1*7f2fe78bSCy Schubert /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2*7f2fe78bSCy Schubert /* plugins/authdata/greet_server/greet_auth.c */
3*7f2fe78bSCy Schubert /*
4*7f2fe78bSCy Schubert * Copyright 2009 by the Massachusetts Institute of Technology.
5*7f2fe78bSCy Schubert *
6*7f2fe78bSCy Schubert * Export of this software from the United States of America may
7*7f2fe78bSCy Schubert * require a specific license from the United States Government.
8*7f2fe78bSCy Schubert * It is the responsibility of any person or organization contemplating
9*7f2fe78bSCy Schubert * export to obtain such a license before exporting.
10*7f2fe78bSCy Schubert *
11*7f2fe78bSCy Schubert * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
12*7f2fe78bSCy Schubert * distribute this software and its documentation for any purpose and
13*7f2fe78bSCy Schubert * without fee is hereby granted, provided that the above copyright
14*7f2fe78bSCy Schubert * notice appear in all copies and that both that copyright notice and
15*7f2fe78bSCy Schubert * this permission notice appear in supporting documentation, and that
16*7f2fe78bSCy Schubert * the name of M.I.T. not be used in advertising or publicity pertaining
17*7f2fe78bSCy Schubert * to distribution of the software without specific, written prior
18*7f2fe78bSCy Schubert * permission. Furthermore if you modify this software you must label
19*7f2fe78bSCy Schubert * your software as modified software and not distribute it in such a
20*7f2fe78bSCy Schubert * fashion that it might be confused with the original M.I.T. software.
21*7f2fe78bSCy Schubert * M.I.T. makes no representations about the suitability of
22*7f2fe78bSCy Schubert * this software for any purpose. It is provided "as is" without express
23*7f2fe78bSCy Schubert * or implied warranty.
24*7f2fe78bSCy Schubert */
25*7f2fe78bSCy Schubert
26*7f2fe78bSCy Schubert /*
27*7f2fe78bSCy Schubert *
28*7f2fe78bSCy Schubert * Sample authorization data plugin
29*7f2fe78bSCy Schubert */
30*7f2fe78bSCy Schubert
31*7f2fe78bSCy Schubert #include <k5-int.h>
32*7f2fe78bSCy Schubert #include <krb5/kdcauthdata_plugin.h>
33*7f2fe78bSCy Schubert
greet_hello(krb5_context context,krb5_data ** ret)34*7f2fe78bSCy Schubert static krb5_error_code greet_hello(krb5_context context, krb5_data **ret)
35*7f2fe78bSCy Schubert {
36*7f2fe78bSCy Schubert krb5_data tmp;
37*7f2fe78bSCy Schubert
38*7f2fe78bSCy Schubert tmp.data = "Hello, KDC issued acceptor world!";
39*7f2fe78bSCy Schubert tmp.length = strlen(tmp.data);
40*7f2fe78bSCy Schubert
41*7f2fe78bSCy Schubert return krb5_copy_data(context, &tmp, ret);
42*7f2fe78bSCy Schubert }
43*7f2fe78bSCy Schubert
44*7f2fe78bSCy Schubert static krb5_error_code
greet_kdc_sign(krb5_context context,krb5_enc_tkt_part * enc_tkt_reply,krb5_const_principal tgs,krb5_data * greeting)45*7f2fe78bSCy Schubert greet_kdc_sign(krb5_context context,
46*7f2fe78bSCy Schubert krb5_enc_tkt_part *enc_tkt_reply,
47*7f2fe78bSCy Schubert krb5_const_principal tgs,
48*7f2fe78bSCy Schubert krb5_data *greeting)
49*7f2fe78bSCy Schubert {
50*7f2fe78bSCy Schubert krb5_error_code code;
51*7f2fe78bSCy Schubert krb5_authdata ad_datum, *ad_data[2], **kdc_issued = NULL;
52*7f2fe78bSCy Schubert krb5_authdata **if_relevant = NULL;
53*7f2fe78bSCy Schubert krb5_authdata **tkt_authdata;
54*7f2fe78bSCy Schubert
55*7f2fe78bSCy Schubert ad_datum.ad_type = -42;
56*7f2fe78bSCy Schubert ad_datum.contents = (krb5_octet *)greeting->data;
57*7f2fe78bSCy Schubert ad_datum.length = greeting->length;
58*7f2fe78bSCy Schubert
59*7f2fe78bSCy Schubert ad_data[0] = &ad_datum;
60*7f2fe78bSCy Schubert ad_data[1] = NULL;
61*7f2fe78bSCy Schubert
62*7f2fe78bSCy Schubert code = krb5_make_authdata_kdc_issued(context,
63*7f2fe78bSCy Schubert enc_tkt_reply->session,
64*7f2fe78bSCy Schubert tgs,
65*7f2fe78bSCy Schubert ad_data,
66*7f2fe78bSCy Schubert &kdc_issued);
67*7f2fe78bSCy Schubert if (code != 0)
68*7f2fe78bSCy Schubert return code;
69*7f2fe78bSCy Schubert
70*7f2fe78bSCy Schubert code = krb5_encode_authdata_container(context,
71*7f2fe78bSCy Schubert KRB5_AUTHDATA_IF_RELEVANT,
72*7f2fe78bSCy Schubert kdc_issued,
73*7f2fe78bSCy Schubert &if_relevant);
74*7f2fe78bSCy Schubert if (code != 0) {
75*7f2fe78bSCy Schubert krb5_free_authdata(context, kdc_issued);
76*7f2fe78bSCy Schubert return code;
77*7f2fe78bSCy Schubert }
78*7f2fe78bSCy Schubert
79*7f2fe78bSCy Schubert code = krb5_merge_authdata(context,
80*7f2fe78bSCy Schubert if_relevant,
81*7f2fe78bSCy Schubert enc_tkt_reply->authorization_data,
82*7f2fe78bSCy Schubert &tkt_authdata);
83*7f2fe78bSCy Schubert if (code == 0) {
84*7f2fe78bSCy Schubert krb5_free_authdata(context, enc_tkt_reply->authorization_data);
85*7f2fe78bSCy Schubert enc_tkt_reply->authorization_data = tkt_authdata;
86*7f2fe78bSCy Schubert }
87*7f2fe78bSCy Schubert
88*7f2fe78bSCy Schubert krb5_free_authdata(context, if_relevant);
89*7f2fe78bSCy Schubert krb5_free_authdata(context, kdc_issued);
90*7f2fe78bSCy Schubert
91*7f2fe78bSCy Schubert return code;
92*7f2fe78bSCy Schubert }
93*7f2fe78bSCy Schubert
94*7f2fe78bSCy Schubert static krb5_error_code
greet_authdata(krb5_context context,krb5_kdcauthdata_moddata moddata,unsigned int flags,krb5_db_entry * client,krb5_db_entry * server,krb5_db_entry * tgs,krb5_keyblock * client_key,krb5_keyblock * server_key,krb5_keyblock * krbtgt_key,krb5_data * req_pkt,krb5_kdc_req * request,krb5_const_principal for_user_princ,krb5_enc_tkt_part * enc_tkt_request,krb5_enc_tkt_part * enc_tkt_reply)95*7f2fe78bSCy Schubert greet_authdata(krb5_context context,
96*7f2fe78bSCy Schubert krb5_kdcauthdata_moddata moddata,
97*7f2fe78bSCy Schubert unsigned int flags,
98*7f2fe78bSCy Schubert krb5_db_entry *client,
99*7f2fe78bSCy Schubert krb5_db_entry *server,
100*7f2fe78bSCy Schubert krb5_db_entry *tgs,
101*7f2fe78bSCy Schubert krb5_keyblock *client_key,
102*7f2fe78bSCy Schubert krb5_keyblock *server_key,
103*7f2fe78bSCy Schubert krb5_keyblock *krbtgt_key,
104*7f2fe78bSCy Schubert krb5_data *req_pkt,
105*7f2fe78bSCy Schubert krb5_kdc_req *request,
106*7f2fe78bSCy Schubert krb5_const_principal for_user_princ,
107*7f2fe78bSCy Schubert krb5_enc_tkt_part *enc_tkt_request,
108*7f2fe78bSCy Schubert krb5_enc_tkt_part *enc_tkt_reply)
109*7f2fe78bSCy Schubert {
110*7f2fe78bSCy Schubert krb5_error_code code;
111*7f2fe78bSCy Schubert krb5_data *greeting = NULL;
112*7f2fe78bSCy Schubert
113*7f2fe78bSCy Schubert if (request->msg_type != KRB5_TGS_REQ)
114*7f2fe78bSCy Schubert return 0;
115*7f2fe78bSCy Schubert
116*7f2fe78bSCy Schubert code = greet_hello(context, &greeting);
117*7f2fe78bSCy Schubert if (code != 0)
118*7f2fe78bSCy Schubert return code;
119*7f2fe78bSCy Schubert
120*7f2fe78bSCy Schubert code = greet_kdc_sign(context, enc_tkt_reply, tgs->princ, greeting);
121*7f2fe78bSCy Schubert
122*7f2fe78bSCy Schubert krb5_free_data(context, greeting);
123*7f2fe78bSCy Schubert
124*7f2fe78bSCy Schubert return code;
125*7f2fe78bSCy Schubert }
126*7f2fe78bSCy Schubert
127*7f2fe78bSCy Schubert krb5_error_code
128*7f2fe78bSCy Schubert kdcauthdata_greet_initvt(krb5_context context, int maj_ver, int min_ver,
129*7f2fe78bSCy Schubert krb5_plugin_vtable vtable);
130*7f2fe78bSCy Schubert
131*7f2fe78bSCy Schubert krb5_error_code
kdcauthdata_greet_initvt(krb5_context context,int maj_ver,int min_ver,krb5_plugin_vtable vtable)132*7f2fe78bSCy Schubert kdcauthdata_greet_initvt(krb5_context context, int maj_ver, int min_ver,
133*7f2fe78bSCy Schubert krb5_plugin_vtable vtable)
134*7f2fe78bSCy Schubert {
135*7f2fe78bSCy Schubert krb5_kdcauthdata_vtable vt = (krb5_kdcauthdata_vtable)vtable;
136*7f2fe78bSCy Schubert
137*7f2fe78bSCy Schubert vt->name = "greet";
138*7f2fe78bSCy Schubert vt->handle = greet_authdata;
139*7f2fe78bSCy Schubert return 0;
140*7f2fe78bSCy Schubert }
141