From dfc60edc2e14db872001cfbb2c898a856d6e1e21 Mon Sep 17 00:00:00 2001 From: Zhanna Tsitkov Date: Thu, 22 Apr 2010 18:28:59 +0000 Subject: [PATCH] Add omitted in r23923 files git-svn-id: svn://anonsvn.mit.edu/krb5/branches/plugins@23924 dc483132-0cff-0310-8789-dd5450dbe970 --- src/plugins/pa/Makefile.in | 22 + src/plugins/pa/deps | 13 + .../pa/encrypted_challenge/Makefile.in | 25 ++ src/plugins/pa/encrypted_challenge/deps | 10 + .../pa/encrypted_challenge/plugin_pa_impl.c | 404 ++++++++++++++++++ .../pa/encrypted_challenge/plugin_pa_impl.h | 14 + src/plugins/pa/plugin_pa.c | 127 ++++++ src/plugins/pa/plugin_pa.h | 140 ++++++ 8 files changed, 755 insertions(+) create mode 100644 src/plugins/pa/Makefile.in create mode 100644 src/plugins/pa/deps create mode 100644 src/plugins/pa/encrypted_challenge/Makefile.in create mode 100644 src/plugins/pa/encrypted_challenge/deps create mode 100644 src/plugins/pa/encrypted_challenge/plugin_pa_impl.c create mode 100644 src/plugins/pa/encrypted_challenge/plugin_pa_impl.h create mode 100644 src/plugins/pa/plugin_pa.c create mode 100644 src/plugins/pa/plugin_pa.h diff --git a/src/plugins/pa/Makefile.in b/src/plugins/pa/Makefile.in new file mode 100644 index 0000000000..2622915345 --- /dev/null +++ b/src/plugins/pa/Makefile.in @@ -0,0 +1,22 @@ +mydir=plugins/pa +BUILDTOP=$(REL)../.. +RELDIR=../plugins/pa +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +DEFS= + +LOCALINCLUDES = -I../../include/krb5 -I. -I../../plugin_core + +LIBBASE=plugin_pa + +STLIBOBJS= plugin_pa.o +SRCS= plugin_pa.c +STOBJLISTS=OBJS.ST + +all-unix:: all-liblinks +clean-unix:: clean-liblinks clean-libs clean-libobjs +install-unix:: install-libs + +@libpriv_frag@ +@lib_frag@ +@libobj_frag@ diff --git a/src/plugins/pa/deps b/src/plugins/pa/deps new file mode 100644 index 0000000000..22b2661d9b --- /dev/null +++ b/src/plugins/pa/deps @@ -0,0 +1,13 @@ +# +# Generated makefile dependencies follow. +# +plugin_pa.so plugin_pa.po $(OUTPRE)plugin_pa.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/plugins/pa/plugin_pa.h \ + $(top_srcdir)/plugin_core/plugin_manager.h \ + $(top_srcdir)/plugin_core/plugin_factory.h \ + plugin_pa.c +plugin_pa_impl.so plugin_pa_impl.po $(OUTPRE)plugin_pa_impl.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/plugins/pa/plugin_pa_impl.h \ + $(top_srcdir)/plugin_core/plugin_manager.h \ + $(top_srcdir)/plugin_core/plugin_factory.h \ + plugin_pa_impl.c diff --git a/src/plugins/pa/encrypted_challenge/Makefile.in b/src/plugins/pa/encrypted_challenge/Makefile.in new file mode 100644 index 0000000000..0360da1790 --- /dev/null +++ b/src/plugins/pa/encrypted_challenge/Makefile.in @@ -0,0 +1,25 @@ +mydir=plugins/pa/encrypted_challenge +BUILDTOP=$(REL)../../.. +RELDIR=../plugins/pa/encrypted_challenge +PROG_LIBPATH=-L$(TOPLIBD) +PROG_RPATH=$(KRB5_LIBDIR) +DEFS= + +LOCALINCLUDES = -I../../../include/krb5 -I. -I../../../plugin_core -I.. -I$(srcdir)/.. \ + -I../../../plugins/preauth + +LIBBASE=encrypted_challenge + +STLIBOBJS= plugin_pa_impl.o +SRCS= $(srcdir)/plugin_pa_impl.c + +STOBJLISTS=OBJS.ST + +all-unix:: all-liblinks +clean-unix:: clean-liblinks clean-libs clean-libobjs +install-unix:: install-libs + + +@libpriv_frag@ +@lib_frag@ +@libobj_frag@ diff --git a/src/plugins/pa/encrypted_challenge/deps b/src/plugins/pa/encrypted_challenge/deps new file mode 100644 index 0000000000..e8189b5b20 --- /dev/null +++ b/src/plugins/pa/encrypted_challenge/deps @@ -0,0 +1,10 @@ +# +# Generated makefile dependencies follow. +# +plugin_pa_impl.so plugin_pa_impl.po $(OUTPRE)plugin_pa_impl.$(OBJEXT): \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/plugins/pa/encrypted_challenge/plugin_pa_impl.h \ + $(top_srcdir)/plugins/preauth/fast_factor.h \ + $(top_srcdir)/plugin_core/plugin_manager.h \ + $(top_srcdir)/plugin_core/plugin_factory.h \ + plugin_pa_impl.c + diff --git a/src/plugins/pa/encrypted_challenge/plugin_pa_impl.c b/src/plugins/pa/encrypted_challenge/plugin_pa_impl.c new file mode 100644 index 0000000000..4965fb943c --- /dev/null +++ b/src/plugins/pa/encrypted_challenge/plugin_pa_impl.c @@ -0,0 +1,404 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + +/* Implement Encrypted Challenge fast factor from + * draft-ietf-krb-wg-preauth-framework + */ + + +#include "k5-int.h" +#include "fast_factor.h" + +//#include + + +#include +#include +#include "plugin_pa_impl.h" + + +static int +_plugin_preauth_flags(krb5_context context, krb5_preauthtype pa_type) +{ + return PA_REAL; +} + +static krb5_error_code +_plugin_process_preauth(krb5_context context, void *plugin_context, + void *request_context, krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, krb5_pa_data *padata, + krb5_prompter_fct prompter, void *prompter_data, + preauth_get_as_key_proc gak_fct, void *gak_data, + krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key, + krb5_pa_data ***out_padata) +{ + krb5_error_code retval = 0; + krb5_enctype enctype = 0; + krb5_keyblock *challenge_key = NULL, *armor_key = NULL; + krb5_data *etype_data = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); + if (retval || armor_key == NULL) + return 0; + retval = get_data_proc(context, rock, krb5plugin_preauth_client_get_etype, &etype_data); + if (retval == 0) { + enctype = *((krb5_enctype *)etype_data->data); + if (as_key->length == 0 ||as_key->enctype != enctype) + retval = gak_fct(context, request->client, + enctype, prompter, prompter_data, + salt, s2kparams, + as_key, gak_data); + } + if (retval == 0 && padata->length) { + krb5_enc_data *enc = NULL; + krb5_data scratch; + scratch.length = padata->length; + scratch.data = (char *) padata->contents; + retval = krb5_c_fx_cf2_simple(context,armor_key, "kdcchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval =kaccess.decode_enc_data(&scratch, &enc); + scratch.data = NULL; + if (retval == 0) { + scratch.data = malloc(enc->ciphertext.length); + scratch.length = enc->ciphertext.length; + if (scratch.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, NULL, + enc, &scratch); + /* + * Per draft 11 of the preauth framework, the client MAY but is not + * required to actually check the timestamp from the KDC other than to + * confirm it decrypts. This code does not perform that check. + */ + if (scratch.data) + krb5_free_data_contents(context, &scratch); + if (retval == 0) + fast_set_kdc_verified(context, get_data_proc, rock); + if (enc) + kaccess.free_enc_data(context, enc); + } else if (retval == 0) { /*No padata; we send*/ + krb5_enc_data enc; + krb5_pa_data *pa = NULL; + krb5_pa_data **pa_array = NULL; + krb5_data *encoded_ts = NULL; + krb5_pa_enc_ts ts; + enc.ciphertext.data = NULL; + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &encoded_ts); + if (retval == 0) + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + as_key, "challengelongterm", + &challenge_key); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + encoded_ts, &enc); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + encoded_ts = NULL; + if (retval == 0) { + retval = kaccess.encode_enc_data(&enc, &encoded_ts); + krb5_free_data_contents(context, &enc.ciphertext); + } + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa_array = calloc(2, sizeof(krb5_pa_data *)); + if (pa_array == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->length = encoded_ts->length; + pa->contents = (unsigned char *) encoded_ts->data; + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + free(encoded_ts); + encoded_ts = NULL; + pa_array[0] = pa; + pa = NULL; + *out_padata = pa_array; + pa_array = NULL; + } + if (pa) + free(pa); + if (encoded_ts) + krb5_free_data(context, encoded_ts); + if (pa_array) + free(pa_array); + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (etype_data != NULL) + get_data_proc(context, rock, krb5plugin_preauth_client_free_etype, + &etype_data); + return retval; +} + + +static krb5_error_code +_plugin_kdc_include_padata(krb5_context context, krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, krb5_pa_data *data) +{ + krb5_error_code retval = 0; + krb5_keyblock *armor_key = NULL; + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval) + return retval; + if (armor_key == 0) + return ENOENT; + krb5_free_keyblock(context, armor_key); + return 0; +} + +static krb5_error_code +_plugin_kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context, + krb5_data **e_data, krb5_authdata ***authz_data) +{ + krb5_error_code retval = 0; + krb5_timestamp now; + krb5_enc_data *enc = NULL; + krb5_data scratch, plain; + krb5_keyblock *armor_key = NULL; + krb5_pa_enc_ts *ts = NULL; + krb5int_access kaccess; + krb5_keyblock *client_keys = NULL; + krb5_data *client_data = NULL; + krb5_keyblock *challenge_key = NULL; + int i = 0; + + plain.data = NULL; + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + + retval = fast_kdc_get_armor_key(context, get_entry_proc, request, client, &armor_key); + if (retval == 0 &&armor_key == NULL) { + retval = ENOENT; + krb5_set_error_message(context, ENOENT, "Encrypted Challenge used outside of FAST tunnel"); + } + scratch.data = (char *) data->contents; + scratch.length = data->length; + if (retval == 0) + retval = kaccess.decode_enc_data(&scratch, &enc); + if (retval == 0) { + plain.data = malloc(enc->ciphertext.length); + plain.length = enc->ciphertext.length; + if (plain.data == NULL) + retval = ENOMEM; + } + if (retval == 0) + retval = get_entry_proc(context, request, client, + krb5plugin_preauth_keys, &client_data); + if (retval == 0) { + client_keys = (krb5_keyblock *) client_data->data; + for (i = 0; client_keys[i].enctype&& (retval == 0); i++ ) { + retval = krb5_c_fx_cf2_simple(context, + armor_key, "clientchallengearmor", + &client_keys[i], "challengelongterm", + &challenge_key); + if (retval == 0) + retval = krb5_c_decrypt(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT, + NULL, enc, &plain); + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + challenge_key = NULL; + if (retval == 0) + break; + /*We failed to decrypt. Try next key*/ + retval = 0; + krb5_free_keyblock_contents(context, &client_keys[i]); + } + if (client_keys[i].enctype == 0) { + retval = KRB5KDC_ERR_PREAUTH_FAILED; + krb5_set_error_message(context, retval, "Incorrect password in encrypted challenge"); + } else { /*not run out of keys*/ + int j; + assert (retval == 0); + for (j = i+1; client_keys[j].enctype; j++) + krb5_free_keyblock_contents(context, &client_keys[j]); + } + + } + if (retval == 0) + retval = kaccess.decode_enc_ts(&plain, &ts); + if (retval == 0) + retval = krb5_timeofday(context, &now); + if (retval == 0) { + if (labs(now-ts->patimestamp) < context->clockskew) { + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; + /* + * If this fails, we won't generate a reply to the client. That + * may cause the client to fail, but at this point the KDC has + * considered this a success, so the return value is ignored. + */ + fast_kdc_replace_reply_key(context, get_entry_proc, request); + krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", + &client_keys[i], "challengelongterm", + (krb5_keyblock **) pa_request_context); + } else { /*skew*/ + retval = KRB5KRB_AP_ERR_SKEW; + } + } + if (client_keys) { + if (client_keys[i].enctype) + krb5_free_keyblock_contents(context, &client_keys[i]); + krb5_free_data(context, client_data); + } + if (armor_key) + krb5_free_keyblock(context, armor_key); + if (plain.data) + free(plain.data); + if (enc) + kaccess.free_enc_data(context, enc); + if (ts) + kaccess.free_enc_ts(context, ts); + return retval; +} + +static krb5_error_code +_plugin_kdc_return_preauth(krb5_context context, krb5_pa_data *padata, + struct _krb5_db_entry_new *client, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context) +{ + krb5_error_code retval = 0; + krb5_keyblock *challenge_key = *pa_request_context; + krb5_pa_enc_ts ts; + krb5_data *plain = NULL; + krb5_enc_data enc; + krb5_data *encoded = NULL; + krb5_pa_data *pa = NULL; + krb5int_access kaccess; + + if (krb5int_accessor(&kaccess, KRB5INT_ACCESS_VERSION) != 0) + return 0; + if (challenge_key == NULL) + return 0; + * pa_request_context = NULL; /*this function will free the + * challenge key*/ + enc.ciphertext.data = NULL; /* In case of error pass through */ + + retval = krb5_us_timeofday(context, &ts.patimestamp, &ts.pausec); + if (retval == 0) + retval = kaccess.encode_enc_ts(&ts, &plain); + if (retval == 0) + retval = kaccess.encrypt_helper(context, challenge_key, + KRB5_KEYUSAGE_ENC_CHALLENGE_KDC, + plain, &enc); + if (retval == 0) + retval = kaccess.encode_enc_data(&enc, &encoded); + if (retval == 0) { + pa = calloc(1, sizeof(krb5_pa_data)); + if (pa == NULL) + retval = ENOMEM; + } + if (retval == 0) { + pa->pa_type = KRB5_PADATA_ENCRYPTED_CHALLENGE; + pa->contents = (unsigned char *) encoded->data; + pa->length = encoded->length; + encoded->data = NULL; + *send_pa = pa; + pa = NULL; + } + if (challenge_key) + krb5_free_keyblock(context, challenge_key); + if (encoded) + krb5_free_data(context, encoded); + if (plain) + krb5_free_data(context, plain); + if (enc.ciphertext.data) + krb5_free_data_contents(context, &enc.ciphertext); + return retval; +} + +static int +_plugin_kdc_preauth_flags(krb5_context context, krb5_preauthtype patype) +{ + return 0; +} + +static krb5_error_code +_plugin_server_free_reqctx(krb5_context kcontext, + void *pa_module_context, + void **pa_request_context) +{ + return 0; +} + +static krb5_error_code +_plugin_server_init(krb5_context kcontext, void **module_context, const char **realmnames) +{ + return 0; +} + +static void +_plugin_server_fini(krb5_context kcontext, void *module_context) +{ + return; +} + + + +#if 0 +krb5_preauthtype supported_pa_types[] = { + KRB5_PADATA_ENCRYPTED_CHALLENGE, 0}; + +struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { + "Encrypted challenge", + &supported_pa_types[0], + NULL, + NULL, + kdc_preauth_flags, + kdc_include_padata, + kdc_verify_preauth, + kdc_return_preauth, + NULL +}; +#endif + +plhandle +plugin_encrypted_challenge_pa_create() +{ + plhandle handle; + plugin_pa* api = malloc(sizeof(plugin_pa)); + + memset(api, 0, sizeof(plugin_pa)); + api->version = 1; + api->server_init = _plugin_server_init; + api->server_fini = _plugin_server_fini; + api->preauth_flags = _plugin_preauth_flags; + api->process_preauth = _plugin_process_preauth; + api->kdc_include_padata = _plugin_kdc_include_padata; + api->kdc_verify_preauth = _plugin_kdc_verify_preauth; + api->kdc_return_preauth = _plugin_kdc_return_preauth; + api->server_free_reqctx = _plugin_server_free_reqctx; + handle.api = api; + + return handle; +} diff --git a/src/plugins/pa/encrypted_challenge/plugin_pa_impl.h b/src/plugins/pa/encrypted_challenge/plugin_pa_impl.h new file mode 100644 index 0000000000..14fc4bf927 --- /dev/null +++ b/src/plugins/pa/encrypted_challenge/plugin_pa_impl.h @@ -0,0 +1,14 @@ +/* + * plugin_pa_impl.h + * + */ + +#ifndef PLUGIN_PA_IMPL_H_ +#define PLUGIN_PA_IMPL_H_ + +#include +#include + +plhandle plugin_encrypted_challenge_pa_create(void); + +#endif /* PLUGIN_PA_IMPL_H_ */ diff --git a/src/plugins/pa/plugin_pa.c b/src/plugins/pa/plugin_pa.c new file mode 100644 index 0000000000..4edeaf9c23 --- /dev/null +++ b/src/plugins/pa/plugin_pa.c @@ -0,0 +1,127 @@ +/* + * plugin_pa.c + * + */ +#include +#include "plugin_pa.h" + +int +plugin_preauth_flags(plhandle handle, krb5_context context, krb5_preauthtype pa_type) +{ + int flags = 0; + plugin_pa* api = (plugin_pa*) handle.api; + flags = api->preauth_flags(context, pa_type); + return flags; + +} +krb5_error_code +plugin_process_preauth(plhandle handle, krb5_context context, void *plugin_context, + void *request_context, krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, krb5_pa_data *padata, + krb5_prompter_fct prompter, void *prompter_data, + preauth_get_as_key_proc gak_fct, void *gak_data, + krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key, + krb5_pa_data ***out_padata) +{ + krb5_error_code retval = 0; + plugin_pa* api = (plugin_pa*) handle.api; + retval = api->process_preauth(context, plugin_context, + request_context, opt, + get_data_proc, + rock, request, + encoded_request_body, + encoded_previous_request, padata, + prompter, prompter_data, + gak_fct, gak_data, + salt, s2kparams, as_key, + out_padata); + return retval; + +} + +krb5_error_code +plugin_kdc_include_padata(plhandle handle, krb5_context context, krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, krb5_pa_data *data) +{ + krb5_error_code retval = 0; + plugin_pa* api = (plugin_pa*) handle.api; + retval = api->kdc_include_padata(context, request, + client, + server, + get_entry_proc, + pa_module_context, data); + return retval; +} +krb5_error_code +plugin_kdc_verify_preauth(plhandle handle, krb5_context context, struct _krb5_db_entry_new *client, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context, + krb5_data **e_data, krb5_authdata ***authz_data) +{ + krb5_error_code retval = 0; + plugin_pa* api = (plugin_pa*) handle.api; + retval = api->kdc_verify_preauth(context, client, + req_pkt, request, + enc_tkt_reply, data, + get_entry_proc, + pa_module_context, pa_request_context, + e_data, authz_data); + return retval; +} + +krb5_error_code +plugin_kdc_return_preauth(plhandle handle, krb5_context context, krb5_pa_data *padata, + struct _krb5_db_entry_new *client, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context) +{ + krb5_error_code retval = 0; + plugin_pa* api = (plugin_pa*) handle.api; + retval = api->kdc_return_preauth(context, padata, + client, req_pkt, + request, reply, + client_keys, + encrypting_key, send_pa, + get_entry_proc, + pa_module_context, pa_request_context); + return retval; + +} +krb5_error_code +plugin_server_free_reqctx(plhandle handle, krb5_context kcontext, + void *pa_module_context, + void **pa_request_context) +{ + krb5_error_code retval = 0; + plugin_pa* api = (plugin_pa*) handle.api; + retval = api->server_free_reqctx(kcontext, + pa_module_context, + pa_request_context); + return retval; +} +krb5_error_code +plugin_server_init(plhandle handle, krb5_context kcontext, void **module_context, const char **realmnames) +{ + krb5_error_code retval = 0; + plugin_pa* api = (plugin_pa*) handle.api; + retval = api->server_init(kcontext, module_context, realmnames); + return retval; +} +void +plugin_server_fini(plhandle handle, krb5_context kcontext, void *module_context) +{ + plugin_pa* api = (plugin_pa*) handle.api; + api->server_fini(kcontext, module_context); + return; +} diff --git a/src/plugins/pa/plugin_pa.h b/src/plugins/pa/plugin_pa.h new file mode 100644 index 0000000000..f7d6cca305 --- /dev/null +++ b/src/plugins/pa/plugin_pa.h @@ -0,0 +1,140 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* + * plugins/pa/plugin_pa.h + * + * Copyright (C) 2010 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * Implement Encrypted Challenge fast factor from + * draft-ietf-krb-wg-preauth-framework + */ + +#ifndef PLUGIN_PA_H_ +#define PLUGIN_PA_H_ + +#include +#include + +/* PREAUTH API */ +typedef struct { + int version; + krb5_error_code (*server_init)(krb5_context, void**, const char**); + void (*server_fini)(krb5_context, void*); + int (*preauth_flags)(krb5_context context, krb5_preauthtype pa_type); + krb5_error_code (*process_preauth)(krb5_context, void*, void*, + krb5_get_init_creds_opt*, + preauth_get_client_data_proc, + struct _krb5_preauth_client_rock*, + krb5_kdc_req*, + krb5_data*, krb5_data*, krb5_pa_data*, + krb5_prompter_fct prompter, void*, + preauth_get_as_key_proc, void*, + krb5_data*, krb5_data*, krb5_keyblock*, + krb5_pa_data***); + krb5_error_code (*kdc_include_padata)(krb5_context, krb5_kdc_req*, + struct _krb5_db_entry_new*, + struct _krb5_db_entry_new*, + preauth_get_entry_data_proc, + void*, krb5_pa_data*); + krb5_error_code (*kdc_verify_preauth)(krb5_context, struct _krb5_db_entry_new*, + krb5_data*, krb5_kdc_req*, + krb5_enc_tkt_part*, krb5_pa_data*, + preauth_get_entry_data_proc, + void*, void**, + krb5_data**, krb5_authdata***); + krb5_error_code (*kdc_return_preauth)(krb5_context, krb5_pa_data*, + struct _krb5_db_entry_new*, krb5_data*, + krb5_kdc_req*, krb5_kdc_rep*, + struct _krb5_key_data*, + krb5_keyblock*, krb5_pa_data**, + preauth_get_entry_data_proc, + void*, void**); + krb5_error_code (*server_free_reqctx)(krb5_context, void*, void**); +} plugin_pa; + +int plugin_preauth_flags(plhandle handle, krb5_context context, krb5_preauthtype pa_type); +krb5_error_code plugin_process_preauth(plhandle handle, krb5_context context, void *plugin_context, + void *request_context, krb5_get_init_creds_opt *opt, + preauth_get_client_data_proc get_data_proc, + struct _krb5_preauth_client_rock *rock, krb5_kdc_req *request, + krb5_data *encoded_request_body, + krb5_data *encoded_previous_request, krb5_pa_data *padata, + krb5_prompter_fct prompter, void *prompter_data, + preauth_get_as_key_proc gak_fct, void *gak_data, + krb5_data *salt, krb5_data *s2kparams, krb5_keyblock *as_key, + krb5_pa_data ***out_padata); +krb5_error_code plugin_kdc_include_padata(plhandle handle, krb5_context context, krb5_kdc_req *request, + struct _krb5_db_entry_new *client, + struct _krb5_db_entry_new *server, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, krb5_pa_data *data); +krb5_error_code plugin_kdc_verify_preauth(plhandle handle, krb5_context context, struct _krb5_db_entry_new *client, + krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context, + krb5_data **e_data, krb5_authdata ***authz_data); +krb5_error_code plugin_kdc_return_preauth(plhandle handle, krb5_context context, krb5_pa_data *padata, + struct _krb5_db_entry_new *client, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + struct _krb5_key_data *client_keys, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, + preauth_get_entry_data_proc get_entry_proc, + void *pa_module_context, void **pa_request_context); +krb5_error_code plugin_server_free_reqctx(plhandle handle, krb5_context kcontext, + void *pa_module_context, + void **pa_request_context); +krb5_error_code plugin_server_init(plhandle handle, krb5_context kcontext, void **module_context, const char **realmnames); +void plugin_server_fini(plhandle handle, krb5_context kcontext, void *module_context); + +#if 0 +krb5_preauthtype supported_pa_types[] = {KRB5_PADATA_ENCRYPTED_CHALLENGE, 0}; + +struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = { + "Encrypted challenge", + &supported_pa_types[0], + NULL, + NULL, + kdc_preauth_flags, + kdc_include_padata, + kdc_verify_preauth, + kdc_return_preauth, + NULL +}; + +struct krb5plugin_preauth_client_ftable_v1 preauthentication_client_1 = { + "Encrypted Challenge", /* name */ + &supported_pa_types[0], /* pa_type_list */ + NULL, /* enctype_list */ + NULL, /* plugin init function */ + NULL, /* plugin fini function */ + preauth_flags, /* get flags function */ + NULL, /* request init function */ + NULL, /* request fini function */ + process_preauth, /* process function */ + NULL, /* try_again function */ + NULL /* get init creds opt function */ +}; +#endif + +#endif /* PLUGIN_PA_H_ */ -- 2.47.2