authorKevin Coffman <kwc@citi.umich.edu>2006-12-08 20:28:03 +0000
committerKevin Coffman <kwc@citi.umich.edu>2006-12-08 20:28:03 +0000
commitfe2a14e0a81b62e4eb6a4600650908e7f1ae5bd5 (patch)
tree6969d756b31679e7c7945ea9cb6d83e0a5e34307
parentd7bb1eea9a2b1bd16674b0b9fd36d9834a606e2b (diff)
downloadkrb5-fe2a14e0a81b62e4eb6a4600650908e7f1ae5bd5.zip
krb5-fe2a14e0a81b62e4eb6a4600650908e7f1ae5bd5.tar.gz
krb5-fe2a14e0a81b62e4eb6a4600650908e7f1ae5bd5.tar.bz2
Update to use the simplified interface for krb5_get_init_creds_opt_set_pa()
Add code in kinit to process "-X" options as preauth options and pass them along. git-svn-id: svn://anonsvn.mit.edu/krb5/users/coffman/gic_opt_ext@18934 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/clients/kinit/kinit.c179
-rw-r--r--src/include/k5-int.h10
-rw-r--r--src/include/krb5/krb5.hin20
-rw-r--r--src/include/krb5/preauth_plugin.h29
-rw-r--r--src/lib/krb5/krb/gic_opt.c216
-rw-r--r--src/lib/krb5/krb/preauth2.c105
-rw-r--r--src/plugins/preauth/cksum_body/cksum_body_main.c19
-rw-r--r--src/plugins/preauth/wpse/wpse_main.c17
8 files changed, 196 insertions, 399 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index bedb699..f8e5b77 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -38,6 +38,7 @@
#include <string.h>
#include <stdio.h>
#include <time.h>
+#include <errno.h>
#include <com_err.h>
#ifdef GETOPT_LONG
@@ -143,6 +144,9 @@ struct k_opts
char* k4_cache_name;
action_type action;
+
+ int num_pa_opts;
+ krb5_gic_opt_pa_data *pa_opts;
};
struct k5_data
@@ -283,6 +287,37 @@ static void extended_com_err_fn (const char *myprog, errcode_t code,
fprintf (stderr, "\n");
}
+static int
+add_preauth_opt(struct k_opts *opts, char *av)
+{
+ char *sep, *v;
+ krb5_gic_opt_pa_data *p, *x;
+
+ if (opts->num_pa_opts == 0) {
+ opts->pa_opts = malloc(sizeof(krb5_gic_opt_pa_data));
+ if (opts->pa_opts == NULL)
+ return ENOMEM;
+ } else {
+ size_t newsize = (opts->num_pa_opts + 1) * sizeof(krb5_gic_opt_pa_data);
+ x = realloc(opts->pa_opts, newsize);
+ if (x == NULL)
+ return ENOMEM;
+ opts->pa_opts = x;
+ }
+ p = &opts->pa_opts[opts->num_pa_opts];
+ sep = strchr(av, '=');
+ if (sep) {
+ *sep = '\0';
+ v = ++sep;
+ p->value = v;
+ } else {
+ p->value = "yes";
+ }
+ p->attr = av;
+ opts->num_pa_opts++;
+ return 0;
+}
+
static char *
parse_options(argc, argv, opts, progname)
int argc;
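Review bot: The two allocation branches in add_preauth_opt do the same work, because realloc(NULL, n) is defined to behave as malloc(n); collapsing them to `x = realloc(opts->pa_opts, (opts->num_pa_opts + 1) * sizeof(*x));` / `if (x == NULL) return ENOMEM;` / `opts->pa_opts = x;` also removes the branch in which `x` is declared but never used. The function rewrites optarg in place (`*sep = '\0'`) and stores pointers into argv and the literal "yes", so attr and value are borrowed, not owned, and only the array itself may be freed; a one-line comment saying so would stop a future maintainer from adding frees for them. It also relies on `opts->num_pa_opts` and `opts->pa_opts` starting out zeroed, which is set up outside this hunk.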
@@ -296,7 +331,7 @@ parse_options(argc, argv, opts, progname)
int use_k5 = 0;
int i;
- while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:v"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:"))
!= -1) {
switch (i) {
case 'V':
@@ -380,6 +415,14 @@ parse_options(argc, argv, opts, progname)
opts->k5_cache_name = optarg;
}
break;
+ case 'X':
+ code = add_preauth_opt(opts, optarg);
+ if (code)
+ {
+ com_err(progname, code, "while adding preauth option");
+ errflg++;
+ }
+ break;
#if 0
/*
A little more work is needed before we can enable this
@@ -753,8 +796,7 @@ k5_kinit(opts, k5)
krb5_creds my_creds;
krb5_error_code code = 0;
krb5_get_init_creds_opt *options = NULL;
-#define NUM_TEST_PA 10
- krb5_gic_opt_pa_data pa[NUM_TEST_PA];
+ int i;
if (!got_k5)
return 0;
@@ -804,111 +846,35 @@ k5_kinit(opts, k5)
}
}
- pa[0].pa_type = 130;
- pa[0].attr = "cksum_attr1";
- pa[0].value = "cksum_attr1_value";
-
- pa[1].pa_type = 130;
- pa[1].attr = "cksum_attr2";
- pa[1].value = "cksum_attr2_value";
-
- pa[2].pa_type = 131;
- pa[2].attr = "wpse_attr1";
- pa[2].value = "wpse_attr1_value";
-
- pa[3].pa_type = 131;
- pa[3].attr = "wpse_attr2";
- pa[3].value = "wpse_attr2_value";
-
- pa[4].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[4].attr = "client_cert";
- pa[4].value = "/tmp/x509up_u20010";
-
- pa[5].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[5].attr = "client_key";
- pa[5].value = "/tmp/x509up_u20010";
-
- pa[6].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[6].attr = "client_ca_dir";
- pa[6].value = "/etc/grid-security/certificates";
-
- pa[7].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[7].attr = "client_bundle";
- pa[7].value = "/etc/grid-security/certificates/ca-bundle.crt";
-
- pa[8].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[8].attr = "common_attr1";
- pa[8].value = "common_attr1_value";
-
- pa[9].pa_type = KRB5_PADATA_SAM_CHALLENGE_2;
- pa[9].attr = "unhandled_attr1";
- pa[9].value = "unhandled_attr1_value";
-
- code = krb5_get_init_creds_opt_set_pa(k5->ctx, options, NULL,
- NULL, kinit_prompter, NULL,
- NUM_TEST_PA, pa);
- if (code != 0) {
- com_err(progname, code, "while setting preauth options - first time");
- goto cleanup;
- }
-
- pa[0].pa_type = 130;
- pa[0].attr = "cksum_attr1-2";
- pa[0].value = "cksum_attr1_value-2";
-
- pa[1].pa_type = 130;
- pa[1].attr = "cksum_attr2-2";
- pa[1].value = "cksum_attr2_value-2";
-
- pa[2].pa_type = 131;
- pa[2].attr = "wpse_attr1-2";
- pa[2].value = "wpse_attr1_value-2";
-
- pa[3].pa_type = 131;
- pa[3].attr = "wpse_attr2-2";
- pa[3].value = "wpse_attr2_value-2";
-
- pa[4].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[4].attr = "pkinit_attr1-2";
- pa[4].value = "pkinit_attr1_value-2";
-
- pa[5].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[5].attr = "pkinit_attr2-2";
- pa[5].value = "pkinit_attr2_value-2";
-
- pa[6].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[6].attr = "pkinit_attr3-2";
- pa[6].value = "pkinit_attr3_value-2";
-
- pa[7].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[7].attr = "pkinit_attr4-2";
- pa[7].value = "pkinit_attr4_value-2";
-
- pa[8].pa_type = KRB5_PADATA_PK_AS_REQ;
- pa[8].attr = "common_attr1-2";
- pa[8].value = "common_attr1_value-2";
-
- pa[9].pa_type = 666;
- pa[9].attr = "unhandled_attr1-2";
- pa[9].value = "unhandled_attr1_value-2";
-
- code = krb5_get_init_creds_opt_set_pa(k5->ctx, options, NULL,
- NULL, kinit_prompter, NULL,
- NUM_TEST_PA, pa);
- if (code != 0) {
- com_err(progname, code, "while setting preauth options - second time");
- goto cleanup;
+ for (i = 0; i < opts->num_pa_opts; i++) {
+ code = krb5_get_init_creds_opt_set_pa(k5->ctx, options,
+ opts->pa_opts[i].attr,
+ opts->pa_opts[i].value);
+ if (code != 0) {
+ com_err(progname, code, "while setting '%s'='%s'",
+ opts->pa_opts[i].attr, opts->pa_opts[i].value);
+ goto cleanup;
+ }
}
- code = krb5_get_init_creds_opt_set_pkinit(k5->ctx, options, NULL,
- "FILE:/tmp/x509up_u20010,/tmp/x509up_u20010",
- "DIR:/etc/grid-security/certificates",
- NULL, NULL, 2, kinit_prompter, NULL, NULL);
- if (code != 0) {
- com_err(progname, code, "while setting pkinit-specific options");
+#if 0 /* XXX Testing... */
+ code = krb5_get_init_creds_opt_set_pkinit(
+ k5->ctx, /* context */
+ options, /* get_init_creds_opt */
+ NULL, /* principal */
+ "/tmp/x509up_u20010", /* X509_user_identity */
+ "/etc/grid-security/certificates", /* X509_anchors */
+ NULL, /* X509_chain_list */
+ NULL, /* X509_revoke_list */
+ 0, /* flags */
+ NULL, /* prompter_fct */
+ NULL, /* prompter_data */
+ NULL); /* password */
+ if (code) {
+ com_err(progname, code, "while setting pkinit options");
goto cleanup;
}
-
+#endif
switch (opts->action) {
case INIT_PW:
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
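Review bot: The `#if 0 /* XXX Testing... */` block left after the new loop is dead code carrying hard-coded test paths under /tmp and /etc/grid-security, and should be deleted from the client rather than compiled out; the same settings can now be supplied with `-X X509_user_identity=...` and `-X X509_anchors=...` through the loop above it. The loop itself looks right: each option goes through krb5_get_init_creds_opt_set_pa and the first failure jumps to cleanup. One caveat on that error path: `com_err(progname, code, "while setting '%s'='%s'", ...)` echoes the option value to stderr, which is fine for file paths but worth keeping in mind if a value could ever carry a secret. The enclosing function k5_kinit continues outside the hunk.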
@@ -990,6 +956,11 @@ k5_kinit(opts, k5)
if (my_creds.client == k5->me) {
my_creds.client = 0;
}
+ if (opts->pa_opts) {
+ free(opts->pa_opts);
+ opts->pa_opts = NULL;
+ opts->num_pa_opts = 0;
+ }
krb5_free_cred_contents(k5->ctx, &my_creds);
if (keytab)
krb5_kt_close(k5->ctx, keytab);
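Review bot: opts->pa_opts is allocated in parse_options but released in k5_kinit's cleanup, and k5_kinit returns early with `if (!got_k5) return 0;` (visible earlier in this diff), so a run that never enters the Kerberos 5 path leaks the array; freeing it in the function that owns opts, after both kinit paths have run, keeps allocation and release together. The `if (opts->pa_opts)` guard is also redundant because free(NULL) is a no-op: `free(opts->pa_opts); opts->pa_opts = NULL; opts->num_pa_opts = 0;` is enough. The cleanup label and the rest of k5_kinit lie outside the hunk.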
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index afac7e3..28f26d9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -910,15 +910,7 @@ typedef struct _krb5_preauth_context {
krb5_data *s2kparams,
krb5_keyblock *as_key,
krb5_pa_data **new_pa_data);
- krb5_error_code (*client_supply_gic_opts)(krb5_context context,
- void *plugin_context,
- krb5_get_init_creds_opt *opt,
- krb5_principal principal,
- const char *password,
- krb5_prompter_fct prompter,
- void *prompter_data,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data);
+ supply_gic_opts_proc client_supply_gic_opts;
void (*client_req_init)(krb5_context context, void *plugin_context,
void **request_context);
void (*client_req_fini)(krb5_context context, void *plugin_context,
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f73169c..4209782 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -2490,7 +2490,6 @@ krb5_get_init_creds_opt_set_salt
/* Generic preauth option attribute/value pairs */
typedef struct _krb5_gic_opt_pa_data {
- krb5_preauthtype pa_type; /* pa_type this option applies to */
char *attr;
char *value;
} krb5_gic_opt_pa_data;
@@ -2498,8 +2497,8 @@ typedef struct _krb5_gic_opt_pa_data {
/*
* This function allows the caller to supply options to preauth
* plugins. Preauth plugin modules are given a chance to look
- * at the options at the time this function is called to check
- * the validity of its options.
+ * at each option at the time this function is called in ordre
+ * to check the validity of the option.
* The 'opt' pointer supplied to this function must have been
* obtained using krb5_get_init_creds_opt_alloc()
*/
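Review bot: The rewritten comment has a typo: "in ordre to check" should read "in order to check". It would also help callers to state that attr and value are copied (the implementation in gic_opt.c strdup's both), so the caller's strings need not outlive the call, and that NULL is not accepted for either. Suggested wording: `Both attr and value are copied; the caller keeps ownership of its strings, and neither may be NULL.`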
@@ -2507,19 +2506,14 @@ krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pa
(krb5_context context,
krb5_get_init_creds_opt *opt,
- krb5_principal principal,
- const char *password,
- krb5_prompter_fct prompter,
- void *prompter_data,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data);
+ const char *attr,
+ const char *value);
/*
* This function allows a preauth plugin to obtain preauth
- * options. Only options which are applicable to the pa_types
- * which the plugin module claims to support (pa_types) are
- * returned. The preauth_data returned from this function
+ * options. The preauth_data returned from this function
* should be freed by calling krb5_get_init_creds_opt_free_pa().
+ *
* The 'opt' pointer supplied to this function must have been
* obtained using krb5_get_init_creds_opt_alloc()
*/
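Review bot: The krb5_get_init_creds_opt_get_pa comment drops the sentence about pa_type filtering without stating the new contract: every option set on the opt is now handed to every plugin that asks (pa_data_applies is removed in gic_opt.c in this diff), so a plugin can see attributes meant for another mechanism and must ignore the ones it does not recognize. Spell that out, e.g. `All options set with krb5_get_init_creds_opt_set_pa are returned, regardless of which preauth mechanism they are intended for; callers must ignore unknown attributes.` It is also worth saying that with no options set the call returns 0 with *num_preauth_data == 0 and *preauth_data == NULL, since the old ENOENT result is gone.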
@@ -2527,8 +2521,6 @@ krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_pa
(krb5_context context,
krb5_get_init_creds_opt *opt,
- int num_pa_types,
- krb5_preauthtype *pa_types,
int *num_preauth_data,
krb5_gic_opt_pa_data **preauth_data);
diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h
index da0c764..194e531 100644
--- a/src/include/krb5/preauth_plugin.h
+++ b/src/include/krb5/preauth_plugin.h
@@ -159,22 +159,15 @@ typedef krb5_error_code
/*
* Client function which receives krb5_get_init_creds_opt information.
- * It may also receive specific preauthentication information for the
- * pa_types that it supports.
- * The information supplied in {num_preauth_data,preauth_data} should
- * be copied locally by the module if it wishes to reference it after
- * returning from this call.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
*/
typedef krb5_error_code
-(*supply_gic_opts_fct)(krb5_context context,
- void *plugin_context,
- krb5_get_init_creds_opt *opt,
- krb5_principal principal,
- const char *password,
- krb5_prompter_fct prompter,
- void *prompter_data,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data);
+(*supply_gic_opts_proc)(krb5_context context,
+ void *plugin_context,
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value);
/*
* The function table / structure which a preauth client module must export as
* "preauthentication_client_0". If the interfaces work correctly, future
@@ -261,8 +254,12 @@ typedef struct krb5plugin_preauth_client_ftable_v0 {
krb5_data *salt, krb5_data *s2kparams,
krb5_keyblock *as_key,
krb5_pa_data **out_pa_data);
- /* Function that gets krb5_get_init_creds_opt and other preauth options */
- supply_gic_opts_fct gic_opts;
+ /*
+ * Client function which receives krb5_get_init_creds_opt information.
+ * The attr and value information supplied should be copied locally by
+ * the module if it wishes to reference it after returning from this call.
+ */
+ supply_gic_opts_proc gic_opts;
} krb5plugin_preauth_client_ftable_v0;
/*
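Review bot: The comment on the gic_opts field should tell plugin authors what a non-zero return does: krb5_preauth_supply_preauth_data (preauth2.c in this diff) now calls every loaded module with every attr/value pair and stops at the first error, so a module that rejects an attribute it merely does not recognize makes krb5_get_init_creds_opt_set_pa fail for all mechanisms. Suggested addition: `Return 0 for attributes the module does not recognize; a non-zero return aborts the set_pa call for every module.` The same paragraph is now duplicated verbatim on the typedef and on the field; keep it in one place and refer to it from the other.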
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index aa337f8..3ac7c52 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -263,15 +263,15 @@ free_gic_opt_ext_preauth_data(krb5_context context,
static krb5_error_code
add_gic_opt_ext_preauth_data(krb5_context context,
krb5_gic_opt_ext *opte,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data)
+ const char *attr,
+ const char *value)
{
size_t newsize;
- int i, j;
+ int i;
krb5_gic_opt_pa_data *newpad;
- newsize = opte->opt_private->num_preauth_data + num_preauth_data;
- newsize = newsize * sizeof(*preauth_data);
+ newsize = opte->opt_private->num_preauth_data + 1;
+ newsize = newsize * sizeof(*opte->opt_private->preauth_data);
if (opte->opt_private->preauth_data == NULL)
newpad = malloc(newsize);
else
@@ -279,136 +279,95 @@ add_gic_opt_ext_preauth_data(krb5_context context,
if (newpad == NULL)
return ENOMEM;
- j = opte->opt_private->num_preauth_data;
- for (i = 0; i < num_preauth_data; i++) {
- newpad[j+i].pa_type = -1;
- newpad[j+i].attr = NULL;
- newpad[j+i].value = NULL;
- }
- for (i = 0; i < num_preauth_data; i++) {
- newpad[j+i].pa_type = preauth_data[i].pa_type;
- newpad[j+i].attr = strdup(preauth_data[i].attr);
- newpad[j+i].value = strdup(preauth_data[i].value);
- if (newpad[j+i].attr == NULL || newpad[j+i].value == NULL)
- goto cleanup;
+ i = opte->opt_private->num_preauth_data;
+ newpad[i].attr = strdup(attr);
+ if (newpad[i].attr == NULL)
+ return ENOMEM;
+ newpad[i].value = strdup(value);
+ if (newpad[i].value == NULL) {
+ free(newpad[i].attr);
+ return ENOMEM;
}
- opte->opt_private->num_preauth_data = j+i;
+ opte->opt_private->num_preauth_data += 1;
opte->opt_private->preauth_data = newpad;
return 0;
-
-cleanup:
- for (i = num_preauth_data; i >= 0; i--) {
- if (newpad[j+i].value != NULL)
- free(newpad[j+i].value);
- if (newpad[j+i].attr != NULL)
- free(newpad[j+i].attr);
- }
- return ENOMEM;
}
/*
* This function allows the caller to supply options to preauth
* plugins. Preauth plugin modules are given a chance to look
- * at the options at the time this function is called to check
- * the validity of its options.
+ * at each option at the time this function is called in ordre
+ * to check the validity of the option.
* The 'opt' pointer supplied to this function must have been
* obtained using krb5_get_init_creds_opt_alloc()
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pa(krb5_context context,
krb5_get_init_creds_opt *opt,
- krb5_principal principal,
- const char *password,
- krb5_prompter_fct prompter,
- void *prompter_data,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data)
+ const char *attr,
+ const char *value)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_set_pkinit");
+ "krb5_get_init_creds_opt_set_pa");
if (retval)
return retval;
- if (num_preauth_data <= 0) {
- retval = EINVAL;
- krb5int_set_error(&context->err, retval,
- "krb5_get_init_creds_opt_set_pa: "
- "num_preauth_data of %d is invalid", num_preauth_data);
- return retval;
- }
-
/*
- * Copy all the options into the extended get_init_creds_opt structure
+ * Copy the option into the extended get_init_creds_opt structure
*/
- retval = add_gic_opt_ext_preauth_data(context, opte,
- num_preauth_data, preauth_data);
+ retval = add_gic_opt_ext_preauth_data(context, opte, attr, value);
if (retval)
return retval;
/*
- * Give the plugins a chance at the options now. Note that only
- * the new options are passed to the plugins. They should have
- * already had a chance at any pre-existing options.
+ * Give the plugins a chance to look at the option now.
*/
- retval = krb5_preauth_supply_preauth_data(context, opte, principal,
- password, prompter,
- prompter_data, num_preauth_data,
- preauth_data);
+ retval = krb5_preauth_supply_preauth_data(context, opte, attr, value);
return retval;
}
-static int
-pa_data_applies(krb5_context context, int num_pa_types,
- krb5_preauthtype *pa_types, krb5_gic_opt_pa_data *preauth_data)
-{
- int i;
- for (i = 0; i < num_pa_types; i++) {
- if (preauth_data->pa_type == pa_types[i])
- return 1;
- }
- return 0;
-}
-
/*
* This function allows a preauth plugin to obtain preauth
- * options. Only options which are applicable to the pa_types
- * which the plugin module claims to support (pa_types) are
- * returned. The preauth_data returned from this function
+ * options. The preauth_data returned from this function
* should be freed by calling krb5_get_init_creds_opt_free_pa().
+ *
* The 'opt' pointer supplied to this function must have been
* obtained using krb5_get_init_creds_opt_alloc()
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_pa(krb5_context context,
krb5_get_init_creds_opt *opt,
- int num_pa_types,
- krb5_preauthtype *pa_types,
int *num_preauth_data,
krb5_gic_opt_pa_data **preauth_data)
{
- krb5_error_code retval = ENOMEM;
+ krb5_error_code retval;
krb5_gic_opt_ext *opte;
krb5_gic_opt_pa_data *p = NULL;
- int i, j;
+ int i;
size_t allocsize;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_get_pkinit");
+ "krb5_get_init_creds_opt_get_pa");
if (retval)
return retval;
+ if (num_preauth_data == NULL || preauth_data == NULL)
+ return EINVAL;
+
*num_preauth_data = 0;
*preauth_data = NULL;
- /* The most we could return is all of them */
+ if (opte->opt_private->num_preauth_data == 0)
+ return 0;
+
allocsize =
opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data);
p = malloc(allocsize);
if (p == NULL)
- return retval;
+ return ENOMEM;
/* Init these to make cleanup easier */
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
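Review bot: In add_gic_opt_ext_preauth_data the two `return ENOMEM` paths after a failed strdup leave `opte->opt_private->preauth_data` pointing at the buffer that was handed to realloc (the realloc call sits just above this hunk) while `newpad` is discarded; if realloc moved the block the stored pointer is dangling and the later free_gic_opt_ext_preauth_data frees memory twice, and if it did not move, the grown block is simply leaked. Moving `opte->opt_private->preauth_data = newpad;` up to immediately after the `newpad == NULL` check fixes both, since num_preauth_data is only incremented on success and an over-allocated array is harmless. Separately, krb5_get_init_creds_opt_set_pa passes attr and value straight into strdup, so a NULL from a caller is undefined behaviour; `if (attr == NULL || value == NULL) return EINVAL;` before the add call would close that.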
@@ -416,23 +375,13 @@ krb5_get_init_creds_opt_get_pa(krb5_context context,
p[i].value = NULL;
}
- j = 0;
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- if (pa_data_applies(context, num_pa_types, pa_types,
- &opte->opt_private->preauth_data[i])) {
- p[j].pa_type = opte->opt_private->preauth_data[i].pa_type;
- p[j].attr = strdup(opte->opt_private->preauth_data[i].attr);
- p[j].value = strdup(opte->opt_private->preauth_data[i].value);
- if (p[j].attr == NULL || p[j].value == NULL)
- goto cleanup;
- j++;
- }
- }
- if (j == 0) {
- retval = ENOENT;
- goto cleanup;
+ p[i].attr = strdup(opte->opt_private->preauth_data[i].attr);
+ p[i].value = strdup(opte->opt_private->preauth_data[i].value);
+ if (p[i].attr == NULL || p[i].value == NULL)
+ goto cleanup;
}
- *num_preauth_data = j;
+ *num_preauth_data = i;
*preauth_data = p;
return 0;
cleanup:
@@ -443,7 +392,7 @@ cleanup:
free(p[i].value);
}
free(p);
- return retval;
+ return ENOMEM;
}
/*
@@ -470,6 +419,11 @@ krb5_get_init_creds_opt_free_pa(krb5_context context,
}
+/*
+ * This function is provided for compatibility with Heimdal's
+ * function of the same name. We ignore the principal,
+ * password, and prompter parameters.
+ */
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pkinit(krb5_context context,
krb5_get_init_creds_opt *opt,
@@ -483,76 +437,46 @@ krb5_get_init_creds_opt_set_pkinit(krb5_context context,
void *prompter_data,
char *password)
{
- krb5_gic_opt_pa_data *pad;
- int num_pad = 0;
- int i, j;
+ int i;
krb5_error_code retval;
- /* Figure out how many preauth data structs we'll need */
- if (x509_user_identity != NULL)
- num_pad++;
- if (x509_anchors != NULL)
- num_pad++;
- if (x509_chain_list != NULL)
- for (j = 0; x509_chain_list[j] != NULL; j++)
- num_pad++;
- if (x509_revoke_list != NULL)
- for (j = 0; x509_revoke_list[j] != NULL; j++)
- num_pad++;
- if (flags != 0) {
- /* XXX should be more generic? What other flags are there? */
-#define PKINIT_RSA_PROTOCOL 0x00000002
- if (flags & PKINIT_RSA_PROTOCOL)
- num_pad++;
- }
-
-
- /* Allocate the krb5_gic_opt_pa_data structures and populate */
- pad = malloc(num_pad * sizeof(krb5_gic_opt_pa_data));
- if (pad == NULL)
- return ENOMEM;
+#define PKINIT_RSA_PROTOCOL 0x00000002 /* XXX */
- i = 0;
if (x509_user_identity != NULL) {
- pad[i].pa_type = KRB5_PADATA_PK_AS_REQ;
- pad[i].attr = "X509_user_identity";
- pad[i].value = x509_user_identity;
- i++;
+ retval = krb5_get_init_creds_opt_set_pa(context, opt,
+ "X509_user_identity", x509_user_identity);
+ if (retval)
+ return retval;
}
if (x509_anchors != NULL) {
- pad[i].pa_type = KRB5_PADATA_PK_AS_REQ;
- pad[i].attr = "X509_anchors";
- pad[i].value = x509_anchors;
- i++;
+ retval = krb5_get_init_creds_opt_set_pa(context, opt,
+ "X509_anchors", x509_anchors);
+ if (retval)
+ return retval;
}
if (x509_chain_list != NULL) {
- for (j = 0; x509_chain_list[j] != NULL; j++) {
- pad[i].pa_type = KRB5_PADATA_PK_AS_REQ;
- pad[i].attr = "X509_chain_list";
- pad[i].value = x509_chain_list[j];
- i++;
+ for (i = 0; x509_chain_list[i] != NULL; i++) {
+ retval = krb5_get_init_creds_opt_set_pa(context, opt,
+ "X509_chain_list", x509_chain_list[i]);
+ if (retval)
+ return retval;
}
}
if (x509_revoke_list != NULL) {
- for (j = 0; x509_revoke_list[j] != NULL; j++) {
- pad[i].pa_type = KRB5_PADATA_PK_AS_REQ;
- pad[i].attr = "X509_revoke_list";
- pad[i].value = x509_revoke_list[j];
- i++;
+ for (i = 0; x509_revoke_list[i] != NULL; i++) {
+ retval = krb5_get_init_creds_opt_set_pa(context, opt,
+ "X509_revoke_list", x509_revoke_list[i]);
+ if (retval)
+ return retval;
}
}
if (flags != 0) {
if (flags & PKINIT_RSA_PROTOCOL) {
- pad[i].pa_type = KRB5_PADATA_PK_AS_REQ;
- pad[i].attr = "flag_RSA_PROTOCOL";
- pad[i].value = "yes";
- i++;
+ retval = krb5_get_init_creds_opt_set_pa(context, opt,
+ "flag_RSA_PROTOCOL", "yes");
+ if (retval)
+ return retval;
}
}
-
- retval = krb5_get_init_creds_opt_set_pa(context, opt, principal, password,
- prompter, prompter_data, i, pad);
-
- free(pad);
return retval;
}
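Review bot: `retval` in krb5_get_init_creds_opt_set_pkinit is declared without an initializer and only assigned inside the conditional branches, so a call with every x509 argument NULL and flags == 0 reaches `return retval;` with an indeterminate value; declare it as `krb5_error_code retval = 0;`. The `#define PKINIT_RSA_PROTOCOL 0x00000002 /* XXX */` inside the function body also belongs in a header next to the flags parameter, since callers need the same value to pass it. The outer `flags != 0` test is redundant with the `flags & PKINIT_RSA_PROTOCOL` test it wraps.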
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 67981e3..80467be 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -161,7 +161,10 @@ krb5_init_preauth_context(krb5_context kcontext)
context->modules[k].use_count = 0;
context->modules[k].client_process = table->process;
context->modules[k].client_tryagain = table->tryagain;
- context->modules[k].client_supply_gic_opts = table->gic_opts;
+ if (j == 0)
+ context->modules[k].client_supply_gic_opts = table->gic_opts;
+ else
+ context->modules[k].client_supply_gic_opts = NULL;
context->modules[k].request_context = NULL;
/*
* Only call request_init and request_fini once per plugin.
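Review bot: The new `if (j == 0)` branch deserves a comment, since nothing nearby says why only one table entry receives the gic_opts hook; it appears to register the hook on a plugin's first pa_type entry only, so that krb5_preauth_supply_preauth_data does not hand the same option to the same plugin once per pa_type it claims, but the loop over j begins outside this hunk, so confirm. Suggested: `/* Register the gic_opts hook once per plugin (on its first pa_type entry) so each option is delivered to a plugin only once. */`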
@@ -210,40 +213,20 @@ krb5_clear_preauth_context_use_counts(krb5_context context)
}
}
-#if 0
-static int
-pa_data_applies(krb5_context context,
- struct _krb5_preauth_context_module *module,
- krb5_gic_opt_pa_data *preauth_data)
-{
- int i;
- for (i = 0; i < preauth_data->num_pa_types; i++) {
- if (preauth_data->pa_types[i] == module->pa_type)
- return 1;
- }
- return 0;
-}
-#endif
-
-/* Give all the preauth plugins a look at the preauth data which is
- * appropriate for the pa_types which they support */
-
+/*
+ * Give all the preauth plugins a look at the preauth option which
+ * has just been set
+ */
krb5_error_code
krb5_preauth_supply_preauth_data(krb5_context context,
krb5_gic_opt_ext *opte,
- krb5_principal principal,
- const char *password,
- krb5_prompter_fct prompter,
- void *prompter_data,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data)
+ const char *attr,
+ const char *value)
{
krb5_error_code retval;
- int i, j, m;
+ int i;
void *pctx;
- krb5_gic_opt_pa_data *p = NULL;
- size_t allocsize = num_preauth_data * sizeof(krb5_gic_opt_pa_data);
- int called_one = 0;
+ const char *emsg = NULL;
if (context->preauth_context == NULL)
krb5_init_preauth_context(context);
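Review bot: `krb5_error_code retval;` at the top of krb5_preauth_supply_preauth_data is now effectively uninitialized on a common path: the removed code set `retval = 0` once a module had been considered, and the new loop (in the next hunk) assigns retval only when a module actually provides client_supply_gic_opts, so with no plugins loaded, or none implementing the hook, the function returns an indeterminate value. Declare it as `krb5_error_code retval = 0;`. The function's body continues past the end of this hunk.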
@@ -254,69 +237,25 @@ krb5_preauth_supply_preauth_data(krb5_context context,
"Unable to initialize preauth context");
return retval;
}
- /*
- * Create the array to supply to the plugin.
- * The most we could need is num_preauth_data
- */
- p = malloc(allocsize);
- if (p == NULL)
- return ENOMEM;
/*
- * Go down the list of preauth modules, for each module, supply
- * it with the data appropriate for its pa_type.
- * (Plugins that support more than one pa_type may be called
- * with the same data more than once.)
+ * Go down the list of preauth modules, and supply them with the
+ * attribute/value pair.
*/
for (i = 0; i < context->preauth_context->n_modules; i++) {
- m = 0;
- memset(p, 0, allocsize);
- for (j = 0; j < num_preauth_data; j++) {
- /* Send the plugin a shallow copy of the relevant entries */
- if (context->preauth_context->modules[i].pa_type ==
- preauth_data[j].pa_type) {
- p[m++] = preauth_data[j];
- }
- }
- /* Call only plugins that have relevant data */
- if (m == 0)
- continue;
- /*
- * If there is a module that *could* handle this option but it
- * doesn't handle the client_supply_gic_opts function, don't
- * fail below when we check if we called a module. The module
- * may wait until it is called to "process" to look at the
- * preauth_data.
- */
- called_one++;
if (context->preauth_context->modules[i].client_supply_gic_opts == NULL)
continue;
-
pctx = context->preauth_context->modules[i].plugin_context;
retval = (*context->preauth_context->modules[i].client_supply_gic_opts)
- (context,
- pctx,
- (krb5_get_init_creds_opt *)opte,
- principal,
- password,
- prompter,
- prompter_data,
- m,
- p);
- if (retval)
- goto outerr;
+ (context, pctx,
+ (krb5_get_init_creds_opt *)opte, attr, value);
+ if (retval) {
+ emsg = krb5_get_error_message(context, retval);
+ krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s",
+ context->preauth_context->modules[i].name, emsg);
+ break;
+ }
}
- /* If no modules are loaded that handle the option, then return an error */
- if (!called_one) {
- retval = EINVAL;
- krb5int_set_error(&context->err, retval,
- "krb5_preauth_supply_preauth_data: "
- "No modules are loaded that handle the given options");
- } else
- retval = 0;
-outerr:
- if (p)
- free(p);
return retval;
}
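Review bot: `emsg` obtained from krb5_get_error_message is never released after it is folded into the new error; in MIT krb5 that string is allocated and should be returned with `krb5_free_error_message(context, emsg);` once krb5int_set_error has formatted it, otherwise every plugin failure leaks it. Note also that the loop stops at the first failing module, so later modules never see the attribute, while the option itself has already been recorded in opte by krb5_get_init_creds_opt_set_pa before this function is called; if that is intended, a short comment saying the option stays stored even though a plugin rejected it would help the next reader.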
diff --git a/src/plugins/preauth/cksum_body/cksum_body_main.c b/src/plugins/preauth/cksum_body/cksum_body_main.c
index db1c12b..cd19daf 100644
--- a/src/plugins/preauth/cksum_body/cksum_body_main.c
+++ b/src/plugins/preauth/cksum_body/cksum_body_main.c
@@ -100,11 +100,10 @@ client_process(krb5_context kcontext,
krb5_error_code status = 0;
krb5_int32 cksumtype, *enctypes;
unsigned int i, n_enctypes, cksumtype_count;
- krb5_preauthtype patype = KRB5_PADATA_CKSUM_BODY_REQ;
int num_gic_info = 0;
krb5_gic_opt_pa_data *gic_info;
- status = krb5_get_init_creds_opt_get_pa(kcontext, opt, 1, &patype,
+ status = krb5_get_init_creds_opt_get_pa(kcontext, opt,
&num_gic_info, &gic_info);
if (status && status != ENOENT) {
#ifdef DEBUG
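Review bot: The `status != ENOENT` exception is now stale, because the new krb5_get_init_creds_opt_get_pa returns 0 with `*num_preauth_data == 0` and `*preauth_data == NULL` when no options were set (see the gic_opt.c change); `if (status) {` is sufficient, and the code after this hunk must handle gic_info == NULL and num_gic_info == 0 rather than relying on an error return. client_process continues outside the hunk.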
@@ -220,20 +219,12 @@ static krb5_error_code
client_gic_opt(krb5_context kcontext,
void *plugin_context,
krb5_get_init_creds_opt *opt,
- krb5_principal principal,
- const char *password,
- krb5_prompter_fct prompter,
- void *prompter_data,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data)
+ const char *attr,
+ const char *value)
{
- int i;
#ifdef DEBUG
- fprintf(stderr, "(cksum_body) client_gic_opt: received %d preauth_data items\n", num_preauth_data);
- for (i = 0; i < num_preauth_data; i++) {
- fprintf(stderr, " %3d: attribute '%s', value '%s'\n",
- i, preauth_data[i].attr, preauth_data[i].value);
- }
+ fprintf(stderr, "(cksum_body) client_gic_opt: received '%s' = '%s'\n",
+ attr, value);
#endif
return 0;
}
diff --git a/src/plugins/preauth/wpse/wpse_main.c b/src/plugins/preauth/wpse/wpse_main.c
index ec64f03..f858063 100644
--- a/src/plugins/preauth/wpse/wpse_main.c
+++ b/src/plugins/preauth/wpse/wpse_main.c
@@ -213,21 +213,12 @@ static krb5_error_code
client_gic_opt(krb5_context kcontext,
void *plugin_context,
krb5_get_init_creds_opt *opt,
- krb5_principal principal,
- const char *password,
- krb5_prompter_fct prompter,
- void *prompter_data,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data)
+ const char *attr,
+ const char *value)
{
- int i;
#ifdef DEBUG
- fprintf(stderr, "(wpse) client_gic_opt: received %d preauth_data items\n",
- num_preauth_data);
- for (i = 0; i < num_preauth_data; i++) {
- fprintf(stderr, " %3d: attribute '%s', value '%s'\n",
- i, preauth_data[i].attr, preauth_data[i].value);
- }
+ fprintf(stderr, "(wpse) client_gic_opt: received '%s' = '%s'\n",
+ attr, value);
#endif
return 0;
}