|
 |
167778 |
From 44fdcedd2a61cd40fe68aef533c878b5f2f665a8 Mon Sep 17 00:00:00 2001
|
|
|
167778 |
From: Greg Hudson <ghudson@mit.edu>
|
|
|
167778 |
Date: Tue, 20 Dec 2016 16:06:24 -0500
|
|
|
167778 |
Subject: [PATCH] Properly scope per-request preauth data
|
|
|
167778 |
|
|
|
167778 |
It should be possible to successfully use multiple initial credentials
|
|
|
167778 |
contexts with the same library context. Create a new internal type
|
|
|
167778 |
krb5_preauth_req_context containing per-request preauth state,
|
|
|
167778 |
including the clpreauth modreq handles and the list of preauth types
|
|
|
167778 |
already tried. Remove this state from clpreauth_handle and
|
|
|
167778 |
krb5_preauth_context.
|
|
|
167778 |
|
|
|
167778 |
ticket: 7877
|
|
|
167778 |
(cherry picked from commit b061f419cfc9653b7549b905e54fbbd78deea49e)
|
|
|
167778 |
---
|
|
|
167778 |
src/include/k5-trace.h | 3 +
|
|
|
167778 |
src/lib/krb5/krb/get_in_tkt.c | 12 +-
|
|
|
167778 |
src/lib/krb5/krb/init_creds_ctx.h | 3 +
|
|
|
167778 |
src/lib/krb5/krb/int-proto.h | 8 +-
|
|
|
167778 |
src/lib/krb5/krb/preauth2.c | 190 +++++++++++++++++++-----------
|
|
|
167778 |
5 files changed, 135 insertions(+), 81 deletions(-)
|
|
|
167778 |
|
|
|
167778 |
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
|
|
|
167778 |
index 2885408a2..f44f162d3 100644
|
|
|
167778 |
--- a/src/include/k5-trace.h
|
|
|
167778 |
+++ b/src/include/k5-trace.h
|
|
|
167778 |
@@ -291,6 +291,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
|
|
|
167778 |
TRACE(c, "Preauth tryagain input types: {patypes}", padata)
|
|
|
167778 |
#define TRACE_PREAUTH_TRYAGAIN_OUTPUT(c, padata) \
|
|
|
167778 |
TRACE(c, "Followup preauth for next request: {patypes}", padata)
|
|
|
167778 |
+#define TRACE_PREAUTH_WRONG_CONTEXT(c) \
|
|
|
167778 |
+ TRACE(c, "Wrong context passed to krb5_init_creds_free(); leaking " \
|
|
|
167778 |
+ "modreq objects")
|
|
|
167778 |
|
|
|
167778 |
#define TRACE_PROFILE_ERR(c,subsection, section, retval) \
|
|
|
167778 |
TRACE(c, "Bad value of {str} from [{str}] in conf file: {kerr}", \
|
|
|
167778 |
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
167778 |
index ed15550f0..80f5e1870 100644
|
|
|
167778 |
--- a/src/lib/krb5/krb/get_in_tkt.c
|
|
|
167778 |
+++ b/src/lib/krb5/krb/get_in_tkt.c
|
|
|
167778 |
@@ -565,7 +565,7 @@ krb5_init_creds_free(krb5_context context,
|
|
|
167778 |
k5_response_items_free(ctx->rctx.items);
|
|
|
167778 |
free(ctx->in_tkt_service);
|
|
|
167778 |
zapfree(ctx->gakpw.storage.data, ctx->gakpw.storage.length);
|
|
|
167778 |
- k5_preauth_request_context_fini(context);
|
|
|
167778 |
+ k5_preauth_request_context_fini(context, ctx);
|
|
|
167778 |
krb5_free_error(context, ctx->err_reply);
|
|
|
167778 |
krb5_free_pa_data(context, ctx->err_padata);
|
|
|
167778 |
krb5_free_cred_contents(context, &ctx->cred);
|
|
|
167778 |
@@ -816,8 +816,8 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
if (fast_upgrade)
|
|
|
167778 |
ctx->fast_state->fast_state_flags |= KRB5INT_FAST_DO_FAST;
|
|
|
167778 |
|
|
|
167778 |
- k5_preauth_request_context_fini(context);
|
|
|
167778 |
- k5_preauth_request_context_init(context);
|
|
|
167778 |
+ k5_preauth_request_context_fini(context, ctx);
|
|
|
167778 |
+ k5_preauth_request_context_init(context, ctx);
|
|
|
167778 |
krb5_free_data(context, ctx->outer_request_body);
|
|
|
167778 |
ctx->outer_request_body = NULL;
|
|
|
167778 |
if (ctx->opt->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) {
|
|
|
167778 |
@@ -1504,7 +1504,7 @@ init_creds_step_reply(krb5_context context,
|
|
|
167778 |
} else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
|
|
|
167778 |
reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
|
|
|
167778 |
/* reset the list of preauth types to try */
|
|
|
167778 |
- k5_reset_preauth_types_tried(context);
|
|
|
167778 |
+ k5_reset_preauth_types_tried(ctx);
|
|
|
167778 |
krb5_free_pa_data(context, ctx->preauth_to_use);
|
|
|
167778 |
ctx->preauth_to_use = ctx->err_padata;
|
|
|
167778 |
ctx->err_padata = NULL;
|
|
|
167778 |
@@ -1555,7 +1555,7 @@ init_creds_step_reply(krb5_context context,
|
|
|
167778 |
goto cleanup;
|
|
|
167778 |
|
|
|
167778 |
/* process any preauth data in the as_reply */
|
|
|
167778 |
- k5_reset_preauth_types_tried(context);
|
|
|
167778 |
+ k5_reset_preauth_types_tried(ctx);
|
|
|
167778 |
code = krb5int_fast_process_response(context, ctx->fast_state,
|
|
|
167778 |
ctx->reply, &strengthen_key);
|
|
|
167778 |
if (code != 0)
|
|
|
167778 |
@@ -1640,7 +1640,7 @@ init_creds_step_reply(krb5_context context,
|
|
|
167778 |
k5_prependmsg(context, code, _("Failed to store credentials"));
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
- k5_preauth_request_context_fini(context);
|
|
|
167778 |
+ k5_preauth_request_context_fini(context, ctx);
|
|
|
167778 |
|
|
|
167778 |
/* success */
|
|
|
167778 |
ctx->complete = TRUE;
|
|
|
167778 |
diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h
|
|
|
167778 |
index 38c01c775..a7cded942 100644
|
|
|
167778 |
--- a/src/lib/krb5/krb/init_creds_ctx.h
|
|
|
167778 |
+++ b/src/lib/krb5/krb/init_creds_ctx.h
|
|
|
167778 |
@@ -6,6 +6,8 @@
|
|
|
167778 |
#include "k5-json.h"
|
|
|
167778 |
#include "int-proto.h"
|
|
|
167778 |
|
|
|
167778 |
+typedef struct krb5_preauth_req_context_st *krb5_preauth_req_context;
|
|
|
167778 |
+
|
|
|
167778 |
struct krb5_responder_context_st {
|
|
|
167778 |
k5_response_items *items;
|
|
|
167778 |
};
|
|
|
167778 |
@@ -67,6 +69,7 @@ struct _krb5_init_creds_context {
|
|
|
167778 |
krb5_timestamp pa_offset;
|
|
|
167778 |
krb5_int32 pa_offset_usec;
|
|
|
167778 |
enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state;
|
|
|
167778 |
+ krb5_preauth_req_context preauth_reqctx;
|
|
|
167778 |
};
|
|
|
167778 |
|
|
|
167778 |
krb5_error_code
|
|
|
167778 |
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
|
|
|
167778 |
index 9c746d05b..f1667c238 100644
|
|
|
167778 |
--- a/src/lib/krb5/krb/int-proto.h
|
|
|
167778 |
+++ b/src/lib/krb5/krb/int-proto.h
|
|
|
167778 |
@@ -194,17 +194,19 @@ void
|
|
|
167778 |
k5_free_preauth_context(krb5_context context);
|
|
|
167778 |
|
|
|
167778 |
void
|
|
|
167778 |
-k5_reset_preauth_types_tried(krb5_context context);
|
|
|
167778 |
+k5_reset_preauth_types_tried(krb5_init_creds_context ctx);
|
|
|
167778 |
|
|
|
167778 |
void
|
|
|
167778 |
k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt,
|
|
|
167778 |
krb5_kdc_req *request);
|
|
|
167778 |
|
|
|
167778 |
void
|
|
|
167778 |
-k5_preauth_request_context_init(krb5_context context);
|
|
|
167778 |
+k5_preauth_request_context_init(krb5_context context,
|
|
|
167778 |
+ krb5_init_creds_context ctx);
|
|
|
167778 |
|
|
|
167778 |
void
|
|
|
167778 |
-k5_preauth_request_context_fini(krb5_context context);
|
|
|
167778 |
+k5_preauth_request_context_fini(krb5_context context,
|
|
|
167778 |
+ krb5_init_creds_context ctx);
|
|
|
167778 |
|
|
|
167778 |
krb5_error_code
|
|
|
167778 |
k5_response_items_new(k5_response_items **ri_out);
|
|
|
167778 |
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
|
|
|
167778 |
index b04d14829..9a178f4e3 100644
|
|
|
167778 |
--- a/src/lib/krb5/krb/preauth2.c
|
|
|
167778 |
+++ b/src/lib/krb5/krb/preauth2.c
|
|
|
167778 |
@@ -46,14 +46,18 @@
|
|
|
167778 |
typedef struct {
|
|
|
167778 |
struct krb5_clpreauth_vtable_st vt;
|
|
|
167778 |
krb5_clpreauth_moddata data;
|
|
|
167778 |
- krb5_clpreauth_modreq req;
|
|
|
167778 |
} *clpreauth_handle;
|
|
|
167778 |
|
|
|
167778 |
struct krb5_preauth_context_st {
|
|
|
167778 |
- krb5_preauthtype *tried;
|
|
|
167778 |
clpreauth_handle *handles;
|
|
|
167778 |
};
|
|
|
167778 |
|
|
|
167778 |
+struct krb5_preauth_req_context_st {
|
|
|
167778 |
+ krb5_context orig_context;
|
|
|
167778 |
+ krb5_preauthtype *tried;
|
|
|
167778 |
+ krb5_clpreauth_modreq *modreqs;
|
|
|
167778 |
+};
|
|
|
167778 |
+
|
|
|
167778 |
/* Release the memory used by a list of handles. */
|
|
|
167778 |
static void
|
|
|
167778 |
free_handles(krb5_context context, clpreauth_handle *handles)
|
|
|
167778 |
@@ -71,21 +75,44 @@ free_handles(krb5_context context, clpreauth_handle *handles)
|
|
|
167778 |
free(handles);
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
-/* Find the handle in handles which can process pa_type. */
|
|
|
167778 |
-static clpreauth_handle
|
|
|
167778 |
-find_module(clpreauth_handle *handles, krb5_preauthtype pa_type)
|
|
|
167778 |
+/* Return an index into handles which can process pa_type, or -1 if none is
|
|
|
167778 |
+ * found found. */
|
|
|
167778 |
+static int
|
|
|
167778 |
+search_module_list(clpreauth_handle *handles, krb5_preauthtype pa_type)
|
|
|
167778 |
{
|
|
|
167778 |
- clpreauth_handle *hp, h;
|
|
|
167778 |
- krb5_preauthtype *tp;
|
|
|
167778 |
+ clpreauth_handle h;
|
|
|
167778 |
+ int i, j;
|
|
|
167778 |
|
|
|
167778 |
- for (hp = handles; *hp != NULL; hp++) {
|
|
|
167778 |
- h = *hp;
|
|
|
167778 |
- for (tp = h->vt.pa_type_list; *tp != 0; tp++) {
|
|
|
167778 |
- if (*tp == pa_type)
|
|
|
167778 |
- return h;
|
|
|
167778 |
+ for (i = 0; handles[i] != NULL; i++) {
|
|
|
167778 |
+ h = handles[i];
|
|
|
167778 |
+ for (j = 0; h->vt.pa_type_list[j] != 0; j++) {
|
|
|
167778 |
+ if (h->vt.pa_type_list[j] == pa_type)
|
|
|
167778 |
+ return i;
|
|
|
167778 |
}
|
|
|
167778 |
}
|
|
|
167778 |
- return FALSE;
|
|
|
167778 |
+ return -1;
|
|
|
167778 |
+}
|
|
|
167778 |
+
|
|
|
167778 |
+/* Find the handle which can process pa_type, or NULL if none is found. On
|
|
|
167778 |
+ * success, set *modreq_out to the corresponding per-request module data. */
|
|
|
167778 |
+static clpreauth_handle
|
|
|
167778 |
+find_module(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
+ krb5_preauthtype pa_type, krb5_clpreauth_modreq *modreq_out)
|
|
|
167778 |
+{
|
|
|
167778 |
+ krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
+ krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
|
|
|
167778 |
+ int i;
|
|
|
167778 |
+
|
|
|
167778 |
+ *modreq_out = NULL;
|
|
|
167778 |
+ if (pctx == NULL || reqctx == NULL)
|
|
|
167778 |
+ return NULL;
|
|
|
167778 |
+
|
|
|
167778 |
+ i = search_module_list(pctx->handles, pa_type);
|
|
|
167778 |
+ if (i == -1)
|
|
|
167778 |
+ return NULL;
|
|
|
167778 |
+
|
|
|
167778 |
+ *modreq_out = reqctx->modreqs[i];
|
|
|
167778 |
+ return pctx->handles[i];
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
/* Initialize the preauth state for a krb5 context. */
|
|
|
167778 |
@@ -93,7 +120,8 @@ void
|
|
|
167778 |
k5_init_preauth_context(krb5_context context)
|
|
|
167778 |
{
|
|
|
167778 |
krb5_plugin_initvt_fn *modules = NULL, *mod;
|
|
|
167778 |
- clpreauth_handle *list = NULL, h, h2;
|
|
|
167778 |
+ clpreauth_handle *list = NULL, h;
|
|
|
167778 |
+ int i;
|
|
|
167778 |
size_t count;
|
|
|
167778 |
krb5_preauthtype *tp;
|
|
|
167778 |
|
|
|
167778 |
@@ -140,9 +168,10 @@ k5_init_preauth_context(krb5_context context)
|
|
|
167778 |
|
|
|
167778 |
/* Check for a preauth type conflict with an existing module. */
|
|
|
167778 |
for (tp = h->vt.pa_type_list; *tp != 0; tp++) {
|
|
|
167778 |
- h2 = find_module(list, *tp);
|
|
|
167778 |
- if (h2 != NULL) {
|
|
|
167778 |
- TRACE_PREAUTH_CONFLICT(context, h->vt.name, h2->vt.name, *tp);
|
|
|
167778 |
+ i = search_module_list(list, *tp);
|
|
|
167778 |
+ if (i != -1) {
|
|
|
167778 |
+ TRACE_PREAUTH_CONFLICT(context, h->vt.name, list[i]->vt.name,
|
|
|
167778 |
+ *tp);
|
|
|
167778 |
break;
|
|
|
167778 |
}
|
|
|
167778 |
}
|
|
|
167778 |
@@ -164,7 +193,6 @@ k5_init_preauth_context(krb5_context context)
|
|
|
167778 |
context->preauth_context = malloc(sizeof(*context->preauth_context));
|
|
|
167778 |
if (context->preauth_context == NULL)
|
|
|
167778 |
goto cleanup;
|
|
|
167778 |
- context->preauth_context->tried = NULL;
|
|
|
167778 |
context->preauth_context->handles = list;
|
|
|
167778 |
list = NULL;
|
|
|
167778 |
|
|
|
167778 |
@@ -179,14 +207,14 @@ cleanup:
|
|
|
167778 |
* AS-REP).
|
|
|
167778 |
*/
|
|
|
167778 |
void
|
|
|
167778 |
-k5_reset_preauth_types_tried(krb5_context context)
|
|
|
167778 |
+k5_reset_preauth_types_tried(krb5_init_creds_context ctx)
|
|
|
167778 |
{
|
|
|
167778 |
- krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
+ krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
|
|
|
167778 |
|
|
|
167778 |
- if (pctx == NULL)
|
|
|
167778 |
+ if (reqctx == NULL)
|
|
|
167778 |
return;
|
|
|
167778 |
- free(pctx->tried);
|
|
|
167778 |
- pctx->tried = NULL;
|
|
|
167778 |
+ free(reqctx->tried);
|
|
|
167778 |
+ reqctx->tried = NULL;
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
|
|
|
167778 |
@@ -200,7 +228,6 @@ k5_free_preauth_context(krb5_context context)
|
|
|
167778 |
|
|
|
167778 |
if (pctx == NULL)
|
|
|
167778 |
return;
|
|
|
167778 |
- free(pctx->tried);
|
|
|
167778 |
free_handles(context, pctx->handles);
|
|
|
167778 |
free(pctx);
|
|
|
167778 |
context->preauth_context = NULL;
|
|
|
167778 |
@@ -209,10 +236,13 @@ k5_free_preauth_context(krb5_context context)
|
|
|
167778 |
/* Initialize the per-AS-REQ context. This means calling the client_req_init
|
|
|
167778 |
* function to give the plugin a chance to allocate a per-request context. */
|
|
|
167778 |
void
|
|
|
167778 |
-k5_preauth_request_context_init(krb5_context context)
|
|
|
167778 |
+k5_preauth_request_context_init(krb5_context context,
|
|
|
167778 |
+ krb5_init_creds_context ctx)
|
|
|
167778 |
{
|
|
|
167778 |
krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
- clpreauth_handle *hp, h;
|
|
|
167778 |
+ clpreauth_handle h;
|
|
|
167778 |
+ krb5_preauth_req_context reqctx;
|
|
|
167778 |
+ size_t count, i;
|
|
|
167778 |
|
|
|
167778 |
if (pctx == NULL) {
|
|
|
167778 |
k5_init_preauth_context(context);
|
|
|
167778 |
@@ -220,30 +250,50 @@ k5_preauth_request_context_init(krb5_context context)
|
|
|
167778 |
if (pctx == NULL)
|
|
|
167778 |
return;
|
|
|
167778 |
}
|
|
|
167778 |
- k5_reset_preauth_types_tried(context);
|
|
|
167778 |
- for (hp = pctx->handles; *hp != NULL; hp++) {
|
|
|
167778 |
- h = *hp;
|
|
|
167778 |
+
|
|
|
167778 |
+ reqctx = calloc(1, sizeof(*reqctx));
|
|
|
167778 |
+ if (reqctx == NULL)
|
|
|
167778 |
+ return;
|
|
|
167778 |
+ reqctx->orig_context = context;
|
|
|
167778 |
+
|
|
|
167778 |
+ /* Create an array of per-request module data objects corresponding to the
|
|
|
167778 |
+ * preauth context's array of handles. */
|
|
|
167778 |
+ for (count = 0; pctx->handles[count] != NULL; count++);
|
|
|
167778 |
+ reqctx->modreqs = calloc(count, sizeof(*reqctx->modreqs));
|
|
|
167778 |
+ for (i = 0; i < count; i++) {
|
|
|
167778 |
+ h = pctx->handles[i];
|
|
|
167778 |
if (h->vt.request_init != NULL)
|
|
|
167778 |
- h->vt.request_init(context, h->data, &h->req);
|
|
|
167778 |
+ h->vt.request_init(context, h->data, &reqctx->modreqs[i]);
|
|
|
167778 |
}
|
|
|
167778 |
+ ctx->preauth_reqctx = reqctx;
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
/* Free the per-AS-REQ context. This means clearing any request-specific
|
|
|
167778 |
* context which the plugin may have created. */
|
|
|
167778 |
void
|
|
|
167778 |
-k5_preauth_request_context_fini(krb5_context context)
|
|
|
167778 |
+k5_preauth_request_context_fini(krb5_context context,
|
|
|
167778 |
+ krb5_init_creds_context ctx)
|
|
|
167778 |
{
|
|
|
167778 |
krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
- clpreauth_handle *hp, h;
|
|
|
167778 |
+ krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
|
|
|
167778 |
+ size_t i;
|
|
|
167778 |
+ clpreauth_handle h;
|
|
|
167778 |
|
|
|
167778 |
- if (pctx == NULL)
|
|
|
167778 |
+ if (reqctx == NULL)
|
|
|
167778 |
return;
|
|
|
167778 |
- for (hp = pctx->handles; *hp != NULL; hp++) {
|
|
|
167778 |
- h = *hp;
|
|
|
167778 |
- if (h->req != NULL && h->vt.request_fini != NULL)
|
|
|
167778 |
- h->vt.request_fini(context, h->data, h->req);
|
|
|
167778 |
- h->req = NULL;
|
|
|
167778 |
+ if (reqctx->orig_context == context && pctx != NULL) {
|
|
|
167778 |
+ for (i = 0; pctx->handles[i] != NULL; i++) {
|
|
|
167778 |
+ h = pctx->handles[i];
|
|
|
167778 |
+ if (reqctx->modreqs[i] != NULL && h->vt.request_fini != NULL)
|
|
|
167778 |
+ h->vt.request_fini(context, h->data, reqctx->modreqs[i]);
|
|
|
167778 |
+ }
|
|
|
167778 |
+ } else {
|
|
|
167778 |
+ TRACE_PREAUTH_WRONG_CONTEXT(context);
|
|
|
167778 |
}
|
|
|
167778 |
+ free(reqctx->modreqs);
|
|
|
167778 |
+ free(reqctx->tried);
|
|
|
167778 |
+ free(reqctx);
|
|
|
167778 |
+ ctx->preauth_reqctx = NULL;
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
/* Return 1 if pa_type is a real preauthentication mechanism according to the
|
|
|
167778 |
@@ -259,6 +309,7 @@ clpreauth_is_real(krb5_context context, clpreauth_handle h,
|
|
|
167778 |
|
|
|
167778 |
static krb5_error_code
|
|
|
167778 |
clpreauth_prep_questions(krb5_context context, clpreauth_handle h,
|
|
|
167778 |
+ krb5_clpreauth_modreq modreq,
|
|
|
167778 |
krb5_get_init_creds_opt *opt,
|
|
|
167778 |
krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
|
|
|
167778 |
krb5_kdc_req *req, krb5_data *req_body,
|
|
|
167778 |
@@ -266,35 +317,35 @@ clpreauth_prep_questions(krb5_context context, clpreauth_handle h,
|
|
|
167778 |
{
|
|
|
167778 |
if (h->vt.prep_questions == NULL)
|
|
|
167778 |
return 0;
|
|
|
167778 |
- return h->vt.prep_questions(context, h->data, h->req, opt, cb, rock, req,
|
|
|
167778 |
+ return h->vt.prep_questions(context, h->data, modreq, opt, cb, rock, req,
|
|
|
167778 |
req_body, prev_req, pa_data);
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
static krb5_error_code
|
|
|
167778 |
clpreauth_process(krb5_context context, clpreauth_handle h,
|
|
|
167778 |
- krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb,
|
|
|
167778 |
- krb5_clpreauth_rock rock, krb5_kdc_req *req,
|
|
|
167778 |
- krb5_data *req_body, krb5_data *prev_req,
|
|
|
167778 |
+ krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
|
|
|
167778 |
+ krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
|
|
|
167778 |
+ krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req,
|
|
|
167778 |
krb5_pa_data *pa_data, krb5_prompter_fct prompter,
|
|
|
167778 |
void *prompter_data, krb5_pa_data ***pa_data_out)
|
|
|
167778 |
{
|
|
|
167778 |
- return h->vt.process(context, h->data, h->req, opt, cb, rock, req,
|
|
|
167778 |
+ return h->vt.process(context, h->data, modreq, opt, cb, rock, req,
|
|
|
167778 |
req_body, prev_req, pa_data, prompter, prompter_data,
|
|
|
167778 |
pa_data_out);
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
static krb5_error_code
|
|
|
167778 |
clpreauth_tryagain(krb5_context context, clpreauth_handle h,
|
|
|
167778 |
- krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb,
|
|
|
167778 |
- krb5_clpreauth_rock rock, krb5_kdc_req *req,
|
|
|
167778 |
- krb5_data *req_body, krb5_data *prev_req,
|
|
|
167778 |
+ krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt,
|
|
|
167778 |
+ krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock,
|
|
|
167778 |
+ krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req,
|
|
|
167778 |
krb5_preauthtype pa_type, krb5_error *error,
|
|
|
167778 |
krb5_pa_data **error_padata, krb5_prompter_fct prompter,
|
|
|
167778 |
void *prompter_data, krb5_pa_data ***pa_data_out)
|
|
|
167778 |
{
|
|
|
167778 |
if (h->vt.tryagain == NULL)
|
|
|
167778 |
return 0;
|
|
|
167778 |
- return h->vt.tryagain(context, h->data, h->req, opt, cb, rock, req,
|
|
|
167778 |
+ return h->vt.tryagain(context, h->data, modreq, opt, cb, rock, req,
|
|
|
167778 |
req_body, prev_req, pa_type, error, error_padata,
|
|
|
167778 |
prompter, prompter_data, pa_data_out);
|
|
|
167778 |
}
|
|
|
167778 |
@@ -554,22 +605,22 @@ pa_type_allowed(krb5_init_creds_context ctx, krb5_preauthtype pa_type)
|
|
|
167778 |
* types and return false.
|
|
|
167778 |
*/
|
|
|
167778 |
static krb5_boolean
|
|
|
167778 |
-already_tried(krb5_context context, krb5_preauthtype pa_type)
|
|
|
167778 |
+already_tried(krb5_init_creds_context ctx, krb5_preauthtype pa_type)
|
|
|
167778 |
{
|
|
|
167778 |
- krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
- size_t count;
|
|
|
167778 |
+ krb5_preauth_req_context reqctx = ctx->preauth_reqctx;
|
|
|
167778 |
+ size_t i;
|
|
|
167778 |
krb5_preauthtype *newptr;
|
|
|
167778 |
|
|
|
167778 |
- for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) {
|
|
|
167778 |
- if (pctx->tried[count] == pa_type)
|
|
|
167778 |
+ for (i = 0; reqctx->tried != NULL && reqctx->tried[i] != 0; i++) {
|
|
|
167778 |
+ if (reqctx->tried[i] == pa_type)
|
|
|
167778 |
return TRUE;
|
|
|
167778 |
}
|
|
|
167778 |
- newptr = realloc(pctx->tried, (count + 2) * sizeof(*newptr));
|
|
|
167778 |
+ newptr = realloc(reqctx->tried, (i + 2) * sizeof(*newptr));
|
|
|
167778 |
if (newptr == NULL)
|
|
|
167778 |
return FALSE;
|
|
|
167778 |
- pctx->tried = newptr;
|
|
|
167778 |
- pctx->tried[count] = pa_type;
|
|
|
167778 |
- pctx->tried[count + 1] = ENCTYPE_NULL;
|
|
|
167778 |
+ reqctx->tried = newptr;
|
|
|
167778 |
+ reqctx->tried[i] = pa_type;
|
|
|
167778 |
+ reqctx->tried[i + 1] = ENCTYPE_NULL;
|
|
|
167778 |
return FALSE;
|
|
|
167778 |
}
|
|
|
167778 |
|
|
|
167778 |
@@ -580,16 +631,13 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
krb5_pa_data ***out_pa_list, int *out_pa_list_size,
|
|
|
167778 |
krb5_preauthtype *out_type)
|
|
|
167778 |
{
|
|
|
167778 |
- krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
struct errinfo save = EMPTY_ERRINFO;
|
|
|
167778 |
krb5_pa_data *pa, **pa_ptr, **mod_pa;
|
|
|
167778 |
krb5_error_code ret = 0;
|
|
|
167778 |
+ krb5_clpreauth_modreq modreq;
|
|
|
167778 |
clpreauth_handle h;
|
|
|
167778 |
int real, i;
|
|
|
167778 |
|
|
|
167778 |
- if (pctx == NULL)
|
|
|
167778 |
- return ENOENT;
|
|
|
167778 |
-
|
|
|
167778 |
/* Process all informational padata types, then the first real preauth type
|
|
|
167778 |
* we succeed on. */
|
|
|
167778 |
for (real = 0; real <= 1; real++) {
|
|
|
167778 |
@@ -598,17 +646,17 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
/* Restrict real mechanisms to the chosen one if we have one. */
|
|
|
167778 |
if (real && !pa_type_allowed(ctx, pa->pa_type))
|
|
|
167778 |
continue;
|
|
|
167778 |
- h = find_module(pctx->handles, pa->pa_type);
|
|
|
167778 |
+ h = find_module(context, ctx, pa->pa_type, &modreq);
|
|
|
167778 |
if (h == NULL)
|
|
|
167778 |
continue;
|
|
|
167778 |
/* Make sure this type is for the current pass. */
|
|
|
167778 |
if (clpreauth_is_real(context, h, pa->pa_type) != real)
|
|
|
167778 |
continue;
|
|
|
167778 |
/* Only try a real mechanism once per authentication. */
|
|
|
167778 |
- if (real && already_tried(context, pa->pa_type))
|
|
|
167778 |
+ if (real && already_tried(ctx, pa->pa_type))
|
|
|
167778 |
continue;
|
|
|
167778 |
mod_pa = NULL;
|
|
|
167778 |
- ret = clpreauth_process(context, h, ctx->opt, &callbacks,
|
|
|
167778 |
+ ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks,
|
|
|
167778 |
(krb5_clpreauth_rock)ctx, ctx->request,
|
|
|
167778 |
ctx->inner_request_body,
|
|
|
167778 |
ctx->encoded_previous_request, pa,
|
|
|
167778 |
@@ -858,24 +906,22 @@ krb5_error_code
|
|
|
167778 |
k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
krb5_pa_data **in_padata, krb5_pa_data ***padata_out)
|
|
|
167778 |
{
|
|
|
167778 |
- krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
krb5_error_code ret;
|
|
|
167778 |
krb5_pa_data **mod_pa;
|
|
|
167778 |
+ krb5_clpreauth_modreq modreq;
|
|
|
167778 |
clpreauth_handle h;
|
|
|
167778 |
int i;
|
|
|
167778 |
|
|
|
167778 |
*padata_out = NULL;
|
|
|
167778 |
- if (pctx == NULL)
|
|
|
167778 |
- return KRB5KRB_ERR_GENERIC;
|
|
|
167778 |
|
|
|
167778 |
TRACE_PREAUTH_TRYAGAIN_INPUT(context, in_padata);
|
|
|
167778 |
|
|
|
167778 |
for (i = 0; in_padata[i] != NULL; i++) {
|
|
|
167778 |
- h = find_module(pctx->handles, in_padata[i]->pa_type);
|
|
|
167778 |
+ h = find_module(context, ctx, in_padata[i]->pa_type, &modreq);
|
|
|
167778 |
if (h == NULL)
|
|
|
167778 |
continue;
|
|
|
167778 |
mod_pa = NULL;
|
|
|
167778 |
- ret = clpreauth_tryagain(context, h, ctx->opt, &callbacks,
|
|
|
167778 |
+ ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks,
|
|
|
167778 |
(krb5_clpreauth_rock)ctx, ctx->request,
|
|
|
167778 |
ctx->inner_request_body,
|
|
|
167778 |
ctx->encoded_previous_request,
|
|
|
167778 |
@@ -897,9 +943,9 @@ static krb5_error_code
|
|
|
167778 |
fill_response_items(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
krb5_pa_data **in_padata)
|
|
|
167778 |
{
|
|
|
167778 |
- krb5_preauth_context pctx = context->preauth_context;
|
|
|
167778 |
krb5_error_code ret;
|
|
|
167778 |
krb5_pa_data *pa;
|
|
|
167778 |
+ krb5_clpreauth_modreq modreq;
|
|
|
167778 |
clpreauth_handle h;
|
|
|
167778 |
int i;
|
|
|
167778 |
|
|
|
167778 |
@@ -908,11 +954,11 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx,
|
|
|
167778 |
pa = in_padata[i];
|
|
|
167778 |
if (!pa_type_allowed(ctx, pa->pa_type))
|
|
|
167778 |
continue;
|
|
|
167778 |
- h = find_module(pctx->handles, pa->pa_type);
|
|
|
167778 |
+ h = find_module(context, ctx, pa->pa_type, &modreq);
|
|
|
167778 |
if (h == NULL)
|
|
|
167778 |
continue;
|
|
|
167778 |
- ret = clpreauth_prep_questions(context, h, ctx->opt, &callbacks,
|
|
|
167778 |
- (krb5_clpreauth_rock)ctx,
|
|
|
167778 |
+ ret = clpreauth_prep_questions(context, h, modreq, ctx->opt,
|
|
|
167778 |
+ &callbacks, (krb5_clpreauth_rock)ctx,
|
|
|
167778 |
ctx->request, ctx->inner_request_body,
|
|
|
167778 |
ctx->encoded_previous_request, pa);
|
|
|
167778 |
if (ret)
|