From: Greg Hudson Date: Thu, 4 Jun 2015 18:08:06 +0000 (-0400) Subject: Add client_keyblock kdcpreauth callback X-Git-Tag: krb5-1.14-alpha1~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b12eb4757f8dd05b79c9b49d4289f0caf1f6eec;p=thirdparty%2Fkrb5.git Add client_keyblock kdcpreauth callback Add a new kdcpreauth callback which gets the selected client key. This callback can be used by preauth mechs which need to use the singular reply key in a challenge sent by the KDC, now that we send only one etype-info entry in PREAUTH_REQUIRED errors. ticket: 8200 (new)
---
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 9abe76f634..2f41158390 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -34,7 +34,7 @@
  * Declarations for kdcpreauth plugin module implementors.
  *
  * The kdcpreauth interface has a single supported major version, which is 1.
- * Major version 1 has a current minor version of 2. kdcpreauth modules should
+ * Major version 1 has a current minor version of 3. kdcpreauth modules should
  * define a function named kdcpreauth__initvt, matching the
  * signature:
  *
@@ -181,6 +181,19 @@ typedef struct krb5_kdcpreauth_callbacks_st {
 
     /* End of version 2 kdcpreauth callbacks. */
 
+    /*
+     * Get the decrypted client long-term key chosen according to the request
+     * enctype list, or NULL if no matching key was found. The returned
+     * pointer is an alias and should not be freed. If invoked from
+     * return_padata, the result will be the same as the encrypting_key
+     * parameter if it is not NULL, and will therefore reflect the modified
+     * reply key if a return_padata handler has replaced the reply key.
+     */
+    const krb5_keyblock *(*client_keyblock)(krb5_context context,
+                                            krb5_kdcpreauth_rock rock);
+
+    /* End of version 3 kdcpreauth callbacks. */
+
 } *krb5_kdcpreauth_callbacks;
 
 /* Optional: preauth plugin initialization function. */
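Review bot: The new `client_keyblock` slot is appended after the version-2 end marker, so a module built against this header but loaded into a KDC whose callback table still reports version 2 would read past the end of the table when it dereferences `cb->client_keyblock`; the block comment should state the precondition, e.g. add `Modules must confirm the callbacks table version is at least 3 before calling this callback.` The comment also promises that from return_padata the result tracks a reply key replaced by an earlier handler, which can only hold if the KDC re-points the rock's key at encrypting_key before dispatching handlers — that code is not in this hunk, so it is better worded as a contract the KDC maintains than as a property of the pointer. Since the value is decrypted long-term key material, it is worth adding `The pointer is only valid for the current request; do not retain it, and zeroize any copy of the key contents.` The krb5_kdcpreauth_callbacks_st definition begins outside the hunk.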
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 0a5d8f4d40..d76d4af169 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -536,8 +536,14 @@ have_client_keys(krb5_context context, krb5_kdcpreauth_rock rock)
     return FALSE;
 }
 
+static const krb5_keyblock *
+client_keyblock(krb5_context context, krb5_kdcpreauth_rock rock)
+{
+    return rock->client_keyblock;
+}
+
 static struct krb5_kdcpreauth_callbacks_st callbacks = {
-    2,
+    3,
     max_time_skew,
     client_keys,
     free_keys,
@@ -547,7 +553,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
     free_string,
     client_entry,
     event_context,
-    have_client_keys
+    have_client_keys,
+    client_keyblock
 };
 
 static krb5_error_code
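Review bot: `client_keyblock` returns `rock->client_keyblock` unconditionally, so the header's guarantee that from return_padata it equals a non-NULL encrypting_key — and therefore reflects a reply key swapped in by an earlier handler — depends entirely on the code that dispatches return_padata re-pointing `rock->client_keyblock` at that key first, and that assignment is not part of this diff. A comment on the function should name that dependency rather than leave it implicit, e.g. `/* Aliases the rock's selected client key; the return_padata dispatcher is expected to point this at encrypting_key before handlers run, so a replaced reply key is visible here. */`. The unused `context` parameter is acceptable for a callback slot but a `(void)context;` or a short note would make that deliberate. The function is complete within the hunk; the `callbacks` initializer it is added to continues into the next hunk.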