Add send/receive sendto_kdc hooks and corresponding tests

Resolves: #1321135
This commit is contained in:
Robbie Harwood 2016-04-04 18:37:55 +00:00
parent f0b5fc56f2
commit 2f3f20f718
3 changed files with 704 additions and 1 deletions

View File

@ -0,0 +1,379 @@
From 117f6e415238b507a42cbc3ccdb45ad8408bfdfd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 7 Mar 2016 17:59:07 +0100
Subject: [PATCH] Add tests for send and receive sendto_kdc hooks
[ghudson@mit.edu: style changes]
ticket: 8386
---
.gitignore | 1 +
src/tests/Makefile.in | 18 ++--
src/tests/deps | 10 ++
src/tests/hooks.c | 253 ++++++++++++++++++++++++++++++++++++++++++++++++++
src/tests/t_hooks.py | 9 ++
5 files changed, 284 insertions(+), 7 deletions(-)
create mode 100644 src/tests/hooks.c
create mode 100755 src/tests/t_hooks.py
diff --git a/.gitignore b/.gitignore
index d424019..fdc62f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -361,6 +361,7 @@ local.properties
/src/tests/etinfo
/src/tests/gcred
/src/tests/hist
+/src/tests/hooks
/src/tests/hrealm
/src/tests/icred
/src/tests/kdbtest
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 4ab8e6e..d060513 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -6,10 +6,10 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \
RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \
LC_ALL=C $(VALGRIND)
-OBJS= adata.o etinfo.o gcred.o hist.o hrealm.o icred.o kdbtest.o localauth.o \
- plugorder.o rdreq.o responder.o s2p.o s4u2proxy.o
-EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hrealm.c icred.c kdbtest.c \
- localauth.c plugorder.c rdreq.o responder.c s2p.c s4u2proxy.c
+OBJS= adata.o etinfo.o gcred.o hist.o hooks.o hrealm.o icred.o kdbtest.o \
+ localauth.o plugorder.o rdreq.o responder.o s2p.o s4u2proxy.o
+EXTRADEPSRCS= adata.c etinfo.c gcred.c hist.c hooks.c hrealm.c icred.c \
+ kdbtest.c localauth.c plugorder.c rdreq.o responder.c s2p.c s4u2proxy.c
TEST_DB = ./testdb
TEST_REALM = FOO.TEST.REALM
@@ -33,6 +33,9 @@ gcred: gcred.o $(KRB5_BASE_DEPLIBS)
hist: hist.o $(KDB5_DEPLIBS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ hist.o $(KDB5_LIBS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
+hooks: hooks.o $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o $@ hooks.o $(KRB5_BASE_LIBS)
+
hrealm: hrealm.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS)
@@ -107,9 +110,10 @@ kdb_check: kdc.conf krb5.conf
$(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
$(RM) $(TEST_DB)* stash_file
-check-pytests:: adata etinfo gcred hist hrealm icred kdbtest localauth
+check-pytests:: adata etinfo gcred hist hooks hrealm icred kdbtest localauth
check-pytests:: plugorder rdreq responder s2p s4u2proxy unlockiter
$(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
@@ -159,7 +163,7 @@ check-pytests:: plugorder rdreq responder s2p s4u2proxy unlockiter
$(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
clean::
- $(RM) adata etinfo gcred hist hrealm icred kdbtest localauth plugorder
- $(RM) rdreq responder s2p s4u2proxy krb5.conf kdc.conf
+ $(RM) adata etinfo gcred hist hooks hrealm icred kdbtest localauth
+ $(RM) plugorder rdreq responder s2p s4u2proxy krb5.conf kdc.conf
$(RM) -rf kdc_realm/sandbox ldap
$(RM) au.log
diff --git a/src/tests/deps b/src/tests/deps
index d280026..55df1a7 100644
--- a/src/tests/deps
+++ b/src/tests/deps
@@ -50,6 +50,16 @@ $(OUTPRE)hist.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \
hist.c
+$(OUTPRE)hooks.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
+ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \
+ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \
+ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \
+ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \
+ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \
+ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \
+ $(top_srcdir)/include/socket-utils.h hooks.c
$(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
diff --git a/src/tests/hooks.c b/src/tests/hooks.c
new file mode 100644
index 0000000..fabdb89
--- /dev/null
+++ b/src/tests/hooks.c
@@ -0,0 +1,253 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* tests/hooks.c - test harness for KDC send and recv hooks */
+/*
+ * Copyright (C) 2016 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "k5-int.h"
+
+static krb5_context ctx;
+
+static void
+check_code(krb5_error_code code, const char *file, int line)
+{
+ const char *errmsg;
+
+ if (code) {
+ errmsg = krb5_get_error_message(ctx, code);
+ fprintf(stderr, "%s:%d -- %s (code=%d)\n", file, line, errmsg,
+ (int)code);
+ krb5_free_error_message(ctx, errmsg);
+ exit(1);
+ }
+}
+
+#define check(code) check_code((code), __FILE__, __LINE__)
+
+/* Verify that the canonicalize bit is set in an AS-REQ and remove it. */
+static krb5_error_code
+test_send_as_req(krb5_context context, void *data, const krb5_data *realm,
+ const krb5_data *message, krb5_data **new_message_out,
+ krb5_data **reply_out)
+{
+ krb5_kdc_req *as_req;
+ int cmp;
+
+ assert(krb5_is_as_req(message));
+ check(decode_krb5_as_req(message, &as_req));
+
+ assert(as_req->msg_type == KRB5_AS_REQ);
+ assert(as_req->kdc_options & KDC_OPT_CANONICALIZE);
+ assert(as_req->client->realm.length == realm->length);
+ cmp = memcmp(as_req->client->realm.data, realm->data, realm->length);
+ assert(cmp == 0);
+
+ /* Remove the canonicalize flag and create a new message. */
+ as_req->kdc_options &= ~KDC_OPT_CANONICALIZE;
+ check(encode_krb5_as_req(as_req, new_message_out));
+
+ krb5_free_kdc_req(context, as_req);
+ return 0;
+}
+
+/* Verify that reply is an AS-REP with kvno 1 and a valid enctype. */
+static krb5_error_code
+test_recv_as_rep(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ krb5_kdc_rep *as_rep;
+
+ assert(code == 0);
+ assert(krb5_is_as_rep(reply));
+ check(decode_krb5_as_rep(reply, &as_rep));
+
+ assert(as_rep->msg_type == KRB5_AS_REP);
+ assert(as_rep->ticket->enc_part.kvno == 1);
+ assert(krb5_c_valid_enctype(as_rep->ticket->enc_part.enctype));
+
+ krb5_free_kdc_rep(context, as_rep);
+ return 0;
+}
+
+/* Create a fake error reply. */
+static krb5_error_code
+test_send_error(krb5_context context, void *data, const krb5_data *realm,
+ const krb5_data *message, krb5_data **new_message_out,
+ krb5_data **reply_out)
+{
+ krb5_error_code ret;
+ krb5_error err;
+ krb5_principal client, server;
+ char *realm_str, *princ_str;
+ int r;
+
+ realm_str = k5memdup0(realm->data, realm->length, &ret);
+ check(ret);
+
+ r = asprintf(&princ_str, "invalid@%s", realm_str);
+ assert(r > 0);
+ check(krb5_parse_name(ctx, princ_str, &client));
+ free(princ_str);
+
+ r = asprintf(&princ_str, "krbtgt@%s", realm_str);
+ assert(r > 0);
+ check(krb5_parse_name(ctx, princ_str, &server));
+ free(princ_str);
+ free(realm_str);
+
+ err.magic = KV5M_ERROR;
+ err.ctime = 1971196337;
+ err.cusec = 0;
+ err.susec = 97008;
+ err.stime = 1458219390;
+ err.error = 6;
+ err.client = client;
+ err.server = server;
+ err.text = string2data("CLIENT_NOT_FOUND");
+ err.e_data = empty_data();
+ check(encode_krb5_error(&err, reply_out));
+
+ krb5_free_principal(ctx, client);
+ krb5_free_principal(ctx, server);
+ return 0;
+}
+
+static krb5_error_code
+test_recv_error(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ /* The send hook created a reply, so this hook should not be executed. */
+ abort();
+}
+
+/* Modify an AS-REP reply, change the msg_type to KRB5_TGS_REP. */
+static krb5_error_code
+test_recv_modify_reply(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ krb5_kdc_rep *as_rep;
+
+ assert(code == 0);
+ assert(krb5_is_as_rep(reply));
+ check(decode_krb5_as_rep(reply, &as_rep));
+
+ as_rep->msg_type = KRB5_TGS_REP;
+ check(encode_krb5_as_rep(as_rep, new_reply));
+
+ krb5_free_kdc_rep(context, as_rep);
+ return 0;
+}
+
+/* Return an error given by the callback data argument. */
+static krb5_error_code
+test_send_return_value(krb5_context context, void *data,
+ const krb5_data *realm, const krb5_data *message,
+ krb5_data **new_message_out, krb5_data **reply_out)
+{
+ assert(data != NULL);
+ return *(krb5_error_code *)data;
+}
+
+/* Return an error given by the callback argument. */
+static krb5_error_code
+test_recv_return_value(krb5_context context, void *data, krb5_error_code code,
+ const krb5_data *realm, const krb5_data *message,
+ const krb5_data *reply, krb5_data **new_reply)
+{
+ assert(data != NULL);
+ return *(krb5_error_code *)data;
+}
+
+int
+main(int argc, char *argv[])
+{
+ const char *principal, *password;
+ krb5_principal client;
+ krb5_get_init_creds_opt *opts;
+ krb5_creds creds;
+ krb5_error_code ret, test_return_code;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: %s princname password\n", argv[0]);
+ exit(1);
+ }
+ principal = argv[1];
+ password = argv[2];
+
+ check(krb5_init_context(&ctx));
+ check(krb5_parse_name(ctx, principal, &client));
+
+ /* Use a send hook to modify an outgoing AS-REQ. The library will detect
+ * the modification in the reply. */
+ check(krb5_get_init_creds_opt_alloc(ctx, &opts));
+ krb5_get_init_creds_opt_set_canonicalize(opts, 1);
+ krb5_set_kdc_send_hook(ctx, test_send_as_req, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_as_rep, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, opts);
+ assert(ret == KRB5_KDCREP_MODIFIED);
+ krb5_get_init_creds_opt_free(ctx, opts);
+
+ /* Use a send hook to synthesize a KRB-ERROR reply. */
+ krb5_set_kdc_send_hook(ctx, test_send_error, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_error, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN);
+
+ /* Use a recv hook to modify a KDC reply. */
+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_modify_reply, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KRB_AP_ERR_MSG_TYPE);
+
+ /* Verify that the user data pointer works in the send hook. */
+ test_return_code = KRB5KDC_ERR_PREAUTH_FAILED;
+ krb5_set_kdc_send_hook(ctx, test_send_return_value, &test_return_code);
+ krb5_set_kdc_recv_hook(ctx, NULL, NULL);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KDC_ERR_PREAUTH_FAILED);
+
+ /* Verify that the user data pointer works in the recv hook. */
+ test_return_code = KRB5KDC_ERR_NULL_KEY;
+ krb5_set_kdc_send_hook(ctx, NULL, NULL);
+ krb5_set_kdc_recv_hook(ctx, test_recv_return_value, &test_return_code);
+ ret = krb5_get_init_creds_password(ctx, &creds, client, password, NULL,
+ NULL, 0, NULL, NULL);
+ assert(ret == KRB5KDC_ERR_NULL_KEY);
+
+ krb5_free_principal(ctx, client);
+ krb5_free_context(ctx);
+ return 0;
+}
diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py
new file mode 100755
index 0000000..58dff3a
--- /dev/null
+++ b/src/tests/t_hooks.py
@@ -0,0 +1,9 @@
+#!/usr/bin/python
+from k5test import *
+
+# Test that KDC send and recv hooks work correctly.
+realm = K5Realm(create_host=False, get_creds=False)
+realm.run(['./hooks', realm.user_princ, password('user')])
+realm.stop()
+
+success('send and recv hook tests')
--
2.8.0.rc3

View File

@ -0,0 +1,314 @@
From fb4d426ddeb9d4802a53dfbd74189ef8eacbe65e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Mar 2016 18:53:31 +0100
Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks
Add two new APIs, krb5_set_kdc_send_hook() and
krb5_set_kdc_recv_hook(), which can be used to inspect and override
messages sent to KDCs.
[ghudson@mit.edu: style and documentation changes]
ticket: 8386 (new)
---
doc/appdev/refs/api/index.rst | 2 +
doc/appdev/refs/types/index.rst | 2 +
src/include/k5-int.h | 6 +++
src/include/krb5/krb5.hin | 104 ++++++++++++++++++++++++++++++++++++++++
src/lib/krb5/libkrb5.exports | 2 +
src/lib/krb5/os/sendto_kdc.c | 56 +++++++++++++++++++++-
src/lib/krb5_32.def | 4 ++
7 files changed, 174 insertions(+), 2 deletions(-)
diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst
index 8df351d..e97cbca 100644
--- a/doc/appdev/refs/api/index.rst
+++ b/doc/appdev/refs/api/index.rst
@@ -268,6 +268,8 @@ Rarely used public interfaces
krb5_server_decrypt_ticket_keytab.rst
krb5_set_default_tgs_enctypes.rst
krb5_set_error_message.rst
+ krb5_set_kdc_recv_hook.rst
+ krb5_set_kdc_send_hook.rst
krb5_set_real_time.rst
krb5_string_to_cksumtype.rst
krb5_string_to_deltat.rst
diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst
index 51c4093..dc414cf 100644
--- a/doc/appdev/refs/types/index.rst
+++ b/doc/appdev/refs/types/index.rst
@@ -57,6 +57,8 @@ Public
krb5_pa_svr_referral_data.rst
krb5_pa_data.rst
krb5_pointer.rst
+ krb5_post_recv_fn.rst
+ krb5_pre_send_fn.rst
krb5_preauthtype.rst
krb5_principal.rst
krb5_principal_data.rst
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 6b36e9d..d0216d6 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1242,6 +1242,12 @@ struct _krb5_context {
krb5_trace_callback trace_callback;
void *trace_callback_data;
+ krb5_pre_send_fn kdc_send_hook;
+ void *kdc_send_hook_data;
+
+ krb5_post_recv_fn kdc_recv_hook;
+ void *kdc_recv_hook_data;
+
struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
char *plugin_base_dir;
};
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 0a0d272..9e91a60 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8292,6 +8292,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,
krb5_error_code KRB5_CALLCONV
krb5_set_trace_filename(krb5_context context, const char *filename);
+
+/**
+ * Hook function for inspecting or modifying messages sent to KDCs.
+ *
+ * If the hook function returns an error code, the KDC communication will be
+ * aborted and the error code will be returned to the library operation which
+ * initiated the communication.
+ *
+ * If the hook function sets @a reply_out, @a message will not be sent to the
+ * KDC, and the given reply will used instead.
+ *
+ * If the hook function sets @a new_message_out, the given message will be sent
+ * to the KDC in place of @a message.
+ *
+ * If the hook function returns successfully without setting either output,
+ * @a message will be sent to the KDC normally.
+ *
+ * The hook function should use krb5_copy_data() to construct the value for
+ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly
+ * by the library.
+ *
+ * @param [in] context Library context
+ * @param [in] data Callback data
+ * @param [in] realm The realm the message will be sent to
+ * @param [in] message The original message to be sent to the KDC
+ * @param [out] new_message_out Optional replacement message to be sent
+ * @param [out] reply_out Optional synthetic reply
+ *
+ * @retval 0 Success
+ * @return A Kerberos error code
+ */
+typedef krb5_error_code
+(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data,
+ const krb5_data *realm,
+ const krb5_data *message,
+ krb5_data **new_message_out,
+ krb5_data **new_reply_out);
+
+/**
+ * Hook function for inspecting or overriding KDC replies.
+ *
+ * If @a code is zero, @a reply contains the reply received from the KDC. The
+ * hook function may return an error code to simulate an error, may synthesize
+ * a different reply by setting @a new_reply_out, or may simply return
+ * successfully to do nothing.
+ *
+ * If @a code is non-zero, KDC communication failed and @a reply should be
+ * ignored. The hook function may return @a code or a different error code, or
+ * may synthesize a reply by setting @a new_reply_out and return successfully.
+ *
+ * The hook function should use krb5_copy_data() to construct the value for
+ * @a new_reply_out, to ensure that it can be freed correctly by the library.
+ *
+ * @param [in] context Library context
+ * @param [in] data Callback data
+ * @param [in] code Status of KDC communication
+ * @param [in] realm The realm the reply was received from
+ * @param [in] message The message sent to the realm's KDC
+ * @param [in] reply The reply received from the KDC
+ * @param [out] new_reply_out Optional replacement reply
+ *
+ * @retval 0 Success
+ * @return A Kerberos error code
+ */
+typedef krb5_error_code
+(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data,
+ krb5_error_code code,
+ const krb5_data *realm,
+ const krb5_data *message,
+ const krb5_data *reply,
+ krb5_data **new_reply_out);
+
+/**
+ * Set a KDC pre-send hook function.
+ *
+ * @a send_hook will be called before messages are sent to KDCs by library
+ * functions such as krb5_get_credentials(). The hook function may inspect,
+ * override, or synthesize its own reply to the message.
+ *
+ * @param [in] context Library context
+ * @param [in] send_hook Hook function (or NULL to disable the hook)
+ * @param [in] data Callback data to be passed to @a send_hook
+ */
+void KRB5_CALLCONV
+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
+ void *data);
+
+/**
+ * Set a KDC post-receive hook function.
+ *
+ * @a recv_hook will be called after a reply is received from a KDC during a
+ * call to a library function such as krb5_get_credentials(). The hook
+ * function may inspect or override the reply. This hook will not be executed
+ * if the pre-send hook returns a synthetic reply.
+ *
+ * @param [in] context The library context.
+ * @param [in] recv_hook Hook function (or NULL to disable the hook)
+ * @param [in] data Callback data to be passed to @a recv_hook
+ */
+void KRB5_CALLCONV
+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
+ void *data);
+
+
#if TARGET_OS_MAC
# pragma pack(pop)
#endif
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index c623409..ea6982d 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -581,6 +581,8 @@ krb5_set_password
krb5_set_password_using_ccache
krb5_set_principal_realm
krb5_set_real_time
+krb5_set_kdc_send_hook
+krb5_set_kdc_recv_hook
krb5_set_time_offsets
krb5_set_trace_callback
krb5_set_trace_filename
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 3b3b438..a2bc591 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -399,6 +399,22 @@ check_for_svc_unavailable (krb5_context context,
return 1;
}
+void
+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,
+ void *data)
+{
+ context->kdc_send_hook = send_hook;
+ context->kdc_send_hook_data = data;
+}
+
+void
+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,
+ void *data)
+{
+ context->kdc_recv_hook = recv_hook;
+ context->kdc_recv_hook_data = data;
+}
+
/*
* send the formatted request 'message' to a KDC for realm 'realm' and
* return the response (if any) in 'reply'.
@@ -412,13 +428,16 @@ check_for_svc_unavailable (krb5_context context,
krb5_error_code
krb5_sendto_kdc(krb5_context context, const krb5_data *message,
- const krb5_data *realm, krb5_data *reply, int *use_master,
+ const krb5_data *realm, krb5_data *reply_out, int *use_master,
int no_udp)
{
krb5_error_code retval, err;
struct serverlist servers;
int server_used;
k5_transport_strategy strategy;
+ krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL;
+
+ *reply_out = empty_data();
/*
* find KDC location(s) for realm
@@ -463,9 +482,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
if (retval)
return retval;
+ if (context->kdc_send_hook != NULL) {
+ retval = context->kdc_send_hook(context, context->kdc_send_hook_data,
+ realm, message, &hook_message,
+ &hook_reply);
+ if (retval)
+ goto cleanup;
+
+ if (hook_reply != NULL) {
+ *reply_out = *hook_reply;
+ free(hook_reply);
+ goto cleanup;
+ }
+
+ if (hook_message != NULL)
+ message = hook_message;
+ }
+
err = 0;
retval = k5_sendto(context, message, realm, &servers, strategy, NULL,
- reply, NULL, NULL, &server_used,
+ &reply, NULL, NULL, &server_used,
check_for_svc_unavailable, &err);
if (retval == KRB5_KDC_UNREACH) {
if (err == KDC_ERR_SVC_UNAVAILABLE) {
@@ -476,9 +512,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
realm->length, realm->data);
}
}
+
+ if (context->kdc_recv_hook != NULL) {
+ retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data,
+ retval, realm, message, &reply,
+ &hook_reply);
+ }
if (retval)
goto cleanup;
+ if (hook_reply != NULL) {
+ *reply_out = *hook_reply;
+ free(hook_reply);
+ } else {
+ *reply_out = reply;
+ reply = empty_data();
+ }
+
/* Set use_master to 1 if we ended up talking to a master when we didn't
* explicitly request to. */
if (*use_master == 0) {
@@ -488,6 +538,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,
}
cleanup:
+ krb5_free_data(context, hook_message);
+ krb5_free_data_contents(context, &reply);
k5_free_serverlist(&servers);
return retval;
}
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 3734e9b..8d58ea1 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -463,3 +463,7 @@ EXPORTS
krb5_vwrap_error_message @430
krb5_c_prfplus @431
krb5_c_derive_prfplus @432
+
+; new in 1.15
+ krb5_set_kdc_send_hook @433
+ krb5_set_kdc_recv_hook @434
--
2.8.0.rc3

View File

@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.14.1 Version: 1.14.1
Release: 3%{?dist} Release: 4%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead? # - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with # - The sources below are stored in a lookaside cache. Upload with
@ -68,6 +68,9 @@ Patch162: krb5-1.14.2-Revisit-inquire_attrs_for_mech-on-old-mechs.patch
Patch163: krb5-CVE-2016-3119.patch Patch163: krb5-CVE-2016-3119.patch
Patch164: krb5-1.15-kdc_send_receive_hooks.patch
Patch165: krb5-1.15-kdc_hooks_test.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -251,6 +254,9 @@ ln NOTICE LICENSE
%patch163 -p1 -b .CVE-2016-3119 %patch163 -p1 -b .CVE-2016-3119
%patch164 -p1 -b .kdc_send_receive_hooks
%patch165 -p1 -b .kdc_hooks_test
# Take the execute bit off of documentation. # Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -772,6 +778,10 @@ exit 0
%changelog %changelog
* Mon Apr 04 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-4
- Add send/receive sendto_kdc hooks and corresponding tests
- Resolves: #1321135
* Fri Mar 18 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-3 * Fri Mar 18 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-3
- Fix CVE-2016-3119 (NULL deref in LDAP module) - Fix CVE-2016-3119 (NULL deref in LDAP module)