authorNathaniel McCallum <npmccallum@redhat.com>2012-09-10 17:38:23 -0400
committerGreg Hudson <ghudson@mit.edu>2012-09-11 01:05:07 -0400
commit43f507711689a71d3aaec8696721b8c981f8428e (patch)
treebf12cf79cd74c0e4459947e3d1ea334aca61b479 /src/include/krb5/preauth_plugin.h
parent1d4cf92a9de119e634b068820e48ee509cb1f71f (diff)
Add responder feature for initial cred exchanges
Add new APIs: * krb5_get_init_creds_opt_set_responder * krb5_responder_get_challenge * krb5_responder_list_questions * krb5_responder_set_answer If a caller sets a responder, it will be invoked after preauth modules have had a chance to review their incoming padata but before they produce outgoing padata. The responder will be presented a set of questions with optional challenges. The responder should then answer all questions it knows how to handle. Both the answers and the challenges are printable UTF-8 and may contain encoded, structured data specific to the question asked. Add two new callbacks and one optional method to the clpreauth interface. The new method (prep_questions) allows modules to ask questions by setting them in the responder context using one of the new callbacks (ask_responder_question). The other new callback (get_responder_answer) is used by the process method to read the answers to the questions asked. ticket: 7355 (new)
Diffstat (limited to 'src/include/krb5/preauth_plugin.h')
-rw-r--r--src/include/krb5/preauth_plugin.h37
1 files changed, 36 insertions, 1 deletions
diff --git a/src/include/krb5/preauth_plugin.h b/src/include/krb5/preauth_plugin.h
index 72fd92d26f..a9a2ab9d2c 100644
--- a/src/include/krb5/preauth_plugin.h
+++ b/src/include/krb5/preauth_plugin.h
@@ -38,7 +38,7 @@
*
*
* The clpreauth interface has a single supported major version, which is
- * 1. Major version 1 has a current minor version of 1. clpreauth modules
+ * 1. Major version 1 has a current minor version of 2. clpreauth modules
* should define a function named clpreauth_<modulename>_initvt, matching
* the signature:
*
@@ -193,6 +193,19 @@ typedef struct krb5_clpreauth_callbacks_st {
krb5_timestamp *time_out,
krb5_int32 *usec_out);
+ /* Set a question to be answered by the responder and optionally provide
+ * a challenge. */
+ krb5_error_code (*ask_responder_question)(krb5_context context,
+ krb5_clpreauth_rock rock,
+ const char *question,
+ const char *challenge);
+
+ /* Get an answer from the responder, or NULL if the question was
+ * unanswered. */
+ const char *(*get_responder_answer)(krb5_context context,
+ krb5_clpreauth_rock rock,
+ const char *question);
+
/* End of version 2 clpreauth callbacks (added in 1.11). */
} *krb5_clpreauth_callbacks;
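Review bot: The comments on `ask_responder_question` and `get_responder_answer` leave out the ownership and lifetime rules a module author needs: whether `question` and `challenge` are copied by the callback so the module may free its own buffers after the call, and how long the pointer returned by `get_responder_answer` stays valid (until the responder context is reset, until the next ask call, or only for the current `process` invocation). The commit description says challenges are optional, so the first comment should also state that `challenge` may be NULL. I would extend it along the lines of `/* Set a question to be answered by the responder and optionally provide a challenge (challenge may be NULL). State here whether the strings are copied. */`, with the copy semantics filled in from the implementation, which is outside this header. The callbacks struct opens before this hunk.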
@@ -235,6 +248,25 @@ typedef void
krb5_clpreauth_modreq modreq);
/*
+ * Optional: process server-supplied data in pa_data and set responder
+ * questions.
+ *
+ * encoded_previous_request may be NULL if there has been no previous request
+ * in the AS exchange.
+ */
+typedef krb5_error_code
+(*krb5_clpreauth_prep_questions_fn)(krb5_context context,
+ krb5_clpreauth_moddata moddata,
+ krb5_clpreauth_modreq modreq,
+ krb5_get_init_creds_opt *opt,
+ krb5_clpreauth_callbacks cb,
+ krb5_clpreauth_rock rock,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *pa_data);
+
+/*
* Mandatory: process server-supplied data in pa_data and return created data
* in pa_data_out. Also called after the AS-REP is received if the AS-REP
* includes preauthentication data of the associated type.
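Review bot: The comment on `krb5_clpreauth_prep_questions_fn` does not say when the hook runs relative to `process`, which is the one thing a module needs to know: per the commit description the responder is invoked after this step, so a module calling `get_responder_answer` from here would presumably see every question as unanswered. I would add `Called once per incoming padata before the responder is invoked; answers are not yet available at this point.` to the block comment. The nullability note covers `encoded_previous_request` but not `pa_data`; if it is always the module's own padata as for `process`, say so, and if it can be NULL, say that instead. The `process` typedef's comment continues outside the hunk.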
@@ -317,6 +349,9 @@ typedef struct krb5_clpreauth_vtable_st {
krb5_clpreauth_tryagain_fn tryagain;
krb5_clpreauth_supply_gic_opts_fn gic_opts;
/* Minor version 1 ends here. */
+
+ krb5_clpreauth_prep_questions_fn prep_questions;
+ /* Minor version 2 ends here. */
} *krb5_clpreauth_vtable;
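Review bot: The `/* Minor version 2 ends here. */` marker does not say that `prep_questions` may only be read when the module's initvt function reported minor version 2, and that it is optional (NULL) even then; a consumer that reads the slot from a minor-version-1 vtable would be reading past the module's allocation. Since the vtable layout is the contract, I would state both on the field: `krb5_clpreauth_prep_questions_fn prep_questions; /* optional; only present when minor version >= 2 */`. Whether the library already gates the read on the reported minor version is not visible in this hunk, so confirm that before relying on the comment alone.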
/*