Convey realm names to certauth modules

In the certauth pluggable interface, add an extended init method which receives the realm list. ticket: 9090 (new)
krb5 · Apr 11, 2023 · 2928f4f · 2928f4f
1 parent 67de20e
commit 2928f4f
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 10 deletions.
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
@@ -35,7 +35,7 @@
  *
  * The certauth pluggable interface currently has only one supported major
  * version, which is 1.  Major version 1 has a current minor version number of
- * 1.
+ * 2.
  *
  * certauth plugin modules should define a function named
  * certauth_<modulename>_initvt, matching the signature:
@@ -78,6 +78,13 @@ typedef krb5_error_code
 (*krb5_certauth_init_fn)(krb5_context context,
                          krb5_certauth_moddata *moddata_out);
 
+/*
+ * Optional: Initialize module data.  Supersedes init if present.
+ */
+typedef krb5_error_code
+(*krb5_certauth_init_ex_fn)(krb5_context context, const char *const *realmlist,
+                            krb5_certauth_moddata *moddata_out);
+
 /*
  * Optional: Clean up the module data.
  */
@@ -132,6 +139,10 @@ typedef struct krb5_certauth_vtable_st {
     krb5_certauth_fini_fn fini;
     krb5_certauth_authorize_fn authorize;
     krb5_certauth_free_indicator_fn free_ind;
+    /* Minor version 1 ends here. */
+
+    krb5_certauth_init_ex_fn init_ex;
+    /* Minor version 2 ends here. */
 } *krb5_certauth_vtable;
 
 #endif /* KRB5_CERTAUTH_PLUGIN_H */
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1400,7 +1400,8 @@ certauth_dbmatch_initvt(krb5_context context, int maj_ver, int min_ver,
 }
 
 static krb5_error_code
-load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
+load_certauth_plugins(krb5_context context, const char *const *realmnames,
+                      certauth_handle **handle_out)
 {
     krb5_error_code ret;
     krb5_plugin_initvt_fn *modules = NULL, *mod;
@@ -1440,20 +1441,21 @@ load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
         if (h == NULL)
             goto cleanup;
 
-        ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
+        ret = (*mod)(context, 1, 2, (krb5_plugin_vtable)&h->vt);
         if (ret) {
             TRACE_CERTAUTH_VTINIT_FAIL(context, ret);
             free(h);
             continue;
         }
         h->moddata = NULL;
-        if (h->vt.init != NULL) {
+        if (h->vt.init_ex != NULL)
+            ret = h->vt.init_ex(context, realmnames, &h->moddata);
+        else if (h->vt.init != NULL)
             ret = h->vt.init(context, &h->moddata);
-            if (ret) {
-                TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
-                free(h);
-                continue;
-            }
+        if (ret) {
+            TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
+            free(h);
+            continue;
         }
         list[count++] = h;
         list[count] = NULL;
@@ -1516,7 +1518,7 @@ pkinit_server_plugin_init(krb5_context context,
         goto errout;
     }
 
-    retval = load_certauth_plugins(context, &certauth_modules);
+    retval = load_certauth_plugins(context, realmnames, &certauth_modules);
     if (retval)
         goto errout;