author | Greg Hudson <ghudson@mit.edu> | 2010-01-27 03:52:52 +0000 |
committer | Greg Hudson <ghudson@mit.edu> | 2010-01-27 03:52:52 +0000 |
commit | efb93f1098a314a060d850656ae77ffff176730b (patch) | |
tree | d9b0e71928d16dc998995fc66073ed814b82e4e3 /src/include/kdb.h | |
parent | b3963547981b74413a6bafe1ae6c9c1c9e28416c (diff) | |
Get rid of kdb_ext.h and allow out-of-tree KDB plugins
Move the contents of kdb_ext.h into kdb.h, since there is no meaningful
"extensions" category of DB interfaces now that this stuff is in our
tree. This allows out-of-tree KDB plugins to be built, since we install
kdb.h.
ticket: 6649
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23674 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r-- | src/include/kdb.h | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 4c94d0adca..1a33235ec5 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -104,6 +104,32 @@
 #define KRB5_KDB_CREATE_BTREE 0x00000001
 #define KRB5_KDB_CREATE_HASH 0x00000002
+/* Private flag used to indicate principal is local TGS */
+#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
+/* Private flag used to indicate xrealm relationship is non-transitive */
+#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000
+
+/* Entry get flags */
+/* Name canonicalization requested */
+#define KRB5_KDB_FLAG_CANONICALIZE 0x00000010
+/* Include authorization data generated by backend */
+#define KRB5_KDB_FLAG_INCLUDE_PAC 0x00000020
+/* Is AS-REQ (client referrals only) */
+#define KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY 0x00000040
+/* Map cross-realm principals */
+#define KRB5_KDB_FLAG_MAP_PRINCIPALS 0x00000080
+/* Protocol transition */
+#define KRB5_KDB_FLAG_PROTOCOL_TRANSITION 0x00000100
+/* Constrained delegation */
+#define KRB5_KDB_FLAG_CONSTRAINED_DELEGATION 0x00000200
+/* User-to-user */
+#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
+/* Cross-realm */
+#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000
+
+#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
+ KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )
+
 #if !defined(_WIN32)
 /*
@@ -200,6 +226,13 @@ typedef struct __krb5_key_salt_tuple {
 #define KRB5_TL_ACTKVNO 0x0009
 #define KRB5_TL_MKEY_AUX 0x000a
+#define KRB5_TL_PAC_LOGON_INFO 0x0100 /* NDR encoded validation info */
+#define KRB5_TL_SERVER_REFERRAL 0x0200 /* ASN.1 encoded ServerReferralInfo */
+#define KRB5_TL_SVR_REFERRAL_DATA 0x0300 /* ASN.1 encoded PA-SVR-REFERRAL-DATA */
+#define KRB5_TL_CONSTRAINED_DELEGATION_ACL 0x0400 /* Each entry is a permitted SPN */
+#define KRB5_TL_LM_KEY 0x0500 /* LM OWF */
+#define KRB5_TL_X509_SUBJECT_ISSUER_NAME 0x0600 /* <I>IssuerDN<S>SubjectDN */
+
 /* version number for KRB5_TL_ACTKVNO data */
 #define KRB5_TL_ACTKVNO_VER 1
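Review bot: The `/* Private flag ... */` comments on `KRB5_KDB_TICKET_GRANTING_SERVICE` and `KRB5_KDB_XREALM_NON_TRANSITIVE` do not say what "private" means now that the header is installed for out-of-tree plugins, so a backend author cannot tell whether these bits may be set or persisted by a backend or are reserved to the KDC. I would spell that out, e.g. `/* Reserved for KDC-internal use; backends must neither set nor persist this bit */`, if that is the intended contract. The `KRB5_KDB_FLAG_*` block also skips 0x00000400 between `KRB5_KDB_FLAG_CONSTRAINED_DELEGATION` and `KRB5_KDB_FLAG_USER_TO_USER` with no explanation; a `/* 0x00000400 reserved */` line keeps a later contributor from reusing a value that may already carry meaning elsewhere. Finally, `KRB5_KDB_FLAGS_S4U ( ... )` puts spaces inside the parentheses unlike the other macros in this header.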
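Review bot: The trailing comments on the new `KRB5_TL_*` types in the second hunk are too terse for an installed header: `/* LM OWF */` on `KRB5_TL_LM_KEY` and `/* <I>IssuerDN<S>SubjectDN */` on `KRB5_TL_X509_SUBJECT_ISSUER_NAME` give neither the encoding nor the sensitivity of the stored value. LM OWF is presumably the legacy LAN Manager one-way password hash, which is widely regarded as weak, so I would write `/* LM OWF: legacy LAN Manager password hash; as sensitive as key data */` so that backends protect it like key material. The jump from the 0x000a series to 0x0100-step values is also unexplained, and a one-line comment reserving the upper range for this family would keep future allocations from colliding. The leading-comment style of the flag block in the previous hunk and the trailing-comment style here should be reconciled.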
@@ -283,6 +316,95 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_DB_LOCKMODE_DONTBLOCK 0x0004
 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008
+/* db_invoke methods */
+#define KRB5_KDB_METHOD_SIGN_AUTH_DATA 0x00000010
+#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
+#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
+#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
+#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
+#define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060
+#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
+#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
+
+typedef struct _kdb_sign_auth_data_req {
+ krb5_magic magic;
+ unsigned int flags; /* KRB5_KDB flags */
+ krb5_const_principal client_princ; /* Client name used in ticket */
+ krb5_db_entry *client; /* DB entry for client principal */
+ krb5_db_entry *server; /* DB entry for server principal */
+ krb5_db_entry *krbtgt; /* DB entry for ticket granting service principal */
+ krb5_keyblock *client_key; /* Reply key, valid for AS-REQ only */
+ krb5_keyblock *server_key; /* Key used to generate server signature */
+ krb5_timestamp authtime; /* Authtime of TGT */
+ krb5_authdata **auth_data; /* Authorization data from TGT */
+ krb5_keyblock *session_key; /* Reply session key */
+ krb5_keyblock *krbtgt_key; /* Key used to decrypt TGT, valid for TGS-REQ only */
+} kdb_sign_auth_data_req;
+
+typedef struct _kdb_sign_auth_data_rep {
+ krb5_magic magic;
+ krb5_authdata **auth_data; /* Signed authorization data */
+} kdb_sign_auth_data_rep;
+
+typedef struct _kdb_check_transited_realms_req {
+ krb5_magic magic;
+ const krb5_data *tr_contents;
+ const krb5_data *client_realm;
+ const krb5_data *server_realm;
+} kdb_check_transited_realms_req;
+
+typedef struct _kdb_check_policy_as_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_db_entry *client;
+ krb5_db_entry *server;
+ krb5_timestamp kdc_time;
+} kdb_check_policy_as_req;
+
+typedef struct _kdb_check_policy_as_rep {
+ krb5_magic magic;
+ 
const char *status;
+ krb5_data e_data;
+} kdb_check_policy_as_rep;
+
+typedef struct _kdb_check_policy_tgs_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_db_entry *server;
+ krb5_ticket *ticket;
+} kdb_check_policy_tgs_req;
+
+typedef struct _kdb_check_policy_tgs_rep {
+ krb5_magic magic;
+ const char *status;
+ krb5_data e_data;
+} kdb_check_policy_tgs_rep;
+
+typedef struct _kdb_audit_as_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_db_entry *client;
+ krb5_db_entry *server;
+ krb5_timestamp authtime;
+ krb5_error_code error_code;
+} kdb_audit_as_req;
+
+typedef struct _kdb_audit_tgs_req {
+ krb5_magic magic;
+ krb5_kdc_req *request;
+ krb5_const_principal client;
+ krb5_db_entry *server;
+ krb5_timestamp authtime;
+ krb5_error_code error_code;
+} kdb_audit_tgs_req;
+
+typedef struct _kdb_check_allowed_to_delegate_req {
+ krb5_magic magic;
+ const krb5_db_entry *server;
+ krb5_const_principal proxy;
+ krb5_const_principal client;
+} kdb_check_allowed_to_delegate_req;
+
 /* libkdb.spec */
 krb5_error_code krb5_db_setup_lib_handle(krb5_context kcontext);
 krb5_error_code krb5_db_open( krb5_context kcontext, char **db_args, int mode );
@@ -303,6 +425,12 @@ krb5_error_code krb5_db_get_principal ( krb5_context kcontext,
 krb5_db_entry *entries,
 int *nentries,
 krb5_boolean *more );
+krb5_error_code krb5_db_get_principal_ext ( krb5_context kcontext,
+ krb5_const_principal search_for,
+ unsigned int flags,
+ krb5_db_entry *entries,
+ int *nentries,
+ krb5_boolean *more );
 krb5_error_code krb5_db_free_principal ( krb5_context kcontext,
 krb5_db_entry *entry,
 int count );
@@ -546,6 +674,11 @@ krb5_db_get_key_data_kvno( krb5_context context,
 int count,
 krb5_key_data * data);
+krb5_error_code krb5_db_invoke ( krb5_context kcontext,
+ unsigned int method,
+ const krb5_data *req,
+ krb5_data *rep );
+
 /* default functions. Should not be directly called */
 /* |
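Review bot: The db_invoke request/reply structs in the `@@ -283` hunk document what each member is but not who owns it, which is the contract an out-of-tree plugin needs most: whether a backend may modify or retain the `krb5_db_entry *` and `krb5_keyblock *` members of `kdb_sign_auth_data_req` beyond the call, who allocates and frees `auth_data` in `kdb_sign_auth_data_rep`, and whether `status` in the `*_rep` structs must point to static storage and who frees `e_data`. I would add an ownership line to each struct, e.g. `/* Caller owns all pointed-to objects; backend must not retain them after the call returns */`, where that is the intent. The `KRB5_KDB_METHOD_*` values (0x10, 0x20, 0x30 ...) are ordinals rather than combinable bits, yet their spacing reads like a flag mask; `/* db_invoke methods: distinct ordinal values, not bit flags */` would prevent a plugin from OR-ing them. Since these structs appear to be passed as opaque `krb5_data` through `krb5_db_invoke` (declared later in this diff), the header should also tell backends to verify `req->length` against the struct size and the `magic` member before casting, as a version-skewed caller would otherwise cause an out-of-bounds read.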
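Review bot: `krb5_db_get_principal_ext` in the `@@ -303` hunk adds a `flags` parameter without saying which constants it accepts; `KRB5_KDB_FLAG_*`, `KRB5_KDB_CREATE_*` and the private attribute bits all share the `KRB5_KDB_` prefix and are all plain `unsigned int`, so a caller can pass the wrong family with no compiler complaint. I would add `/* flags: KRB5_KDB_FLAG_* entry get flags */` above the prototype. If `entries`, `nentries` and `more` follow the same in/out contract as `krb5_db_get_principal`, the comment should say so, since the existing prototype documents nothing either.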