Diffstat (limited to 'src/plugins/preauth/wpse')
-rw-r--r-- | src/plugins/preauth/wpse/wpse_main.c | 285 |
1 files changed, 143 insertions, 142 deletions
diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c
index 655f2b9496..5576a0837b 100644
--- a/src/plugins/preauth/wpse/wpse_main.c
+++ b/src/plugins/preauth/wpse/wpse_main.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 /*
 * Copyright (C) 2006 Red Hat, Inc.
 * All rights reserved.
@@ -64,7 +65,7 @@ client_init(krb5_context kcontext, void **ctx)
 pctx = malloc(sizeof(int));
 if (pctx == NULL)
- return ENOMEM;
+ return ENOMEM;
 *pctx = 0;
 *ctx = pctx;
 return 0;
@@ -86,22 +87,22 @@ client_fini(krb5_context kcontext, void *ctx)
 static krb5_error_code
 client_process(krb5_context kcontext,
- void *plugin_context,
- void *request_context,
- krb5_get_init_creds_opt *opt,
- preauth_get_client_data_proc client_get_data_proc,
- struct _krb5_preauth_client_rock *rock,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *pa_data,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- void *gak_data,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_pa_data)
+ void *plugin_context,
+ void *request_context,
+ krb5_get_init_creds_opt *opt,
+ preauth_get_client_data_proc client_get_data_proc,
+ struct _krb5_preauth_client_rock *rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *pa_data,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_data)
 {
 krb5_pa_data **send_pa;
 krb5_int32 nnonce, enctype;
@@ -111,58 +112,58 @@ client_process(krb5_context kcontext,
 #ifdef DEBUG
 fprintf(stderr, "%d bytes of preauthentication data (type %d)\n",
- pa_data->length, pa_data->pa_type);
+ pa_data->length, pa_data->pa_type);
 #endif
 pctx = plugin_context;
 if (pctx) {
- (*pctx)++;
+ (*pctx)++;
 }
 if (pa_data->length == 0) {
- /* Create preauth data. */
- send_pa = malloc(2 * sizeof(krb5_pa_data *));
- if (send_pa == NULL)
- return ENOMEM;
- send_pa[1] = NULL; /* Terminate list */
- send_pa[0] = malloc(sizeof(krb5_pa_data));
- if (send_pa[0] == NULL) {
- free(send_pa);
- return ENOMEM;
- }
- send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ;
- send_pa[0]->length = 4;
- send_pa[0]->contents = malloc(4);
- if (send_pa[0]->contents == NULL) {
- free(send_pa[0]);
- free(send_pa);
- return ENOMEM;
- }
- /* Store the preauth data. */
- nnonce = htonl(request->nonce);
- memcpy(send_pa[0]->contents, &nnonce, 4);
- *out_pa_data = send_pa;
+ /* Create preauth data. */
+ send_pa = malloc(2 * sizeof(krb5_pa_data *));
+ if (send_pa == NULL)
+ return ENOMEM;
+ send_pa[1] = NULL; /* Terminate list */
+ send_pa[0] = malloc(sizeof(krb5_pa_data));
+ if (send_pa[0] == NULL) {
+ free(send_pa);
+ return ENOMEM;
+ }
+ send_pa[0]->pa_type = KRB5_PADATA_WPSE_REQ;
+ send_pa[0]->length = 4;
+ send_pa[0]->contents = malloc(4);
+ if (send_pa[0]->contents == NULL) {
+ free(send_pa[0]);
+ free(send_pa);
+ return ENOMEM;
+ }
+ /* Store the preauth data. */
+ nnonce = htonl(request->nonce);
+ memcpy(send_pa[0]->contents, &nnonce, 4);
+ *out_pa_data = send_pa;
 } else {
- /* A reply from the KDC. Conventionally this would be
- * indicated by a different preauthentication type, but this
- * mechanism/implementation doesn't do that. */
- if (pa_data->length > 4) {
- memcpy(&enctype, pa_data->contents, 4);
- kb = NULL;
- status = krb5_init_keyblock(kcontext, ntohl(enctype),
- pa_data->length - 4, &kb);
- if (status != 0)
- return status;
- memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4);
+ /* A reply from the KDC. Conventionally this would be
+ * indicated by a different preauthentication type, but this
+ * mechanism/implementation doesn't do that. */
+ if (pa_data->length > 4) {
+ memcpy(&enctype, pa_data->contents, 4);
+ kb = NULL;
+ status = krb5_init_keyblock(kcontext, ntohl(enctype),
+ pa_data->length - 4, &kb);
+ if (status != 0)
+ return status;
+ memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4);
 #ifdef DEBUG
- fprintf(stderr, "Recovered key type=%d, length=%d.\n",
- kb->enctype, kb->length);
+ fprintf(stderr, "Recovered key type=%d, length=%d.\n",
+ kb->enctype, kb->length);
 #endif
- status = krb5_copy_keyblock_contents(kcontext, kb, as_key);
- krb5_free_keyblock(kcontext, kb);
- return status;
- }
- return KRB5KRB_ERR_GENERIC;
+ status = krb5_copy_keyblock_contents(kcontext, kb, as_key);
+ krb5_free_keyblock(kcontext, kb);
+ return status;
+ }
+ return KRB5KRB_ERR_GENERIC;
 }
 return 0;
 }
@@ -185,7 +186,7 @@ client_req_init(krb5_context kcontext, void *plugin_context, void **req_context_
 * do per-request cleanup. */
 ctx = (wpse_req_ctx *) malloc(sizeof(*ctx));
 if (ctx == NULL)
- return;
+ return;
 ctx->magic = WPSE_MAGIC;
 ctx->value = 0xc0dec0de;
@@ -199,31 +200,31 @@ client_req_cleanup(krb5_context kcontext, void *plugin_context, void *req_contex
 if (ctx) {
 #ifdef DEBUG
- fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n",
- ctx, ctx->magic, ctx->value);
+ fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n",
+ ctx, ctx->magic, ctx->value);
 #endif
- if (ctx->magic != WPSE_MAGIC) {
+ if (ctx->magic != WPSE_MAGIC) {
 #ifdef DEBUG
- fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n",
- ctx, ctx->magic);
+ fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n",
+ ctx, ctx->magic);
 #endif
- return;
- }
- free(ctx);
+ return;
+ }
+ free(ctx);
 }
 return;
 }
 static krb5_error_code
 client_gic_opt(krb5_context kcontext,
- void *plugin_context,
- krb5_get_init_creds_opt *opt,
- const char *attr,
- const char *value)
+ void *plugin_context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value)
 {
 #ifdef DEBUG
 fprintf(stderr, "(wpse) client_gic_opt: received '%s' = '%s'\n",
- attr, value);
+ attr, value);
 #endif
 return 0;
 }
@@ -232,11 +233,11 @@ client_gic_opt(krb5_context kcontext,
 /* Free state. */
 static krb5_error_code
 server_free_pa_request_context(krb5_context kcontext, void *plugin_context,
- void **request_context)
+ void **request_context)
 {
 if (*request_context != NULL) {
- free(*request_context);
- *request_context = NULL;
+ free(*request_context);
+ *request_context = NULL;
 }
 return 0;
 }
@@ -245,12 +246,12 @@ server_free_pa_request_context(krb5_context kcontext, void *plugin_context,
 * client) which matches type data->pa_type. */
 static krb5_error_code
 server_get_edata(krb5_context kcontext,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- krb5_pa_data *data)
+ krb5_kdc_req *request,
+ struct _krb5_db_entry_new *client,
+ struct _krb5_db_entry_new *server,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ krb5_pa_data *data)
 {
 /* Return zero bytes of data. */
 data->length = 0;
@@ -261,16 +262,16 @@ server_get_edata(krb5_context kcontext,
 /* Verify a request from a client. */
 static krb5_error_code
 server_verify(krb5_context kcontext,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context,
- krb5_data **e_data,
- krb5_authdata ***authz_data)
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context,
+ krb5_data **e_data,
+ krb5_authdata ***authz_data)
 {
 krb5_int32 nnonce;
 krb5_data *test_edata;
@@ -281,18 +282,18 @@ server_verify(krb5_context kcontext,
 #endif
 /* Verify the preauth data. */
 if (data->length != 4)
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
 memcpy(&nnonce, data->contents, 4);
 nnonce = ntohl(nnonce);
 if (memcmp(&nnonce, &request->nonce, 4) != 0)
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ return KRB5KDC_ERR_PREAUTH_FAILED;
 /* Note that preauthentication succeeded. */
 enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
 enc_tkt_reply->flags |= TKT_FLG_HW_AUTH;
 /* Allocate a context. Useful for verifying that we do in fact do
 * per-request cleanup. */
 if (*pa_request_context == NULL)
- *pa_request_context = malloc(4);
+ *pa_request_context = malloc(4);
 /*
 * Return some junk authorization data just to exercise the
@@ -334,8 +335,8 @@ server_verify(krb5_context kcontext,
 my_authz_data[0]->length = AD_ALLOC_SIZE;
 memcpy(my_authz_data[0]->contents, ad_header, sizeof(ad_header));
 snprintf(my_authz_data[0]->contents + sizeof(ad_header),
- AD_ALLOC_SIZE - sizeof(ad_header),
- "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
+ AD_ALLOC_SIZE - sizeof(ad_header),
+ "wpse authorization data: %d bytes worth!\n", AD_ALLOC_SIZE);
 *authz_data = my_authz_data;
 #ifdef DEBUG
 fprintf(stderr, "Returning %d bytes of authorization data\n",
@@ -346,14 +347,14 @@ server_verify(krb5_context kcontext,
 /* Return edata to exercise code that handles edata... */
 test_edata = malloc(sizeof(*test_edata));
 if (test_edata != NULL) {
- test_edata->data = malloc(20);
- if (test_edata->data == NULL) {
- free(test_edata);
- } else {
- test_edata->length = 20;
- memset(test_edata->data, '#', 20); /* fill it with junk */
- *e_data = test_edata;
- }
+ test_edata->data = malloc(20);
+ if (test_edata->data == NULL) {
+ free(test_edata);
+ } else {
+ test_edata->length = 20;
+ memset(test_edata->data, '#', 20); /* fill it with junk */
+ *e_data = test_edata;
+ }
 }
 return 0;
 }
@@ -361,17 +362,17 @@ server_verify(krb5_context kcontext,
 /* Create the response for a client. */
 static krb5_error_code
 server_return(krb5_context kcontext,
- krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- struct _krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- preauth_get_entry_data_proc server_get_entry_data,
- void *pa_module_context,
- void **pa_request_context)
+ krb5_pa_data *padata,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *reply,
+ struct _krb5_key_data *client_key,
+ krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa,
+ preauth_get_entry_data_proc server_get_entry_data,
+ void *pa_module_context,
+ void **pa_request_context)
 {
 /* This module does a couple of dumb things. It tags its reply with
 * the same type as the initial challenge (expecting the client to sort
@@ -385,39 +386,39 @@ server_return(krb5_context kcontext,
 /* We'll want a key with the first supported enctype. */
 for (i = 0; i < request->nktypes; i++) {
- kb = NULL;
- if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) {
- break;
- }
+ kb = NULL;
+ if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) {
+ break;
+ }
 }
 if (i >= request->nktypes) {
- /* No matching cipher type found. */
- return 0;
+ /* No matching cipher type found. */
+ return 0;
 }
 /* Randomize a key and save it for the client. */
 if (krb5_c_make_random_key(kcontext, request->ktype[i], kb) != 0) {
- krb5_free_keyblock(kcontext, kb);
- return 0;
+ krb5_free_keyblock(kcontext, kb);
+ return 0;
 }
 #ifdef DEBUG
 fprintf(stderr, "Generated random key, type=%d, length=%d.\n",
- kb->enctype, kb->length);
+ kb->enctype, kb->length);
 #endif
 *send_pa = malloc(sizeof(krb5_pa_data));
 if (*send_pa == NULL) {
- krb5_free_keyblock(kcontext, kb);
- return ENOMEM;
+ krb5_free_keyblock(kcontext, kb);
+ return ENOMEM;
 }
 (*send_pa)->pa_type = KRB5_PADATA_WPSE_REQ;
 (*send_pa)->length = 4 + kb->length;
 (*send_pa)->contents = malloc(4 + kb->length);
 if ((*send_pa)->contents == NULL) {
- free(*send_pa);
- *send_pa = NULL;
- krb5_free_keyblock(kcontext, kb);
- return ENOMEM;
+ free(*send_pa);
+ *send_pa = NULL;
+ krb5_free_keyblock(kcontext, kb);
+ return ENOMEM;
 }
 /* Store the preauth data. */
@@ -444,17 +445,17 @@ static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
 static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
 struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = {
- "wpse", /* name */
- &supported_client_pa_types[0], /* pa_type_list */
- NULL, /* enctype_list */
- client_init, /* plugin init function */
- client_fini, /* plugin fini function */
- client_get_flags, /* get flags function */
- client_req_init, /* request init function */
- client_req_cleanup, /* request fini function */
- client_process, /* process function */
- NULL, /* try_again function */
- client_gic_opt /* get init creds opts function */
+ "wpse", /* name */
+ &supported_client_pa_types[0], /* pa_type_list */
+ NULL, /* enctype_list */
+ client_init, /* plugin init function */
+ client_fini, /* plugin fini function */
+ client_get_flags, /* get flags function */
+ client_req_init, /* request init function */
+ client_req_cleanup, /* request fini function */
+ client_process, /* process function */
+ NULL, /* try_again function */
+ client_gic_opt /* get init creds opts function */
 };
 struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { |