 

Subject: Application server side support for authdata generated by authdata plugins
This patch needs some work on the function names (at the very least).
diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Headers/Kerberos5Prefix.h Kerberos/KerberosFramework/Kerberos5/Headers/Kerberos5Prefix.h
--- Kerberos.orig/KerberosFramework/Kerberos5/Headers/Kerberos5Prefix.h 2007-03-09 13:15:18.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Headers/Kerberos5Prefix.h 2007-03-29 01:54:58.000000000 -0700
@@ -12,6 +12,7 @@

#define KRB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosFrameworkPlugins"
#define KDB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosDatabasePlugins"
+#define KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosAuthDataPlugins"

#define SHARED 1

diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj Kerberos/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj
--- Kerberos.orig/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj 2007-03-29 01:52:29.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Projects/Kerberos5.xcodeproj/project.pbxproj 2007-03-29 01:54:58.000000000 -0700
@@ -70,8 +70,9 @@
/* End PBXAggregateTarget section */

/* Begin PBXBuildFile section */
- 729C0C390A526A75004D326F /* pkinit_apple_server.c in Sources */ = {isa = PBXBuildFile; fileRef = A15344CB0940F21400A3FB34 /* pkinit_apple_server.c */; };
724593AC0A54A8BB009AD017 /* notify_pws.c in Sources */ = {isa = PBXBuildFile; fileRef = 724593AB0A54A8BB009AD017 /* notify_pws.c */; };
+ 727FB3180B55A7FA006E5270 /* kdc_authdata.c in Sources */ = {isa = PBXBuildFile; fileRef = 727FB3170B55A7FA006E5270 /* kdc_authdata.c */; };
+ 729C0C390A526A75004D326F /* pkinit_apple_server.c in Sources */ = {isa = PBXBuildFile; fileRef = A15344CB0940F21400A3FB34 /* pkinit_apple_server.c */; };
A10D141A09DDBAF6004F9B1E /* fake-addrinfo.c in Sources */ = {isa = PBXBuildFile; fileRef = A15346A10940F21700A3FB34 /* fake-addrinfo.c */; };
A10D141B09DDBAF6004F9B1E /* init-addrinfo.c in Sources */ = {isa = PBXBuildFile; fileRef = A15346A20940F21700A3FB34 /* init-addrinfo.c */; };
A10D141C09DDBAF6004F9B1E /* plugins.c in Sources */ = {isa = PBXBuildFile; fileRef = A1E7180109C85F4400525147 /* plugins.c */; };
@@ -1159,9 +1160,10 @@
/* End PBXCopyFilesBuildPhase section */

/* Begin PBXFileReference section */
+ 724593AB0A54A8BB009AD017 /* notify_pws.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = notify_pws.c; sourceTree = "<group>"; };
+ 727FB3170B55A7FA006E5270 /* kdc_authdata.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; name = kdc_authdata.c; path = ../Sources/kdc/kdc_authdata.c; sourceTree = SOURCE_ROOT; };
A108E6210A41E1E0008545E5 /* Release.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = Release.xcconfig; path = ../../../Common/Resources/Release.xcconfig; sourceTree = SOURCE_ROOT; };
A108E6220A41E1E0008545E5 /* Debug.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; name = Debug.xcconfig; path = ../../../Common/Resources/Debug.xcconfig; sourceTree = SOURCE_ROOT; };
- 724593AB0A54A8BB009AD017 /* notify_pws.c */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.c; path = notify_pws.c; sourceTree = "<group>"; };
A10D141409DDBAC0004F9B1E /* libsupport.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsupport.a; sourceTree = BUILT_PRODUCTS_DIR; };
A10D155409DDCBB3004F9B1E /* libgssrpc.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libgssrpc.a; sourceTree = BUILT_PRODUCTS_DIR; };
A10D15B809DDCFE0004F9B1E /* types.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = types.h; sourceTree = "<group>"; };
@@ -7575,6 +7577,7 @@
F5CFD36F022D854401120112 = {
isa = PBXGroup;
children = (
+ 727FB3170B55A7FA006E5270 /* kdc_authdata.c */,
A108E6210A41E1E0008545E5 /* Release.xcconfig */,
A108E6220A41E1E0008545E5 /* Debug.xcconfig */,
A1BB08AF09EEDE7C0099B7F0 /* des425.pbexp */,
@@ -8260,6 +8263,7 @@
F5CFD36E022D854401120112 /* Project object */ = {
isa = PBXProject;
buildConfigurationList = A1518ECE086C85C40042CBBC /* Build configuration list for PBXProject "Kerberos5" */;
+ compatibilityVersion = "Xcode 2.4";
hasScannedForEncodings = 1;
mainGroup = F5CFD36F022D854401120112;
productRefGroup = F5CFD5CB022D86AD01120112 /* Products */;
@@ -8282,6 +8286,8 @@
ProjectRef = A163FB7B0A51CD5E0082F6D4 /* KerberosIPC.xcodeproj */;
},
);
+ projectRoot = "";
+ shouldCheckCompatibility = 1;
targets = (
A1E4F4F409E5C62100A56C1C /* Configure */,
A1B08BF7087F22550063079F /* Error Tables */,
@@ -9325,6 +9331,7 @@
A140AA2F09F0138D001D95C6 /* policy.c in Sources */,
A140AA3009F0138D001D95C6 /* replay.c in Sources */,
724593AC0A54A8BB009AD017 /* notify_pws.c in Sources */,
+ 727FB3180B55A7FA006E5270 /* kdc_authdata.c in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/include/krb5/authdata_plugin.h Kerberos/KerberosFramework/Kerberos5/Sources/include/krb5/authdata_plugin.h
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/include/krb5/authdata_plugin.h 1969-12-31 16:00:00.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/include/krb5/authdata_plugin.h 2007-03-29 01:54:58.000000000 -0700
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2007 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Apple Inc, nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * <krb5/authdata_plugin.h>
+ *
+ * AuthorizationData plugin definitions for Kerberos 5.
+ *
+ */
+
+#ifndef KRB5_AUTHDATA_PLUGIN_H_INCLUDED
+#define KRB5_AUTHDATA_PLUGIN_H_INCLUDED
+#include <krb5/krb5.h>
+
+/*
+ * While arguments of these types are passed-in, for the most part a preauth
+ * module can treat them as opaque. If we need keying data, we can ask for
+ * it directly.
+ */
+struct _krb5_db_entry_new;
+
+/*
+ * The function table / structure which a preauth server module must export as
+ * "authdata_server_0". NOTE: replace "0" with "1" for the type and
+ * variable names if this gets picked up by upstream. If the interfaces work
+ * correctly, future versions of the table will add either more callbacks or
+ * more arguments to callbacks, and in both cases we'll be able to wrap the v0
+ * functions.
+ */
+typedef struct krb5plugin_authdata_ftable_v0 {
+ /* Not-usually-visible name. */
+ char *name;
+
+ /* Per-plugin initialization/cleanup. The init function is called by the
+ * KDC when the plugin is loaded, and the fini function is called before
+ * the plugin is unloaded. Both are optional. */
+ krb5_error_code (*init_proc)(krb5_context, void **);
+ void (*fini_proc)(krb5_context, void *);
+ krb5_error_code (*authdata_proc)(krb5_context,
+ struct _krb5_db_entry_new *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part *enc_tkt_reply);
+} krb5plugin_authdata_ftable_v0;
+#endif /* KRB5_AUTHDATA_PLUGIN_H_INCLUDED */
\ No newline at end of file
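Review bot: `authdata_proc` is the only hook that does real work, yet the table comment documents `init_proc`/`fini_proc` and says nothing about what `authdata_proc` may do with `enc_tkt_reply` or what a non-zero return means to the KDC; the two comment blocks above the table also still say "preauth module" / "preauth server module" although this is the authdata table. Suggest a comment on the member along the lines of `/* Called once per AS_REQ after the ticket is built; may replace or extend enc_tkt_reply->authorization_data. A non-zero return is logged by the KDC; whether it is fatal to the request is decided by the caller. */`, stated to match whatever policy handle_authdata ends up implementing. The header forward-declares `struct _krb5_db_entry_new` while kdc_authdata.c's own `authdata_proc` typedef uses `krb5_db_entry`; keeping one spelling avoids a silent prototype mismatch if the typedef ever changes. The file is also missing its trailing newline.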
diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/include/stock/osconf.h Kerberos/KerberosFramework/Kerberos5/Sources/include/stock/osconf.h
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/include/stock/osconf.h 2007-03-09 13:15:40.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/include/stock/osconf.h 2007-03-29 01:54:58.000000000 -0700
@@ -52,6 +52,8 @@
#define DEFAULT_PROFILE_PATH ("~/Library/Preferences/edu.mit.Kerberos" ":" DEFAULT_SECURE_PROFILE_PATH)
#define KRB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosFrameworkPlugins"
#define KDB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosDatabasePlugins"
+#define KDB5_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosDatabasePlugins"
+#define KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR "/System/Library/KerberosPlugins/KerberosAuthDataPlugins"
#else
#define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5.conf:@SYSCONFDIR/krb5.conf"
#define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH
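Review bot: The first added line re-defines `KDB5_PLUGIN_BUNDLE_DIR`, which is already defined on the context line directly above it with the same value; an identical redefinition compiles, but it is a stray duplicate that will become a warning or error the moment one of the two is edited. Only the `KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR` line should be added here, matching the Kerberos5Prefix.h hunk.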
diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2007-03-29 01:52:28.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2007-03-29 01:54:58.000000000 -0700
@@ -1,6 +1,7 @@
/*
* kdc/do_as_req.c
*
+ * Portions Copyright (C) 2007 Apple Inc.
* Copyright 1990,1991 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
@@ -318,6 +319,11 @@
goto errout;
}

+ errcode = handle_authdata(kdc_context, &client, req_pkt, request, &enc_tkt_reply);
+ if (errcode) {
+ krb5_klog_syslog(LOG_INFO, "AS_REQ : handle_authdata (%d)", errcode);
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;

/*
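Review bot: The new `if (errcode)` branch can never be taken as the patch stands, because `handle_authdata` in kdc_authdata.c returns 0 unconditionally, so a plugin failure is only ever visible at LOG_INFO from inside kdc_authdata.c and the request proceeds with whatever `enc_tkt_reply` now contains. If that is the intended policy the comment should say so, e.g. `/* authdata plugin failures are logged but do not fail the AS_REQ */`; if not, the branch should `goto errout` like the surrounding error handling. Either way `errcode` is left non-zero after the log call; the enclosing function continues past the hunk, so if any later code tests `errcode` before reassigning it, it would see this stale failure, so reset it to 0 when the failure is deliberately ignored.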
diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/kdc_authdata.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/kdc_authdata.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/kdc_authdata.c 1969-12-31 16:00:00.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/kdc_authdata.c 2007-03-29 01:54:58.000000000 -0700
@@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 2007 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Apple Inc, nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * kdc/kdc_authdata.c
+ *
+ * AuthorizationData routines for the KDC.
+ */
+
+#include "k5-int.h"
+#include "kdc_util.h"
+#include "extern.h"
+#include <stdio.h>
+#include "adm_proto.h"
+
+#include <syslog.h>
+
+#include <assert.h>
+#include "../include/krb5/authdata_plugin.h"
+
+#if TARGET_OS_MAC
+static const char *objdirs[] = { KRB5_AUTHDATA_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/authdata", NULL }; /* should be a list */
+#else
+static const char *objdirs[] = { LIBDIR "/krb5/plugins/authdata", NULL };
+#endif
+
+typedef krb5_error_code (*authdata_proc)
+ (krb5_context, krb5_db_entry *client,
+ krb5_data *req_pkt,
+ krb5_kdc_req *request,
+ krb5_enc_tkt_part * enc_tkt_reply);
+
+typedef krb5_error_code (*init_proc)
+ (krb5_context, void **);
+typedef void (*fini_proc)
+ (krb5_context, void *);
+
+typedef struct _krb5_authdata_systems {
+ const char *name;
+ int type;
+ int flags;
+ void *plugin_context;
+ init_proc init;
+ fini_proc fini;
+ authdata_proc handle_authdata;
+} krb5_authdata_systems;
+
+static krb5_authdata_systems static_authdata_systems[] = {
+ { "[end]", -1,}
+};
+
+static krb5_authdata_systems *authdata_systems;
+static int n_authdata_systems;
+static struct plugin_dir_handle authdata_plugins;
+
+krb5_error_code
+load_authdata_plugins(krb5_context context)
+{
+ struct errinfo err;
+ void **authdata_plugins_ftables = NULL;
+ struct krb5plugin_authdata_ftable_v0 *ftable = NULL;
+ int module_count, i, k;
+ init_proc server_init_proc = NULL;
+
+ memset(&err, 0, sizeof(err));
+
+ /* Attempt to load all of the authdata plugins we can find. */
+ PLUGIN_DIR_INIT(&authdata_plugins);
+ if (PLUGIN_DIR_OPEN(&authdata_plugins) == 0) {
+ if (krb5int_open_plugin_dirs(objdirs, NULL,
+ &authdata_plugins, &err) != 0) {
+ return KRB5_PLUGIN_NO_HANDLE;
+ }
+ }
+
+ /* Get the method tables provided by the loaded plugins. */
+ authdata_plugins_ftables = NULL;
+ n_authdata_systems = 0;
+ if (krb5int_get_plugin_dir_data(&authdata_plugins,
+ "authdata_server_0",
+ &authdata_plugins_ftables, &err) != 0) {
+ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
+ /* Count the valid modules. */
+ module_count = sizeof(static_authdata_systems)
+ / sizeof(static_authdata_systems[0]);
+ if (authdata_plugins_ftables != NULL) {
+ for (i = 0; authdata_plugins_ftables[i] != NULL; i++) {
+ ftable = authdata_plugins_ftables[i];
+ if ((ftable->authdata_proc != NULL)) {
+ module_count++;
+ }
+ }
+ }
+
+ /* Build the complete list of supported authdata options, and
+ * leave room for a terminator entry. */
+ authdata_systems = calloc((module_count + 1), sizeof(krb5_authdata_systems) );
+ if (authdata_systems == NULL) {
+ krb5int_free_plugin_dir_data(authdata_plugins_ftables);
+ return ENOMEM;
+ }
+
+ /* Add the locally-supplied mechanisms to the dynamic list first. */
+ for (i = 0, k = 0;
+ i < sizeof(static_authdata_systems) / sizeof(static_authdata_systems[0]);
+ i++) {
+ if (static_authdata_systems[i].type == -1)
+ break;
+ authdata_systems[k] = static_authdata_systems[i];
+ /* Try to initialize the authdata system. If it fails, we'll remove it
+ * from the list of systems we'll be using. */
+ server_init_proc = static_authdata_systems[i].init;
+ if ((server_init_proc != NULL) &&
+ ((*server_init_proc)(context, NULL /* &plugin_context */) != 0)) {
+ memset(&authdata_systems[k], 0, sizeof(authdata_systems[k]));
+ continue;
+ }
+ k++;
+ }
+
+ /* Now add the dynamically-loaded mechanisms to the list. */
+ if (authdata_plugins_ftables != NULL) {
+ for (i = 0; authdata_plugins_ftables[i] != NULL; i++) {
+ ftable = authdata_plugins_ftables[i];
+ if ((ftable->authdata_proc == NULL)) {
+ continue;
+ }
+ server_init_proc = ftable->init_proc;
+ krb5_error_code initerr;
+ if ((server_init_proc != NULL) &&
+ ((initerr = (*server_init_proc)(context, NULL /* &plugin_context */)) != 0)) {
+ const char *emsg;
+ emsg = krb5_get_error_message(context, initerr);
+ if (emsg) {
+ krb5_klog_syslog(LOG_ERR,
+ "authdata %s failed to initialize: %s",
+ ftable->name, emsg);
+ krb5_free_error_message(context, emsg);
+ }
+ memset(&authdata_systems[k], 0, sizeof(authdata_systems[k]));
+
+ continue;
+ }
+
+ authdata_systems[k].name = ftable->name;
+ authdata_systems[k].init = server_init_proc;
+ authdata_systems[k].fini = ftable->fini_proc;
+ authdata_systems[k].handle_authdata = ftable->authdata_proc;
+ k++;
+ }
+ }
+ n_authdata_systems = k;
+ /* Add the end-of-list marker. */
+ authdata_systems[k].name = "[end]";
+ authdata_systems[k].type = -1;
+ return 0;
+}
+
+krb5_error_code
+unload_authdata_plugins(krb5_context context)
+{
+ int i;
+ if (authdata_systems != NULL) {
+ for (i = 0; i < n_authdata_systems; i++) {
+ if (authdata_systems[i].fini != NULL) {
+ (*authdata_systems[i].fini)(context,
+ authdata_systems[i].plugin_context);
+ }
+ memset(&authdata_systems[i], 0, sizeof(authdata_systems[i]));
+ }
+ free(authdata_systems);
+ authdata_systems = NULL;
+ n_authdata_systems = 0;
+ krb5int_close_plugin_dirs(&authdata_plugins);
+ }
+ return 0;
+}
+
+krb5_error_code
+handle_authdata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply)
+{
+ krb5_error_code retval = 0;
+ krb5_authdata_systems *authdata_sys;
+ int i;
+ const char *emsg;
+
+ krb5_klog_syslog (LOG_DEBUG, "handling authdata");
+
+ for (authdata_sys = authdata_systems, i = 0; authdata_sys != NULL && i < n_authdata_systems; i++) {
+ if (authdata_sys[i].handle_authdata && authdata_sys[i].type != -1) {
+ retval = authdata_sys[i].handle_authdata(context, client, req_pkt, request,
+ enc_tkt_reply);
+ if (retval) {
+ emsg = krb5_get_error_message (context, retval);
+ krb5_klog_syslog (LOG_INFO, "authdata (%s) handling failure: %s",
+ authdata_sys[i].name, emsg);
+ krb5_free_error_message (context, emsg);
+ } else {
+ krb5_klog_syslog (LOG_DEBUG, ".. .. ok");
+ }
+ }
+ }
+
+ return 0;
+ }
diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/kdc_util.h Kerberos/KerberosFramework/Kerberos5/Sources/kdc/kdc_util.h
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/kdc_util.h 2007-03-09 13:15:54.000000000 -0800
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/kdc_util.h 2007-03-29 01:54:58.000000000 -0700
@@ -1,6 +1,7 @@
/*
* kdc/kdc_util.h
*
+ * Portions Copyright (C) 2007 Apple Inc.
* Copyright 1990 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
@@ -163,6 +164,13 @@
krb5_error_code free_padata_context
(krb5_context context, void **padata_context);

+/* kdc_authdata.c */
+krb5_error_code load_authdata_plugins(krb5_context context);
+krb5_error_code unload_authdata_plugins(krb5_context context);
+
+krb5_error_code handle_authdata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply);
+
/* replay.c */
krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
void kdc_insert_lookaside (krb5_data *, krb5_data *);
diff -uNr -x cscope.out -x '*.orig' -x '*.rej' -x '*~' Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/main.c Kerberos/KerberosFramework/Kerberos5/Sources/kdc/main.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/kdc/main.c 2007-03-29 01:52:28.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/kdc/main.c 2007-03-29 01:54:58.000000000 -0700
@@ -1,6 +1,7 @@
/*
* kdc/main.c
*
+ * Portions Copyright (C) 2007 Apple Inc.
* Copyright 1990,2001 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
@@ -747,6 +748,7 @@
setup_signal_handlers();

load_preauth_plugins(kcontext);
+ load_authdata_plugins(kcontext);

retval = setup_sam();
if (retval) {
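Review bot: The return value of `load_authdata_plugins` is dropped, yet it can report `ENOMEM` or `KRB5_PLUGIN_NO_HANDLE`, and in both cases `authdata_systems` stays NULL so every subsequent AS_REQ quietly runs with no authdata plugins at all. Capturing it and logging is enough to make the misconfiguration visible: `retval = load_authdata_plugins(kcontext);` followed by `if (retval) krb5_klog_syslog(LOG_ERR, "authdata plugin load failed: %s", error_message(retval));` before the `setup_sam` call overwrites `retval`. The enclosing `main` continues outside the hunk.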
@@ -776,6 +778,7 @@
}
krb5_klog_syslog(LOG_INFO, "shutting down");
unload_preauth_plugins(kcontext);
+ unload_authdata_plugins(kcontext);
krb5_klog_close(kdc_context);
finish_realms(argv[0]);
if (kdc_realmlist)
The attached patch appears to be for the KDC support, not application
server support.
[tlyu - Thu Jul 17 10:54:50 2008]:

> The attached patch appears to be for the KDC support, not application
> server support.

You're right, because for some reason I attached the patch for ticket 5655 to this bug. Check
out this other patch. :-)
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Projects/gssapi_krb5.pbexp Kerberos/KerberosFramework/Kerberos5/Projects/gssapi_krb5.pbexp
--- Kerberos.orig/KerberosFramework/Kerberos5/Projects/gssapi_krb5.pbexp 2007-03-28 13:06:58.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Projects/gssapi_krb5.pbexp 2007-08-14 17:14:38.000000000 -0700
@@ -101,3 +101,9 @@
_gss_krb5_set_allowable_enctypes
_gss_krb5_export_lucid_sec_context
_gss_krb5_free_lucid_sec_context
+#
+# Apple authdata if relevant
+#
+ _apple_gss_krb5_export_authdata_if_relevant_context
+ _apple_gss_krb5_free_authdata_if_relevant
+#
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/accept_sec_context.c Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/accept_sec_context.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/accept_sec_context.c 2007-03-28 13:07:44.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/accept_sec_context.c 2007-08-14 17:14:38.000000000 -0700
@@ -640,6 +640,11 @@
goto fail;
}

+ if ((code = krb5_copy_authdata(context, ticket->enc_part2->authorization_data, &ctx->apple_authdata_if_relevant))) {
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
if ((code = krb5_copy_principal(context, authdat->client, &ctx->there))) {
major_status = GSS_S_FAILURE;
goto fail;
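Review bot: The copy of `ticket->enc_part2->authorization_data` is taken before `ctx->there` is set, and every later `goto fail` in this function now leaves `ctx->apple_authdata_if_relevant` populated; the `fail:` label is outside the hunk, so if it releases the context's members individually (as it does for the principals) rather than via the delete_sec_context path, the new field has to be freed there as well or it leaks on every rejected handshake. The field name says "if_relevant" but the whole authorization_data list is copied with no filtering on `ad_type`, so consumers must not assume the elements are AD-IF-RELEVANT containers; a comment on the copy such as `/* unfiltered copy of the ticket's authorization data; exported via apple_gss_krb5_export_authdata_if_relevant_context */` would make that explicit.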
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/delete_sec_context.c Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/delete_sec_context.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/delete_sec_context.c 2007-03-28 13:07:44.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/delete_sec_context.c 2007-08-14 17:14:38.000000000 -0700
@@ -93,6 +93,9 @@
if (ctx->acceptor_subkey)
krb5_free_keyblock(context, ctx->acceptor_subkey);

+ if (ctx->apple_authdata_if_relevant)
+ krb5_free_authdata(context, ctx->apple_authdata_if_relevant);
+
if (ctx->auth_context) {
if (ctx->cred_rcache)
(void)krb5_auth_con_setrcache(context, ctx->auth_context, NULL);
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapiP_krb5.h Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapiP_krb5.h
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapiP_krb5.h 2007-03-28 13:07:44.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapiP_krb5.h 2007-08-14 17:14:38.000000000 -0700
@@ -207,6 +207,7 @@
krb5_keyblock *acceptor_subkey; /* CFX only */
krb5_cksumtype acceptor_subkey_cksumtype;
int cred_rcache; /* did we get rcache from creds? */
+ krb5_authdata **apple_authdata_if_relevant; /* added by Apple for pac information */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;

extern g_set kg_vdb;
@@ -675,6 +676,11 @@
gss_ctx_id_t *context_handle,
OM_uint32 version,
void **kctx);
+OM_uint32 KRB5_CALLCONV
+apple_gss_krb5int_export_authdata_if_relevant_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx);


extern k5_mutex_t kg_kdc_flag_mutex;
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_err_krb5.et Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_err_krb5.et
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_err_krb5.et 2007-03-28 13:07:44.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_err_krb5.et 2007-08-14 17:14:38.000000000 -0700
@@ -37,4 +37,5 @@
error_code KG_EMPTY_CCACHE, "Credential cache is empty"
error_code KG_NO_CTYPES, "Acceptor and Initiator share no checksum types"
error_code KG_LUCID_VERSION, "Requested lucid context version not supported"
+error_code APPLE_KG_AUTHDATA_VERSION, "Requested authdata context version not supported"
end
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_krb5.hin Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_krb5.hin
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_krb5.hin 2007-03-28 13:07:44.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/gssapi_krb5.hin 2007-08-14 17:14:38.000000000 -0700
@@ -152,6 +152,11 @@
} gss_krb5_lucid_context_version_t;


+typedef struct apple_gss_krb5_authdata_if_relevant_key {
+OM_uint32 type; /* key encryption type */
+OM_uint32 length; /* length of key data */
+void * data; /* actual key data */
+} apple_gss_krb5_authdata_if_relevant;


/* Alias for Heimdal compat. */
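Review bot: The three member comments describe a key block ("key encryption type", "actual key data"), but the only writer of this struct in lucid_context.c fills `type` from `k5data->ad_type` and `data` from `k5data->contents`, so the comments misdescribe what a caller receives. Suggest `OM_uint32 type; /* krb5 authdata ad_type of the exported element */`, `OM_uint32 length; /* length of data in bytes */` and `void *data; /* copy of the authdata contents; freed by apple_gss_krb5_free_authdata_if_relevant() */`. The struct tag ends in `_key` while the typedef does not, which is a small style inconsistency worth fixing while the names are being reworked.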
@@ -256,6 +261,52 @@
OM_uint32 version,
void **kctx);

+
+
+/*
+ * Returns a non-opaque (lucid) version of the internal context
+ * information.
+ *
+ * Note that context_handle must not be used again by the caller
+ * after this call. The GSS implementation is free to release any
+ * resources associated with the original context. It is up to the
+ * GSS implementation whether it returns pointers to existing data,
+ * or copies of the data. The caller should treat the returned
+ * lucid context as read-only.
+ *
+ * The caller must call gss_krb5_free_lucid_context() to free
+ * the context and allocated resources when it is finished with it.
+ *
+ * 'version' is an integer indicating the highest version of lucid
+ * context understood by the caller. The highest version
+ * understood by both the caller and the GSS implementation must
+ * be returned. The caller can determine which version of the
+ * structure was actually returned by examining the version field
+ * of the returned structure. gss_krb5_lucid_context_version_t
+ * may be used as a mask to examine the returned structure version.
+ *
+ * If there are no common versions, an error should be returned.
+ * (XXX Need error definition(s))
+ *
+ *
+ */
+
+OM_uint32 KRB5_CALLCONV
+apple_gss_krb5_export_authdata_if_relevant_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx);
+
+/*
+* Frees the allocated storage associated with an
+* exported struct apple_gss_krb5_authdata_if_relevant.
+*/
+OM_uint32 KRB5_CALLCONV
+apple_gss_krb5_free_authdata_if_relevant(OM_uint32 *minor_status,
+void *kctx);
+
+
+
/*
* Frees the allocated storage associated with an
* exported struct gss_krb5_lucid_context.
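Review bot: The comment block above `apple_gss_krb5_export_authdata_if_relevant_context` does not state the contract the implementation actually has: in lucid_context.c an ENODATA result is mapped to `GSS_S_COMPLETE` with `*kctx` left NULL, so a caller that treats GSS_S_COMPLETE as "kctx is valid" will dereference NULL on any ticket without authorization data. The declaration needs a sentence such as `/* On success *kctx points to an apple_gss_krb5_authdata_if_relevant that the caller releases with apple_gss_krb5_free_authdata_if_relevant(); if the ticket carried no authorization data, GSS_S_COMPLETE is returned with *kctx == NULL and *minor_status == ENODATA. Only version 1 is currently supported. */`. The free function's comment should also say that it does not delete the GSS context itself.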
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c 2007-08-14 17:14:13.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/krb5_gss_glue.c 2007-08-14 17:14:38.000000000 -0700
@@ -1105,6 +1105,27 @@
return (major);
}

+/* XXX need to delete mechglue ctx too */
+OM_uint32 KRB5_CALLCONV
+apple_gss_krb5_export_authdata_if_relevant_context(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx)
+{
+ gss_union_ctx_id_t uctx;
+
+ uctx = (gss_union_ctx_id_t)*context_handle;
+ /*
+ if (!g_OID_equal(uctx->mech_type, &krb5_mechanism.mech_type) &&
+ !g_OID_equal(uctx->mech_type, &krb5_mechanism_old.mech_type))
+ return GSS_S_BAD_MECH;
+ */
+ return apple_gss_krb5int_export_authdata_if_relevant_context(minor_status,
+ &uctx->internal_ctx_id,
+ version, kctx);
+ }
+
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(
OM_uint32 *minor_status,
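Review bot: `uctx = (gss_union_ctx_id_t)*context_handle;` is dereferenced on the next live line without checking for `GSS_C_NO_CONTEXT`, so passing a NULL handle crashes inside the library instead of returning `GSS_S_NO_CONTEXT`; add `if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) return GSS_S_NO_CONTEXT;` before the cast. The mechanism check is commented out with no explanation, which means a union context belonging to another mechanism has its `internal_ctx_id` handed to the krb5-specific exporter; `kg_validate_ctx_id` in the callee will reject pointers it has never registered, but that is a lookup on a global table rather than a type check, so either restore the `g_OID_equal` test or add a comment stating why it cannot be used here. The `/* XXX need to delete mechglue ctx too */` line above the function does not apply to an export routine.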
diff -uNr -x '\*.orig\' -x '\*.rej\' -x '\*~\' Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/lucid_context.c Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/lucid_context.c
--- Kerberos.orig/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/lucid_context.c 2007-03-28 13:07:44.000000000 -0700
+++ Kerberos/KerberosFramework/Kerberos5/Sources/lib/gssapi/krb5/lucid_context.c 2007-08-14 17:42:19.000000000 -0700
@@ -54,6 +54,20 @@
unsigned int version,
void **out_ptr);

+static krb5_error_code
+apple_make_external_authdata_if_relevant(
+ krb5_gss_ctx_id_rec * gctx,
+ unsigned int version,
+ void **out_ptr);
+
+static krb5_error_code
+apple_copy_authdata_if_relevant_to_authdata_if_relevant_key(
+ krb5_authdata *k5data,
+ apple_gss_krb5_authdata_if_relevant **ldata);
+
+static void
+apple_gss_free_authdata_if_relevant(apple_gss_krb5_authdata_if_relevant *key);
+

/*
* Exported routines
@@ -130,6 +144,115 @@
return(retval);
}

+
+OM_uint32 KRB5_CALLCONV
+apple_gss_krb5int_export_authdata_if_relevant_context(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx)
+{
+ krb5_error_code kret = 0;
+ OM_uint32 retval;
+ krb5_gss_ctx_id_t ctx;
+ void *lctx = NULL;
+
+ /* Assume failure */
+ retval = GSS_S_FAILURE;
+ *minor_status = 0;
+
+ if (kctx)
+ *kctx = NULL;
+ else {
+ kret = EINVAL;
+ goto error_out;
+ }
+
+ if (!kg_validate_ctx_id(*context_handle)) {
+ kret = (OM_uint32) G_VALIDATE_FAILED;
+ retval = GSS_S_NO_CONTEXT;
+ goto error_out;
+ }
+
+ ctx = (krb5_gss_ctx_id_t) *context_handle;
+ if (kret)
+ goto error_out;
+
+ /* Externalize a structure of the right version */
+ switch (version) {
+ case 1:
+ kret = apple_make_external_authdata_if_relevant((krb5_pointer)ctx,
+ version, &lctx);
+ break;
+ default:
+ kret = (OM_uint32) APPLE_KG_AUTHDATA_VERSION;
+ break;
+ }
+
+ if (kret)
+ goto error_out;
+
+ /* Success! Record the context and return the buffer */
+ if (! kg_save_lucidctx_id((void *)lctx)) {
+ kret = G_VALIDATE_FAILED;
+ goto error_out;
+ }
+ *kctx = lctx;
+ *minor_status = 0;
+ retval = GSS_S_COMPLETE;
+ return (retval);
+
+error_out:
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
+ if(kret == ENODATA)
+ retval = GSS_S_COMPLETE;
+ return(retval);
+}
+
+/*
+ * Frees the storage associated with an
+ * exported lucid context structure.
+ */
+OM_uint32 KRB5_CALLCONV
+apple_gss_krb5_free_authdata_if_relevant(
+ OM_uint32 *minor_status,
+ void *kctx)
+{
+ OM_uint32 retval;
+ krb5_error_code kret = 0;
+
+ /* Assume failure */
+ retval = GSS_S_FAILURE;
+ *minor_status = 0;
+
+ if (!kctx) {
+ kret = EINVAL;
+ goto error_out;
+ }
+
+ /* Verify pointer is valid lucid context */
+ if (! kg_validate_lucidctx_id(kctx)) {
+ kret = G_VALIDATE_FAILED;
+ goto error_out;
+ }
+
+ apple_gss_free_authdata_if_relevant((apple_gss_krb5_authdata_if_relevant*)kctx);
+
+ /* Success! */
+ (void)kg_delete_lucidctx_id(kctx);
+ *minor_status = 0;
+ retval = GSS_S_COMPLETE;
+
+ return (retval);
+
+error_out:
+ if (*minor_status == 0)
+ *minor_status = (OM_uint32) kret;
+ return(retval);
+}
+
+
/*
* Frees the storage associated with an
* exported lucid context structure.
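Review bot: The exported authdata struct is registered with `kg_save_lucidctx_id` and later checked with `kg_validate_lucidctx_id`, the same registry the lucid-context export uses, so the validation in `apple_gss_krb5_free_authdata_if_relevant` cannot distinguish an authdata buffer from a lucid context: a lucid context handed to this function passes the check and is then freed as an `apple_gss_krb5_authdata_if_relevant`, and the reverse misuse is equally accepted by `gss_krb5_free_lucid_sec_context`. Either keep a separate registry for authdata exports or give the exported struct a leading type/version field that both free routines verify. The `if (kret) goto error_out;` immediately after `ctx = (krb5_gss_ctx_id_t) *context_handle;` is dead (`kret` is still 0 there) and `ctx` is never used afterwards except in the cast, so those lines can go. Mapping ENODATA to `GSS_S_COMPLETE` while leaving `*kctx` NULL is a legitimate choice but must be stated on the public declaration.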
@@ -253,6 +376,72 @@

}

+static krb5_error_code
+apple_make_external_authdata_if_relevant(
+ krb5_gss_ctx_id_rec * gctx,
+ unsigned int version,
+ void **out_ptr)
+{
+ apple_gss_krb5_authdata_if_relevant *lctx = NULL;
+ krb5_error_code retval;
+
+ if((gctx->apple_authdata_if_relevant != NULL) && (*(gctx->apple_authdata_if_relevant) != NULL)) {
+ if((retval = apple_copy_authdata_if_relevant_to_authdata_if_relevant_key(*(gctx->apple_authdata_if_relevant),&lctx)))
+ goto error_out;
+ }
+ else {
+ retval = ENODATA;
+ goto error_out; /* XXX better error code? */
+ }
+ /* Success! */
+ *out_ptr = lctx;
+
+ return 0;
+
+error_out:
+ if (lctx != NULL) {
+ apple_gss_free_authdata_if_relevant(lctx);
+ }
+ return retval;
+
+}
+
+
+/* Copy the contents of a krb5_authdata to a apple_gss_krb5_authdata_if_relevant structure */
+static krb5_error_code
+apple_copy_authdata_if_relevant_to_authdata_if_relevant_key(
+ krb5_authdata *k5data,
+ apple_gss_krb5_authdata_if_relevant **ldata)
+{
+ if(*ldata != NULL) {
+ apple_gss_free_authdata_if_relevant(*ldata);
+ *ldata = NULL;
+ }
+
+ if (!k5data || !k5data->contents || k5data->length == 0)
+ return ENODATA;
+
+ unsigned int bufsize = sizeof(apple_gss_krb5_authdata_if_relevant);
+ apple_gss_krb5_authdata_if_relevant *authdataptr = NULL;
+
+ /* Allocate the structure */
+ if ((authdataptr = xmalloc(bufsize)) == NULL) {
+ return ENOMEM;
+ }
+ memset(authdataptr, 0, sizeof(apple_gss_krb5_authdata_if_relevant));
+
+ if ((authdataptr->data = xmalloc(k5data->length)) == NULL) {
+ return ENOMEM;
+ }
+ memcpy(authdataptr->data,k5data->contents,k5data->length);
+ authdataptr->type = k5data->ad_type;
+ authdataptr->length = k5data->length;
+
+ *ldata = authdataptr;
+ return 0;
+}
+
+
/* Copy the contents of a krb5_keyblock to a gss_krb5_lucid_key_t structure */
static krb5_error_code
copy_keyblock_to_lucid_key(
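Review bot: `apple_make_external_authdata_if_relevant` exports only `*(gctx->apple_authdata_if_relevant)`, the first element of the NULL-terminated list copied in accept_sec_context.c, and does so without checking its `ad_type`; any further elements are silently dropped, and nothing guarantees the one returned is an AD-IF-RELEVANT container despite the name, so the caller must inspect `type`. In `apple_copy_authdata_if_relevant_to_authdata_if_relevant_key` the second allocation failure returns ENOMEM while `authdataptr` is still allocated; change it to `if ((authdataptr->data = xmalloc(k5data->length)) == NULL) { xfree(authdataptr); return ENOMEM; }`. `version` is accepted but never used in the maker, and the mid-block declarations of `bufsize` and `authdataptr` do not match the C89 style of the surrounding file.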
@@ -307,3 +496,17 @@
ctx = NULL;
}
}
+
+/* Free any storage associated with a authdata_if_relevant structure */
+static void
+apple_gss_free_authdata_if_relevant(apple_gss_krb5_authdata_if_relevant *key)
+{
+ if (key!= NULL) {
+ if ((key->data!= NULL) && (key->length > 0)) {
+ memset(key->data, 0, key->length);
+ memset(key, 0, sizeof(apple_gss_krb5_authdata_if_relevant));
+ }
+ if(key->data != NULL)
+ xfree(key->data);
+ }
+}
Function names are prefixed with "apple_", which should change. Many
aspects appear to be cut-and-pasted from the lucid context support,
including comment blocks. Also, the interface is highly specific to the
"if-relevant" authorization data rather than being more generic.