From b87d9d3c376c2623ae9eb0cfc8da50985c7bb592 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 14 Nov 2011 21:45:33 +0000 Subject: Simplify and fix kdcpreauth request_body callback Alter the contract for the kdcpreauth request_body callback so that it returns an alias to the encoded body instead of a fresh copy. At the beginning of AS request processing, save a copy of the encoded request body, or the encoded inner request body for FAST requests. Previously the request_body callback would re-encode the request structure, which in some cases has been modified by the AS request code. No kdcpreauth modules currently use the request_body callback, but PKINIT will need to start using it in order to handle FAST requests correctly. ticket: 7017 target_version: 1.10 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25473 dc483132-0cff-0310-8789-dd5450dbe970
---
src/include/krb5/preauth_plugin.h | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) (limited to 'src/include')
diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h
index 869ebd5cd..cbc57f147 100644
--- a/src/include/krb5/preauth_plugin.h
+++ b/src/include/krb5/preauth_plugin.h
@@ -351,15 +351,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
 krb5_keyblock *keys);

 /*
- * Get the request structure, re-encoded using DER. Unless the client
- * implementation is the same as the server implementation, there's a good
- * chance that the result will not match what the client sent, so don't
- * create any fatal errors if it doesn't match up. Free the resulting data
- * object with krb5_free_data.
+ * Get the encoded request body, which is sometimes needed for checksums.
+ * For a FAST request this is the encoded inner request body. The returned
+ * pointer is an alias and should not be freed.
 */
- krb5_error_code (*request_body)(krb5_context context,
- krb5_kdcpreauth_rock rock,
- krb5_data **body_out);
+ krb5_data *(*request_body)(krb5_context context,
+ krb5_kdcpreauth_rock rock);

 /* Get a pointer to the FAST armor key, or NULL if the request did not use
 * FAST. The returned pointer is an alias and should not be freed. */
-- cgit
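Review bot: The new comment on `request_body` does not say whether the callback can return NULL or how long the alias stays valid, and with the `krb5_error_code` return gone the pointer is the only failure signal a module gets. A module that feeds the body into a checksum, the use the comment names, needs to know whether to test for NULL before dereferencing and that it must treat the data as read-only. I would extend the comment with `The returned pointer is an alias; do not free or modify it.` plus one sentence stating whether NULL is possible, mirroring the `or NULL if the request did not use FAST` wording on the armor-key callback just below. Separately, this changes the type of a member of `krb5_kdcpreauth_callbacks_st` in place; the struct starts and ends outside this hunk, so I cannot see whether the interface carries a version that is bumped, but a module built against the old three-argument prototype would misread the return value, so that is worth confirming.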