author | Greg Hudson <ghudson@mit.edu> | 2015-08-12 11:58:17 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2015-08-26 11:14:49 -0400 |
commit | 4e15c03b54464b661c6578f78de3bd348163fc07 (patch) | |
tree | 016186cdeceb26a05f34730ef2675306ff562709 /src/include/krb5/kdcpreauth_plugin.h | |
parent | 312b3bc29a0c52a0a82055f566241964532c2128 (diff) | |
Add secure cookie support
Remove the existing support for creating trivial cookies. Add new
functions to fast_util.c for reading and generating secure cookies.
Add new kdcpreauth callbacks "get_cookie" and "set_cookie" to allow
preauth mechs to retrieve and set cookie values.
Based on a patch by Nathaniel McCallum.
ticket: 8233 (new)
Diffstat (limited to 'src/include/krb5/kdcpreauth_plugin.h')
-rw-r--r-- | src/include/krb5/kdcpreauth_plugin.h | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h
index 356004f..f455eff 100644
--- a/src/include/krb5/kdcpreauth_plugin.h
+++ b/src/include/krb5/kdcpreauth_plugin.h
@@ -198,6 +198,27 @@ typedef struct krb5_kdcpreauth_callbacks_st {
 krb5_kdcpreauth_rock rock,
 const char *indicator);
+ /*
+ * Read a data value for pa_type from the request cookie, placing it in
+ * *out. The value placed there is an alias and must not be freed.
+ * Returns true if a value for pa_type was retrieved, false if not.
+ */
+ krb5_boolean (*get_cookie)(krb5_context context, krb5_kdcpreauth_rock rock,
+ krb5_preauthtype pa_type, krb5_data *out);
+
+ /*
+ * Set a data value for pa_type to be sent in a secure cookie in the next
+ * error response. If pa_type is already present, the value is ignored.
+ * If the preauth mechanism has different preauth types for requests and
+ * responses, use the request type. Secure cookies are encrypted in a key
+ * known only to the KDCs, but can be replayed within a short time window
+ * for requests using the same client principal.
+ */
+ krb5_error_code (*set_cookie)(krb5_context context,
+ krb5_kdcpreauth_rock rock,
+ krb5_preauthtype pa_type,
+ const krb5_data *data);
+
 /* End of version 3 kdcpreauth callbacks. */
 } *krb5_kdcpreauth_callbacks;
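Review bot: The set_cookie comment states that the value is ignored when pa_type is already present, but not what the callback returns in that case, so a mechanism author cannot tell whether to treat it as success or failure; I would extend the comment with `Returns 0 when the value is ignored` (or name the error code actually used). Likewise the get_cookie comment says *out is an alias that must not be freed but not how long the alias stays valid nor what *out holds on a false return — presumably it lives as long as the request rock, which is worth stating explicitly. Since the comment already notes that cookies can be replayed within a window for the same client principal, it would help implementers to spell out the consequence: a retrieved cookie value is not proof that the previous round trip happened exactly once, so nothing single-use should be stored in it. The new members are placed before the `End of version 3 kdcpreauth callbacks` marker; if version 3 has already shipped in a release, modules have no way to detect the presence of these callbacks without a version bump, so please confirm that is not the case.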