svn rev #24182: trunk/src/ include/ kdc/ lib/kdb/ plugins/kdb/db2/ plugins/kdb/ldap/

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Jul 12 14:33:06 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=24182
Commit By: ghudson
Log Message:
ticket: 6749
status: open

Add sign_authdata to the DAL table with a corresponding libkdb5 API,
replacing the SIGN_AUTH_DATA method of db_invoke.



Changed Files:
U   trunk/src/include/kdb.h
U   trunk/src/kdc/kdc_authdata.c
U   trunk/src/kdc/kdc_util.c
U   trunk/src/kdc/kdc_util.h
U   trunk/src/lib/kdb/kdb5.c
U   trunk/src/lib/kdb/libkdb5.exports
U   trunk/src/plugins/kdb/db2/db2_exp.c
U   trunk/src/plugins/kdb/ldap/ldap_exp.c
Modified: trunk/src/include/kdb.h
===================================================================
--- trunk/src/include/kdb.h	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/include/kdb.h	2010-07-12 18:33:05 UTC (rev 24182)
@@ -323,7 +323,6 @@
 #define KRB5_DB_LOCKMODE_PERMANENT    0x0008
 
 /* db_invoke methods */
-#define KRB5_KDB_METHOD_SIGN_AUTH_DATA                  0x00000010
 #define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS          0x00000020
 #define KRB5_KDB_METHOD_CHECK_POLICY_AS                 0x00000030
 #define KRB5_KDB_METHOD_CHECK_POLICY_TGS                0x00000040
@@ -332,26 +331,6 @@
 #define KRB5_KDB_METHOD_REFRESH_POLICY                  0x00000070
 #define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE       0x00000080
 
-typedef struct _kdb_sign_auth_data_req {
-    krb5_magic magic;
-    unsigned int flags;                 /* KRB5_KDB flags */
-    krb5_const_principal client_princ;  /* Client name used in ticket */
-    krb5_db_entry *client;              /* DB entry for client principal */
-    krb5_db_entry *server;              /* DB entry for server principal */
-    krb5_db_entry *krbtgt;              /* DB entry for ticket granting service principal */
-    krb5_keyblock *client_key;          /* Reply key, valid for AS-REQ only */
-    krb5_keyblock *server_key;          /* Key used to generate server signature */
-    krb5_timestamp authtime;            /* Authtime of TGT */
-    krb5_authdata **auth_data;          /* Authorization data from TGT */
-    krb5_keyblock *session_key;         /* Reply session key */
-    krb5_keyblock *krbtgt_key;          /* Key used to decrypt TGT, valid for TGS-REQ only */
-} kdb_sign_auth_data_req;
-
-typedef struct _kdb_sign_auth_data_rep {
-    krb5_magic magic;
-    krb5_authdata **auth_data;          /* Signed authorization data */
-} kdb_sign_auth_data_rep;
-
 typedef struct _kdb_check_transited_realms_req {
     krb5_magic magic;
     const krb5_data *tr_contents;
@@ -659,12 +638,25 @@
                            int             count,
                            krb5_key_data * data);
 
+krb5_error_code krb5_db_sign_authdata(krb5_context kcontext,
+                                      unsigned int flags,
+                                      krb5_const_principal client_princ,
+                                      krb5_db_entry *client,
+                                      krb5_db_entry *server,
+                                      krb5_db_entry *krbtgt,
+                                      krb5_keyblock *client_key,
+                                      krb5_keyblock *server_key,
+                                      krb5_keyblock *krbtgt_key,
+                                      krb5_keyblock *session_key,
+                                      krb5_timestamp authtime,
+                                      krb5_authdata **tgt_auth_data,
+                                      krb5_authdata ***signed_auth_data);
+
 krb5_error_code krb5_db_invoke ( krb5_context kcontext,
                                  unsigned int method,
                                  const krb5_data *req,
                                  krb5_data *rep );
 
-
 /* default functions. Should not be directly called */
 /*
  *   Default functions prototype
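Review bot: The new public prototype krb5_db_sign_authdata carries no comment, while the neighbouring declarations document their contract; a KDC caller needs to know that the wrapper sets `*signed_auth_data = NULL` on entry and returns KRB5_PLUGIN_OP_NOTSUPP when the loaded module does not implement sign_authdata (both in-tree modules in this commit leave the slot empty). I would add above the declaration `/* Ask the KDB module to produce signed authorization data (e.g. a PAC) for the ticket being issued. Returns KRB5_PLUGIN_OP_NOTSUPP if the module has no sign_authdata method; *signed_auth_data is NULL unless the module fills it. */`. Whether the KDC treats NOTSUPP as "nothing to add" is decided in kdc_authdata.c, outside this hunk, so the comment should match that handling.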
@@ -796,7 +788,7 @@
  * DAL.  It is passed to init_library to allow KDB modules to detect when
  * they are being loaded by an incompatible version of the KDC.
  */
-#define KRB5_KDB_DAL_VERSION 20100702
+#define KRB5_KDB_DAL_VERSION 20100712
 
 /*
  * A krb5_context can hold one database object.  Modules should use
@@ -1202,19 +1194,72 @@
                                         int keyver, krb5_key_data *key_data);
 
     /*
+     * Optional: Generate signed authorization data, such as a Windows PAC, for
+     * the ticket to be returned to the client.  Place the signed authorization
+     * data, if any, in *signed_auth_data.  This function will be invoked for
+     * an AS request if the client included padata requesting a PAC.  This
+     * function will be invoked for a TGS request if there is authorization
+     * data in the TGT, if the client is from another realm, or if the TGS
+     * request is an S4U2Self or S4U2Proxy request.  This function will not be
+     * invoked during TGS requests if the server principal has the
+     * no_auth_data_required attribute set.  Input parameters are:
+     *
+     *   flags: The flags used to look up the client principal.
+     *
+     *   client_princ: For S4U2Proxy TGS requests, the client principal
+     *     requested by the service; for regular TGS requests, the
+     *     possibly-canonicalized client principal.
+     *
+     *   client: The DB entry of the client.  For S4U2Self, this will be the DB
+     *     entry for the client principal requested by the service).
+     *
+     *   server: The DB entry of the service principal.
+     *
+     *   krbtgt: For TGS requests, the DB entry of the (possibly foreign)
+     *     ticket granting service of the TGT.  For AS requests, the DB entry
+     *     of the service principal.
+     *
+     *   client_key: The reply key for the KDC request, before any FAST armor
+     *     is applied.  For AS requests, this may be the client's long-term key
+     *     or a key chosen by a preauth mechanism.  For TGS requests, this may
+     *     be the subkey found in the AP-REQ or the session key of the TGT.
+     *
+     *   server_key: The server key used to encrypt the returned ticket.
+     *
+     *   krbtgt_key: For TGS requests, the key of the (possibly foreign) ticket
+     *     granting service of the TGT.  for AS requests, the service
+     *     principal's key.
+     *
+     *   session_key: The session key of the ticket being granted to the
+     *     requestor.
+     *
+     *   authtime: The timestamp of the original client authentication time.
+     *     For AS requests, this is the current time.  For TGS requests, this
+     *     is the authtime of the subject ticket (TGT or S4U2Proxy evidence
+     *     ticket).
+     *
+     *   tgt_auth_data: For TGS requests, the authorization data present in the
+     *     subject ticket.  For AS requests, NULL.
+     */
+    krb5_error_code (*sign_authdata)(krb5_context kcontext,
+                                     unsigned int flags,
+                                     krb5_const_principal client_princ,
+                                     krb5_db_entry *client,
+                                     krb5_db_entry *server,
+                                     krb5_db_entry *krbtgt,
+                                     krb5_keyblock *client_key,
+                                     krb5_keyblock *server_key,
+                                     krb5_keyblock *krbtgt_key,
+                                     krb5_keyblock *session_key,
+                                     krb5_timestamp authtime,
+                                     krb5_authdata **tgt_auth_data,
+                                     krb5_authdata ***signed_auth_data);
+
+    /*
      * Optional: Perform an operation on input data req with output stored in
      * rep.  Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
      * method.  Defined methods are:
      *
-     * KRB5_KDB_METHOD_SIGN_AUTH_DATA: req contains a krb5_sign_auth_data_req
-     *     structure.  Generate signed authorization data, such as a Windows
-     *     PAC, for the ticket to be returned to the client.  Place the signed
-     *     authorization data in rep using a krb5_sign_auth_data_rep structure.
-     *     This function will be invoked for an AS request if the client
-     *     included padata requesting a PAC.  This function will be invoked for
-     *     a TGS request if there is authorization data in the TGT, if the
-     *     client is from another realm, or if the TGS request is an S4U2Self
-     *     or S4U2Proxy request.
      *
      * KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: req contains a
      *     kdb_check_transited_realms_req structure.  Perform a policy check on
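Review bot: The sign_authdata contract documents every input but not the output: it never says how `*signed_auth_data` must be allocated, who frees it, or what a module should do when it has nothing to add (leave it NULL and return 0, versus returning KRB5_PLUGIN_OP_NOTSUPP), and for a hook that is handed the reply key, the server key, the krbtgt key and the new session key that is the part a module author is most likely to get wrong. I would end the comment with a short output paragraph stating that `*signed_auth_data` is NULL on entry, that a module stores a NULL-terminated krb5_authdata list there on success, and that the list is presumably freed by the KDC with krb5_free_authdata — confirm against the caller in kdc_authdata.c, which is not in this diff. Two typos in the same comment: `requested by the service).` has a stray closing parenthesis, and `for AS requests, the service` in the krbtgt_key paragraph should start with a capital. The sentence about no_auth_data_required describes a KDC-side check that this commit does not show; if it is enforced elsewhere in the KDC, a pointer to where would help.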

Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/kdc/kdc_authdata.c	2010-07-12 18:33:05 UTC (rev 24182)
@@ -680,7 +680,7 @@
                      krb5_enc_tkt_part *enc_tkt_reply)
 {
     krb5_error_code code;
-    krb5_authdata **db_authdata = NULL;
+    krb5_authdata **tgt_authdata, **db_authdata = NULL;
     krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ);
     krb5_const_principal actual_client;
 
@@ -720,19 +720,12 @@
     else
         actual_client = enc_tkt_reply->client;
 
-    code = sign_db_authdata(context,
-                            flags,
-                            actual_client,
-                            client,
-                            server,
-                            krbtgt,
-                            client_key,
-                            server_key, /* U2U or server key */
-                            krbtgt_key,
-                            enc_tkt_reply->times.authtime,
-                            tgs_req ? enc_tkt_request->authorization_data : NULL,
-                            enc_tkt_reply->session,
-                            &db_authdata);
+    tgt_authdata = tgs_req ? enc_tkt_request->authorization_data : NULL;
+    code = krb5_db_sign_authdata(context, flags, actual_client, client,
+                                 server, krbtgt, client_key, server_key,
+                                 krbtgt_key, enc_tkt_reply->session,
+                                 enc_tkt_reply->times.authtime, tgt_authdata,
+                                 &db_authdata);
     if (code == 0) {
         code = merge_authdata(context,
                               db_authdata,
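Review bot: With this commit neither shipped module implements sign_authdata, so krb5_db_sign_authdata returns KRB5_PLUGIN_OP_NOTSUPP on every request; the `if (code == 0)` branch skips the merge, but the handling of a non-zero code is outside the hunk, so I cannot confirm NOTSUPP is mapped to success rather than failing the request (the old db_invoke path would have hit the same question, and the enclosing function continues past the hunk). I would make the intent explicit at the call site, either with a comment `/* NOTSUPP means the module adds no authdata; not an error. */` or, if that is the semantics the rest of the function relies on, with `if (code == KRB5_PLUGIN_OP_NOTSUPP) code = 0;` directly after the call. The reordered arguments (`enc_tkt_reply->session` before `times.authtime`, then `tgt_authdata`) do match the new prototype in kdb.h and the wrapper in kdb5.c.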

Modified: trunk/src/kdc/kdc_util.c
===================================================================
--- trunk/src/kdc/kdc_util.c	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/kdc/kdc_util.c	2010-07-12 18:33:05 UTC (rev 24182)
@@ -1720,60 +1720,6 @@
     return;
 }
 
-krb5_error_code
-sign_db_authdata (krb5_context context,
-                  unsigned int flags,
-                  krb5_const_principal client_princ,
-                  krb5_db_entry *client,
-                  krb5_db_entry *server,
-                  krb5_db_entry *krbtgt,
-                  krb5_keyblock *client_key,
-                  krb5_keyblock *server_key,
-                  krb5_keyblock *krbtgt_key,
-                  krb5_timestamp authtime,
-                  krb5_authdata **tgs_authdata,
-                  krb5_keyblock *session_key,
-                  krb5_authdata ***ret_authdata)
-{
-    krb5_error_code code;
-    kdb_sign_auth_data_req req;
-    kdb_sign_auth_data_rep rep;
-    krb5_data req_data;
-    krb5_data rep_data;
-
-    *ret_authdata = NULL;
-
-    memset(&req, 0, sizeof(req));
-    memset(&rep, 0, sizeof(rep));
-
-    req.flags                   = flags;
-    req.client_princ            = client_princ;
-    req.client                  = client;
-    req.server                  = server;
-    req.krbtgt                  = krbtgt;
-    req.client_key              = client_key;
-    req.server_key              = server_key;
-    req.authtime                = authtime;
-    req.auth_data               = tgs_authdata;
-    req.session_key             = session_key;
-    req.krbtgt_key              = krbtgt_key;
-
-    req_data.data = (void *)&req;
-    req_data.length = sizeof(req);
-
-    rep_data.data = (void *)&rep;
-    rep_data.length = sizeof(rep);
-
-    code = krb5_db_invoke(context,
-                          KRB5_KDB_METHOD_SIGN_AUTH_DATA,
-                          &req_data,
-                          &rep_data);
-
-    *ret_authdata = rep.auth_data;
-
-    return code;
-}
-
 static krb5_error_code
 verify_for_user_checksum(krb5_context context,
                          krb5_keyblock *key,

Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/kdc/kdc_util.h	2010-07-12 18:33:05 UTC (rev 24182)
@@ -246,21 +246,6 @@
                   krb5_boolean is_referral);
 
 krb5_error_code
-sign_db_authdata (krb5_context context,
-                  unsigned int flags,
-                  krb5_const_principal client_princ,
-                  krb5_db_entry *client,
-                  krb5_db_entry *server,
-                  krb5_db_entry *krbtgt,
-                  krb5_keyblock *client_key,
-                  krb5_keyblock *server_key,
-                  krb5_keyblock *krbtgt_key,
-                  krb5_timestamp authtime,
-                  krb5_authdata **tgs_authdata,
-                  krb5_keyblock *session_key,
-                  krb5_authdata ***ret_authdata);
-
-krb5_error_code
 kdc_process_s4u2self_req (krb5_context context,
                           krb5_kdc_req *request,
                           krb5_const_principal client_princ,

Modified: trunk/src/lib/kdb/kdb5.c
===================================================================
--- trunk/src/lib/kdb/kdb5.c	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/lib/kdb/kdb5.c	2010-07-12 18:33:05 UTC (rev 24182)
@@ -2223,6 +2223,30 @@
 }
 
 krb5_error_code
+krb5_db_sign_authdata(krb5_context kcontext, unsigned int flags,
+                      krb5_const_principal client_princ, krb5_db_entry *client,
+                      krb5_db_entry *server, krb5_db_entry *krbtgt,
+                      krb5_keyblock *client_key, krb5_keyblock *server_key,
+                      krb5_keyblock *krbtgt_key, krb5_keyblock *session_key,
+                      krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+                      krb5_authdata ***signed_auth_data)
+{
+    krb5_error_code status = 0;
+    kdb_vftabl *v;
+
+    *signed_auth_data = NULL;
+    status = get_vftabl(kcontext, &v);
+    if (status)
+        return status;
+    if (v->sign_authdata == NULL)
+        return KRB5_PLUGIN_OP_NOTSUPP;
+    return v->sign_authdata(kcontext, flags, client_princ, client, server,
+                            krbtgt, client_key, server_key, krbtgt_key,
+                            session_key, authtime, tgt_auth_data,
+                            signed_auth_data);
+}
+
+krb5_error_code
 krb5_db_invoke(krb5_context kcontext,
                unsigned int method,
                const krb5_data *req,

Modified: trunk/src/lib/kdb/libkdb5.exports
===================================================================
--- trunk/src/lib/kdb/libkdb5.exports	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/lib/kdb/libkdb5.exports	2010-07-12 18:33:05 UTC (rev 24182)
@@ -23,6 +23,7 @@
 krb5_db_set_context
 krb5_db_set_mkey_list
 krb5_db_setup_mkey_name
+krb5_db_sign_authdata
 krb5_db_unlock
 krb5_db_store_master_key
 krb5_db_store_master_key_list

Modified: trunk/src/plugins/kdb/db2/db2_exp.c
===================================================================
--- trunk/src/plugins/kdb/db2/db2_exp.c	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/plugins/kdb/db2/db2_exp.c	2010-07-12 18:33:05 UTC (rev 24182)
@@ -242,6 +242,6 @@
     /* get_master_key_list */           wrap_krb5_db2_get_mkey_list,
     /* blah blah blah */ 0,0,0,0,0,
     /* promote_db */                    wrap_krb5_db2_promote_db,
-    0, 0,
+    0, 0, 0,
     /* invoke */                        wrap_krb5_db2_invoke
 };
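Review bot: The new slot is added as an unlabelled positional zero in `0, 0, 0,`, which is exactly the kind of entry that silently lands in the wrong vtable position the next time kdb_vftabl grows; the ldap module in this same commit labels the entry. I would write the three slots as `/* decrypt_key_data */ 0, /* encrypt_key_data */ 0, /* sign_authdata */ 0,` to match ldap_exp.c and the labelled entries elsewhere in this initializer. The `/* blah blah blah */ 0,0,0,0,0,` line above has the same problem and could be labelled in the same pass.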

Modified: trunk/src/plugins/kdb/ldap/ldap_exp.c
===================================================================
--- trunk/src/plugins/kdb/ldap/ldap_exp.c	2010-07-09 12:25:50 UTC (rev 24181)
+++ trunk/src/plugins/kdb/ldap/ldap_exp.c	2010-07-12 18:33:05 UTC (rev 24182)
@@ -82,6 +82,7 @@
     /* promote_db */                        NULL,
     /* decrypt_key_data */                  NULL,
     /* encrypt_key_data */                  NULL,
+    /* sign_authdata */                     NULL,
     /* invoke */                            krb5_ldap_invoke,
 
 };



