kdc: add finalize_reply API to windc plugin

Allow a windc plugin to finalize the KDC reply (including the encrypted ticket
and reply parts) before encoding for transmission.

kdc/kerberos5.c

@@ -2745,6 +2745,13 @@ _kdc_as_rep(astgs_request_t r)
 	}
     }
 
+    /*
+     * Last chance for plugins to update reply
+     */
+    ret = _kdc_finalize_reply(r);
+    if (ret)
+	goto out;
+
     /*
      * Don't send kvno from client entry if the pre-authentication
      * mechanism replaced the reply key.

kdc/krb5tgs.c

@@ -841,6 +841,10 @@ tgs_make_reply(astgs_request_t r,
 	}
     }
 
+    ret = _kdc_finalize_reply(r);
+    if (ret)
+	goto out;
+
     /* It is somewhat unclear where the etype in the following
        encryption should come from. What we have is a session
        key in the passed tgt, and a list of preferred etypes

kdc/windc.c

@@ -234,6 +234,30 @@ _kdc_check_access(astgs_request_t r, METHOD_DATA *method_data)
     return ret;
 }
 
+static krb5_error_code KRB5_LIB_CALL
+finalize(krb5_context context, const void *plug, void *plugctx, void *userctx)
+{
+    krb5plugin_windc_ftable *ft = (krb5plugin_windc_ftable *)plug;
+
+    if (ft->finalize_reply == NULL)
+	return KRB5_PLUGIN_NO_HANDLE;
+    return ft->finalize_reply((void *)plug, (astgs_request_t)userctx);
+}
+
+krb5_error_code
+_kdc_finalize_reply(astgs_request_t r)
+{
+    krb5_error_code ret = KRB5_PLUGIN_NO_HANDLE;
+
+    if (have_plugin)
+        ret = _krb5_plugin_run_f(r->context, &windc_plugin_data, 0, r, finalize);
+
+    if (ret == KRB5_PLUGIN_NO_HANDLE)
+        ret = 0;
+
+    return ret;
+}
+
 uintptr_t KRB5_CALLCONV
 kdc_get_instance(const char *libname)
 {

kdc/windc_plugin.h

@@ -37,6 +37,7 @@
 #define HEIMDAL_KDC_WINDC_PLUGIN_H 1
 
 #include <krb5.h>
+#include <kdc.h>
 
 /*
  * The PAC generate function should allocate a krb5_pac using
@@ -77,8 +78,10 @@ typedef krb5_error_code
 	hdb_entry_ex *, const char *, 
 	KDC_REQ *, METHOD_DATA *);
 
+typedef krb5_error_code
+(KRB5_CALLCONV *krb5plugin_windc_finalize_reply)(void *, astgs_request_t r);
 
-#define KRB5_WINDC_PLUGIN_MINOR			7
+#define KRB5_WINDC_PLUGIN_MINOR			8
 #define KRB5_WINDC_PLUGING_MINOR KRB5_WINDC_PLUGIN_MINOR
 
 typedef struct krb5plugin_windc_ftable {
@@ -88,6 +91,7 @@ typedef struct krb5plugin_windc_ftable {
     krb5plugin_windc_pac_generate	pac_generate;
     krb5plugin_windc_pac_verify		pac_verify;
     krb5plugin_windc_client_access	client_access;
+    krb5plugin_windc_finalize_reply	finalize_reply;
 } krb5plugin_windc_ftable;
 
 #endif /* HEIMDAL_KDC_WINDC_PLUGIN_H */

tests/plugin/windc.c

@@ -107,13 +107,21 @@ client_access(void *ctx,
     return 0;
 }
 
+static krb5_error_code KRB5_CALLCONV
+finalize_reply(void *ctx, astgs_request_t r)
+{
+    krb5_warnx(r->context, "finalize_reply");
+    return 0;
+}
+
 static krb5plugin_windc_ftable windc = {
     KRB5_WINDC_PLUGING_MINOR,
     windc_init,
     windc_fini,
     pac_generate,
     pac_verify,
-    client_access
+    client_access,
+    finalize_reply
 };
 
 static const krb5plugin_windc_ftable *const windc_plugins[] = {