authorGreg Hudson <ghudson@mit.edu>2010-01-27 03:52:52 +0000
committerGreg Hudson <ghudson@mit.edu>2010-01-27 03:52:52 +0000
commitefb93f1098a314a060d850656ae77ffff176730b (patch)
treed9b0e71928d16dc998995fc66073ed814b82e4e3 /src/include/kdb.h
parentb3963547981b74413a6bafe1ae6c9c1c9e28416c (diff)
Get rid of kdb_ext.h and allow out-of-tree KDB plugins
Move the contents of kdb_ext.h into kdb.h, since there is no meaningful "extensions" category of DB interfaces now that this stuff is in our tree. Allows out-of-tree KDB plugins to be built since we install kdb.h. ticket: 6649 target_version: 1.8 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23674 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r--src/include/kdb.h133
1 files changed, 133 insertions, 0 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 4c94d0adca..1a33235ec5 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -104,6 +104,32 @@
#define KRB5_KDB_CREATE_BTREE 0x00000001
#define KRB5_KDB_CREATE_HASH 0x00000002
+/* Private flag used to indicate principal is local TGS */
+#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
+/* Private flag used to indicate xrealm relationship is non-transitive */
+#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000
+
+/* Entry get flags */
+/* Name canonicalization requested */
+#define KRB5_KDB_FLAG_CANONICALIZE 0x00000010
+/* Include authorization data generated by backend */
+#define KRB5_KDB_FLAG_INCLUDE_PAC 0x00000020
+/* Is AS-REQ (client referrals only) */
+#define KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY 0x00000040
+/* Map cross-realm principals */
+#define KRB5_KDB_FLAG_MAP_PRINCIPALS 0x00000080
+/* Protocol transition */
+#define KRB5_KDB_FLAG_PROTOCOL_TRANSITION 0x00000100
+/* Constrained delegation */
+#define KRB5_KDB_FLAG_CONSTRAINED_DELEGATION 0x00000200
+/* User-to-user */
+#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
+/* Cross-realm */
+#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
+
+#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
+ KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
+
#if !defined(_WIN32)
/*
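Review bot: The two "Private flag" macros at the top of the hunk never say which flag word they occupy, and since this commit installs kdb.h for out-of-tree plugins every bit value here becomes part of the ABI. They are placed directly under the KRB5_KDB_CREATE_* create-mode flags, but their high-order values suggest they belong to a different word (presumably the per-entry attribute mask — confirm against the in-tree users), so a plugin author reading the installed header cannot tell which word they live in or that the bits are reserved. I would rewrite the first comment as `/* Private flag in the <word> mask, reserved for in-tree use: principal is the local TGS */` with the word named, do the same for KRB5_KDB_XREALM_NON_TRANSITIVE, and add a line above `/* Entry get flags */` stating that the KRB5_KDB_FLAG_* values form a separate namespace (the `unsigned int flags` arguments elsewhere in this commit appear to be where they are passed). The unused 0x400 between KRB5_KDB_FLAG_CONSTRAINED_DELEGATION and KRB5_KDB_FLAG_USER_TO_USER deserves a one-line `/* 0x00000400 reserved */` so it is not reused by a plugin.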
@@ -200,6 +226,13 @@ typedef struct __krb5_key_salt_tuple {
#define KRB5_TL_ACTKVNO 0x0009
#define KRB5_TL_MKEY_AUX 0x000a
+#define KRB5_TL_PAC_LOGON_INFO 0x0100 /* NDR encoded validation info */
+#define KRB5_TL_SERVER_REFERRAL 0x0200 /* ASN.1 encoded ServerReferralInfo */
+#define KRB5_TL_SVR_REFERRAL_DATA 0x0300 /* ASN.1 encoded PA-SVR-REFERRAL-DATA */
+#define KRB5_TL_CONSTRAINED_DELEGATION_ACL 0x0400 /* Each entry is a permitted SPN */
+#define KRB5_TL_LM_KEY 0x0500 /* LM OWF */
+#define KRB5_TL_X509_SUBJECT_ISSUER_NAME 0x0600 /* <I>IssuerDN<S>SubjectDN */
+
/* version number for KRB5_TL_ACTKVNO data */
#define KRB5_TL_ACTKVNO_VER 1
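Review bot: The new KRB5_TL_* type codes are persisted in principal entries, and nothing in the hunk explains how the 0x0100-stepped values relate to the existing 0x0001–0x000a sequence or which ranges an out-of-tree plugin may allocate from now that the header is installed. I would add, above KRB5_TL_PAC_LOGON_INFO, a comment such as `/* Types 0x0100-0x0600 are KDC-extension tl_data types; values below 0x0100 are core.  Plugins must not reuse values in either range. */`, hedged because the allocation rule is inferred from the values rather than stated anywhere on the page. The `/* LM OWF */` comment on KRB5_TL_LM_KEY would also help consumers if it said the payload is a LAN Manager one-way hash of the password and must be protected like any other key material in the entry.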
@@ -283,6 +316,95 @@ extern char *krb5_mkey_pwd_prompt2;
#define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004
#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
+/* db_invoke methods */
+#define KRB5_KDB_METHOD_SIGN_AUTH_DATA 0x00000010
+#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
+#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
+#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
+#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
+#define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060
+#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
+#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
+
+typedef struct _kdb_sign_auth_data_req {
+ krb5_magic magic;
+ unsigned int flags; /* KRB5_KDB flags */
+ krb5_const_principal client_princ; /* Client name used in ticket */
+ krb5_db_entry *client; /* DB entry for client principal */
+ krb5_db_entry *server; /* DB entry for server principal */
+ krb5_db_entry *krbtgt; /* DB entry for ticket granting service principal */
+ krb5_keyblock *client_key; /* Reply key, valid for AS-REQ only */
+ krb5_keyblock *server_key; /* Key used to generate server signature */
+ krb5_timestamp authtime; /* Authtime of TGT */
+ krb5_authdata **auth_data; /* Authorization data from TGT */
+ krb5_keyblock *session_key; /* Reply session key */
+ krb5_keyblock *krbtgt_key; /* Key used to decrypt TGT, valid for TGS-REQ only */
+} kdb_sign_auth_data_req;
+
+typedef struct _kdb_sign_auth_data_rep {
+ krb5_magic magic;
+ krb5_authdata **auth_data; /* Signed authorization data */
+} kdb_sign_auth_data_rep;
+
+typedef struct _kdb_check_transited_realms_req {
+ krb5_magic magic;
+ const krb5_data *tr_contents;
+ const krb5_data *client_realm;
+ const krb5_data *server_realm;
+} kdb_check_transited_realms_req;
+
+typedef struct _kdb_check_policy_as_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_db_entry *client;
+ krb5_db_entry *server;
+ krb5_timestamp kdc_time;
+} kdb_check_policy_as_req;
+
+typedef struct _kdb_check_policy_as_rep {
+ krb5_magic magic;
+ const char *status;
+ krb5_data e_data;
+} kdb_check_policy_as_rep;
+
+typedef struct _kdb_check_policy_tgs_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_db_entry *server;
+ krb5_ticket *ticket;
+} kdb_check_policy_tgs_req;
+
+typedef struct _kdb_check_policy_tgs_rep {
+ krb5_magic magic;
+ const char *status;
+ krb5_data e_data;
+} kdb_check_policy_tgs_rep;
+
+typedef struct _kdb_audit_as_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_db_entry *client;
+ krb5_db_entry *server;
+ krb5_timestamp authtime;
+ krb5_error_code error_code;
+} kdb_audit_as_req;
+
+typedef struct _kdb_audit_tgs_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_const_principal client;
+ krb5_db_entry *server;
+ krb5_timestamp authtime;
+ krb5_error_code error_code;
+} kdb_audit_tgs_req;
+
+typedef struct _kdb_check_allowed_to_delegate_req {
+ krb5_magic magic;
+ const krb5_db_entry *server;
+ krb5_const_principal proxy;
+ krb5_const_principal client;
+} kdb_check_allowed_to_delegate_req;
+
/* libkdb.spec */
krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext);
krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
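Review bot: The db_invoke request and reply structs carry a `magic` member and are passed through krb5_db_invoke as opaque krb5_data, but the header never states that a plugin must check `req->length` against the sizeof the struct selected by the method code and verify `magic` before casting `req->data`, nor which side owns the memory behind `kdb_sign_auth_data_rep.auth_data` and the `status`/`e_data` members of the `*_rep` structs. Since this header is now the contract for out-of-tree plugins, I would add a comment above `/* db_invoke methods */` describing the protocol: the method code selects the struct type, both length and magic are validated by the plugin before use, and reply members are allocated by the plugin and released by the caller with the matching krb5 free routine — with the ownership direction marked "confirm against the in-tree KDC callers", since the page does not show them. The mismatch between `kdb_audit_as_req.client` (`krb5_db_entry *`) and `kdb_audit_tgs_req.client` (`krb5_const_principal`) also warrants a one-line comment on the TGS struct explaining why only the name is available there.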
@@ -303,6 +425,12 @@ krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
krb5_db_entry *entries,
int *nentries,
krb5_boolean *more );
+krb5_error_code krb5_db_get_principal_ext ( krb5_context kcontext,
+ krb5_const_principal search_for,
+ unsigned int flags,
+ krb5_db_entry *entries,
+ int *nentries,
+ krb5_boolean *more );
krb5_error_code krb5_db_free_principal ( krb5_context kcontext,
krb5_db_entry *entry,
int count );
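Review bot: The new `flags` parameter of krb5_db_get_principal_ext is undocumented, and a caller of the installed header has no way to confirm that the KRB5_KDB_FLAG_* "entry get flags" added earlier in this commit are the intended values. I would annotate the prototype as `unsigned int flags, /* bitwise OR of KRB5_KDB_FLAG_* */` and add a short comment above it noting that it otherwise behaves like krb5_db_get_principal, including the in/out use of `nentries` — presumably, since the implementation is not on the page.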
@@ -546,6 +674,11 @@ krb5_db_get_key_data_kvno( krb5_context context,
int count,
krb5_key_data * data);
+krb5_error_code krb5_db_invoke ( krb5_context kcontext,
+ unsigned int method,
+ const krb5_data *req,
+ krb5_data *rep );
+
/* default functions. Should not be directly called */
/*