lessen distinction between importing and verifying authdata
authorLuke Howard <lukeh@padl.com>
Tue, 25 Aug 2009 23:01:59 +0000 (23:01 +0000)
committerLuke Howard <lukeh@padl.com>
Tue, 25 Aug 2009 23:01:59 +0000 (23:01 +0000)
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22608 dc483132-0cff-0310-8789-dd5450dbe970

src/include/k5-int.h
src/include/krb5/authdata_plugin.h
src/lib/krb5/krb/authdata.c
src/lib/krb5/krb/authdata.h
src/lib/krb5/krb/pac.c
src/lib/krb5/krb/rd_req_dec.c
src/lib/krb5/libkrb5.exports
src/tests/gssapi/t_namingexts.c

index dde605718fe98d089ac27837f201b7327bdc11e5..363dcee1ec2b33ce2d6d2af9bf470a7e5462b793 100644 (file)
@@ -1387,6 +1387,12 @@ krb5_authdata_delete_attribute
  krb5_authdata_context context,
  const krb5_data *attribute);
 
+krb5_error_code KRB5_CALLCONV krb5_authdata_import_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_authdata **pauthdata);
+
 krb5_error_code KRB5_CALLCONV krb5_authdata_export_attributes
 (krb5_context kcontext,
  krb5_authdata_context context,
index 1e9957b1e22f22c5440bff70535d4817485d0698..66e3f8ebf9c46115658d6d056f6928e35295e57b 100644 (file)
@@ -186,14 +186,13 @@ typedef void
                                     void *request_context);
 
 typedef krb5_error_code
-(*authdata_client_request_verify_proc)(krb5_context context,
-                                      void *plugin_context,
-                                      void *request_context,
-                                      const krb5_auth_context *auth_context,
-                                      const krb5_keyblock *key,
-                                      const krb5_ap_req *req,
-                                      krb5_flags flags,
-                                      krb5_authdata **authdata);
+(*authdata_client_import_attributes_proc)(krb5_context context,
+                                         void *plugin_context,
+                                         void *request_context,
+                                         const krb5_auth_context *auth_context,
+                                         const krb5_keyblock *key,
+                                         const krb5_ap_req *req,
+                                         krb5_authdata **authdata);
 
 typedef krb5_error_code
 (*authdata_client_get_attribute_types_proc)(krb5_context context,
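Review bot: The new `authdata_client_import_attributes_proc` typedef carries no comment stating that `auth_context`, `key` and `req` may all be NULL, which is how the import-only path in authdata.c now calls it; a plugin author reading only this header would assume an AP-REQ is always present. Suggest a comment above the typedef: `/* Import authdata of this module's type into the request context. auth_context, key and req are NULL when attributes are imported without an AP-REQ; the plugin then has nothing to verify against and must not treat the data as verified. */`. The dropped `flags` parameter is also worth a line in the plugin changelog, since existing `request_verify` implementations will not compile against the new slot.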
@@ -261,11 +260,11 @@ typedef struct krb5plugin_authdata_client_ftable_v0 {
     authdata_client_plugin_flags_proc flags;
     authdata_client_request_init_proc request_init;
     authdata_client_request_fini_proc request_fini;
-    authdata_client_request_verify_proc request_verify;
     authdata_client_get_attribute_types_proc get_attribute_types;
     authdata_client_get_attribute_proc get_attribute;
     authdata_client_set_attribute_proc set_attribute;
     authdata_client_delete_attribute_proc delete_attribute;
+    authdata_client_import_attributes_proc import_attributes;
     authdata_client_export_attributes_proc export_attributes;
     authdata_client_export_internal_proc export_internal;
     authdata_client_free_internal_proc free_internal;
index c2140a2b83b31c59acab054aac83ba02c4f8e1e2..3b21c9956fac94bab6d8d2e7c01fae47d0bb305e 100644 (file)
@@ -309,29 +309,38 @@ request_context_fini(krb5_context kcontext,
 }
 #endif
 
-krb5_error_code
-krb5int_verify_authdata(krb5_context kcontext,
-                        krb5_authdata_context context,
-                        const krb5_auth_context *auth_context,
-                        const krb5_keyblock *key,
-                        const krb5_ap_req *ap_req,
-                        krb5_flags flags)
+static krb5_error_code
+import_verify_authdata_attributes(krb5_context kcontext,
+                                  krb5_authdata_context context,
+                                  krb5_flags usage,
+                                  const krb5_auth_context *auth_context,
+                                  const krb5_keyblock *key,
+                                  const krb5_ap_req *ap_req,
+                                  krb5_authdata **ticket_authdata)
 {
     int i;
     krb5_error_code code;
-    krb5_ticket *ticket = ap_req->ticket;
-    krb5_authenticator *authenticator = (*auth_context)->authentp;
+    krb5_authdata **authen_authdata = NULL;
+
+    if (auth_context != NULL)
+        authen_authdata = (*auth_context)->authentp->authorization_data;
+
+    if (ticket_authdata == NULL)
+        ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
 
     for (i = 0; i < context->n_modules; i++) {
         struct _krb5_authdata_context_module *module = &context->modules[i];
         krb5_authdata **authdata;
 
-        if (module->ftable->request_verify == NULL)
+        if ((module->flags & usage) == 0)
+            continue;
+
+        if (module->ftable->import_attributes == NULL)
             continue;
 
         code = krb5int_find_authdata(kcontext,
-                                     ticket->enc_part2->authorization_data,
-                                     authenticator->authorization_data,
+                                     ticket_authdata,
+                                     authen_authdata,
                                      module->ad_type,
                                      &authdata);
         if (code != 0 || authdata == NULL)
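Review bot: `ticket_authdata = ap_req->ticket->enc_part2->authorization_data` runs whenever ticket_authdata is NULL, but the new `krb5_authdata_import_attributes` wrapper further down this file passes ap_req as NULL, so a caller of that public entry point that hands it a NULL authdata array dereferences NULL here instead of getting an error. Add a guard ahead of it: `if (ticket_authdata == NULL && ap_req == NULL) return EINVAL;`. The `auth_context != NULL` check just above already does the equivalent for the authenticator side, so the two inputs would then be handled consistently. import_verify_authdata_attributes continues past this hunk.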
@@ -339,14 +348,13 @@ krb5int_verify_authdata(krb5_context kcontext,
 
         assert(authdata[0] != NULL);
 
-        code = (*module->ftable->request_verify)(kcontext,
-                                                 module->plugin_context,
-                                                 *(module->request_context_pp),
-                                                 auth_context,
-                                                 key,
-                                                 ap_req,
-                                                 flags,
-                                                 authdata);
+        code = (*module->ftable->import_attributes)(kcontext,
+                                                    module->plugin_context,
+                                                    *(module->request_context_pp),
+                                                    auth_context,
+                                                    key,
+                                                    ap_req,
+                                                    authdata);
         if (code != 0 && (module->flags & AD_INFORMATIONAL))
             code = 0;
         krb5_free_authdata(kcontext, authdata);
@@ -357,6 +365,28 @@ krb5int_verify_authdata(krb5_context kcontext,
     return code;
 }
 
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_import_attributes(krb5_context kcontext,
+                                krb5_authdata_context context,
+                                krb5_flags usage,
+                                krb5_authdata **authdata)
+{
+    return import_verify_authdata_attributes(kcontext, context, usage,
+                                             NULL, NULL, NULL, authdata);
+}
+
+krb5_error_code
+krb5int_authdata_verify(krb5_context kcontext,
+                        krb5_authdata_context context,
+                        krb5_flags usage,
+                        const krb5_auth_context *auth_context,
+                        const krb5_keyblock *key,
+                        const krb5_ap_req *ap_req)
+{
+    return import_verify_authdata_attributes(kcontext, context, usage,
+                                             auth_context, key, ap_req, NULL);
+}
+
 static krb5_error_code
 merge_data_array_nocopy(krb5_data **dst, krb5_data *src, unsigned int *len)
 {
index 9090c4cf8518c5987e0204397c9b683c47a7ae68..9e4dcceb07a1e069f9779eae0a3f8c2ab43d3ee7 100644 (file)
 
 /* authdata.c */
 krb5_error_code
-krb5int_verify_authdata(krb5_context context,
-                        krb5_authdata_context,
-                        const krb5_auth_context *auth_context,
-                        const krb5_keyblock *key,
-                        const krb5_ap_req *ap_req,
-                        krb5_flags flags);
+krb5int_authdata_verify(krb5_context context,
+                       krb5_authdata_context,
+                       krb5_flags usage,
+                       const krb5_auth_context *auth_context,
+                       const krb5_keyblock *key,
+                       const krb5_ap_req *ap_req);
 
 /* pac.c */
 extern krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable;
index eb2c88761dd68896860d6a4bc084e230d565bb44..40bb6e58474f2d09b77bce3b2633cc26b790d076 100644 (file)
@@ -973,14 +973,13 @@ mspac_request_init(krb5_context context,
 }
 
 static krb5_error_code
-mspac_request_verify(krb5_context context,
-                  void *plugin_context,
-                  void *request_context,
-                  const krb5_auth_context *auth_context,
-                  const krb5_keyblock *key,
-                  const krb5_ap_req *req,
-                  krb5_flags flags,
-                  krb5_authdata **authdata)
+mspac_import_attributes(krb5_context context,
+                        void *plugin_context,
+                       void *request_context,
+                       const krb5_auth_context *auth_context,
+                       const krb5_keyblock *key,
+                       const krb5_ap_req *req,
+                       krb5_authdata **authdata)
 {
     krb5_error_code code;
     struct mspac_context *pacctx = (struct mspac_context *)request_context;
@@ -998,12 +997,16 @@ mspac_request_verify(krb5_context context,
     if (code != 0)
        return code;
 
-    code = krb5_pac_verify(context,
-                          pacctx->pac,
-                          req->ticket->enc_part2->times.authtime,
-                          req->ticket->enc_part2->client,
-                          key,
-                          NULL);
+    if (req != NULL) {
+        assert(key != NULL);
+
+        code = krb5_pac_verify(context,
+                              pacctx->pac,
+                              req->ticket->enc_part2->times.authtime,
+                              req->ticket->enc_part2->client,
+                              key,
+                              NULL);
+    }
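Review bot: `assert(key != NULL)` is the only check guarding the `krb5_pac_verify` call when req is non-NULL, and asserts are compiled out under NDEBUG, so a caller supplying a request without a key reaches krb5_pac_verify with a NULL key in release builds; returning an error is more robust: `if (key == NULL) return EINVAL;`. When req is NULL the verify step is skipped entirely and the PAC is imported without any signature check; a comment on that path such as `/* No AP-REQ: PAC is imported unverified */` would make it visible to the next reader. Whether `pacctx->pac->verified` is left FALSE in that case should be confirmed against the PAC code, since the `#if 0` block below appears to depend on it. mspac_import_attributes begins and ends outside this hunk.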
 
 #if 0
     /*
@@ -1014,8 +1017,6 @@ mspac_request_verify(krb5_context context,
         assert(pacctx->pac->verified == FALSE);
         code = 0;
     }
-#else
-    if (pacctx->pac->verified == TRUE || code != 0);
 #endif
 
     return code;
@@ -1386,11 +1387,11 @@ krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = {
     mspac_flags,
     mspac_request_init,
     mspac_request_fini,
-    mspac_request_verify,
     mspac_get_attribute_types,
     mspac_get_attribute,
     mspac_set_attribute,
     NULL, /* delete_attribute_proc */
+    mspac_import_attributes,
     mspac_export_attributes,
     mspac_export_internal,
     mspac_free_internal,
index cf0671b966ed2d0b66591a612d75747df692242d..49df0a5b36a02a41f81a13666dbd8b062a4f1908 100644 (file)
@@ -397,12 +397,12 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
       if ((retval = krb5_authdata_context_init(context,
                                               &(*auth_context)->ad_context)))
        goto cleanup;
-      if ((retval = krb5int_verify_authdata(context,
+      if ((retval = krb5int_authdata_verify(context,
                                            (*auth_context)->ad_context,
+                                           AD_USAGE_AP_REQ,
                                            auth_context,
                                            &decrypt_key,
-                                           req,
-                                           0)))
+                                           req)))
         goto cleanup;
     }
 
index 5c7d40bda12abbeeb12b7a6511fce9d0c5115db2..51e9739d817d939d31b5c62189d71614f410906d 100644 (file)
@@ -145,6 +145,7 @@ krb5_authdata_set_attribute
 krb5_authdata_export_attributes
 krb5_authdata_export_internal
 krb5_authdata_free_internal
+krb5_authdata_import_attributes
 krb5_build_principal
 krb5_build_principal_ext
 krb5_build_principal_va
index d799c17aa5f89b831165c212f88c3567b75432d4..3a21b719de0db50d6e0842d65683701cb11ddb77 100644 (file)
@@ -149,6 +149,9 @@ enumerateAttributes(OM_uint32 *minor,
     gss_buffer_set_t asserted = GSS_C_NO_BUFFER_SET;
     gss_buffer_set_t complete = GSS_C_NO_BUFFER_SET;
     unsigned int i;
+    gss_buffer_desc exported_name;
+
+    exported_name.value = NULL;
 
     major = gss_inquire_name(minor,
                              name,
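Review bot: `exported_name.value = NULL` initializes only half of the buffer descriptor; `exported_name.length` stays indeterminate, and the cleanup label in the next hunk passes the struct to `gss_release_buffer` even on paths where `gss_export_name_composite` was never reached, if any of the earlier calls jump to cleanup. Initialize the whole descriptor at the declaration instead: `gss_buffer_desc exported_name = GSS_C_EMPTY_BUFFER;` and drop the separate assignment. enumerateAttributes begins before this hunk.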
@@ -175,7 +178,26 @@ enumerateAttributes(OM_uint32 *minor,
             dumpAttribute(minor, name, &complete->elements[i]);
     }
 
+    major = gss_export_name_composite(minor,
+                                      name,
+                                      &exported_name);
+    if (GSS_ERROR(major)) {
+        displayStatus("gss_export_name_composite", major, minor);
+        goto cleanup;
+    }
+
+    printf("Exported name:\n");
+
+    for (i = 0; i < exported_name.length; i++) {
+        if ((i % 32) == 0)
+            printf("\n");
+        printf("%02x", ((char *)exported_name.value)[i] & 0xFF);
+    }
+
+    printf("\n");
+
 cleanup:
+    gss_release_buffer(&tmp, &exported_name);
     gss_release_oid(&tmp, &mech);
     gss_release_buffer_set(&tmp, &authenticated);
     gss_release_buffer_set(&tmp, &asserted);