krb5 commit: Convey realm names to certauth modules

ghudson at mit.edu ghudson at mit.edu
Tue Apr 11 01:19:31 EDT 2023


https://github.com/krb5/krb5/commit/2928f4f1682ee6245cec1f3c6d9d4b9bf30f8ee1
commit 2928f4f1682ee6245cec1f3c6d9d4b9bf30f8ee1
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Mar 29 10:15:35 2023 -0400

    Convey realm names to certauth modules
    
    In the certauth pluggable interface, add an extended init method which
    receives the realm list.
    
    ticket: 9090 (new)

 src/include/krb5/certauth_plugin.h      | 13 ++++++++++++-
 src/plugins/preauth/pkinit/pkinit_srv.c | 20 +++++++++++---------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
index bba09b155..bc8c88ac9 100644
--- a/src/include/krb5/certauth_plugin.h
+++ b/src/include/krb5/certauth_plugin.h
@@ -35,7 +35,7 @@
  *
  * The certauth pluggable interface currently has only one supported major
  * version, which is 1.  Major version 1 has a current minor version number of
- * 1.
+ * 2.
  *
  * certauth plugin modules should define a function named
  * certauth_<modulename>_initvt, matching the signature:
@@ -78,6 +78,13 @@ typedef krb5_error_code
 (*krb5_certauth_init_fn)(krb5_context context,
                          krb5_certauth_moddata *moddata_out);
 
+/*
+ * Optional: Initialize module data.  Supersedes init if present.
+ */
+typedef krb5_error_code
+(*krb5_certauth_init_ex_fn)(krb5_context context, const char *const *realmlist,
+                            krb5_certauth_moddata *moddata_out);
+
 /*
  * Optional: Clean up the module data.
  */
@@ -132,6 +139,10 @@ typedef struct krb5_certauth_vtable_st {
     krb5_certauth_fini_fn fini;
     krb5_certauth_authorize_fn authorize;
     krb5_certauth_free_indicator_fn free_ind;
+    /* Minor version 1 ends here. */
+
+    krb5_certauth_init_ex_fn init_ex;
+    /* Minor version 2 ends here. */
 } *krb5_certauth_vtable;
 
 #endif /* KRB5_CERTAUTH_PLUGIN_H */
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 0ac9ca065..1b3bf6d4d 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1400,7 +1400,8 @@ certauth_dbmatch_initvt(krb5_context context, int maj_ver, int min_ver,
 }
 
 static krb5_error_code
-load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
+load_certauth_plugins(krb5_context context, const char *const *realmnames,
+                      certauth_handle **handle_out)
 {
     krb5_error_code ret;
     krb5_plugin_initvt_fn *modules = NULL, *mod;
@@ -1440,20 +1441,21 @@ load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
         if (h == NULL)
             goto cleanup;
 
-        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
+        ret = (*mod)(context, 1, 2, (krb5_plugin_vtable)&h->vt);
         if (ret) {
             TRACE_CERTAUTH_VTINIT_FAIL(context, ret);
             free(h);
             continue;
         }
         h->moddata = NULL;
-        if (h->vt.init != NULL) {
+        if (h->vt.init_ex != NULL)
+            ret = h->vt.init_ex(context, realmnames, &h->moddata);
+        else if (h->vt.init != NULL)
             ret = h->vt.init(context, &h->moddata);
-            if (ret) {
-                TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
-                free(h);
-                continue;
-            }
+        if (ret) {
+            TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
+            free(h);
+            continue;
         }
         list[count++] = h;
         list[count] = NULL;
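Review bot: The hoisted `if (ret)` after the new `init_ex`/`init` dispatch relies on `ret` still being zero from the `(*mod)(context, 1, 2, ...)` call when a module provides neither method; that invariant is several statements away and will silently break if anything between them assigns `ret`. Either reset it explicitly with `ret = 0;` just before `if (h->vt.init_ex != NULL)` or record the dependency with `/* ret is 0 here: the initvt call above succeeded. */`. Separately, treating `h->vt.init_ex != NULL` as "module knows minor version 2" is only sound if `h` was zero-filled before the initvt call, since a minor-version-1 module never touches that field; the allocation of `h` sits just above the hunk, so it is worth confirming it uses calloc rather than malloc. load_certauth_plugins and the enclosing module loop both begin outside this hunk.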
@@ -1516,7 +1518,7 @@ pkinit_server_plugin_init(krb5_context context,
         goto errout;
     }
 
-    retval = load_certauth_plugins(context, &certauth_modules);
+    retval = load_certauth_plugins(context, realmnames, &certauth_modules);
     if (retval)
         goto errout;
 

