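/*
 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

/*
 * kdc/kdc_util.h
 *
 * Copyright 1990 by the Massachusetts Institute of Technology.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 *
 *
 * Declarations for policy.c
 */

#ifndef __KRB5_KDC_UTIL__
#define __KRB5_KDC_UTIL__

/* Brings in the krb5_* and krb5_db_entry types used by every prototype below. */
#include "kdb.h"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * A krb5_address paired with a port number.  Passed as
 * `const krb5_fulladdr *` to the request processors below
 * (dispatch, process_as_req, process_tgs_req, kdc_process_tgs_req).
 */
typedef struct _krb5_fulladdr {
    krb5_address *address;
    krb5_ui_4     port;
} krb5_fulladdr;

/*
 * Utility routines.  The groups further down are labelled with the
 * source file that defines them; this first group carries no label
 * in the original header (presumably kdc_util.c -- confirm).
 */
krb5_error_code check_hot_list(krb5_ticket *);
krb5_boolean    realm_compare(krb5_principal, krb5_principal);
krb5_boolean    krb5_is_tgs_principal(krb5_principal);

krb5_error_code add_to_transited(krb5_data *,
                                 krb5_data *,
                                 krb5_principal,
                                 krb5_principal,
                                 krb5_principal);
krb5_error_code compress_transited(krb5_data *,
                                   krb5_principal,
                                   krb5_data *);
krb5_error_code concat_authorization_data(krb5_authdata **,
                                          krb5_authdata **,
                                          krb5_authdata ***);
krb5_error_code fetch_last_req_info(krb5_db_entry *,
                                    krb5_last_req_entry ***);

/*
 * The int argument is the conversion direction; CONVERT_INTO_DB /
 * CONVERT_OUTOF_DB (defined below) are presumably the values it expects.
 */
krb5_error_code kdc_convert_key(krb5_keyblock *,
                                krb5_keyblock *,
                                int);

krb5_error_code kdc_process_tgs_req(krb5_kdc_req *,
                                    const krb5_fulladdr *,
                                    krb5_data *,
                                    krb5_ticket **,
                                    krb5_keyblock **);

krb5_error_code kdc_get_server_key(krb5_ticket *,
                                   krb5_keyblock **,
                                   krb5_kvno *);

/*
 * Request validation.  Both return int and take a trailing
 * `const char **`; NOTE(review): the latter looks like an out-parameter
 * for a status string -- confirm against the definitions.
 */
int validate_as_request(krb5_kdc_req *, krb5_db_entry,
                        krb5_db_entry, krb5_timestamp,
                        const char **);

int validate_tgs_request(krb5_kdc_req *, krb5_db_entry,
                         krb5_ticket *, krb5_timestamp,
                         const char **);

int fetch_asn1_field(unsigned char *, unsigned int, unsigned int,
                     krb5_data *);

int dbentry_has_key_for_enctype(krb5_context context,
                                krb5_db_entry *client,
                                krb5_enctype enctype);

int dbentry_supports_enctype(krb5_context context,
                             krb5_db_entry *client,
                             krb5_enctype enctype);

krb5_enctype select_session_keytype(krb5_context context,
                                    krb5_db_entry *server,
                                    int nktypes,
                                    krb5_enctype *ktypes);

krb5_error_code get_salt_from_key(krb5_context, krb5_principal,
                                  krb5_key_data *, krb5_data *);

void limit_string(char *name);

/*
 * String formatters.  `len` is presumably the capacity of the `s`
 * buffer (the signature mirrors snprintf); callers must pass the real
 * buffer size -- confirm against the definitions.
 */
void ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);

void rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);

/* do_as_req.c */
krb5_error_code process_as_req(krb5_kdc_req *, krb5_data *,
                               const krb5_fulladdr *,
                               krb5_data **);

/* do_tgs_req.c */
krb5_error_code process_tgs_req(krb5_data *,
                                const krb5_fulladdr *,
                                krb5_data **);

/* dispatch.c */
krb5_error_code dispatch(krb5_data *,
                         const krb5_fulladdr *,
                         krb5_data **);

/* main.c */
krb5_error_code kdc_initialize_rcache(krb5_context, char *);

krb5_error_code setup_server_realm(krb5_principal);

/* network.c */
krb5_error_code listen_and_process(const char *);
krb5_error_code setup_network(const char *);
krb5_error_code closedown_network(const char *);

/* policy.c */
int against_local_policy_as(krb5_kdc_req *, krb5_db_entry,
                            krb5_db_entry, krb5_timestamp,
                            const char **);

int against_local_policy_tgs(krb5_kdc_req *, krb5_db_entry,
                             krb5_ticket *, const char **);

/* kdc_preauth.c */
const char *missing_required_preauth(krb5_db_entry *client,
                                     krb5_db_entry *server,
                                     krb5_enc_tkt_part *enc_tkt_reply);

void get_preauth_hint_list(krb5_kdc_req *request,
                           krb5_db_entry *client,
                           krb5_db_entry *server,
                           krb5_data *e_data);

krb5_error_code load_preauth_plugins(krb5_context context);
krb5_error_code unload_preauth_plugins(krb5_context context);

/*
 * Pre-authentication data handling.  `padata_context` is an opaque
 * `void **` threaded through check_padata -> return_padata ->
 * free_padata_context; free_padata_context is the only declared
 * release point for whatever it holds.
 */
krb5_error_code check_padata(krb5_context context, krb5_db_entry *client,
                             krb5_data *req_pkt,
                             krb5_kdc_req *request,
                             krb5_enc_tkt_part *enc_tkt_reply,
                             void **padata_context, krb5_data *e_data);

krb5_error_code return_padata(krb5_context context, krb5_db_entry *client,
                              krb5_data *req_pkt, krb5_kdc_req *request,
                              krb5_kdc_rep *reply,
                              krb5_key_data *client_key,
                              krb5_keyblock *encrypting_key,
                              void **padata_context);

krb5_error_code free_padata_context(krb5_context context,
                                    void **padata_context);

/* replay.c */
krb5_boolean kdc_check_lookaside(krb5_data *, krb5_data **);
void         kdc_insert_lookaside(krb5_data *, krb5_data *);
void         kdc_free_lookaside(krb5_context);

/* Which way to convert a key (the int argument of kdc_convert_key, presumably). */
#define CONVERT_INTO_DB  0
#define CONVERT_OUTOF_DB 1

/*
 * Bit-flag helpers.  Both macro arguments are parenthesized so that an
 * expression argument such as isflagset(a | b, FLAG) groups as written.
 * NOTE(review): clear() is a very generic name for a macro with
 * header-wide visibility; kept unchanged for existing callers.
 */
#define isflagset(flagfield, flag) ((flagfield) & (flag))
#define setflag(flagfield, flag)   ((flagfield) |= (flag))
#define clear(flagfield, flag)     ((flagfield) &= ~(flag))

#ifdef KRB5_KRB4_COMPAT
krb5_error_code process_v4(const krb5_data *,
                           const krb5_fulladdr *,
                           krb5_data **);
void process_v4_mode(const char *, const char *);
void enable_v4_crossrealm(char *);
#else
/*
 * Without KRB5_KRB4_COMPAT, process_v4 expands to the constant
 * KRB5KRB_AP_ERR_BADVERSION and its arguments are discarded.
 * NOTE(review): this stub takes four arguments while the real
 * process_v4() above takes three, so a call site cannot compile in
 * both configurations.  Left as-is to avoid changing existing builds;
 * reconcile the arity once the callers have been checked.
 */
#define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION
#endif

/*
 * min()/max() evaluate one argument twice; do not pass expressions
 * with side effects.  Each macro has its own guard so that a platform
 * header defining only one of the pair does not suppress the other
 * (a single `#ifndef min` around both would).
 */
#ifndef min
#define min(a, b) ((a) < (b) ? (a) : (b))
#endif
#ifndef max
#define max(a, b) ((a) > (b) ? (a) : (b))
#endif

/*
 * Map a krb5 address type to a socket address family.  IPv6 is only
 * recognised when KRB5_USE_INET6 is defined; anything else yields -1,
 * which callers must treat as "unsupported", not as a family.
 */
#ifdef KRB5_USE_INET6
#define ADDRTYPE2FAMILY(X) \
    ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
#else
#define ADDRTYPE2FAMILY(X) \
    ((X) == ADDRTYPE_INET ? AF_INET : -1)
#endif

/* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK
 * RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
 * The two codes share a value, so the RFC 4120 name is an alias here. */
#define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED

#ifdef __cplusplus
}
#endif

#endif /* !__KRB5_KDC_UTIL__ */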