krb5 commit: Add kdcpreauth callback for auth indicators
Greg Hudson
ghudson at mit.edu
Wed Jul 22 13:29:37 EDT 2015
https://github.com/krb5/krb5/commit/dd95e18f5cfa426db0f265172202debd257f3cdb
commit dd95e18f5cfa426db0f265172202debd257f3cdb
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Dec 22 12:44:08 2014 -0500
Add kdcpreauth callback for auth indicators
Add a new kdcpreauth callback add_auth_indicator, which adds an
authentication indicator string. This commit doesn't do anything with
the asserted authentication indicators; they are tracked in the
auth_indicators field of struct as_req_state to be used later.
ticket: 8157
src/include/krb5/kdcpreauth_plugin.h | 6 ++++++
src/kdc/do_as_req.c | 3 +++
src/kdc/kdc_preauth.c | 10 +++++++++-
src/kdc/kdc_util.h | 1 +
4 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 2f41158..356004f 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -192,6 +192,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
const krb5_keyblock *(*client_keyblock)(krb5_context context,
krb5_kdcpreauth_rock rock);
+ /* Assert an authentication indicator in the AS-REP authdata. Duplicate
+ * indicators will be ignored. */
+ krb5_error_code (*add_auth_indicator)(krb5_context context,
+ krb5_kdcpreauth_rock rock,
+ const char *indicator);
+
/* End of version 3 kdcpreauth callbacks. */
} *krb5_kdcpreauth_callbacks;
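Review bot: The comment on `add_auth_indicator` leaves out the contract a module author needs: whether the KDC copies `indicator` or keeps the caller's pointer, what a non-zero return means, and at which point in verification the callback may be used. Because the indicator is asserted in the AS-REP authdata, the comment should say that a module calls it only after the preauth data has been verified successfully, for example `/* Call only after successful verification; the string is copied (confirm against authind_add). */`. The struct definition starts outside the hunk.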
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 3e18e7c..121d027 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -161,6 +161,7 @@ struct as_req_state {
char *sname, *cname;
void *pa_context;
const krb5_fulladdr *from;
+ krb5_data **auth_indicators;
krb5_error_code preauth_err;
@@ -430,6 +431,7 @@ egress:
krb5_free_data(kdc_context, state->inner_body);
kdc_free_rstate(state->rstate);
krb5_free_kdc_req(kdc_context, state->request);
+ k5_free_data_ptr_list(state->auth_indicators);
assert(did_log != 0);
free(state);
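Review bot: The new `k5_free_data_ptr_list(state->auth_indicators)` in the egress path is safe only if `auth_indicators` is NULL whenever no indicator was added, and nothing in these hunks initializes the field. The allocation of `state` is outside the hunk; if it is not zero-filled, add `state->auth_indicators = NULL;` before any path that can reach `egress`. The same assumption applies to the field added in the struct hunk above and to the `state->rock.auth_indicators = &state->auth_indicators;` assignment in the process_as_req hunk below.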
@@ -556,6 +558,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
state->rock.inner_body = state->inner_body;
state->rock.rstate = state->rstate;
state->rock.vctx = vctx;
+ state->rock.auth_indicators = &state->auth_indicators;
if (!state->request->client) {
state->status = "NULL_CLIENT";
errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index e121c5d..b8d6e43 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -542,6 +542,13 @@ client_keyblock(krb5_context context, krb5_kdcpreauth_rock rock)
return rock->client_keyblock;
}
+static krb5_error_code
+add_auth_indicator(krb5_context context, krb5_kdcpreauth_rock rock,
+ const char *indicator)
+{
+ return authind_add(context, indicator, rock->auth_indicators);
+}
+
static struct krb5_kdcpreauth_callbacks_st callbacks = {
3,
max_time_skew,
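Review bot: `add_auth_indicator` forwards `indicator` and `rock->auth_indicators` to `authind_add` without checking either. A NULL or empty string from a preauth module, or a rock built on a path that never set `auth_indicators`, is therefore handled only by whatever `authind_add` does, which is not visible here. Since this is a plugin-facing entry point, a guard such as `if (indicator == NULL || *indicator == '\0' || rock->auth_indicators == NULL) return EINVAL;` keeps a module bug from becoming a KDC crash or an empty entry in the tracked list. A one-line comment above the function naming the list it appends to would also help.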
@@ -554,7 +561,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
client_entry,
event_context,
have_client_keys,
- client_keyblock
+ client_keyblock,
+ add_auth_indicator
};
static krb5_error_code
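Review bot: The callbacks table gains a new trailing entry here while the version field at the top of the same initializer (shown in the previous hunk) stays `3`. If a release has already shipped a version 3 table without `add_auth_indicator`, a module cannot tell from the version whether the pointer exists and would read past the end of the older table. In that case the version should be bumped and the "End of version 3" marker in kdcpreauth_plugin.h moved. If version 3 is still unreleased, a sentence in the commit message saying so would settle the question.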
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index da9bf33..bc98fbf 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -421,6 +421,7 @@ struct krb5_kdcpreauth_rock_st {
krb5_keyblock *client_keyblock;
struct kdc_request_state *rstate;
verto_ctx *vctx;
+ krb5_data ***auth_indicators;
};
#define isflagset(flagfield, flag) (flagfield & (flag))
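Review bot: `krb5_data ***auth_indicators` is the only triple pointer in the visible part of the struct and it carries no comment. A reader has to go to process_as_req to learn that it points at `state->auth_indicators`, apparently a NULL-terminated list (inferred from `k5_free_data_ptr_list`) that the callback may reallocate. A comment such as `/* Points to the request's indicator list so callbacks can grow it; owned by as_req_state. */` would record that. The struct starts outside the hunk.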