diff options
| author | Greg Hudson <ghudson@mit.edu> | 2011-10-15 16:06:03 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-10-15 16:06:03 +0000 |
| commit | e389f7a0e7d682a06bc8d2814ad0d86398e815b9 (patch) | |
| tree | a9e405a56727e7855222dd940acbdbca6933dd60 /src/plugins | |
| parent | 249e5254d4d4cff2bda07deafc25d7d87ea5ac0f (diff) | |
| download | krb5-e389f7a0e7d682a06bc8d2814ad0d86398e815b9.tar.gz krb5-e389f7a0e7d682a06bc8d2814ad0d86398e815b9.tar.xz krb5-e389f7a0e7d682a06bc8d2814ad0d86398e815b9.zip | |
Hide gak_fct interface and arguments in clpreauth
Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments
of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To
replace them, add two callbacks: one which gets the AS key using the
previously selected etype-info2 information, and a second which lets
the module replace the AS key with one it has computed.
This changes limits module flexibility in a few ways. Modules cannot
check whether the AS key was already obtained before asking for it,
and they cannot use the etype-info2 salt and s2kparams for purposes
other than getting the password-based AS key. It is believed that
of existing preauth mechanisms, only SAM-2 preauth needs more
flexibility than the new interfaces provide, and as an internal legacy
mechanism it can cheat. Future mechanisms should be okay since the
current IETF philosophy is that etype-info2 information should not be
used for other purposes.
ticket: 6976
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25351 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/preauth/cksum_body/cksum_body_main.c | 44 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 14 | ||||
| -rw-r--r-- | src/plugins/preauth/wpse/wpse_main.c | 6 |
3 files changed, 13 insertions, 51 deletions
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index 6643e8e04..c0a438f75 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -91,21 +91,17 @@ client_process(krb5_context kcontext, krb5_pa_data *pa_data, krb5_prompter_fct prompter, void *prompter_data, - krb5_clpreauth_get_as_key_fn gak_fct, - void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, krb5_pa_data ***out_pa_data) { krb5_pa_data **send_pa; krb5_checksum checksum; - krb5_enctype enctype; krb5_cksumtype *cksumtypes; krb5_error_code status = 0; - krb5_int32 cksumtype, *enctypes; - unsigned int i, n_enctypes, cksumtype_count; + krb5_int32 cksumtype; + unsigned int i, cksumtype_count; int num_gic_info = 0; krb5_gic_opt_pa_data *gic_info; + krb5_keyblock *as_key; status = krb5_get_init_creds_opt_get_pa(kcontext, opt, &num_gic_info, &gic_info); @@ -128,37 +124,9 @@ client_process(krb5_context kcontext, memset(&checksum, 0, sizeof(checksum)); - /* Get the user's long-term key if we haven't asked for it yet. Try - * all of the encryption types which the server supports. */ - if (as_key->length == 0) { - if ((pa_data != NULL) && (pa_data->length >= 4)) { -#ifdef DEBUG - fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length); -#endif - n_enctypes = pa_data->length / 4; - enctypes = (krb5_int32*) pa_data->contents; - } else { - n_enctypes = request->nktypes; - } - for (i = 0; i < n_enctypes; i++) { - if ((pa_data != NULL) && (pa_data->length >= 4)) { - memcpy(&enctype, pa_data->contents + 4 * i, 4); - enctype = ntohl(enctype); - } else { - enctype = request->ktype[i]; - } -#ifdef DEBUG - fprintf(stderr, "Asking for AS key (type = %d).\n", enctype); -#endif - status = (*gak_fct)(kcontext, request->client, enctype, - prompter, prompter_data, - salt, s2kparams, as_key, gak_data); - if (status == 0) - break; - } - if (status != 0) - return status; - } + status = cb->get_as_key(kcontext, rock, &as_key); + if (status != 0) + return status; #ifdef DEBUG fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype); #endif diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 95a645c2b..6155b1063 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -1022,16 +1022,14 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata, krb5_data *encoded_previous_request, krb5_pa_data *in_padata, krb5_prompter_fct prompter, void *prompter_data, - krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, krb5_pa_data ***out_padata) + krb5_pa_data ***out_padata) { krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; krb5_enctype enctype = -1; int processing_request = 0; pkinit_context plgctx = (pkinit_context)moddata; pkinit_req_context reqctx = (pkinit_req_context)modreq; - krb5_keyblock *armor_key = cb->fast_armor(context, rock); + krb5_keyblock *armor_key = cb->fast_armor(context, rock), as_key; pkiDebug("pkinit_client_process %p %p %p %p\n", context, plgctx, reqctx, request); @@ -1094,8 +1092,10 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata, */ enctype = cb->get_etype(context, rock); retval = pa_pkinit_parse_rep(context, plgctx, reqctx, request, - in_padata, enctype, as_key, + in_padata, enctype, &as_key, encoded_previous_request); + if (retval == 0) + retval = cb->set_as_key(context, rock, &as_key); } pkiDebug("pkinit_client_process: returning %d (%s)\n", @@ -1112,9 +1112,7 @@ pkinit_client_tryagain(krb5_context context, krb5_clpreauth_moddata moddata, krb5_data *encoded_previous_request, krb5_pa_data *in_padata, krb5_error *err_reply, krb5_prompter_fct prompter, void *prompter_data, - krb5_clpreauth_get_as_key_fn gak_fct, void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, krb5_pa_data ***out_padata) + krb5_pa_data ***out_padata) { krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; pkinit_context plgctx = (pkinit_context)moddata; diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c index 4f603474d..c14ec753d 100644 --- a/src/plugins/preauth/wpse/wpse_main.c +++ b/src/plugins/preauth/wpse/wpse_main.c @@ -98,10 +98,6 @@ client_process(krb5_context kcontext, krb5_pa_data *pa_data, krb5_prompter_fct prompter, void *prompter_data, - krb5_clpreauth_get_as_key_fn gak_fct, - void *gak_data, - krb5_data *salt, krb5_data *s2kparams, - krb5_keyblock *as_key, krb5_pa_data ***out_pa_data) { krb5_pa_data **send_pa; @@ -159,7 +155,7 @@ client_process(krb5_context kcontext, fprintf(stderr, "Recovered key type=%d, length=%d.\n", kb->enctype, kb->length); #endif - status = krb5_copy_keyblock_contents(kcontext, kb, as_key); + status = cb->set_as_key(kcontext, rock, kb); krb5_free_keyblock(kcontext, kb); return status; } |