From: Luke Howard
Date: Wed, 26 Aug 2009 06:30:22 +0000 (+0000)
Subject: separate import and verify callbacks for authdata plugin
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f74614f7955e17486f142c03540f93a0e606119e;p=thirdparty%2Fkrb5.git

separate import and verify callbacks for authdata plugin

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/authdata@22614 dc483132-0cff-0310-8789-dd5450dbe970
---
diff --git a/src/include/krb5/authdata_plugin.h b/src/include/krb5/authdata_plugin.h
index 66e3f8ebf9..5a3550b093 100644
--- a/src/include/krb5/authdata_plugin.h
+++ b/src/include/krb5/authdata_plugin.h
@@ -189,9 +189,6 @@ typedef krb5_error_code
 (*authdata_client_import_attributes_proc)(krb5_context context,
 void *plugin_context,
 void *request_context,
- const krb5_auth_context *auth_context,
- const krb5_keyblock *key,
- const krb5_ap_req *req,
 krb5_authdata **authdata);
 
 typedef krb5_error_code
@@ -252,6 +249,14 @@ typedef void
 void *request_context,
 void *ptr);
 
+typedef krb5_error_code
+(*authdata_client_verify_proc)(krb5_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *req);
+
 typedef struct krb5plugin_authdata_client_ftable_v0 {
 char *name;
 krb5_authdatatype *ad_type_list;
@@ -269,6 +274,7 @@ typedef struct krb5plugin_authdata_client_ftable_v0 {
 authdata_client_export_internal_proc export_internal;
 authdata_client_free_internal_proc free_internal;
 authdata_client_copy_context_proc copy_context;
+ authdata_client_verify_proc verify;
 } krb5plugin_authdata_client_ftable_v0;
 
 #endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 3e15be26a8..7064ba31a5 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
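Review bot: The new `authdata_client_verify_proc` typedef and the `verify` slot appended to `krb5plugin_authdata_client_ftable_v0` (hunks at -252 and -269) carry no comment saying when the callback runs or what it must establish, which matters because `import_attributes` has lost its `key`/`req` arguments in the first hunk and can no longer verify anything itself. I would add above the typedef: `/* Called after import_attributes has succeeded for the same request context; auth_context, key and req describe the AP-REQ being accepted. Return non-zero to reject the imported attributes as unauthenticated. */`. The slot is appended to the v0 table without a version change, so a plugin built against the earlier v0 layout would have no such field; whether the loader guards against a short table is not visible in this diff.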
@@ -256,24 +256,14 @@ krb5_authdata_context_free(krb5_context kcontext,
 free(context);
 }
 
-static krb5_error_code
-k5_import_authdata_attributes(krb5_context kcontext,
- krb5_authdata_context context,
- krb5_flags usage,
- const krb5_auth_context *auth_context,
- const krb5_keyblock *key,
- const krb5_ap_req *ap_req,
- krb5_authdata **ticket_authdata)
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_import_attributes(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_authdata **authdata_to_import)
 {
 int i;
 krb5_error_code code;
- krb5_authdata **authen_authdata = NULL;
-
- if (auth_context != NULL)
- authen_authdata = (*auth_context)->authentp->authorization_data;
-
- if (ticket_authdata == NULL)
- ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
 
 for (i = 0; i < context->n_modules; i++) {
 struct _krb5_authdata_context_module *module = &context->modules[i];
@@ -286,8 +276,8 @@ k5_import_authdata_attributes(krb5_context kcontext,
 continue;
 
 code = krb5int_find_authdata(kcontext,
- ticket_authdata,
- authen_authdata,
+ authdata_to_import,
+ NULL,
 module->ad_type,
 &authdata);
 if (code != 0 || authdata == NULL)
@@ -298,9 +288,6 @@ k5_import_authdata_attributes(krb5_context kcontext,
 code = (*module->ftable->import_attributes)(kcontext,
 module->plugin_context,
 *(module->request_context_pp),
- auth_context,
- key,
- ap_req,
 authdata);
 if (code != 0 && (module->flags & AD_INFORMATIONAL))
 code = 0;
@@ -312,16 +299,6 @@ k5_import_authdata_attributes(krb5_context kcontext,
 return code;
 }
 
-krb5_error_code KRB5_CALLCONV
-krb5_authdata_import_attributes(krb5_context kcontext,
- krb5_authdata_context context,
- krb5_flags usage,
- krb5_authdata **authdata)
-{
- return k5_import_authdata_attributes(kcontext, context, usage,
- NULL, NULL, NULL, authdata);
-}
-
 krb5_error_code
 krb5int_authdata_verify(krb5_context kcontext,
 krb5_authdata_context context,
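Review bot: `krb5_authdata_import_attributes` is now the full import loop rather than a wrapper, and it is the path that hands `krb5int_find_authdata` a `NULL` authenticator list and never reaches a verify callback, yet nothing above its new definition in the first hunk says so. A header comment such as `/* Import authorization data without verification. Callers must only pass authdata whose origin is already trusted; AP-REQ processing must go through krb5int_authdata_verify instead. */` would keep the next caller from treating the two entry points as equivalent. The stretches of the loop body between the hunks are not shown here.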
@@ -330,8 +307,54 @@ krb5int_authdata_verify(krb5_context kcontext,
 const krb5_keyblock *key,
 const krb5_ap_req *ap_req)
 {
- return k5_import_authdata_attributes(kcontext, context, usage,
- auth_context, key, ap_req, NULL);
+ int i;
+ krb5_error_code code;
+ krb5_authdata **authen_authdata;
+ krb5_authdata **ticket_authdata;
+
+ authen_authdata = (*auth_context)->authentp->authorization_data;
+ ticket_authdata = ap_req->ticket->enc_part2->authorization_data;
+
+ for (i = 0; i < context->n_modules; i++) {
+ struct _krb5_authdata_context_module *module = &context->modules[i];
+ krb5_authdata **authdata;
+
+ if ((module->flags & usage) == 0)
+ continue;
+
+ if (module->ftable->import_attributes == NULL)
+ continue;
+
+ code = krb5int_find_authdata(kcontext,
+ ticket_authdata,
+ authen_authdata,
+ module->ad_type,
+ &authdata);
+ if (code != 0 || authdata == NULL)
+ continue;
+
+ assert(authdata[0] != NULL);
+
+ code = (*module->ftable->import_attributes)(kcontext,
+ module->plugin_context,
+ *(module->request_context_pp),
+ authdata);
+ if (code == 0 && module->ftable->verify != NULL) {
+ code = (*module->ftable->verify)(kcontext,
+ module->plugin_context,
+ *(module->request_context_pp),
+ auth_context,
+ key,
+ ap_req);
+ }
+ if (code != 0 && (module->flags & AD_INFORMATIONAL))
+ code = 0;
+ krb5_free_authdata(kcontext, authdata);
+ if (code != 0)
+ break;
+ }
+
+ return code;
 }
 
 static krb5_error_code
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 40bb6e5847..2adf4bbf18 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -976,9 +976,6 @@ static krb5_error_code
 mspac_import_attributes(krb5_context context,
 void *plugin_context,
 void *request_context,
- const krb5_auth_context *auth_context,
- const krb5_keyblock *key,
- const krb5_ap_req *req,
 krb5_authdata **authdata)
 {
 krb5_error_code code;
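Review bot: In the new `krb5int_authdata_verify` loop the downgrade `if (code != 0 && (module->flags & AD_INFORMATIONAL)) code = 0;` now also swallows a non-zero return from `verify`, so a module flagged informational whose check fails keeps its already-imported attributes in the request context while the caller is told everything succeeded. Unless a per-module reset exists (none is visible in this diff), I would restrict the downgrade to the `import_attributes` result and let a verification failure propagate, as below. The removed code guarded `auth_context != NULL` before dereferencing it; the rewrite dereferences both `auth_context` and `ap_req` unconditionally, which holds only if every caller supplies them, so an `assert(auth_context != NULL && ap_req != NULL);` or a comment stating the contract would help. The import half of this loop duplicates `krb5_authdata_import_attributes` line for line; a shared static helper taking the authenticator list and a verify flag would keep the two from drifting. The function's signature begins above this hunk.
```c
        code = (*module->ftable->import_attributes)(kcontext,
                                                    module->plugin_context,
                                                    *(module->request_context_pp),
                                                    authdata);
        if (code != 0) {
            /* Only an import failure may be waived for informational types. */
            if (module->flags & AD_INFORMATIONAL)
                code = 0;
        } else if (module->ftable->verify != NULL) {
            /* A failed verification is never waived: the attributes just
             * imported would otherwise stay in the request context. */
            code = (*module->ftable->verify)(kcontext,
                                             module->plugin_context,
                                             *(module->request_context_pp),
                                             auth_context,
                                             key,
                                             ap_req);
        }
        krb5_free_authdata(kcontext, authdata);
        /* … unchanged: break on error, return code … */
```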
@@ -994,19 +991,30 @@ mspac_import_attributes(krb5_context context,
 code = krb5_pac_parse(context,
 authdata[0]->contents,
 authdata[0]->length,
 &pacctx->pac);
- if (code != 0)
- return code;
 
- if (req != NULL) {
- assert(key != NULL);
+ return code;
+}
 
- code = krb5_pac_verify(context,
- pacctx->pac,
- req->ticket->enc_part2->times.authtime,
- req->ticket->enc_part2->client,
- key,
- NULL);
- }
+static krb5_error_code
+mspac_verify(krb5_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *req)
+{
+ krb5_error_code code;
+ struct mspac_context *pacctx = (struct mspac_context *)request_context;
+
+ if (pacctx->pac == NULL)
+ return EINVAL;
+
+ code = krb5_pac_verify(context,
+ pacctx->pac,
+ req->ticket->enc_part2->times.authtime,
+ req->ticket->enc_part2->client,
+ key,
+ NULL);
 #if 0
 /*
@@ -1395,7 +1403,8 @@ krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = {
 mspac_export_attributes,
 mspac_export_internal,
 mspac_free_internal,
- mspac_copy_context
+ mspac_copy_context,
+ mspac_verify
 };
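Review bot: When `krb5_pac_verify` fails in the new `mspac_verify`, `pacctx->pac` still holds the parsed but unverified PAC, so a later export from this request context could hand out data whose signature did not check; the split makes this sharper than before, because `mspac_import_attributes` now returns success before any verification happens. After the verify call I would add `if (code != 0) { krb5_pac_free(context, pacctx->pac); pacctx->pac = NULL; }` so the context falls back to the not-imported state that the `EINVAL` guard at the top already handles. The `#if 0` block and the remainder of `mspac_verify`, including its return, lie past the end of this hunk. `plugin_context` and `auth_context` are unused in the new function; if that is intentional, a short comment on the signature would say so.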