/*
 * include/krb5/kdb_ext.h
 *
 * Copyright (c) 2006-2008, Novell, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * * Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * * The copyright holder's name is not used to endorse or promote products
 * derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
#ifndef KRB5_KDB5_EXT__
#define KRB5_KDB5_EXT__

/*
 * Extended per-principal bits.  NOTE(review): by name these presumably
 * live in the same attribute word as the core KRB5_KDB_* attributes
 * (not in view here).  The values below are mutually disjoint, but check
 * them against the core kdb header for collisions before adding more.
 */

/* Can be delegated as in TicketFlags */
#define KRB5_KDB_OK_AS_DELEGATE 0x00100000
/*
 * Allowed to use protocol transition (S4U2Self).  A principal carrying
 * this bit can be issued service tickets naming other clients without
 * those clients' credentials, so treat it as a high-value privilege:
 * grant it to specific service principals only and audit changes to it.
 */
#define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000
/*
 * Service does not require authorization data.  Presumably tickets for
 * such a service are issued without a PAC -- confirm in the KDC code.
 */
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000
/* Private flag used to indicate principal is local TGS */
#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
/* Private flag used to indicate xrealm relationship is non-transitive */
#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000

/*
 * Request/lookup flags (KRB5_KDB_FLAG_*).  By name these describe the
 * request currently being processed; kdb_sign_auth_data_req.flags below
 * is documented as carrying "KRB5_KDB flags", and they are presumably
 * also the flags argument of krb5_db_get_principal_ext(), whose
 * prototype is truncated in this view -- confirm.  Note the numeric
 * range overlaps the KRB5_KDB_METHOD_* selectors (e.g. 0x10), so never
 * pass a method id where a flags word is expected.
 */
/* Name canonicalization requested */
#define KRB5_KDB_FLAG_CANONICALIZE 0x00000010
/* Include authorization data generated by backend */
#define KRB5_KDB_FLAG_INCLUDE_PAC 0x00000020
/* Is AS-REQ (client referrals only) */
#define KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY 0x00000040
/* Map cross-realm principals */
#define KRB5_KDB_FLAG_MAP_PRINCIPALS 0x00000080
/* Protocol transition */
#define KRB5_KDB_FLAG_PROTOCOL_TRANSITION 0x00000100
/* Constrained delegation */
#define KRB5_KDB_FLAG_CONSTRAINED_DELEGATION 0x00000200
/* Undocumented in the original; the name suggests a user-to-user request -- confirm */
#define KRB5_KDB_FLAG_USER_TO_USER 0x00000800
/* Undocumented in the original; the name suggests a cross-realm request -- confirm */
#define KRB5_KDB_FLAG_CROSS_REALM 0x00001000

/* Mask covering both service-for-user request kinds */
#define KRB5_KDB_FLAGS_S4U ( KRB5_KDB_FLAG_PROTOCOL_TRANSITION | \
                             KRB5_KDB_FLAG_CONSTRAINED_DELEGATION )

/*
 * Type codes for principal tl_data entries (presumably the
 * tl_data_type field of the core tl_data structure -- confirm).  The
 * comment on each value describes the encoding of the entry's payload.
 */
#define KRB5_TL_PAC_LOGON_INFO 0x0100 /* NDR encoded validation info */
#define KRB5_TL_SERVER_REFERRAL 0x0200 /* ASN.1 encoded ServerReferralInfo */
#define KRB5_TL_SVR_REFERRAL_DATA 0x0300 /* ASN.1 encoded PA-SVR-REFERRAL-DATA */
#define KRB5_TL_CONSTRAINED_DELEGATION_ACL 0x0400 /* Each entry is a permitted SPN */
#define KRB5_TL_LM_KEY 0x0500 /* LM OWF (legacy LAN Manager hash; weak -- store only where a consumer requires it) */
#define KRB5_TL_X509_SUBJECT_ISSUER_NAME 0x0600 /* <I>IssuerDN<S>SubjectDN */
krb5_error_code krb5_db_get_principal_ext ( krb5_context kcontext,
krb5_const_principal search_for,
krb5_db_entry *entries,
krb5_error_code krb5_db_invoke ( krb5_context kcontext,
/*
 * db_invoke methods: selector values for krb5_db_invoke() (its prototype
 * above is truncated in this view).  By name, each selects one of the
 * request/reply blocks declared later in this header; REFRESH_POLICY has
 * no visible request block.  Values are spaced 0x10 apart and are
 * numerically equal to some KRB5_KDB_FLAG_* bits (e.g. 0x10, 0x20), so
 * the two must never be mixed in one argument.
 */
#define KRB5_KDB_METHOD_SIGN_AUTH_DATA 0x00000010 /* kdb_sign_auth_data_req / _rep */
#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020 /* kdb_check_transited_realms_req */
#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030 /* kdb_check_policy_as_req / _rep */
#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040 /* kdb_check_policy_tgs_req / _rep */
#define KRB5_KDB_METHOD_AUDIT_AS 0x00000050 /* kdb_audit_as_req */
#define KRB5_KDB_METHOD_AUDIT_TGS 0x00000060 /* kdb_audit_tgs_req */
#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070 /* no request block in view */
#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080 /* kdb_check_allowed_to_delegate_req */
/*
 * Request block for KRB5_KDB_METHOD_SIGN_AUTH_DATA (pairing by name): the
 * inputs a backend needs to produce signed authorization data for a
 * ticket.  NOTE(review): ownership of the pointed-to objects is not
 * stated here; presumably the caller retains it and the backend only
 * reads them -- confirm against the KDC caller.
 */
typedef struct _kdb_sign_auth_data_req {
    unsigned int flags; /* KRB5_KDB flags (KRB5_KDB_FLAG_* request flags) */
    krb5_const_principal client_princ; /* Client name used in ticket */
    krb5_db_entry *client; /* DB entry for client principal */
    krb5_db_entry *server; /* DB entry for server principal */
    krb5_db_entry *krbtgt; /* DB entry for ticket granting service principal */
    krb5_keyblock *client_key; /* Reply key, valid for AS-REQ only (presumably NULL on the TGS path -- confirm) */
    krb5_keyblock *server_key; /* Key used to generate server signature */
    krb5_timestamp authtime; /* Authtime of TGT */
    krb5_authdata **auth_data; /* Authorization data from TGT (input; the signed result is returned in the _rep) */
} kdb_sign_auth_data_req;
/*
 * Reply block for KRB5_KDB_METHOD_SIGN_AUTH_DATA (pairing by name).
 * NOTE(review): who frees auth_data and entry is not stated in this
 * header; presumably the caller, using the usual authdata / principal
 * release routines -- confirm.  Since entry is derived from the
 * authorization data rather than from a DB lookup, callers should apply
 * the same validation to it as to any other entry before trusting it.
 */
typedef struct _kdb_sign_auth_data_rep {
    krb5_authdata **auth_data; /* Signed authorization data */
    krb5_db_entry *entry; /* Optional client principal extracted from auth data */
    int nprincs; /* Non-zero if above contains principal data */
} kdb_sign_auth_data_rep;
/*
 * Request block for KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS (pairing by
 * name).  All members are const pointers, i.e. read-only inputs; no
 * reply block is in view, so the verdict is presumably the
 * krb5_db_invoke() return code -- confirm.  NOTE(review): member
 * meanings below are inferred from the names; the original has no
 * comments here.
 */
typedef struct _kdb_check_transited_realms_req {
    const krb5_data *tr_contents; /* presumably the ticket's transited field contents */
    const krb5_data *client_realm; /* realm of the client principal */
    const krb5_data *server_realm; /* realm of the requested service */
} kdb_check_transited_realms_req;
/*
 * Request block for KRB5_KDB_METHOD_CHECK_POLICY_AS (pairing by name):
 * the AS-REQ being processed together with the two DB entries it
 * resolved to.  The original carries no member comments; the notes
 * below are inferred from names and types.
 */
typedef struct _kdb_check_policy_as_req {
    krb5_kdc_req *request; /* the decoded AS-REQ */
    krb5_db_entry *client; /* DB entry for the requesting client */
    krb5_db_entry *server; /* DB entry for the requested service (presumably the TGS) */
    krb5_timestamp kdc_time; /* KDC's current time, presumably for validity checks -- confirm */
} kdb_check_policy_as_req;
/*
 * Reply block for KRB5_KDB_METHOD_CHECK_POLICY_AS (pairing by name).
 * NOTE(review): the member list is absent from this view (original
 * lines 131-132 are not shown); an empty struct is not valid C, so the
 * real header must declare members here -- consult the full file.
 */
typedef struct _kdb_check_policy_as_rep {
} kdb_check_policy_as_rep;
/*
 * Request block for KRB5_KDB_METHOD_CHECK_POLICY_TGS (pairing by name).
 * NOTE(review): original line 139 is not shown in this view, so at least
 * one member may be missing between server and the closing brace --
 * consult the full file.  Unlike the AS variant there is no client DB
 * entry here.
 */
typedef struct _kdb_check_policy_tgs_req {
    krb5_kdc_req *request; /* the decoded TGS-REQ */
    krb5_db_entry *server; /* DB entry for the requested service */
} kdb_check_policy_tgs_req;
/*
 * Reply block for KRB5_KDB_METHOD_CHECK_POLICY_TGS (pairing by name).
 * NOTE(review): the member list is absent from this view (original
 * lines 143-144 are not shown); an empty struct is not valid C, so the
 * real header must declare members here -- consult the full file.
 */
typedef struct _kdb_check_policy_tgs_rep {
} kdb_check_policy_tgs_rep;
/*
 * Request block for KRB5_KDB_METHOD_AUDIT_AS (pairing by name): the
 * outcome of an AS exchange handed to the backend for logging.
 * NOTE(review): the closing "} <typedef name>;" (original lines 154-155)
 * is not shown in this view.  error_code is presumably 0 on success and
 * the failure code otherwise, so the hook sees both outcomes -- confirm.
 */
typedef struct _kdb_audit_as_req {
    krb5_kdc_req *request; /* the decoded AS-REQ */
    krb5_db_entry *client; /* DB entry for the client (a full entry, unlike the TGS variant) */
    krb5_db_entry *server; /* DB entry for the requested service */
    krb5_timestamp authtime; /* authtime of the issued ticket, if any */
    krb5_error_code error_code; /* result of the exchange */
/*
 * Request block for KRB5_KDB_METHOD_AUDIT_TGS (pairing by name): the
 * outcome of a TGS exchange handed to the backend for logging.
 * NOTE(review): the closing "} <typedef name>;" (original lines 163-164)
 * is not shown in this view.  Note the client is a bare principal name
 * here, not a DB entry as in the AS variant -- presumably because the
 * TGS path identifies the client from the TGT rather than a lookup.
 */
typedef struct _kdb_audit_tgs_req {
    krb5_kdc_req *request; /* the decoded TGS-REQ */
    krb5_const_principal client; /* client name (no DB entry on this path) */
    krb5_db_entry *server; /* DB entry for the requested service */
    krb5_timestamp authtime; /* authtime carried over from the TGT, presumably */
    krb5_error_code error_code; /* result of the exchange */
/*
 * Request block for KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE (pairing
 * by name): asks whether `server` may obtain a ticket to `proxy` on a
 * user's behalf (constrained delegation).  No reply block is in view,
 * so the decision is presumably the krb5_db_invoke() return code.
 * NOTE(review): the authorization source is presumably the server's
 * KRB5_TL_CONSTRAINED_DELEGATION_ACL tl_data ("Each entry is a permitted
 * SPN" above); the check should be keyed on the ACL attached to
 * `server`, never on anything attached to `proxy`.
 */
typedef struct _kdb_check_allowed_to_delegate_req {
    const krb5_db_entry *server; /* the service requesting delegation (read-only) */
    krb5_const_principal proxy; /* the target service it wants a ticket for */
} kdb_check_allowed_to_delegate_req;
#endif /* KRB5_KDB5_EXT__ */