60
88
* REAL mechanism callbacks (client-only). */
61
89
#define PA_INFO 0x00000002
63
/* Causes the KDC to include this mechanism in a list of supported preauth
92
* Causes the KDC to include this mechanism in a list of supported preauth
64
93
* types if the user's DB entry flags the user as requiring hardware-based
65
* preauthentication (server-only). */
94
* preauthentication (KDC-only).
66
96
#define PA_HARDWARE 0x00000004
68
/* Causes the KDC to include this mechanism in a list of supported preauth
99
* Causes the KDC to include this mechanism in a list of supported preauth
69
100
* types if the user's DB entry flags the user as requiring preauthentication,
70
101
* and to fail preauthentication if we can't verify the client data. The
71
* flipside of PA_SUFFICIENT (server-only). */
102
* flipside of PA_SUFFICIENT (KDC-only).
72
104
#define PA_REQUIRED 0x00000008
74
/* Causes the KDC to include this mechanism in a list of supported preauth
107
* Causes the KDC to include this mechanism in a list of supported preauth
75
108
* types if the user's DB entry flags the user as requiring preauthentication,
76
109
* and to mark preauthentication as successful if we can verify the client
77
* data. The flipside of PA_REQUIRED (server-only). */
110
* data. The flipside of PA_REQUIRED (KDC-only).
78
112
#define PA_SUFFICIENT 0x00000010
80
/* Marks this preauthentication mechanism as one which changes the key which is
115
* Marks this preauthentication mechanism as one which changes the key which is
81
116
* used for encrypting the response to the client. Modules which have this
82
* flag have their server_return_proc called before modules which do not, and
83
* are passed over if a previously-called module has modified the encrypting
84
* key (server-only). */
117
* flag have their server_return_fn called before modules which do not, and are
118
* passed over if a previously-called module has modified the encrypting key
85
121
#define PA_REPLACES_KEY 0x00000020
87
/* Causes the KDC to check with this preauthentication module even if the
88
* client has no entry in the realm database. If the module returns a success
89
* code, continue processing and assume that its return_padata callback will
90
* supply us with a key for encrypting the AS reply (server-only). */
91
/* #define PA_VIRTUAL (0x00000040 | PA_REPLACES_KEY) */
93
/* Not really a padata type, so don't include it in any list of preauth types
94
* which gets sent over the wire. */
124
* Not really a padata type, so don't include it in any list of preauth types
125
* which gets sent over the wire.
95
127
#define PA_PSEUDO 0x00000080
98
/***************************************************************************
100
* Client-side preauthentication plugin interface definition.
102
***************************************************************************/
105
* A callback which will obtain the user's long-term AS key by prompting the
106
* user for the password, then salting it properly, and so on. For the moment,
107
* it's identical to the get_as_key callback used inside of libkrb5, but we
108
* define a new typedef here instead of making the existing one public to
109
* isolate ourselves from potential future changes.
111
typedef krb5_error_code
112
(*preauth_get_as_key_proc)(krb5_context,
118
krb5_data *s2kparams,
119
krb5_keyblock *as_key,
123
* A client module's callback functions are allowed to request various
124
* information to enable it to process a request.
126
enum krb5plugin_preauth_client_request_type {
127
/* The returned krb5_data item holds the enctype expected to be used to encrypt the
128
* encrypted portion of the AS_REP packet. When handling a
129
* PREAUTH_REQUIRED error, this typically comes from etype-info2.
130
* When handling an AS reply, it is initialized from the AS reply itself.*/
131
krb5plugin_preauth_client_get_etype = 1,
132
/* Free the data returned from krb5plugin_preauth_client_req_get_etype */
133
krb5plugin_preauth_client_free_etype = 2,
134
/* The returned krb5_data contains the FAST armor key in a
135
* krb5_keyblock. Returns success with a NULL data item in the
136
* krb5_data if the client library supports FAST but is not using it.*/
137
krb5plugin_preauth_client_fast_armor = 3,
138
/* Frees return from KRB5PLUGIN_PREAUTH_CLIENT_FAST_ARMOR. It is
139
* acceptable to set data to NULL and free the keyblock using
140
* krb5_free_keyblock; in that case, this frees the krb5_data
142
krb5plugin_preauth_client_free_fast_armor = 4
144
typedef krb5_error_code
145
(*preauth_get_client_data_proc)(krb5_context,
146
struct _krb5_preauth_client_rock *,
147
krb5_int32 request_type,
150
/* Per-plugin initialization/cleanup. The init function is called
151
* by libkrb5 when the plugin is loaded, and the fini function is
152
* called before the plugin is unloaded. Both are optional and
153
* may be called multiple times in case the plugin is used in
154
* multiple contexts. The returned context lives the lifetime of
155
* the krb5_context */
156
typedef krb5_error_code
157
(*preauth_client_plugin_init_proc)(krb5_context context,
158
void **plugin_context);
130
* For kdcpreauth mechanisms, indicates that e_data in non-FAST errors should
131
* be encoded as typed data instead of padata.
133
#define PA_TYPED_E_DATA 0x00000100
136
* clpreauth plugin interface definition.
139
/* Abstract type for a client request information handle. */
140
typedef struct krb5_clpreauth_rock_st *krb5_clpreauth_rock;
142
/* Abstract types for module data and per-request module data. */
143
typedef struct krb5_clpreauth_moddata_st *krb5_clpreauth_moddata;
144
typedef struct krb5_clpreauth_modreq_st *krb5_clpreauth_modreq;
146
/* Before using a callback after version 1, modules must check the vers
147
* field of the callback structure. */
148
typedef struct krb5_clpreauth_callbacks_st {
152
* Get the enctype expected to be used to encrypt the encrypted portion of
153
* the AS_REP packet. When handling a PREAUTH_REQUIRED error, this
154
* typically comes from etype-info2. When handling an AS reply, it is
155
* initialized from the AS reply itself.
157
krb5_enctype (*get_etype)(krb5_context context, krb5_clpreauth_rock rock);
159
/* Get a pointer to the FAST armor key, or NULL if the client is not using
160
* FAST. The returned pointer is an alias and should not be freed. */
161
krb5_keyblock *(*fast_armor)(krb5_context context,
162
krb5_clpreauth_rock rock);
165
* Get a pointer to the client-supplied reply key, possibly invoking the
166
* prompter to ask for a password if this has not already been done. The
167
* returned pointer is an alias and should not be freed.
169
krb5_error_code (*get_as_key)(krb5_context context,
170
krb5_clpreauth_rock rock,
171
krb5_keyblock **keyblock);
173
/* Replace the reply key to be used to decrypt the AS response. */
174
krb5_error_code (*set_as_key)(krb5_context context,
175
krb5_clpreauth_rock rock,
176
const krb5_keyblock *keyblock);
178
/* End of version 1 clpreauth callbacks. */
179
} *krb5_clpreauth_callbacks;
182
* Optional: per-plugin initialization/cleanup. The init function is called by
183
* libkrb5 when the plugin is loaded, and the fini function is called before
184
* the plugin is unloaded. These may be called multiple times in case the
185
* plugin is used in multiple contexts. The returned context lives the
186
* lifetime of the krb5_context.
188
typedef krb5_error_code
189
(*krb5_clpreauth_init_fn)(krb5_context context,
190
krb5_clpreauth_moddata *moddata_out);
160
(*preauth_client_plugin_fini_proc)(krb5_context context,
161
void *plugin_context);
192
(*krb5_clpreauth_fini_fn)(krb5_context context,
193
krb5_clpreauth_moddata moddata);
163
/* A callback which returns flags indicating if the module is a "real" or
164
* an "info" mechanism, and so on. This function is called for each entry
165
* in the client_pa_type_list. */
196
* Mandatory: Return flags indicating if the module is a "real" or an "info"
197
* mechanism, and so on. This function is called for each entry in the
198
* client_pa_type_list.
167
(*preauth_client_get_flags_proc)(krb5_context context,
168
krb5_preauthtype pa_type);
201
(*krb5_clpreauth_get_flags_fn)(krb5_context context, krb5_preauthtype pa_type);
170
/* Per-request initialization/cleanup. The request_init function is
204
* Optional: per-request initialization/cleanup. The request_init function is
171
205
* called when beginning to process a get_init_creds request and the
172
* request_fini function is called when processing of the request is
173
* complete. This is optional. It may be called multiple times in
174
* the lifetime of a krb5_context. */
176
(*preauth_client_request_init_proc)(krb5_context context,
177
void *plugin_context,
178
void **request_context);
180
(*preauth_client_request_fini_proc)(krb5_context context,
181
void *plugin_context,
182
void *request_context);
206
* request_fini function is called when processing of the request is complete.
207
* This is optional. It may be called multiple times in the lifetime of a
211
(*krb5_clpreauth_request_init_fn)(krb5_context context,
212
krb5_clpreauth_moddata moddata,
213
krb5_clpreauth_modreq *modreq_out);
215
(*krb5_clpreauth_request_fini_fn)(krb5_context context,
216
krb5_clpreauth_moddata moddata,
217
krb5_clpreauth_modreq modreq);
184
/* Client function which processes server-supplied data in pa_data,
185
* returns created data in out_pa_data, storing any of its own state in
186
* client_context if data for the associated preauthentication type is
187
* needed. It is also called after the AS-REP is received if the AS-REP
220
* Mandatory: process server-supplied data in pa_data and return created data
221
* in pa_data_out. Also called after the AS-REP is received if the AS-REP
188
222
* includes preauthentication data of the associated type.
189
* NOTE! the encoded_previous_request will be NULL the first time this
190
* function is called, because it is expected to only ever contain the data
191
* obtained from a previous call to this function. */
192
typedef krb5_error_code
193
(*preauth_client_process_proc)(krb5_context context,
194
void *plugin_context,
195
void *request_context,
196
krb5_get_init_creds_opt *opt,
197
preauth_get_client_data_proc get_data_proc,
198
struct _krb5_preauth_client_rock *rock,
199
krb5_kdc_req *request,
200
krb5_data *encoded_request_body,
201
krb5_data *encoded_previous_request,
202
krb5_pa_data *pa_data,
203
krb5_prompter_fct prompter,
205
preauth_get_as_key_proc gak_fct,
208
krb5_data *s2kparams,
209
krb5_keyblock *as_key,
210
krb5_pa_data ***out_pa_data);
212
/* Client function which can attempt to use e-data in the error response to
213
* try to recover from the given error. If this function is not NULL, and
214
* it stores data in out_pa_data which is different data from the contents
215
* of in_pa_data, then the client library will retransmit the request. */
216
typedef krb5_error_code
217
(*preauth_client_tryagain_proc)(krb5_context context,
218
void *plugin_context,
219
void *request_context,
220
krb5_get_init_creds_opt *opt,
221
preauth_get_client_data_proc get_data_proc,
222
struct _krb5_preauth_client_rock *rock,
223
krb5_kdc_req *request,
224
krb5_data *encoded_request_body,
225
krb5_data *encoded_previous_request,
226
krb5_pa_data *in_pa_data,
228
krb5_prompter_fct prompter,
230
preauth_get_as_key_proc gak_fct,
233
krb5_data *s2kparams,
234
krb5_keyblock *as_key,
235
krb5_pa_data ***out_pa_data);
238
* Client function which receives krb5_get_init_creds_opt information.
239
* The attr and value information supplied should be copied locally by
240
* the module if it wishes to reference it after returning from this call.
242
typedef krb5_error_code
243
(*preauth_client_supply_gic_opts_proc)(krb5_context context,
244
void *plugin_context,
245
krb5_get_init_creds_opt *opt,
250
* The function table / structure which a preauth client module must export as
251
* "preauthentication_client_0". If the interfaces work correctly, future
252
* versions of the table will add either more callbacks or more arguments to
253
* callbacks, and in both cases we'll be able to wrap the v0 functions.
255
typedef struct krb5plugin_preauth_client_ftable_v1 {
256
/* Not-usually-visible name. */
224
* as_key contains the client-supplied key if known, or an empty keyblock if
225
* not. If it is empty, the module may use gak_fct to fill it in.
227
* encoded_previous_request may be NULL if there has been no previous request
228
* in the AS exchange.
230
typedef krb5_error_code
231
(*krb5_clpreauth_process_fn)(krb5_context context,
232
krb5_clpreauth_moddata moddata,
233
krb5_clpreauth_modreq modreq,
234
krb5_get_init_creds_opt *opt,
235
krb5_clpreauth_callbacks cb,
236
krb5_clpreauth_rock rock,
237
krb5_kdc_req *request,
238
krb5_data *encoded_request_body,
239
krb5_data *encoded_previous_request,
240
krb5_pa_data *pa_data,
241
krb5_prompter_fct prompter, void *prompter_data,
242
krb5_pa_data ***pa_data_out);
245
* Optional: Attempt to use e-data in the error response to try to recover from
246
* the given error. If this function is provided, and it stores data in
247
* pa_data_out which is different data from the contents of pa_data_in, then
248
* the client library will retransmit the request.
250
typedef krb5_error_code
251
(*krb5_clpreauth_tryagain_fn)(krb5_context context,
252
krb5_clpreauth_moddata moddata,
253
krb5_clpreauth_modreq modreq,
254
krb5_get_init_creds_opt *opt,
255
krb5_clpreauth_callbacks cb,
256
krb5_clpreauth_rock rock,
257
krb5_kdc_req *request,
258
krb5_data *encoded_request_body,
259
krb5_data *encoded_previous_request,
260
krb5_pa_data *pa_data_in,
262
krb5_prompter_fct prompter, void *prompter_data,
263
krb5_pa_data ***pa_data_out);
266
* Optional: receive krb5_get_init_creds_opt information. The attr and value
267
* information supplied should be copied into moddata by the module if it
268
* wishes to reference it after returning from this call.
270
typedef krb5_error_code
271
(*krb5_clpreauth_supply_gic_opts_fn)(krb5_context context,
272
krb5_clpreauth_moddata moddata,
273
krb5_get_init_creds_opt *opt,
274
const char *attr, const char *value);
276
typedef struct krb5_clpreauth_vtable_st {
277
/* Mandatory: name of module. */
259
/* Pointer to zero-terminated list of pa_types which this module can
260
* provide services for. */
280
/* Mandatory: pointer to zero-terminated list of pa_types which this module
281
* can provide services for. */
261
282
krb5_preauthtype *pa_type_list;
263
/* Pointer to zero-terminated list of enc_types which this module claims
264
* to add support for. */
284
/* Optional: pointer to zero-terminated list of enc_types which this module
285
* claims to add support for. */
265
286
krb5_enctype *enctype_list;
267
/* Per-plugin initialization/cleanup. The init function is called
268
* by libkrb5 when the plugin is loaded, and the fini function is
269
* called before the plugin is unloaded. Both are optional and
270
* may be called multiple times in case the plugin is used in
271
* multiple contexts. The returned context lives the lifetime of
272
* the krb5_context */
273
preauth_client_plugin_init_proc init;
274
preauth_client_plugin_fini_proc fini;
276
/* A callback which returns flags indicating if the module is a "real" or
277
* an "info" mechanism, and so on. This function is called for each entry
278
* in the client_pa_type_list. */
279
preauth_client_get_flags_proc flags;
281
/* Per-request initialization/cleanup. The request_init function is
282
* called when beginning to process a get_init_creds request and the
283
* request_fini function is called when processing of the request is
284
* complete. This is optional. It may be called multiple times in
285
* the lifetime of a krb5_context. */
286
preauth_client_request_init_proc request_init;
287
preauth_client_request_fini_proc request_fini;
289
/* Client function which processes server-supplied data in pa_data,
290
* returns created data in out_pa_data, storing any of its own state in
291
* client_context if data for the associated preauthentication type is
292
* needed. It is also called after the AS-REP is received if the AS-REP
293
* includes preauthentication data of the associated type.
294
* NOTE! the encoded_previous_request will be NULL the first time this
295
* function is called, because it is expected to only ever contain the data
296
* obtained from a previous call to this function. */
297
preauth_client_process_proc process;
299
/* Client function which can attempt to use e-data in the error response to
300
* try to recover from the given error. If this function is not NULL, and
301
* it stores data in out_pa_data which is different data from the contents
302
* of in_pa_data, then the client library will retransmit the request. */
303
preauth_client_tryagain_proc tryagain;
306
* Client function which receives krb5_get_init_creds_opt information.
307
* The attr and value information supplied should be copied locally by
308
* the module if it wishes to reference it after returning from this call.
310
preauth_client_supply_gic_opts_proc gic_opts;
312
} krb5plugin_preauth_client_ftable_v1;
315
/***************************************************************************
317
* Server-side preauthentication plugin interface definition.
319
***************************************************************************/
322
* A server module's callback functions are allowed to request specific types
323
* of information about the given client or server record or request, even
324
* though the database records themselves are opaque to the module.
326
enum krb5plugin_preauth_entry_request_type {
327
/* The returned krb5_data item holds a DER-encoded X.509 certificate. */
328
krb5plugin_preauth_entry_request_certificate = 1,
329
/* The returned krb5_data_item holds a krb5_deltat. */
330
krb5plugin_preauth_entry_max_time_skew = 2,
331
/* The returned krb5_data_item holds an array of krb5_keyblock structures,
332
* terminated by an entry with key type = 0.
333
* Each keyblock should have its contents freed in turn, and then the data
334
* item itself should be freed. */
335
krb5plugin_preauth_keys = 3,
336
/* The returned krb5_data_item holds the request structure, re-encoded
337
* using DER. Unless the client implementation is the same as the server
338
* implementation, there's a good chance that the result will not match
339
* what the client sent, so don't go creating any fatal errors if it
340
* doesn't match up. */
341
krb5plugin_preauth_request_body = 4,
342
/* The returned krb5_data contains a krb5_keyblock with the FAST
343
armor key. The data member is NULL if this method is not part
345
krb5plugin_preauth_fast_armor = 5,
346
/* Frees a fast armor key; it is acceptable to set data to NULL
347
and free the keyblock using krb5_free_keyblock; in that case,
348
this function simply frees the data*/
349
krb5plugin_preauth_free_fast_armor = 6
352
typedef krb5_error_code
353
(*preauth_get_entry_data_proc)(krb5_context,
355
struct _krb5_db_entry_new *,
356
krb5_int32 request_type,
359
/* Preauth plugin initialization function */
360
typedef krb5_error_code
361
(*preauth_server_init_proc)(krb5_context context,
362
void **plugin_context,
363
const char** realmnames);
365
/* Preauth plugin cleanup function */
367
(*preauth_server_fini_proc)(krb5_context context, void *plugin_context);
369
/* Return the flags which the KDC should use for this module. This is a
370
* callback instead of a static value because the module may or may not
371
* wish to count itself as a hardware preauthentication module (in other
372
* words, the flags may be affected by the configuration, for example if a
373
* site administrator can force a particular preauthentication type to be
374
* supported using only hardware). This function is called for each entry
375
* entry in the server_pa_type_list. */
377
(*preauth_server_flags_proc)(krb5_context context, krb5_preauthtype patype);
379
/* Get preauthentication data to send to the client as part of the "you
380
* need to use preauthentication" error. The module doesn't need to
381
* actually provide data if the protocol doesn't require it, but it should
382
* return either zero or non-zero to control whether its padata type is
383
* included in the list which is sent back to the client. Is not allowed
384
* to create a context because we have no guarantee that the client will
385
* ever call again (or that it will hit this server if it does), in which
386
* case a context might otherwise hang around forever. */
387
typedef krb5_error_code
388
(*preauth_server_edata_proc)(krb5_context,
389
krb5_kdc_req *request,
390
struct _krb5_db_entry_new *client,
391
struct _krb5_db_entry_new *server,
392
preauth_get_entry_data_proc,
393
void *pa_module_context,
396
/* Verify preauthentication data sent by the client, setting the
397
* TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
398
* field as appropriate, and returning nonzero on failure. Can create
399
* context data for consumption by the return_proc or freepa_proc below. */
400
typedef krb5_error_code
401
(*preauth_server_verify_proc)(krb5_context context,
402
struct _krb5_db_entry_new *client,
404
krb5_kdc_req *request,
405
krb5_enc_tkt_part *enc_tkt_reply,
407
preauth_get_entry_data_proc,
408
void *pa_module_context,
409
void **pa_request_context,
411
krb5_authdata ***authz_data);
413
/* Generate preauthentication response data to send to the client as part
414
* of the AS-REP. If it needs to override the key which is used to encrypt
415
* the response, it can do so. The module is expected (but not required,
416
* if a preauth_server_free_reqcontext_proc is also provided) to free any
417
* context data it saved in "pa_request_context". */
418
typedef krb5_error_code
419
(*preauth_server_return_proc)(krb5_context context,
420
krb5_pa_data * padata,
421
struct _krb5_db_entry_new *client,
423
krb5_kdc_req *request,
425
struct _krb5_key_data *client_keys,
426
krb5_keyblock *encrypting_key,
427
krb5_pa_data **send_pa,
428
preauth_get_entry_data_proc,
429
void *pa_module_context,
430
void **pa_request_context);
432
/* Free up the server-side per-request context, in cases where
433
* server_return_proc() didn't or for whatever reason was not called.
435
typedef krb5_error_code
436
(*preauth_server_free_reqcontext_proc)(krb5_context,
437
void *pa_module_context,
438
void **request_pa_context);
441
* The function table / structure which a preauth server module must export as
442
* "preauthentication_server_0". NOTE: replace "0" with "1" for the type and
443
* variable names if this gets picked up by upstream. If the interfaces work
444
* correctly, future versions of the table will add either more callbacks or
445
* more arguments to callbacks, and in both cases we'll be able to wrap the v0
448
typedef struct krb5plugin_preauth_server_ftable_v1 {
449
/* Not-usually-visible name. */
452
/* Pointer to zero-terminated list of pa_types which this module can
453
* provide services for. */
454
krb5_preauthtype *pa_type_list;
456
/* Per-plugin initialization/cleanup. The init function is called by the
457
* KDC when the plugin is loaded, and the fini function is called before
458
* the plugin is unloaded. Both are optional. */
459
preauth_server_init_proc init_proc;
460
preauth_server_fini_proc fini_proc;
462
/* Return the flags which the KDC should use for this module. This is a
463
* callback instead of a static value because the module may or may not
464
* wish to count itself as a hardware preauthentication module (in other
465
* words, the flags may be affected by the configuration, for example if a
466
* site administrator can force a particular preauthentication type to be
467
* supported using only hardware). This function is called for each entry
468
* entry in the server_pa_type_list. */
469
preauth_server_flags_proc flags_proc;
471
/* Get preauthentication data to send to the client as part of the "you
472
* need to use preauthentication" error. The module doesn't need to
473
* actually provide data if the protocol doesn't require it, but it should
474
* return either zero or non-zero to control whether its padata type is
475
* included in the list which is sent back to the client. Is not allowed
476
* to create a context because we have no guarantee that the client will
477
* ever call again (or that it will hit this server if it does), in which
478
* case a context might otherwise hang around forever. */
479
preauth_server_edata_proc edata_proc;
481
/* Verify preauthentication data sent by the client, setting the
482
* TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
483
* field as appropriate, and returning nonzero on failure. Can create
484
* context data for consumption by the return_proc or freepa_proc below. */
485
preauth_server_verify_proc verify_proc;
487
/* Generate preauthentication response data to send to the client as part
488
* of the AS-REP. If it needs to override the key which is used to encrypt
489
* the response, it can do so. The module is expected (but not required,
490
* if a freepa_proc is also provided) to free any context data it saved in
491
* "request_pa_context". */
492
preauth_server_return_proc return_proc;
494
/* Free up the server-side per-request context, in cases where
495
* server_return_proc() didn't or for whatever reason was not called.
497
preauth_server_free_reqcontext_proc freepa_reqcontext_proc;
499
} krb5plugin_preauth_server_ftable_v1;
503
* This function allows a preauth plugin to obtain preauth
504
* options. The preauth_data returned from this function
505
* should be freed by calling krb5_get_init_creds_opt_free_pa().
507
* The 'opt' pointer supplied to this function must have been
508
* obtained using krb5_get_init_creds_opt_alloc()
288
krb5_clpreauth_init_fn init;
289
krb5_clpreauth_fini_fn fini;
290
krb5_clpreauth_get_flags_fn flags;
291
krb5_clpreauth_request_init_fn request_init;
292
krb5_clpreauth_request_fini_fn request_fini;
293
krb5_clpreauth_process_fn process;
294
krb5_clpreauth_tryagain_fn tryagain;
295
krb5_clpreauth_supply_gic_opts_fn gic_opts;
296
/* Minor version 1 ends here. */
297
} *krb5_clpreauth_vtable;
300
* This function allows a clpreauth plugin to obtain preauth options. The
301
* preauth_data returned from this function should be freed by calling
302
* krb5_get_init_creds_opt_free_pa().
510
304
krb5_error_code KRB5_CALLCONV
511
305
krb5_get_init_creds_opt_get_pa(krb5_context context,
522
316
int num_preauth_data,
523
317
krb5_gic_opt_pa_data *preauth_data);
321
* kdcpreauth plugin interface definition.
324
/* Abstract type for a KDC callback data handle. */
325
typedef struct krb5_kdcpreauth_rock_st *krb5_kdcpreauth_rock;
327
/* Abstract type for module data and per-request module data. */
328
typedef struct krb5_kdcpreauth_moddata_st *krb5_kdcpreauth_moddata;
329
typedef struct krb5_kdcpreauth_modreq_st *krb5_kdcpreauth_modreq;
331
/* Before using a callback after version 1, modules must check the vers
332
* field of the callback structure. */
333
typedef struct krb5_kdcpreauth_callbacks_st {
336
krb5_deltat (*max_time_skew)(krb5_context context,
337
krb5_kdcpreauth_rock rock);
340
* Get an array of krb5_keyblock structures containing the client keys
341
* matching the request enctypes, terminated by an entry with key type = 0.
342
* Returns ENOENT if no keys are available for the request enctypes. Free
343
* the resulting object with the free_keys callback.
345
krb5_error_code (*client_keys)(krb5_context context,
346
krb5_kdcpreauth_rock rock,
347
krb5_keyblock **keys_out);
349
/* Free the result of client_keys. */
350
void (*free_keys)(krb5_context context, krb5_kdcpreauth_rock rock,
351
krb5_keyblock *keys);
354
* Get the request structure, re-encoded using DER. Unless the client
355
* implementation is the same as the server implementation, there's a good
356
* chance that the result will not match what the client sent, so don't
357
* create any fatal errors if it doesn't match up. Free the resulting data
358
* object with krb5_free_data.
360
krb5_error_code (*request_body)(krb5_context context,
361
krb5_kdcpreauth_rock rock,
362
krb5_data **body_out);
364
/* Get a pointer to the FAST armor key, or NULL if the request did not use
365
* FAST. The returned pointer is an alias and should not be freed. */
366
krb5_keyblock *(*fast_armor)(krb5_context context,
367
krb5_kdcpreauth_rock rock);
369
/* Retrieve a string attribute from the client DB entry, or NULL if no such
370
* attribute is set. Free the result with the free_string callback. */
371
krb5_error_code (*get_string)(krb5_context context,
372
krb5_kdcpreauth_rock rock, const char *key,
375
/* Free the result of get_string. */
376
void (*free_string)(krb5_context context, krb5_kdcpreauth_rock rock,
379
/* Get a pointer to the client DB entry (returned as a void pointer to
380
* avoid a dependency on a libkdb5 type). */
381
void *(*client_entry)(krb5_context context, krb5_kdcpreauth_rock rock);
383
/* End of version 1 kdcpreauth callbacks. */
384
} *krb5_kdcpreauth_callbacks;
386
/* Optional: preauth plugin initialization function. */
387
typedef krb5_error_code
388
(*krb5_kdcpreauth_init_fn)(krb5_context context,
389
krb5_kdcpreauth_moddata *moddata_out,
390
const char **realmnames);
392
/* Optional: preauth plugin cleanup function. */
394
(*krb5_kdcpreauth_fini_fn)(krb5_context context,
395
krb5_kdcpreauth_moddata moddata);
398
* Optional: return the flags which the KDC should use for this module. This
399
* is a callback instead of a static value because the module may or may not
400
* wish to count itself as a hardware preauthentication module (in other words,
401
* the flags may be affected by the configuration, for example if a site
402
* administrator can force a particular preauthentication type to be supported
403
* using only hardware). This function is called for each entry entry in the
404
* server_pa_type_list.
407
(*krb5_kdcpreauth_flags_fn)(krb5_context context, krb5_preauthtype pa_type);
410
* Responder for krb5_kdcpreauth_edata_fn. If invoked with a non-zero code, pa
411
* will be ignored and the padata type will not be included in the hint list.
412
* If invoked with a zero code and a null pa value, the padata type will be
413
* included in the list with an empty value. If invoked with a zero code and a
414
* non-null pa value, pa will be included in the hint list and will later be
418
(*krb5_kdcpreauth_edata_respond_fn)(void *arg, krb5_error_code code,
422
* Optional: provide pa_data to send to the client as part of the "you need to
423
* use preauthentication" error. This function is not allowed to create a
424
* modreq object because we have no guarantee that the client will ever make a
425
* follow-up request, or that it will hit this KDC if it does.
428
(*krb5_kdcpreauth_edata_fn)(krb5_context context, krb5_kdc_req *request,
429
krb5_kdcpreauth_callbacks cb,
430
krb5_kdcpreauth_rock rock,
431
krb5_kdcpreauth_moddata moddata,
432
krb5_preauthtype pa_type,
433
krb5_kdcpreauth_edata_respond_fn respond,
437
* Responder for krb5_kdcpreauth_verify_fn. Invoke with the arg parameter
438
* supplied to verify, the error code (0 for success), an optional module
439
* request state object to be consumed by return_fn or free_modreq_fn, optional
440
* e_data to be passed to the caller if code is nonzero, and optional
441
* authorization data to be included in the ticket. In non-FAST replies,
442
* e_data will be encoded as typed-data if the module sets the PA_TYPED_E_DATA
443
* flag, and as pa-data otherwise. e_data and authz_data will be freed by the
447
(*krb5_kdcpreauth_verify_respond_fn)(void *arg, krb5_error_code code,
448
krb5_kdcpreauth_modreq modreq,
449
krb5_pa_data **e_data,
450
krb5_authdata **authz_data);
453
* Optional: verify preauthentication data sent by the client, setting the
454
* TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
455
* field as appropriate. The implementation must invoke the respond function
456
* when complete, whether successful or not.
459
(*krb5_kdcpreauth_verify_fn)(krb5_context context,
460
krb5_data *req_pkt, krb5_kdc_req *request,
461
krb5_enc_tkt_part *enc_tkt_reply,
463
krb5_kdcpreauth_callbacks cb,
464
krb5_kdcpreauth_rock rock,
465
krb5_kdcpreauth_moddata moddata,
466
krb5_kdcpreauth_verify_respond_fn respond,
470
* Optional: generate preauthentication response data to send to the client as
471
* part of the AS-REP. If it needs to override the key which is used to
472
* encrypt the response, it can do so.
474
typedef krb5_error_code
475
(*krb5_kdcpreauth_return_fn)(krb5_context context,
476
krb5_pa_data *padata,
478
krb5_kdc_req *request,
480
krb5_keyblock *encrypting_key,
481
krb5_pa_data **send_pa_out,
482
krb5_kdcpreauth_callbacks cb,
483
krb5_kdcpreauth_rock rock,
484
krb5_kdcpreauth_moddata moddata,
485
krb5_kdcpreauth_modreq modreq);
487
/* Optional: free a per-request context. */
489
(*krb5_kdcpreauth_free_modreq_fn)(krb5_context,
490
krb5_kdcpreauth_moddata moddata,
491
krb5_kdcpreauth_modreq modreq);
493
typedef struct krb5_kdcpreauth_vtable_st {
494
/* Mandatory: name of module. */
497
/* Mandatory: pointer to zero-terminated list of pa_types which this module
498
* can provide services for. */
499
krb5_preauthtype *pa_type_list;
501
krb5_kdcpreauth_init_fn init;
502
krb5_kdcpreauth_fini_fn fini;
503
krb5_kdcpreauth_flags_fn flags;
504
krb5_kdcpreauth_edata_fn edata;
505
krb5_kdcpreauth_verify_fn verify;
506
krb5_kdcpreauth_return_fn return_padata;
507
krb5_kdcpreauth_free_modreq_fn free_modreq;
508
} *krb5_kdcpreauth_vtable;
525
510
#endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */