/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* include/krb5/certauth_plugin.h - certauth plugin header. */
/*
 * Copyright (C) 2017 by Red Hat, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * * Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in
 *   the documentation and/or other materials provided with the
 *   distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Declarations for certauth plugin module implementors.
 *
 * The certauth pluggable interface currently has only one supported major
 * version, which is 1.  Major version 1 has a current minor version number of
 * 2.
 *
 * certauth plugin modules should define a function named
 * certauth_<modulename>_initvt, matching the signature:
 *
 *   krb5_error_code
 *   certauth_modname_initvt(krb5_context context, int maj_ver, int min_ver,
 *                           krb5_plugin_vtable vtable);
 *
 * The initvt function should:
 *
 * - Check that the supplied maj_ver number is supported by the module, or
 *   return KRB5_PLUGIN_VER_NOTSUPP if it is not.
 *
 * - Cast the vtable pointer as appropriate for maj_ver:
 *     maj_ver == 1: Cast to krb5_certauth_vtable
 *
 * - Initialize the methods of the vtable, stopping as appropriate for the
 *   supplied min_ver.  Optional methods may be left uninitialized.
 *
 * Memory for the vtable is allocated by the caller, not by the module.
 * Fields past the boundary for the supplied min_ver (marked in
 * krb5_certauth_vtable_st below) are not part of the caller's contract and
 * must not be written.
 */

#ifndef KRB5_CERTAUTH_PLUGIN_H
#define KRB5_CERTAUTH_PLUGIN_H

#include <krb5/krb5.h>
#include <krb5/plugin.h>

/*
 * Abstract module data type.  The struct tag is intentionally never defined
 * in this header; each module defines it privately.  The caller only stores
 * the pointer produced by init/init_ex and hands it back to fini, authorize
 * and free_ind.
 */
typedef struct krb5_certauth_moddata_st *krb5_certauth_moddata;

/* A module can optionally include <kdb.h> to inspect the client principal
 * entry when authorizing a request.  Declared incomplete here so that modules
 * which do not link with libkdb5 can still compile against this header. */
struct _krb5_db_entry_new;

/*
 * Optional: Initialize module data.
 *
 * *moddata_out receives the module's private state (may be left NULL if the
 * module keeps none); the same pointer is later passed to fini, authorize and
 * free_ind.
 */
typedef krb5_error_code
(*krb5_certauth_init_fn)(krb5_context context,
                         krb5_certauth_moddata *moddata_out);

/*
 * Optional: Initialize module data.  Supersedes init if present, i.e. a module
 * that sets both init and init_ex in its vtable gets only init_ex called.
 *
 * realmlist is a list of realm names.  NOTE(review): its termination
 * convention (presumably NULL-terminated) is not stated in this header;
 * confirm against the caller before iterating it.
 */
typedef krb5_error_code
(*krb5_certauth_init_ex_fn)(krb5_context context, const char *const *realmlist,
                            krb5_certauth_moddata *moddata_out);

/*
 * Optional: Clean up the module data.  Releases whatever init/init_ex stored
 * in moddata.
 */
typedef void
(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata);

/*
 * Mandatory: decode cert as an X.509 certificate and determine whether it is
 * authorized to authenticate as the requested client principal princ using
 * PKINIT.  Return 0 or KRB5_CERTAUTH_HWAUTH if the certificate is authorized.
 * Otherwise return one of the following error codes:
 *
 * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value
 * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU
 * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error
 * - KRB5_PLUGIN_NO_HANDLE or KRB5_CERTAUTH_HWAUTH_PASS - the module has no
 *   opinion about whether cert is authorized
 *
 * Returning KRB5_CERTAUTH_HWAUTH will authorize the PKINIT authentication and
 * cause the hw-authent flag to be set in the issued ticket (new in release
 * 1.19).  Returning KRB5_CERTAUTH_HWAUTH_PASS does not authorize the PKINIT
 * authentication, but causes the hw-authent flag to be set if another module
 * authorizes it (new in release 1.20).
 *
 * - cert points to cert_len bytes of DER; every read the decoder performs
 *   must be bounded by cert_len.  Because a return of 0 authorizes the
 *   request, a decode failure or an unrecognised certificate must be reported
 *   with one of the error codes above (or KRB5_PLUGIN_NO_HANDLE when the
 *   module genuinely has no opinion), never with 0.
 * - opts is used by built-in modules to receive internal data, and must be
 *   ignored by other modules.
 * - db_entry receives the client principal database entry, and can be ignored
 *   by modules that do not link with libkdb5.
 * - *authinds_out optionally returns a null-terminated list of authentication
 *   indicator strings upon KRB5_PLUGIN_NO_HANDLE or accepted authorization.
 *   A module that ever sets *authinds_out must also supply free_ind in its
 *   vtable (see krb5_certauth_free_indicator_fn).
 */
typedef krb5_error_code
(*krb5_certauth_authorize_fn)(krb5_context context,
                              krb5_certauth_moddata moddata,
                              const uint8_t *cert, size_t cert_len,
                              krb5_const_principal princ, const void *opts,
                              const struct _krb5_db_entry_new *db_entry,
                              char ***authinds_out);

/*
 * Free indicators allocated by a module.  Mandatory if authorize returns
 * authentication indicators.  authinds is the list previously stored in
 * *authinds_out by authorize; the module owns that memory and frees it here.
 */
typedef void
(*krb5_certauth_free_indicator_fn)(krb5_context context,
                                   krb5_certauth_moddata moddata,
                                   char **authinds);

/*
 * Vtable for major version 1, filled in by the module's initvt function.  The
 * caller allocates it; the module writes only the fields that exist for the
 * min_ver it was given and may leave optional fields unset.
 */
typedef struct krb5_certauth_vtable_st {
    /* Module name.  NOTE(review): presumably the <modulename> part of
     * certauth_<modulename>_initvt; not stated here, confirm with caller. */
    const char *name;
    krb5_certauth_init_fn init;                 /* Optional. */
    krb5_certauth_fini_fn fini;                 /* Optional. */
    krb5_certauth_authorize_fn authorize;       /* Mandatory. */
    /* Mandatory only if authorize sets *authinds_out. */
    krb5_certauth_free_indicator_fn free_ind;
    /* Minor version 1 ends here. */

    /* Optional; when set, called instead of init (minor version 2+). */
    krb5_certauth_init_ex_fn init_ex;
    /* Minor version 2 ends here. */
} *krb5_certauth_vtable;

#endif /* KRB5_CERTAUTH_PLUGIN_H */