authorGreg Hudson <ghudson@mit.edu>2013-04-26 15:50:05 -0400
committerGreg Hudson <ghudson@mit.edu>2013-05-03 16:11:28 -0400
commite50482720a805ecd8c160e4a8f4a846e6327dca2 (patch)
tree9614b63f7a7c003e60332be49f3900dd1c9752de /src
parent8c4db8f776c65b50fe3af82fd62a67022dd9a6d5 (diff)
Add kdcpreauth callback to check for client keys
Add a new have_client_keys callback to the kdcpreauth interface, allowing modules to efficiently check whether the client DB entry has any keys matching the request enctypes. ticket: 7630
Diffstat (limited to 'src')
-rw-r--r--src/include/krb5/kdcpreauth_plugin.h8
-rw-r--r--src/kdc/kdc_preauth.c20
2 files changed, 26 insertions, 2 deletions
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index e673d40035..9abe76f634 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -173,6 +173,14 @@ typedef struct krb5_kdcpreauth_callbacks_st {
krb5_kdcpreauth_rock rock);
/* End of version 1 kdcpreauth callbacks. */
+
+ /* Return true if the client DB entry contains any keys matching the
+ * request enctypes. */
+ krb5_boolean (*have_client_keys)(krb5_context context,
+ krb5_kdcpreauth_rock rock);
+
+ /* End of version 2 kdcpreauth callbacks. */
+
} *krb5_kdcpreauth_callbacks;
/* Optional: preauth plugin initialization function. */
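Review bot: The comment on the new `have_client_keys` member does not say that the pointer exists only in a version 2 (or later) callbacks table. A module built against this header but loaded by a KDC that still hands out a version 1 table would read past the end of that table when it calls the member. The "End of version N" markers suggest the struct is versioned, but its start is outside this hunk, so the exact field to test is not visible here. I would extend the comment with something like `/* Present only in version 2 and later; check the callbacks version before calling. */`.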
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index c2bcab9f3b..b7f9e15144 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -542,8 +542,23 @@ event_context(krb5_context context, krb5_kdcpreauth_rock rock)
return rock->vctx;
}
+static krb5_boolean
+have_client_keys(krb5_context context, krb5_kdcpreauth_rock rock)
+{
+ krb5_kdc_req *request = rock->request;
+ krb5_key_data *kd;
+ int i;
+
+ for (i = 0; i < request->nktypes; i++) {
+ if (krb5_dbe_find_enctype(context, rock->client, request->ktype[i],
+ -1, 0, &kd) == 0)
+ return TRUE;
+ }
+ return FALSE;
+}
+
static struct krb5_kdcpreauth_callbacks_st callbacks = {
- 1,
+ 2,
max_time_skew,
client_keys,
free_keys,
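Review bot: `have_client_keys` has no header comment, and the `-1, 0` arguments passed to `krb5_dbe_find_enctype` are unexplained. The loop treats every nonzero return as "no matching key", so if that lookup can fail for a reason other than a missing key (not visible from this hunk), a preauth module cannot distinguish a lookup failure from a client with no keys. A comment above the function should state this, for example `/* Return TRUE if the client entry has a key for any request enctype; any lookup failure counts as FALSE. */`. The call itself could carry `/* -1: any salt type; 0: kvno selector (confirm meaning against the KDB API) */`. The `callbacks` initializer that starts in this hunk continues into the next one.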
@@ -552,7 +567,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
get_string,
free_string,
client_entry,
- event_context
+ event_context,
+ have_client_keys
};
static krb5_error_code