static void
otp_edata(krb5_context context, krb5_kdc_req *request,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type,
krb5_kdcpreauth_edata_respond_fn respond, void *arg)
{
krb5_otp_tokeninfo ti, *tis[2] = { &ti, NULL };
krb5_keyblock *armor_key = NULL;
krb5_pa_otp_challenge chl;
krb5_pa_data *pa = NULL;
krb5_error_code retval;
krb5_data *encoding;
char *config;
/* Determine if otp is enabled for the user. */
retval = cb->get_string(context, rock, "otp", &config);
if (retval == 0 && config == NULL)
retval = ENOENT;
if (retval != 0)
goto out;
cb->free_string(context, rock, config);
/* Get the armor key. This indicates the length of random data to use in
* the nonce. */
armor_key = cb->fast_armor(context, rock);
if (armor_key == NULL) {
retval = ENOENT;
goto out;
}
/* Build the (mostly empty) challenge. */
memset(&ti, 0, sizeof(ti));
memset(&chl, 0, sizeof(chl));
chl.tokeninfo = tis;
ti.format = -1;
ti.length = -1;
ti.iteration_count = -1;
/* Generate the nonce. */
retval = nonce_generate(context, armor_key->length, &chl.nonce);
if (retval != 0)
goto out;
/* Build the output pa-data. */
retval = encode_krb5_pa_otp_challenge(&chl, &encoding);
if (retval != 0)
goto out;
pa = k5alloc(sizeof(krb5_pa_data), &retval);
if (pa == NULL) {
krb5_free_data(context, encoding);
goto out;
}
pa->pa_type = KRB5_PADATA_OTP_CHALLENGE;
pa->contents = (krb5_octet *)encoding->data;
pa->length = encoding->length;
free(encoding);
out:
(*respond)(arg, retval, pa);
}
static void
otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *pa,
krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond, void *arg)
{
krb5_keyblock *armor_key = NULL;
krb5_pa_otp_req *req = NULL;
struct request_state *rs;
krb5_error_code retval;
krb5_data d, plaintext;
char *config;
enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH;
/* Get the FAST armor key. */
armor_key = cb->fast_armor(context, rock);
if (armor_key == NULL) {
retval = KRB5KDC_ERR_PREAUTH_FAILED;
com_err("otp", retval, "No armor key found when verifying padata");
goto error;
}
/* Decode the request. */
d = make_data(pa->contents, pa->length);
retval = decode_krb5_pa_otp_req(&d, &req);
if (retval != 0) {
com_err("otp", retval, "Unable to decode OTP request");
goto error;
}
/* Decrypt the nonce from the request. */
retval = decrypt_encdata(context, armor_key, req, &plaintext);
if (retval != 0) {
com_err("otp", retval, "Unable to decrypt nonce");
goto error;
}
/* Verify the nonce or timestamp. */
retval = nonce_verify(context, armor_key, &plaintext);
if (retval != 0)
retval = timestamp_verify(context, &plaintext);
krb5_free_data_contents(context, &plaintext);
if (retval != 0) {
com_err("otp", retval, "Unable to verify nonce or timestamp");
goto error;
}
/* Create the request state. */
rs = k5alloc(sizeof(struct request_state), &retval);
if (rs == NULL)
goto error;
rs->arg = arg;
rs->respond = respond;
/* Get the principal's OTP configuration string. */
retval = cb->get_string(context, rock, "otp", &config);
if (retval == 0 && config == NULL)
retval = KRB5_PREAUTH_FAILED;
if (retval != 0) {
free(rs);
goto error;
}
/* Send the request. */
otp_state_verify((otp_state *)moddata, cb->event_context(context, rock),
request->client, config, req, on_response, rs);
cb->free_string(context, rock, config);
k5_free_pa_otp_req(context, req);
return;
error:
k5_free_pa_otp_req(context, req);
(*respond)(arg, retval, NULL, NULL, NULL);
}
