authorGreg Hudson <ghudson@mit.edu>2011-10-15 16:06:03 +0000
committerGreg Hudson <ghudson@mit.edu>2011-10-15 16:06:03 +0000
commite389f7a0e7d682a06bc8d2814ad0d86398e815b9 (patch)
treea9e405a56727e7855222dd940acbdbca6933dd60 /src/lib/krb5
parent249e5254d4d4cff2bda07deafc25d7d87ea5ac0f (diff)
Hide gak_fct interface and arguments in clpreauth
Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To replace them, add two callbacks: one which gets the AS key using the previously selected etype-info2 information, and a second which lets the module replace the AS key with one it has computed. This change limits module flexibility in a few ways. Modules cannot check whether the AS key was already obtained before asking for it, and they cannot use the etype-info2 salt and s2kparams for purposes other than getting the password-based AS key. It is believed that of existing preauth mechanisms, only SAM-2 preauth needs more flexibility than the new interfaces provide, and as an internal legacy mechanism it can cheat. Future mechanisms should be okay since the current IETF philosophy is that etype-info2 information should not be used for other purposes. ticket: 6976 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c26
-rw-r--r--src/lib/krb5/krb/preauth2.c96
-rw-r--r--src/lib/krb5/krb/preauth_ec.c13
-rw-r--r--src/lib/krb5/krb/preauth_encts.c23
4 files changed, 69 insertions, 89 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 2968bd7ba..6794986d4 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -839,6 +839,14 @@ krb5_init_creds_init(krb5_context context,
ctx->preauth_rock.magic = CLIENT_ROCK_MAGIC;
ctx->preauth_rock.etype = &ctx->etype;
+ ctx->preauth_rock.as_key = &ctx->as_key;
+ ctx->preauth_rock.gak_fct = &ctx->gak_fct;
+ ctx->preauth_rock.gak_data = &ctx->gak_data;
+ ctx->preauth_rock.salt = &ctx->salt;
+ ctx->preauth_rock.s2kparams = &ctx->s2kparams;
+ ctx->preauth_rock.client = client;
+ ctx->preauth_rock.prompter = prompter;
+ ctx->preauth_rock.prompter_data = data;
/* Initialise request parameters as per krb5_get_init_creds() */
ctx->request->kdc_options = context->kdc_default_options;
@@ -1108,14 +1116,8 @@ init_creds_step_request(krb5_context context,
ctx->encoded_previous_request,
ctx->preauth_to_use,
&ctx->request->padata,
- &ctx->salt,
- &ctx->s2kparams,
- &ctx->etype,
- &ctx->as_key,
ctx->prompter,
ctx->prompter_data,
- ctx->gak_fct,
- ctx->gak_data,
&ctx->preauth_rock,
ctx->opte);
if (code != 0)
@@ -1133,14 +1135,8 @@ init_creds_step_request(krb5_context context,
ctx->preauth_to_use,
&ctx->request->padata,
ctx->err_reply,
- &ctx->salt,
- &ctx->s2kparams,
- &ctx->etype,
- &ctx->as_key,
ctx->prompter,
ctx->prompter_data,
- ctx->gak_fct,
- ctx->gak_data,
&ctx->preauth_rock,
ctx->opte);
} else {
@@ -1365,14 +1361,8 @@ init_creds_step_reply(krb5_context context,
ctx->encoded_previous_request,
ctx->reply->padata,
&kdc_padata,
- &ctx->salt,
- &ctx->s2kparams,
- &ctx->etype,
- &ctx->as_key,
ctx->prompter,
ctx->prompter_data,
- ctx->gak_fct,
- ctx->gak_data,
&ctx->preauth_rock,
ctx->opte);
if (code != 0)
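Review bot: `ctx->preauth_rock.client = client;` in the first hunk stores the caller's principal pointer rather than a copy owned by the context, so the new get_as_key callback in preauth2.c later dereferences memory whose lifetime the caller controls. The hunk does not show whether krb5_init_creds_init copies `client` into `ctx->request->client`, but ec_process previously passed `request->client` to the gak function, which suggests such a copy exists; if it does, point the rock at it (`ctx->preauth_rock.client = ctx->request->client;`, assigned after the copy succeeds) so a caller that frees its principal once init returns cannot leave the rock dangling during later init_creds steps. If the request's client principal can be replaced during the exchange, the rock would need to be updated at that point as well. krb5_init_creds_init continues outside the hunk.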
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index f2ead9361..fd5c63536 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -387,10 +387,37 @@ fast_armor(krb5_context context, krb5_clpreauth_rock rock)
return rock->fast_state->armor_key;
}
+static krb5_error_code
+get_as_key(krb5_context context, krb5_clpreauth_rock rock,
+ krb5_keyblock **keyblock)
+{
+ krb5_error_code ret;
+
+ if (rock->as_key->length == 0) {
+ ret = (*rock->gak_fct)(context, rock->client, *rock->etype,
+ rock->prompter, rock->prompter_data, rock->salt,
+ rock->s2kparams, rock->as_key, *rock->gak_data);
+ if (ret)
+ return ret;
+ }
+ *keyblock = rock->as_key;
+ return 0;
+}
+
+static krb5_error_code
+set_as_key(krb5_context context, krb5_clpreauth_rock rock,
+ const krb5_keyblock *keyblock)
+{
+ krb5_free_keyblock_contents(context, rock->as_key);
+ return krb5_copy_keyblock_contents(context, keyblock, rock->as_key);
+}
+
static struct krb5_clpreauth_callbacks_st callbacks = {
1,
get_etype,
- fast_armor
+ fast_armor,
+ get_as_key,
+ set_as_key
};
/* Tweak the request body, for now adding any enctypes which the module claims
@@ -432,12 +459,7 @@ run_preauth_plugins(krb5_context kcontext,
krb5_pa_data *in_padata,
krb5_prompter_fct prompter,
void *prompter_data,
- krb5_clpreauth_get_as_key_fn gak_fct,
- krb5_data *salt,
- krb5_data *s2kparams,
- void *gak_data,
krb5_clpreauth_rock preauth_rock,
- krb5_keyblock *as_key,
krb5_pa_data ***out_pa_list,
int *out_pa_list_size,
int *module_ret,
@@ -481,9 +503,7 @@ run_preauth_plugins(krb5_context kcontext,
&callbacks, preauth_rock,
request, encoded_request_body,
encoded_previous_request, in_padata,
- prompter, prompter_data, gak_fct,
- gak_data, salt, s2kparams, as_key,
- &out_pa_data);
+ prompter, prompter_data, &out_pa_data);
TRACE_PREAUTH_PROCESS(kcontext, module->name, module->pa_type,
module->flags, ret);
/* Make note of the module's flags and status. */
@@ -1350,11 +1370,7 @@ krb5_do_preauth_tryagain(krb5_context kcontext,
krb5_pa_data **padata,
krb5_pa_data ***return_padata,
krb5_error *err_reply,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data,
krb5_clpreauth_rock preauth_rock,
krb5_gic_opt_ext *opte)
{
@@ -1396,8 +1412,6 @@ krb5_do_preauth_tryagain(krb5_context kcontext,
padata[i],
err_reply,
prompter, prompter_data,
- gak_fct, gak_data, salt, s2kparams,
- as_key,
&out_padata) == 0) {
if (out_padata != NULL) {
int k;
@@ -1415,17 +1429,12 @@ krb5_do_preauth_tryagain(krb5_context kcontext,
}
krb5_error_code KRB5_CALLCONV
-krb5_do_preauth(krb5_context context,
- krb5_kdc_req *request,
+krb5_do_preauth(krb5_context context, krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data,
- krb5_clpreauth_rock preauth_rock, krb5_gic_opt_ext *opte)
+ krb5_clpreauth_rock rock, krb5_gic_opt_ext *opte)
{
unsigned int h;
int i, j, out_pa_list_size;
@@ -1525,19 +1534,24 @@ krb5_do_preauth(krb5_context context,
}
scratch.data = (char *) etype_info[l]->salt;
scratch.length = etype_info[l]->length;
- krb5_free_data_contents(context, salt);
+ krb5_free_data_contents(context, rock->salt);
if (scratch.length == KRB5_ETYPE_NO_SALT)
- salt->data = NULL;
- else
- if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
+ rock->salt->data = NULL;
+ else {
+ ret = krb5int_copy_data_contents(context, &scratch,
+ rock->salt);
+ if (ret)
goto cleanup;
- *etype = etype_info[l]->etype;
- krb5_free_data_contents(context, s2kparams);
- if ((ret = krb5int_copy_data_contents(context,
- &etype_info[l]->s2kparams,
- s2kparams)) != 0)
+ }
+ *rock->etype = etype_info[l]->etype;
+ krb5_free_data_contents(context, rock->s2kparams);
+ ret = krb5int_copy_data_contents(context,
+ &etype_info[l]->s2kparams,
+ rock->s2kparams);
+ if (ret)
goto cleanup;
- TRACE_PREAUTH_ETYPE_INFO(context, *etype, salt, s2kparams);
+ TRACE_PREAUTH_ETYPE_INFO(context, *rock->etype, rock->salt,
+ rock->s2kparams);
break;
}
case KRB5_PADATA_PW_SALT:
@@ -1558,11 +1572,13 @@ krb5_do_preauth(krb5_context context,
#endif
out_pa = NULL;
- if ((ret = ((*pa_types[j].fct)(context, request,
- in_padata[i], &out_pa,
- salt, s2kparams, etype, as_key,
- prompter, prompter_data,
- gak_fct, gak_data)))) {
+ ret = pa_types[j].fct(context, request, in_padata[i],
+ &out_pa, rock->salt,
+ rock->s2kparams, rock->etype,
+ rock->as_key, prompter,
+ prompter_data, *rock->gak_fct,
+ *rock->gak_data);
+ if (ret) {
if (paorder[h] == PA_INFO) {
TRACE_PREAUTH_INFO_FAIL(context,
in_padata[i]->pa_type,
@@ -1601,11 +1617,7 @@ krb5_do_preauth(krb5_context context,
in_padata[i],
prompter,
prompter_data,
- gak_fct,
- salt, s2kparams,
- gak_data,
- preauth_rock,
- as_key,
+ rock,
&out_pa_list,
&out_pa_list_size,
&module_ret,
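Review bot: get_as_key treats any key with non-zero length as reusable, which drops the enctype check that ec_process in preauth_ec.c used to make (`as_key->enctype != enctype`) before re-deriving the key. If the selected etype changes after a key has been derived — the etype-info2 handling in the `@@ -1525,19 +1534,24 @@` hunk assigns `*rock->etype` without touching `rock->as_key` in the visible lines — the callback hands back a key of the wrong enctype unless something outside this diff clears as_key on every etype change. Suggest `if (rock->as_key->length == 0 || rock->as_key->enctype != *rock->etype) {` followed by `krb5_free_keyblock_contents(context, rock->as_key);` before the gak_fct call, so a stale key is zeroized and re-derived rather than reused. The new callbacks also carry no comment stating that the keyblock returned by get_as_key is owned by the rock and must not be freed or modified by the module, or that set_as_key copies its argument and leaves ownership with the caller; a short header comment on each saying so would help plugin authors.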
diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c
index 3fcea374b..7e7565b6f 100644
--- a/src/lib/krb5/krb/preauth_ec.c
+++ b/src/lib/krb5/krb/preauth_ec.c
@@ -47,22 +47,13 @@ ec_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request, krb5_pa_data *padata,
krb5_prompter_fct prompter, void *prompter_data,
- krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
- krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
krb5_pa_data ***out_padata)
{
krb5_error_code retval = 0;
- krb5_enctype enctype;
- krb5_keyblock *challenge_key = NULL, *armor_key;
+ krb5_keyblock *challenge_key = NULL, *armor_key, *as_key;
armor_key = cb->fast_armor(context, rock);
- enctype = cb->get_etype(context, rock);
- if (as_key->length == 0 ||as_key->enctype != enctype) {
- retval = gak_fct(context, request->client,
- enctype, prompter, prompter_data,
- salt, s2kparams,
- as_key, gak_data);
- }
+ retval = cb->get_as_key(context, rock, &as_key);
if (retval == 0 && padata->length) {
krb5_enc_data *enc = NULL;
krb5_data scratch;
diff --git a/src/lib/krb5/krb/preauth_encts.c b/src/lib/krb5/krb/preauth_encts.c
index 6e3268603..63e4259eb 100644
--- a/src/lib/krb5/krb/preauth_encts.c
+++ b/src/lib/krb5/krb/preauth_encts.c
@@ -42,8 +42,6 @@ encts_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_kdc_req *request, krb5_data *encoded_request_body,
krb5_data *encoded_previous_request, krb5_pa_data *padata,
krb5_prompter_fct prompter, void *prompter_data,
- krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data,
- krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key,
krb5_pa_data ***out_padata)
{
krb5_error_code ret;
@@ -51,25 +49,14 @@ encts_process(krb5_context context, krb5_clpreauth_moddata moddata,
krb5_data *ts = NULL, *enc_ts = NULL;
krb5_enc_data enc_data;
krb5_pa_data **pa = NULL;
- krb5_enctype etype = cb->get_etype(context, rock);
+ krb5_keyblock *as_key;
enc_data.ciphertext = empty_data();
- if (as_key->length == 0) {
-#ifdef DEBUG
- fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__,
- salt->length);
- if ((int) salt->length > 0)
- fprintf (stderr, " '%.*s'", salt->length, salt->data);
- fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n",
- etype, request->ktype[0]);
-#endif
- ret = (*gak_fct)(context, request->client, etype, prompter,
- prompter_data, salt, s2kparams, as_key, gak_data);
- if (ret)
- goto cleanup;
- TRACE_PREAUTH_ENC_TS_KEY_GAK(context, as_key);
- }
+ ret = cb->get_as_key(context, rock, &as_key);
+ if (ret)
+ goto cleanup;
+ TRACE_PREAUTH_ENC_TS_KEY_GAK(context, as_key);
/* now get the time of day, and encrypt it accordingly */
ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec);