authorGreg Hudson <ghudson@mit.edu>2023-03-29 10:15:35 -0400
committerGreg Hudson <ghudson@mit.edu>2023-04-11 00:34:23 -0400
commit2928f4f1682ee6245cec1f3c6d9d4b9bf30f8ee1 (patch)
treefde7186aed1164d30f089200a2edd230b2960b92 /src
parent67de20e187ab2216ce82966f3b6fccf9b7cea279 (diff)
downloadkrb5-2928f4f1682ee6245cec1f3c6d9d4b9bf30f8ee1.tar.gz
Convey realm names to certauth modules
In the certauth pluggable interface, add an extended init method which receives the realm list. ticket: 9090 (new)
Diffstat (limited to 'src')
-rw-r--r--src/include/krb5/certauth_plugin.h13
-rw-r--r--src/plugins/preauth/pkinit/pkinit_srv.c20
2 files changed, 23 insertions, 10 deletions
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h
index bba09b155..bc8c88ac9 100644
--- a/src/include/krb5/certauth_plugin.h
+++ b/src/include/krb5/certauth_plugin.h
@@ -35,7 +35,7 @@
*
* The certauth pluggable interface currently has only one supported major
* version, which is 1. Major version 1 has a current minor version number of
- * 1.
+ * 2.
*
* certauth plugin modules should define a function named
* certauth_<modulename>_initvt, matching the signature:
@@ -79,6 +79,13 @@ typedef krb5_error_code
krb5_certauth_moddata *moddata_out);
/*
+ * Optional: Initialize module data. Supersedes init if present.
+ */
+typedef krb5_error_code
+(*krb5_certauth_init_ex_fn)(krb5_context context, const char *const *realmlist,
+ krb5_certauth_moddata *moddata_out);
+
+/*
* Optional: Clean up the module data.
*/
typedef void
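Review bot: The new krb5_certauth_init_ex_fn typedef documents precedence over init but says nothing about realmlist itself — its termination, who owns the strings, or whether a module may keep the pointer after the call returns. Since this is a public plugin header, module authors will have only this comment to go on; the realmnames the loader passes in presumably come from the KDC's own realm list and outlive the module, but that is not visible here. I would extend the comment along the lines of `/* Optional: Initialize module data. Supersedes init if present. realmlist is a NULL-terminated list of the realm names served by this KDC (confirm against the caller); modules must copy any names they need to retain. */`. The same ownership note would help at the init_ex call site in pkinit_srv.c.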
@@ -132,6 +139,10 @@ typedef struct krb5_certauth_vtable_st {
krb5_certauth_fini_fn fini;
krb5_certauth_authorize_fn authorize;
krb5_certauth_free_indicator_fn free_ind;
+ /* Minor version 1 ends here. */
+
+ krb5_certauth_init_ex_fn init_ex;
+ /* Minor version 2 ends here. */
} *krb5_certauth_vtable;
#endif /* KRB5_CERTAUTH_PLUGIN_H */
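Review bot: The "Minor version 1 ends here." / "Minor version 2 ends here." markers describe the layout but not the rule a module must follow, which is the security-relevant part: a module's initvt must only assign init_ex when the min_ver it was handed is at least 2, because a loader requesting minor version 1 may have allocated only the shorter struct and a write to init_ex would land past its end. The existing initvt signatures in this patch take a min_ver argument, so the constraint is checkable by module authors. I would add a comment before the init_ex member such as `/* Only set init_ex if the initvt min_ver argument is >= 2. */`.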
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 0ac9ca065..1b3bf6d4d 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1400,7 +1400,8 @@ certauth_dbmatch_initvt(krb5_context context, int maj_ver, int min_ver,
}
static krb5_error_code
-load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
+load_certauth_plugins(krb5_context context, const char *const *realmnames,
+ certauth_handle **handle_out)
{
krb5_error_code ret;
krb5_plugin_initvt_fn *modules = NULL, *mod;
@@ -1440,20 +1441,21 @@ load_certauth_plugins(krb5_context context, certauth_handle **handle_out)
if (h == NULL)
goto cleanup;
- ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt);
+ ret = (*mod)(context, 1, 2, (krb5_plugin_vtable)&h->vt);
if (ret) {
TRACE_CERTAUTH_VTINIT_FAIL(context, ret);
free(h);
continue;
}
h->moddata = NULL;
- if (h->vt.init != NULL) {
+ if (h->vt.init_ex != NULL)
+ ret = h->vt.init_ex(context, realmnames, &h->moddata);
+ else if (h->vt.init != NULL)
ret = h->vt.init(context, &h->moddata);
- if (ret) {
- TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
- free(h);
- continue;
- }
+ if (ret) {
+ TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret);
+ free(h);
+ continue;
}
list[count++] = h;
list[count] = NULL;
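Review bot: The `h->vt.init_ex != NULL` test is only sound if the vtable is zero-filled before `(*mod)(context, 1, 2, ...)`: a module built against minor version 1 never writes init_ex, so if h were obtained with plain malloc the loader would read an indeterminate function pointer and call through it. The allocation of h is above this hunk; if it is a calloc-style allocation this is fine, but that dependency is now load-bearing and deserves a comment where h is allocated, e.g. `/* Zero-filled: modules supporting only minor version 1 leave init_ex unset. */`, or an explicit `memset(&h->vt, 0, sizeof(h->vt));` before the initvt call. Merging the `if (ret)` check below the init/init_ex chain is correct as written, since ret is already 0 from the successful initvt call when neither hook is present. load_certauth_plugins continues outside the hunk in both directions.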
@@ -1516,7 +1518,7 @@ pkinit_server_plugin_init(krb5_context context,
goto errout;
}
- retval = load_certauth_plugins(context, &certauth_modules);
+ retval = load_certauth_plugins(context, realmnames, &certauth_modules);
if (retval)
goto errout;