Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/preauth/cksum_body/cksum_body_main.c | 29 | ||||
| -rw-r--r-- | src/plugins/preauth/fast_factor.h | 58 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/deps | 22 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 2 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 22 | ||||
| -rw-r--r-- | src/plugins/preauth/securid_sam2/securid_sam2_main.c | 36 | ||||
| -rw-r--r-- | src/plugins/preauth/wpse/wpse_main.c | 14 |
7 files changed, 60 insertions, 123 deletions
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c index 06ba14d5a..144ab6d96 100644 --- a/src/plugins/preauth/cksum_body/cksum_body_main.c +++ b/src/plugins/preauth/cksum_body/cksum_body_main.c @@ -272,13 +272,9 @@ server_fini(krb5_context kcontext, krb5_kdcpreauth_moddata moddata) /* Obtain and return any preauthentication data (which is destined for the * client) which matches type data->pa_type. */ static krb5_error_code -server_get_edata(krb5_context kcontext, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, - krb5_kdcpreauth_moddata moddata, - krb5_pa_data *data) +server_get_edata(krb5_context kcontext, krb5_kdc_req *request, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { krb5_data *key_data; krb5_keyblock *keys, *key; @@ -287,8 +283,7 @@ server_get_edata(krb5_context kcontext, /* Retrieve the client's keys. */ key_data = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_keys, &key_data) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) { #ifdef DEBUG fprintf(stderr, "Error retrieving client keys.\n"); #endif @@ -331,12 +326,12 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static void server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) 
@@ -394,8 +389,7 @@ server_verify(krb5_context kcontext, /* Pull up the client's keys. */ key_data = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_keys, &key_data) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) { #ifdef DEBUG fprintf(stderr, "Error retrieving client keys.\n"); #endif @@ -454,9 +448,7 @@ server_verify(krb5_context kcontext, * extract the structure directly from the req_pkt structure. This * will probably work if it's us on both ends, though. */ req_body = NULL; - if ((*server_get_entry_data)(kcontext, request, client, - krb5_kdcpreauth_request_body, - &req_body) != 0) { + if ((*get)(kcontext, rock, krb5_kdcpreauth_request_body, &req_body) != 0) { krb5_free_keyblock(kcontext, key); stats->failures++; (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); @@ -593,14 +585,13 @@ server_verify(krb5_context kcontext, static krb5_error_code server_return(krb5_context kcontext, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { diff --git a/src/plugins/preauth/fast_factor.h b/src/plugins/preauth/fast_factor.h deleted file mode 100644 index f585bc22c..000000000 --- a/src/plugins/preauth/fast_factor.h +++ /dev/null 
@@ -1,58 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ - -/* - * Returns success with a null armor_key if FAST is available but not in use. - * Returns failure if the client library does not support FAST. - */ -static inline krb5_error_code -fast_get_armor_key(krb5_context context, krb5_clpreauth_get_data_fn get_data, - krb5_clpreauth_rock rock, krb5_keyblock **armor_key) -{ - krb5_error_code retval = 0; - krb5_data *data; - retval = get_data(context, rock, krb5_clpreauth_fast_armor, &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_data(context, rock, krb5_clpreauth_free_fast_armor, &data); - } - return retval; -} - -static inline krb5_error_code -fast_kdc_get_armor_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_entry, - krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - krb5_keyblock **armor_key) -{ - krb5_error_code retval; - krb5_data *data; - retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor, - &data); - if (retval == 0) { - *armor_key = (krb5_keyblock *) data->data; - data->data = NULL; - get_entry(context, request, client, - krb5_kdcpreauth_free_fast_armor, &data); - } - return retval; -} - - - -static inline krb5_error_code -fast_kdc_replace_reply_key(krb5_context context, - krb5_kdcpreauth_get_data_fn get_data, - krb5_kdc_req *request) -{ - return 0; -} - -static inline krb5_error_code -fast_set_kdc_verified(krb5_context context, - krb5_clpreauth_get_data_fn get_data, - krb5_clpreauth_rock rock) -{ - return 0; -} diff --git a/src/plugins/preauth/pkinit/deps b/src/plugins/preauth/pkinit/deps index 8ad6b14db..ceff74918 100644 --- a/src/plugins/preauth/pkinit/deps +++ b/src/plugins/preauth/pkinit/deps 
@@ -16,16 +16,16 @@ pkinit_accessor.so pkinit_accessor.po $(OUTPRE)pkinit_accessor.$(OBJEXT): \ pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ - pkinit_srv.c + $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \ + pkinit_accessor.h pkinit_crypto.h pkinit_srv.c pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \ 
@@ -49,7 +49,7 @@ pkinit_kdf_constants.so pkinit_kdf_constants.po $(OUTPRE)pkinit_kdf_constants.$( pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_constants.c pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \ diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 4860e0712..f8cfac5ad 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -42,7 +42,7 @@ #include "pkinit.h" /* Remove when FAST PKINIT is settled. */ -#include "../fast_factor.h" +#include "fast_factor.h" /* * It is anticipated that all the special checks currently diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 2fbc24391..a79b25c29 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -38,7 +38,7 @@ #include "pkinit.h" /* Remove when FAST PKINIT is settled. */ -#include "../fast_factor.h" +#include "fast_factor.h" static krb5_error_code pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob); @@ -101,9 +101,8 @@ cleanup: static krb5_error_code pkinit_server_get_edata(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { 
@@ -114,8 +113,7 @@ pkinit_server_get_edata(krb5_context context, pkiDebug("pkinit_server_get_edata: entered!\n"); /* Remove (along with armor_key) when FAST PKINIT is settled. */ - retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, - client, &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval == 0 && armor_key != NULL) { /* Don't advertise PKINIT if the client used FAST. */ krb5_free_keyblock(context, armor_key); @@ -289,12 +287,12 @@ out: static void pkinit_server_verify_padata(krb5_context context, - struct _krb5_db_entry_new * client, krb5_data *req_pkt, krb5_kdc_req * request, krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data * data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -324,8 +322,7 @@ pkinit_server_verify_padata(krb5_context context, } /* Remove (along with armor_key) when FAST PKINIT is settled. */ - retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, - client, &armor_key); + retval = fast_kdc_get_armor_key(context, get, rock, &armor_key); if (retval == 0 && armor_key != NULL) { /* Don't allow PKINIT if the client used FAST. */ krb5_free_keyblock(context, armor_key); @@ -697,14 +694,13 @@ cleanup: static krb5_error_code pkinit_server_return_padata(krb5_context context, krb5_pa_data * padata, - struct _krb5_db_entry_new * client, krb5_data *req_pkt, krb5_kdc_req * request, krb5_kdc_rep * reply, - struct _krb5_key_data * client_key, krb5_keyblock * encrypting_key, krb5_pa_data ** send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { 
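Review bot: An error from `fast_kdc_get_armor_key` falls through as if the request were unarmored, because `pkinit_server_get_edata` tests only `retval == 0 && armor_key != NULL`. The same test in the `pkinit_server_verify_padata` hunk on this line is what refuses PKINIT for a FAST request, so a failed lookup there would let verification continue. If the lookup can fail on an armored request, both sites should stop on a non-zero `retval`: in get_edata with `if (retval != 0) return retval;` ahead of the existing test, and in verify_padata by reporting the error through its `respond` callback. Whether `armor_key` is initialized before the call cannot be seen here, since both functions begin and end outside these hunks; if it is not, give it `= NULL` at its declaration.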
diff --git a/src/plugins/preauth/securid_sam2/securid_sam2_main.c b/src/plugins/preauth/securid_sam2/securid_sam2_main.c index 700cd59f9..5ed59c811 100644 --- a/src/plugins/preauth/securid_sam2/securid_sam2_main.c +++ b/src/plugins/preauth/securid_sam2/securid_sam2_main.c @@ -50,6 +50,19 @@ static struct { { 0, 0 }, }; +static krb5_db_entry * +get_client_entry(krb5_context context, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock) +{ + krb5_data *data; + krb5_db_entry *client; + + (*get)(context, rock, krb5_kdcpreauth_get_client, &data); + client = *(krb5_db_entry **)data->data; + free(data); + return client; +} + krb5_error_code sam_get_db_entry(krb5_context context, krb5_principal client, int *sam_type, struct _krb5_db_entry_new **db_entry) @@ -114,9 +127,7 @@ cleanup: static krb5_error_code kdc_include_padata(krb5_context context, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn get_entry_proc, + krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data) { krb5_error_code retval; @@ -125,7 +136,7 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request, krb5_sam_challenge_2 sc2; krb5_sam_challenge_2_body sc2b; int sam_type = 0; /* unknown */ - krb5_db_entry *sam_db_entry = NULL; + krb5_db_entry *sam_db_entry = NULL, *client; krb5_data *encoded_challenge = NULL; memset(&sc2, 0, sizeof(sc2)); 
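Review bot: `get_client_entry` in the first securid_sam2 hunk discards the result of `(*get)(...)` and then dereferences `data`, which is declared without an initializer, so a failed callback makes the KDC read through an indeterminate pointer. The helper has no failure path, and its callers in the later hunks do not test the result: `kdc_include_padata` reads `client->princ` immediately after the call, and `kdc_verify_preauth` initializes `client` from it in its declarations. Initialize `data`, check the return code and return NULL on failure, then have each caller bail out with an error when `client == NULL`. Separately, `free(data)` releases only the `krb5_data` wrapper; whether `data->data` needs its own free depends on how the callback allocates it, which is not visible in this diff.

```c
get_client_entry(krb5_context context, krb5_kdcpreauth_get_data_fn get,
                 krb5_kdcpreauth_rock rock)
{
    krb5_data *data = NULL;
    krb5_db_entry *client = NULL;

    /* A failed or empty lookup yields NULL rather than a read through data. */
    if ((*get)(context, rock, krb5_kdcpreauth_get_client, &data) != 0 ||
        data == NULL)
        return NULL;
    if (data->data != NULL)
        client = *(krb5_db_entry **)data->data;
    /* … unchanged: free(data) and return client … */
}
```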
@@ -133,12 +144,12 @@ kdc_include_padata(krb5_context context, krb5_kdc_req *request, sc2b.magic = KV5M_SAM_CHALLENGE_2; sc2b.sam_type = sam_type; + client = get_client_entry(context, get, rock); retval = sam_get_db_entry(context, client->princ, &sam_type, &sam_db_entry); if (retval) return retval; - retval = get_entry_proc(context, request, client, - krb5_kdcpreauth_keys, &client_keys_data); + retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_keys_data); if (retval) goto cleanup; client_key = (krb5_keyblock *) client_keys_data->data; @@ -203,19 +214,18 @@ cleanup: } static void -kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data, - krb5_kdcpreauth_get_data_fn get_entry_proc, - krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_verify_respond_fn respond, - void *arg) +kdc_verify_preauth(krb5_context context, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, + krb5_pa_data *pa_data, krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) { krb5_error_code retval, saved_retval = 0; krb5_sam_response_2 *sr2 = NULL; krb5_data scratch, *scratch2, *e_data = NULL; char *client_name = NULL; krb5_sam_challenge_2 *out_sc2 = NULL; + krb5_db_entry *client = get_client_entry(context, get, rock); scratch.data = (char *) pa_data->contents; scratch.length = pa_data->length; diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c index 3c10e1416..e3f5d8782 100644 --- a/src/plugins/preauth/wpse/wpse_main.c +++ b/src/plugins/preauth/wpse/wpse_main.c 
@@ -246,9 +246,8 @@ server_free_modreq(krb5_context kcontext, static krb5_error_code server_get_edata(krb5_context kcontext, krb5_kdc_req *request, - struct _krb5_db_entry_new *client, - struct _krb5_db_entry_new *server, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_pa_data *data) { @@ -261,12 +260,12 @@ server_get_edata(krb5_context kcontext, /* Verify a request from a client. */ static void server_verify(krb5_context kcontext, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) @@ -370,14 +369,13 @@ server_verify(krb5_context kcontext, static krb5_error_code server_return(krb5_context kcontext, krb5_pa_data *padata, - struct _krb5_db_entry_new *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - struct _krb5_key_data *client_key, krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_get_data_fn server_get_entry_data, + krb5_kdcpreauth_get_data_fn get, + krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) { /* This module does a couple of dumb things. It tags its reply with |
