diff options
Diffstat (limited to 'Add-KDC-pre-send-and-post-receive-KDC-hooks.patch')
-rw-r--r-- | Add-KDC-pre-send-and-post-receive-KDC-hooks.patch | 314 |
1 files changed, 0 insertions, 314 deletions
diff --git a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch b/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch deleted file mode 100644 index 17ecec6..0000000 --- a/Add-KDC-pre-send-and-post-receive-KDC-hooks.patch +++ /dev/null @@ -1,314 +0,0 @@ -From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <asn@samba.org> -Date: Thu, 3 Mar 2016 18:53:31 +0100 -Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks - -Add two new APIs, krb5_set_kdc_send_hook() and -krb5_set_kdc_recv_hook(), which can be used to inspect and override -messages sent to KDCs. - -[ghudson@mit.edu: style and documentation changes] - -ticket: 8386 (new) ---- - doc/appdev/refs/api/index.rst | 2 + - doc/appdev/refs/types/index.rst | 2 + - src/include/k5-int.h | 6 +++ - src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++ - src/lib/krb5/libkrb5.exports | 2 + - src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++- - src/lib/krb5_32.def | 4 ++ - 7 files changed, 174 insertions(+), 2 deletions(-) - -diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst -index 8df351d..e97cbca 100644 ---- a/doc/appdev/refs/api/index.rst -+++ b/doc/appdev/refs/api/index.rst -@@ -268,6 +268,8 @@ Rarely used public interfaces - krb5_server_decrypt_ticket_keytab.rst - krb5_set_default_tgs_enctypes.rst - krb5_set_error_message.rst -+ krb5_set_kdc_recv_hook.rst -+ krb5_set_kdc_send_hook.rst - krb5_set_real_time.rst - krb5_string_to_cksumtype.rst - krb5_string_to_deltat.rst -diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst -index 51c4093..dc414cf 100644 ---- a/doc/appdev/refs/types/index.rst -+++ b/doc/appdev/refs/types/index.rst -@@ -57,6 +57,8 @@ Public - krb5_pa_svr_referral_data.rst - krb5_pa_data.rst - krb5_pointer.rst -+ krb5_post_recv_fn.rst -+ krb5_pre_send_fn.rst - krb5_preauthtype.rst - krb5_principal.rst - krb5_principal_data.rst -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 6b7b2e3..045abfc 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -1238,6 +1238,12 @@ struct _krb5_context { - krb5_trace_callback trace_callback; - void *trace_callback_data; - -+ krb5_pre_send_fn kdc_send_hook; -+ void *kdc_send_hook_data; -+ -+ krb5_post_recv_fn kdc_recv_hook; -+ void *kdc_recv_hook_data; -+ - struct plugin_interface plugins[PLUGIN_NUM_INTERFACES]; - char *plugin_base_dir; - }; -diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index c93a0f2..2b0d59e 100644 ---- a/src/include/krb5/krb5.hin -+++ b/src/include/krb5/krb5.hin -@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, - krb5_error_code KRB5_CALLCONV - krb5_set_trace_filename(krb5_context context, const char *filename); - -+ -+/** -+ * Hook function for inspecting or modifying messages sent to KDCs. -+ * -+ * If the hook function returns an error code, the KDC communication will be -+ * aborted and the error code will be returned to the library operation which -+ * initiated the communication. -+ * -+ * If the hook function sets @a reply_out, @a message will not be sent to the -+ * KDC, and the given reply will used instead. -+ * -+ * If the hook function sets @a new_message_out, the given message will be sent -+ * to the KDC in place of @a message. -+ * -+ * If the hook function returns successfully without setting either output, -+ * @a message will be sent to the KDC normally. -+ * -+ * The hook function should use krb5_copy_data() to construct the value for -+ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly -+ * by the library. -+ * -+ * @param [in] context Library context -+ * @param [in] data Callback data -+ * @param [in] realm The realm the message will be sent to -+ * @param [in] message The original message to be sent to the KDC -+ * @param [out] new_message_out Optional replacement message to be sent -+ * @param [out] reply_out Optional synthetic reply -+ * -+ * @retval 0 Success -+ * @return A Kerberos error code -+ */ -+typedef krb5_error_code -+(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data, -+ const krb5_data *realm, -+ const krb5_data *message, -+ krb5_data **new_message_out, -+ krb5_data **new_reply_out); -+ -+/** -+ * Hook function for inspecting or overriding KDC replies. -+ * -+ * If @a code is zero, @a reply contains the reply received from the KDC. The -+ * hook function may return an error code to simulate an error, may synthesize -+ * a different reply by setting @a new_reply_out, or may simply return -+ * successfully to do nothing. -+ * -+ * If @a code is non-zero, KDC communication failed and @a reply should be -+ * ignored. The hook function may return @a code or a different error code, or -+ * may synthesize a reply by setting @a new_reply_out and return successfully. -+ * -+ * The hook function should use krb5_copy_data() to construct the value for -+ * @a new_reply_out, to ensure that it can be freed correctly by the library. -+ * -+ * @param [in] context Library context -+ * @param [in] data Callback data -+ * @param [in] code Status of KDC communication -+ * @param [in] realm The realm the reply was received from -+ * @param [in] message The message sent to the realm's KDC -+ * @param [in] reply The reply received from the KDC -+ * @param [out] new_reply_out Optional replacement reply -+ * -+ * @retval 0 Success -+ * @return A Kerberos error code -+ */ -+typedef krb5_error_code -+(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data, -+ krb5_error_code code, -+ const krb5_data *realm, -+ const krb5_data *message, -+ const krb5_data *reply, -+ krb5_data **new_reply_out); -+ -+/** -+ * Set a KDC pre-send hook function. -+ * -+ * @a send_hook will be called before messages are sent to KDCs by library -+ * functions such as krb5_get_credentials(). The hook function may inspect, -+ * override, or synthesize its own reply to the message. -+ * -+ * @param [in] context Library context -+ * @param [in] send_hook Hook function (or NULL to disable the hook) -+ * @param [in] data Callback data to be passed to @a send_hook -+ */ -+void KRB5_CALLCONV -+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, -+ void *data); -+ -+/** -+ * Set a KDC post-receive hook function. -+ * -+ * @a recv_hook will be called after a reply is received from a KDC during a -+ * call to a library function such as krb5_get_credentials(). The hook -+ * function may inspect or override the reply. This hook will not be executed -+ * if the pre-send hook returns a synthetic reply. -+ * -+ * @param [in] context The library context. -+ * @param [in] recv_hook Hook function (or NULL to disable the hook) -+ * @param [in] data Callback data to be passed to @a recv_hook -+ */ -+void KRB5_CALLCONV -+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, -+ void *data); -+ -+ - #if TARGET_OS_MAC - # pragma pack(pop) - #endif -diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports -index c623409..ea6982d 100644 ---- a/src/lib/krb5/libkrb5.exports -+++ b/src/lib/krb5/libkrb5.exports -@@ -581,6 +581,8 @@ krb5_set_password - krb5_set_password_using_ccache - krb5_set_principal_realm - krb5_set_real_time -+krb5_set_kdc_send_hook -+krb5_set_kdc_recv_hook - krb5_set_time_offsets - krb5_set_trace_callback - krb5_set_trace_filename -diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c -index 6231de2..be00b8f 100644 ---- a/src/lib/krb5/os/sendto_kdc.c -+++ b/src/lib/krb5/os/sendto_kdc.c -@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context, - return 1; - } - -+void -+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, -+ void *data) -+{ -+ context->kdc_send_hook = send_hook; -+ context->kdc_send_hook_data = data; -+} -+ -+void -+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, -+ void *data) -+{ -+ context->kdc_recv_hook = recv_hook; -+ context->kdc_recv_hook_data = data; -+} -+ - /* - * send the formatted request 'message' to a KDC for realm 'realm' and - * return the response (if any) in 'reply'. -@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context, - - krb5_error_code - krb5_sendto_kdc(krb5_context context, const krb5_data *message, -- const krb5_data *realm, krb5_data *reply, int *use_master, -+ const krb5_data *realm, krb5_data *reply_out, int *use_master, - int no_udp) - { - krb5_error_code retval, err; - struct serverlist servers; - int server_used; - k5_transport_strategy strategy; -+ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL; -+ -+ *reply_out = empty_data(); - - /* - * find KDC location(s) for realm -@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, - if (retval) - return retval; - -+ if (context->kdc_send_hook != NULL) { -+ retval = context->kdc_send_hook(context, context->kdc_send_hook_data, -+ realm, message, &hook_message, -+ &hook_reply); -+ if (retval) -+ goto cleanup; -+ -+ if (hook_reply != NULL) { -+ *reply_out = *hook_reply; -+ free(hook_reply); -+ goto cleanup; -+ } -+ -+ if (hook_message != NULL) -+ message = hook_message; -+ } -+ - err = 0; - retval = k5_sendto(context, message, realm, &servers, strategy, NULL, -- reply, NULL, NULL, &server_used, -+ &reply, NULL, NULL, &server_used, - check_for_svc_unavailable, &err); - if (retval == KRB5_KDC_UNREACH) { - if (err == KDC_ERR_SVC_UNAVAILABLE) { -@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, - realm->length, realm->data); - } - } -+ -+ if (context->kdc_recv_hook != NULL) { -+ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data, -+ retval, realm, message, &reply, -+ &hook_reply); -+ } - if (retval) - goto cleanup; - -+ if (hook_reply != NULL) { -+ *reply_out = *hook_reply; -+ free(hook_reply); -+ } else { -+ *reply_out = reply; -+ reply = empty_data(); -+ } -+ - /* Set use_master to 1 if we ended up talking to a master when we didn't - * explicitly request to. */ - if (*use_master == 0) { -@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message, - } - - cleanup: -+ krb5_free_data(context, hook_message); -+ krb5_free_data_contents(context, &reply); - k5_free_serverlist(&servers); - return retval; - } -diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def -index 3734e9b..8d58ea1 100644 ---- a/src/lib/krb5_32.def -+++ b/src/lib/krb5_32.def -@@ -463,3 +463,7 @@ EXPORTS - krb5_vwrap_error_message @430 - krb5_c_prfplus @431 - krb5_c_derive_prfplus @432 -+ -+; new in 1.15 -+ krb5_set_kdc_send_hook @433 -+ krb5_set_kdc_recv_hook @434 --- -2.9.3 - |