static void otp_edata(krb5_context context, krb5_kdc_req *request, krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type, krb5_kdcpreauth_edata_respond_fn respond, void *arg) { krb5_otp_tokeninfo ti, *tis[2] = { &ti, NULL }; krb5_keyblock *armor_key = NULL; krb5_pa_otp_challenge chl; krb5_pa_data *pa = NULL; krb5_error_code retval; krb5_data *encoding; char *config; /* Determine if otp is enabled for the user. */ retval = cb->get_string(context, rock, "otp", &config); if (retval == 0 && config == NULL) retval = ENOENT; if (retval != 0) goto out; cb->free_string(context, rock, config); /* Get the armor key. This indicates the length of random data to use in * the nonce. */ armor_key = cb->fast_armor(context, rock); if (armor_key == NULL) { retval = ENOENT; goto out; } /* Build the (mostly empty) challenge. */ memset(&ti, 0, sizeof(ti)); memset(&chl, 0, sizeof(chl)); chl.tokeninfo = tis; ti.format = -1; ti.length = -1; ti.iteration_count = -1; /* Generate the nonce. */ retval = nonce_generate(context, armor_key->length, &chl.nonce); if (retval != 0) goto out; /* Build the output pa-data. */ retval = encode_krb5_pa_otp_challenge(&chl, &encoding); if (retval != 0) goto out; pa = k5alloc(sizeof(krb5_pa_data), &retval); if (pa == NULL) { krb5_free_data(context, encoding); goto out; } pa->pa_type = KRB5_PADATA_OTP_CHALLENGE; pa->contents = (krb5_octet *)encoding->data; pa->length = encoding->length; free(encoding); out: (*respond)(arg, retval, pa); }
static void otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa, krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_verify_respond_fn respond, void *arg) { krb5_keyblock *armor_key = NULL; krb5_pa_otp_req *req = NULL; struct request_state *rs; krb5_error_code retval; krb5_data d, plaintext; char *config; enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; /* Get the FAST armor key. */ armor_key = cb->fast_armor(context, rock); if (armor_key == NULL) { retval = KRB5KDC_ERR_PREAUTH_FAILED; com_err("otp", retval, "No armor key found when verifying padata"); goto error; } /* Decode the request. */ d = make_data(pa->contents, pa->length); retval = decode_krb5_pa_otp_req(&d, &req); if (retval != 0) { com_err("otp", retval, "Unable to decode OTP request"); goto error; } /* Decrypt the nonce from the request. */ retval = decrypt_encdata(context, armor_key, req, &plaintext); if (retval != 0) { com_err("otp", retval, "Unable to decrypt nonce"); goto error; } /* Verify the nonce or timestamp. */ retval = nonce_verify(context, armor_key, &plaintext); if (retval != 0) retval = timestamp_verify(context, &plaintext); krb5_free_data_contents(context, &plaintext); if (retval != 0) { com_err("otp", retval, "Unable to verify nonce or timestamp"); goto error; } /* Create the request state. */ rs = k5alloc(sizeof(struct request_state), &retval); if (rs == NULL) goto error; rs->arg = arg; rs->respond = respond; /* Get the principal's OTP configuration string. */ retval = cb->get_string(context, rock, "otp", &config); if (retval == 0 && config == NULL) retval = KRB5_PREAUTH_FAILED; if (retval != 0) { free(rs); goto error; } /* Send the request. */ otp_state_verify((otp_state *)moddata, cb->event_context(context, rock), request->client, config, req, on_response, rs); cb->free_string(context, rock, config); k5_free_pa_otp_req(context, req); return; error: k5_free_pa_otp_req(context, req); (*respond)(arg, retval, NULL, NULL, NULL); }