authorTom Yu <tlyu@mit.edu>2007-01-30 21:38:47 +0000
committerTom Yu <tlyu@mit.edu>2007-01-30 21:38:47 +0000
commit1f857634ae3b549e8c328727adbdaa9e9f403d4f (patch)
treeb844c1d94274f80180c4c439d1a2bdf75115be08 /src/include/krb5
parentebcf51877b1a69217830ebfe4047bc8a27fe4436 (diff)
get_init_creds_opt extensibility
r18922@cathode-dark-space: coffman | 2006-12-04 18:30:15 -0500 First cut at making the get_init_creds_opt structure extendable and adding library functions to set options for preauthentication plugins. This does *not* include a compatibility function to work like Heimdal's krb5_get_init_creds_opt_set_pkinit() function. Hopefully, the test code that doesn't belong in kinit.c is obvious. r18929@cathode-dark-space: coffman | 2006-12-07 10:01:20 -0500 Remove extra "user_id" parameter. Add function which duplicates the Heimdal interface (if we can agree on what the matching attribute names should be). r18934@cathode-dark-space: coffman | 2006-12-08 15:28:03 -0500 Update to use the simplified interface for krb5_get_init_creds_opt_set_pa() Add code in kinit to process "-X" options as preauth options and pass them along. r18936@cathode-dark-space: coffman | 2006-12-11 12:04:26 -0500 Move prototypes for get_init_creds_opt_get_pa() and krb5_get_init_creds_opt_free_pa() into the preauth_plugin.h header rather than krb5.hin. ticket: new status: open component: krb5-libs git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19127 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/krb5')
-rw-r--r--src/include/krb5/krb5.hin31
-rw-r--r--src/include/krb5/preauth_plugin.h48
2 files changed, 78 insertions, 1 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 1c5f15738..ff0a31be7 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2081,6 +2081,16 @@ typedef struct _krb5_get_init_creds_opt {
#define KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT 0x0100
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_alloc
+(krb5_context context,
+ krb5_get_init_creds_opt **opt);
+
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_free
+(krb5_context context,
+ krb5_get_init_creds_opt *opt);
+
void KRB5_CALLCONV
krb5_get_init_creds_opt_init
(krb5_get_init_creds_opt *opt);
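Review bot: The new prototypes `krb5_get_init_creds_opt_alloc` and `krb5_get_init_creds_opt_free` carry no comment, although they introduce an ownership rule that the older `krb5_get_init_creds_opt_init` just below them does not have. `krb5_get_init_creds_opt` remains a visible typedef that callers can declare on the stack, so the header should say which functions accept which kind of structure. A comment such as `/* Allocate an extensible options structure; release it only with krb5_get_init_creds_opt_free(). */` on the alloc prototype would cover the first half, with a matching line on the free prototype saying it must not be handed a caller-declared structure. Whether `krb5_get_init_creds_opt_init` may be applied to an allocated structure is not visible from this hunk and is worth stating as well.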
@@ -2132,6 +2142,27 @@ krb5_get_init_creds_opt_set_change_password_prompt
(krb5_get_init_creds_opt *opt,
int prompt);
+/* Generic preauth option attribute/value pairs */
+typedef struct _krb5_gic_opt_pa_data {
+ char *attr;
+ char *value;
+} krb5_gic_opt_pa_data;
+
+/*
+ * This function allows the caller to supply options to preauth
+ * plugins. Preauth plugin modules are given a chance to look
+ * at each option at the time this function is called in ordre
+ * to check the validity of the option.
+ * The 'opt' pointer supplied to this function must have been
+ * obtained using krb5_get_init_creds_opt_alloc()
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_set_pa
+ (krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value);
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password
(krb5_context context,
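Review bot: The comment on `krb5_get_init_creds_opt_set_pa` requires that `opt` come from `krb5_get_init_creds_opt_alloc()`, but it does not say what happens when it does not, and a caller-declared structure has the same type, so the compiler cannot catch the mistake. The contract should promise an error return rather than an access past the end of the smaller structure, for example `* Returns EINVAL if 'opt' was not obtained from krb5_get_init_creds_opt_alloc().`, provided the implementation (not part of this diff) can detect the case. It should also state that `attr` and `value` are copied, as the `const char *` parameters suggest, and whether `value` may be NULL. Minor: "ordre" in the same comment should read "order". The `krb5_get_init_creds_password` prototype at the end of the hunk continues outside it.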
diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h
index f8a9db1a1..7243a00b1 100644
--- a/src/include/krb5/preauth_plugin.h
+++ b/src/include/krb5/preauth_plugin.h
@@ -158,6 +158,17 @@ typedef krb5_error_code
void *gak_data);
/*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+typedef krb5_error_code
+(*supply_gic_opts_proc)(krb5_context context,
+ void *plugin_context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value);
+/*
* The function table / structure which a preauth client module must export as
* "preauthentication_client_0". If the interfaces work correctly, future
* versions of the table will add either more callbacks or more arguments to
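Review bot: The comment on `supply_gic_opts_proc` covers the lifetime of `attr` and `value` but not the meaning of the `krb5_error_code` it returns. The comment in krb5.hin says modules are given a chance to check each option's validity, so a reader needs to know whether a non-zero return rejects the option for every module, is passed back to the caller of `krb5_get_init_creds_opt_set_pa`, or is ignored. I would add a sentence along the lines of `* Return 0 to accept the option; any other value ... (state the effect).` and say whether a module may leave the `gic_opts` slot NULL. The same comment text is repeated on the `gic_opts` member at the end of the client table, so both copies need the addition; the comment block that follows this typedef continues outside the hunk.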
@@ -207,6 +218,7 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
krb5_error_code (*process)(krb5_context context,
void *plugin_context,
void *request_context,
+ krb5_get_init_creds_opt *opt,
preauth_get_client_data_proc get_data_proc,
struct _krb5_preauth_client_rock *rock,
krb5_kdc_req *request,
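Review bot: Inserting `krb5_get_init_creds_opt *opt` in the middle of the `process` argument list changes the binary interface of `krb5plugin_preauth_client_ftable_v0` while the table keeps its `_v0` name and, per the comment above it, its "preauthentication_client_0" export symbol. A module built against the previous header would then be called with every argument after `request_context` shifted by one, so pointers of the wrong type are dereferenced across the plugin boundary. The `tryagain` hunk has the same problem, and the `gic_opts` member appended to the table makes the library read one slot past the end of an older module's table. Unless the loader rejects old modules by some means not shown here, the version should be bumped, e.g. `krb5plugin_preauth_client_ftable_v1` exported as `"preauthentication_client_1"`, or the new argument carried in a way that leaves the v0 signatures untouched. The struct definition starts and ends outside this hunk.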
@@ -227,8 +239,9 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
krb5_error_code (*tryagain)(krb5_context context,
void *plugin_context,
void *request_context,
+ krb5_get_init_creds_opt *opt,
preauth_get_client_data_proc get_data_proc,
- struct _krb5_preauth_client_rock *rock,
+ struct _krb5_preauth_client_rock *rock,
krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
@@ -241,6 +254,12 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
krb5_data *salt, krb5_data *s2kparams,
krb5_keyblock *as_key,
krb5_pa_data **out_pa_data);
+ /*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+ supply_gic_opts_proc gic_opts;
} krb5plugin_preauth_client_ftable_v0;
/*
@@ -323,4 +342,31 @@ typedef struct krb5plugin_preauth_server_ftable_v0 {
void *pa_module_context,
void **request_pa_context);
} krb5plugin_preauth_server_ftable_v0;
+
+
+/*
+ * This function allows a preauth plugin to obtain preauth
+ * options. The preauth_data returned from this function
+ * should be freed by calling krb5_get_init_creds_opt_free_pa().
+ *
+ * The 'opt' pointer supplied to this function must have been
+ * obtained using krb5_get_init_creds_opt_alloc()
+ */
+krb5_error_code KRB5_CALLCONV
+krb5_get_init_creds_opt_get_pa
+ (krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ int *num_preauth_data,
+ krb5_gic_opt_pa_data **preauth_data);
+
+/*
+ * This function frees the preauth_data that was returned by
+ * krb5_get_init_creds_opt_get_pa().
+ */
+void KRB5_CALLCONV
+krb5_get_init_creds_opt_free_pa
+ (krb5_context context,
+ int num_preauth_data,
+ krb5_gic_opt_pa_data *preauth_data);
+
#endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */
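Review bot: `krb5_get_init_creds_opt_get_pa` does not document the state of `*num_preauth_data` and `*preauth_data` when it fails, while `krb5_get_init_creds_opt_free_pa` takes both back by value. A plugin that calls the free function on its error path would pass whatever was left in its locals, so the comment should guarantee something like `* On failure, *num_preauth_data is set to 0 and *preauth_data to NULL.` and the free function should be documented as accepting that pair. The count is a plain `int` in both prototypes; `size_t`, or at least a stated rule that negative counts are rejected, would avoid a signed length reaching the free loop. It would also help to say that the returned array is a copy that the plugin owns, which the instruction to free it implies but does not state.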