kdc/kdc-plugin.h

   1 /*
   2  * Copyright (c) 2006 Kungliga Tekniska Högskolan
   3  * (Royal Institute of Technology, Stockholm, Sweden).
   4  * All rights reserved.
   5  *
   6  * Redistribution and use in source and binary forms, with or without
   7  * modification, are permitted provided that the following conditions
   8  * are met:
   9  *
  10  * 1. Redistributions of source code must retain the above copyright
  11  *    notice, this list of conditions and the following disclaimer.
  12  *
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  *
  17  * 3. Neither the name of the Institute nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 /* $Id$ */
  35
  36 #ifndef HEIMDAL_KDC_KDC_PLUGIN_H
  37 #define HEIMDAL_KDC_KDC_PLUGIN_H 1
  38
  39 #include <krb5.h>
  40 #include <kdc.h>
  41 #include <kdc-accessors.h>
  42 #include <hdb.h>
  43
  44 /*
  45  * Allocate a PAC for the given client with krb5_pac_init(),
  46  * and fill its contents in with krb5_pac_add_buffer().
  47  */
  48
  49 typedef krb5_error_code
  50 (KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *,
  51                                              astgs_request_t,
  52                                              hdb_entry *, /* client */
  53                                              hdb_entry *, /* server */
  54                                              const krb5_keyblock *, /* pk_replykey */
  55                                              uint64_t,        /* pac_attributes */
  56                                              krb5_pac *);
  57
  58 /*
  59  * Verify the PAC KDC signatures by fetching the appropriate TGS key
  60  * and calling krb5_pac_verify() with that key. Optionally update the
  61  * PAC buffers on success.
  62  */
  63
  64 typedef krb5_error_code
  65 (KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *,
  66                                            astgs_request_t,
  67                                            const krb5_principal, /* new ticket client */
  68                                            const krb5_principal, /* delegation proxy */
  69                                            hdb_entry *,/* client */
  70                                            hdb_entry *,/* server */
  71                                            hdb_entry *,/* krbtgt */
  72                                            krb5_pac *);
  73
  74 /*
  75  * Authorize the client principal's access to the Authentication Service (AS).
  76  * This function is called after any pre-authentication has completed.
  77  */
  78
  79 typedef krb5_error_code
  80 (KRB5_CALLCONV *krb5plugin_kdc_client_access)(void *, astgs_request_t);
  81
  82 /*
  83  * A referral policy plugin can either rewrite the server principal
  84  * by resetting priv->server_princ, or it can disable referral
  85  * processing entirely by returning an error.
  86  *
  87  * The error code from the previous server lookup is available as r->ret.
  88  *
  89  * If the function returns KRB5_PLUGIN_NO_HANDLE, the TGS will continue
  90  * with its default referral handling.
  91  *
  92  * Note well: the plugin should free priv->server_princ is replacing.
  93  */
  94
  95 typedef krb5_error_code
  96 (KRB5_CALLCONV *krb5plugin_kdc_referral_policy)(void *, astgs_request_t);
  97
  98 /*
  99  * Update the AS or TGS reply immediately prior to encoding.
 100  */
 101
 102 typedef krb5_error_code
 103 (KRB5_CALLCONV *krb5plugin_kdc_finalize_reply)(void *, astgs_request_t);
 104
 105 /*
 106  * Audit an AS or TGS request. This function is called after encoding the
 107  * reply (on success), or before encoding the error message. If a HDB audit
 108  * function is also present, it is called after this one.
 109  *
 110  * The request should not be modified by the plugin.
 111  */
 112
 113 typedef krb5_error_code
 114 (KRB5_CALLCONV *krb5plugin_kdc_audit)(void *, astgs_request_t);
 115
 116 /*
 117  * Plugins should carefully check API contract notes for changes
 118  * between plugin API versions.
 119  */
 120 #define KRB5_PLUGIN_KDC_VERSION_10      10
 121
 122 typedef struct krb5plugin_kdc_ftable {
 123     HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
 124     krb5plugin_kdc_pac_generate         pac_generate;
 125     krb5plugin_kdc_pac_verify           pac_verify;
 126     krb5plugin_kdc_client_access        client_access;
 127     krb5plugin_kdc_referral_policy      referral_policy;
 128     krb5plugin_kdc_finalize_reply       finalize_reply;
 129     krb5plugin_kdc_audit                audit;
 130 } krb5plugin_kdc_ftable;
 131
 132 #endif /* HEIMDAL_KDC_KDC_PLUGIN_H */