|
jpayne@69
|
1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
|
|
jpayne@69
|
2 /*
|
|
jpayne@69
|
3 * Copyright (c) 2006 Red Hat, Inc.
|
|
jpayne@69
|
4 * Portions copyright (c) 2006, 2011 Massachusetts Institute of Technology
|
|
jpayne@69
|
5 * All Rights Reserved.
|
|
jpayne@69
|
6 *
|
|
jpayne@69
|
7 * Redistribution and use in source and binary forms, with or without
|
|
jpayne@69
|
8 * modification, are permitted provided that the following conditions are met:
|
|
jpayne@69
|
9 *
|
|
jpayne@69
|
10 * * Redistributions of source code must retain the above copyright
|
|
jpayne@69
|
11 * notice, this list of conditions and the following disclaimer.
|
|
jpayne@69
|
12 * * Redistributions in binary form must reproduce the above copyright
|
|
jpayne@69
|
13 * notice, this list of conditions and the following disclaimer in
|
|
jpayne@69
|
14 * the documentation and/or other materials provided with the
|
|
jpayne@69
|
15 * distribution.
|
|
jpayne@69
|
16 * * Neither the name of Red Hat, Inc., nor the names of its
|
|
jpayne@69
|
17 * contributors may be used to endorse or promote products derived
|
|
jpayne@69
|
18 * from this software without specific prior written permission.
|
|
jpayne@69
|
19 *
|
|
jpayne@69
|
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
|
|
jpayne@69
|
21 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
jpayne@69
|
22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
|
|
jpayne@69
|
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
|
|
jpayne@69
|
24 * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
jpayne@69
|
25 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
jpayne@69
|
26 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
|
jpayne@69
|
27 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
jpayne@69
|
28 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
|
jpayne@69
|
29 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
jpayne@69
|
30 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
jpayne@69
|
31 */
|
|
jpayne@69
|
32
|
|
jpayne@69
|
33 /*
|
|
jpayne@69
|
34 * Declarations for kdcpreauth plugin module implementors.
|
|
jpayne@69
|
35 *
|
|
jpayne@69
|
36 * The kdcpreauth interface has a single supported major version, which is 1.
|
|
jpayne@69
|
37 * Major version 1 has a current minor version of 2. kdcpreauth modules should
|
|
jpayne@69
|
38 * define a function named kdcpreauth_<modulename>_initvt, matching the
|
|
jpayne@69
|
39 * signature:
|
|
jpayne@69
|
40 *
|
|
jpayne@69
|
41 * krb5_error_code
|
|
jpayne@69
|
42 * kdcpreauth_modname_initvt(krb5_context context, int maj_ver, int min_ver,
|
|
jpayne@69
|
43 * krb5_plugin_vtable vtable);
|
|
jpayne@69
|
44 *
|
|
jpayne@69
|
45 * The initvt function should:
|
|
jpayne@69
|
46 *
|
|
jpayne@69
|
47 * - Check that the supplied maj_ver number is supported by the module, or
|
|
jpayne@69
|
48 * return KRB5_PLUGIN_VER_NOTSUPP if it is not.
|
|
jpayne@69
|
49 *
|
|
jpayne@69
|
50 * - Cast the vtable pointer as appropriate for the interface and maj_ver:
|
|
jpayne@69
|
51 * kdcpreauth, maj_ver == 1: Cast to krb5_kdcpreauth_vtable
|
|
jpayne@69
|
52 *
|
|
jpayne@69
|
53 * - Initialize the methods of the vtable, stopping as appropriate for the
|
|
jpayne@69
|
54 * supplied min_ver. Optional methods may be left uninitialized.
|
|
jpayne@69
|
55 *
|
|
jpayne@69
|
56 * Memory for the vtable is allocated by the caller, not by the module.
|
|
jpayne@69
|
57 */
|
|
jpayne@69
|
58
|
|
jpayne@69
|
59 #ifndef KRB5_KDCPREAUTH_PLUGIN_H
|
|
jpayne@69
|
60 #define KRB5_KDCPREAUTH_PLUGIN_H
|
|
jpayne@69
|
61
|
|
jpayne@69
|
62 #include <krb5/krb5.h>
|
|
jpayne@69
|
63 #include <krb5/plugin.h>
|
|
jpayne@69
|
64
|
|
jpayne@69
|
65 /* kdcpreauth mechanism property flags */
|
|
jpayne@69
|
66
|
|
jpayne@69
|
67 /*
|
|
jpayne@69
|
68 * Causes the KDC to include this mechanism in a list of supported preauth
|
|
jpayne@69
|
69 * types if the user's DB entry flags the user as requiring hardware-based
|
|
jpayne@69
|
70 * preauthentication.
|
|
jpayne@69
|
71 */
|
|
jpayne@69
|
72 #define PA_HARDWARE 0x00000004
|
|
jpayne@69
|
73
|
|
jpayne@69
|
74 /*
|
|
jpayne@69
|
75 * Causes the KDC to include this mechanism in a list of supported preauth
|
|
jpayne@69
|
76 * types if the user's DB entry flags the user as requiring preauthentication,
|
|
jpayne@69
|
77 * and to fail preauthentication if we can't verify the client data. The
|
|
jpayne@69
|
78 * flipside of PA_SUFFICIENT.
|
|
jpayne@69
|
79 */
|
|
jpayne@69
|
80 #define PA_REQUIRED 0x00000008
|
|
jpayne@69
|
81
|
|
jpayne@69
|
82 /*
|
|
jpayne@69
|
83 * Causes the KDC to include this mechanism in a list of supported preauth
|
|
jpayne@69
|
84 * types if the user's DB entry flags the user as requiring preauthentication,
|
|
jpayne@69
|
85 * and to mark preauthentication as successful if we can verify the client
|
|
jpayne@69
|
86 * data. The flipside of PA_REQUIRED.
|
|
jpayne@69
|
87 */
|
|
jpayne@69
|
88 #define PA_SUFFICIENT 0x00000010
|
|
jpayne@69
|
89
|
|
jpayne@69
|
90 /*
|
|
jpayne@69
|
91 * Marks this preauthentication mechanism as one which changes the key which is
|
|
jpayne@69
|
92 * used for encrypting the response to the client. Modules which have this
|
|
jpayne@69
|
93 * flag have their server_return_fn called before modules which do not, and are
|
|
jpayne@69
|
94 * passed over if a previously-called module has modified the encrypting key.
|
|
jpayne@69
|
95 */
|
|
jpayne@69
|
96 #define PA_REPLACES_KEY 0x00000020
|
|
jpayne@69
|
97
|
|
jpayne@69
|
98 /*
|
|
jpayne@69
|
99 * Not really a padata type, so don't include it in any list of preauth types
|
|
jpayne@69
|
100 * which gets sent over the wire.
|
|
jpayne@69
|
101 */
|
|
jpayne@69
|
102 #define PA_PSEUDO 0x00000080
|
|
jpayne@69
|
103
|
|
jpayne@69
|
104 /*
|
|
jpayne@69
|
105 * Indicates that e_data in non-FAST errors should be encoded as typed data
|
|
jpayne@69
|
106 * instead of padata.
|
|
jpayne@69
|
107 */
|
|
jpayne@69
|
108 #define PA_TYPED_E_DATA 0x00000100
|
|
jpayne@69
|
109
|
|
jpayne@69
|
110 /* Abstract type for a KDC callback data handle. */
|
|
jpayne@69
|
111 typedef struct krb5_kdcpreauth_rock_st *krb5_kdcpreauth_rock;
|
|
jpayne@69
|
112
|
|
jpayne@69
|
113 /* Abstract type for module data and per-request module data. */
|
|
jpayne@69
|
114 typedef struct krb5_kdcpreauth_moddata_st *krb5_kdcpreauth_moddata;
|
|
jpayne@69
|
115 typedef struct krb5_kdcpreauth_modreq_st *krb5_kdcpreauth_modreq;
|
|
jpayne@69
|
116
|
|
jpayne@69
|
117 /* The verto context structure type (typedef is in verto.h; we want to avoid a
|
|
jpayne@69
|
118 * header dependency for the moment). */
|
|
jpayne@69
|
119 struct verto_ctx;
|
|
jpayne@69
|
120
|
|
jpayne@69
|
121 /* Before using a callback after version 1, modules must check the vers
|
|
jpayne@69
|
122 * field of the callback structure. */
|
|
jpayne@69
|
123 typedef struct krb5_kdcpreauth_callbacks_st {
|
|
jpayne@69
|
124 int vers;
|
|
jpayne@69
|
125
|
|
jpayne@69
|
126 krb5_deltat (*max_time_skew)(krb5_context context,
|
|
jpayne@69
|
127 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
128
|
|
jpayne@69
|
129 /*
|
|
jpayne@69
|
130 * Get an array of krb5_keyblock structures containing the client keys
|
|
jpayne@69
|
131 * matching the request enctypes, terminated by an entry with key type = 0.
|
|
jpayne@69
|
132 * Returns ENOENT if no keys are available for the request enctypes. Free
|
|
jpayne@69
|
133 * the resulting object with the free_keys callback.
|
|
jpayne@69
|
134 */
|
|
jpayne@69
|
135 krb5_error_code (*client_keys)(krb5_context context,
|
|
jpayne@69
|
136 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
137 krb5_keyblock **keys_out);
|
|
jpayne@69
|
138
|
|
jpayne@69
|
139 /* Free the result of client_keys. */
|
|
jpayne@69
|
140 void (*free_keys)(krb5_context context, krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
141 krb5_keyblock *keys);
|
|
jpayne@69
|
142
|
|
jpayne@69
|
143 /*
|
|
jpayne@69
|
144 * Get the encoded request body, which is sometimes needed for checksums.
|
|
jpayne@69
|
145 * For a FAST request this is the encoded inner request body. The returned
|
|
jpayne@69
|
146 * pointer is an alias and should not be freed.
|
|
jpayne@69
|
147 */
|
|
jpayne@69
|
148 krb5_data *(*request_body)(krb5_context context,
|
|
jpayne@69
|
149 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
150
|
|
jpayne@69
|
151 /* Get a pointer to the FAST armor key, or NULL if the request did not use
|
|
jpayne@69
|
152 * FAST. The returned pointer is an alias and should not be freed. */
|
|
jpayne@69
|
153 krb5_keyblock *(*fast_armor)(krb5_context context,
|
|
jpayne@69
|
154 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
155
|
|
jpayne@69
|
156 /* Retrieve a string attribute from the client DB entry, or NULL if no such
|
|
jpayne@69
|
157 * attribute is set. Free the result with the free_string callback. */
|
|
jpayne@69
|
158 krb5_error_code (*get_string)(krb5_context context,
|
|
jpayne@69
|
159 krb5_kdcpreauth_rock rock, const char *key,
|
|
jpayne@69
|
160 char **value_out);
|
|
jpayne@69
|
161
|
|
jpayne@69
|
162 /* Free the result of get_string. */
|
|
jpayne@69
|
163 void (*free_string)(krb5_context context, krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
164 char *string);
|
|
jpayne@69
|
165
|
|
jpayne@69
|
166 /* Get a pointer to the client DB entry (returned as a void pointer to
|
|
jpayne@69
|
167 * avoid a dependency on a libkdb5 type). */
|
|
jpayne@69
|
168 void *(*client_entry)(krb5_context context, krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
169
|
|
jpayne@69
|
170 /* Get a pointer to the verto context which should be used by an
|
|
jpayne@69
|
171 * asynchronous edata or verify method. */
|
|
jpayne@69
|
172 struct verto_ctx *(*event_context)(krb5_context context,
|
|
jpayne@69
|
173 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
174
|
|
jpayne@69
|
175 /* End of version 1 kdcpreauth callbacks. */
|
|
jpayne@69
|
176
|
|
jpayne@69
|
177 /* Return true if the client DB entry contains any keys matching the
|
|
jpayne@69
|
178 * request enctypes. */
|
|
jpayne@69
|
179 krb5_boolean (*have_client_keys)(krb5_context context,
|
|
jpayne@69
|
180 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
181
|
|
jpayne@69
|
182 /* End of version 2 kdcpreauth callbacks. */
|
|
jpayne@69
|
183
|
|
jpayne@69
|
184 /*
|
|
jpayne@69
|
185 * Get the current reply key. Initially the reply key is the decrypted
|
|
jpayne@69
|
186 * client long-term key chosen according to the request enctype list, or
|
|
jpayne@69
|
187 * NULL if no matching key was found. The value may be changed by the
|
|
jpayne@69
|
188 * replace_reply_key callback or a return_padata method modifying
|
|
jpayne@69
|
189 * encrypting_key. The returned pointer is an alias and should not be
|
|
jpayne@69
|
190 * freed.
|
|
jpayne@69
|
191 */
|
|
jpayne@69
|
192 const krb5_keyblock *(*client_keyblock)(krb5_context context,
|
|
jpayne@69
|
193 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
194
|
|
jpayne@69
|
195 /* Assert an authentication indicator in the AS-REP authdata. Duplicate
|
|
jpayne@69
|
196 * indicators will be ignored. */
|
|
jpayne@69
|
197 krb5_error_code (*add_auth_indicator)(krb5_context context,
|
|
jpayne@69
|
198 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
199 const char *indicator);
|
|
jpayne@69
|
200
|
|
jpayne@69
|
201 /*
|
|
jpayne@69
|
202 * Read a data value for pa_type from the request cookie, placing it in
|
|
jpayne@69
|
203 * *out. The value placed there is an alias and must not be freed.
|
|
jpayne@69
|
204 * Returns true if a value for pa_type was retrieved, false if not.
|
|
jpayne@69
|
205 */
|
|
jpayne@69
|
206 krb5_boolean (*get_cookie)(krb5_context context, krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
207 krb5_preauthtype pa_type, krb5_data *out);
|
|
jpayne@69
|
208
|
|
jpayne@69
|
209 /*
|
|
jpayne@69
|
210 * Set a data value for pa_type to be sent in a secure cookie in the next
|
|
jpayne@69
|
211 * error response. If pa_type is already present, the value is ignored.
|
|
jpayne@69
|
212 * If the preauth mechanism has different preauth types for requests and
|
|
jpayne@69
|
213 * responses, use the request type. Secure cookies are encrypted in a key
|
|
jpayne@69
|
214 * known only to the KDCs, but can be replayed within a short time window
|
|
jpayne@69
|
215 * for requests using the same client principal.
|
|
jpayne@69
|
216 */
|
|
jpayne@69
|
217 krb5_error_code (*set_cookie)(krb5_context context,
|
|
jpayne@69
|
218 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
219 krb5_preauthtype pa_type,
|
|
jpayne@69
|
220 const krb5_data *data);
|
|
jpayne@69
|
221
|
|
jpayne@69
|
222 /* End of version 3 kdcpreauth callbacks. */
|
|
jpayne@69
|
223
|
|
jpayne@69
|
224 /*
|
|
jpayne@69
|
225 * Return true if princ matches the principal named in the request or the
|
|
jpayne@69
|
226 * client principal (possibly canonicalized). If princ does not match,
|
|
jpayne@69
|
227 * attempt a database lookup of princ with aliases allowed and compare the
|
|
jpayne@69
|
228 * result to the client principal, returning true if it matches.
|
|
jpayne@69
|
229 * Otherwise, return false.
|
|
jpayne@69
|
230 */
|
|
jpayne@69
|
231 krb5_boolean (*match_client)(krb5_context context,
|
|
jpayne@69
|
232 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
233 krb5_principal princ);
|
|
jpayne@69
|
234
|
|
jpayne@69
|
235 /*
|
|
jpayne@69
|
236 * Get an alias to the client DB entry principal (possibly canonicalized).
|
|
jpayne@69
|
237 */
|
|
jpayne@69
|
238 krb5_principal (*client_name)(krb5_context context,
|
|
jpayne@69
|
239 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
240
|
|
jpayne@69
|
241 /* End of version 4 kdcpreauth callbacks. */
|
|
jpayne@69
|
242
|
|
jpayne@69
|
243 /*
|
|
jpayne@69
|
244 * Instruct the KDC to send a freshness token in the method data
|
|
jpayne@69
|
245 * accompanying a PREAUTH_REQUIRED or PREAUTH_FAILED error, if the client
|
|
jpayne@69
|
246 * indicated support for freshness tokens. This callback should only be
|
|
jpayne@69
|
247 * invoked from the edata method.
|
|
jpayne@69
|
248 */
|
|
jpayne@69
|
249 void (*send_freshness_token)(krb5_context context,
|
|
jpayne@69
|
250 krb5_kdcpreauth_rock rock);
|
|
jpayne@69
|
251
|
|
jpayne@69
|
252 /* Validate a freshness token sent by the client. Return 0 on success,
|
|
jpayne@69
|
253 * KRB5KDC_ERR_PREAUTH_EXPIRED on error. */
|
|
jpayne@69
|
254 krb5_error_code (*check_freshness_token)(krb5_context context,
|
|
jpayne@69
|
255 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
256 const krb5_data *token);
|
|
jpayne@69
|
257
|
|
jpayne@69
|
258 /* End of version 5 kdcpreauth callbacks. */
|
|
jpayne@69
|
259
|
|
jpayne@69
|
260 /*
|
|
jpayne@69
|
261 * Replace the reply key with key. If is_strengthen is true, key must be a
|
|
jpayne@69
|
262 * derivative of the client long-term key. This callback may be invoked
|
|
jpayne@69
|
263 * from the verify or return_padata methods. If it is invoked from the
|
|
jpayne@69
|
264 * verify method, the new key will appear as the encrypting_key input to
|
|
jpayne@69
|
265 * return_padata.
|
|
jpayne@69
|
266 */
|
|
jpayne@69
|
267 krb5_error_code (*replace_reply_key)(krb5_context context,
|
|
jpayne@69
|
268 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
269 const krb5_keyblock *key,
|
|
jpayne@69
|
270 krb5_boolean is_strengthen);
|
|
jpayne@69
|
271
|
|
jpayne@69
|
272 /* End of version 6 kdcpreauth callbacks. */
|
|
jpayne@69
|
273
|
|
jpayne@69
|
274 } *krb5_kdcpreauth_callbacks;
|
|
jpayne@69
|
275
|
|
jpayne@69
|
276 /* Optional: preauth plugin initialization function. */
|
|
jpayne@69
|
277 typedef krb5_error_code
|
|
jpayne@69
|
278 (*krb5_kdcpreauth_init_fn)(krb5_context context,
|
|
jpayne@69
|
279 krb5_kdcpreauth_moddata *moddata_out,
|
|
jpayne@69
|
280 const char **realmnames);
|
|
jpayne@69
|
281
|
|
jpayne@69
|
282 /* Optional: preauth plugin cleanup function. */
|
|
jpayne@69
|
283 typedef void
|
|
jpayne@69
|
284 (*krb5_kdcpreauth_fini_fn)(krb5_context context,
|
|
jpayne@69
|
285 krb5_kdcpreauth_moddata moddata);
|
|
jpayne@69
|
286
|
|
jpayne@69
|
287 /*
|
|
jpayne@69
|
288 * Optional: return the flags which the KDC should use for this module. This
|
|
jpayne@69
|
289 * is a callback instead of a static value because the module may or may not
|
|
jpayne@69
|
290 * wish to count itself as a hardware preauthentication module (in other words,
|
|
jpayne@69
|
291 * the flags may be affected by the configuration, for example if a site
|
|
jpayne@69
|
292 * administrator can force a particular preauthentication type to be supported
|
|
jpayne@69
|
293 * using only hardware). This function is called for each entry entry in the
|
|
jpayne@69
|
294 * server_pa_type_list.
|
|
jpayne@69
|
295 */
|
|
jpayne@69
|
296 typedef int
|
|
jpayne@69
|
297 (*krb5_kdcpreauth_flags_fn)(krb5_context context, krb5_preauthtype pa_type);
|
|
jpayne@69
|
298
|
|
jpayne@69
|
299 /*
|
|
jpayne@69
|
300 * Responder for krb5_kdcpreauth_edata_fn. If invoked with a non-zero code, pa
|
|
jpayne@69
|
301 * will be ignored and the padata type will not be included in the hint list.
|
|
jpayne@69
|
302 * If invoked with a zero code and a null pa value, the padata type will be
|
|
jpayne@69
|
303 * included in the list with an empty value. If invoked with a zero code and a
|
|
jpayne@69
|
304 * non-null pa value, pa will be included in the hint list and will later be
|
|
jpayne@69
|
305 * freed by the KDC.
|
|
jpayne@69
|
306 */
|
|
jpayne@69
|
307 typedef void
|
|
jpayne@69
|
308 (*krb5_kdcpreauth_edata_respond_fn)(void *arg, krb5_error_code code,
|
|
jpayne@69
|
309 krb5_pa_data *pa);
|
|
jpayne@69
|
310
|
|
jpayne@69
|
311 /*
|
|
jpayne@69
|
312 * Optional: provide pa_data to send to the client as part of the "you need to
|
|
jpayne@69
|
313 * use preauthentication" error. The implementation must invoke the respond
|
|
jpayne@69
|
314 * when complete, whether successful or not, either before returning or
|
|
jpayne@69
|
315 * asynchronously using the verto context returned by cb->event_context().
|
|
jpayne@69
|
316 *
|
|
jpayne@69
|
317 * This function is not allowed to create a modreq object because we have no
|
|
jpayne@69
|
318 * guarantee that the client will ever make a follow-up request, or that it
|
|
jpayne@69
|
319 * will hit this KDC if it does.
|
|
jpayne@69
|
320 */
|
|
jpayne@69
|
321 typedef void
|
|
jpayne@69
|
322 (*krb5_kdcpreauth_edata_fn)(krb5_context context, krb5_kdc_req *request,
|
|
jpayne@69
|
323 krb5_kdcpreauth_callbacks cb,
|
|
jpayne@69
|
324 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
325 krb5_kdcpreauth_moddata moddata,
|
|
jpayne@69
|
326 krb5_preauthtype pa_type,
|
|
jpayne@69
|
327 krb5_kdcpreauth_edata_respond_fn respond,
|
|
jpayne@69
|
328 void *arg);
|
|
jpayne@69
|
329
|
|
jpayne@69
|
330 /*
|
|
jpayne@69
|
331 * Responder for krb5_kdcpreauth_verify_fn. Invoke with the arg parameter
|
|
jpayne@69
|
332 * supplied to verify, the error code (0 for success), an optional module
|
|
jpayne@69
|
333 * request state object to be consumed by return_fn or free_modreq_fn, optional
|
|
jpayne@69
|
334 * e_data to be passed to the caller if code is nonzero, and optional
|
|
jpayne@69
|
335 * authorization data to be included in the ticket. In non-FAST replies,
|
|
jpayne@69
|
336 * e_data will be encoded as typed-data if the module sets the PA_TYPED_E_DATA
|
|
jpayne@69
|
337 * flag, and as pa-data otherwise. e_data and authz_data will be freed by the
|
|
jpayne@69
|
338 * KDC.
|
|
jpayne@69
|
339 */
|
|
jpayne@69
|
340 typedef void
|
|
jpayne@69
|
341 (*krb5_kdcpreauth_verify_respond_fn)(void *arg, krb5_error_code code,
|
|
jpayne@69
|
342 krb5_kdcpreauth_modreq modreq,
|
|
jpayne@69
|
343 krb5_pa_data **e_data,
|
|
jpayne@69
|
344 krb5_authdata **authz_data);
|
|
jpayne@69
|
345
|
|
jpayne@69
|
346 /*
|
|
jpayne@69
|
347 * Optional: verify preauthentication data sent by the client, setting the
|
|
jpayne@69
|
348 * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
|
|
jpayne@69
|
349 * field as appropriate. The implementation must invoke the respond function
|
|
jpayne@69
|
350 * when complete, whether successful or not, either before returning or
|
|
jpayne@69
|
351 * asynchronously using the verto context returned by cb->event_context().
|
|
jpayne@69
|
352 */
|
|
jpayne@69
|
353 typedef void
|
|
jpayne@69
|
354 (*krb5_kdcpreauth_verify_fn)(krb5_context context,
|
|
jpayne@69
|
355 krb5_data *req_pkt, krb5_kdc_req *request,
|
|
jpayne@69
|
356 krb5_enc_tkt_part *enc_tkt_reply,
|
|
jpayne@69
|
357 krb5_pa_data *data,
|
|
jpayne@69
|
358 krb5_kdcpreauth_callbacks cb,
|
|
jpayne@69
|
359 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
360 krb5_kdcpreauth_moddata moddata,
|
|
jpayne@69
|
361 krb5_kdcpreauth_verify_respond_fn respond,
|
|
jpayne@69
|
362 void *arg);
|
|
jpayne@69
|
363
|
|
jpayne@69
|
364 /*
|
|
jpayne@69
|
365 * Optional: generate preauthentication response data to send to the client as
|
|
jpayne@69
|
366 * part of the AS-REP. If it needs to override the key which is used to
|
|
jpayne@69
|
367 * encrypt the response, it can do so by modifying encrypting_key, but it is
|
|
jpayne@69
|
368 * preferrable to use the replace_reply_key callback.
|
|
jpayne@69
|
369 */
|
|
jpayne@69
|
370 typedef krb5_error_code
|
|
jpayne@69
|
371 (*krb5_kdcpreauth_return_fn)(krb5_context context,
|
|
jpayne@69
|
372 krb5_pa_data *padata,
|
|
jpayne@69
|
373 krb5_data *req_pkt,
|
|
jpayne@69
|
374 krb5_kdc_req *request,
|
|
jpayne@69
|
375 krb5_kdc_rep *reply,
|
|
jpayne@69
|
376 krb5_keyblock *encrypting_key,
|
|
jpayne@69
|
377 krb5_pa_data **send_pa_out,
|
|
jpayne@69
|
378 krb5_kdcpreauth_callbacks cb,
|
|
jpayne@69
|
379 krb5_kdcpreauth_rock rock,
|
|
jpayne@69
|
380 krb5_kdcpreauth_moddata moddata,
|
|
jpayne@69
|
381 krb5_kdcpreauth_modreq modreq);
|
|
jpayne@69
|
382
|
|
jpayne@69
|
383 /* Optional: free a per-request context. */
|
|
jpayne@69
|
384 typedef void
|
|
jpayne@69
|
385 (*krb5_kdcpreauth_free_modreq_fn)(krb5_context,
|
|
jpayne@69
|
386 krb5_kdcpreauth_moddata moddata,
|
|
jpayne@69
|
387 krb5_kdcpreauth_modreq modreq);
|
|
jpayne@69
|
388
|
|
jpayne@69
|
389 /* Optional: invoked after init_fn to provide the module with a pointer to the
|
|
jpayne@69
|
390 * verto main loop. */
|
|
jpayne@69
|
391 typedef krb5_error_code
|
|
jpayne@69
|
392 (*krb5_kdcpreauth_loop_fn)(krb5_context context,
|
|
jpayne@69
|
393 krb5_kdcpreauth_moddata moddata,
|
|
jpayne@69
|
394 struct verto_ctx *ctx);
|
|
jpayne@69
|
395
|
|
jpayne@69
|
396 typedef struct krb5_kdcpreauth_vtable_st {
|
|
jpayne@69
|
397 /* Mandatory: name of module. */
|
|
jpayne@69
|
398 const char *name;
|
|
jpayne@69
|
399
|
|
jpayne@69
|
400 /* Mandatory: pointer to zero-terminated list of pa_types which this module
|
|
jpayne@69
|
401 * can provide services for. */
|
|
jpayne@69
|
402 krb5_preauthtype *pa_type_list;
|
|
jpayne@69
|
403
|
|
jpayne@69
|
404 krb5_kdcpreauth_init_fn init;
|
|
jpayne@69
|
405 krb5_kdcpreauth_fini_fn fini;
|
|
jpayne@69
|
406 krb5_kdcpreauth_flags_fn flags;
|
|
jpayne@69
|
407 krb5_kdcpreauth_edata_fn edata;
|
|
jpayne@69
|
408 krb5_kdcpreauth_verify_fn verify;
|
|
jpayne@69
|
409 krb5_kdcpreauth_return_fn return_padata;
|
|
jpayne@69
|
410 krb5_kdcpreauth_free_modreq_fn free_modreq;
|
|
jpayne@69
|
411 /* Minor 1 ends here. */
|
|
jpayne@69
|
412
|
|
jpayne@69
|
413 krb5_kdcpreauth_loop_fn loop;
|
|
jpayne@69
|
414 /* Minor 2 ends here. */
|
|
jpayne@69
|
415 } *krb5_kdcpreauth_vtable;
|
|
jpayne@69
|
416
|
|
jpayne@69
|
417 #endif /* KRB5_KDCPREAUTH_PLUGIN_H */
|
