authorGreg Hudson <ghudson@mit.edu>2011-10-05 17:27:15 +0000
committerGreg Hudson <ghudson@mit.edu>2011-10-05 17:27:15 +0000
commit4902dd11b115320f252f73d59a692db9ad7dd600 (patch)
tree2c05d6c2742979f5829012ec16c1b224e4f8cfc9 /src/kdc
parent57a52177feee207d8b3f4bd0fbf7a3d7ee09c070 (diff)
Use an opaque handle in the kdcpreauth callback
Instead of passing a request and entry to the kdcpreauth get_data callback, pass an opaque handle. Remove DB entry and key data parameters from kdcpreauth methods (but keep the request, since that's transparent). The SecurID plugin links against libkdb5 and needs access to the client DB entry. Rather than continue to pass a DB entry to kdcpreauth methods, add a get_data callback to get the client DB entry for the few plugins which might need it. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/do_as_req.c22
-rw-r--r--src/kdc/fast_util.c2
-rw-r--r--src/kdc/kdc_preauth.c203
-rw-r--r--src/kdc/kdc_preauth_ec.c33
-rw-r--r--src/kdc/kdc_util.h31
5 files changed, 138 insertions, 153 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 9102e26a0..8419a8cfc 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -110,6 +110,7 @@ struct as_req_state {
krb5_db_entry *client;
krb5_db_entry *server;
krb5_kdc_req *request;
+ struct krb5_kdcpreauth_rock_st rock;
const char *status;
krb5_pa_data **e_data;
krb5_boolean typed_e_data;
@@ -156,8 +157,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
&state->enc_tkt_reply);
if (state->status) {
errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
- get_preauth_hint_list(state->request, state->client,
- state->server, &state->e_data);
+ get_preauth_hint_list(state->request, &state->rock, &state->e_data);
goto egress;
}
@@ -216,6 +216,7 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto egress;
}
+ state->rock.client_key = client_key;
/* convert client.key_data into a real key */
if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
@@ -254,8 +255,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
/* Fetch the padata info to be returned (do this before
* authdata to handle possible replacement of reply key
*/
- errcode = return_padata(kdc_context, state->client, state->req_pkt,
- state->request, &state->reply, client_key,
+ errcode = return_padata(kdc_context, &state->rock, state->req_pkt,
+ state->request, &state->reply,
&state->client_keyblock, &state->pa_context);
if (errcode) {
state->status = "KDC_RETURN_PADATA";
@@ -409,7 +410,6 @@ egress:
krb5_free_pa_data(kdc_context, state->e_data);
kdc_free_rstate(state->rstate);
- state->request->kdc_state = NULL;
krb5_free_kdc_req(kdc_context, state->request);
assert(did_log != 0);
@@ -424,8 +424,8 @@ finish_preauth(void *arg, krb5_error_code errcode)
if (errcode) {
if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
- get_preauth_hint_list(state->request, state->client,
- state->server, &state->e_data);
+ get_preauth_hint_list(state->request, &state->rock,
+ &state->e_data);
state->status = "PREAUTH_FAILED";
if (vague_errors)
@@ -475,6 +475,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->cname = 0;
state->pa_context = NULL;
state->from = from;
+ memset(&state->rock, 0, sizeof(state->rock));
#if APPLE_PKINIT
asReqDebug("process_as_req top realm %s name %s\n",
@@ -503,7 +504,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->status = "error decoding FAST";
goto errout;
}
- state->request->kdc_state = state->rstate;
+ state->rock.request = state->request;
+ state->rock.rstate = state->rstate;
if (!state->request->client) {
state->status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
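Review bot: The assignment `state->rock.request = state->request;` is order-sensitive: it must come after the FAST decode just above, because kdc_find_fast (see the fast_util.c hunk in this commit) frees the outer request and replaces `*requestptr` with the inner body, so a rock filled earlier would alias freed memory. The old `request->kdc_state` link carried that ordering implicitly; now nothing in the code says so, and a later cleanup could plausibly hoist these two lines up next to the `memset(&state->rock, ...)` earlier in this function. Suggest `/* Must follow the FAST decode above: kdc_find_fast may replace state->request. */` on the first of the two added lines. With this hunk and the fast_util.c deletion, `request->kdc_state` is no longer written anywhere in src/kdc; since the diffstat is limited to src/kdc, it is worth confirming that no reader of that field remains elsewhere (the TGS path, for instance), as it would now see NULL. process_as_req continues outside the hunk.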
@@ -560,6 +562,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->status = "LOOKING_UP_CLIENT";
goto errout;
}
+ state->rock.client = state->client;
/*
* If the backend returned a principal that is not in the local
@@ -749,11 +752,12 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->enc_tkt_reply.client = state->request->client;
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
+
/*
* Check the preauthentication if it is there.
*/
if (state->request->padata) {
- check_padata(kdc_context, state->client, state->req_pkt,
+ check_padata(kdc_context, &state->rock, state->req_pkt,
state->request, &state->enc_tkt_reply, &state->pa_context,
&state->e_data, &state->typed_e_data, finish_preauth,
state);
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 52eb99722..96c8c1394 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -223,8 +223,6 @@ kdc_find_fast(krb5_kdc_req **requestptr,
KRB5_PADATA_FX_COOKIE);
if (retval == 0) {
state->fast_options = fast_req->fast_options;
- if (request->kdc_state == state)
- request->kdc_state = NULL;
krb5_free_kdc_req( kdc_context, request);
*requestptr = fast_req->req_body;
fast_req->req_body = NULL;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index c94d9fefb..87586d700 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -105,30 +105,26 @@ typedef struct preauth_system_st {
} preauth_system;
static void
-verify_enc_timestamp(krb5_context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+verify_enc_timestamp(krb5_context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_verify_respond_fn respond,
- void *arg);
+ krb5_kdcpreauth_verify_respond_fn respond, void *arg);
static krb5_error_code
get_enc_ts(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata modata, krb5_pa_data *data);
static krb5_error_code
get_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data);
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data);
static krb5_error_code
@@ -141,31 +137,27 @@ etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata,
int etype_info2);
static krb5_error_code
-return_etype_info(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply, krb5_key_data *client_key,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
static krb5_error_code
-return_etype_info2(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info2(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply, krb5_key_data *client_key,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
static krb5_error_code
-return_pw_salt(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_pw_salt(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq);
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq);
#if APPLE_PKINIT
@@ -547,7 +539,7 @@ get_entry_tl_data(krb5_context context, krb5_db_entry *entry,
}
/*
- * Retrieve a specific piece of information pertaining to the entry or the
+ * Retrieve a specific piece of information pertaining to the client entry or
* request and return it in a new krb5_data item which the caller must free.
*
* This may require massaging data into a contrived format, but it will
@@ -555,8 +547,8 @@ get_entry_tl_data(krb5_context context, krb5_db_entry *entry,
* modules.
*/
static krb5_error_code
-get_entry_data(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *entry, krb5_int32 type, krb5_data **result)
+get_data(krb5_context context, krb5_kdcpreauth_rock rock, krb5_int32 type,
+ krb5_data **result)
{
int i, k;
krb5_data *ret;
@@ -564,12 +556,14 @@ get_entry_data(krb5_context context, krb5_kdc_req *request,
krb5_keyblock *keys;
krb5_key_data *entry_key;
krb5_error_code error;
- struct kdc_request_state *state = request->kdc_state;
+ krb5_kdc_req *request = rock->request;
+ struct kdc_request_state *state = rock->rstate;
+ krb5_db_entry *client = rock->client;
switch (type) {
case krb5_kdcpreauth_request_certificate:
- return get_entry_tl_data(context, entry,
- KRB5_TL_USER_CERTIFICATE, result);
+ return get_entry_tl_data(context, client, KRB5_TL_USER_CERTIFICATE,
+ result);
break;
case krb5_kdcpreauth_max_time_skew:
ret = malloc(sizeof(krb5_data));
@@ -601,7 +595,7 @@ get_entry_data(krb5_context context, krb5_kdc_req *request,
k = 0;
for (i = 0; i < request->nktypes; i++) {
entry_key = NULL;
- if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
+ if (krb5_dbe_find_enctype(context, client, request->ktype[i],
-1, 0, &entry_key) != 0)
continue;
if (krb5_dbe_decrypt_key_data(context, NULL, entry_key,
@@ -654,6 +648,14 @@ get_entry_data(krb5_context context, krb5_kdc_req *request,
}
free(*result);
return 0;
+ case krb5_kdcpreauth_get_client:
+ ret = malloc(sizeof(krb5_data));
+ if (ret == NULL)
+ return ENOMEM;
+ ret->data = (char *)&rock->client;
+ ret->length = sizeof(rock->client);
+ *result = ret;
+ return 0;
default:
break;
}
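Review bot: In the new `krb5_kdcpreauth_get_client` case, `ret->data` points at the rock's own `client` field rather than at a fresh allocation, so the result cannot be released the way the function comment ("a new krb5_data item which the caller must free") and the other cases suggest: `krb5_free_data()` on it would free a pointer into the enclosing as_req_state, whereas a plain `free(ret)` is fine. Either the contract should say which release path is required, or this case should copy the pointer value into a malloc'd buffer so every result shares one path. If the former, suggest `/* Aliases rock->client; release *result with free(), never krb5_free_data(). */` above the assignment. Which free the callers actually use is outside this diff, so that part is inferred; get_data's body continues outside the hunk.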
@@ -820,8 +822,8 @@ const char *missing_required_preauth(krb5_db_entry *client,
}
void
-get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
- krb5_db_entry *server, krb5_pa_data ***e_data_out)
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+ krb5_pa_data ***e_data_out)
{
int hw_only;
preauth_system *ap;
@@ -830,7 +832,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
*e_data_out = NULL;
- hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
+ hw_only = isflagset(rock->client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
/* Allocate two extra entries for the cookie and the terminator. */
pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *));
if (pa_data == 0)
@@ -849,8 +851,8 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
(*pa)->magic = KV5M_PA_DATA;
(*pa)->pa_type = ap->type;
if (ap->get_edata) {
- retval = ap->get_edata(kdc_context, request, client, server,
- get_entry_data, ap->moddata, *pa);
+ retval = ap->get_edata(kdc_context, request, get_data, rock,
+ ap->moddata, *pa);
if (retval) {
/* just failed on this type, continue */
free(*pa);
@@ -869,7 +871,7 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
* If we fail to get the cookie it is probably
* still reasonable to continue with the response
*/
- kdc_preauth_get_cookie(request->kdc_state, pa);
+ kdc_preauth_get_cookie(rock->rstate, pa);
*e_data_out = pa_data;
pa_data = NULL;
@@ -937,7 +939,7 @@ struct padata_state {
krb5_pa_data **padata;
int pa_found;
krb5_context context;
- krb5_db_entry *client;
+ krb5_kdcpreauth_rock rock;
krb5_data *req_pkt;
krb5_kdc_req *request;
krb5_enc_tkt_part *enc_tkt_reply;
@@ -1135,11 +1137,11 @@ next_padata(struct padata_state *state)
goto next;
state->pa_found++;
- state->pa_sys->verify_padata(state->context, state->client,
- state->req_pkt, state->request,
- state->enc_tkt_reply, *state->padata,
- get_entry_data, state->pa_sys->moddata,
- finish_verify_padata, state);
+ state->pa_sys->verify_padata(state->context, state->req_pkt,
+ state->request, state->enc_tkt_reply,
+ *state->padata, get_data, state->rock,
+ state->pa_sys->moddata, finish_verify_padata,
+ state);
return;
next:
@@ -1155,11 +1157,11 @@ next:
*/
void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context, krb5_pa_data ***e_data,
- krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
- void *arg)
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+ krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+ kdc_preauth_respond_fn respond, void *arg)
{
struct padata_state *state;
@@ -1182,7 +1184,7 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
state->respond = respond;
state->arg = arg;
state->context = context;
- state->client = client;
+ state->rock = rock;
state->req_pkt = req_pkt;
state->request = request;
state->enc_tkt_reply = enc_tkt_reply;
@@ -1203,10 +1205,9 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
* structures which should be returned by the KDC to the client
*/
krb5_error_code
-return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- void **padata_context)
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, void **padata_context)
{
krb5_error_code retval;
krb5_pa_data ** padata;
@@ -1280,13 +1281,11 @@ return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
}
}
}
- if ((retval = ap->return_padata(context, pa, client, req_pkt,
- request, reply,
- client_key, encrypting_key, send_pa,
- get_entry_data, ap->moddata,
- *modreq_ptr))) {
+ retval = ap->return_padata(context, pa, req_pkt, request, reply,
+ encrypting_key, send_pa, get_data, rock,
+ ap->moddata, *modreq_ptr);
+ if (retval)
goto cleanup;
- }
if (*send_pa)
send_pa++;
@@ -1322,22 +1321,20 @@ request_contains_enctype(krb5_context context, const krb5_kdc_req *request,
static krb5_error_code
get_enc_ts(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
- struct kdc_request_state *state = request->kdc_state;
- if (state->armor_key)
+ if (rock->rstate->armor_key != NULL)
return ENOENT;
return 0;
}
static void
-verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa,
- krb5_kdcpreauth_get_data_fn ets_get_entry_data,
+verify_enc_timestamp(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
@@ -1368,7 +1365,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
start = 0;
decrypt_err = 0;
while (1) {
- if ((retval = krb5_dbe_search_enctype(context, client,
+ if ((retval = krb5_dbe_search_enctype(context, rock->client,
&start, enc_data->enctype,
-1, 0, &client_key)))
goto cleanup;
@@ -1492,8 +1489,8 @@ fail:
*/
static krb5_error_code
etype_info_helper(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data, int etype_info2)
+ krb5_db_entry *client, krb5_pa_data *pa_data,
+ int etype_info2)
{
krb5_etype_info_entry ** entry = 0;
krb5_key_data *client_key;
@@ -1579,8 +1576,7 @@ cleanup:
static krb5_error_code
get_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
int i;
@@ -1590,16 +1586,15 @@ get_etype_info(krb5_context context, krb5_kdc_req *request,
* skip this
* type*/
}
- return etype_info_helper(context, request, client, server, pa_data, 0);
+ return etype_info_helper(context, request, rock->client, pa_data, 0);
}
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
- return etype_info_helper( context, request, client, server, pa_data, 1);
+ return etype_info_helper(context, request, rock->client, pa_data, 1);
}
static krb5_error_code
@@ -1681,51 +1676,43 @@ cleanup:
static krb5_error_code
return_etype_info2(krb5_context context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
- return etype_info_as_rep_helper(context, padata, client, request, reply,
- client_key, encrypting_key, send_pa, 1);
+ return etype_info_as_rep_helper(context, padata, rock->client, request,
+ reply, rock->client_key, encrypting_key,
+ send_pa, 1);
}
static krb5_error_code
-return_etype_info(krb5_context context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etypeget_entry_data,
- krb5_kdcpreauth_moddata moddata,
+return_etype_info(krb5_context context, krb5_pa_data *padata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
- return etype_info_as_rep_helper(context, padata, client, request, reply,
- client_key, encrypting_key, send_pa, 0);
+ return etype_info_as_rep_helper(context, padata, rock->client, request,
+ reply, rock->client_key, encrypting_key,
+ send_pa, 0);
}
static krb5_error_code
return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
- krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq)
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval;
krb5_pa_data * padata;
krb5_data * scratch;
krb5_data salt_data;
+ krb5_key_data * client_key = rock->client_key;
int i;
for (i = 0; i < request->nktypes; i++) {
diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c
index 24b667507..62fa615e0 100644
--- a/src/kdc/kdc_preauth_ec.c
+++ b/src/kdc/kdc_preauth_ec.c
@@ -36,15 +36,12 @@
static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn get_data_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
krb5_error_code retval = 0;
krb5_keyblock *armor_key = NULL;
- retval = fast_kdc_get_armor_key(context, get_data_proc, request, client,
- &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval)
return retval;
if (armor_key == 0)
@@ -54,11 +51,10 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request,
}
static void
-kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
+kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
{
@@ -77,7 +73,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
plain.data = NULL;
- retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval == 0 &&armor_key == NULL) {
retval = ENOENT;
krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel");
@@ -93,8 +89,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
retval = ENOMEM;
}
if (retval == 0)
- retval = get_entry_proc(context, request, client,
- krb5_kdcpreauth_keys, &client_data);
+ retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_data);
if (retval == 0) {
client_keys = (krb5_keyblock *) client_data->data;
for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) {
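Review bot: Style: the callback is invoked as `(*get)(context, rock, krb5_kdcpreauth_keys, &client_data);`, while the same pointer is passed plainly as `get` to fast_kdc_get_armor_key two hunks up and the rest of this commit calls function pointers without the explicit dereference. A direct `retval = get(context, rock, krb5_kdcpreauth_keys, &client_data);` reads the same and keeps the file consistent. No behaviour change; kdc_verify_preauth's body continues outside the hunk.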
@@ -138,7 +133,7 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
* may cause the client to fail, but at this point the KDC has
* considered this a success, so the return value is ignored.
*/
- fast_kdc_replace_reply_key(context, get_entry_proc, request);
+ fast_kdc_replace_reply_key(context, get, rock);
if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
&client_keys[i], "challengelongterm",
&kdc_challenge_key) == 0)
@@ -166,12 +161,10 @@ kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
static krb5_error_code
kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
- struct _krb5_db_entry_new *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- struct _krb5_key_data *client_keys,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval = 0;
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index e0be83fe6..6d91822ff 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -167,10 +167,8 @@ missing_required_preauth (krb5_db_entry *client,
krb5_db_entry *server,
krb5_enc_tkt_part *enc_tkt_reply);
void
-get_preauth_hint_list (krb5_kdc_req * request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_pa_data ***e_data_out);
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+ krb5_pa_data ***e_data_out);
void
load_preauth_plugins(krb5_context context);
void
@@ -179,18 +177,16 @@ unload_preauth_plugins(krb5_context context);
typedef void (*kdc_preauth_respond_fn)(void *arg, krb5_error_code code);
void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context, krb5_pa_data ***e_data,
- krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
- void *state);
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+ krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+ kdc_preauth_respond_fn respond, void *state);
krb5_error_code
-return_padata (krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- void **padata_context);
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, void **padata_context);
void
free_padata_context(krb5_context context, void *padata_context);
@@ -380,6 +376,13 @@ krb5_error_code
krb5int_get_domain_realm_mapping(krb5_context context,
const char *host, char ***realmsp);
+/* Information handle for kdcpreauth callbacks. All pointers are aliases. */
+struct krb5_kdcpreauth_rock_st {
+ krb5_kdc_req *request;
+ krb5_db_entry *client;
+ krb5_key_data *client_key;
+ struct kdc_request_state *rstate;
+};
#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
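Review bot: The comment on `struct krb5_kdcpreauth_rock_st` says the pointers are aliases but not what they alias or when each is valid, and population in do_as_req.c is staged: the struct is zeroed with memset in process_as_req, `request`/`rstate` are set after the FAST decode, `client` after the client lookup, and `client_key` only in finish_process_as_req once the reply key has been chosen. A get_edata or verify_padata callback reading `rock->client_key` therefore sees NULL, while the return_padata callbacks (return_etype_info, return_pw_salt in this commit) can rely on it. Suggest replacing the one-liner with `/* Information handle for kdcpreauth callbacks, embedded in as_req_state and valid only for the current request; all pointers are aliases. */` and annotating the key field as `krb5_key_data *client_key; /* NULL until the reply key is chosen; valid in return_padata only */`. Modules that receive the rock should be told not to retain it past the callback.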