Skip to content

Commit

Permalink
Use krb5_init_creds_context as clpreauth rock
Browse files Browse the repository at this point in the history 
The clpreauth rock had become a collection of alias pointers into the
init_creds context structure.  Get rid of it and just pass the context
(suitably casted) to clpreauth modules.  Simplify the signatures of
k5_preauth(), k5_preauth_tryagain(), process_pa_data(), and
fill_response_items() by referencing fields from the init_creds
context.

Since we can't use the non-nullity of rock->selected_preauth_type to
determine whether to record the selected preauth type, k5_preauth now
reports it in an output parameter, and get_in_tkt.c decides whether or
not to record it.
  • Loading branch information
@greghudson
greghudson committed Dec 22, 2012
1 parent 90e4362 commit af26a3e
Show file tree
Hide file tree
Showing 5 changed files with 160 additions and 234 deletions.
62 changes: 15 additions & 47 deletions src/lib/krb5/krb/get_in_tkt.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -684,7 +684,6 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
code = krb5int_fast_make_state(context, &ctx->fast_state);
if (code != 0)
goto cleanup;
ctx->preauth_rock.fast_state = ctx->fast_state;
k5_preauth_request_context_init(context);
if (ctx->outer_request_body) {
krb5_free_data(context, ctx->outer_request_body);
Expand Down Expand Up @@ -820,23 +819,6 @@ krb5_init_creds_init(krb5_context context,

opte = ctx->opte;

ctx->preauth_rock.magic = CLIENT_ROCK_MAGIC;
ctx->preauth_rock.etype = &ctx->etype;
ctx->preauth_rock.as_key = &ctx->as_key;
ctx->preauth_rock.gak_fct = &ctx->gak_fct;
ctx->preauth_rock.gak_data = &ctx->gak_data;
ctx->preauth_rock.default_salt = &ctx->default_salt;
ctx->preauth_rock.salt = &ctx->salt;
ctx->preauth_rock.s2kparams = &ctx->s2kparams;
ctx->preauth_rock.rctx = ctx->rctx;
ctx->preauth_rock.client = client;
ctx->preauth_rock.prompter = prompter;
ctx->preauth_rock.prompter_data = data;
ctx->preauth_rock.allowed_preauth_type = &ctx->allowed_preauth_type;
ctx->preauth_rock.selected_preauth_type = &ctx->selected_preauth_type;
ctx->preauth_rock.cc_config_in = &ctx->cc_config_in;
ctx->preauth_rock.cc_config_out = &ctx->cc_config_out;

/* Initialise request parameters as per krb5_get_init_creds() */
ctx->request->kdc_options = context->kdc_default_options;

Expand Down Expand Up @@ -1262,11 +1244,9 @@ init_creds_step_request(krb5_context context,

if (ctx->err_reply == NULL) {
/* either our first attempt, or retrying after PREAUTH_NEEDED */
code = k5_preauth(context, ctx->opte, &ctx->preauth_rock, ctx->request,
ctx->inner_request_body,
ctx->encoded_previous_request, ctx->preauth_to_use,
ctx->prompter, ctx->prompter_data,
ctx->preauth_required, &ctx->request->padata);
code = k5_preauth(context, ctx, ctx->preauth_to_use,
ctx->preauth_required, &ctx->request->padata,
&ctx->selected_preauth_type);
if (code != 0)
goto cleanup;
} else {
Expand All @@ -1275,12 +1255,7 @@ init_creds_step_request(krb5_context context,
* Retry after an error other than PREAUTH_NEEDED,
* using ctx->err_padata to figure out what to change.
*/
code = k5_preauth_tryagain(context, ctx->opte, &ctx->preauth_rock,
ctx->request, ctx->inner_request_body,
ctx->encoded_previous_request,
ctx->preauth_to_use, ctx->err_reply,
ctx->err_padata, ctx->prompter,
ctx->prompter_data,
code = k5_preauth_tryagain(context, ctx, ctx->preauth_to_use,
&ctx->request->padata);
} else {
/* No preauth supplied, so can't query the plugins. */
Expand Down Expand Up @@ -1391,17 +1366,17 @@ check_reply_enctype(krb5_init_creds_context ctx)
/* Note the difference between the KDC's time, as reported to us in a
* preauth-required error, and the current time. */
static void
note_req_timestamp(krb5_context kcontext, krb5_clpreauth_rock rock,
note_req_timestamp(krb5_context context, krb5_init_creds_context ctx,
krb5_timestamp kdc_time, krb5_int32 kdc_usec)
{
krb5_timestamp now;
krb5_int32 usec;

if (k5_time_with_offset(0, 0, &now, &usec) != 0)
return;
rock->pa_offset = kdc_time - now;
rock->pa_offset_usec = kdc_usec - usec;
rock->pa_offset_state = (rock->fast_state->armor_key != NULL) ?
ctx->pa_offset = kdc_time - now;
ctx->pa_offset_usec = kdc_usec - usec;
ctx->pa_offset_state = (ctx->fast_state->armor_key != NULL) ?
AUTH_OFFSET : UNAUTH_OFFSET;
}

Expand All @@ -1412,6 +1387,7 @@ init_creds_step_reply(krb5_context context,
{
krb5_error_code code;
krb5_pa_data **kdc_padata = NULL;
krb5_preauthtype kdc_pa_type;
krb5_boolean retry = FALSE;
int canon_flag = 0;
krb5_keyblock *strengthen_key = NULL;
Expand Down Expand Up @@ -1452,8 +1428,8 @@ init_creds_step_reply(krb5_context context,
krb5_free_pa_data(context, ctx->preauth_to_use);
ctx->preauth_to_use = ctx->err_padata;
ctx->err_padata = NULL;
note_req_timestamp(context, &ctx->preauth_rock,
ctx->err_reply->stime, ctx->err_reply->susec);
note_req_timestamp(context, ctx, ctx->err_reply->stime,
ctx->err_reply->susec);
/* This will trigger a new call to k5_preauth(). */
krb5_free_error(context, ctx->err_reply);
ctx->err_reply = NULL;
Expand Down Expand Up @@ -1520,19 +1496,11 @@ init_creds_step_reply(krb5_context context,

ctx->etype = ctx->reply->enc_part.enctype;

/*
* At this point, allow whichever preauth plugin that can handle the KDC's
* reply padata to do so, regardless of that data's padata type. We don't
* want to record the type of padata in the reply, so set the pointer for
* that data to NULL.
*/
/* Process the final reply padata. Don't restrict the preauth types or
* record a selected preauth type. */
ctx->allowed_preauth_type = KRB5_PADATA_NONE;
ctx->preauth_rock.selected_preauth_type = NULL;

code = k5_preauth(context, ctx->opte, &ctx->preauth_rock, ctx->request,
ctx->inner_request_body, ctx->encoded_previous_request,
ctx->reply->padata, ctx->prompter, ctx->prompter_data,
FALSE, &kdc_padata);
code = k5_preauth(context, ctx, ctx->reply->padata, FALSE, &kdc_padata,
&kdc_pa_type);
if (code != 0)
goto cleanup;

Expand Down
54 changes: 4 additions & 50 deletions src/lib/krb5/krb/init_creds_ctx.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,55 +5,6 @@

#include "k5-json.h"

#define CLIENT_ROCK_MAGIC 0x4352434b
/*
* This structure is passed into the clpreauth methods and passed back to
* clpreauth callbacks so that they can locate the requested information. It
* is opaque to the plugin code and can be expanded in the future as new types
* of requests are defined which may require other things to be passed through.
* All pointer fields are aliases and should not be freed.
*/
struct krb5_clpreauth_rock_st {
krb5_magic magic;
krb5_enctype *etype;
struct krb5int_fast_request_state *fast_state;

/*
* These fields allow gak_fct to be called via the rock. The
* gak_fct and gak_data fields have an extra level of indirection
* since they can change in the init_creds context.
*/
krb5_keyblock *as_key;
krb5_gic_get_as_key_fct *gak_fct;
void **gak_data;
krb5_boolean *default_salt;
krb5_data *salt;
krb5_data *s2kparams;
krb5_principal client;
krb5_prompter_fct prompter;
void *prompter_data;

/* Discovered offset of server time during preauth */
krb5_timestamp pa_offset;
krb5_int32 pa_offset_usec;
enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state;
struct krb5_responder_context_st rctx;

/*
* Configuration information read from an in_ccache, actually stored in the
* containing context structure, but needed by callbacks which currently
* only get a pointer to the rock.
*/

/* The allowed preauth type (number) that we might use, equal to
* KRB5_PADATA_NONE if none was set. */
krb5_preauthtype *allowed_preauth_type;
krb5_preauthtype *selected_preauth_type;
/* Preauth configuration data which can help us make some decisions. */
k5_json_value *cc_config_in;
k5_json_value *cc_config_out;
};

struct _krb5_init_creds_context {
krb5_gic_opt_ext *opte;
char *in_tkt_service;
Expand Down Expand Up @@ -92,7 +43,6 @@ struct _krb5_init_creds_context {
krb5_data s2kparams;
krb5_keyblock as_key;
krb5_enctype etype;
struct krb5_clpreauth_rock_st preauth_rock;
krb5_boolean enc_pa_rep_permitted;
krb5_boolean have_restarted;
krb5_boolean sent_nontrivial_preauth;
Expand All @@ -102,6 +52,10 @@ struct _krb5_init_creds_context {
krb5_preauthtype allowed_preauth_type;
void *cc_config_in;
void *cc_config_out;
/* Discovered offset of server time during preauth */
krb5_timestamp pa_offset;
krb5_int32 pa_offset_usec;
enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state;
};

krb5_error_code
Expand Down
16 changes: 5 additions & 11 deletions src/lib/krb5/krb/int-proto.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -204,19 +204,13 @@ k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
int *use_master);

krb5_error_code
k5_preauth(krb5_context context, krb5_gic_opt_ext *opte,
krb5_clpreauth_rock rock, krb5_kdc_req *req,
krb5_data *req_body, krb5_data *prev_req, krb5_pa_data **in_padata,
krb5_prompter_fct prompter, void *prompter_data,
krb5_boolean must_preauth, krb5_pa_data ***padata_out);
k5_preauth(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **in_padata, krb5_boolean must_preauth,
krb5_pa_data ***padata_out, krb5_preauthtype *pa_type_out);

krb5_error_code
k5_preauth_tryagain(krb5_context context, krb5_gic_opt_ext *opte,
krb5_clpreauth_rock rock, krb5_kdc_req *req,
krb5_data *req_body, krb5_data *prev_req,
krb5_pa_data **in_padata, krb5_error *err_reply,
krb5_pa_data **err_padata, krb5_prompter_fct prompter,
void *prompter_data, krb5_pa_data ***padata_out);
k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
krb5_pa_data **in_padata, krb5_pa_data ***padata_out);

void
k5_init_preauth_context(krb5_context context);
Expand Down

0 comments on commit af26a3e

Please sign in to comment.