Add client_keyblock kdcpreauth callback

Add a new kdcpreauth callback which gets the selected client key.
This callback can be used by preauth mechs which need to use the
singular reply key in a challenge sent by the KDC, now that we send
only one etype-info entry in PREAUTH_REQUIRED errors.

ticket: 8200 (new)

1 files changed, 14 insertions, 1 deletions

diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 9abe76f..2f41158 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -34,7 +34,7 @@
  * Declarations for kdcpreauth plugin module implementors.
  *
  * The kdcpreauth interface has a single supported major version, which is 1.
- * Major version 1 has a current minor version of 2.  kdcpreauth modules should
+ * Major version 1 has a current minor version of 3.  kdcpreauth modules should
  * define a function named kdcpreauth_<modulename>_initvt, matching the
  * signature:
  *
@@ -181,6 +181,19 @@ typedef struct krb5_kdcpreauth_callbacks_st {
 
     /* End of version 2 kdcpreauth callbacks. */
 
+    /*
+     * Get the decrypted client long-term key chosen according to the request
+     * enctype list, or NULL if no matching key was found.  The returned
+     * pointer is an alias and should not be freed.  If invoked from
+     * return_padata, the result will be the same as the encrypting_key
+     * parameter if it is not NULL, and will therefore reflect the modified
+     * reply key if a return_padata handler has replaced the reply key.
+     */
+    const krb5_keyblock *(*client_keyblock)(krb5_context context,
+                                            krb5_kdcpreauth_rock rock);
+
+    /* End of version 3 kdcpreauth callbacks. */
+
 } *krb5_kdcpreauth_callbacks;
 
 /* Optional: preauth plugin initialization function. */