| author | Greg Hudson <ghudson@mit.edu> | 2012-10-27 15:29:48 -0400 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2012-12-19 14:24:23 -0500 |
| commit | f730fddc59265ee1621ec39f847ea047116a2127 (patch) | |
| tree | 0bcf1af7f7a2342e2928762f3ca9236d6226129d /src/lib | |
| parent | 5fa526b9db4940a221606f36e25e36ca525a47ab (diff) | |
Rename internal preauth functions
The preauth functions are internal to libkrb5, so use the k5_ prefix,
don't use KRB5_CALLCONV, and prototype them in int-proto.h. Also
remove krb5_do_preauth from the Unix libkrb5 export list.
Reorder the k5_preauth() and k5_preauth_tryagain() arguments for more
consistency with the clpreauth interface, and put the output padata
arguments at the end.
Rename any remaining uses of "kcontext" to "context" in preauth2.c.
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 68 | ||||
| -rw-r--r-- | src/lib/krb5/krb/int-proto.h | 34 | ||||
| -rw-r--r-- | src/lib/krb5/krb/preauth2.c | 117 | ||||
| -rw-r--r-- | src/lib/krb5/libkrb5.exports | 1 | ||||
| -rw-r--r-- | src/lib/krb5/os/init_os_ctx.c | 3 |
5 files changed, 120 insertions, 103 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index bcfc22e5d..377773e1c 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -685,7 +685,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
 if (code != 0)
 goto cleanup;
 ctx->preauth_rock.fast_state = ctx->fast_state;
- krb5_preauth_request_context_init(context);
+ k5_preauth_request_context_init(context);
 if (ctx->outer_request_body) {
 krb5_free_data(context, ctx->outer_request_body);
 ctx->outer_request_body = NULL;
@@ -732,7 +732,7 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
 goto cleanup;
 }
 /* give the preauth plugins a chance to prep the request body */
- krb5_preauth_prepare_request(context, ctx->opte, ctx->request);
+ k5_preauth_prepare_request(context, ctx->opte, ctx->request);
 /* Omit request start time in the common case. MIT and Heimdal KDCs will
 * ignore it for non-postdated tickets anyway. */
@@ -1017,7 +1017,7 @@ krb5_init_creds_set_service(krb5_context context,
 free(ctx->in_tkt_service);
 ctx->in_tkt_service = s;
- krb5_preauth_request_context_fini(context);
+ k5_preauth_request_context_fini(context);
 return restart_init_creds_loop(context, ctx, NULL);
 }
@@ -1263,17 +1263,11 @@ init_creds_step_request(krb5_context context,
 if (ctx->err_reply == NULL) {
 /* either our first attempt, or retrying after PREAUTH_NEEDED */
- code = krb5_do_preauth(context,
- ctx->request,
- ctx->inner_request_body,
- ctx->encoded_previous_request,
- ctx->preauth_to_use,
- &ctx->request->padata,
- ctx->prompter,
- ctx->prompter_data,
- &ctx->preauth_rock,
- ctx->opte,
- &got_real);
+ code = k5_preauth(context, ctx->opte, &ctx->preauth_rock, ctx->request,
+ ctx->inner_request_body,
+ ctx->encoded_previous_request, ctx->preauth_to_use,
+ ctx->prompter, ctx->prompter_data,
+ &ctx->request->padata, &got_real);
 if (code == 0 && !got_real && ctx->preauth_required)
 code = KRB5_PREAUTH_FAILED;
 if (code != 0)
@@ -1284,18 +1278,13 @@ init_creds_step_request(krb5_context context,
 * Retry after an error other than PREAUTH_NEEDED,
 * using ctx->err_padata to figure out what to change.
 */
- code = krb5_do_preauth_tryagain(context,
- ctx->request,
- ctx->inner_request_body,
- ctx->encoded_previous_request,
- ctx->preauth_to_use,
- &ctx->request->padata,
- ctx->err_reply,
- ctx->err_padata,
- ctx->prompter,
- ctx->prompter_data,
- &ctx->preauth_rock,
- ctx->opte);
+ code = k5_preauth_tryagain(context, ctx->opte, &ctx->preauth_rock,
+ ctx->request, ctx->inner_request_body,
+ ctx->encoded_previous_request,
+ ctx->preauth_to_use, ctx->err_reply,
+ ctx->err_padata, ctx->prompter,
+ ctx->prompter_data,
+ &ctx->request->padata);
 } else {
 /* No preauth supplied, so can't query the plugins. */
 code = KRB5KRB_ERR_GENERIC;
@@ -1452,7 +1441,7 @@ init_creds_step_reply(krb5_context context,
 goto cleanup;
 if (negotiation_requests_restart(context, ctx, ctx->err_padata)) {
 ctx->have_restarted = 1;
- krb5_preauth_request_context_fini(context);
+ k5_preauth_request_context_fini(context);
 if ((ctx->fast_state->fast_state_flags & KRB5INT_FAST_DO_FAST) ==0)
 ctx->enc_pa_rep_permitted = 0;
 code = restart_init_creds_loop(context, ctx, ctx->err_padata);
@@ -1468,7 +1457,7 @@ init_creds_step_reply(krb5_context context,
 ctx->err_padata = NULL;
 note_req_timestamp(context, &ctx->preauth_rock, ctx->err_reply->stime,
 ctx->err_reply->susec);
- /* this will trigger a new call to krb5_do_preauth() */
+ /* This will trigger a new call to k5_preauth(). */
 krb5_free_error(context, ctx->err_reply);
 ctx->err_reply = NULL;
 code = sort_krb5_padata_sequence(context,
@@ -1488,10 +1477,10 @@ init_creds_step_reply(krb5_context context,
 code = krb5int_copy_data_contents(context,
 &ctx->err_reply->client->realm,
 &ctx->request->client->realm);
- /* this will trigger a new call to krb5_do_preauth() */
+ /* This will trigger a new call to k5_preauth(). */
 krb5_free_error(context, ctx->err_reply);
 ctx->err_reply = NULL;
- krb5_preauth_request_context_fini(context);
+ k5_preauth_request_context_fini(context);
 /* Permit another negotiation based restart. */
 ctx->have_restarted = 0;
 ctx->sent_nontrivial_preauth = 0;
@@ -1521,7 +1510,7 @@ init_creds_step_reply(krb5_context context,
 goto cleanup;
 /* process any preauth data in the as_reply */
- krb5_clear_preauth_context_use_counts(context);
+ k5_reset_preauth_types_tried(context);
 code = krb5int_fast_process_response(context, ctx->fast_state, ctx->reply,
 &strengthen_key);
 if (code != 0)
@@ -1543,17 +1532,10 @@ init_creds_step_reply(krb5_context context,
 ctx->allowed_preauth_type = KRB5_PADATA_NONE;
 ctx->preauth_rock.selected_preauth_type = NULL;
- code = krb5_do_preauth(context,
- ctx->request,
- ctx->inner_request_body,
- ctx->encoded_previous_request,
- ctx->reply->padata,
- &kdc_padata,
- ctx->prompter,
- ctx->prompter_data,
- &ctx->preauth_rock,
- ctx->opte,
- &got_real);
+ code = k5_preauth(context, ctx->opte, &ctx->preauth_rock, ctx->request,
+ ctx->inner_request_body, ctx->encoded_previous_request,
+ ctx->reply->padata, ctx->prompter, ctx->prompter_data,
+ &kdc_padata, &got_real);
 if (code != 0)
 goto cleanup;
@@ -1671,7 +1653,7 @@ init_creds_step_reply(krb5_context context,
 }
 }
- krb5_preauth_request_context_fini(context);
+ k5_preauth_request_context_fini(context);
 /* success */
 code = 0;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index a45291551..12bee3398 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -204,6 +204,40 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
 int *use_master);
 krb5_error_code
+k5_preauth(krb5_context context, krb5_gic_opt_ext *opte,
+ krb5_clpreauth_rock rock, krb5_kdc_req *req,
+ krb5_data *req_body, krb5_data *prev_req, krb5_pa_data **in_padata,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_pa_data ***padata_out, krb5_boolean *got_real_out);
+
+krb5_error_code
+k5_preauth_tryagain(krb5_context context, krb5_gic_opt_ext *opte,
+ krb5_clpreauth_rock rock, krb5_kdc_req *req,
+ krb5_data *req_body, krb5_data *prev_req,
+ krb5_pa_data **in_padata, krb5_error *err_reply,
+ krb5_pa_data **err_padata, krb5_prompter_fct prompter,
+ void *prompter_data, krb5_pa_data ***padata_out);
+
+void
+k5_init_preauth_context(krb5_context context);
+
+void
+k5_free_preauth_context(krb5_context context);
+
+void
+k5_reset_preauth_types_tried(krb5_context context);
+
+void
+k5_preauth_prepare_request(krb5_context context, krb5_gic_opt_ext *opte,
+ krb5_kdc_req *request);
+
+void
+k5_preauth_request_context_init(krb5_context context);
+
+void
+k5_preauth_request_context_fini(krb5_context context);
+
+krb5_error_code
 k5_response_items_new(k5_response_items **ri_out);
 void
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index d25a3a98e..be560b2c4 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -88,8 +88,8 @@ find_module(clpreauth_handle *handles, krb5_preauthtype pa_type)
 }
 /* Initialize the preauth state for a krb5 context. */
-void KRB5_CALLCONV
-krb5_init_preauth_context(krb5_context kcontext)
+void
+k5_init_preauth_context(krb5_context context)
 {
 krb5_plugin_initvt_fn *modules = NULL, *mod;
 clpreauth_handle *list = NULL, h, h2;
@@ -97,25 +97,25 @@ krb5_init_preauth_context(krb5_context kcontext)
 krb5_preauthtype *tp;
 /* Only do this once for each krb5_context */
- if (kcontext->preauth_context != NULL)
+ if (context->preauth_context != NULL)
 return;
 /* Auto-register built-in modules. */
- k5_plugin_register_dyn(kcontext, PLUGIN_INTERFACE_CLPREAUTH, "pkinit",
+ k5_plugin_register_dyn(context, PLUGIN_INTERFACE_CLPREAUTH, "pkinit",
 "preauth");
- k5_plugin_register(kcontext, PLUGIN_INTERFACE_CLPREAUTH,
+ k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH,
 "encrypted_challenge", clpreauth_encrypted_challenge_initvt);
- k5_plugin_register(kcontext, PLUGIN_INTERFACE_CLPREAUTH,
+ k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH,
 "encrypted_timestamp", clpreauth_encrypted_timestamp_initvt);
- k5_plugin_register(kcontext, PLUGIN_INTERFACE_CLPREAUTH, "sam2",
+ k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH, "sam2",
 clpreauth_sam2_initvt);
- k5_plugin_register(kcontext, PLUGIN_INTERFACE_CLPREAUTH, "otp",
+ k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH, "otp",
 clpreauth_otp_initvt);
 /* Get all available clpreauth vtables. */
- if (k5_plugin_load_all(kcontext, PLUGIN_INTERFACE_CLPREAUTH, &modules))
+ if (k5_plugin_load_all(context, PLUGIN_INTERFACE_CLPREAUTH, &modules))
 return;
 /* Allocate a large enough list of handles. */
@@ -132,7 +132,7 @@ krb5_init_preauth_context(krb5_context kcontext)
 goto cleanup;
 /* Initialize the handle vtable. */
- if ((*mod)(kcontext, 1, 1, (krb5_plugin_vtable)&h->vt) != 0) {
+ if ((*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt) != 0) {
 free(h);
 continue;
 }
@@ -141,7 +141,7 @@ krb5_init_preauth_context(krb5_context kcontext)
 for (tp = h->vt.pa_type_list; *tp != 0; tp++) {
 h2 = find_module(list, *tp);
 if (h2 != NULL) {
- TRACE_PREAUTH_CONFLICT(kcontext, h->vt.name, h2->vt.name, *tp);
+ TRACE_PREAUTH_CONFLICT(context, h->vt.name, h2->vt.name, *tp);
 break;
 }
 }
@@ -150,7 +150,7 @@ krb5_init_preauth_context(krb5_context kcontext)
 /* Initialize the module data. */
 h->data = NULL;
- if (h->vt.init != NULL && h->vt.init(kcontext, &h->data) != 0) {
+ if (h->vt.init != NULL && h->vt.init(context, &h->data) != 0) {
 free(h);
 continue;
 }
@@ -160,23 +160,25 @@ krb5_init_preauth_context(krb5_context kcontext)
 list[count] = NULL;
 /* Place the constructed preauth context into the krb5 context. */
- kcontext->preauth_context = malloc(sizeof(struct krb5_preauth_context_st));
- if (kcontext->preauth_context == NULL)
+ context->preauth_context = malloc(sizeof(struct krb5_preauth_context_st));
+ if (context->preauth_context == NULL)
 goto cleanup;
- kcontext->preauth_context->tried = NULL;
- kcontext->preauth_context->handles = list;
+ context->preauth_context->tried = NULL;
+ context->preauth_context->handles = list;
 list = NULL;
 cleanup:
- k5_plugin_free_modules(kcontext, modules);
- free_handles(kcontext, list);
+ k5_plugin_free_modules(context, modules);
+ free_handles(context, list);
 }
-/* Zero the use counts for the modules herein. Usually used before we
- * start processing any data from the server, at which point every module
- * will again be able to take a crack at whatever the server sent. */
-void KRB5_CALLCONV
-krb5_clear_preauth_context_use_counts(krb5_context context)
+/*
+ * Reset the memory of which preauth types we have already tried, because we
+ * are entering a new phase of padata processing (such as the padata in an
+ * AS-REP).
+ */
+void
+k5_reset_preauth_types_tried(krb5_context context)
 {
 struct krb5_preauth_context_st *pctx = context->preauth_context;
@@ -190,8 +192,8 @@ krb5_clear_preauth_context_use_counts(krb5_context context)
 /* Free the per-krb5_context preauth_context. This means clearing any
 * plugin-specific context which may have been created, and then
 * freeing the context itself. */
-void KRB5_CALLCONV
-krb5_free_preauth_context(krb5_context context)
+void
+k5_free_preauth_context(krb5_context context)
 {
 struct krb5_preauth_context_st *pctx = context->preauth_context;
@@ -205,19 +207,19 @@ krb5_free_preauth_context(krb5_context context)
 /* Initialize the per-AS-REQ context. This means calling the client_req_init
 * function to give the plugin a chance to allocate a per-request context. */
-void KRB5_CALLCONV
-krb5_preauth_request_context_init(krb5_context context)
+void
+k5_preauth_request_context_init(krb5_context context)
 {
 struct krb5_preauth_context_st *pctx = context->preauth_context;
 clpreauth_handle *hp, h;
 if (pctx == NULL) {
- krb5_init_preauth_context(context);
+ k5_init_preauth_context(context);
 pctx = context->preauth_context;
 if (pctx == NULL)
 return;
 }
- krb5_clear_preauth_context_use_counts(context);
+ k5_reset_preauth_types_tried(context);
 for (hp = pctx->handles; *hp != NULL; hp++) {
 h = *hp;
 if (h->vt.request_init != NULL)
@@ -227,8 +229,8 @@ krb5_preauth_request_context_init(krb5_context context)
 /* Free the per-AS-REQ context. This means clearing any request-specific
 * context which the plugin may have created. */
-void KRB5_CALLCONV
-krb5_preauth_request_context_fini(krb5_context context)
+void
+k5_preauth_request_context_fini(krb5_context context)
 {
 struct krb5_preauth_context_st *pctx = context->preauth_context;
 clpreauth_handle *hp, h;
@@ -489,12 +491,11 @@ static struct krb5_clpreauth_callbacks_st callbacks = {
 /* Tweak the request body, for now adding any enctypes which the module claims
 * to add support for to the list, but in the future perhaps doing more
 * involved things. */
-void KRB5_CALLCONV
-krb5_preauth_prepare_request(krb5_context kcontext,
- krb5_gic_opt_ext *opte,
- krb5_kdc_req *request)
+void
+k5_preauth_prepare_request(krb5_context context, krb5_gic_opt_ext *opte,
+ krb5_kdc_req *req)
 {
- struct krb5_preauth_context_st *pctx = kcontext->preauth_context;
+ struct krb5_preauth_context_st *pctx = context->preauth_context;
 clpreauth_handle *hp, h;
 krb5_enctype *ep;
@@ -508,7 +509,7 @@ krb5_preauth_prepare_request(krb5_context kcontext,
 if (h->vt.enctype_list == NULL)
 continue;
 for (ep = h->vt.enctype_list; *ep != ENCTYPE_NULL; ep++)
- grow_ktypes(&request->ktype, &request->nktypes, *ep);
+ grow_ktypes(&req->ktype, &req->nktypes, *ep);
 }
 }
@@ -840,13 +841,13 @@ add_s4u_x509_user_padata(krb5_context context, krb5_s4u_userid *userid,
 * err_reply, return 0. If it's the sort of correction which requires that we
 * ask the user another question, we let the calling application deal with it.
 */
-krb5_error_code KRB5_CALLCONV
-krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *req,
- krb5_data *req_body, krb5_data *prev_req,
- krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_error *err_reply, krb5_pa_data **err_padata,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_clpreauth_rock rock, krb5_gic_opt_ext *opte)
+krb5_error_code
+k5_preauth_tryagain(krb5_context context, krb5_gic_opt_ext *opte,
+ krb5_clpreauth_rock rock, krb5_kdc_req *req,
+ krb5_data *req_body, krb5_data *prev_req,
+ krb5_pa_data **in_padata, krb5_error *err_reply,
+ krb5_pa_data **err_padata, krb5_prompter_fct prompter,
+ void *prompter_data, krb5_pa_data ***padata_out)
 {
 struct krb5_preauth_context_st *pctx = context->preauth_context;
 krb5_error_code ret;
@@ -855,14 +856,13 @@ krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *req,
 clpreauth_handle h;
 int i;
- *out_padata = NULL;
+ *padata_out = NULL;
 if (pctx == NULL)
 return KRB5KRB_ERR_GENERIC;
 TRACE_PREAUTH_TRYAGAIN_INPUT(context, in_padata);
 for (i = 0; in_padata[i] != NULL; i++) {
- out_padata = NULL;
 h = find_module(pctx->handles, in_padata[i]->pa_type);
 if (h == NULL)
 continue;
@@ -873,7 +873,7 @@ krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *req,
 prompter_data, &mod_pa);
 if (ret == 0 && mod_pa != NULL) {
 TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa);
- *out_padata = mod_pa;
+ *padata_out = mod_pa;
 return 0;
 }
 }
@@ -910,12 +910,12 @@ fill_response_items(krb5_context context, krb5_get_init_creds_opt *opt,
 return 0;
 }
-krb5_error_code KRB5_CALLCONV
-krb5_do_preauth(krb5_context context, krb5_kdc_req *req, krb5_data *req_body,
- krb5_data *prev_req, krb5_pa_data **in_padata,
- krb5_pa_data ***out_padata, krb5_prompter_fct prompter,
- void *prompter_data, krb5_clpreauth_rock rock,
- krb5_gic_opt_ext *opte, krb5_boolean *got_real_out)
+krb5_error_code
+k5_preauth(krb5_context context, krb5_gic_opt_ext *opte,
+ krb5_clpreauth_rock rock, krb5_kdc_req *req,
+ krb5_data *req_body, krb5_data *prev_req, krb5_pa_data **in_padata,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_pa_data ***padata_out, krb5_boolean *got_real_out)
 {
 int out_pa_list_size = 0;
 krb5_pa_data **out_pa_list = NULL;
@@ -923,7 +923,7 @@ krb5_do_preauth(krb5_context context, krb5_kdc_req *req, krb5_data *req_body,
 krb5_responder_fn responder = opte->opt_private->responder;
 krb5_get_init_creds_opt *opt = (krb5_get_init_creds_opt *)opte;
- *out_padata = NULL;
+ *padata_out = NULL;
 *got_real_out = FALSE;
 if (in_padata == NULL)
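Review bot: The dropped `- out_padata = NULL;` at the top of the for loop is a crash fix hiding inside a rename: with that line in place, the `*out_padata = mod_pa;` in the following hunk wrote through a NULL pointer whenever a module actually produced try-again padata, so the retry path could not have succeeded without faulting (unless something in the unseen lines between the two hunks reassigns the pointer). A reader of "Rename internal preauth functions" will not look here for a behaviour change, so it deserves a sentence in the commit message or its own commit. The enclosing function k5_preauth_tryagain begins in the previous hunk and its body continues past this one.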
@@ -951,9 +951,10 @@ krb5_do_preauth(krb5_context context, krb5_kdc_req *req, krb5_data *req_body,
 }
 /* If we can't initialize the preauth context, stop with what we have. */
- krb5_init_preauth_context(context);
+ k5_init_preauth_context(context);
 if (context->preauth_context == NULL) {
- *out_padata = out_pa_list;
+ *padata_out = out_pa_list;
+ out_pa_list = NULL;
 goto error;
 }
@@ -978,7 +979,7 @@ krb5_do_preauth(krb5_context context, krb5_kdc_req *req, krb5_data *req_body,
 goto error;
 TRACE_PREAUTH_OUTPUT(context, out_pa_list);
- *out_padata = out_pa_list;
+ *padata_out = out_pa_list;
 return 0;
 error:
@@ -1001,7 +1002,7 @@ krb5_preauth_supply_preauth_data(krb5_context context, krb5_gic_opt_ext *opte,
 const char *emsg = NULL;
 if (pctx == NULL) {
- krb5_init_preauth_context(context);
+ k5_init_preauth_context(context);
 pctx = context->preauth_context;
 if (pctx == NULL) {
 krb5_set_error_message(context, EINVAL,
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 078c02048..eb3eb79c8 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -256,7 +256,6 @@ krb5_decrypt_tkt_part
 krb5_default_pwd_prompt1
 krb5_default_pwd_prompt2
 krb5_deltat_to_string
-krb5_do_preauth
 krb5_encode_authdata_container
 krb5_encode_kdc_rep
 krb5_encrypt_helper
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index c4bf3019c..56b8d92f7 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -28,6 +28,7 @@
 #include "k5-int.h"
 #include "os-proto.h"
+#include "../krb/int-proto.h"
 #include "prof_int.h" /* XXX for profile_copy, not public yet */
 #if defined(_WIN32)
@@ -517,7 +518,7 @@ krb5_os_free_context(krb5_context ctx)
 }
 if (ctx->preauth_context) {
- krb5_free_preauth_context(ctx);
+ k5_free_preauth_context(ctx);
 ctx->preauth_context = NULL;
 }
 krb5int_close_plugin_dirs (&ctx->libkrb5_plugins); |
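Review bot: The added `out_pa_list = NULL;` in the preauth-context-init failure branch is a behaviour change, not a rename: the list is handed to the caller via `*padata_out` and then control jumps to `error:`, which is outside this hunk but which the new line only makes sense if it frees `out_pa_list`, so the old code presumably freed what the caller had just been given. That is a double-free/use-after-free fix and should be named in the commit message or split out. A one-line comment would also keep the ownership hand-off obvious to the next editor: `out_pa_list = NULL;  /* caller now owns the list; error: must not free it */`. The enclosing function k5_preauth starts in the previous hunk and continues past this one.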
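Review bot: `#include "../krb/int-proto.h"` in init_os_ctx.c is the only include in that list written as a relative path across directories; the neighbouring `k5-int.h`, `os-proto.h` and `prof_int.h` appear to be resolved through the include path instead. Since os/ needs only `k5_free_preauth_context` here, declaring that one prototype where os/ already looks (k5-int.h is included just above) or adding krb/ to the os/ include path would avoid tying os/ to the krb/ directory layout. The body of krb5_os_free_context lies outside this hunk.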
