diff options
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/kdb.h | 92 |
1 files changed, 49 insertions, 43 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h index cb9a328..53a4e24 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -323,40 +323,11 @@ extern char *krb5_mkey_pwd_prompt2; #define KRB5_DB_LOCKMODE_PERMANENT 0x0008 /* db_invoke methods */ -#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030 -#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040 #define KRB5_KDB_METHOD_AUDIT_AS 0x00000050 #define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060 #define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070 #define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080 -typedef struct _kdb_check_policy_as_req { - krb5_magic magic; - krb5_kdc_req *request; - krb5_db_entry *client; - krb5_db_entry *server; - krb5_timestamp kdc_time; -} kdb_check_policy_as_req; - -typedef struct _kdb_check_policy_as_rep { - krb5_magic magic; - const char *status; - krb5_data e_data; -} kdb_check_policy_as_rep; - -typedef struct _kdb_check_policy_tgs_req { - krb5_magic magic; - krb5_kdc_req *request; - krb5_db_entry *server; - krb5_ticket *ticket; -} kdb_check_policy_tgs_req; - -typedef struct _kdb_check_policy_tgs_rep { - krb5_magic magic; - const char *status; - krb5_data e_data; -} kdb_check_policy_tgs_rep; - typedef struct _kdb_audit_as_req { krb5_magic magic; krb5_kdc_req *request; @@ -649,6 +620,21 @@ krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext, const krb5_data *client_realm, const krb5_data *server_realm); +krb5_error_code krb5_db_check_policy_as(krb5_context kcontext, + krb5_kdc_req *request, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp kdc_time, + const char **status, + krb5_data *e_data); + +krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext, + krb5_kdc_req *request, + krb5_db_entry *server, + krb5_ticket *ticket, + const char **status, + krb5_data *e_data); + krb5_error_code krb5_db_invoke ( krb5_context kcontext, unsigned int method, const krb5_data *req, @@ -1263,24 +1249,44 @@ typedef struct _kdb_vftabl { const krb5_data *server_realm); /* + * Optional: Perform a policy check on an AS request, in addition to the + * standard policy checks. Return 0 if the AS request is allowed. If the + * AS request is not allowed: + * - Place a short string literal into *status. + * - If desired, place data into e_data. Any data placed here will be + * freed by the caller using the standard free function. + * - Return an appropriate error (such as KDC_ERR_POLICY). + */ + krb5_error_code (*check_policy_as)(krb5_context kcontext, + krb5_kdc_req *request, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_timestamp kdc_time, + const char **status, + krb5_data *e_data); + + /* + * Optional: Perform a policy check on a TGS request, in addition to the + * standard policy checks. Return 0 if the TGS request is allowed. If the + * TGS request is not allowed: + * - Place a short string literal into *status. + * - If desired, place data into e_data. Any data placed here will be + * freed by the caller using the standard free function. + * - Return an appropriate error (such as KDC_ERR_POLICY). + * The input parameter ticket contains the TGT used in the TGS request. + */ + krb5_error_code (*check_policy_tgs)(krb5_context kcontext, + krb5_kdc_req *request, + krb5_db_entry *server, + krb5_ticket *ticket, + const char **status, + krb5_data *e_data); + + /* * Optional: Perform an operation on input data req with output stored in * rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the * method. Defined methods are: * - * KRB5_KDB_METHOD_CHECK_POLICY_AS: req contains a kdb_check_policy_as_req - * structure. Perform a policy check on an AS request, in addition to - * the standard policy checks. Return 0 if the AS request is allowed - * or an appropriate error (such as KDC_ERR_POLICY) if it is - * disallowed. Place in rep a kdb_check_policy_as_rep structure - * containing a status string and e_data value to return to the client - * if the policy check fails. The status string may be NULL, but must - * not contain allocated data as it will not be freed. The e_data - * structure may be empty; if not, it will be freed by the caller using - * the standard free function. - * - * KRB5_KDB_METHOD_CHECK_POLICY_TGS: Same as above, except the structures - * are kdb_check_policy_tgs_req and kdb_check_policy_tgs_rep. - * * KRB5_KDB_METHOD_AUDIT_AS: req contains a kdb_audit_as_req structure. * Informs the module of a successful or unsuccessful AS request. Do * not place any data in rep. |