diff options
| author | Greg Hudson <ghudson@mit.edu> | 2011-10-05 17:27:15 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-10-05 17:27:15 +0000 |
| commit | 4902dd11b115320f252f73d59a692db9ad7dd600 (patch) | |
| tree | 2c05d6c2742979f5829012ec16c1b224e4f8cfc9 /src/plugins | |
| parent | 57a52177feee207d8b3f4bd0fbf7a3d7ee09c070 (diff) | |
| download | krb5-4902dd11b115320f252f73d59a692db9ad7dd600.tar.gz krb5-4902dd11b115320f252f73d59a692db9ad7dd600.tar.xz krb5-4902dd11b115320f252f73d59a692db9ad7dd600.zip | |
Use an opaque handle in the kdcpreauth callback
Instead of passing a request and entry to the kdcpreauth get_data
callback, pass an opaque handle. Remove DB entry and key data
parameters from kdcpreauth methods (but keep the request, since that's
transparent).
The SecurID plugin links against libkdb5 and needs access to the client
DB entry. Rather than continue to pass a DB entry to kdcpreauth
methods, add a get_data callback to get the client DB entry for the few
plugins which might need it.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25300 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/preauth/cksum_body/cksum_body_main.c | 29 | ||||
| -rw-r--r-- | src/plugins/preauth/fast_factor.h | 58 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/deps | 22 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 2 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 22 | ||||
| -rw-r--r-- | src/plugins/preauth/securid_sam2/securid_sam2_main.c | 36 | ||||
| -rw-r--r-- | src/plugins/preauth/wpse/wpse_main.c | 14 |
7 files changed, 60 insertions, 123 deletions
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index 06ba14d5a..144ab6d96 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -272,13 +272,9 @@ server_fini(krb5_context kcontext, krb5_kdcpreauth_moddata moddata) /* Obtain and return any preauthentication data (which is destined for the * client) which matches type data->pa_type. */ static krb5_error_code -server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, - krb5_kdcpreauth_moddata moddata, - krb5_pa_data *data) +server_get_edata(krb5_context kcontext, krb5_kdc_req *request, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { krb5_data *key_data; krb5_keyblock *keys, *key; @@ -287,8 +283,7 @@ server_get_edata(krb5_context kcontext, /* Retrieve the client's keys. */ key_data = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_keys, &key_data) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) { #ifdef DEBUG fprintf(stderr, "Error retrieving client keys.\n"); #endif @@ -331,12 +326,12 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static void server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -394,8 +389,7 @@ server_verify(krb5_context kcontext, /* Pull up the client's keys. */ key_data = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_keys, &key_data) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) { #ifdef DEBUG fprintf(stderr, "Error retrieving client keys.\n"); #endif @@ -454,9 +448,7 @@ server_verify(krb5_context kcontext, * extract the structure directly from the req_pkt structure. This * will probably work if it's us on both ends, though. */ req_body = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_request_body, - &req_body) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_request_body, &req_body) != 0) { krb5_free_keyblock(kcontext, key); stats->failures++; (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); @@ -593,14 +585,13 @@ server_verify(krb5_context kcontext, static krb5_error_code server_return(krb5_context kcontext, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h deleted file mode 100644 index f585bc22c..000000000 --- a/src/plugins/preauth/fast_factor.h +++ /dev/null @@ -1,58 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ - -/* - * Returns success with a null armor_key if FAST is available but not in use. - * Returns failure if the client library does not support FAST. - */ -static inline krb5_error_code -fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data, - krb5_clpreauth_rock rock, krb5_keyblock **armor_key) -{ - krb5_error_code retval = 0; - krb5_data *data; - retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_data(context, rock, krb5_clpreauth_free_fast_armor, &data); - } - return retval; -} - -static inline krb5_error_code -fast_kdc_get_armor_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_entry, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - krb5_keyblock **armor_key) -{ - krb5_error_code retval; - krb5_data *data; - retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor, - &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_entry(context, request, client, - krb5_kdcpreauth_free_fast_armor, &data); - } - return retval; -} - - - -static inline krb5_error_code -fast_kdc_replace_reply_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_data, - krb5_kdc_req *request) -{ - return 0; -} - -static inline krb5_error_code -fast_set_kdc_verified(krb5_context context, - krb5_clpreauth_get_data_fn get_data, - krb5_clpreauth_rock rock) -{ - return 0; -} diff --git a/src/plugins/preauth/pkinit/deps b/src/plugins/preauth/pkinit/deps index 8ad6b14db..ceff74918 100644 --- a/src/plugins/preauth/pkinit/deps +++ b/src/plugins/preauth/pkinit/deps @@ -16,16 +16,16 @@ pkinit_accessor.so pkinit_accessor.po $(OUTPRE)pkinit_accessor.$(OBJEXT): \ pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ - pkinit_srv.c + $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \ + pkinit_accessor.h pkinit_crypto.h pkinit_srv.c pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \ @@ -49,7 +49,7 @@ pkinit_kdf_constants.so pkinit_kdf_constants.po $(OUTPRE)pkinit_kdf_constants.$( pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_constants.c pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \ diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 4860e0712..f8cfac5ad 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -42,7 +42,7 @@ #include "pkinit.h" /* Remove when FAST PKINIT is settled. */ -#include "../fast_factor.h" +#include "fast_factor.h" /* * It is anticipated that all the special checks currently diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 2fbc24391..a79b25c29 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -38,7 +38,7 @@ #include "pkinit.h" /* Remove when FAST PKINIT is settled. */ -#include "../fast_factor.h" +#include "fast_factor.h" static krb5_error_code pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob); @@ -101,9 +101,8 @@ cleanup: static krb5_error_code pkinit_server_get_edata(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { @@ -114,8 +113,7 @@ pkinit_server_get_edata(krb5_context context, pkiDebug("pkinit_server_get_edata: entered!\n"); /* Remove (along with armor_key) when FAST PKINIT is settled. */ - retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, - client, &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval == 0 && armor_key != NULL) { /* Don't advertise PKINIT if the client used FAST. */ krb5_free_keyblock(context, armor_key); @@ -289,12 +287,12 @@ out: static void pkinit_server_verify_padata(krb5_context context, - struct _krb5_db_entry_new * client, krb5_data *req_pkt, krb5_kdc_req * request, krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data * data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -324,8 +322,7 @@ pkinit_server_verify_padata(krb5_context context, } /* Remove (along with armor_key) when FAST PKINIT is settled. */ - retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, - client, &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval == 0 && armor_key != NULL) { /* Don't allow PKINIT if the client used FAST. */ krb5_free_keyblock(context, armor_key); @@ -697,14 +694,13 @@ cleanup: static krb5_error_code pkinit_server_return_padata(krb5_context context, krb5_pa_data * padata, - struct _krb5_db_entry_new * client, krb5_data *req_pkt, krb5_kdc_req * request, krb5_kdc_rep * reply, - struct _krb5_key_data * client_key, krb5_keyblock * encrypting_key, krb5_pa_data ** send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { diff --git a/src/plugins/preauth/securid_sam2/securid_sam2_main.c b/src/plugins/preauth/securid_sam2/securid_sam2_main.c index 700cd59f9..5ed59c811 100644 --- a/src/plugins/preauth/securid_sam2/securid_sam2_main.c +++ b/src/plugins/preauth/securid_sam2/securid_sam2_main.c @@ -50,6 +50,19 @@ static struct { { 0, 0 }, }; +static krb5_db_entry * +get_client_entry(krb5_context context, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock) +{ + krb5_data *data; + krb5_db_entry *client; + + (*get)(context, rock, krb5_kdcpreauth_get_client, &data); + client = *(krb5_db_entry **)data->data; + free(data); + return client; +} + krb5_error_code sam_get_db_entry(krb5_context context, krb5_principal client, int *sam_type, struct _krb5_db_entry_new **db_entry) @@ -114,9 +127,7 @@ cleanup: static krb5_error_code kdc_include_padata(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn get_entry_proc, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data) { krb5_error_code retval; @@ -125,7 +136,7 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request, krb5_sam_challenge_2 sc2; krb5_sam_challenge_2_body sc2b; int sam_type = 0; /* unknown */ - krb5_db_entry *sam_db_entry = NULL; + krb5_db_entry *sam_db_entry = NULL, *client; krb5_data *encoded_challenge = NULL; memset(&sc2, 0, sizeof(sc2)); @@ -133,12 +144,12 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request, sc2b.magic = KV5M_SAM_CHALLENGE_2; sc2b.sam_type = sam_type; + client = get_client_entry(context, get, rock); retval = sam_get_db_entry(context, client->princ, &sam_type, &sam_db_entry); if (retval) return retval; - retval = get_entry_proc(context, request, client, - krb5_kdcpreauth_keys, &client_keys_data); + retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_keys_data); if (retval) goto cleanup; client_key = (krb5_keyblock *) client_keys_data->data; @@ -203,19 +214,18 @@ cleanup: } static void -kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data, - krb5_kdcpreauth_get_data_fn get_entry_proc, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_verify_respond_fn respond, - void *arg) +kdc_verify_preauth(krb5_context context, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *pa_data, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) { krb5_error_code retval, saved_retval = 0; krb5_sam_response_2 *sr2 = NULL; krb5_data scratch, *scratch2, *e_data = NULL; char *client_name = NULL; krb5_sam_challenge_2 *out_sc2 = NULL; + krb5_db_entry *client = get_client_entry(context, get, rock); scratch.data = (char *) pa_data->contents; scratch.length = pa_data->length; diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c index 3c10e1416..e3f5d8782 100644 --- a/src/plugins/preauth/wpse/wpse_main.c +++ b/src/plugins/preauth/wpse/wpse_main.c @@ -246,9 +246,8 @@ server_free_modreq(krb5_context kcontext, static krb5_error_code server_get_edata(krb5_context kcontext, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { @@ -261,12 +260,12 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static void server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -370,14 +369,13 @@ server_verify(krb5_context kcontext, static krb5_error_code server_return(krb5_context kcontext, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { /* This module does a couple of dumb things. It tags its reply with |