From 21330cb3db69fc5a004844a1e4dec8998eb50068 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Thu, 3 Mar 2016 18:53:31 +0100

Subject: [PATCH] Add KDC pre-send and post-receive KDC hooks

Add two new APIs, krb5_set_kdc_send_hook() and

krb5_set_kdc_recv_hook(), which can be used to inspect and override

messages sent to KDCs.

[ghudson@mit.edu: style and documentation changes]

ticket: 8386 (new)

---

 doc/appdev/refs/api/index.rst   |   2 +

 doc/appdev/refs/types/index.rst |   2 +

 src/include/k5-int.h            |   6 +++

 src/include/krb5/krb5.hin       | 104 ++++++++++++++++++++++++++++++++++++++++

 src/lib/krb5/libkrb5.exports    |   2 +

 src/lib/krb5/os/sendto_kdc.c    |  56 +++++++++++++++++++++-

 src/lib/krb5_32.def             |   4 ++

 7 files changed, 174 insertions(+), 2 deletions(-)

diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst

index 8df351d..e97cbca 100644

--- a/doc/appdev/refs/api/index.rst

+++ b/doc/appdev/refs/api/index.rst

@@ -268,6 +268,8 @@ Rarely used public interfaces

    krb5_server_decrypt_ticket_keytab.rst

    krb5_set_default_tgs_enctypes.rst

    krb5_set_error_message.rst

+   krb5_set_kdc_recv_hook.rst

+   krb5_set_kdc_send_hook.rst

    krb5_set_real_time.rst

    krb5_string_to_cksumtype.rst

    krb5_string_to_deltat.rst

diff --git a/doc/appdev/refs/types/index.rst b/doc/appdev/refs/types/index.rst

index 51c4093..dc414cf 100644

--- a/doc/appdev/refs/types/index.rst

+++ b/doc/appdev/refs/types/index.rst

@@ -57,6 +57,8 @@ Public

    krb5_pa_svr_referral_data.rst

    krb5_pa_data.rst

    krb5_pointer.rst

+   krb5_post_recv_fn.rst

+   krb5_pre_send_fn.rst

    krb5_preauthtype.rst

    krb5_principal.rst

    krb5_principal_data.rst

diff --git a/src/include/k5-int.h b/src/include/k5-int.h

index 6b7b2e3..045abfc 100644

--- a/src/include/k5-int.h

+++ b/src/include/k5-int.h

@@ -1238,6 +1238,12 @@ struct _krb5_context {

     krb5_trace_callback trace_callback;

     void *trace_callback_data;

+    krb5_pre_send_fn kdc_send_hook;

+    void *kdc_send_hook_data;

+

+    krb5_post_recv_fn kdc_recv_hook;

+    void *kdc_recv_hook_data;

+

     struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];

     char *plugin_base_dir;

 };

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin

index c93a0f2..2b0d59e 100644

--- a/src/include/krb5/krb5.hin

+++ b/src/include/krb5/krb5.hin

@@ -8300,6 +8300,110 @@ krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn,

 krb5_error_code KRB5_CALLCONV

 krb5_set_trace_filename(krb5_context context, const char *filename);

+

+/**

+ * Hook function for inspecting or modifying messages sent to KDCs.

+ *

+ * If the hook function returns an error code, the KDC communication will be

+ * aborted and the error code will be returned to the library operation which

+ * initiated the communication.

+ *

+ * If the hook function sets @a reply_out, @a message will not be sent to the

+ * KDC, and the given reply will used instead.

+ *

+ * If the hook function sets @a new_message_out, the given message will be sent

+ * to the KDC in place of @a message.

+ *

+ * If the hook function returns successfully without setting either output,

+ * @a message will be sent to the KDC normally.

+ *

+ * The hook function should use krb5_copy_data() to construct the value for

+ * @a new_message_out or @a reply_out, to ensure that it can be freed correctly

+ * by the library.

+ *

+ * @param [in]  context         Library context

+ * @param [in]  data            Callback data

+ * @param [in]  realm           The realm the message will be sent to

+ * @param [in]  message         The original message to be sent to the KDC

+ * @param [out] new_message_out Optional replacement message to be sent

+ * @param [out] reply_out       Optional synthetic reply

+ *

+ * @retval 0 Success

+ * @return A Kerberos error code

+ */

+typedef krb5_error_code

+(KRB5_CALLCONV *krb5_pre_send_fn)(krb5_context context, void *data,

+                                  const krb5_data *realm,

+                                  const krb5_data *message,

+                                  krb5_data **new_message_out,

+                                  krb5_data **new_reply_out);

+

+/**

+ * Hook function for inspecting or overriding KDC replies.

+ *

+ * If @a code is zero, @a reply contains the reply received from the KDC.  The

+ * hook function may return an error code to simulate an error, may synthesize

+ * a different reply by setting @a new_reply_out, or may simply return

+ * successfully to do nothing.

+ *

+ * If @a code is non-zero, KDC communication failed and @a reply should be

+ * ignored.  The hook function may return @a code or a different error code, or

+ * may synthesize a reply by setting @a new_reply_out and return successfully.

+ *

+ * The hook function should use krb5_copy_data() to construct the value for

+ * @a new_reply_out, to ensure that it can be freed correctly by the library.

+ *

+ * @param [in]  context         Library context

+ * @param [in]  data            Callback data

+ * @param [in]  code            Status of KDC communication

+ * @param [in]  realm           The realm the reply was received from

+ * @param [in]  message         The message sent to the realm's KDC

+ * @param [in]  reply           The reply received from the KDC

+ * @param [out] new_reply_out   Optional replacement reply

+ *

+ * @retval 0 Success

+ * @return A Kerberos error code

+ */

+typedef krb5_error_code

+(KRB5_CALLCONV *krb5_post_recv_fn)(krb5_context context, void *data,

+                                   krb5_error_code code,

+                                   const krb5_data *realm,

+                                   const krb5_data *message,

+                                   const krb5_data *reply,

+                                   krb5_data **new_reply_out);

+

+/**

+ * Set a KDC pre-send hook function.

+ *

+ * @a send_hook will be called before messages are sent to KDCs by library

+ * functions such as krb5_get_credentials().  The hook function may inspect,

+ * override, or synthesize its own reply to the message.

+ *

+ * @param [in] context          Library context

+ * @param [in] send_hook        Hook function (or NULL to disable the hook)

+ * @param [in] data             Callback data to be passed to @a send_hook

+ */

+void KRB5_CALLCONV

+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,

+                       void *data);

+

+/**

+ * Set a KDC post-receive hook function.

+ *

+ * @a recv_hook will be called after a reply is received from a KDC during a

+ * call to a library function such as krb5_get_credentials().  The hook

+ * function may inspect or override the reply.  This hook will not be executed

+ * if the pre-send hook returns a synthetic reply.

+ *

+ * @param [in] context          The library context.

+ * @param [in] recv_hook        Hook function (or NULL to disable the hook)

+ * @param [in] data             Callback data to be passed to @a recv_hook

+ */

+void KRB5_CALLCONV

+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,

+                       void *data);

+

+

 #if TARGET_OS_MAC

 #    pragma pack(pop)

 #endif

diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports

index c623409..ea6982d 100644

--- a/src/lib/krb5/libkrb5.exports

+++ b/src/lib/krb5/libkrb5.exports

@@ -581,6 +581,8 @@ krb5_set_password

 krb5_set_password_using_ccache

 krb5_set_principal_realm

 krb5_set_real_time

+krb5_set_kdc_send_hook

+krb5_set_kdc_recv_hook

 krb5_set_time_offsets

 krb5_set_trace_callback

 krb5_set_trace_filename

diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c

index 6231de2..be00b8f 100644

--- a/src/lib/krb5/os/sendto_kdc.c

+++ b/src/lib/krb5/os/sendto_kdc.c

@@ -403,6 +403,22 @@ check_for_svc_unavailable (krb5_context context,

     return 1;

 }

+void

+krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook,

+                       void *data)

+{

+    context->kdc_send_hook = send_hook;

+    context->kdc_send_hook_data = data;

+}

+

+void

+krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook,

+                       void *data)

+{

+    context->kdc_recv_hook = recv_hook;

+    context->kdc_recv_hook_data = data;

+}

+

 /*

  * send the formatted request 'message' to a KDC for realm 'realm' and

  * return the response (if any) in 'reply'.

@@ -416,13 +432,16 @@ check_for_svc_unavailable (krb5_context context,

 krb5_error_code

 krb5_sendto_kdc(krb5_context context, const krb5_data *message,

-                const krb5_data *realm, krb5_data *reply, int *use_master,

+                const krb5_data *realm, krb5_data *reply_out, int *use_master,

                 int no_udp)

 {

     krb5_error_code retval, err;

     struct serverlist servers;

     int server_used;

     k5_transport_strategy strategy;

+    krb5_data reply = empty_data(), *hook_message = NULL, *hook_reply = NULL;

+

+    *reply_out = empty_data();

     /*

      * find KDC location(s) for realm

@@ -467,9 +486,26 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,

     if (retval)

         return retval;

+    if (context->kdc_send_hook != NULL) {

+        retval = context->kdc_send_hook(context, context->kdc_send_hook_data,

+                                        realm, message, &hook_message,

+                                        &hook_reply);

+        if (retval)

+            goto cleanup;

+

+        if (hook_reply != NULL) {

+            *reply_out = *hook_reply;

+            free(hook_reply);

+            goto cleanup;

+        }

+

+        if (hook_message != NULL)

+            message = hook_message;

+    }

+

     err = 0;

     retval = k5_sendto(context, message, realm, &servers, strategy, NULL,

-                       reply, NULL, NULL, &server_used,

+                       &reply, NULL, NULL, &server_used,

                        check_for_svc_unavailable, &err;;

     if (retval == KRB5_KDC_UNREACH) {

         if (err == KDC_ERR_SVC_UNAVAILABLE) {

@@ -480,9 +516,23 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,

                       realm->length, realm->data);

         }

     }

+

+    if (context->kdc_recv_hook != NULL) {

+        retval = context->kdc_recv_hook(context, context->kdc_recv_hook_data,

+                                        retval, realm, message, &reply,

+                                        &hook_reply);

+    }

     if (retval)

         goto cleanup;

+    if (hook_reply != NULL) {

+        *reply_out = *hook_reply;

+        free(hook_reply);

+    } else {

+        *reply_out = reply;

+        reply = empty_data();

+    }

+

     /* Set use_master to 1 if we ended up talking to a master when we didn't

      * explicitly request to. */

     if (*use_master == 0) {

@@ -492,6 +542,8 @@ krb5_sendto_kdc(krb5_context context, const krb5_data *message,

     }

 cleanup:

+    krb5_free_data(context, hook_message);

+    krb5_free_data_contents(context, &reply);

     k5_free_serverlist(&servers);

     return retval;

 }

diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def

index 3734e9b..8d58ea1 100644

--- a/src/lib/krb5_32.def

+++ b/src/lib/krb5_32.def

@@ -463,3 +463,7 @@ EXPORTS

 	krb5_vwrap_error_message			@430

 	krb5_c_prfplus					@431

 	krb5_c_derive_prfplus				@432

+

+; new in 1.15

+	krb5_set_kdc_send_hook				@433

+	krb5_set_kdc_recv_hook				@434

-- 

2.9.3