#define KRB5_DB_LOCKMODE_PERMANENT 0x0008
/* db_invoke methods */
-#define KRB5_KDB_METHOD_SIGN_AUTH_DATA 0x00000010
#define KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS 0x00000020
#define KRB5_KDB_METHOD_CHECK_POLICY_AS 0x00000030
#define KRB5_KDB_METHOD_CHECK_POLICY_TGS 0x00000040
#define KRB5_KDB_METHOD_REFRESH_POLICY 0x00000070
#define KRB5_KDB_METHOD_CHECK_ALLOWED_TO_DELEGATE 0x00000080
-typedef struct _kdb_sign_auth_data_req {
- krb5_magic magic;
- unsigned int flags; /* KRB5_KDB flags */
- krb5_const_principal client_princ; /* Client name used in ticket */
- krb5_db_entry *client; /* DB entry for client principal */
- krb5_db_entry *server; /* DB entry for server principal */
- krb5_db_entry *krbtgt; /* DB entry for ticket granting service principal */
- krb5_keyblock *client_key; /* Reply key, valid for AS-REQ only */
- krb5_keyblock *server_key; /* Key used to generate server signature */
- krb5_timestamp authtime; /* Authtime of TGT */
- krb5_authdata **auth_data; /* Authorization data from TGT */
- krb5_keyblock *session_key; /* Reply session key */
- krb5_keyblock *krbtgt_key; /* Key used to decrypt TGT, valid for TGS-REQ only */
-} kdb_sign_auth_data_req;
-
-typedef struct _kdb_sign_auth_data_rep {
- krb5_magic magic;
- krb5_authdata **auth_data; /* Signed authorization data */
-} kdb_sign_auth_data_rep;
-
typedef struct _kdb_check_transited_realms_req {
krb5_magic magic;
const krb5_data *tr_contents;
int count,
krb5_key_data * data);
+krb5_error_code krb5_db_sign_authdata(krb5_context kcontext,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data);
+
krb5_error_code krb5_db_invoke ( krb5_context kcontext,
unsigned int method,
const krb5_data *req,
krb5_data *rep );
-
/* default functions. Should not be directly called */
/*
* Default functions prototype
* DAL. It is passed to init_library to allow KDB modules to detect when
* they are being loaded by an incompatible version of the KDC.
*/
-#define KRB5_KDB_DAL_VERSION 20100702
+#define KRB5_KDB_DAL_VERSION 20100712
/*
* A krb5_context can hold one database object. Modules should use
const krb5_keysalt *keysalt,
int keyver, krb5_key_data *key_data);
+ /*
+ * Optional: Generate signed authorization data, such as a Windows PAC, for
+ * the ticket to be returned to the client. Place the signed authorization
+ * data, if any, in *signed_auth_data. This function will be invoked for
+ * an AS request if the client included padata requesting a PAC. This
+ * function will be invoked for a TGS request if there is authorization
+ * data in the TGT, if the client is from another realm, or if the TGS
+ * request is an S4U2Self or S4U2Proxy request. This function will not be
+ * invoked during TGS requests if the server principal has the
+ * no_auth_data_required attribute set. Input parameters are:
+ *
+ * flags: The flags used to look up the client principal.
+ *
+ * client_princ: For S4U2Proxy TGS requests, the client principal
+ * requested by the service; for regular TGS requests, the
+ * possibly-canonicalized client principal.
+ *
+ * client: The DB entry of the client. For S4U2Self, this will be the DB
+ * entry for the client principal requested by the service).
+ *
+ * server: The DB entry of the service principal.
+ *
+ * krbtgt: For TGS requests, the DB entry of the (possibly foreign)
+ * ticket granting service of the TGT. For AS requests, the DB entry
+ * of the service principal.
+ *
+ * client_key: The reply key for the KDC request, before any FAST armor
+ * is applied. For AS requests, this may be the client's long-term key
+ * or a key chosen by a preauth mechanism. For TGS requests, this may
+ * be the subkey found in the AP-REQ or the session key of the TGT.
+ *
+ * server_key: The server key used to encrypt the returned ticket.
+ *
+ * krbtgt_key: For TGS requests, the key of the (possibly foreign) ticket
+ * granting service of the TGT. for AS requests, the service
+ * principal's key.
+ *
+ * session_key: The session key of the ticket being granted to the
+ * requestor.
+ *
+ * authtime: The timestamp of the original client authentication time.
+ * For AS requests, this is the current time. For TGS requests, this
+ * is the authtime of the subject ticket (TGT or S4U2Proxy evidence
+ * ticket).
+ *
+ * tgt_auth_data: For TGS requests, the authorization data present in the
+ * subject ticket. For AS requests, NULL.
+ */
+ krb5_error_code (*sign_authdata)(krb5_context kcontext,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+ krb5_db_entry *client,
+ krb5_db_entry *server,
+ krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key,
+ krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key,
+ krb5_keyblock *session_key,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data);
+
/*
* Optional: Perform an operation on input data req with output stored in
* rep. Return KRB5_PLUGIN_OP_NOTSUPP if the module does not implement the
* method. Defined methods are:
*
- * KRB5_KDB_METHOD_SIGN_AUTH_DATA: req contains a krb5_sign_auth_data_req
- * structure. Generate signed authorization data, such as a Windows
- * PAC, for the ticket to be returned to the client. Place the signed
- * authorization data in rep using a krb5_sign_auth_data_rep structure.
- * This function will be invoked for an AS request if the client
- * included padata requesting a PAC. This function will be invoked for
- * a TGS request if there is authorization data in the TGT, if the
- * client is from another realm, or if the TGS request is an S4U2Self
- * or S4U2Proxy request.
*
* KRB5_KDB_METHOD_CHECK_TRANSITED_REALMS: req contains a
* kdb_check_transited_realms_req structure. Perform a policy check on
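Review bot: The new sign_authdata comment in kdb_vftabl documents every input parameter but not the output contract of `signed_auth_data`: whether a module may leave it NULL when it has nothing to add, and who frees a non-NULL result (the KDC hands it to merge_authdata, so presumably the caller owns it — confirm). Suggest a final paragraph after tgt_auth_data such as ` * signed_auth_data: Output parameter.  Set to NULL if there is no authorization data to add; otherwise the returned array is owned by the caller.` Removing the KRB5_KDB_METHOD_SIGN_AUTH_DATA paragraph also leaves two consecutive bare ` *` lines in the db_invoke comment (the ones immediately before and after the removed block), so one of them should go. Two smaller wording slips in the new text: the `client` paragraph ends with an unbalanced `)` after "requested by the service", and the `krbtgt_key` paragraph starts a sentence with lowercase "for AS requests".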
krb5_enc_tkt_part *enc_tkt_reply)
{
krb5_error_code code;
- krb5_authdata **db_authdata = NULL;
+ krb5_authdata **tgt_authdata, **db_authdata = NULL;
krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ);
krb5_const_principal actual_client;
else
actual_client = enc_tkt_reply->client;
- code = sign_db_authdata(context,
- flags,
- actual_client,
- client,
- server,
- krbtgt,
- client_key,
- server_key, /* U2U or server key */
- krbtgt_key,
- enc_tkt_reply->times.authtime,
- tgs_req ? enc_tkt_request->authorization_data : NULL,
- enc_tkt_reply->session,
- &db_authdata);
+ tgt_authdata = tgs_req ? enc_tkt_request->authorization_data : NULL;
+ code = krb5_db_sign_authdata(context, flags, actual_client, client,
+ server, krbtgt, client_key, server_key,
+ krbtgt_key, enc_tkt_reply->session,
+ enc_tkt_reply->times.authtime, tgt_authdata,
+ &db_authdata);
if (code == 0) {
code = merge_authdata(context,
db_authdata,
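Review bot: The rewritten krb5_db_sign_authdata call drops the `/* U2U or server key */` annotation that the removed sign_db_authdata call carried on its server_key argument, and nothing else in the visible code records that server_key may be the user-to-user session key rather than the service's long-term key; keep it on the new argument line, `server, krbtgt, client_key, server_key, /* U2U or server key */`. Because the dispatcher now returns KRB5_PLUGIN_OP_NOTSUPP when a module leaves sign_authdata unset, the `if (code == 0)` branch shown here must be paired with treating that code as "no DB authdata" instead of failing the request; that handling, like the rest of the enclosing function, lies outside the hunk, so just confirm it survived the conversion from db_invoke.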
return;
}
-krb5_error_code
-sign_db_authdata (krb5_context context,
- unsigned int flags,
- krb5_const_principal client_princ,
- krb5_db_entry *client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt,
- krb5_keyblock *client_key,
- krb5_keyblock *server_key,
- krb5_keyblock *krbtgt_key,
- krb5_timestamp authtime,
- krb5_authdata **tgs_authdata,
- krb5_keyblock *session_key,
- krb5_authdata ***ret_authdata)
-{
- krb5_error_code code;
- kdb_sign_auth_data_req req;
- kdb_sign_auth_data_rep rep;
- krb5_data req_data;
- krb5_data rep_data;
-
- *ret_authdata = NULL;
-
- memset(&req, 0, sizeof(req));
- memset(&rep, 0, sizeof(rep));
-
- req.flags = flags;
- req.client_princ = client_princ;
- req.client = client;
- req.server = server;
- req.krbtgt = krbtgt;
- req.client_key = client_key;
- req.server_key = server_key;
- req.authtime = authtime;
- req.auth_data = tgs_authdata;
- req.session_key = session_key;
- req.krbtgt_key = krbtgt_key;
-
- req_data.data = (void *)&req;
- req_data.length = sizeof(req);
-
- rep_data.data = (void *)&rep;
- rep_data.length = sizeof(rep);
-
- code = krb5_db_invoke(context,
- KRB5_KDB_METHOD_SIGN_AUTH_DATA,
- &req_data,
- &rep_data);
-
- *ret_authdata = rep.auth_data;
-
- return code;
-}
-
static krb5_error_code
verify_for_user_checksum(krb5_context context,
krb5_keyblock *key,
return 0;
}
+krb5_error_code
+krb5_db_sign_authdata(krb5_context kcontext, unsigned int flags,
+ krb5_const_principal client_princ, krb5_db_entry *client,
+ krb5_db_entry *server, krb5_db_entry *krbtgt,
+ krb5_keyblock *client_key, krb5_keyblock *server_key,
+ krb5_keyblock *krbtgt_key, krb5_keyblock *session_key,
+ krb5_timestamp authtime, krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data)
+{
+ krb5_error_code status = 0;
+ kdb_vftabl *v;
+
+ *signed_auth_data = NULL;
+ status = get_vftabl(kcontext, &v);
+ if (status)
+ return status;
+ if (v->sign_authdata == NULL)
+ return KRB5_PLUGIN_OP_NOTSUPP;
+ return v->sign_authdata(kcontext, flags, client_princ, client, server,
+ krbtgt, client_key, server_key, krbtgt_key,
+ session_key, authtime, tgt_auth_data,
+ signed_auth_data);
+}
+
krb5_error_code
krb5_db_invoke(krb5_context kcontext,
unsigned int method,
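Review bot: krb5_db_sign_authdata has no header comment, and its initializer `krb5_error_code status = 0;` is dead because the first use is the assignment from get_vftabl; write `krb5_error_code status;` and add a short comment above the definition, e.g. `/* Ask the loaded DB module for signed authdata (such as a PAC) for the ticket being issued; *signed_auth_data is set to NULL and KRB5_PLUGIN_OP_NOTSUPP returned when the module does not implement sign_authdata. */`. Clearing `*signed_auth_data` before the early returns is the right choice, since the KDC caller only consumes the output on a zero return.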