Add kdcpreauth callback for auth indicators
authorGreg Hudson <ghudson@mit.edu>
Mon, 22 Dec 2014 17:44:08 +0000 (12:44 -0500)
committerGreg Hudson <ghudson@mit.edu>
Wed, 22 Jul 2015 16:22:46 +0000 (12:22 -0400)
Add a new kdcpreauth callback add_auth_indicator, which adds an
authentication indicator string.  This commit doesn't do anything with
the asserted authentication indicators; they are tracked in the
auth_indicators field of struct as_req_state to be used later.

ticket: 8157

src/include/krb5/kdcpreauth_plugin.h
src/kdc/do_as_req.c
src/kdc/kdc_preauth.c
src/kdc/kdc_util.h

index 2f41158390e5b8e1deec71ef5c5134801d498d65..356004fa8b5f2ee6b68036b94b83911b8bd65aa8 100644 (file)
@@ -192,6 +192,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
     const krb5_keyblock *(*client_keyblock)(krb5_context context,
                                             krb5_kdcpreauth_rock rock);
 
+    /* Assert an authentication indicator in the AS-REP authdata.  Duplicate
+     * indicators will be ignored. */
+    krb5_error_code (*add_auth_indicator)(krb5_context context,
+                                          krb5_kdcpreauth_rock rock,
+                                          const char *indicator);
+
     /* End of version 3 kdcpreauth callbacks. */
 
 } *krb5_kdcpreauth_callbacks;
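Review bot: The new member is placed inside the version-3 block (before `/* End of version 3 kdcpreauth callbacks. */`) without bumping the table version, so a module built against this header cannot tell from `vers == 3` whether the KDC it is loaded into actually populates `add_auth_indicator`; if a version-3 KDC has already shipped, the member should instead open a version 4 block (with the initializer in kdc_preauth.c bumped to 4), and if it has not, a short note saying version 3 is still unreleased would prevent this question coming up again. The comment should also state the ownership contract, which is what a caller needs most: e.g. `/* Assert an authentication indicator in the AS-REP authdata.  The string is copied; the caller keeps ownership of indicator.  Duplicate indicators are ignored. */` — assuming the underlying authind_add does copy, which is not visible here. struct krb5_kdcpreauth_callbacks_st begins before this hunk.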
index 3e18e7ca441319615503308d9d2ae55dc50c766c..121d027b919e49f8dc7b056cfcb3eff2d3d9455a 100644 (file)
@@ -161,6 +161,7 @@ struct as_req_state {
     char *sname, *cname;
     void *pa_context;
     const krb5_fulladdr *from;
+    krb5_data **auth_indicators;
 
     krb5_error_code preauth_err;
 
@@ -430,6 +431,7 @@ egress:
     krb5_free_data(kdc_context, state->inner_body);
     kdc_free_rstate(state->rstate);
     krb5_free_kdc_req(kdc_context, state->request);
+    k5_free_data_ptr_list(state->auth_indicators);
     assert(did_log != 0);
 
     free(state);
@@ -556,6 +558,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     state->rock.inner_body = state->inner_body;
     state->rock.rstate = state->rstate;
     state->rock.vctx = vctx;
+    state->rock.auth_indicators = &state->auth_indicators;
     if (!state->request->client) {
         state->status = "NULL_CLIENT";
         errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
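Review bot: The egress path now runs `k5_free_data_ptr_list(state->auth_indicators)` on every exit, including the early `NULL_CLIENT` error just below the rock assignment, but nothing in these hunks initializes the field, so correctness depends on `state` being zero-allocated; if it comes from k5alloc (calloc) that holds, otherwise an explicit `state->auth_indicators = NULL;` belongs before `state->rock.auth_indicators = &state->auth_indicators;`. A comment on the new field would also make the ownership clear to the next reader, e.g. `/* Indicators asserted by kdcpreauth modules via the rock; owned here, freed at egress. */`. Both process_as_req and the egress block extend beyond the hunks shown.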
index e121c5d42b3dca2090f8e019e02ef2a67fc33434..b8d6e43ba15b37e0159b168425a8a924f8743712 100644 (file)
@@ -542,6 +542,13 @@ client_keyblock(krb5_context context, krb5_kdcpreauth_rock rock)
     return rock->client_keyblock;
 }
 
+static krb5_error_code
+add_auth_indicator(krb5_context context, krb5_kdcpreauth_rock rock,
+                   const char *indicator)
+{
+    return authind_add(context, indicator, rock->auth_indicators);
+}
+
 static struct krb5_kdcpreauth_callbacks_st callbacks = {
     3,
     max_time_skew,
@@ -554,7 +561,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
     client_entry,
     event_context,
     have_client_keys,
-    client_keyblock
+    client_keyblock,
+    add_auth_indicator
 };
 
 static krb5_error_code
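Review bot: add_auth_indicator forwards the module-supplied `indicator` to `authind_add` without any validation, so unless authind_add itself rejects them (its body is not visible here) a NULL or empty string from a misbehaving module would be recorded as an indicator and later end up in ticket authdata; a guard such as `if (indicator == NULL || *indicator == '\0') return EINVAL;` before the call is cheap insurance at the plugin boundary. The callback-table update is consistent with the header: the new entry is appended after `client_keyblock`, matching its position in the version-3 block. A one-line comment on the wrapper, `/* kdcpreauth callback: record an indicator in the request's list (see kdc_util.h rock). */`, would help, since the function is otherwise undocumented.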
index da9bf33e1ef0128c6e325e061c2608cdf218a14e..bc98fbffb9c912f8e30545e970237e836d5d9826 100644 (file)
@@ -421,6 +421,7 @@ struct krb5_kdcpreauth_rock_st {
     krb5_keyblock *client_keyblock;
     struct kdc_request_state *rstate;
     verto_ctx *vctx;
+    krb5_data ***auth_indicators;
 };
 
 #define isflagset(flagfield, flag) (flagfield & (flag))
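Review bot: `krb5_data ***auth_indicators;` is the only triple-pointer member of the rock and carries no comment explaining why it points at a list rather than being one, which a reader needs in order to see that additions made through the callback are visible to the AS-REQ state that owns the list. Suggested comment: `/* Points at the owning request state's indicator list (apparently a NULL-terminated krb5_data array, given it is freed with k5_free_data_ptr_list) so add_auth_indicator can grow it in place; the rock does not own it. */`. struct krb5_kdcpreauth_rock_st begins before this hunk.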