| author | Kevin Coffman <kwc@citi.umich.edu> | 2006-11-01 22:40:30 +0000 |
|---|---|---|
| committer | Kevin Coffman <kwc@citi.umich.edu> | 2006-11-01 22:40:30 +0000 |
| commit | 2b2f711f2addee052253e4ff54fb7cdf3e20c0ae (patch) | |
| tree | a3e86969623f704a21780e47936a7a0ee5cd15f0 /src/plugins | |
| parent | 45fde258dbced00d2db9d999d5749cb186f2250d (diff) | |
Modify the preauth plugin interface so that a plugin's context is
global to all the modules within a plugin. Also, change the
client-side interface so that the preauth plugin context (once
created) lives the lifetime of a krb5_context. This will allow
future changes that can set plugin parameters. The client side
request context lives the lifetime of a call to krb5_get_init_creds().
Make the sample preauth plugins buildable outside the source tree.
Fix minor memory leak in sort_krb5_padata_sequence().
Add a prototype for krb5_do_preauth_tryagain() and change the plugin
interface.
Incorporates fixes from Nalin Dahyabhai <nalin@redhat.com> for leaks
of the function table pointers (rt #4566) and fix KDC crash (rt #4567)
ticket: 4566
ticket: 4567
ticket: 4587
Target_Version: 1.6
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18754 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/preauth/cksum_body/Makefile.in | 6 | ||||
| -rw-r--r-- | src/plugins/preauth/cksum_body/cksum_body_main.c (renamed from src/plugins/preauth/cksum_body/src/cksum_body.c) | 41 | ||||
| -rw-r--r-- | src/plugins/preauth/wpse/Makefile.in | 6 | ||||
| -rw-r--r-- | src/plugins/preauth/wpse/wpse_main.c (renamed from src/plugins/preauth/wpse/src/wpse.c) | 111 |
4 files changed, 98 insertions, 66 deletions
diff --git a/src/plugins/preauth/cksum_body/Makefile.in b/src/plugins/preauth/cksum_body/Makefile.in
index ddac24dca..83d7cdb5b 100644
--- a/src/plugins/preauth/cksum_body/Makefile.in
+++ b/src/plugins/preauth/cksum_body/Makefile.in
@@ -9,7 +9,7 @@ PROG_RPATH=$(KRB5_LIBDIR)
 MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
 DEFS=@DEFS@
-LOCALINCLUDES = -I../../../include/krb5
+LOCALINCLUDES = -I../../../include/krb5 -I.
 LIBBASE=cksum_body
 LIBMAJOR=0
@@ -25,9 +25,9 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS)
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 STOBJLISTS=OBJS.ST
-STLIBOBJS=src/cksum_body.o
+STLIBOBJS=cksum_body_main.o
-SRCS= $(srcdir)/src/cksum_body.c
+SRCS= $(srcdir)/cksum_body_main.c
 all-unix:: $(LIBBASE)$(SO_EXT)
 install-unix:: install-libs
diff --git a/src/plugins/preauth/cksum_body/src/cksum_body.c b/src/plugins/preauth/cksum_body/cksum_body_main.c
index 31ecaf839..abf019a75 100644
--- a/src/plugins/preauth/cksum_body/src/cksum_body.c
+++ b/src/plugins/preauth/cksum_body/cksum_body_main.c
@@ -44,7 +44,7 @@
 #ident "$Id$"
 #ifdef HAVE_CONFIG_H
-#include "../config.h"
+#include "config.h"
 #endif
 #ifdef HAVE_ERRNO_H
@@ -76,8 +76,8 @@ client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
 static krb5_error_code
 client_process(krb5_context kcontext,
- void *client_module_context,
- void **client_request_context,
+ void *client_plugin_context,
+ void *client_request_context,
 krb5_kdc_req *request,
 krb5_data *encoded_request_body,
 krb5_data *encoded_previous_request,
@@ -85,8 +85,8 @@ client_process(krb5_context kcontext,
 krb5_prompter_fct prompter,
 void *prompter_data,
 preauth_get_as_key_proc gak_fct,
- krb5_data *salt, krb5_data *s2kparams,
 void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
 krb5_keyblock *as_key,
 krb5_pa_data **out_pa_data)
 {
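Review bot: The `client_process` prototype changes in the hunks at -76 and -85 (`void **client_request_context` becomes `void *`, and `gak_data` moves ahead of `salt`/`s2kparams`) change how the library calls a table that is still named `krb5plugin_preauth_client_ftable_v0` and exported as `preauthentication_client_0`. The table hunks in cksum_body_main.c and wpse_main.c additionally insert a request-init slot ahead of the process slot, so a module built against the previous layout would presumably be loaded under the same symbol and called through shifted slots with mismatched arguments. The header that defines the table is not part of this diff, so whether the loader can tell the two layouts apart cannot be confirmed from here. I would bump the table version, or at least add above each table a comment such as `/* v0 layout changed: request init/fini slots added, client_process arguments reordered; modules must be rebuilt */`. client_process's body is outside both hunks.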
@@ -94,7 +94,7 @@ client_process(krb5_context kcontext,
 krb5_checksum checksum;
 krb5_enctype enctype;
 krb5_cksumtype *cksumtypes;
- krb5_error_code status;
+ krb5_error_code status = 0;
 krb5_int32 cksumtype, *enctypes;
 unsigned int i, n_enctypes, cksumtype_count;
@@ -193,8 +193,7 @@ client_process(krb5_context kcontext,
 /* Initialize and tear down the server-side module, and do stat tracking. */
 static krb5_error_code
-server_init(krb5_context kcontext, krb5_preauthtype pa_type,
- void **module_context)
+server_init(krb5_context kcontext, void **module_context)
 {
 struct server_stats *stats;
 stats = malloc(sizeof(struct server_stats));
@@ -206,15 +205,14 @@ server_init(krb5_context kcontext, krb5_preauthtype pa_type,
 return 0;
 }
 static void
-server_fini(krb5_context kcontext, krb5_preauthtype pa_type,
- void *module_context)
+server_fini(krb5_context kcontext, void *module_context)
 {
 struct server_stats *stats;
 stats = module_context;
 if (stats != NULL) {
 #ifdef DEBUG
- fprintf(stderr, "Total %d clients failed pa_type %d, %d succeeded.\n",
- stats->failures, pa_type, stats->successes);
+ fprintf(stderr, "Total: %d clients failed, %d succeeded.\n",
+ stats->failures, stats->successes);
 #endif
 free(stats);
 }
@@ -254,7 +252,7 @@ server_get_edata(krb5_context kcontext,
 krb5_free_keyblock_contents(kcontext, &keys[i]);
 /* Return the list of encryption types. */
- enctypes = malloc(i * 4);
+ enctypes = malloc((unsigned)i * 4);
 if (enctypes == NULL) {
 krb5_free_data(kcontext, key_data);
 return ENOMEM;
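Review bot: Defaulting `status` to 0 in client_process means any path that falls through without assigning it now reports success instead of returning an indeterminate value. For preauthentication code a fail-closed default is safer: `krb5_error_code status = KRB5KRB_ERR_GENERIC;`, with `status = 0;` set only where the checksum padata has actually been produced. The body of client_process is outside this hunk, so which paths leave `status` unset is not visible here and should be checked before choosing the default.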
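Review bot: The `(unsigned)` cast in `malloc((unsigned)i * 4)` in server_get_edata only quiets a conversion warning; the literal 4 still hard-codes the element size and the multiplication is unchecked. I would write `enctypes = malloc((size_t)i * sizeof(*enctypes));` so the size follows the pointer's type, and handle `i == 0` before the call, since `malloc(0)` may return NULL and would then be reported as ENOMEM. The declarations of `i` and `enctypes` are outside the hunk, so their types are assumed from the usage shown.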
@@ -469,15 +467,16 @@ static krb5_preauthtype supported_server_pa_types[] = {
 };
 struct krb5plugin_preauth_client_ftable_v0 preauthentication_client_0 = {
- "cksum_body",
- &supported_client_pa_types[0],
- NULL,
- NULL,
- NULL,
- client_get_flags,
- NULL,
- client_process,
- NULL,
+ "cksum_body", /* name */
+ &supported_client_pa_types[0], /* pa_type_list */
+ NULL, /* enctype_list */
+ NULL, /* plugin init function */
+ NULL, /* plugin fini function */
+ client_get_flags, /* get flags function */
+ NULL, /* request init function */
+ NULL, /* request fini function */
+ client_process, /* process function */
+ NULL, /* try_again function */
 };
 struct krb5plugin_preauth_server_ftable_v0 preauthentication_server_0 = {
diff --git a/src/plugins/preauth/wpse/Makefile.in b/src/plugins/preauth/wpse/Makefile.in
index 6b18a7c06..6c2830f50 100644
--- a/src/plugins/preauth/wpse/Makefile.in
+++ b/src/plugins/preauth/wpse/Makefile.in
@@ -9,7 +9,7 @@ PROG_RPATH=$(KRB5_LIBDIR)
 MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
 DEFS=@DEFS@
-LOCALINCLUDES = -I../../../include/krb5
+LOCALINCLUDES = -I../../../include/krb5 -I.
 LIBBASE=wpse
 LIBMAJOR=0
@@ -25,9 +25,9 @@ SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS)
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
 STOBJLISTS=OBJS.ST
-STLIBOBJS=src/wpse.o
+STLIBOBJS=wpse_main.o
-SRCS= $(srcdir)/src/wpse.c
+SRCS=wpse_main.c
 all-unix:: $(LIBBASE)$(SO_EXT)
 install-unix:: install-libs
diff --git a/src/plugins/preauth/wpse/src/wpse.c b/src/plugins/preauth/wpse/wpse_main.c
index 07c52d95a..e7d7b6d55 100644
--- a/src/plugins/preauth/wpse/src/wpse.c
+++ b/src/plugins/preauth/wpse/wpse_main.c
@@ -33,7 +33,7 @@
 #ident "$Id$"
 #ifdef HAVE_CONFIG_H
-#include "../config.h"
+#include "config.h"
 #endif
 #ifdef HAVE_ERRNO_H
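Review bot: `SRCS=wpse_main.c` in the wpse Makefile.in hunk at -25 drops the `$(srcdir)/` prefix that the matching cksum_body hunk keeps (`SRCS= $(srcdir)/cksum_body_main.c`), so the two sample plugins now locate their source differently. If the build directory differs from the source directory, rules that consume SRCS (dependency generation, presumably) would look for wpse_main.c in the wrong place. Unless the difference is intended, use `SRCS= $(srcdir)/wpse_main.c`.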
@@ -60,36 +60,36 @@ client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type)
 }
 static krb5_error_code
-client_init(krb5_context kcontext, krb5_preauthtype pa_type, void **ctx)
+client_init(krb5_context kcontext, void **ctx)
 {
- int *mctx;
+ int *pctx;
- mctx = malloc(sizeof(int));
- if (mctx == NULL)
+ pctx = malloc(sizeof(int));
+ if (pctx == NULL)
 return ENOMEM;
- *mctx = 0;
- *ctx = mctx;
+ *pctx = 0;
+ *ctx = pctx;
 return 0;
 }
 static void
-client_fini(krb5_context kcontext, krb5_preauthtype pa_type, void *ctx)
+client_fini(krb5_context kcontext, void *ctx)
 {
- int *mctx;
+ int *pctx;
- mctx = ctx;
- if (mctx) {
+ pctx = ctx;
+ if (pctx) {
 #ifdef DEBUG
- fprintf(stderr, "wpse module called total of %d times\n", *mctx);
+ fprintf(stderr, "wpse module called total of %d times\n", *pctx);
 #endif
- free(mctx);
+ free(pctx);
 }
 }
 static krb5_error_code
 client_process(krb5_context kcontext,
- void *module_context,
- void **request_context,
+ void *plugin_context,
+ void *request_context,
 krb5_kdc_req *request,
 krb5_data *encoded_request_body,
 krb5_data *encoded_previous_request,
@@ -97,8 +97,8 @@ client_process(krb5_context kcontext,
 krb5_prompter_fct prompter,
 void *prompter_data,
 preauth_get_as_key_proc gak_fct,
- krb5_data *salt, krb5_data *s2kparams,
 void *gak_data,
+ krb5_data *salt, krb5_data *s2kparams,
 krb5_keyblock *as_key,
 krb5_pa_data **out_pa_data)
 {
@@ -106,16 +106,16 @@ client_process(krb5_context kcontext,
 krb5_int32 nnonce, enctype;
 krb5_keyblock *kb;
 krb5_error_code status;
- int *mctx;
+ int *pctx;
 #ifdef DEBUG
 fprintf(stderr, "%d bytes of preauthentication data (type %d)\n",
 pa_data->length, pa_data->pa_type);
 #endif
- mctx = module_context;
- if (mctx) {
- (*mctx)++;
+ pctx = plugin_context;
+ if (pctx) {
+ (*pctx)++;
 }
 if (pa_data->length == 0) {
@@ -134,10 +134,6 @@ client_process(krb5_context kcontext,
 nnonce = htonl(request->nonce);
 memcpy(send_pa->contents, &nnonce, 4);
 *out_pa_data = send_pa;
- /* Allocate a context. Useful for verifying that we do in fact
- * do per-request cleanup. */
- if (*request_context == NULL)
- *request_context = malloc(4);
 } else {
 /* A reply from the KDC. Conventionally this would be
 * indicated by a different preauthentication type, but this
@@ -163,20 +159,56 @@ client_process(krb5_context kcontext,
 return 0;
 }
+#define WPSE_MAGIC 0x77707365
+typedef struct _wpse_req_ctx
+{
+ int magic;
+ int value;
+} wpse_req_ctx;
+
 static void
-client_cleanup(krb5_context kcontext, void *module_context,
- void **request_context)
+client_req_init(krb5_context kcontext, void *plugin_context, void **req_context_p)
 {
- if (*request_context != NULL) {
- free(*request_context);
- *request_context = NULL;
+ wpse_req_ctx *ctx;
+
+ *req_context_p = NULL;
+
+ /* Allocate a request context. Useful for verifying that we do in fact
+ * do per-request cleanup. */
+ ctx = (wpse_req_ctx *) malloc(sizeof(*ctx));
+ if (ctx == NULL)
+ return;
+ ctx->magic = WPSE_MAGIC;
+ ctx->value = 0xc0dec0de;
+
+ *req_context_p = ctx;
+}
+
+static void
+client_req_cleanup(krb5_context kcontext, void *plugin_context, void *req_context)
+{
+ wpse_req_ctx *ctx = (wpse_req_ctx *)req_context;
+
+ if (ctx) {
+#ifdef DEBUG
+ fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n",
+ ctx, ctx->magic, ctx->value);
+#endif
+ if (ctx->magic != WPSE_MAGIC) {
+#ifdef DEBUG
+ fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n",
+ ctx, ctx->magic);
+#endif
+ return;
+ }
+ free(ctx);
 }
 return;
 }
 /* Free state. */
 static krb5_error_code
-server_free_pa_request_context(krb5_context kcontext, void *module_context,
+server_free_pa_request_context(krb5_context kcontext, void *plugin_context,
 void **request_context)
 {
 if (*request_context != NULL) {
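Review bot: In client_req_cleanup the magic value is checked but never cleared, so a second cleanup of the same pointer may still find WPSE_MAGIC in the freed block and free it again; adding `ctx->magic = 0;` immediately before `free(ctx);` makes the check more likely to catch a stale pointer. The bad-magic branch also returns silently unless DEBUG is defined, which hides a corrupted or foreign request context from the caller. Separately, `ctx->value = 0xc0dec0de;` does not fit in `int` and both fields are printed with `%x`, so `unsigned int magic; unsigned int value;` in wpse_req_ctx and `(void *)ctx` for `%p` would make the debug output well-defined.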
@@ -317,15 +349,16 @@ static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
 static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0};
 struct krb5plugin_preauth_client_ftable_v0 preauthentication_client_0 = {
- "wpse",
- &supported_client_pa_types[0],
- NULL,
- client_init,
- client_fini,
- client_get_flags,
- client_cleanup,
- client_process,
- NULL,
+ "wpse", /* name */
+ &supported_client_pa_types[0], /* pa_type_list */
+ NULL, /* enctype_list */
+ client_init, /* plugin init function */
+ client_fini, /* plugin fini function */
+ client_get_flags, /* get flags function */
+ client_req_init, /* request init function */
+ client_req_cleanup, /* request fini function */
+ client_process, /* process function */
+ NULL, /* try_again function */
 };
 struct krb5plugin_preauth_server_ftable_v0 preauthentication_server_0 = {
|
