authorGreg Hudson <ghudson@mit.edu>2010-07-12 18:53:54 +0000
committerGreg Hudson <ghudson@mit.edu>2010-07-12 18:53:54 +0000
commit0d34b37b7abcdd2eba13d45df5feadf135e4602a (patch)
tree0e44182c2e56fbf7a90a120af089765df3f9e747 /src/include/kdb.h
parent62880787886fadd5dfb8f350779369795319fa21 (diff)
Add check_transited_realms to the DAL table with a corresponding
libkdb5 API, replacing the CHECK_TRANSITED_REALMS method of db_invoke. ticket: 6749 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24183 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r--src/include/kdb.h29
1 files changed, 15 insertions, 14 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 3012b028fd..cb9a32820c 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -323,7 +323,6 @@ extern char *krb5_mkey_pwd_prompt2;
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
/* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
@@ -331,13 +330,6 @@ extern char *krb5_mkey_pwd_prompt2;
#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-typedef struct _kdb_check_transited_realms_req {
- krb5_magic magic;
- const krb5_data *tr_contents;
- const krb5_data *client_realm;
- const krb5_data *server_realm;
-} kdb_check_transited_realms_req;
-
typedef struct _kdb_check_policy_as_req {
krb5_magic magic;
krb5_kdc_req *request;
@@ -652,6 +644,11 @@ krb5_error_code krb5_db_sign_authdata(krb5_context kcontext,
krb5_authdata **tgt_auth_data,
krb5_authdata ***signed_auth_data);
+krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm);
+
krb5_error_code krb5_db_invoke ( krb5_context kcontext,
unsigned int method,
const krb5_data *req,
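Review bot: The new `krb5_db_check_transited_realms` prototype carries no comment, while the matching vftabl entry later in this diff does explain the contract; callers of the public libkdb5 API read this prototype, not the DAL table. A line such as `/* Check a cross-realm ticket's transited field against the DB module's policy; returns 0 if the check passes. */` above the declaration would cover it. Whether the wrapper treats a module's KRB5_PLUGIN_OP_NOTSUPP (the documented return for an unimplemented optional entry) as success is not visible in this hunk and should be stated in that comment once confirmed against the libkdb5 implementation, since the KDC must know whether a nonzero return always means "reject". The krb5_db_invoke prototype on the last lines continues outside the hunk.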
@@ -1256,16 +1253,20 @@ typedef struct _kdb_vftabl {
krb5_authdata ***signed_auth_data);
/*
+ * Optional: Perform a policy check on a cross-realm ticket's transited
+ * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+ * check fails.
+ */
+ krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+ const krb5_data *tr_contents,
+ const krb5_data *client_realm,
+ const krb5_data *server_realm);
+
+ /*
* Optional: Perform an operation on input data req with output stored in
* rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
* method. Defined methods are:
*
- *
- * KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: req contains a
- * kdb_check_transited_realms_req structure. Perform a policy check on
- * a cross-realm ticket's transited field and return an error (other
- * than KRB5_PLUGIN_OP_NOTSUPP) if the check fails. Leave rep alone.
- *
* KRB5_KDB_METHOD_CHECK_POLICY_AS: req contains a kdb_check_policy_as_req
* structure. Perform a policy check on an AS request, in addition to
* the standard policy checks. Return 0 if the AS request is allowed