krb5 commit: Add client_keyblock kdcpreauth callback
Greg Hudson
ghudson at mit.edu
Wed Jul 8 18:24:57 EDT 2015
https://github.com/krb5/krb5/commit/7b12eb4757f8dd05b79c9b49d4289f0caf1f6eec
commit 7b12eb4757f8dd05b79c9b49d4289f0caf1f6eec
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu Jun 4 14:08:06 2015 -0400
Add client_keyblock kdcpreauth callback
Add a new kdcpreauth callback which gets the selected client key.
This callback can be used by preauth mechs which need to use the
singular reply key in a challenge sent by the KDC, now that we send
only one etype-info entry in PREAUTH_REQUIRED errors.
ticket: 8200 (new)
src/include/krb5/kdcpreauth_plugin.h | 15 ++++++++++++++-
src/kdc/kdc_preauth.c | 11 +++++++++--
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 9abe76f..2f41158 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -34,7 +34,7 @@
* Declarations for kdcpreauth plugin module implementors.
*
* The kdcpreauth interface has a single supported major version, which is 1.
- * Major version 1 has a current minor version of 2. kdcpreauth modules should
+ * Major version 1 has a current minor version of 3. kdcpreauth modules should
* define a function named kdcpreauth_<modulename>_initvt, matching the
* signature:
*
@@ -181,6 +181,19 @@ typedef struct krb5_kdcpreauth_callbacks_st {
/* End of version 2 kdcpreauth callbacks. */
+ /*
+ * Get the decrypted client long-term key chosen according to the request
+ * enctype list, or NULL if no matching key was found. The returned
+ * pointer is an alias and should not be freed. If invoked from
+ * return_padata, the result will be the same as the encrypting_key
+ * parameter if it is not NULL, and will therefore reflect the modified
+ * reply key if a return_padata handler has replaced the reply key.
+ */
+ const krb5_keyblock *(*client_keyblock)(krb5_context context,
+ krb5_kdcpreauth_rock rock);
+
+ /* End of version 3 kdcpreauth callbacks. */
+
} *krb5_kdcpreauth_callbacks;
/* Optional: preauth plugin initialization function. */
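Review bot: The new client_keyblock comment says the returned pointer is an alias that must not be freed, but it does not say how long the alias stays valid or how a module should handle what is the client's decrypted long-term key. Since the pointer hangs off the per-request rock, I would add a sentence such as `* The pointer is only valid while the current request is being processed; modules must not retain it, copy it into module state, or log it.` The claim that a return_padata caller sees the replaced reply key implies the KDC rewrites the rock's key when a handler swaps it; that rewrite is not part of this commit, so it should be confirmed against kdc_preauth.c before the sentence stands as a contract.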
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 0a5d8f4..d76d4af 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -536,8 +536,14 @@ have_client_keys(krb5_context context, krb5_kdcpreauth_rock rock)
return FALSE;
}
+static const krb5_keyblock *
+client_keyblock(krb5_context context, krb5_kdcpreauth_rock rock)
+{
+ return rock->client_keyblock;
+}
+
static struct krb5_kdcpreauth_callbacks_st callbacks = {
- 2,
+ 3,
max_time_skew,
client_keys,
free_keys,
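Review bot: client_keyblock simply returns rock->client_keyblock, so the header's promise that a return_padata caller sees the replaced reply key (the non-NULL encrypting_key parameter) holds only if the KDC stores that replacement back into rock->client_keyblock before later handlers run; nothing in this commit does so, so either that assignment already exists elsewhere in kdc_preauth.c or the header overstates the behavior, and that should be verified. Whichever it is, the accessor deserves a one-line comment tying it to the contract, e.g. `/* Alias of the key selected for this request; callers must not free or retain it. */`. The unused context parameter is fine for a callback-table slot but could be marked as such if the file has a convention for it.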
@@ -547,7 +553,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
free_string,
client_entry,
event_context,
- have_client_keys
+ have_client_keys,
+ client_keyblock
};
static krb5_error_code