159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/*
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * <krb5/preauth_plugin.h>
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Copyright (c) 2006 Red Hat, Inc.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Portions copyright (c) 2006 Massachusetts Institute of Technology
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * All Rights Reserved.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Redistribution and use in source and binary forms, with or without
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * modification, are permitted provided that the following conditions are met:
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * * Redistributions of source code must retain the above copyright
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * notice, this list of conditions and the following disclaimer.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * * Redistributions in binary form must reproduce the above copyright
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * notice, this list of conditions and the following disclaimer in
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * the documentation and/or other materials provided with the
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * distribution.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * * Neither the name of Red Hat, Inc., nor the names of its
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * contributors may be used to endorse or promote products derived
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * from this software without specific prior written permission.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Preauthentication plugin definitions for Kerberos 5.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan */
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan#ifndef KRB5_PREAUTH_PLUGIN_H_INCLUDED
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan#define KRB5_PREAUTH_PLUGIN_H_INCLUDED
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan#include <krb5.h>
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * While arguments of these types are passed-in, for the most part a preauth
 * module can treat them as opaque. If we need keying data, we can ask for
 * it directly.
 *
 * Only pointers to these are ever handed to a module; the definitions live
 * elsewhere and are not part of this plugin interface.
 */
/* A principal database record (see preauth_get_entry_data_proc). */
struct _krb5_db_entry_new;
/* Key data belonging to a database record; opaque here. */
struct _krb5_key_data;
/* Opaque handle the client library passes to a module, and which the module
 * hands back through preauth_get_client_data_proc. */
struct _krb5_preauth_client_rock;
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * Preauth mechanism property flags, unified from previous definitions in the
 * KDC and libkrb5 sources.  Each flag is a distinct bit, so a module's flags
 * callback may return several of them OR'd together.  Flags marked
 * client-only are consulted by libkrb5, server-only ones by the KDC.
 */

/* Provides a real answer which we can send back to the KDC (client-only). The
 * client assumes that one real answer will be enough. */
#define PA_REAL 0x00000001

/* Doesn't provide a real answer, but must be given a chance to run before any
 * REAL mechanism callbacks (client-only). */
#define PA_INFO 0x00000002

/* Causes the KDC to include this mechanism in a list of supported preauth
 * types if the user's DB entry flags the user as requiring hardware-based
 * preauthentication (server-only). */
#define PA_HARDWARE 0x00000004

/* Causes the KDC to include this mechanism in a list of supported preauth
 * types if the user's DB entry flags the user as requiring preauthentication,
 * and to fail preauthentication if we can't verify the client data. The
 * flipside of PA_SUFFICIENT (server-only). */
#define PA_REQUIRED 0x00000008

/* Causes the KDC to include this mechanism in a list of supported preauth
 * types if the user's DB entry flags the user as requiring preauthentication,
 * and to mark preauthentication as successful if we can verify the client
 * data. The flipside of PA_REQUIRED (server-only). */
#define PA_SUFFICIENT 0x00000010

/* Marks this preauthentication mechanism as one which changes the key which is
 * used for encrypting the response to the client. Modules which have this
 * flag have their server_return_proc called before modules which do not, and
 * are passed over if a previously-called module has modified the encrypting
 * key (server-only). */
#define PA_REPLACES_KEY 0x00000020

/* Causes the KDC to check with this preauthentication module even if the
 * client has no entry in the realm database. If the module returns a success
 * code, continue processing and assume that its return_padata callback will
 * supply us with a key for encrypting the AS reply (server-only).
 * Deliberately left commented out: PA_VIRTUAL is not defined by this header.
 * NOTE(review): bit 0x00000040 is presumably still reserved for it — do not
 * reuse it for a new flag without confirming. */
/* #define PA_VIRTUAL (0x00000040 | PA_REPLACES_KEY) */

/* Not really a padata type, so don't include it in any list of preauth types
 * which gets sent over the wire. */
#define PA_PSEUDO 0x00000080
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/***************************************************************************
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Client-side preauthentication plugin interface definition.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan ***************************************************************************/
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * Obtains the user's long-term AS key: prompts for the password through
 * prompter/prompter_data, then derives the key using the supplied salt and
 * string-to-key parameters, leaving the result in *as_key.  For now this is
 * identical to the get_as_key callback libkrb5 uses internally; a separate
 * typedef is exported so the plugin interface is insulated from future
 * changes to the internal one.
 *
 * as_key receives long-term key material and should be treated as sensitive
 * (not logged, not retained past the request).  NOTE(review): this header
 * does not say who frees the keyblock contents — confirm against libkrb5.
 */
typedef krb5_error_code
(*preauth_get_as_key_proc)(krb5_context context,
                           krb5_principal principal,
                           krb5_enctype etype,
                           krb5_prompter_fct prompter,
                           void *prompter_data,
                           krb5_data *salt,
                           krb5_data *s2kparams,
                           krb5_keyblock *as_key,
                           void *gak_data);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * A client module's callback functions are allowed to request various
 * information to enable it to process a request.  These values are passed
 * as the request_type argument of preauth_get_client_data_proc.
 */
enum krb5plugin_preauth_client_request_type {
    /* The returned krb5_data item holds the enctype used to encrypt the
     * encrypted portion of the AS_REP packet. */
    krb5plugin_preauth_client_get_etype = 1,
    /* Free the data returned from krb5plugin_preauth_client_get_etype. */
    krb5plugin_preauth_client_free_etype = 2
};
/*
 * Callback supplied to client modules (as the get_data_proc argument of the
 * process and tryagain functions) for asking the library about the current
 * request.  request_type is one of enum
 * krb5plugin_preauth_client_request_type; rock is the opaque handle the
 * library gave the module; the answer is returned through *data.
 */
typedef krb5_error_code
(*preauth_get_client_data_proc)(krb5_context context,
                                struct _krb5_preauth_client_rock *rock,
                                krb5_int32 request_type,
                                krb5_data **data);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* Per-plugin initialization. The init function is called by libkrb5 when
 * the plugin is loaded. It is optional and may be called multiple times in
 * case the plugin is used in multiple contexts. The context it stores in
 * *plugin_context lives the lifetime of the krb5_context and is handed back
 * to every other callback of this module. */
typedef krb5_error_code
(*preauth_client_plugin_init_proc)(krb5_context context,
                                   void **plugin_context);
/* Per-plugin cleanup. Called before the plugin is unloaded, with the
 * plugin_context produced by the matching init call. Optional, and may be
 * called multiple times in case the plugin is used in multiple contexts. */
typedef void
(*preauth_client_plugin_fini_proc)(krb5_context context,
                                   void *plugin_context);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* A callback which returns flags indicating if the module is a "real" or
 * an "info" mechanism, and so on (a bitwise OR of the PA_* flags above).
 * This function is called for each entry in the module's pa_type_list, with
 * pa_type set to that entry. */
typedef int
(*preauth_client_get_flags_proc)(krb5_context context,
                                 krb5_preauthtype pa_type);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* Per-request initialization. The request_init function is called when
 * beginning to process a get_init_creds request; the state it stores in
 * *request_context is passed to the process and tryagain callbacks and
 * released by request_fini. This is optional. It may be called multiple
 * times in the lifetime of a krb5_context. */
typedef void
(*preauth_client_request_init_proc)(krb5_context context,
                                    void *plugin_context,
                                    void **request_context);
/* Per-request cleanup. Called when processing of the request is complete,
 * with the request_context produced by request_init. Optional. */
typedef void
(*preauth_client_request_fini_proc)(krb5_context context,
                                    void *plugin_context,
                                    void *request_context);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* Client function which processes server-supplied data in pa_data,
 * returns created data in out_pa_data, storing any of its own state in
 * request_context (presumably what earlier text called client_context) if
 * data for the associated preauthentication type is needed. It is also
 * called after the AS-REP is received if the AS-REP includes
 * preauthentication data of the associated type.
 * pa_data is whatever the KDC sent for this padata type; validate its
 * length and contents before decoding it.
 * NOTE! the encoded_previous_request will be NULL the first time this
 * function is called, because it is expected to only ever contain the data
 * obtained from a previous call to this function.
 * gak_fct/gak_data obtain the user's long-term key (see
 * preauth_get_as_key_proc); as_key, salt and s2kparams are key-derivation
 * material and should not be logged or retained past the request.
 * NOTE(review): ownership of the array stored in *out_pa_data is not
 * stated here — confirm who frees it against libkrb5. */
typedef krb5_error_code
(*preauth_client_process_proc)(krb5_context context,
                               void *plugin_context,    /* from init */
                               void *request_context,   /* from request_init */
                               krb5_get_init_creds_opt *opt,
                               preauth_get_client_data_proc get_data_proc,
                               struct _krb5_preauth_client_rock *rock, /* pass to get_data_proc */
                               krb5_kdc_req *request,
                               krb5_data *encoded_request_body,
                               krb5_data *encoded_previous_request,
                               krb5_pa_data *pa_data,
                               krb5_prompter_fct prompter,
                               void *prompter_data,
                               preauth_get_as_key_proc gak_fct,
                               void *gak_data,
                               krb5_data *salt,
                               krb5_data *s2kparams,
                               krb5_keyblock *as_key,
                               krb5_pa_data ***out_pa_data);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* Client function which can attempt to use e-data in the error response to
 * try to recover from the given error. If this function is not NULL, and
 * it stores data in out_pa_data which is different data from the contents
 * of in_pa_data, then the client library will retransmit the request.
 * error is the KDC's error reply; its e-data has not been verified for
 * this module, so check lengths and contents before decoding. The
 * remaining arguments have the same meaning as in
 * preauth_client_process_proc, including the sensitivity of as_key, salt
 * and s2kparams. */
typedef krb5_error_code
(*preauth_client_tryagain_proc)(krb5_context context,
                                void *plugin_context,
                                void *request_context,
                                krb5_get_init_creds_opt *opt,
                                preauth_get_client_data_proc get_data_proc,
                                struct _krb5_preauth_client_rock *rock,
                                krb5_kdc_req *request,
                                krb5_data *encoded_request_body,
                                krb5_data *encoded_previous_request,
                                krb5_pa_data *in_pa_data,
                                krb5_error *error,
                                krb5_prompter_fct prompter,
                                void *prompter_data,
                                preauth_get_as_key_proc gak_fct,
                                void *gak_data,
                                krb5_data *salt,
                                krb5_data *s2kparams,
                                krb5_keyblock *as_key,
                                krb5_pa_data ***out_pa_data);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * Client function which receives krb5_get_init_creds_opt information as an
 * attr/value string pair.  The attr and value information supplied should
 * be copied locally by the module if it wishes to reference it after
 * returning from this call; the pointers are not guaranteed to stay valid.
 */
typedef krb5_error_code
(*preauth_client_supply_gic_opts_proc)(krb5_context context,
                                       void *plugin_context,
                                       krb5_get_init_creds_opt *opt,
                                       const char *attr,
                                       const char *value);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * The function table / structure which a preauth client module must export as
 * "preauthentication_client_0". If the interfaces work correctly, future
 * versions of the table will add either more callbacks or more arguments to
 * callbacks, and in both cases we'll be able to wrap the v0 functions.
 *
 * Field order is part of the plugin ABI; append new members, never reorder.
 * NOTE(review): the type is named _v1 while the exported symbol is documented
 * as "..._0" — confirm which name libkrb5 actually looks up.
 */
typedef struct krb5plugin_preauth_client_ftable_v1 {
    /* Not-usually-visible name. */
    char *name;

    /* Pointer to zero-terminated list of pa_types which this module can
     * provide services for. */
    krb5_preauthtype *pa_type_list;

    /* Pointer to zero-terminated list of enc_types which this module claims
     * to add support for. */
    krb5_enctype *enctype_list;

    /* Per-plugin initialization/cleanup. The init function is called
     * by libkrb5 when the plugin is loaded, and the fini function is
     * called before the plugin is unloaded. Both are optional and
     * may be called multiple times in case the plugin is used in
     * multiple contexts. The returned context lives the lifetime of
     * the krb5_context */
    preauth_client_plugin_init_proc init;
    preauth_client_plugin_fini_proc fini;

    /* A callback which returns flags indicating if the module is a "real" or
     * an "info" mechanism, and so on (a bitwise OR of the PA_* flags). This
     * function is called for each entry in pa_type_list. */
    preauth_client_get_flags_proc flags;

    /* Per-request initialization/cleanup. The request_init function is
     * called when beginning to process a get_init_creds request and the
     * request_fini function is called when processing of the request is
     * complete. This is optional. It may be called multiple times in
     * the lifetime of a krb5_context. */
    preauth_client_request_init_proc request_init;
    preauth_client_request_fini_proc request_fini;

    /* Client function which processes server-supplied data in pa_data,
     * returns created data in out_pa_data, storing any of its own state in
     * request_context if data for the associated preauthentication type is
     * needed. It is also called after the AS-REP is received if the AS-REP
     * includes preauthentication data of the associated type. pa_data comes
     * from the KDC and must be validated before it is decoded.
     * NOTE! the encoded_previous_request will be NULL the first time this
     * function is called, because it is expected to only ever contain the data
     * obtained from a previous call to this function. */
    preauth_client_process_proc process;

    /* Client function which can attempt to use e-data in the error response to
     * try to recover from the given error. If this function is not NULL, and
     * it stores data in out_pa_data which is different data from the contents
     * of in_pa_data, then the client library will retransmit the request. */
    preauth_client_tryagain_proc tryagain;

    /*
     * Client function which receives krb5_get_init_creds_opt information.
     * The attr and value information supplied should be copied locally by
     * the module if it wishes to reference it after returning from this call.
     */
    preauth_client_supply_gic_opts_proc gic_opts;

} krb5plugin_preauth_client_ftable_v1;
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan/***************************************************************************
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan * Server-side preauthentication plugin interface definition.
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan *
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan ***************************************************************************/
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * A server module's callback functions are allowed to request specific types
 * of information about the given client or server record or request, even
 * though the database records themselves are opaque to the module.  These
 * values are passed as the request_type argument of
 * preauth_get_entry_data_proc.
 */
enum krb5plugin_preauth_entry_request_type {
    /* The returned krb5_data item holds a DER-encoded X.509 certificate. */
    krb5plugin_preauth_entry_request_certificate = 1,
    /* The returned krb5_data item holds a krb5_deltat. */
    krb5plugin_preauth_entry_max_time_skew = 2,
    /* The returned krb5_data item holds an array of krb5_keyblock structures,
     * terminated by an entry with key type = 0.
     * Each keyblock should have its contents freed in turn, and then the data
     * item itself should be freed.  These are the principal's keys: do not
     * log them or keep them beyond the request. */
    krb5plugin_preauth_keys = 3,
    /* The returned krb5_data item holds the request structure, re-encoded
     * using DER. Unless the client implementation is the same as the server
     * implementation, there's a good chance that the result will not match
     * what the client sent, so don't go creating any fatal errors if it
     * doesn't match up. */
    krb5plugin_preauth_request_body = 4
};
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/*
 * Callback supplied to server modules for retrieving information about the
 * request or the (otherwise opaque) database entry.  request_type is one of
 * enum krb5plugin_preauth_entry_request_type; the answer is returned
 * through *data.  NOTE(review): except for krb5plugin_preauth_keys, how the
 * returned item is to be freed is not stated in this header — confirm.
 */
typedef krb5_error_code
(*preauth_get_entry_data_proc)(krb5_context context,
                               krb5_kdc_req *request,
                               struct _krb5_db_entry_new *entry,
                               krb5_int32 request_type,
                               krb5_data **data);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* Preauth plugin initialization function. Creates the per-plugin context
 * returned through *plugin_context, which is handed to the module's other
 * server callbacks. realmnames presumably lists the realms this KDC serves.
 * NOTE(review): whether realmnames is NULL-terminated is not stated here —
 * confirm before iterating it. */
typedef krb5_error_code
(*preauth_server_init_proc)(krb5_context context,
                            void **plugin_context,
                            const char** realmnames);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* Preauth plugin cleanup function. plugin_context is the value produced by
 * preauth_server_init_proc. */
typedef void
(*preauth_server_fini_proc)(krb5_context context, void *plugin_context);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan
/* Return the flags which the KDC should use for this module (a bitwise OR
 * of the server-only PA_* flags above). This is a callback instead of a
 * static value because the module may or may not wish to count itself as a
 * hardware preauthentication module (in other words, the flags may be
 * affected by the configuration, for example if a site administrator can
 * force a particular preauthentication type to be supported using only
 * hardware). This function is called for each entry in the module's list
 * of server pa_types, with patype set to that entry. */
typedef int
(*preauth_server_flags_proc)(krb5_context context, krb5_preauthtype patype);
/* Get preauthentication data to send to the client as part of the "you
 * need to use preauthentication" error. The module doesn't need to
 * actually provide data if the protocol doesn't require it, but it should
 * return either zero or non-zero to control whether its padata type is
 * included in the list which is sent back to the client. Is not allowed
 * to create a context because we have no guarantee that the client will
 * ever call again (or that it will hit this server if it does), in which
 * case a context might otherwise hang around forever: state allocated
 * here belongs to an unauthenticated request that may never complete, so
 * nothing would ever release it and a stream of such requests would
 * exhaust the KDC.
 * client and server are the DB entries for the request; pa_module_context
 * is the per-plugin state from init_proc; data is presumably the
 * krb5_pa_data the module fills in for the client. */
typedef krb5_error_code
(*preauth_server_edata_proc)(krb5_context,
                             krb5_kdc_req *request,
                             struct _krb5_db_entry_new *client,
                             struct _krb5_db_entry_new *server,
                             preauth_get_entry_data_proc,
                             void *pa_module_context,
                             krb5_pa_data *data);
/* Verify preauthentication data sent by the client, setting the
 * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
 * field as appropriate, and returning nonzero on failure. Can create
 * context data for consumption by the return_proc or
 * freepa_reqcontext_proc below (stored through pa_request_context).
 * This is the module's authentication decision: only a successful check
 * may set the flag, and a failed check must return nonzero. Setting the
 * flag on failure, or returning zero without having verified the data,
 * defeats preauthentication for the principal.
 * data is the client's padata and req_pkt the request packet it arrived
 * in; e_data and authz_data are outputs (presumably error data for the
 * client and a krb5_authdata list, respectively).
 * NOTE(review): ownership of *e_data and *authz_data once set, and what
 * happens to a pa_request_context left allocated on a nonzero return, are
 * not stated here — confirm against the KDC. */
typedef krb5_error_code
(*preauth_server_verify_proc)(krb5_context context,
                              struct _krb5_db_entry_new *client,
                              krb5_data *req_pkt,
                              krb5_kdc_req *request,
                              krb5_enc_tkt_part *enc_tkt_reply,
                              krb5_pa_data *data,
                              preauth_get_entry_data_proc,
                              void *pa_module_context,
                              void **pa_request_context,
                              krb5_data **e_data,
                              krb5_authdata ***authz_data);
/* Generate preauthentication response data to send to the client as part
 * of the AS-REP. If it needs to override the key which is used to encrypt
 * the response, it can do so (presumably through encrypting_key). The
 * module is expected (but not required, if a
 * preauth_server_free_reqcontext_proc is also provided in the table's
 * freepa_reqcontext_proc slot) to free any context data it saved in
 * "pa_request_context".
 * padata is the client's padata, reply the AS-REP being built,
 * client_keys the principal's key data from the DB, and send_pa the
 * output slot for the padata to send back; pa_module_context is the
 * per-plugin state from init_proc. */
typedef krb5_error_code
(*preauth_server_return_proc)(krb5_context context,
                              krb5_pa_data * padata,
                              struct _krb5_db_entry_new *client,
                              krb5_data *req_pkt,
                              krb5_kdc_req *request,
                              krb5_kdc_rep *reply,
                              struct _krb5_key_data *client_keys,
                              krb5_keyblock *encrypting_key,
                              krb5_pa_data **send_pa,
                              preauth_get_entry_data_proc,
                              void *pa_module_context,
                              void **pa_request_context);
/* Free up the server-side per-request context, in cases where
 * server_return_proc() didn't or for whatever reason was not called.
 * Can be NULL (the table slot may be left unset). request_pa_context is
 * the same slot the verify and return procs call pa_request_context.
 * Presumably this hook is what lets the KDC reclaim the context of a
 * request that fails verification or never reaches return_proc, so a
 * module that allocates in verify_proc should provide it. */
typedef krb5_error_code
(*preauth_server_free_reqcontext_proc)(krb5_context,
                                       void *pa_module_context,
                                       void **request_pa_context);
/*
 * The function table / structure which a preauth server module must export as
 * "preauthentication_server_0". NOTE: replace "0" with "1" for the type and
 * variable names if this gets picked up by upstream. If the interfaces work
 * correctly, future versions of the table will add either more callbacks or
 * more arguments to callbacks, and in both cases we'll be able to wrap the v0
 * functions.
 *
 * NOTE(review): the type below is already suffixed _v1 while the exported
 * symbol named above still ends in _0 — confirm which name the loader looks
 * up. Member order and types are the ABI between the KDC and every plugin
 * binary; do not reorder or insert members without versioning the table.
 */
typedef struct krb5plugin_preauth_server_ftable_v1 {
    /* Not-usually-visible name. Declared as a plain char *, so a string
     * literal assigned here must not be written through. */
    char *name;

    /* Pointer to zero-terminated list of pa_types which this module can
     * provide services for. The KDC presumably walks it until it reads 0,
     * so a list without the terminator is read past its end. */
    krb5_preauthtype *pa_type_list;

    /* Per-plugin initialization/cleanup. The init function is called by the
     * KDC when the plugin is loaded, and the fini function is called before
     * the plugin is unloaded. Both are optional. */
    preauth_server_init_proc init_proc;
    preauth_server_fini_proc fini_proc;

    /* Return the flags which the KDC should use for this module. This is a
     * callback instead of a static value because the module may or may not
     * wish to count itself as a hardware preauthentication module (in other
     * words, the flags may be affected by the configuration, for example if a
     * site administrator can force a particular preauthentication type to be
     * supported using only hardware). This function is called for each
     * entry in pa_type_list above. */
    preauth_server_flags_proc flags_proc;

    /* Get preauthentication data to send to the client as part of the "you
     * need to use preauthentication" error. The module doesn't need to
     * actually provide data if the protocol doesn't require it, but it should
     * return either zero or non-zero to control whether its padata type is
     * included in the list which is sent back to the client. Is not allowed
     * to create a context because we have no guarantee that the client will
     * ever call again (or that it will hit this server if it does), in which
     * case a context might otherwise hang around forever. */
    preauth_server_edata_proc edata_proc;

    /* Verify preauthentication data sent by the client, setting the
     * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags"
     * field as appropriate, and returning nonzero on failure. Can create
     * context data for consumption by the return_proc or
     * freepa_reqcontext_proc below. This is the authentication decision:
     * the flag may only be set when the check succeeded. */
    preauth_server_verify_proc verify_proc;

    /* Generate preauthentication response data to send to the client as part
     * of the AS-REP. If it needs to override the key which is used to encrypt
     * the response, it can do so. The module is expected (but not required,
     * if a freepa_reqcontext_proc is also provided) to free any context data
     * it saved in "pa_request_context". */
    preauth_server_return_proc return_proc;

    /* Free up the server-side per-request context, in cases where
     * server_return_proc() didn't or for whatever reason was not called.
     * Can be NULL. A module whose verify_proc allocates a context should
     * provide this so a request that fails or is abandoned does not leak. */
    preauth_server_free_reqcontext_proc freepa_reqcontext_proc;

} krb5plugin_preauth_server_ftable_v1;
/*
 * This function allows a preauth plugin to obtain preauth
 * options. The preauth_data returned from this function
 * should be freed by calling krb5_get_init_creds_opt_free_pa().
 *
 * The 'opt' pointer supplied to this function must have been
 * obtained using krb5_get_init_creds_opt_alloc().
 *
 * On success *num_preauth_data receives the element count and
 * *preauth_data the array; pass both, unchanged, to
 * krb5_get_init_creds_opt_free_pa(). Returns a krb5_error_code (zero
 * for success, by krb5 convention); the specific error values are not
 * listed in this header.
 */
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_pa
        (krb5_context context,
         krb5_get_init_creds_opt *opt,
         int *num_preauth_data,
         krb5_gic_opt_pa_data **preauth_data);
/*
 * This function frees the preauth_data that was returned by
 * krb5_get_init_creds_opt_get_pa(). num_preauth_data must be the count
 * that call produced for this array; the caller should not reuse
 * preauth_data afterwards.
 */
void KRB5_CALLCONV
krb5_get_init_creds_opt_free_pa
        (krb5_context context,
         int num_preauth_data,
         krb5_gic_opt_pa_data *preauth_data);
159d09a20817016f09b3ea28d1bdada4a336bb91Mark Phalan#endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */