From 0d34b37b7abcdd2eba13d45df5feadf135e4602a Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Mon, 12 Jul 2010 18:53:54 +0000
Subject: Add check_transited_realms to the DAL table with a corresponding libkdb5 API, replacing the CHECK_TRANSITED_REALMS method of db_invoke.

ticket: 6749
status: open

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24183 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb.h | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

(limited to 'src/include/kdb.h')

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 3012b028fd..cb9a32820c 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -323,7 +323,6 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_DB_LOCKMODE_PERMANENT 0x0008
 
 /* db_invoke methods */
-#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
 #define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
 #define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
 #define KRB5_KDB_METHOD_AUDIT_AS 0x00000050
@@ -331,13 +330,6 @@ extern char *krb5_mkey_pwd_prompt2;
 #define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
 #define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
 
-typedef struct _kdb_check_transited_realms_req {
-    krb5_magic magic;
-    const krb5_data *tr_contents;
-    const krb5_data *client_realm;
-    const krb5_data *server_realm;
-} kdb_check_transited_realms_req;
-
 typedef struct _kdb_check_policy_as_req {
     krb5_magic magic;
     krb5_kdc_req *request;
@@ -652,6 +644,11 @@ krb5_error_code krb5_db_sign_authdata(krb5_context kcontext,
                                       krb5_authdata **tgt_auth_data,
                                       krb5_authdata ***signed_auth_data);
 
+krb5_error_code krb5_db_check_transited_realms(krb5_context kcontext,
+                                               const krb5_data *tr_contents,
+                                               const krb5_data *client_realm,
+                                               const krb5_data *server_realm);
+
 krb5_error_code krb5_db_invoke ( krb5_context kcontext,
                                  unsigned int method,
                                  const krb5_data *req,
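Review bot: The new public prototype `krb5_db_check_transited_realms` in the third hunk carries no comment stating its return contract, even though the KDC gates issuance of cross-realm tickets on this result and the vtable slot it wraps allows a module to answer KRB5_PLUGIN_OP_NOTSUPP. A caller that mistakes NOTSUPP (or whatever the wrapper returns when the module leaves the slot NULL, which is not visible in this diff) for "allowed" would fail open on the transited-path check. Suggest a comment above the declaration along the lines of `/* Ask the DB module to check the transited path of a cross-realm ticket. Returns 0 if the module accepts the path, KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the check, and any other error if the path must be rejected. */`, adjusted to match what the libkdb5 implementation actually does for a missing slot. The surrounding declarations of krb5_db_sign_authdata and krb5_db_invoke extend outside the hunk.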
@@ -1255,17 +1252,21 @@ typedef struct _kdb_vftabl {
                                       krb5_authdata **tgt_auth_data,
                                       krb5_authdata ***signed_auth_data);
 
+    /*
+     * Optional: Perform a policy check on a cross-realm ticket's transited
+     * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+     * check fails.
+     */
+    krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+                                              const krb5_data *tr_contents,
+                                              const krb5_data *client_realm,
+                                              const krb5_data *server_realm);
+
     /*
      * Optional: Perform an operation on input data req with output stored in
      * rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
      * method. Defined methods are:
      *
-     *
-     * KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: req contains a
-     * kdb_check_transited_realms_req structure. Perform a policy check on
-     * a cross-realm ticket's transited field and return an error (other
-     * than KRB5_PLUGIN_OP_NOTSUPP) if the check fails. Leave rep alone.
-     *
      * KRB5_KDB_METHOD_CHECK_POLICY_AS: req contains a kdb_check_policy_as_req
      * structure. Perform a policy check on an AS request, in addition to
      * the standard policy checks. Return 0 if the AS request is allowed
-- 
cgit
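Review bot: The comment on the new `check_transited_realms` slot says only what to return when the check fails; it never states that 0 means the transited path is acceptable, nor what a module signals by returning KRB5_PLUGIN_OP_NOTSUPP from a slot it does implement, so a module author could read NOTSUPP as a way to "abstain" while the KDC may treat it differently, and the ambiguity sits on a security decision about which realms may appear in a transit path. Suggest tightening the comment to `Optional: Perform a policy check on a cross-realm ticket's transited field. Return 0 if the transited path is acceptable, KRB5_PLUGIN_OP_NOTSUPP if the module does not implement this check, or any other error to reject the ticket.`, matching how the KDC actually interprets NOTSUPP. Separately, inserting a member into the middle of `_kdb_vftabl` shifts every later slot, so a module built against the previous layout would call the wrong function pointer unless the DAL version constant is bumped in the same change; that constant is not visible in this diff, so confirm it is updated. The enclosing struct definition starts and ends outside the hunk.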