62
61
krb5_error_code retval;
66
65
retval = krb5_copy_principal(context, client, &newp);
68
com_err("krb5kdc", retval,
69
"copying client name for preauth probe");
67
com_err("krb5kdc", retval, "copying client name for preauth probe");
73
71
probeslot = krb5_princ_size(context, newp)++;
74
72
ptr = realloc(krb5_princ_name(context, newp),
75
73
krb5_princ_size(context, newp) * sizeof(krb5_data));
80
krb5_princ_name(context, newp) = ptr;
82
for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) {
83
if (*sam_type && *sam_type != sam_ptr->sam_type)
86
krb5_princ_component(context,newp,probeslot)->data = sam_ptr->name;
87
krb5_princ_component(context,newp,probeslot)->length =
88
strlen(sam_ptr->name);
89
retval = krb5_db_get_principal(context, newp, 0, &assoc);
78
krb5_princ_name(context, newp) = ptr;
80
for(sam_ptr = sam_inst_map; sam_ptr->name; sam_ptr++) {
81
if (*sam_type && *sam_type != sam_ptr->sam_type)
84
krb5_princ_component(context,newp,probeslot)->data = sam_ptr->name;
85
krb5_princ_component(context,newp,probeslot)->length =
86
strlen(sam_ptr->name);
87
retval = krb5_db_get_principal(context, newp, 0, &assoc);
95
krb5_princ_component(context,newp,probeslot)->data = 0;
96
krb5_princ_component(context,newp,probeslot)->length = 0;
97
krb5_free_principal(context, newp);
100
krb5_princ_size(context, newp)--;
103
if (sam_ptr->sam_type) {
104
/* Found entry of type sam_ptr->sam_type */
106
*sam_type = sam_ptr->sam_type;
110
krb5_db_free_principal(context, assoc);
113
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
93
krb5_princ_component(context,newp,probeslot)->data = 0;
94
krb5_princ_component(context,newp,probeslot)->length = 0;
95
krb5_free_principal(context, newp);
98
krb5_princ_size(context, newp)--;
101
if (sam_ptr->sam_type) {
102
/* Found entry of type sam_ptr->sam_type */
104
*sam_type = sam_ptr->sam_type;
108
krb5_db_free_principal(context, assoc);
111
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
117
115
static krb5_error_code
118
116
kdc_include_padata(krb5_context context, krb5_kdc_req *request,
119
struct _krb5_db_entry_new *client,
120
struct _krb5_db_entry_new *server,
121
preauth_get_entry_data_proc get_entry_proc,
122
void *pa_module_context, krb5_pa_data *pa_data)
117
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
118
krb5_kdcpreauth_moddata moddata, krb5_pa_data *pa_data)
124
120
krb5_error_code retval;
125
krb5_data *client_keys_data = NULL;
126
121
krb5_keyblock *client_key = NULL;
127
122
krb5_sam_challenge_2 sc2;
128
123
krb5_sam_challenge_2_body sc2b;
129
124
int sam_type = 0; /* unknown */
130
krb5_db_entry *sam_db_entry = NULL;
125
krb5_db_entry *sam_db_entry = NULL, *client;
131
126
krb5_data *encoded_challenge = NULL;
133
128
memset(&sc2, 0, sizeof(sc2));
135
130
sc2b.magic = KV5M_SAM_CHALLENGE_2;
136
131
sc2b.sam_type = sam_type;
133
client = cb->client_entry(context, rock);
138
134
retval = sam_get_db_entry(context, client->princ, &sam_type,
142
retval = get_entry_proc(context, request, client,
143
krb5plugin_preauth_keys, &client_keys_data);
138
retval = cb->client_keys(context, rock, &client_key);
146
client_key = (krb5_keyblock *) client_keys_data->data;
147
141
if (client_key->enctype == 0) {
148
142
retval = KRB5KDC_ERR_ETYPE_NOSUPP;
149
com_err("krb5kdc", retval, "No client keys found in processing SAM2 challenge");
143
com_err("krb5kdc", retval,
144
"No client keys found in processing SAM2 challenge");
193
188
krb5_free_data(context, encoded_challenge);
194
189
if (sam_db_entry)
195
190
krb5_db_free_principal(context, sam_db_entry);
196
if (client_keys_data) {
197
while (client_key->enctype) {
198
krb5_free_keyblock_contents(context, client_key);
201
krb5_free_data(context, client_keys_data);
191
cb->free_keys(context, rock, client_key);
206
static krb5_error_code
207
kdc_verify_preauth(krb5_context context, struct _krb5_db_entry_new *client,
208
krb5_data *req_pkt, krb5_kdc_req *request,
209
krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa_data,
210
preauth_get_entry_data_proc get_entry_proc,
211
void *pa_module_context, void **opaque,
212
krb5_data **e_data, krb5_authdata ***authz_data)
196
kdc_verify_preauth(krb5_context context, krb5_data *req_pkt,
197
krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
198
krb5_pa_data *pa_data, krb5_kdcpreauth_callbacks cb,
199
krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata,
200
krb5_kdcpreauth_verify_respond_fn respond, void *arg)
214
202
krb5_error_code retval, saved_retval = 0;
215
203
krb5_sam_response_2 *sr2 = NULL;
216
krb5_data scratch, *scratch2;
204
krb5_data scratch, *scratch2, *e_data = NULL;
217
205
char *client_name = NULL;
218
206
krb5_sam_challenge_2 *out_sc2 = NULL;
207
krb5_db_entry *client = cb->client_entry(context, rock);
220
209
scratch.data = (char *) pa_data->contents;
221
210
scratch.length = pa_data->length;
251
* It is up to the method-specific verify routine to set the ticket flags to
252
* indicate TKT_FLG_HW_AUTH and/or TKT_FLG_PRE_AUTH. Some methods may
253
* require more than one round of dialog with the client and must return
254
* successfully from their verify routine. If does not set the TGT flags,
255
* the required_preauth conditions will not be met and it will try again to
256
* get enough preauth data from the client. Do not set TGT flags here.
240
* It is up to the method-specific verify routine to set the
241
* ticket flags to indicate TKT_FLG_HW_AUTH and/or
242
* TKT_FLG_PRE_AUTH. Some methods may require more than one round
243
* of dialog with the client and must return successfully from
244
* their verify routine. If does not set the TGT flags, the
245
* required_preauth conditions will not be met and it will try
246
* again to get enough preauth data from the client. Do not set
259
/*Note that e_data is an output even in error conditions. If we
260
successfully encode the output e_data, we return whatever error
261
is received above. Otherwise we return the encoding error.*/
251
* Note that e_data is an output even in error conditions. If we
252
* successfully encode the output e_data, we return whatever error is
253
* received above. Otherwise we return the encoding error.
262
255
saved_retval = retval;
264
257
krb5_pa_data pa_out;
293
287
krb5_preauthtype supported_pa_types[] = {
294
288
KRB5_PADATA_SAM_RESPONSE_2, 0};
296
struct krb5plugin_preauth_server_ftable_v1 preauthentication_server_1 = {
298
&supported_pa_types[0],
291
kdcpreauth_securid_sam2_initvt(krb5_context context, int maj_ver, int min_ver,
292
krb5_plugin_vtable vtable);
295
kdcpreauth_securid_sam2_initvt(krb5_context context, int maj_ver, int min_ver,
296
krb5_plugin_vtable vtable)
298
krb5_kdcpreauth_vtable vt;
301
return KRB5_PLUGIN_VER_NOTSUPP;
302
vt = (krb5_kdcpreauth_vtable)vtable;
303
vt->name = "securid_sam2";
304
vt->pa_type_list = supported_pa_types;
305
vt->flags = kdc_preauth_flags;
306
vt->edata = kdc_include_padata;
307
vt->verify = kdc_verify_preauth;