb5_error_code
+kdcpreauth_wpse_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable);
+
+krb5_error_code
+clpreauth_wpse_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable)
+{
+ krb5_clpreauth_vtable vt;
+
+ if (maj_ver != 1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_clpreauth_vtable)vtable;
+ vt->name = "wpse";
+ vt->pa_type_list = supported_client_pa_types;
+ vt->init = client_init;
+ vt->fini = client_fini;
+ vt->flags = client_get_flags;
+ vt->request_init = client_req_init;
+ vt->request_fini = client_req_cleanup;
+ vt->process = client_process;
+ vt->gic_opts = client_gic_opt;
+ return 0;
+}
+
+krb5_error_code
+kdcpreauth_wpse_initvt(krb5_context context, int maj_ver,
+ int min_ver, krb5_plugin_vtable vtable)
+{
+ krb5_kdcpreauth_vtable vt;
+
+ if (maj_ver != -1)
+ return KRB5_PLUGIN_VER_NOTSUPP;
+ vt = (krb5_kdcpreauth_vtable)vtable;
+ vt->name = "wpse";
+ vt->pa_type_list = supported_server_pa_types;
+ vt->flags = server_get_flags;
+ vt->edata = server_get_edata;
+ vt->verify = server_verify;
+ vt->return_padata = server_return;
+ vt->free_modreq = server_free_modreq;
+ return 0;
+}
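Review bot: The version guard in `kdcpreauth_wpse_initvt` reads `if (maj_ver != -1)`, while `clpreauth_wpse_initvt` just above and the other initvt functions in this commit test `!= 1`. As written, a request for major version 1 returns `KRB5_PLUGIN_VER_NOTSUPP`, so the KDC side of wpse never gets its vtable filled. A caller passing -1 would instead have fields written into a vtable whose layout this module does not know. This looks like a typo and should be `if (maj_ver != 1)`.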