From: Greg Hudson
Date: Mon, 22 Dec 2014 17:44:08 +0000 (-0500)
Subject: Add kdcpreauth callback for auth indicators
X-Git-Tag: krb5-1.14-alpha1~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd95e18f5cfa426db0f265172202debd257f3cdb;p=thirdparty%2Fkrb5.git

Add kdcpreauth callback for auth indicators

Add a new kdcpreauth callback add_auth_indicator, which adds an authentication indicator string. This commit doesn't do anything with the asserted authentication indicators; they are tracked in the auth_indicators field of struct as_req_state to be used later.

ticket: 8157
---
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 2f41158390..356004fa8b 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -192,6 +192,12 @@ typedef struct krb5_kdcpreauth_callbacks_st {
 const krb5_keyblock *(*client_keyblock)(krb5_context context,
 krb5_kdcpreauth_rock rock);
+ /* Assert an authentication indicator in the AS-REP authdata. Duplicate
+ * indicators will be ignored. */
+ krb5_error_code (*add_auth_indicator)(krb5_context context,
+ krb5_kdcpreauth_rock rock,
+ const char *indicator);
+
 /* End of version 3 kdcpreauth callbacks. */
 } *krb5_kdcpreauth_callbacks;
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 3e18e7ca44..121d027b91 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -161,6 +161,7 @@ struct as_req_state {
 char *sname, *cname;
 void *pa_context;
 const krb5_fulladdr *from;
+ krb5_data **auth_indicators;
 krb5_error_code preauth_err;
@@ -430,6 +431,7 @@ egress:
 krb5_free_data(kdc_context, state->inner_body);
 kdc_free_rstate(state->rstate);
 krb5_free_kdc_req(kdc_context, state->request);
+ k5_free_data_ptr_list(state->auth_indicators);
 assert(did_log != 0);
 free(state);
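Review bot: The comment on the new `add_auth_indicator` member tells a plugin author that duplicates are ignored but says nothing about who owns `indicator` or what a non-zero return means, so a module cannot tell whether the string must outlive the request. I would extend the comment with `The indicator string is copied; the caller retains ownership. Returns 0 on success or an error code if the indicator could not be recorded.` — the copy semantics are inferred from the authind_add wrapper elsewhere in this commit, whose implementation is not in the diff, so confirm before wording it that way. Placing the member inside version 3 rather than under a new version is only safe if no release has shipped the version 3 layout without it; otherwise a module built against this header and loaded into an older KDC that checks `vers >= 3` would read past the end of the callbacks struct, and a version bump would be the safer choice.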
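Review bot: `k5_free_data_ptr_list(state->auth_indicators)` at egress runs on every exit path, including the early failure exits taken before process_as_req links the rock to this field, so it depends on `state` being zero-allocated and on k5_free_data_ptr_list accepting NULL. Neither is visible in this diff; if state is not calloc'd, an early exit would pass an indeterminate pointer to the free routine, so both are worth confirming. The function containing the egress label starts outside the hunk.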
@@ -556,6 +558,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 state->rock.inner_body = state->inner_body;
 state->rock.rstate = state->rstate;
 state->rock.vctx = vctx;
+ state->rock.auth_indicators = &state->auth_indicators;
 if (!state->request->client) {
 state->status = "NULL_CLIENT";
 errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index e121c5d42b..b8d6e43ba1 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -542,6 +542,13 @@ client_keyblock(krb5_context context, krb5_kdcpreauth_rock rock)
 return rock->client_keyblock;
 }
+static krb5_error_code
+add_auth_indicator(krb5_context context, krb5_kdcpreauth_rock rock,
+ const char *indicator)
+{
+ return authind_add(context, indicator, rock->auth_indicators);
+}
+
 static struct krb5_kdcpreauth_callbacks_st callbacks = {
 3,
 max_time_skew,
@@ -554,7 +561,8 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = {
 client_entry,
 event_context,
 have_client_keys,
- client_keyblock
+ client_keyblock,
+ add_auth_indicator
 };
 static krb5_error_code
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index da9bf33e1e..bc98fbffb9 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -421,6 +421,7 @@ struct krb5_kdcpreauth_rock_st {
 krb5_keyblock *client_keyblock;
 struct kdc_request_state *rstate;
 verto_ctx *vctx;
+ krb5_data ***auth_indicators;
 };
 #define isflagset(flagfield, flag) (flagfield & (flag))
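Review bot: The callbacks table is initialized positionally, so the new `add_auth_indicator` entry is correct only because it sits in exactly the slot the header declares after `client_keyblock`; any future insertion into the header would silently shift every later entry onto the wrong function pointer with no compiler diagnostic. Designated initializers, `.client_keyblock = client_keyblock, .add_auth_indicator = add_auth_indicator`, would bind each slot to its name and make the versioned layout self-checking. This applies to the hunk at @@ -554,7 +561,8; the table's opening lines are in the preceding hunk.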
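Review bot: `krb5_data ***auth_indicators` carries three levels of indirection with no comment, unlike the neighbouring rock fields whose types explain themselves, so a reader has to find process_as_req to learn that it points at the as_req_state's list so the callback can grow it in place. I would add `/* Points at the as_req_state indicator list so add_auth_indicator can extend it in place. */` above the member. Whether the list is NULL-terminated is inferred only from its being handed to k5_free_data_ptr_list, so confirm before stating that in the comment.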