1 /*
2 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3 */
4 /*
5 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2009 by the Massachusetts Institute of Technology,
6 * Cambridge, MA, USA. All Rights Reserved.
7 *
8 * This software is being provided to you, the LICENSEE, by the
9 * Massachusetts Institute of Technology (M.I.T.) under the following
10 * license. By obtaining, using and/or copying this software, you agree
11 * that you have read, understood, and will comply with these terms and
12 * conditions:
13 *
14 * Export of this software from the United States of America may
15 * require a specific license from the United States Government.
16 * It is the responsibility of any person or organization contemplating
17 * export to obtain such a license before exporting.
18 *
19 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
20 * this software and its documentation for any purpose and without fee or
21 * royalty is hereby granted, provided that you agree to comply with the
22 * following copyright notice and statements, including the disclaimer, and
23 * that the same appear on ALL copies of the software and documentation,
24 * including modifications that you make for internal use or for
25 * distribution:
26 *
27 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
28 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
29 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
30 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
31 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
32 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
33 *
34 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
35 * be used in advertising or publicity pertaining to distribution of the
36 * software. Title to copyright in this software and any associated
37 * documentation shall at all times remain with M.I.T., and USER agrees to
38 * preserve same.
39 *
40 * Furthermore if you modify this software you must label
41 * your software as modified software and not distribute it in such a
42 * fashion that it might be confused with the original M.I.T. software.
43 */
44
45 /*
46 * Copyright (C) 1998 by the FundsXpress, INC.
47 *
48 * All rights reserved.
49 *
50 * Export of this software from the United States of America may require
51 * a specific license from the United States Government. It is the
52 * responsibility of any person or organization contemplating export to
53 * obtain such a license before exporting.
54 *
55 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
56 * distribute this software and its documentation for any purpose and
57 * without fee is hereby granted, provided that the above copyright
58 * notice appear in all copies and that both that copyright notice and
59 * this permission notice appear in supporting documentation, and that
60 * the name of FundsXpress. not be used in advertising or publicity pertaining
61 * to distribution of the software without specific, written prior
62 * permission. FundsXpress makes no representations about the suitability of
63 * this software for any purpose. It is provided "as is" without express
64 * or implied warranty.
65 *
66 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
67 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
68 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
69 */
70
71 /*
72 * This prototype for k5-int.h (Krb5 internals include file)
73 * includes the user-visible definitions from krb5.h and then
74 * includes other definitions that are not user-visible but are
75 * required for compiling Kerberos internal routines.
76 *
77 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
78 */
79
80 #ifndef _KRB5_INT_H
81 #define _KRB5_INT_H
82
83 #ifdef KRB5_GENERAL__
84 #error krb5.h included before k5-int.h
85 #endif /* KRB5_GENERAL__ */
86
87 #ifndef _KERNEL
88 #include <osconf.h>
89 #include <security/cryptoki.h>
90 #else
91 #include <sys/crypto/common.h>
92 #include <sys/crypto/api.h>
93 #endif
94
95 #ifdef DEBUG
96 #if !defined(KRB5_DEBUG)
97 #define KRB5_DEBUG
98 #endif
99 #ifndef KRB5_LOG_LVL
100 #define KRB5_LOG_LVL KRB5_ERR
101 #endif
102 #endif /* DEBUG */
103
104 #ifdef _KERNEL
105
106 #ifdef DEBUG
107 #include <sys/types.h>
108 #include <sys/cmn_err.h>
109 extern void prom_printf();
110 #endif /* DEBUG */
111
112 #else /* !_KERNEL */
113
114 #define prom_printf printf
115
116 #endif /* !_KERNEL */
117
118 #ifdef KRB5_LOG_LVL
119
120 /* krb5_log is used to set the logging level to determine what class of messages
121 * are output by the mech. Note, more than one logging level can be used by
122 * bit or'ing the log values together.
123 *
124 * All log messages are captured by syslog.
125 */
126
127 extern unsigned int krb5_log;
128
129 /* Note, these defines should be mutually exclusive bit fields */
130 #define KRB5_ERR 1 /* Use this debug log level for error path logging. */
131 #define KRB5_INFO 2 /* Use this debug log level for informational messages. */
132
133 #ifdef _KERNEL
134
135 #define KRB5_LOG1(A, B, C, D) \
136 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
137 #define KRB5_LOG(A, B, C) \
138 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
139 #define KRB5_LOG0(A, B) \
140 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))
141
142 #else /* !_KERNEL */
143
144 #include <syslog.h>
145
146 #define KRB5_LOG1(A, B, C, D) \
147 ((void)((krb5_log) && (krb5_log & (A)) && \
148 (syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
149 #define KRB5_LOG(A, B, C) \
150 ((void)((krb5_log) && (krb5_log & (A)) && \
151 (syslog(LOG_DEBUG, (B), (C)), TRUE)))
152 #define KRB5_LOG0(A, B) \
153 ((void)((krb5_log) && (krb5_log & (A)) && \
154 (syslog(LOG_DEBUG, B), TRUE)))
155
156 #endif /* _KERNEL */
157
158 #else /* ! KRB5_LOG_LVL */
159
160 #define KRB5_LOG1(A, B, C, D)
161 #define KRB5_LOG(A, B, C)
162 #define KRB5_LOG0(A, B)
163
164 #endif /* KRB5_LOG_LVL */
165
166 #ifdef POSIX_TYPES
167 #define timetype time_t
168 #else
169 #define timetype long
170 #endif
171
172 /*
173 * Begin "k5-config.h"
174 */
175 #ifndef KRB5_CONFIG__
176 #define KRB5_CONFIG__
177
178 /*
179 * Machine-type definitions: PC Clone 386 running Microloss Windows
180 */
181
182 #if defined(_MSDOS) || defined(_WIN32)
183 #include "win-mac.h"
184
185 /* Kerberos Windows initialization file */
186 #define KERBEROS_INI "kerberos.ini"
187 #define INI_FILES "Files"
188 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */
189 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */
190 #define ANSI_STDIO
191 #endif
192
193 #ifndef _KERNEL
194 #ifndef KRB5_AUTOCONF__
195 #define KRB5_AUTOCONF__
196 #include "autoconf.h"
197 #endif
198 #endif /* !_KERNEL */
199
200 #ifndef KRB5_SYSTYPES__
201 #define KRB5_SYSTYPES__
202
203 #ifndef _KERNEL
204 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */
205 #include <sys/types.h>
206 #else /* HAVE_SYS_TYPES_H */
207 typedef unsigned long u_long;
208 typedef unsigned int u_int;
209 typedef unsigned short u_short;
210 typedef unsigned char u_char;
211 #endif /* HAVE_SYS_TYPES_H */
212 #endif /* KRB5_SYSTYPES__ */
213 #endif /* !_KERNEL */
214
215
216 /* #include "k5-platform.h" SUNW XXX */
217 /* not used in krb5.h (yet) */
218 typedef uint64_t krb5_ui_8;
219 typedef int64_t krb5_int64;
220
221
222
223 #define DEFAULT_PWD_STRING1 "Enter password:"
224 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
225 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
226 #define KRB5_KDB_MAX_RLIFE (60*60*24*365) /* one year */
227 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
228 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
229 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */
230
231 /*
232 * Windows requires a different api interface to each function. Here
233 * just define it as NULL.
234 */
235 #ifndef KRB5_CALLCONV
236 #define KRB5_CALLCONV
237 #define KRB5_CALLCONV_C
238 #endif
239 #ifndef O_BINARY
240 #define O_BINARY 0
241 #endif
242
243 #endif /* KRB5_CONFIG__ */
244
245 /*
246 * End "k5-config.h"
247 */
248
249 /*
250 * After loading the configuration definitions, load the Kerberos definitions.
251 */
252 #ifndef _KERNEL
253 #include <errno.h>
254 #include "profile.h"
255 #endif
256
257 #include <krb5.h>
258
259 #ifndef _KERNEL
260 #if 1 /* def NEED_SOCKETS */
261 #include <port-sockets.h>
262 #include <socket-utils.h>
263 #else
264 #ifndef SOCK_DGRAM
265 struct sockaddr;
266 #endif
267 #endif
268 #endif
269
270 /* Get mutex support; currently used only for the replay cache. */
271 #include "k5-thread.h"
272
273
274 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
275 The ones that it doesn't include, we include below. */
276
277 /*
278 * Begin "k5-errors.h"
279 */
280 #ifndef KRB5_ERRORS__
281 #define KRB5_ERRORS__
282
283
284 /* Error codes used in KRB_ERROR protocol messages.
285 Return values of library routines are based on a different error table
286 (which allows non-ambiguous error codes between subsystems) */
287
288 /* KDC errors */
289 #define KDC_ERR_NONE 0 /* No error */
290 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
291 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */
292 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */
293 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */
294 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */
295 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */
296 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */
297 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */
298 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */
299 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */
300 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */
301 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */
302 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */
303 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */
304 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */
305 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */
306 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */
307 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */
308 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */
309 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */
310 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */
311 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */
312 #define KDC_ERR_KEY_EXP 23 /* Password has expired */
313 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */
314 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */
315 /* required */
316 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
317 /* ticket don't match*/
318 #define KDC_ERR_MUST_USE_USER2USER 27 /* Server principal valid for */
319 /* user2user only */
320 #define KDC_ERR_PATH_NOT_ACCEPTED 28 /* KDC policy rejected transited */
321 /* path */
322 #define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
323 * available that is
324 * required to process the
325 * request */
326 /* Application errors */
327 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */
328 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */
329 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */
330 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */
331 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */
332 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */
333 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */
334 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */
335 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */
336 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */
337 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */
338 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */
339 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */
340 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */
341 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */
342 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */
343 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */
344 /* method required */
345 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */
346 /* in message */
347 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */
348 /* checksum in message */
349 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */
350 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */
351 /* retry with TCP */
352
353 /* other errors */
354 #define KRB_ERR_GENERIC 60 /* Generic error (description */
355 /* in e-text) */
356 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */
357
358 /* PKINIT server-reported errors */
359 #define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
360 #define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
361 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
362 #define KDC_ERR_CERTIFICATE_MISMATCH 66
363 #define KRB_AP_ERR_NO_TGT 67
364 #define KDC_ERR_WRONG_REALM 68
365 #define KRB_AP_ERR_USER_TO_USER_REQUIRED 69
366 #define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable
367 to */
368 /* trusted root cert */
369 #define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
370 #define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
371 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
372 #define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
373 /* principal name */
374 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
375 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */
376 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */
377 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
378 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
379
380 #endif /* KRB5_ERRORS__ */
381 /*
382 * End "k5-errors.h"
383 */
384
385 /*
386 * This structure is returned in the e-data field of the KRB-ERROR
387 * message when the error calling for an alternative form of
388 * authentication is returned, KRB_AP_METHOD.
389 */
390 typedef struct _krb5_alt_method {
391 krb5_magic magic;
392 krb5_int32 method;
393 unsigned int length;
394 krb5_octet *data;
395 } krb5_alt_method;
396
397 /*
398 * A null-terminated array of this structure is returned by the KDC as
399 * the data part of the ETYPE_INFO preauth type. It informs the
400 * client which encryption types are supported.
401 * The same data structure is used by both etype-info and etype-info2
402 * but s2kparams must be null when encoding etype-info.
403 */
404 typedef struct _krb5_etype_info_entry {
405 krb5_magic magic;
406 krb5_enctype etype;
407 unsigned int length;
408 krb5_octet *salt;
409 krb5_data s2kparams;
410 } krb5_etype_info_entry;
411
412 /*
413 * This is essentially -1 without sign extension which can screw up
414 * comparisons on 64 bit machines. If the length is this value, then
415 * the salt data is not present. This is to distinguish between not
416 * being set and being of 0 length.
417 */
418 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
419
420 typedef krb5_etype_info_entry ** krb5_etype_info;
421
422 /* RFC 4537 */
423 typedef struct _krb5_etype_list {
424 int length;
425 krb5_enctype *etypes;
426 } krb5_etype_list;
427
428 /*
429 * a sam_challenge is returned for alternate preauth
430 */
431 /*
432 SAMFlags ::= BIT STRING {
433 use-sad-as-key[0],
434 send-encrypted-sad[1],
435 must-pk-encrypt-sad[2]
436 }
437 */
438 /*
439 PA-SAM-CHALLENGE ::= SEQUENCE {
440 sam-type[0] INTEGER,
441 sam-flags[1] SAMFlags,
442 sam-type-name[2] GeneralString OPTIONAL,
443 sam-track-id[3] GeneralString OPTIONAL,
444 sam-challenge-label[4] GeneralString OPTIONAL,
445 sam-challenge[5] GeneralString OPTIONAL,
446 sam-response-prompt[6] GeneralString OPTIONAL,
447 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
448 sam-nonce[8] INTEGER OPTIONAL,
449 sam-cksum[9] Checksum OPTIONAL
450 }
451 */
452 /* sam_type values -- informational only */
453 #define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */
454 #define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */
455 #define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */
456 #define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */
457 #define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */
458 #define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */
459 #if 1 /* XXX need to figure out who has which numbers assigned */
460 #define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */
461 #define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */
462 #define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */
463 #endif
464 #define PA_SAM_TYPE_EXP_BASE 128 /* experimental */
465 #define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */
466 #define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */
467
468 typedef struct _krb5_predicted_sam_response {
469 krb5_magic magic;
470 krb5_keyblock sam_key;
471 krb5_flags sam_flags; /* Makes key munging easier */
472 krb5_timestamp stime; /* time on server, for replay detection */
473 krb5_int32 susec;
474 krb5_principal client;
475 krb5_data msd; /* mechanism specific data */
476 } krb5_predicted_sam_response;
477
478 typedef struct _krb5_sam_challenge {
479 krb5_magic magic;
480 krb5_int32 sam_type; /* information */
481 krb5_flags sam_flags; /* KRB5_SAM_* values */
482 krb5_data sam_type_name;
483 krb5_data sam_track_id;
484 krb5_data sam_challenge_label;
485 krb5_data sam_challenge;
486 krb5_data sam_response_prompt;
487 krb5_data sam_pk_for_sad;
488 krb5_int32 sam_nonce;
489 krb5_checksum sam_cksum;
490 } krb5_sam_challenge;
491
492 typedef struct _krb5_sam_key { /* reserved for future use */
493 krb5_magic magic;
494 krb5_keyblock sam_key;
495 } krb5_sam_key;
496
497 typedef struct _krb5_enc_sam_response_enc {
498 krb5_magic magic;
499 krb5_int32 sam_nonce;
500 krb5_timestamp sam_timestamp;
501 krb5_int32 sam_usec;
502 krb5_data sam_sad;
503 } krb5_enc_sam_response_enc;
504
505 typedef struct _krb5_sam_response {
506 krb5_magic magic;
507 krb5_int32 sam_type; /* informational */
508 krb5_flags sam_flags; /* KRB5_SAM_* values */
509 krb5_data sam_track_id; /* copied */
510 krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */
511 krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
512 krb5_int32 sam_nonce;
513 krb5_timestamp sam_patimestamp;
514 } krb5_sam_response;
515
516 typedef struct _krb5_sam_challenge_2 {
517 krb5_data sam_challenge_2_body;
518 krb5_checksum **sam_cksum; /* Array of checksums */
519 } krb5_sam_challenge_2;
520
521 typedef struct _krb5_sam_challenge_2_body {
522 krb5_magic magic;
523 krb5_int32 sam_type; /* information */
524 krb5_flags sam_flags; /* KRB5_SAM_* values */
525 krb5_data sam_type_name;
526 krb5_data sam_track_id;
527 krb5_data sam_challenge_label;
528 krb5_data sam_challenge;
529 krb5_data sam_response_prompt;
530 krb5_data sam_pk_for_sad;
531 krb5_int32 sam_nonce;
532 krb5_enctype sam_etype;
533 } krb5_sam_challenge_2_body;
534
535 typedef struct _krb5_sam_response_2 {
536 krb5_magic magic;
537 krb5_int32 sam_type; /* informational */
538 krb5_flags sam_flags; /* KRB5_SAM_* values */
539 krb5_data sam_track_id; /* copied */
540 krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
541 krb5_int32 sam_nonce;
542 } krb5_sam_response_2;
543
544 typedef struct _krb5_enc_sam_response_enc_2 {
545 krb5_magic magic;
546 krb5_int32 sam_nonce;
547 krb5_data sam_sad;
548 } krb5_enc_sam_response_enc_2;
549
550 /*
551 * Keep the pkinit definitions in a separate file so that the plugin
552 * only has to include k5-int-pkinit.h rather than k5-int.h
553 */
554
555 #include "k5-int-pkinit.h"
556
557 /*
558 * Begin "dbm.h"
559 */
560 #ifndef _KERNEL
561
562 /*
563 * Since we are always using db, use the db-ndbm include header file.
564 */
565
566 #include "db-ndbm.h"
567
568 #endif /* !KERNEL */
569 /*
570 * End "dbm.h"
571 */
572
573 /*
574 * Begin "ext-proto.h"
575 */
576 #ifndef KRB5_EXT_PROTO__
577 #define KRB5_EXT_PROTO__
578
579 #ifndef _KERNEL
580 #include <stdlib.h>
581 #include <string.h>
582 #endif /* !_KERNEL */
583
584 #ifndef HAVE_STRDUP
585 extern char *strdup (const char *);
586 #endif
587
588 #ifndef _KERNEL
589 #ifdef HAVE_UNISTD_H
590 #include <unistd.h>
591 #endif
592 #endif /* !_KERNEL */
593
594 #endif /* KRB5_EXT_PROTO__ */
595 /*
596 * End "ext-proto.h"
597 */
598
599 /*
600 * Begin "sysincl.h"
601 */
602 #ifndef KRB5_SYSINCL__
603 #define KRB5_SYSINCL__
604
605 #ifndef KRB5_SYSTYPES__
606 #define KRB5_SYSTYPES__
607 /* needed for much of the rest -- but already handled in krb5.h? */
608 /* #include <sys/types.h> */
609 #endif /* KRB5_SYSTYPES__ */
610
611 #ifdef _KERNEL
612 #include <sys/time.h>
613 #else
614 #ifdef HAVE_SYS_TIME_H
615 #include <sys/time.h>
616 #ifdef TIME_WITH_SYS_TIME
617 #include <time.h>
618 #endif
619 #else
620 #include <time.h>
621 #endif
622 #endif /* _KERNEL */
623
624 #ifdef HAVE_SYS_STAT_H
625 #include <sys/stat.h> /* struct stat, stat() */
626 #endif
627
628 #ifdef HAVE_SYS_PARAM_H
629 #include <sys/param.h> /* MAXPATHLEN */
630 #endif
631
632 #ifdef HAVE_SYS_FILE_H
633 #include <sys/file.h> /* prototypes for file-related
634 syscalls; flags for open &
635 friends */
636 #endif
637
638 #ifdef _KERNEL
639 #include <sys/fcntl.h>
640 #else
641 #include <fcntl.h>
642 #endif
643
644 #endif /* KRB5_SYSINCL__ */
645 /*
646 * End "sysincl.h"
647 */
648
649 /*
650 * Begin "los-proto.h"
651 */
652 #ifndef KRB5_LIBOS_PROTO__
653 #define KRB5_LIBOS_PROTO__
654 #endif
655
656 #ifndef _KERNEL
657 #include <stdio.h>
658
659 struct addrlist;
660 struct sendto_callback_info;
661 #endif
662
663 /* libos.spec */
664 krb5_error_code krb5_lock_file (krb5_context, int, int);
665 krb5_error_code krb5_unlock_file (krb5_context, int);
666 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *,
667 const krb5_data *, krb5_data *, int *, int);
668 /* Solaris Kerberos */
669 krb5_error_code krb5_sendto_kdc2 (krb5_context, const krb5_data *,
670 const krb5_data *, krb5_data *, int *, int,
671 char **);
672
673
674 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
675 krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
676 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname);
677
678 int krb5_net_read (krb5_context, int , char *, int);
679
680 int krb5_net_write
681 (krb5_context, int , const char *, int);
682
683
684 krb5_error_code krb5_gen_replay_name
685 (krb5_context, const krb5_address *, const char *, char **);
686
687
688 #ifndef _KERNEL
689
690 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp);
691
692 krb5_error_code
693 krb5_open_pkcs11_session(CK_SESSION_HANDLE *);
694
695
696 krb5_error_code krb5_read_message
697 (krb5_context, krb5_pointer, krb5_data *);
698
699 krb5_error_code krb5_write_message
700 (krb5_context, krb5_pointer, krb5_data *);
701 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
702 const struct addrlist *addrs, struct sendto_callback_info* callback_info,
703 krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
704 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
705 int (*msg_handler)(krb5_context, const krb5_data *, void *),
706 void *msg_handler_data);
707
708 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
709
710 krb5_error_code krb5_set_debugging_time
711 (krb5_context, krb5_timestamp, krb5_int32);
712 krb5_error_code krb5_use_natural_time
713 (krb5_context);
714 krb5_error_code krb5_set_time_offsets
715 (krb5_context, krb5_timestamp, krb5_int32);
716 krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
717 #endif
718
719 /*
720 * Solaris Kerberos
721 * The following two functions are needed for better realm
722 * determination based on the DNS domain name.
723 */
724 krb5_error_code krb5int_lookup_host(int , const char *, char **);
725
726 krb5_error_code krb5int_domain_get_realm(krb5_context, const char *,
727 char **);
728 krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *,
729 char **);
730
731 krb5_error_code krb5int_init_context_kdc(krb5_context *);
732
733 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean);
734
735 void krb5_os_free_context (krb5_context);
736
737 /* This function is needed by KfM's KerberosPreferences API
738 * because it needs to be able to specify "secure" */
739 #ifndef _KERNEL
740 krb5_error_code os_get_default_config_files
741 (profile_filespec_t **pfiles, krb5_boolean secure);
742 #endif
743
744 krb5_error_code krb5_os_hostaddr
745 (krb5_context, const char *, krb5_address ***);
746
747 #ifndef _KERNEL
748 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
749 going to use this structure. */
750 struct addrlist {
751 struct {
752 #ifdef FAI_DEFINED
753 struct addrinfo *ai;
754 #else
755 struct undefined_addrinfo *ai;
756 #endif
757 void (*freefn)(void *);
758 void *data;
759 } *addrs;
760 int naddrs;
761 int space;
762 };
763 #define ADDRLIST_INIT { 0, 0, 0 }
764 extern void krb5int_free_addrlist (struct addrlist *);
765 extern int krb5int_grow_addrlist (struct addrlist *, int);
766 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
767 int, int, int, int);
768
769 #include <locate_plugin.h>
770 krb5_error_code
771 krb5int_locate_server (krb5_context, const krb5_data *realm,
772 struct addrlist *, enum locate_service_type svc,
773 int sockettype, int family);
774
775 #endif /* _KERNEL */
776
777 /* new encryption provider api */
778
779 struct krb5_enc_provider {
780 /* keybytes is the input size to make_key;
781 keylength is the output size */
782 size_t block_size, keybytes, keylength;
783
784 /* cipher-state == 0 fresh state thrown away at end */
785 krb5_error_code (*encrypt) (
786 krb5_context context,
787 krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
788 krb5_const krb5_data *input, krb5_data *output);
789
790 krb5_error_code (*decrypt) (
791 krb5_context context,
792 krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
793 krb5_const krb5_data *input, krb5_data *output);
794
795 krb5_error_code (*make_key)
796 (krb5_context, krb5_const krb5_data *, krb5_keyblock *);
797
798 krb5_error_code (*init_state) (krb5_context,
799 const krb5_keyblock *,
800 krb5_keyusage, krb5_data *);
801 krb5_error_code (*free_state) (krb5_context, krb5_data *);
802
803 };
804
805 struct krb5_hash_provider {
806 size_t hashsize, blocksize;
807
808 /* this takes multiple inputs to avoid lots of copying. */
809 krb5_error_code (*hash) (krb5_context context,
810 unsigned int icount, krb5_const krb5_data *input,
811 krb5_data *output);
812 };
813
814 struct krb5_keyhash_provider {
815 size_t hashsize;
816
817 krb5_error_code (*hash) (
818 krb5_context context,
819 krb5_const krb5_keyblock *key,
820 krb5_keyusage keyusage,
821 krb5_const krb5_data *ivec,
822 krb5_const krb5_data *input, krb5_data *output);
823
824 krb5_error_code (*verify) (
825 krb5_context context,
826 krb5_const krb5_keyblock *key,
827 krb5_keyusage keyusage,
828 krb5_const krb5_data *ivec,
829 krb5_const krb5_data *input,
830 krb5_const krb5_data *hash,
831 krb5_boolean *valid);
832
833 };
834
835 typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
836 const struct krb5_hash_provider *hash,
837 size_t inputlen, size_t *length);
838
839 typedef krb5_error_code (*krb5_crypt_func) (
840 krb5_context context,
841 krb5_const struct krb5_enc_provider *enc,
842 krb5_const struct krb5_hash_provider *hash,
843 krb5_const krb5_keyblock *key, krb5_keyusage usage,
844 krb5_const krb5_data *ivec,
845 krb5_const krb5_data *input, krb5_data *output);
846
847 #ifndef _KERNEL
848 typedef krb5_error_code (*krb5_str2key_func) (
849 krb5_context context,
850 krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
851 krb5_const krb5_data *salt, krb5_const krb5_data *params,
852 krb5_keyblock *key);
853 #endif /* _KERNEL */
854
855 typedef krb5_error_code (*krb5_prf_func)(
856 const struct krb5_enc_provider *enc,
857 const struct krb5_hash_provider *hash,
858 const krb5_keyblock *key,
859 const krb5_data *in, krb5_data *out);
860
861 struct krb5_keytypes {
862 krb5_enctype etype;
863 char *in_string;
864 char *out_string;
865 const struct krb5_enc_provider *enc;
866 const struct krb5_hash_provider *hash;
867 krb5_encrypt_length_func encrypt_len;
868 krb5_crypt_func encrypt;
869 krb5_crypt_func decrypt;
870 krb5_cksumtype required_ctype;
871 #ifndef _KERNEL
872 /* Solaris Kerberos: strings to key conversion not done in the kernel */
873 krb5_str2key_func str2key;
874 #else /* _KERNEL */
875 char *mt_e_name;
876 char *mt_h_name;
877 crypto_mech_type_t kef_cipher_mt;
878 crypto_mech_type_t kef_hash_mt;
879 #endif /* _KERNEL */
880 };
881
882 struct krb5_cksumtypes {
883 krb5_cksumtype ctype;
884 unsigned int flags;
885 char *in_string;
886 char *out_string;
887 /* if the hash is keyed, this is the etype it is keyed with.
888 Actually, it can be keyed by any etype which has the same
889 enc_provider as the specified etype. DERIVE checksums can
890 be keyed with any valid etype. */
891 krb5_enctype keyed_etype;
892 /* I can't statically initialize a union, so I'm just going to use
893 two pointers here. The keyhash is used if non-NULL. If NULL,
894 then HMAC/hash with derived keys is used if the relevant flag
895 is set. Otherwise, a non-keyed hash is computed. This is all
896 kind of messy, but so is the krb5 api. */
897 const struct krb5_keyhash_provider *keyhash;
898 const struct krb5_hash_provider *hash;
899 /* This just gets uglier and uglier. In the key derivation case,
900 we produce an hmac. To make the hmac code work, we can't hack
901 the output size indicated by the hash provider, but we may want
902 a truncated hmac. If we want truncation, this is the number of
903 bytes we truncate to; it should be 0 otherwise. */
904 unsigned int trunc_size;
905 #ifdef _KERNEL
906 char *mt_c_name;
907 crypto_mech_type_t kef_cksum_mt;
908 #endif /* _KERNEL */
909 };
910
911 #define KRB5_CKSUMFLAG_DERIVE 0x0001
912 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002
913
914 /*
915 * in here to deal with stuff from lib/crypto
916 */
917
918 void krb5_nfold
919 (unsigned int inbits, const unsigned char *in,
920 unsigned int outbits, unsigned char *out);
921
922 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
923 const krb5_data *,
924 unsigned long,
925 krb5_enctype,
926 const krb5_data *,
927 const krb5_data *);
928
929 /* Make this a function eventually? */
930 #ifdef _WIN32
931 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
932 #elif defined(__palmos__) && !defined(__GNUC__)
933 /* CodeWarrior 8.3 complains about passing a pointer to volatile in to
934 memset. On the other hand, we probably want it for gcc. */
935 # define krb5int_zap_data(ptr, len) memset(ptr, 0, len)
936 #else
937 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len)
938 # if defined(__GNUC__) && defined(__GLIBC__)
939 /* GNU libc generates multiple bogus initialization warnings if we
940 pass memset a volatile pointer. The compiler should do well enough
941 with memset even without GNU libc's attempt at optimization. */
942 # undef memset
943 # endif
944 #endif /* WIN32 */
945 #define zap(p,l) krb5int_zap_data(p,l)
946
947
948 krb5_error_code krb5int_des_init_state
949 ( krb5_context,
950 const krb5_keyblock *,
951 krb5_keyusage, krb5_data *);
952
953 krb5_error_code krb5int_c_mandatory_cksumtype(
954 krb5_context,
955 krb5_enctype,
956 krb5_cksumtype *);
957
958 /*
959 * normally to free a cipher_state you can just memset the length to zero and
960 * free it.
961 */
962 krb5_error_code krb5int_default_free_state
963 (krb5_context, krb5_data *);
964
965
966 /*
967 * Combine two keys (normally used by the hardware preauth mechanism)
968 */
969 krb5_error_code krb5int_c_combine_keys
970 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
971 krb5_keyblock *outkey);
972
973
974 #ifdef _KERNEL
975
976 int k5_ef_crypto(
977 const char *, char *,
978 long, krb5_keyblock *,
979 const krb5_data *, int);
980
981 krb5_error_code
982 krb5_hmac(krb5_context, const krb5_keyblock *,
983 krb5_const krb5_data *, krb5_data *);
984
985 #else
986 krb5_error_code krb5_hmac
987 (krb5_context,
988 krb5_const struct krb5_hash_provider *,
989 krb5_const krb5_keyblock *, krb5_const unsigned int,
990 krb5_const krb5_data *, krb5_data *);
991
992 #endif /* _KERNEL */
993
994
995 /*
996 * These declarations are here, so both krb5 and k5crypto
997 * can get to them.
998 * krb5 needs to get to them so it can make them available to libgssapi.
999 */
1000 extern const struct krb5_enc_provider krb5int_enc_arcfour;
1001 extern const struct krb5_hash_provider krb5int_hash_md5;
1002
1003
1004 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */
1005
1006 krb5_error_code krb5_crypto_us_timeofday
1007 (krb5_int32 *,
1008 krb5_int32 *);
1009
1010 #ifndef _KERNEL
1011 /* Solaris kerberos: for convenience */
1012 time_t krb5int_gmt_mktime (struct tm *);
1013 #endif /* ! _KERNEL */
1014
1015 /* #endif KRB5_OLD_CRYPTO */
1016
1017 /* this helper fct is in libkrb5, but it makes sense declared here. */
1018
1019 krb5_error_code krb5_encrypt_helper
1020 (krb5_context context, const krb5_keyblock *key,
1021 krb5_keyusage keyusage, const krb5_data *plain,
1022 krb5_enc_data *cipher);
1023
1024 /*
1025 * End "los-proto.h"
1026 */
1027
1028 /*
1029 * Begin "libos.h"
1030 */
1031 #ifndef KRB5_LIBOS__
1032 #define KRB5_LIBOS__
1033
1034 typedef struct _krb5_os_context {
1035 krb5_magic magic;
1036 krb5_int32 time_offset;
1037 krb5_int32 usec_offset;
1038 krb5_int32 os_flags;
1039 char * default_ccname;
1040 } *krb5_os_context;
1041
1042 /*
1043 * Flags for the os_flags field
1044 *
1045 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
1046 * The intention is that this facility to correct the system clocks so
1047 * that they reflect the "real" time, for systems where for some
1048 * reason we can't set the system clock. Instead we calculate the
1049 * offset between the system time and real time, and store the offset
1050 * in the os context so that we can correct the system clock as necessary.
1051 *
1052 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
1053 * returned as the time by the krb5 time routines. This should only
1054 * be used for testing purposes (obviously!)
1055 */
1056 #define KRB5_OS_TOFFSET_VALID 1
1057 #define KRB5_OS_TOFFSET_TIME 2
1058
1059 /* lock mode flags */
1060 #define KRB5_LOCKMODE_SHARED 0x0001
1061 #define KRB5_LOCKMODE_EXCLUSIVE 0x0002
1062 #define KRB5_LOCKMODE_DONTBLOCK 0x0004
1063 #define KRB5_LOCKMODE_UNLOCK 0x0008
1064
1065 #endif /* KRB5_LIBOS__ */
1066 /*
1067 * End "libos.h"
1068 */
1069
1070 /*
1071 * Define our view of the size of a DES key.
1072 */
1073 #define KRB5_MIT_DES_KEYSIZE 8
1074 /*
1075 * Define a couple of SHA1 constants
1076 */
1077 #define SHS_DATASIZE 64
1078 #define SHS_DIGESTSIZE 20
1079
1080 /*
1081 * Check if des_int.h has been included before us. If so, then check to see
1082 * that our view of the DES key size is the same as des_int.h's.
1083 */
1084 #ifdef MIT_DES_KEYSIZE
1085 #if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
1086 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
1087 #endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
1088 #endif /* MIT_DES_KEYSIZE */
1089
1090 #ifndef _KERNEL
1091 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are
1092 * defined.
1093 */
1094 #define PROVIDE_DES3_CBC_SHA 1
1095 #define PROVIDE_NIST_SHA 1
1096
1097 #endif /* !_KERNEL */
1098
1099 /*
1100 * Begin "preauth.h"
1101 *
1102 * (Originally written by Glen Machin at Sandia Labs.)
1103 */
1104 /*
1105 * Sandia National Laboratories also makes no representations about the
1106 * suitability of the modifications, or additions to this software for
1107 * any purpose. It is provided "as is" without express or implied warranty.
1108 *
1109 */
1110 #ifndef KRB5_PREAUTH__
1111 #define KRB5_PREAUTH__
1112
1113 #include <preauth_plugin.h>
1114
1115 #define CLIENT_ROCK_MAGIC 0x4352434b
1116 /* This structure is passed into the client preauth functions and passed
1117 * back to the "get_data_proc" function so that it can locate the
1118 * requested information. It is opaque to the plugin code and can be
1119 * expanded in the future as new types of requests are defined which
1120 * may require other things to be passed through. */
1121 typedef struct _krb5_preauth_client_rock {
1122 krb5_magic magic;
1123 krb5_kdc_rep *as_reply;
1124 } krb5_preauth_client_rock;
1125
1126 /* This structure lets us keep track of all of the modules which are loaded,
1127 * turning the list of modules and their lists of implemented preauth types
1128 * into a single list which we can walk easily. */
1129 typedef struct _krb5_preauth_context {
1130 int n_modules;
1131 struct _krb5_preauth_context_module {
1132 /* Which of the possibly more than one preauth types which the
1133 * module supports we're using at this point in the list. */
1134 krb5_preauthtype pa_type;
1135 /* Encryption types which the client claims to support -- we
1136 * copy them directly into the krb5_kdc_req structure during
1137 * krb5_preauth_prepare_request(). */
1138 krb5_enctype *enctypes;
1139 /* The plugin's per-plugin context and a function to clear it. */
1140 void *plugin_context;
1141 preauth_client_plugin_fini_proc client_fini;
1142 /* The module's table, and some of its members, copied here for
1143 * convenience when we populated the list. */
1144 struct krb5plugin_preauth_client_ftable_v1 *ftable;
1145 const char *name;
1146 int flags, use_count;
1147 preauth_client_process_proc client_process;
1148 preauth_client_tryagain_proc client_tryagain;
1149 preauth_client_supply_gic_opts_proc client_supply_gic_opts;
1150 preauth_client_request_init_proc client_req_init;
1151 preauth_client_request_fini_proc client_req_fini;
1152 /* The per-request context which the client_req_init() function
1153 * might allocate, which we'll need to clean up later by
1154 * calling the client_req_fini() function. */
1155 void *request_context;
1156 /* A pointer to the request_context pointer. All modules within
1157 * a plugin will point at the request_context of the first
1158 * module within the plugin. */
1159 void **request_context_pp;
1160 } *modules;
1161 } krb5_preauth_context;
1162
1163 typedef struct _krb5_pa_enc_ts {
1164 krb5_timestamp patimestamp;
1165 krb5_int32 pausec;
1166 } krb5_pa_enc_ts;
1167
1168 typedef struct _krb5_pa_for_user {
1169 krb5_principal user;
1170 krb5_checksum cksum;
1171 krb5_data auth_package;
1172 } krb5_pa_for_user;
1173
1174 enum {
1175 KRB5_FAST_ARMOR_AP_REQUEST = 0x1
1176 };
1177
1178 typedef struct _krb5_fast_armor {
1179 krb5_int32 armor_type;
1180 krb5_data armor_value;
1181 } krb5_fast_armor;
1182 typedef struct _krb5_fast_armored_req {
1183 krb5_magic magic;
1184 krb5_fast_armor *armor;
1185 krb5_checksum req_checksum;
1186 krb5_enc_data enc_part;
1187 } krb5_fast_armored_req;
1188
1189 typedef struct _krb5_fast_req {
1190 krb5_magic magic;
1191 krb5_flags fast_options;
1192 /* padata from req_body is used*/
1193 krb5_kdc_req *req_body;
1194 } krb5_fast_req;
1195
1196
1197 /* Bits 0-15 are critical in fast options.*/
1198 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
1199 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
1200
1201 typedef struct _krb5_fast_finished {
1202 krb5_timestamp timestamp;
1203 krb5_int32 usec;
1204 krb5_principal client;
1205 krb5_checksum ticket_checksum;
1206 } krb5_fast_finished;
1207
1208 typedef struct _krb5_fast_response {
1209 krb5_magic magic;
1210 krb5_pa_data **padata;
1211 krb5_keyblock *strengthen_key;
1212 krb5_fast_finished *finished;
1213 krb5_int32 nonce;
1214 } krb5_fast_response;
1215
1216 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1217 (krb5_context,
1218 krb5_pa_data *,
1219 krb5_etype_info,
1220 krb5_keyblock *,
1221 krb5_error_code ( * )(krb5_context,
1222 const krb5_enctype,
1223 krb5_data *,
1224 krb5_const_pointer,
1225 krb5_keyblock **),
1226 krb5_const_pointer,
1227 krb5_creds *,
1228 krb5_kdc_req *,
1229 krb5_pa_data **);
1230
1231 typedef krb5_error_code (*krb5_preauth_process_proc)
1232 (krb5_context,
1233 krb5_pa_data *,
1234 krb5_kdc_req *,
1235 krb5_kdc_rep *,
1236 krb5_error_code ( * )(krb5_context,
1237 const krb5_enctype,
1238 krb5_data *,
1239 krb5_const_pointer,
1240 krb5_keyblock **),
1241 krb5_const_pointer,
1242 krb5_error_code ( * )(krb5_context,
1243 const krb5_keyblock *,
1244 krb5_const_pointer,
1245 krb5_kdc_rep * ),
1246 krb5_keyblock **,
1247 krb5_creds *,
1248 krb5_int32 *,
1249 krb5_int32 *);
1250
1251 typedef struct _krb5_preauth_ops {
1252 krb5_magic magic;
1253 int type;
1254 int flags;
1255 krb5_preauth_obtain_proc obtain;
1256 krb5_preauth_process_proc process;
1257 } krb5_preauth_ops;
1258
1259
1260 krb5_error_code krb5_obtain_padata
1261 (krb5_context,
1262 krb5_pa_data **,
1263 krb5_error_code ( * )(krb5_context,
1264 const krb5_enctype,
1265 krb5_data *,
1266 krb5_const_pointer,
1267 krb5_keyblock **),
1268 krb5_const_pointer,
1269 krb5_creds *,
1270 krb5_kdc_req *);
1271
1272 krb5_error_code krb5_process_padata
1273 (krb5_context,
1274 krb5_kdc_req *,
1275 krb5_kdc_rep *,
1276 krb5_error_code ( * )(krb5_context,
1277 const krb5_enctype,
1278 krb5_data *,
1279 krb5_const_pointer,
1280 krb5_keyblock **),
1281 krb5_const_pointer,
1282 krb5_error_code ( * )(krb5_context,
1283 const krb5_keyblock *,
1284 krb5_const_pointer,
1285 krb5_kdc_rep * ),
1286 krb5_keyblock **,
1287 krb5_creds *,
1288 krb5_int32 *);
1289
1290 void krb5_free_etype_info (krb5_context, krb5_etype_info);
1291
1292 /*
1293 * Preauthentication property flags
1294 */
1295 #define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001
1296 #define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002
1297
1298 #endif /* KRB5_PREAUTH__ */
1299 /*
1300 * End "preauth.h"
1301 */
1302
1303 /*
1304 * Extending the krb5_get_init_creds_opt structure. The original
1305 * krb5_get_init_creds_opt structure is defined publicly. The
1306 * new extended version is private. The original interface
1307 * assumed a pre-allocated structure which was passed to
1308 * krb5_get_init_creds_init(). The new interface assumes that
1309 * the caller will call krb5_get_init_creds_alloc() and
1310 * krb5_get_init_creds_free().
1311 *
1312 * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
1313 * opts structure using krb5_get_init_creds_alloc(). To do so will
1314 * introduce memory leaks. Unfortunately, there is no way to enforce
1315 * this behavior.
1316 *
1317 * Two private flags are added for backward compatibility.
1318 * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1319 * with the new krb5_get_init_creds_opt_alloc() function.
1320 * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1321 * structure is a shadow copy of an original krb5_get_init_creds_opt
1322 * structure.
1323 * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1324 * krb5int_gic_opt_to_opte(), the resulting extended structure should be
1325 * freed (using krb5_get_init_creds_free). Otherwise, the original
1326 * structure was already extended and there is no need to free it.
1327 */
1328
1329 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
1330 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
1331
1332 #define krb5_gic_opt_is_extended(s) \
1333 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
1334 #define krb5_gic_opt_is_shadowed(s) \
1335 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
1336
1337
1338 typedef struct _krb5_gic_opt_private {
1339 int num_preauth_data;
1340 krb5_gic_opt_pa_data *preauth_data;
1341 } krb5_gic_opt_private;
1342
1343 typedef struct _krb5_gic_opt_ext {
1344 krb5_flags flags;
1345 krb5_deltat tkt_life;
1346 krb5_deltat renew_life;
1347 int forwardable;
1348 int proxiable;
1349 krb5_enctype *etype_list;
1350 int etype_list_length;
1351 krb5_address **address_list;
1352 krb5_preauthtype *preauth_list;
1353 int preauth_list_length;
1354 krb5_data *salt;
1355 /*
1356 * Do not change anything above this point in this structure.
1357 * It is identical to the public krb5_get_init_creds_opt structure.
1358 * New members must be added below.
1359 */
1360 krb5_gic_opt_private *opt_private;
1361 } krb5_gic_opt_ext;
1362
1363 krb5_error_code
1364 krb5int_gic_opt_to_opte(krb5_context context,
1365 krb5_get_init_creds_opt *opt,
1366 krb5_gic_opt_ext **opte,
1367 unsigned int force,
1368 const char *where);
1369
1370 krb5_error_code
1371 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1372 krb5_error_code
1373 krb5int_copy_data_contents_add0 (krb5_context, const krb5_data *, krb5_data *);
1374
1375 #ifndef _KERNEL /* needed for lib/krb5/krb/ */
1376 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1377 (krb5_context,
1378 krb5_principal,
1379 krb5_enctype,
1380 krb5_prompter_fct,
1381 void *prompter_data,
1382 krb5_data *salt,
1383 krb5_data *s2kparams,
1384 krb5_keyblock *as_key,
1385 void *gak_data);
1386
1387 krb5_error_code KRB5_CALLCONV
1388 krb5_get_init_creds
1389 (krb5_context context,
1390 krb5_creds *creds,
1391 krb5_principal client,
1392 krb5_prompter_fct prompter,
1393 void *prompter_data,
1394 krb5_deltat start_time,
1395 char *in_tkt_service,
1396 krb5_gic_opt_ext *gic_options,
1397 krb5_gic_get_as_key_fct gak,
1398 void *gak_data,
1399 int *master,
1400 krb5_kdc_rep **as_reply);
1401
1402 krb5_error_code krb5int_populate_gic_opt (
1403 krb5_context, krb5_gic_opt_ext **,
1404 krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1405 krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1406
1407
1408 krb5_error_code KRB5_CALLCONV krb5_do_preauth
1409 (krb5_context context,
1410 krb5_kdc_req *request,
1411 krb5_data *encoded_request_body,
1412 krb5_data *encoded_previous_request,
1413 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1414 krb5_data *salt, krb5_data *s2kparams,
1415 krb5_enctype *etype, krb5_keyblock *as_key,
1416 krb5_prompter_fct prompter, void *prompter_data,
1417 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1418 krb5_preauth_client_rock *get_data_rock,
1419 krb5_gic_opt_ext *opte);
1420 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain
1421 (krb5_context context,
1422 krb5_kdc_req *request,
1423 krb5_data *encoded_request_body,
1424 krb5_data *encoded_previous_request,
1425 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1426 krb5_error *err_reply,
1427 krb5_data *salt, krb5_data *s2kparams,
1428 krb5_enctype *etype, krb5_keyblock *as_key,
1429 krb5_prompter_fct prompter, void *prompter_data,
1430 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1431 krb5_preauth_client_rock *get_data_rock,
1432 krb5_gic_opt_ext *opte);
1433 void KRB5_CALLCONV krb5_init_preauth_context
1434 (krb5_context);
1435 void KRB5_CALLCONV krb5_free_preauth_context
1436 (krb5_context);
1437 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts
1438 (krb5_context);
1439 void KRB5_CALLCONV krb5_preauth_prepare_request
1440 (krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *);
1441 void KRB5_CALLCONV krb5_preauth_request_context_init
1442 (krb5_context);
1443 void KRB5_CALLCONV krb5_preauth_request_context_fini
1444 (krb5_context);
1445
1446 #endif /* _KERNEL */
1447 void KRB5_CALLCONV krb5_free_sam_challenge
1448 (krb5_context, krb5_sam_challenge * );
1449 void KRB5_CALLCONV krb5_free_sam_challenge_2
1450 (krb5_context, krb5_sam_challenge_2 * );
1451 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1452 (krb5_context, krb5_sam_challenge_2_body *);
1453 void KRB5_CALLCONV krb5_free_sam_response
1454 (krb5_context, krb5_sam_response * );
1455 void KRB5_CALLCONV krb5_free_sam_response_2
1456 (krb5_context, krb5_sam_response_2 * );
1457 void KRB5_CALLCONV krb5_free_predicted_sam_response
1458 (krb5_context, krb5_predicted_sam_response * );
1459 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1460 (krb5_context, krb5_enc_sam_response_enc * );
1461 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1462 (krb5_context, krb5_enc_sam_response_enc_2 * );
1463 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1464 (krb5_context, krb5_sam_challenge * );
1465 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1466 (krb5_context, krb5_sam_challenge_2 * );
1467 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1468 (krb5_context, krb5_sam_challenge_2_body * );
1469 void KRB5_CALLCONV krb5_free_sam_response_contents
1470 (krb5_context, krb5_sam_response * );
1471 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1472 (krb5_context, krb5_sam_response_2 *);
1473 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1474 (krb5_context, krb5_predicted_sam_response * );
1475 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1476 (krb5_context, krb5_enc_sam_response_enc * );
1477 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1478 (krb5_context, krb5_enc_sam_response_enc_2 * );
1479
1480 void KRB5_CALLCONV krb5_free_pa_enc_ts
1481 (krb5_context, krb5_pa_enc_ts *);
1482
1483 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1484 #ifndef _KERNEL
1485 #include "com_err.h"
1486 #include <krb5/k5-plugin.h>
1487 #endif /* _KERNEL */
1488
1489 /*
1490 * Solaris Kerberos: moved from sendto_kdc.c so other code can reference
1491 */
1492 #define DEFAULT_UDP_PREF_LIMIT 1465
1493
1494 #ifndef _KERNEL
1495 #include "profile.h"
1496 #include <strings.h>
1497 #endif /* _KERNEL */
1498
1499 #define KEY_CHANGED(k1, k2) \
1500 (k1 == NULL || \
1501 k1 != k2 || \
1502 k1->enctype != k2->enctype || \
1503 k1->length != k2->length || \
1504 bcmp(k1->contents, k2->contents, k1->length))
1505
1506 #ifndef _KERNEL
1507 typedef struct _arcfour_ctx {
1508 CK_SESSION_HANDLE eSession; /* encrypt session handle */
1509 CK_SESSION_HANDLE dSession; /* decrypt session handle */
1510 CK_OBJECT_HANDLE eKey; /* encrypt key object */
1511 CK_OBJECT_HANDLE dKey; /* decrype key object */
1512 uchar_t initialized;
1513 }arcfour_ctx_rec;
1514
1515 #endif /* !_KERNEL */
1516
1517 struct _krb5_context {
1518 krb5_magic magic;
1519 krb5_enctype *in_tkt_ktypes;
1520 unsigned int in_tkt_ktype_count;
1521 krb5_enctype *tgs_ktypes;
1522 unsigned int tgs_ktype_count;
1523 /* This used to be a void*, but since we always allocate them
1524 together (though in different source files), and the types
1525 are declared in the same header, might as well just combine
1526 them.
1527
1528 The array[1] is so the existing code treating the field as
1529 a pointer will still work. For cleanliness, it should
1530 eventually get changed to a single element instead of an
1531 array. */
1532 struct _krb5_os_context os_context[1];
1533 char *default_realm;
1534 int ser_ctx_count;
1535 krb5_boolean profile_secure;
1536 void *ser_ctx;
1537 #ifndef _KERNEL
1538 profile_t profile;
1539 void *db_context;
1540 void *kdblog_context;
1541 /* allowable clock skew */
1542 krb5_deltat clockskew;
1543 krb5_cksumtype kdc_req_sumtype;
1544 krb5_cksumtype default_ap_req_sumtype;
1545 krb5_cksumtype default_safe_sumtype;
1546 krb5_flags kdc_default_options;
1547 krb5_flags library_options;
1548 int fcc_default_format;
1549 int scc_default_format;
1550 krb5_prompt_type *prompt_types;
1551 /* Message size above which we'll try TCP first in send-to-kdc
1552 type code. Aside from the 2**16 size limit, we put no
1553 absolute limit on the UDP packet size. */
1554 int udp_pref_limit;
1555
1556 /* This is the tgs_ktypes list as read from the profile, or
1557 set to compiled-in defaults. The application code cannot
1558 override it. This is used for session keys for
1559 intermediate ticket-granting tickets used to acquire the
1560 requested ticket (the session key of which may be
1561 constrained by tgs_ktypes above). */
1562 krb5_enctype *conf_tgs_ktypes;
1563 int conf_tgs_ktypes_count;
1564
1565 /* Use the _configured version? */
1566 krb5_boolean use_conf_ktypes;
1567
1568 #ifdef KRB5_DNS_LOOKUP
1569 krb5_boolean profile_in_memory;
1570 #endif /* KRB5_DNS_LOOKUP */
1571
1572 /* locate_kdc module stuff */
1573 struct plugin_dir_handle libkrb5_plugins;
1574 struct krb5plugin_service_locate_ftable *vtbl;
1575 void (**locate_fptrs)(void);
1576
1577 pid_t pid; /* fork safety: PID of process that did last PKCS11 init */
1578
1579 /* Solaris Kerberos: handles for PKCS#11 crypto */
1580 /*
1581 * Warning, do not access hSession directly as this is not fork() safe.
1582 * Instead use the krb_ctx_hSession() macro below.
1583 */
1584 CK_SESSION_HANDLE hSession;
1585 int cryptoki_initialized;
1586
1587 /* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */
1588 arcfour_ctx_rec arcfour_ctx;
1589
1590 /* preauth module stuff */
1591 struct plugin_dir_handle preauth_plugins;
1592 krb5_preauth_context *preauth_context;
1593
1594 /* error detail info */
1595 struct errinfo err;
1596 #else /* ! KERNEL */
1597 crypto_mech_type_t kef_cipher_mt;
1598 crypto_mech_type_t kef_hash_mt;
1599 crypto_mech_type_t kef_cksum_mt;
1600 #endif /* ! KERNEL */
1601 };
1602
1603 #ifndef _KERNEL
1604 extern pid_t __krb5_current_pid;
1605
1606 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context);
1607
1608 /*
1609 * fork safety: barring the ef_init code, every other function must use the
1610 * krb_ctx_hSession() macro to access the hSession field in a krb context.
1611 * Note, if the pid of the krb ctx == the current global pid then it is safe to
1612 * use the ctx hSession otherwise it needs to be re-inited before it is returned
1613 * to the caller.
1614 */
1615 #define krb_ctx_hSession(ctx) \
1616 ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx))
1617 #endif
1618
1619 #define MD5_CKSUM_LENGTH 16
1620 #define RSA_MD5_CKSUM_LENGTH 16
1621 #define MD5_BLOCKSIZE 64
1622
1623
1624 /*
1625 * Solaris Kerberos:
1626 * This next section of prototypes and constants
1627 * are all unique to the Solaris Kerberos implementation.
1628 * Because Solaris uses the native encryption framework
1629 * to provide crypto support, the following routines
1630 * are needed to support this system.
1631 */
1632
1633 /*
1634 * Begin Solaris Crypto Prototypes
1635 */
1636
1637 /*
1638 * define constants that are used for creating the constant
1639 * which is used to make derived keys.
1640 */
1641 #define DK_ENCR_KEY_BYTE 0xAA
1642 #define DK_HASH_KEY_BYTE 0x55
1643 #define DK_CKSUM_KEY_BYTE 0x99
1644
1645 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *,
1646 krb5_keyblock *, krb5_keyusage,
1647 krb5_keyblock **, krb5_keyblock **);
1648
1649 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t,
1650 krb5_keyblock *);
1651
1652 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *);
1653 krb5_keyblock *krb5_create_derived_keyblock(int);
1654
1655 #ifdef _KERNEL
1656 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *);
1657
1658 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *,
1659 const krb5_data *, krb5_data *);
1660
1661 void make_kef_key(krb5_keyblock *);
1662 int init_key_kef(crypto_mech_type_t, krb5_keyblock *);
1663 int update_key_template(krb5_keyblock *);
1664 void setup_kef_keytypes();
1665 void setup_kef_cksumtypes();
1666 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *);
1667 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *);
1668
1669 #else
1670 /*
1671 * This structure is used to map Kerberos supported OID's,
1672 * to PKCS11 mechanisms
1673 */
1674 #define USE_ENCR 0x01
1675 #define USE_HASH 0x02
1676
1677 typedef struct krb5_mech_2_pkcs {
1678 uchar_t flags;
1679 CK_MECHANISM_TYPE enc_algo;
1680 CK_MECHANISM_TYPE hash_algo;
1681 CK_MECHANISM_TYPE str2key_algo;
1682 } KRB5_MECH_TO_PKCS;
1683
1684 #define ENC_DEFINED(x) (((x).flags & USE_ENCR))
1685 #define HASH_DEFINED(x) (((x).flags & USE_HASH))
1686
1687 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos);
1688 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType);
1689 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid);
1690
1691 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *);
1692
1693 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *,
1694 unsigned int, const krb5_data *, krb5_data *);
1695
1696 krb5_error_code k5_ef_mac(krb5_context context,
1697 krb5_keyblock *key, krb5_data *ivec,
1698 krb5_const krb5_data *input, krb5_data *output);
1699
1700 #endif /* !_KERNEL */
1701
1702 krb5_error_code
1703 derive_3des_keys(krb5_context, struct krb5_enc_provider *,
1704 krb5_keyblock *, krb5_keyusage,
1705 krb5_keyblock *, krb5_keyblock *);
1706
1707 /*
1708 * End Solaris Crypto Prototypes
1709 */
1710
1711 #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
1712
1713 /* internal message representations */
1714
1715 typedef struct _krb5_safe {
1716 krb5_magic magic;
1717 krb5_data user_data; /* user data */
1718 krb5_timestamp timestamp; /* client time, optional */
1719 krb5_int32 usec; /* microsecond portion of time,
1720 optional */
1721 krb5_ui_4 seq_number; /* sequence #, optional */
1722 krb5_address *s_address; /* sender address */
1723 krb5_address *r_address; /* recipient address, optional */
1724 krb5_checksum *checksum; /* data integrity checksum */
1725 } krb5_safe;
1726
1727 typedef struct _krb5_priv {
1728 krb5_magic magic;
1729 krb5_enc_data enc_part; /* encrypted part */
1730 } krb5_priv;
1731
1732 typedef struct _krb5_priv_enc_part {
1733 krb5_magic magic;
1734 krb5_data user_data; /* user data */
1735 krb5_timestamp timestamp; /* client time, optional */
1736 krb5_int32 usec; /* microsecond portion of time, opt. */
1737 krb5_ui_4 seq_number; /* sequence #, optional */
1738 krb5_address *s_address; /* sender address */
1739 krb5_address *r_address; /* recipient address, optional */
1740 } krb5_priv_enc_part;
1741
1742 void KRB5_CALLCONV krb5_free_safe
1743 (krb5_context, krb5_safe * );
1744 void KRB5_CALLCONV krb5_free_priv
1745 (krb5_context, krb5_priv * );
1746 void KRB5_CALLCONV krb5_free_priv_enc_part
1747 (krb5_context, krb5_priv_enc_part * );
1748
1749 /*
1750 * Begin "asn1.h"
1751 */
1752 #ifndef KRB5_ASN1__
1753 #define KRB5_ASN1__
1754
1755 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1756 /* here we use some knowledge of ASN.1 encodings */
1757 /*
1758 Ticket is APPLICATION 1.
1759 Authenticator is APPLICATION 2.
1760 AS_REQ is APPLICATION 10.
1761 AS_REP is APPLICATION 11.
1762 TGS_REQ is APPLICATION 12.
1763 TGS_REP is APPLICATION 13.
1764 AP_REQ is APPLICATION 14.
1765 AP_REP is APPLICATION 15.
1766 KRB_SAFE is APPLICATION 20.
1767 KRB_PRIV is APPLICATION 21.
1768 KRB_CRED is APPLICATION 22.
1769 EncASRepPart is APPLICATION 25.
1770 EncTGSRepPart is APPLICATION 26.
1771 EncAPRepPart is APPLICATION 27.
1772 EncKrbPrivPart is APPLICATION 28.
1773 EncKrbCredPart is APPLICATION 29.
1774 KRB_ERROR is APPLICATION 30.
1775 */
1776 /* allow either constructed or primitive encoding, so check for bit 6
1777 set or reset */
1778 #define krb5_is_krb_ticket(dat)\
1779 ((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1780 (dat)->data[0] == 0x41))
1781 #define krb5_is_krb_authenticator(dat)\
1782 ((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1783 (dat)->data[0] == 0x42))
1784 #define krb5_is_as_req(dat)\
1785 ((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1786 (dat)->data[0] == 0x4a))
1787 #define krb5_is_as_rep(dat)\
1788 ((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1789 (dat)->data[0] == 0x4b))
1790 #define krb5_is_tgs_req(dat)\
1791 ((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1792 (dat)->data[0] == 0x4c))
1793 #define krb5_is_tgs_rep(dat)\
1794 ((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1795 (dat)->data[0] == 0x4d))
1796 #define krb5_is_ap_req(dat)\
1797 ((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1798 (dat)->data[0] == 0x4e))
1799 #define krb5_is_ap_rep(dat)\
1800 ((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1801 (dat)->data[0] == 0x4f))
1802 #define krb5_is_krb_safe(dat)\
1803 ((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1804 (dat)->data[0] == 0x54))
1805 #define krb5_is_krb_priv(dat)\
1806 ((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1807 (dat)->data[0] == 0x55))
1808 #define krb5_is_krb_cred(dat)\
1809 ((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1810 (dat)->data[0] == 0x56))
1811 #define krb5_is_krb_enc_as_rep_part(dat)\
1812 ((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1813 (dat)->data[0] == 0x59))
1814 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1815 ((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1816 (dat)->data[0] == 0x5a))
1817 #define krb5_is_krb_enc_ap_rep_part(dat)\
1818 ((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1819 (dat)->data[0] == 0x5b))
1820 #define krb5_is_krb_enc_krb_priv_part(dat)\
1821 ((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1822 (dat)->data[0] == 0x5c))
1823 #define krb5_is_krb_enc_krb_cred_part(dat)\
1824 ((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1825 (dat)->data[0] == 0x5d))
1826 #define krb5_is_krb_error(dat)\
1827 ((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1828 (dat)->data[0] == 0x5e))
1829
1830 /*************************************************************************
1831 * Prototypes for krb5_encode.c
1832 *************************************************************************/
1833
1834 /*
1835 krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1836 krb5_data **code);
1837 modifies *code
1838 effects Returns the ASN.1 encoding of *rep in **code.
1839 Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1840 Returns ENOMEM if memory runs out.
1841 */
1842
1843 krb5_error_code encode_krb5_authenticator
1844 (const krb5_authenticator *rep, krb5_data **code);
1845
1846 krb5_error_code encode_krb5_ticket
1847 (const krb5_ticket *rep, krb5_data **code);
1848
1849 krb5_error_code encode_krb5_encryption_key
1850 (const krb5_keyblock *rep, krb5_data **code);
1851
1852 krb5_error_code encode_krb5_enc_tkt_part
1853 (const krb5_enc_tkt_part *rep, krb5_data **code);
1854
1855 krb5_error_code encode_krb5_enc_kdc_rep_part
1856 (const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1857
1858 /* yes, the translation is identical to that used for KDC__REP */
1859 krb5_error_code encode_krb5_as_rep
1860 (const krb5_kdc_rep *rep, krb5_data **code);
1861
1862 /* yes, the translation is identical to that used for KDC__REP */
1863 krb5_error_code encode_krb5_tgs_rep
1864 (const krb5_kdc_rep *rep, krb5_data **code);
1865
1866 krb5_error_code encode_krb5_ap_req
1867 (const krb5_ap_req *rep, krb5_data **code);
1868
1869 krb5_error_code encode_krb5_ap_rep
1870 (const krb5_ap_rep *rep, krb5_data **code);
1871
1872 krb5_error_code encode_krb5_ap_rep_enc_part
1873 (const krb5_ap_rep_enc_part *rep, krb5_data **code);
1874
1875 krb5_error_code encode_krb5_as_req
1876 (const krb5_kdc_req *rep, krb5_data **code);
1877
1878 krb5_error_code encode_krb5_tgs_req
1879 (const krb5_kdc_req *rep, krb5_data **code);
1880
1881 krb5_error_code encode_krb5_kdc_req_body
1882 (const krb5_kdc_req *rep, krb5_data **code);
1883
1884 krb5_error_code encode_krb5_safe
1885 (const krb5_safe *rep, krb5_data **code);
1886
1887 struct krb5_safe_with_body {
1888 krb5_safe *safe;
1889 krb5_data *body;
1890 };
1891
1892 krb5_error_code encode_krb5_safe_with_body
1893 (const struct krb5_safe_with_body *rep, krb5_data **code);
1894
1895 krb5_error_code encode_krb5_priv
1896 (const krb5_priv *rep, krb5_data **code);
1897
1898 krb5_error_code encode_krb5_enc_priv_part
1899 (const krb5_priv_enc_part *rep, krb5_data **code);
1900
1901 krb5_error_code encode_krb5_cred
1902 (const krb5_cred *rep, krb5_data **code);
1903
1904 krb5_error_code encode_krb5_enc_cred_part
1905 (const krb5_cred_enc_part *rep, krb5_data **code);
1906
1907 krb5_error_code encode_krb5_error
1908 (const krb5_error *rep, krb5_data **code);
1909
1910 krb5_error_code encode_krb5_authdata
1911 (krb5_authdata *const *rep, krb5_data **code);
1912
1913 krb5_error_code encode_krb5_authdata_elt
1914 (const krb5_authdata *rep, krb5_data **code);
1915
1916 krb5_error_code encode_krb5_pwd_sequence
1917 (const passwd_phrase_element *rep, krb5_data **code);
1918
1919 krb5_error_code encode_krb5_pwd_data
1920 (const krb5_pwd_data *rep, krb5_data **code);
1921
1922 krb5_error_code encode_krb5_padata_sequence
1923 (krb5_pa_data *const *rep, krb5_data **code);
1924
1925 krb5_error_code encode_krb5_alt_method
1926 (const krb5_alt_method *, krb5_data **code);
1927
1928 krb5_error_code encode_krb5_etype_info
1929 (krb5_etype_info_entry *const *, krb5_data **code);
1930 krb5_error_code encode_krb5_etype_info2
1931 (krb5_etype_info_entry *const *, krb5_data **code);
1932
1933 krb5_error_code encode_krb5_enc_data
1934 (const krb5_enc_data *, krb5_data **);
1935
1936 krb5_error_code encode_krb5_pa_enc_ts
1937 (const krb5_pa_enc_ts *, krb5_data **);
1938
1939 krb5_error_code encode_krb5_sam_challenge
1940 (const krb5_sam_challenge * , krb5_data **);
1941
1942 krb5_error_code encode_krb5_sam_key
1943 (const krb5_sam_key * , krb5_data **);
1944
1945 krb5_error_code encode_krb5_enc_sam_response_enc
1946 (const krb5_enc_sam_response_enc * , krb5_data **);
1947
1948 krb5_error_code encode_krb5_sam_response
1949 (const krb5_sam_response * , krb5_data **);
1950
1951 krb5_error_code encode_krb5_sam_challenge_2
1952 (const krb5_sam_challenge_2 * , krb5_data **);
1953
1954 krb5_error_code encode_krb5_sam_challenge_2_body
1955 (const krb5_sam_challenge_2_body * , krb5_data **);
1956
1957 krb5_error_code encode_krb5_enc_sam_response_enc_2
1958 (const krb5_enc_sam_response_enc_2 * , krb5_data **);
1959
1960 krb5_error_code encode_krb5_sam_response_2
1961 (const krb5_sam_response_2 * , krb5_data **);
1962
1963 krb5_error_code encode_krb5_predicted_sam_response
1964 (const krb5_predicted_sam_response * , krb5_data **);
1965
1966 struct krb5_setpw_req {
1967 krb5_principal target;
1968 krb5_data password;
1969 };
1970 krb5_error_code encode_krb5_setpw_req
1971 (const struct krb5_setpw_req *rep, krb5_data **code);
1972
1973 /*************************************************************************
1974 * End of prototypes for krb5_encode.c
1975 *************************************************************************/
1976
1977 krb5_error_code decode_krb5_sam_challenge
1978 (const krb5_data *, krb5_sam_challenge **);
1979
1980 krb5_error_code decode_krb5_enc_sam_key
1981 (const krb5_data *, krb5_sam_key **);
1982
1983 krb5_error_code decode_krb5_enc_sam_response_enc
1984 (const krb5_data *, krb5_enc_sam_response_enc **);
1985
1986 krb5_error_code decode_krb5_sam_response
1987 (const krb5_data *, krb5_sam_response **);
1988
1989 krb5_error_code decode_krb5_predicted_sam_response
1990 (const krb5_data *, krb5_predicted_sam_response **);
1991
1992 krb5_error_code decode_krb5_sam_challenge_2
1993 (const krb5_data *, krb5_sam_challenge_2 **);
1994
1995 krb5_error_code decode_krb5_sam_challenge_2_body
1996 (const krb5_data *, krb5_sam_challenge_2_body **);
1997
1998 krb5_error_code decode_krb5_enc_sam_response_enc_2
1999 (const krb5_data *, krb5_enc_sam_response_enc_2 **);
2000
2001 krb5_error_code decode_krb5_sam_response_2
2002 (const krb5_data *, krb5_sam_response_2 **);
2003
2004
2005 /*************************************************************************
2006 * Prototypes for krb5_decode.c
2007 *************************************************************************/
2008
2009 krb5_error_code krb5_validate_times
2010 (krb5_context,
2011 krb5_ticket_times *);
2012
2013 /*
2014 krb5_error_code decode_krb5_structure(const krb5_data *code,
2015 krb5_structure **rep);
2016
2017 requires Expects **rep to not have been allocated;
2018 a new *rep is allocated regardless of the old value.
2019 effects Decodes *code into **rep.
2020 Returns ENOMEM if memory is exhausted.
2021 Returns asn1 and krb5 errors.
2022 */
2023
2024 krb5_error_code decode_krb5_authenticator
2025 (const krb5_data *code, krb5_authenticator **rep);
2026
2027 krb5_error_code decode_krb5_ticket
2028 (const krb5_data *code, krb5_ticket **rep);
2029
2030 krb5_error_code decode_krb5_encryption_key
2031 (const krb5_data *output, krb5_keyblock **rep);
2032
2033 krb5_error_code decode_krb5_enc_tkt_part
2034 (const krb5_data *output, krb5_enc_tkt_part **rep);
2035
2036 krb5_error_code decode_krb5_enc_kdc_rep_part
2037 (const krb5_data *output, krb5_enc_kdc_rep_part **rep);
2038
2039 krb5_error_code decode_krb5_as_rep
2040 (const krb5_data *output, krb5_kdc_rep **rep);
2041
2042 krb5_error_code decode_krb5_tgs_rep
2043 (const krb5_data *output, krb5_kdc_rep **rep);
2044
2045 krb5_error_code decode_krb5_ap_req
2046 (const krb5_data *output, krb5_ap_req **rep);
2047
2048 krb5_error_code decode_krb5_ap_rep
2049 (const krb5_data *output, krb5_ap_rep **rep);
2050
2051 krb5_error_code decode_krb5_ap_rep_enc_part
2052 (const krb5_data *output, krb5_ap_rep_enc_part **rep);
2053
2054 krb5_error_code decode_krb5_as_req
2055 (const krb5_data *output, krb5_kdc_req **rep);
2056
2057 krb5_error_code decode_krb5_tgs_req
2058 (const krb5_data *output, krb5_kdc_req **rep);
2059
2060 krb5_error_code decode_krb5_kdc_req_body
2061 (const krb5_data *output, krb5_kdc_req **rep);
2062
2063 krb5_error_code decode_krb5_safe
2064 (const krb5_data *output, krb5_safe **rep);
2065
2066 krb5_error_code decode_krb5_safe_with_body
2067 (const krb5_data *output, krb5_safe **rep, krb5_data *body);
2068
2069 krb5_error_code decode_krb5_priv
2070 (const krb5_data *output, krb5_priv **rep);
2071
2072 krb5_error_code decode_krb5_enc_priv_part
2073 (const krb5_data *output, krb5_priv_enc_part **rep);
2074
2075 krb5_error_code decode_krb5_cred
2076 (const krb5_data *output, krb5_cred **rep);
2077
2078 krb5_error_code decode_krb5_enc_cred_part
2079 (const krb5_data *output, krb5_cred_enc_part **rep);
2080
2081 krb5_error_code decode_krb5_error
2082 (const krb5_data *output, krb5_error **rep);
2083
2084 krb5_error_code decode_krb5_authdata
2085 (const krb5_data *output, krb5_authdata ***rep);
2086
2087 krb5_error_code decode_krb5_pwd_sequence
2088 (const krb5_data *output, passwd_phrase_element **rep);
2089
2090 krb5_error_code decode_krb5_pwd_data
2091 (const krb5_data *output, krb5_pwd_data **rep);
2092
2093 krb5_error_code decode_krb5_padata_sequence
2094 (const krb5_data *output, krb5_pa_data ***rep);
2095
2096 krb5_error_code decode_krb5_alt_method
2097 (const krb5_data *output, krb5_alt_method **rep);
2098
2099 krb5_error_code decode_krb5_etype_info
2100 (const krb5_data *output, krb5_etype_info_entry ***rep);
2101
2102 krb5_error_code decode_krb5_etype_info2
2103 (const krb5_data *output, krb5_etype_info_entry ***rep);
2104
2105 krb5_error_code decode_krb5_enc_data
2106 (const krb5_data *output, krb5_enc_data **rep);
2107
2108 krb5_error_code decode_krb5_pa_enc_ts
2109 (const krb5_data *output, krb5_pa_enc_ts **rep);
2110
2111 krb5_error_code decode_krb5_sam_key
2112 (const krb5_data *, krb5_sam_key **);
2113
2114 struct _krb5_key_data; /* kdb.h */
2115 krb5_error_code
2116 krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data,
2117 krb5_int16 n_key_data,
2118 krb5_int32 mkvno,
2119 krb5_data **code);
2120
2121 krb5_error_code
2122 krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
2123 struct _krb5_key_data **out,
2124 krb5_int16 *n_key_data,
2125 int *mkvno);
2126
2127 /*************************************************************************
2128 * End of prototypes for krb5_decode.c
2129 *************************************************************************/
2130
2131 #endif /* KRB5_ASN1__ */
2132 /*
2133 * End "asn1.h"
2134 */
2135
2136
2137 /*
2138 * Internal krb5 library routines
2139 */
2140 krb5_error_code krb5_encrypt_tkt_part
2141 (krb5_context,
2142 const krb5_keyblock *,
2143 krb5_ticket * );
2144
2145
2146 krb5_error_code krb5_encode_kdc_rep
2147 (krb5_context,
2148 const krb5_msgtype,
2149 const krb5_enc_kdc_rep_part *,
2150 int using_subkey,
2151 const krb5_keyblock *,
2152 krb5_kdc_rep *,
2153 krb5_data ** );
2154
2155 krb5_boolean krb5int_auth_con_chkseqnum
2156 (krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
2157 /*
2158 * [De]Serialization Handle and operations.
2159 */
2160 struct __krb5_serializer {
2161 krb5_magic odtype;
2162 krb5_error_code (*sizer) (krb5_context,
2163 krb5_pointer,
2164 size_t *);
2165 krb5_error_code (*externalizer) (krb5_context,
2166 krb5_pointer,
2167 krb5_octet **,
2168 size_t *);
2169 krb5_error_code (*internalizer) (krb5_context,
2170 krb5_pointer *,
2171 krb5_octet **,
2172 size_t *);
2173 };
2174 typedef const struct __krb5_serializer * krb5_ser_handle;
2175 typedef struct __krb5_serializer krb5_ser_entry;
2176
2177 krb5_ser_handle krb5_find_serializer
2178 (krb5_context,
2179 krb5_magic);
2180 krb5_error_code krb5_register_serializer
2181 (krb5_context,
2182 const krb5_ser_entry *);
2183
2184 /* Determine the external size of a particular opaque structure */
2185 krb5_error_code KRB5_CALLCONV krb5_size_opaque
2186 (krb5_context,
2187 krb5_magic,
2188 krb5_pointer,
2189 size_t *);
2190
2191 /* Serialize the structure into a buffer */
2192 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
2193 (krb5_context,
2194 krb5_magic,
2195 krb5_pointer,
2196 krb5_octet **,
2197 size_t *);
2198
2199 /* Deserialize the structure from a buffer */
2200 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
2201 (krb5_context,
2202 krb5_magic,
2203 krb5_pointer *,
2204 krb5_octet **,
2205 size_t *);
2206
2207 /* Serialize data into a buffer */
2208 krb5_error_code krb5_externalize_data
2209 (krb5_context,
2210 krb5_pointer,
2211 krb5_octet **,
2212 size_t *);
2213 /*
2214 * Initialization routines.
2215 */
2216
2217 /* Initialize serialization for krb5_[os_]context */
2218 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
2219 (krb5_context);
2220
2221 /* Initialize serialization for krb5_auth_context */
2222 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
2223 (krb5_context);
2224
2225 /* Initialize serialization for krb5_keytab */
2226 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
2227 (krb5_context);
2228
2229 /* Initialize serialization for krb5_ccache */
2230 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
2231 (krb5_context);
2232
2233 /* Initialize serialization for krb5_rcache */
2234 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
2235 (krb5_context);
2236
2237 /* [De]serialize 4-byte integer */
2238 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
2239 (krb5_int32,
2240 krb5_octet **,
2241 size_t *);
2242 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
2243 (krb5_int32 *,
2244 krb5_octet **,
2245 size_t *);
2246 /* [De]serialize 8-byte integer */
2247 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
2248 (krb5_int64, krb5_octet **, size_t *);
2249 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
2250 (krb5_int64 *, krb5_octet **, size_t *);
2251 /* [De]serialize byte string */
2252 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
2253 (krb5_octet *,
2254 size_t,
2255 krb5_octet **,
2256 size_t *);
2257 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
2258 (krb5_octet *,
2259 size_t,
2260 krb5_octet **,
2261 size_t *);
2262
2263 krb5_error_code KRB5_CALLCONV krb5int_cc_default
2264 (krb5_context, krb5_ccache *);
2265
2266 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
2267 (krb5_context, krb5_ccache, krb5_flags,
2268 krb5_creds *, krb5_creds *);
2269
2270 krb5_boolean KRB5_CALLCONV
2271 krb5_creds_compare (krb5_context in_context,
2272 krb5_creds *in_creds,
2273 krb5_creds *in_compare_creds);
2274
2275 void krb5int_set_prompt_types
2276 (krb5_context, krb5_prompt_type *);
2277
2278 krb5_error_code
2279 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
2280 krb5_keyblock * /* Old keyblock, not new! */);
2281
2282 /* set and change password helpers */
2283
2284 krb5_error_code krb5int_mk_chpw_req
2285 (krb5_context context, krb5_auth_context auth_context,
2286 krb5_data *ap_req, char *passwd, krb5_data *packet);
2287 krb5_error_code krb5int_rd_chpw_rep
2288 (krb5_context context, krb5_auth_context auth_context,
2289 krb5_data *packet, int *result_code,
2290 krb5_data *result_data);
2291 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
2292 (krb5_context context, int result_code,
2293 char **result_codestr);
2294 krb5_error_code krb5int_mk_setpw_req
2295 (krb5_context context, krb5_auth_context auth_context,
2296 krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
2297 krb5_error_code krb5int_rd_setpw_rep
2298 (krb5_context context, krb5_auth_context auth_context,
2299 krb5_data *packet, int *result_code,
2300 krb5_data *result_data);
2301 krb5_error_code krb5int_setpw_result_code_string
2302 (krb5_context context, int result_code,
2303 const char **result_codestr);
2304
2305 struct srv_dns_entry {
2306 struct srv_dns_entry *next;
2307 int priority;
2308 int weight;
2309 unsigned short port;
2310 char *host;
2311 };
2312 #ifdef KRB5_DNS_LOOKUP
2313 krb5_error_code
2314 krb5int_make_srv_query_realm(const krb5_data *realm,
2315 const char *service,
2316 const char *protocol,
2317 struct srv_dns_entry **answers);
2318 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2319 #endif
2320
2321 /*
2322 * Convenience function for structure magic number
2323 */
2324 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
2325 if ((structure)->magic != (magic_number)) return (magic_number);
2326
2327
2328 /* SUNW14resync XXX - see k5-util.h */
2329 #if 0
2330 int krb5_seteuid (int);
2331 #endif
2332
2333 char * krb5_getenv(const char *);
2334 int krb5_setenv (const char *, const char *, int);
2335 void krb5_unsetenv (const char *);
2336
2337
2338 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it
2339 for future resync sake */
2340
2341 /* To keep happy libraries which are (for now) accessing internal stuff */
2342
2343 /* Make sure to increment by one when changing the struct */
2344 #define KRB5INT_ACCESS_STRUCT_VERSION 12
2345
2346 #ifndef ANAME_SZ
2347 struct ktext; /* from krb.h, for krb524 support */
2348 #endif
2349 typedef struct _krb5int_access {
2350 /* crypto stuff */
2351 const struct krb5_hash_provider *md5_hash_provider;
2352 const struct krb5_enc_provider *arcfour_enc_provider;
2353 krb5_error_code (* krb5_hmac) (krb5_context, const struct krb5_hash_provider *hash,
2354 const krb5_keyblock *key,
2355 unsigned int icount, const krb5_data *input,
2356 krb5_data *output);
2357 /* service location and communication */
2358 #ifndef _KERNEL
2359 krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
2360 const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
2361 struct sockaddr *, socklen_t *,struct sockaddr *,
2362 socklen_t *, int *,
2363 int (*msg_handler)(krb5_context, const krb5_data *, void *),
2364 void *msg_handler_data);
2365 krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2366 const char *hostname,
2367 int port, int secport,
2368 int socktype, int family);
2369 void (*free_addrlist) (struct addrlist *);
2370 #endif /* _KERNEL */
2371
2372 krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2373 const char *service,
2374 const char *protocol,
2375 struct srv_dns_entry **answers);
2376 void (*free_srv_dns_data)(struct srv_dns_entry *);
2377 int (*use_dns_kdc)(krb5_context);
2378 krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t);
2379
2380 /* krb4 compatibility stuff -- may be null if not enabled */
2381 krb5_int32 (*krb_life_to_time)(krb5_int32, int);
2382 int (*krb_time_to_life)(krb5_int32, krb5_int32);
2383 int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
2384 krb5_error_code (*krb5int_c_mandatory_cksumtype)
2385 (krb5_context, krb5_enctype, krb5_cksumtype *);
2386 krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
2387 (krb5_int64, krb5_octet **, size_t *);
2388 krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
2389 (krb5_int64 *, krb5_octet **, size_t *);
2390
2391 /* Used for KDB LDAP back end. */
2392 krb5_error_code
2393 (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data,
2394 krb5_int16 n_key_data,
2395 krb5_int32 mkvno,
2396 krb5_data **code);
2397
2398 krb5_error_code
2399 (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
2400 struct _krb5_key_data **out,
2401 krb5_int16 *n_key_data,
2402 int *mkvno);
2403
2404 /*
2405 * pkinit asn.1 encode/decode functions
2406 */
2407 krb5_error_code (*encode_krb5_auth_pack)
2408 (const krb5_auth_pack *rep, krb5_data **code);
2409 krb5_error_code (*encode_krb5_auth_pack_draft9)
2410 (const krb5_auth_pack_draft9 *rep, krb5_data **code);
2411 krb5_error_code (*encode_krb5_kdc_dh_key_info)
2412 (const krb5_kdc_dh_key_info *rep, krb5_data **code);
2413 krb5_error_code (*encode_krb5_pa_pk_as_rep)
2414 (const krb5_pa_pk_as_rep *rep, krb5_data **code);
2415 krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9)
2416 (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code);
2417 krb5_error_code (*encode_krb5_pa_pk_as_req)
2418 (const krb5_pa_pk_as_req *rep, krb5_data **code);
2419 krb5_error_code (*encode_krb5_pa_pk_as_req_draft9)
2420 (const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code);
2421 krb5_error_code (*encode_krb5_reply_key_pack)
2422 (const krb5_reply_key_pack *, krb5_data **code);
2423 krb5_error_code (*encode_krb5_reply_key_pack_draft9)
2424 (const krb5_reply_key_pack_draft9 *, krb5_data **code);
2425 krb5_error_code (*encode_krb5_td_dh_parameters)
2426 (const krb5_algorithm_identifier **, krb5_data **code);
2427 krb5_error_code (*encode_krb5_td_trusted_certifiers)
2428 (const krb5_external_principal_identifier **, krb5_data **code);
2429 krb5_error_code (*encode_krb5_typed_data)
2430 (const krb5_typed_data **, krb5_data **code);
2431
2432 krb5_error_code (*decode_krb5_auth_pack)
2433 (const krb5_data *, krb5_auth_pack **);
2434 krb5_error_code (*decode_krb5_auth_pack_draft9)
2435 (const krb5_data *, krb5_auth_pack_draft9 **);
2436 krb5_error_code (*decode_krb5_pa_pk_as_req)
2437 (const krb5_data *, krb5_pa_pk_as_req **);
2438 krb5_error_code (*decode_krb5_pa_pk_as_req_draft9)
2439 (const krb5_data *, krb5_pa_pk_as_req_draft9 **);
2440 krb5_error_code (*decode_krb5_pa_pk_as_rep)
2441 (const krb5_data *, krb5_pa_pk_as_rep **);
2442 krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9)
2443 (const krb5_data *, krb5_pa_pk_as_rep_draft9 **);
2444 krb5_error_code (*decode_krb5_kdc_dh_key_info)
2445 (const krb5_data *, krb5_kdc_dh_key_info **);
2446 krb5_error_code (*decode_krb5_principal_name)
2447 (const krb5_data *, krb5_principal_data **);
2448 krb5_error_code (*decode_krb5_reply_key_pack)
2449 (const krb5_data *, krb5_reply_key_pack **);
2450 krb5_error_code (*decode_krb5_reply_key_pack_draft9)
2451 (const krb5_data *, krb5_reply_key_pack_draft9 **);
2452 krb5_error_code (*decode_krb5_td_dh_parameters)
2453 (const krb5_data *, krb5_algorithm_identifier ***);
2454 krb5_error_code (*decode_krb5_td_trusted_certifiers)
2455 (const krb5_data *, krb5_external_principal_identifier ***);
2456 krb5_error_code (*decode_krb5_typed_data)
2457 (const krb5_data *, krb5_typed_data ***);
2458
2459 krb5_error_code (*decode_krb5_as_req)
2460 (const krb5_data *output, krb5_kdc_req **rep);
2461 krb5_error_code (*encode_krb5_kdc_req_body)
2462 (const krb5_kdc_req *rep, krb5_data **code);
2463 void (KRB5_CALLCONV *krb5_free_kdc_req)
2464 (krb5_context, krb5_kdc_req * );
2465 void (*krb5int_set_prompt_types)
2466 (krb5_context, krb5_prompt_type *);
2467 krb5_error_code (*encode_krb5_authdata_elt)
2468 (const krb5_authdata *rep, krb5_data **code);
2469
2470 } krb5int_access;
2471
2472 #define KRB5INT_ACCESS_VERSION \
2473 (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2474 (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2475
2476 krb5_error_code KRB5_CALLCONV krb5int_accessor
2477 (krb5int_access*, krb5_int32);
2478
2479 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2480 because AFS (and potentially other applications?) use the krb4
2481 object as an opaque token, which (in some implementations) is not
2482 in fact a krb4 ticket, so we don't want to drag in the krb4 support
2483 just to enable this. */
2484
2485 #define KRB524_SERVICE "krb524"
2486 #define KRB524_PORT 4444
2487
2488 /* v4lifetime.c */
2489 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
2490 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
2491
2492 /* conv_creds.c */
2493 int krb5int_encode_v4tkt
2494 (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
2495
2496 /* send524.c */
2497 int krb5int_524_sendto_kdc
2498 (krb5_context context, const krb5_data * message,
2499 const krb5_data * realm, krb5_data * reply,
2500 struct sockaddr *, socklen_t *);
2501
2502 /* temporary -- this should be under lib/krb5/ccache somewhere */
2503
2504 struct _krb5_ccache {
2505 krb5_magic magic;
2506 const struct _krb5_cc_ops *ops;
2507 krb5_pointer data;
2508 };
2509
2510 /*
2511 * Per-type ccache cursor.
2512 */
2513 struct krb5_cc_ptcursor {
2514 const struct _krb5_cc_ops *ops;
2515 krb5_pointer data;
2516 };
2517 typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor;
2518
2519 struct _krb5_cc_ops {
2520 krb5_magic magic;
2521 char *prefix;
2522 const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
2523 krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
2524 const char *);
2525 krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2526 krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2527 krb5_principal);
2528 krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2529 krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2530 krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2531 krb5_creds *);
2532 krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2533 krb5_flags, krb5_creds *,
2534 krb5_creds *);
2535 krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2536 krb5_principal *);
2537 krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2538 krb5_cc_cursor *);
2539 krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2540 krb5_cc_cursor *, krb5_creds *);
2541 krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2542 krb5_cc_cursor *);
2543 krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2544 krb5_flags, krb5_creds *);
2545 krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2546 krb5_flags);
2547 krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache,
2548 krb5_flags *);
2549 krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2550 krb5_cc_ptcursor *);
2551 krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2552 krb5_cc_ptcursor,
2553 krb5_ccache *);
2554 krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2555 krb5_cc_ptcursor *);
2556 krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache);
2557 krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2558 krb5_ccache, krb5_timestamp *);
2559 krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2560 krb5_timestamp *);
2561 };
2562
2563 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2564
2565 krb5_error_code
2566 krb5int_cc_os_default_name(krb5_context context, char **name);
2567
2568 /*
2569 * Cursor for iterating over ccache types
2570 */
2571 struct krb5_cc_typecursor;
2572 typedef struct krb5_cc_typecursor *krb5_cc_typecursor;
2573
2574 krb5_error_code
2575 krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *cursor);
2576
2577 krb5_error_code
2578 krb5int_cc_typecursor_next(
2579 krb5_context context,
2580 krb5_cc_typecursor cursor,
2581 const struct _krb5_cc_ops **ops);
2582
2583 krb5_error_code
2584 krb5int_cc_typecursor_free(
2585 krb5_context context,
2586 krb5_cc_typecursor *cursor);
2587
2588 typedef struct _krb5_donot_replay {
2589 krb5_magic magic;
2590 krb5_ui_4 hash;
2591 char *server; /* null-terminated */
2592 char *client; /* null-terminated */
2593 char *msghash; /* null-terminated */
2594 krb5_int32 cusec;
2595 krb5_timestamp ctime;
2596 } krb5_donot_replay;
2597
2598 krb5_error_code krb5_rc_default
2599 (krb5_context,
2600 krb5_rcache *);
2601 krb5_error_code krb5_rc_resolve_type
2602 (krb5_context,
2603 krb5_rcache *,char *);
2604 krb5_error_code krb5_rc_resolve_full
2605 (krb5_context,
2606 krb5_rcache *,char *);
2607 char * krb5_rc_get_type
2608 (krb5_context,
2609 krb5_rcache);
2610 char * krb5_rc_default_type
2611 (krb5_context);
2612 char * krb5_rc_default_name
2613 (krb5_context);
2614 krb5_error_code krb5_auth_to_rep
2615 (krb5_context,
2616 krb5_tkt_authent *,
2617 krb5_donot_replay *);
2618
2619
2620 krb5_error_code KRB5_CALLCONV krb5_rc_initialize
2621 (krb5_context, krb5_rcache,krb5_deltat);
2622 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
2623 (krb5_context, krb5_rcache,krb5_deltat);
2624 krb5_error_code KRB5_CALLCONV krb5_rc_recover
2625 (krb5_context, krb5_rcache);
2626 krb5_error_code KRB5_CALLCONV krb5_rc_destroy
2627 (krb5_context, krb5_rcache);
2628 krb5_error_code KRB5_CALLCONV krb5_rc_close
2629 (krb5_context, krb5_rcache);
2630 krb5_error_code KRB5_CALLCONV krb5_rc_store
2631 (krb5_context, krb5_rcache,krb5_donot_replay *);
2632 krb5_error_code KRB5_CALLCONV krb5_rc_expunge
2633 (krb5_context, krb5_rcache);
2634 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
2635 (krb5_context, krb5_rcache,krb5_deltat *);
2636 char *KRB5_CALLCONV krb5_rc_get_name
2637 (krb5_context, krb5_rcache);
2638 krb5_error_code KRB5_CALLCONV krb5_rc_resolve
2639 (krb5_context, krb5_rcache, char *);
2640
2641 typedef struct _krb5_kt_ops {
2642 krb5_magic magic;
2643 char *prefix;
2644 /* routines always present */
2645 krb5_error_code (KRB5_CALLCONV *resolve)
2646 (krb5_context,
2647 const char *,
2648 krb5_keytab *);
2649 krb5_error_code (KRB5_CALLCONV *get_name)
2650 (krb5_context,
2651 krb5_keytab,
2652 char *,
2653 unsigned int);
2654 krb5_error_code (KRB5_CALLCONV *close)
2655 (krb5_context,
2656 krb5_keytab);
2657 krb5_error_code (KRB5_CALLCONV *get)
2658 (krb5_context,
2659 krb5_keytab,
2660 krb5_const_principal,
2661 krb5_kvno,
2662 krb5_enctype,
2663 krb5_keytab_entry *);
2664 krb5_error_code (KRB5_CALLCONV *start_seq_get)
2665 (krb5_context,
2666 krb5_keytab,
2667 krb5_kt_cursor *);
2668 krb5_error_code (KRB5_CALLCONV *get_next)
2669 (krb5_context,
2670 krb5_keytab,
2671 krb5_keytab_entry *,
2672 krb5_kt_cursor *);
2673 krb5_error_code (KRB5_CALLCONV *end_get)
2674 (krb5_context,
2675 krb5_keytab,
2676 krb5_kt_cursor *);
2677 /* routines to be included on extended version (write routines) */
2678 krb5_error_code (KRB5_CALLCONV *add)
2679 (krb5_context,
2680 krb5_keytab,
2681 krb5_keytab_entry *);
2682 krb5_error_code (KRB5_CALLCONV *remove)
2683 (krb5_context,
2684 krb5_keytab,
2685 krb5_keytab_entry *);
2686
2687 /* Handle for serializer */
2688 const krb5_ser_entry *serializer;
2689 } krb5_kt_ops;
2690
2691 extern const krb5_kt_ops krb5_kt_dfl_ops;
2692
2693 extern krb5_error_code krb5int_translate_gai_error (int);
2694
2695 /* Not sure it's ready for exposure just yet. */
2696 extern krb5_error_code
2697 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
2698
2699 extern int krb5int_crypto_init (void);
2700 extern int krb5int_prng_init(void);
2701
2702
2703 /*
2704 * SUNW14resync
2705 * Hack (?) to neuter C99 "inline" which causes warnings w/our build.
2706 */
2707 #define inline
2708
2709 /* Some data comparison and conversion functions. */
2710 #if 0
2711 static inline int data_cmp(krb5_data d1, krb5_data d2)
2712 {
2713 if (d1.length < d2.length) return -1;
2714 if (d1.length > d2.length) return 1;
2715 return memcmp(d1.data, d2.data, d1.length);
2716 }
2717 static inline int data_eq (krb5_data d1, krb5_data d2)
2718 {
2719 return data_cmp(d1, d2) == 0;
2720 }
2721 #else
data_eq(krb5_data d1,krb5_data d2)2722 static inline int data_eq (krb5_data d1, krb5_data d2)
2723 {
2724 return (d1.length == d2.length
2725 && !memcmp(d1.data, d2.data, d1.length));
2726 }
2727 #endif
string2data(char * str)2728 static inline krb5_data string2data (char *str)
2729 {
2730 krb5_data d;
2731 d.magic = KV5M_DATA;
2732 d.length = strlen(str);
2733 d.data = str;
2734 return d;
2735 }
2736 /*LINTED*/
data_eq_string(krb5_data d,char * s)2737 static inline int data_eq_string (krb5_data d, char *s)
2738 {
2739 return data_eq(d, string2data(s));
2740 }
2741 /*LINTED*/
authdata_eq(krb5_authdata a1,krb5_authdata a2)2742 static inline int authdata_eq (krb5_authdata a1, krb5_authdata a2)
2743 {
2744 return (a1.ad_type == a2.ad_type
2745 && a1.length == a2.length
2746 && !memcmp(a1.contents, a2.contents, a1.length));
2747 }
2748
2749
2750 /* Solaris kerberos */
2751 krb5_boolean KRB5_CALLCONV is_in_keytype
2752 (krb5_const krb5_enctype *keytype,
2753 int numkeytypes, krb5_enctype enctype);
2754
2755 /*
2756 * Solaris Kerberos
2757 * Use krb5_getuid() to select the mechanism to obtain the uid.
2758 */
2759 extern uid_t krb5_getuid();
2760
2761 /*
2762 * Referral definitions, debugging hooks, and subfunctions.
2763 */
2764 #define KRB5_REFERRAL_MAXHOPS 5
2765 /* #define DEBUG_REFERRALS */
2766
2767 #ifdef DEBUG_REFERRALS
2768 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2769 #endif
2770
2771 /* Common hostname-parsing code. */
2772 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
2773 (krb5_context,
2774 const char *,
2775 char *,
2776 size_t);
2777
2778 /*
2779 * Solaris Kerberos
2780 * Kernel & user space realloc.
2781 */
2782 void *krb5int_realloc
2783 (void *oldp,
2784 size_t new_size,
2785 size_t old_size);
2786 #endif /* _KRB5_INT_H */
2787