Add client_keyblock kdcpreauth callback

Add a new kdcpreauth callback which gets the selected client key.
This callback can be used by preauth mechs which need to use the
singular reply key in a challenge sent by the KDC, now that we send
only one etype-info entry in PREAUTH_REQUIRED errors.

ticket: 8200 (new)

diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 9abe76f6345136f11c02456c05877d310d268200..2f41158390e5b8e1deec71ef5c5134801d498d65 100644 (file)
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -34,7 +34,7 @@
  * Declarations for kdcpreauth plugin module implementors.
  *
  * The kdcpreauth interface has a single supported major version, which is 1.
- * Major version 1 has a current minor version of 2.  kdcpreauth modules should
+ * Major version 1 has a current minor version of 3.  kdcpreauth modules should
  * define a function named kdcpreauth_<modulename>_initvt, matching the
  * signature:
  *
@@ -181,6 +181,19 @@ typedef struct krb5_kdcpreauth_callbacks_st {
 
     /* End of version 2 kdcpreauth callbacks. */
 
+    /*
+     * Get the decrypted client long-term key chosen according to the request
+     * enctype list, or NULL if no matching key was found.  The returned
+     * pointer is an alias and should not be freed.  If invoked from
+     * return_padata, the result will be the same as the encrypting_key
+     * parameter if it is not NULL, and will therefore reflect the modified
+     * reply key if a return_padata handler has replaced the reply key.
+     */
+    const krb5_keyblock *(*client_keyblock)(krb5_context context,
+                                            krb5_kdcpreauth_rock rock);
+
+    /* End of version 3 kdcpreauth callbacks. */
+
 } *krb5_kdcpreauth_callbacks;
 
 /* Optional: preauth plugin initialization function. */

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 0a5d8f4d40a06e9728036701d017b4fefeb1dd76..d76d4af1697d60df9d25f978918a585f14a6d81c 100644 (file)
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -536,8 +536,14 @@ have_client_keys(krb5_context context, krb5_kdcpreauth_rock rock)
     return FALSE;
 }
 
+static const krb5_keyblock *
+client_keyblock(krb5_context context, krb5_kdcpreauth_rock rock)
+{
+    return rock->client_keyblock;
+}
+
 static struct krb5_kdcpreauth_callbacks_st callbacks = {
-    2,
+    3,
     max_time_skew,
     client_keys,
     free_keys,
@@ -547,7 +553,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
     free_string,
     client_entry,
     event_context,
-    have_client_keys
+    have_client_keys,
+    client_keyblock
 };
 
 static krb5_error_code