svn rev #25300: trunk/src/ include/ include/krb5/ kdc/ lib/krb5/asn.1/ lib/krb5/krb/ ...
ghudson@MIT.EDU
ghudson at MIT.EDU
Wed Oct 5 13:27:15 EDT 2011
http://src.mit.edu/fisheye/changelog/krb5/?cs=25300
Commit By: ghudson
Log Message:
Use an opaque handle in the kdcpreauth callback.
Instead of passing a request and entry to the kdcpreauth get_data
callback, pass an opaque handle. Remove DB entry and key data
parameters from kdcpreauth methods (but keep the request, since that's
transparent).
The SecurID plugin links against libkdb5 and needs access to the client
DB entry. Rather than continue to pass a DB entry to kdcpreauth
methods, add a get_data callback to get the client DB entry for the few
plugins which might need it.
Changed Files:
U trunk/src/include/fast_factor.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/include/krb5/preauth_plugin.h
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/fast_util.c
U trunk/src/kdc/kdc_preauth.c
U trunk/src/kdc/kdc_preauth_ec.c
U trunk/src/kdc/kdc_util.h
U trunk/src/lib/krb5/asn.1/krb5_decode_kdc.c
U trunk/src/lib/krb5/krb/kfree.c
U trunk/src/plugins/preauth/cksum_body/cksum_body_main.c
D trunk/src/plugins/preauth/fast_factor.h
U trunk/src/plugins/preauth/pkinit/deps
U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
U trunk/src/plugins/preauth/pkinit/pkinit_srv.c
U trunk/src/plugins/preauth/securid_sam2/securid_sam2_main.c
U trunk/src/plugins/preauth/wpse/wpse_main.c
Modified: trunk/src/include/fast_factor.h
===================================================================
--- trunk/src/include/fast_factor.h 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/include/fast_factor.h 2011-10-05 17:27:15 UTC (rev 25300)
@@ -47,20 +47,17 @@
static inline krb5_error_code
fast_kdc_get_armor_key(krb5_context context,
- krb5_kdcpreauth_get_data_fn get_entry,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
+ krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_keyblock **armor_key)
{
krb5_error_code retval;
krb5_data *data;
- retval = get_entry(context, request, client, krb5_kdcpreauth_fast_armor,
- &data);
+ retval = (*get_data)(context, rock, krb5_kdcpreauth_fast_armor, &data);
if (retval == 0) {
*armor_key = (krb5_keyblock *) data->data;
data->data = NULL;
- get_entry(context, request, client,
- krb5_kdcpreauth_free_fast_armor, &data);
+ (*get_data)(context, rock, krb5_kdcpreauth_free_fast_armor, &data);
}
return retval;
}
@@ -69,8 +66,8 @@
static inline krb5_error_code
fast_kdc_replace_reply_key(krb5_context context,
- krb5_kdcpreauth_get_data_fn get_data,
- krb5_kdc_req *request)
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock)
{
return 0;
}
Modified: trunk/src/include/krb5/krb5.hin
===================================================================
--- trunk/src/include/krb5/krb5.hin 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/include/krb5/krb5.hin 2011-10-05 17:27:15 UTC (rev 25300)
@@ -2012,13 +2012,6 @@
krb5_enc_data authorization_data; /**< Encrypted authz data (optional) */
krb5_authdata **unenc_authdata; /**< Unencrypted authz data */
krb5_ticket **second_ticket; /**< Second ticket array (optional) */
- /*
- * The following field is added in March 2009; it is a hack so that FAST
- * state can be carried to pre-authentication plugins. A new plugin
- * interface may be a better long-term approach. It is believed to be safe
- * to extend this structure because it is not found in any public APIs.
- */
- void *kdc_state;
} krb5_kdc_req;
/**
Modified: trunk/src/include/krb5/preauth_plugin.h
===================================================================
--- trunk/src/include/krb5/preauth_plugin.h 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/include/krb5/preauth_plugin.h 2011-10-05 17:27:15 UTC (rev 25300)
@@ -324,10 +324,8 @@
* kdcpreauth plugin interface definition.
*/
-/* While arguments of these types are passed in, they are opaque to kdcpreauth
- * modules. */
-struct _krb5_db_entry_new;
-struct _krb5_key_data;
+/* Abstract type for a KDC callback data handle. */
+typedef struct krb5_kdcpreauth_rock_st *krb5_kdcpreauth_rock;
/* Abstract type for module data and per-request module data. */
typedef struct krb5_kdcpreauth_moddata_st *krb5_kdcpreauth_moddata;
@@ -346,8 +344,9 @@
krb5_kdcpreauth_max_time_skew = 2,
/*
* The returned krb5_data_item holds an array of krb5_keyblock structures,
- * terminated by an entry with key type = 0. Each keyblock should have its
- * contents freed in turn, and then the data item itself should be freed.
+ * containing the client keys, terminated by an entry with key type = 0.
+ * Each keyblock should have its contents freed in turn, and then the data
+ * item itself should be freed.
*/
krb5_kdcpreauth_keys = 3,
/*
@@ -368,13 +367,16 @@
* the keyblock using krb5_free_keyblock; in that case, this function
* simply frees the data.
*/
- krb5_kdcpreauth_free_fast_armor = 6
+ krb5_kdcpreauth_free_fast_armor = 6,
+ /*
+ * The returned krb5_data contains a pointer to the client DB entry. The
+ * pointer is an alias and should not be freed.
+ */
+ krb5_kdcpreauth_get_client = 7
};
typedef krb5_error_code
-(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *entry,
- krb5_int32 request_type,
- krb5_data **);
+(*krb5_kdcpreauth_get_data_fn)(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_int32 request_type, krb5_data **);
/* Optional: preauth plugin initialization function. */
typedef krb5_error_code
@@ -411,9 +413,8 @@
*/
typedef krb5_error_code
(*krb5_kdcpreauth_edata_fn)(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_pa_data *pa_out);
@@ -441,11 +442,11 @@
*/
typedef void
(*krb5_kdcpreauth_verify_fn)(krb5_context context,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt, krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg);
@@ -458,14 +459,13 @@
typedef krb5_error_code
(*krb5_kdcpreauth_return_fn)(krb5_context context,
krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_kdc_rep *reply,
- struct _krb5_key_data *client_keys,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa_out,
krb5_kdcpreauth_get_data_fn get_data,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
Modified: trunk/src/kdc/do_as_req.c
===================================================================
--- trunk/src/kdc/do_as_req.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/kdc/do_as_req.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -110,6 +110,7 @@
krb5_db_entry *client;
krb5_db_entry *server;
krb5_kdc_req *request;
+ struct krb5_kdcpreauth_rock_st rock;
const char *status;
krb5_pa_data **e_data;
krb5_boolean typed_e_data;
@@ -156,8 +157,7 @@
&state->enc_tkt_reply);
if (state->status) {
errcode = KRB5KDC_ERR_PREAUTH_REQUIRED;
- get_preauth_hint_list(state->request, state->client,
- state->server, &state->e_data);
+ get_preauth_hint_list(state->request, &state->rock, &state->e_data);
goto egress;
}
@@ -216,6 +216,7 @@
errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
goto egress;
}
+ state->rock.client_key = client_key;
/* convert client.key_data into a real key */
if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL,
@@ -254,8 +255,8 @@
/* Fetch the padata info to be returned (do this before
* authdata to handle possible replacement of reply key
*/
- errcode = return_padata(kdc_context, state->client, state->req_pkt,
- state->request, &state->reply, client_key,
+ errcode = return_padata(kdc_context, &state->rock, state->req_pkt,
+ state->request, &state->reply,
&state->client_keyblock, &state->pa_context);
if (errcode) {
state->status = "KDC_RETURN_PADATA";
@@ -409,7 +410,6 @@
krb5_free_pa_data(kdc_context, state->e_data);
kdc_free_rstate(state->rstate);
- state->request->kdc_state = NULL;
krb5_free_kdc_req(kdc_context, state->request);
assert(did_log != 0);
@@ -424,8 +424,8 @@
if (errcode) {
if (errcode == KRB5KDC_ERR_PREAUTH_FAILED)
- get_preauth_hint_list(state->request, state->client,
- state->server, &state->e_data);
+ get_preauth_hint_list(state->request, &state->rock,
+ &state->e_data);
state->status = "PREAUTH_FAILED";
if (vague_errors)
@@ -475,6 +475,7 @@
state->cname = 0;
state->pa_context = NULL;
state->from = from;
+ memset(&state->rock, 0, sizeof(state->rock));
#if APPLE_PKINIT
asReqDebug("process_as_req top realm %s name %s\n",
@@ -503,7 +504,8 @@
state->status = "error decoding FAST";
goto errout;
}
- state->request->kdc_state = state->rstate;
+ state->rock.request = state->request;
+ state->rock.rstate = state->rstate;
if (!state->request->client) {
state->status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@@ -560,6 +562,7 @@
state->status = "LOOKING_UP_CLIENT";
goto errout;
}
+ state->rock.client = state->client;
/*
* If the backend returned a principal that is not in the local
@@ -749,11 +752,12 @@
state->enc_tkt_reply.client = state->request->client;
setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
}
+
/*
* Check the preauthentication if it is there.
*/
if (state->request->padata) {
- check_padata(kdc_context, state->client, state->req_pkt,
+ check_padata(kdc_context, &state->rock, state->req_pkt,
state->request, &state->enc_tkt_reply, &state->pa_context,
&state->e_data, &state->typed_e_data, finish_preauth,
state);
Modified: trunk/src/kdc/fast_util.c
===================================================================
--- trunk/src/kdc/fast_util.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/kdc/fast_util.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -223,8 +223,6 @@
KRB5_PADATA_FX_COOKIE);
if (retval == 0) {
state->fast_options = fast_req->fast_options;
- if (request->kdc_state == state)
- request->kdc_state = NULL;
krb5_free_kdc_req( kdc_context, request);
*requestptr = fast_req->req_body;
fast_req->req_body = NULL;
Modified: trunk/src/kdc/kdc_preauth.c
===================================================================
--- trunk/src/kdc/kdc_preauth.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/kdc/kdc_preauth.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -105,30 +105,26 @@
} preauth_system;
static void
-verify_enc_timestamp(krb5_context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+verify_enc_timestamp(krb5_context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_verify_respond_fn respond,
- void *arg);
+ krb5_kdcpreauth_verify_respond_fn respond, void *arg);
static krb5_error_code
get_enc_ts(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata modata, krb5_pa_data *data);
static krb5_error_code
get_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data);
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data);
static krb5_error_code
@@ -141,31 +137,27 @@
int etype_info2);
static krb5_error_code
-return_etype_info(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply, krb5_key_data *client_key,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
static krb5_error_code
-return_etype_info2(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_etype_info2(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply, krb5_key_data *client_key,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq);
static krb5_error_code
-return_pw_salt(krb5_context, krb5_pa_data *padata, krb5_db_entry *client,
+return_pw_salt(krb5_context, krb5_pa_data *padata,
krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq);
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq);
#if APPLE_PKINIT
@@ -547,7 +539,7 @@
}
/*
- * Retrieve a specific piece of information pertaining to the entry or the
+ * Retrieve a specific piece of information pertaining to the client entry or
* request and return it in a new krb5_data item which the caller must free.
*
* This may require massaging data into a contrived format, but it will
@@ -555,8 +547,8 @@
* modules.
*/
static krb5_error_code
-get_entry_data(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *entry, krb5_int32 type, krb5_data **result)
+get_data(krb5_context context, krb5_kdcpreauth_rock rock, krb5_int32 type,
+ krb5_data **result)
{
int i, k;
krb5_data *ret;
@@ -564,12 +556,14 @@
krb5_keyblock *keys;
krb5_key_data *entry_key;
krb5_error_code error;
- struct kdc_request_state *state = request->kdc_state;
+ krb5_kdc_req *request = rock->request;
+ struct kdc_request_state *state = rock->rstate;
+ krb5_db_entry *client = rock->client;
switch (type) {
case krb5_kdcpreauth_request_certificate:
- return get_entry_tl_data(context, entry,
- KRB5_TL_USER_CERTIFICATE, result);
+ return get_entry_tl_data(context, client, KRB5_TL_USER_CERTIFICATE,
+ result);
break;
case krb5_kdcpreauth_max_time_skew:
ret = malloc(sizeof(krb5_data));
@@ -601,7 +595,7 @@
k = 0;
for (i = 0; i < request->nktypes; i++) {
entry_key = NULL;
- if (krb5_dbe_find_enctype(context, entry, request->ktype[i],
+ if (krb5_dbe_find_enctype(context, client, request->ktype[i],
-1, 0, &entry_key) != 0)
continue;
if (krb5_dbe_decrypt_key_data(context, NULL, entry_key,
@@ -654,6 +648,14 @@
}
free(*result);
return 0;
+ case krb5_kdcpreauth_get_client:
+ ret = malloc(sizeof(krb5_data));
+ if (ret == NULL)
+ return ENOMEM;
+ ret->data = (char *)&rock->client;
+ ret->length = sizeof(rock->client);
+ *result = ret;
+ return 0;
default:
break;
}
@@ -820,8 +822,8 @@
}
void
-get_preauth_hint_list(krb5_kdc_req *request, krb5_db_entry *client,
- krb5_db_entry *server, krb5_pa_data ***e_data_out)
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+ krb5_pa_data ***e_data_out)
{
int hw_only;
preauth_system *ap;
@@ -830,7 +832,7 @@
*e_data_out = NULL;
- hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
+ hw_only = isflagset(rock->client->attributes, KRB5_KDB_REQUIRES_HW_AUTH);
/* Allocate two extra entries for the cookie and the terminator. */
pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *));
if (pa_data == 0)
@@ -849,8 +851,8 @@
(*pa)->magic = KV5M_PA_DATA;
(*pa)->pa_type = ap->type;
if (ap->get_edata) {
- retval = ap->get_edata(kdc_context, request, client, server,
- get_entry_data, ap->moddata, *pa);
+ retval = ap->get_edata(kdc_context, request, get_data, rock,
+ ap->moddata, *pa);
if (retval) {
/* just failed on this type, continue */
free(*pa);
@@ -869,7 +871,7 @@
* If we fail to get the cookie it is probably
* still reasonable to continue with the response
*/
- kdc_preauth_get_cookie(request->kdc_state, pa);
+ kdc_preauth_get_cookie(rock->rstate, pa);
*e_data_out = pa_data;
pa_data = NULL;
@@ -937,7 +939,7 @@
krb5_pa_data **padata;
int pa_found;
krb5_context context;
- krb5_db_entry *client;
+ krb5_kdcpreauth_rock rock;
krb5_data *req_pkt;
krb5_kdc_req *request;
krb5_enc_tkt_part *enc_tkt_reply;
@@ -1135,11 +1137,11 @@
goto next;
state->pa_found++;
- state->pa_sys->verify_padata(state->context, state->client,
- state->req_pkt, state->request,
- state->enc_tkt_reply, *state->padata,
- get_entry_data, state->pa_sys->moddata,
- finish_verify_padata, state);
+ state->pa_sys->verify_padata(state->context, state->req_pkt,
+ state->request, state->enc_tkt_reply,
+ *state->padata, get_data, state->rock,
+ state->pa_sys->moddata, finish_verify_padata,
+ state);
return;
next:
@@ -1155,11 +1157,11 @@
*/
void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context, krb5_pa_data ***e_data,
- krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
- void *arg)
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+ krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+ kdc_preauth_respond_fn respond, void *arg)
{
struct padata_state *state;
@@ -1182,7 +1184,7 @@
state->respond = respond;
state->arg = arg;
state->context = context;
- state->client = client;
+ state->rock = rock;
state->req_pkt = req_pkt;
state->request = request;
state->enc_tkt_reply = enc_tkt_reply;
@@ -1203,10 +1205,9 @@
* structures which should be returned by the KDC to the client
*/
krb5_error_code
-return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- void **padata_context)
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, void **padata_context)
{
krb5_error_code retval;
krb5_pa_data ** padata;
@@ -1280,13 +1281,11 @@
}
}
}
- if ((retval = ap->return_padata(context, pa, client, req_pkt,
- request, reply,
- client_key, encrypting_key, send_pa,
- get_entry_data, ap->moddata,
- *modreq_ptr))) {
+ retval = ap->return_padata(context, pa, req_pkt, request, reply,
+ encrypting_key, send_pa, get_data, rock,
+ ap->moddata, *modreq_ptr);
+ if (retval)
goto cleanup;
- }
if (*send_pa)
send_pa++;
@@ -1322,22 +1321,20 @@
static krb5_error_code
get_enc_ts(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn get_entry_data_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
- struct kdc_request_state *state = request->kdc_state;
- if (state->armor_key)
+ if (rock->rstate->armor_key != NULL)
return ENOENT;
return 0;
}
static void
-verify_enc_timestamp(krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa,
- krb5_kdcpreauth_get_data_fn ets_get_entry_data,
+verify_enc_timestamp(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
@@ -1368,7 +1365,7 @@
start = 0;
decrypt_err = 0;
while (1) {
- if ((retval = krb5_dbe_search_enctype(context, client,
+ if ((retval = krb5_dbe_search_enctype(context, rock->client,
&start, enc_data->enctype,
-1, 0, &client_key)))
goto cleanup;
@@ -1492,8 +1489,8 @@
*/
static krb5_error_code
etype_info_helper(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_pa_data *pa_data, int etype_info2)
+ krb5_db_entry *client, krb5_pa_data *pa_data,
+ int etype_info2)
{
krb5_etype_info_entry ** entry = 0;
krb5_key_data *client_key;
@@ -1579,8 +1576,7 @@
static krb5_error_code
get_etype_info(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
int i;
@@ -1590,16 +1586,15 @@
* skip this
* type*/
}
- return etype_info_helper(context, request, client, server, pa_data, 0);
+ return etype_info_helper(context, request, rock->client, pa_data, 0);
}
static krb5_error_code
get_etype_info2(krb5_context context, krb5_kdc_req *request,
- krb5_db_entry *client, krb5_db_entry *server,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
- return etype_info_helper( context, request, client, server, pa_data, 1);
+ return etype_info_helper(context, request, rock->client, pa_data, 1);
}
static krb5_error_code
@@ -1681,51 +1676,43 @@
static krb5_error_code
return_etype_info2(krb5_context context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
- return etype_info_as_rep_helper(context, padata, client, request, reply,
- client_key, encrypting_key, send_pa, 1);
+ return etype_info_as_rep_helper(context, padata, rock->client, request,
+ reply, rock->client_key, encrypting_key,
+ send_pa, 1);
}
static krb5_error_code
-return_etype_info(krb5_context context, krb5_pa_data * padata,
- krb5_db_entry *client,
- krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key,
- krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etypeget_entry_data,
- krb5_kdcpreauth_moddata moddata,
+return_etype_info(krb5_context context, krb5_pa_data *padata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
- return etype_info_as_rep_helper(context, padata, client, request, reply,
- client_key, encrypting_key, send_pa, 0);
+ return etype_info_as_rep_helper(context, padata, rock->client, request,
+ reply, rock->client_key, encrypting_key,
+ send_pa, 0);
}
static krb5_error_code
return_pw_salt(krb5_context context, krb5_pa_data *in_padata,
- krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn etype_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_modreq modreq)
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval;
krb5_pa_data * padata;
krb5_data * scratch;
krb5_data salt_data;
+ krb5_key_data * client_key = rock->client_key;
int i;
for (i = 0; i < request->nktypes; i++) {
Modified: trunk/src/kdc/kdc_preauth_ec.c
===================================================================
--- trunk/src/kdc/kdc_preauth_ec.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/kdc/kdc_preauth_ec.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -36,15 +36,12 @@
static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn get_data_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
krb5_error_code retval = 0;
krb5_keyblock *armor_key = NULL;
- retval = fast_kdc_get_armor_key(context, get_data_proc, request, client,
- &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval)
return retval;
if (armor_key == 0)
@@ -54,11 +51,10 @@
}
static void
-kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
+kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *data, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
{
@@ -77,7 +73,7 @@
plain.data = NULL;
- retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval == 0 &&armor_key == NULL) {
retval = ENOENT;
krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel");
@@ -93,8 +89,7 @@
retval = ENOMEM;
}
if (retval == 0)
- retval = get_entry_proc(context, request, client,
- krb5_kdcpreauth_keys, &client_data);
+ retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_data);
if (retval == 0) {
client_keys = (krb5_keyblock *) client_data->data;
for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) {
@@ -138,7 +133,7 @@
* may cause the client to fail, but at this point the KDC has
* considered this a success, so the return value is ignored.
*/
- fast_kdc_replace_reply_key(context, get_entry_proc, request);
+ fast_kdc_replace_reply_key(context, get, rock);
if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor",
&client_keys[i], "challengelongterm",
&kdc_challenge_key) == 0)
@@ -166,12 +161,10 @@
static krb5_error_code
kdc_return_preauth(krb5_context context, krb5_pa_data *padata,
- struct _krb5_db_entry_new *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_kdc_rep *reply,
- struct _krb5_key_data *client_keys,
- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_kdc_rep *reply, krb5_keyblock *encrypting_key,
+ krb5_pa_data **send_pa, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
krb5_error_code retval = 0;
Modified: trunk/src/kdc/kdc_util.h
===================================================================
--- trunk/src/kdc/kdc_util.h 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/kdc/kdc_util.h 2011-10-05 17:27:15 UTC (rev 25300)
@@ -167,10 +167,8 @@
krb5_db_entry *server,
krb5_enc_tkt_part *enc_tkt_reply);
void
-get_preauth_hint_list (krb5_kdc_req * request,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_pa_data ***e_data_out);
+get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock,
+ krb5_pa_data ***e_data_out);
void
load_preauth_plugins(krb5_context context);
void
@@ -179,18 +177,16 @@
typedef void (*kdc_preauth_respond_fn)(void *arg, krb5_error_code code);
void
-check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context, krb5_pa_data ***e_data,
- krb5_boolean *typed_e_data, kdc_preauth_respond_fn respond,
- void *state);
+check_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply, void **padata_context,
+ krb5_pa_data ***e_data, krb5_boolean *typed_e_data,
+ kdc_preauth_respond_fn respond, void *state);
krb5_error_code
-return_padata (krb5_context context, krb5_db_entry *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_kdc_rep *reply,
- krb5_key_data *client_key, krb5_keyblock *encrypting_key,
- void **padata_context);
+return_padata(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
+ krb5_keyblock *encrypting_key, void **padata_context);
void
free_padata_context(krb5_context context, void *padata_context);
@@ -380,6 +376,13 @@
krb5int_get_domain_realm_mapping(krb5_context context,
const char *host, char ***realmsp);
+/* Information handle for kdcpreauth callbacks. All pointers are aliases. */
+struct krb5_kdcpreauth_rock_st {
+ krb5_kdc_req *request;
+ krb5_db_entry *client;
+ krb5_key_data *client_key;
+ struct kdc_request_state *rstate;
+};
#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
Modified: trunk/src/lib/krb5/asn.1/krb5_decode_kdc.c
===================================================================
--- trunk/src/lib/krb5/asn.1/krb5_decode_kdc.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/lib/krb5/asn.1/krb5_decode_kdc.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -41,7 +41,6 @@
clear_field(rep,authorization_data.ciphertext.data);
clear_field(rep,unenc_authdata);
clear_field(rep,second_ticket);
- clear_field(rep, kdc_state);
check_apptag(10);
retval = asn1_decode_kdc_req(&buf,rep);
@@ -69,7 +68,6 @@
clear_field(rep,authorization_data.ciphertext.data);
clear_field(rep,unenc_authdata);
clear_field(rep,second_ticket);
- clear_field(rep, kdc_state);
check_apptag(12);
retval = asn1_decode_kdc_req(&buf,rep);
Modified: trunk/src/lib/krb5/krb/kfree.c
===================================================================
--- trunk/src/lib/krb5/krb/kfree.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/lib/krb5/krb/kfree.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -339,7 +339,6 @@
{
if (val == NULL)
return;
- assert( val->kdc_state == NULL);
krb5_free_pa_data(context, val->padata);
krb5_free_principal(context, val->client);
krb5_free_principal(context, val->server);
Modified: trunk/src/plugins/preauth/cksum_body/cksum_body_main.c
===================================================================
--- trunk/src/plugins/preauth/cksum_body/cksum_body_main.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/plugins/preauth/cksum_body/cksum_body_main.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -272,13 +272,9 @@
/* Obtain and return any preauthentication data (which is destined for the
* client) which matches type data->pa_type. */
static krb5_error_code
-server_get_edata(krb5_context kcontext,
- krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
- krb5_kdcpreauth_moddata moddata,
- krb5_pa_data *data)
+server_get_edata(krb5_context kcontext, krb5_kdc_req *request,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
+ krb5_kdcpreauth_moddata moddata, krb5_pa_data *data)
{
krb5_data *key_data;
krb5_keyblock *keys, *key;
@@ -287,8 +283,7 @@
/* Retrieve the client's keys. */
key_data = NULL;
- if ((*server_get_entry_data)(kcontext, request, client,
- krb5_kdcpreauth_keys, &key_data) != 0) {
+ if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
@@ -331,12 +326,12 @@
/* Verify a request from a client. */
static void
server_verify(krb5_context kcontext,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
@@ -394,8 +389,7 @@
/* Pull up the client's keys. */
key_data = NULL;
- if ((*server_get_entry_data)(kcontext, request, client,
- krb5_kdcpreauth_keys, &key_data) != 0) {
+ if ((*get)(kcontext, rock, krb5_kdcpreauth_keys, &key_data) != 0) {
#ifdef DEBUG
fprintf(stderr, "Error retrieving client keys.\n");
#endif
@@ -454,9 +448,7 @@
* extract the structure directly from the req_pkt structure. This
* will probably work if it's us on both ends, though. */
req_body = NULL;
- if ((*server_get_entry_data)(kcontext, request, client,
- krb5_kdcpreauth_request_body,
- &req_body) != 0) {
+ if ((*get)(kcontext, rock, krb5_kdcpreauth_request_body, &req_body) != 0) {
krb5_free_keyblock(kcontext, key);
stats->failures++;
(*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL);
@@ -593,14 +585,13 @@
static krb5_error_code
server_return(krb5_context kcontext,
krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_kdc_rep *reply,
- struct _krb5_key_data *client_key,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
Modified: trunk/src/plugins/preauth/pkinit/deps
===================================================================
--- trunk/src/plugins/preauth/pkinit/deps 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/plugins/preauth/pkinit/deps 2011-10-05 17:27:15 UTC (rev 25300)
@@ -16,16 +16,16 @@
pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \
- $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h $(top_srcdir)/include/k5-buf.h \
- $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
- $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
- $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
- $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
- $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
- $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \
- $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
- pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \
- pkinit_srv.c
+ $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \
+ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \
+ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \
+ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \
+ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \
+ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
+ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
+ $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \
+ pkinit_accessor.h pkinit_crypto.h pkinit_srv.c
pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \
@@ -49,7 +49,7 @@
pkinit.h pkinit_accessor.h pkinit_crypto.h pkinit_kdf_constants.c
pkinit_clnt.so pkinit_clnt.po $(OUTPRE)pkinit_clnt.$(OBJEXT): \
$(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../fast_factor.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fast_factor.h \
$(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-platform.h \
$(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h pkcs11.h \
Modified: trunk/src/plugins/preauth/pkinit/pkinit_clnt.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -42,7 +42,7 @@
#include "pkinit.h"
/* Remove when FAST PKINIT is settled. */
-#include "../fast_factor.h"
+#include "fast_factor.h"
/*
* It is anticipated that all the special checks currently
Modified: trunk/src/plugins/preauth/pkinit/pkinit_srv.c
===================================================================
--- trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -38,7 +38,7 @@
#include "pkinit.h"
/* Remove when FAST PKINIT is settled. */
-#include "../fast_factor.h"
+#include "fast_factor.h"
static krb5_error_code
pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob);
@@ -101,9 +101,8 @@
static krb5_error_code
pkinit_server_get_edata(krb5_context context,
krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_pa_data *data)
{
@@ -114,8 +113,7 @@
pkiDebug("pkinit_server_get_edata: entered!\n");
/* Remove (along with armor_key) when FAST PKINIT is settled. */
- retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
- client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval == 0 && armor_key != NULL) {
/* Don't advertise PKINIT if the client used FAST. */
krb5_free_keyblock(context, armor_key);
@@ -289,12 +287,12 @@
static void
pkinit_server_verify_padata(krb5_context context,
- struct _krb5_db_entry_new * client,
krb5_data *req_pkt,
krb5_kdc_req * request,
krb5_enc_tkt_part * enc_tkt_reply,
krb5_pa_data * data,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
@@ -324,8 +322,7 @@
}
/* Remove (along with armor_key) when FAST PKINIT is settled. */
- retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
- client, &armor_key);
+ retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
if (retval == 0 && armor_key != NULL) {
/* Don't allow PKINIT if the client used FAST. */
krb5_free_keyblock(context, armor_key);
@@ -697,14 +694,13 @@
static krb5_error_code
pkinit_server_return_padata(krb5_context context,
krb5_pa_data * padata,
- struct _krb5_db_entry_new * client,
krb5_data *req_pkt,
krb5_kdc_req * request,
krb5_kdc_rep * reply,
- struct _krb5_key_data * client_key,
krb5_keyblock * encrypting_key,
krb5_pa_data ** send_pa,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)
{
Modified: trunk/src/plugins/preauth/securid_sam2/securid_sam2_main.c
===================================================================
--- trunk/src/plugins/preauth/securid_sam2/securid_sam2_main.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/plugins/preauth/securid_sam2/securid_sam2_main.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -50,6 +50,19 @@
{ 0, 0 },
};
+static krb5_db_entry *
+get_client_entry(krb5_context context, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock)
+{
+ krb5_data *data;
+ krb5_db_entry *client;
+
+ (*get)(context, rock, krb5_kdcpreauth_get_client, &data);
+ client = *(krb5_db_entry **)data->data;
+ free(data);
+ return client;
+}
+
krb5_error_code
sam_get_db_entry(krb5_context context, krb5_principal client,
int *sam_type, struct _krb5_db_entry_new **db_entry)
@@ -114,9 +127,7 @@
static krb5_error_code
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
+ krb5_kdcpreauth_get_data_fn get, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
{
krb5_error_code retval;
@@ -125,7 +136,7 @@
krb5_sam_challenge_2 sc2;
krb5_sam_challenge_2_body sc2b;
int sam_type = 0; /* unknown */
- krb5_db_entry *sam_db_entry = NULL;
+ krb5_db_entry *sam_db_entry = NULL, *client;
krb5_data *encoded_challenge = NULL;
memset(&sc2, 0, sizeof(sc2));
@@ -133,12 +144,12 @@
sc2b.magic = KV5M_SAM_CHALLENGE_2;
sc2b.sam_type = sam_type;
+ client = get_client_entry(context, get, rock);
retval = sam_get_db_entry(context, client->princ, &sam_type,
&sam_db_entry);
if (retval)
return retval;
- retval = get_entry_proc(context, request, client,
- krb5_kdcpreauth_keys, &client_keys_data);
+ retval = (*get)(context, rock, krb5_kdcpreauth_keys, &client_keys_data);
if (retval)
goto cleanup;
client_key = (krb5_keyblock *) client_keys_data->data;
@@ -203,19 +214,18 @@
}
static void
-kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
- krb5_data *req_pkt, krb5_kdc_req *request,
- krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data,
- krb5_kdcpreauth_get_data_fn get_entry_proc,
- krb5_kdcpreauth_moddata moddata,
- krb5_kdcpreauth_verify_respond_fn respond,
- void *arg)
+kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
+ krb5_pa_data *pa_data, krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
+ krb5_kdcpreauth_verify_respond_fn respond, void *arg)
{
krb5_error_code retval, saved_retval = 0;
krb5_sam_response_2 *sr2 = NULL;
krb5_data scratch, *scratch2, *e_data = NULL;
char *client_name = NULL;
krb5_sam_challenge_2 *out_sc2 = NULL;
+ krb5_db_entry *client = get_client_entry(context, get, rock);
scratch.data = (char *) pa_data->contents;
scratch.length = pa_data->length;
Modified: trunk/src/plugins/preauth/wpse/wpse_main.c
===================================================================
--- trunk/src/plugins/preauth/wpse/wpse_main.c 2011-10-04 22:40:10 UTC (rev 25299)
+++ trunk/src/plugins/preauth/wpse/wpse_main.c 2011-10-05 17:27:15 UTC (rev 25300)
@@ -246,9 +246,8 @@
static krb5_error_code
server_get_edata(krb5_context kcontext,
krb5_kdc_req *request,
- struct _krb5_db_entry_new *client,
- struct _krb5_db_entry_new *server,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_pa_data *data)
{
@@ -261,12 +260,12 @@
/* Verify a request from a client. */
static void
server_verify(krb5_context kcontext,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply,
krb5_pa_data *data,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
void *arg)
@@ -370,14 +369,13 @@
static krb5_error_code
server_return(krb5_context kcontext,
krb5_pa_data *padata,
- struct _krb5_db_entry_new *client,
krb5_data *req_pkt,
krb5_kdc_req *request,
krb5_kdc_rep *reply,
- struct _krb5_key_data *client_key,
krb5_keyblock *encrypting_key,
krb5_pa_data **send_pa,
- krb5_kdcpreauth_get_data_fn server_get_entry_data,
+ krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq)
{
/* This module does a couple of dumb things. It tags its reply with
More information about the cvs-krb5
mailing list