/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* lib/krb5/krb/int-proto.h - Prototypes for libkrb5 internal functions */
/*
 * Copyright 1990,1991 the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 */

/*
 * This header only declares prototypes, typedefs and one macro for functions
 * that are internal to libkrb5; nothing here is part of the public API.  The
 * krb5_* types used below are expected to be in scope from the including
 * translation unit (this file has no includes of its own).
 */

#ifndef KRB5_INT_FUNC_PROTO__
#define KRB5_INT_FUNC_PROTO__

/* Opaque in this header: only pointers to these structs appear below. */
struct krb5int_fast_request_state;
struct kdclist;

/* Opaque response-item container; accessed only via the k5_response_items_*
 * functions declared further down. */
typedef struct k5_response_items_st k5_response_items;

/*
 * Callback type passed to k5_get_init_creds() (see below) as the "gak"
 * argument.  The four unnamed leading parameters are, by type, the context,
 * a principal, an enctype and a prompter function.  as_key and ritems are
 * pointer arguments and are presumably filled in by the callback; gak_data is
 * the caller-supplied opaque pointer handed back unchanged.
 */
typedef krb5_error_code
(*get_as_key_fn)(krb5_context, krb5_principal, krb5_enctype, krb5_prompter_fct,
                 void *prompter_data, krb5_data *salt, krb5_data *s2kparams,
                 krb5_keyblock *as_key, void *gak_data,
                 k5_response_items *ritems);

/* NOTE(review): the two krb5_data arguments are unnamed here; keeping the
 * parameter names in the prototype would document which is which. */
krb5_error_code
krb5int_tgtname(krb5_context context, const krb5_data *, const krb5_data *,
                krb5_principal *);

/* Look up a libdefaults setting (from the names) as a boolean or string.  The
 * krb5_data argument is a realm per the second prototype; the result is stored
 * through the final pointer argument. */
krb5_error_code
krb5int_libdefault_boolean(krb5_context, const krb5_data *, const char *,
                           int *);
krb5_error_code
krb5int_libdefault_string(krb5_context context, const krb5_data *realm,
                          const char *option, char **ret_value);


/* Serialization initializers; each takes only the context. */
krb5_error_code krb5_ser_authdata_init (krb5_context);
krb5_error_code krb5_ser_address_init (krb5_context);
krb5_error_code krb5_ser_authenticator_init (krb5_context);
krb5_error_code krb5_ser_checksum_init (krb5_context);
krb5_error_code krb5_ser_keyblock_init (krb5_context);
krb5_error_code krb5_ser_principal_init (krb5_context);
krb5_error_code krb5_ser_authdata_context_init (krb5_context);

/* Supply a preauth attribute/value pair (both plain C strings) to opt. */
krb5_error_code
krb5_preauth_supply_preauth_data(krb5_context context,
                                 krb5_get_init_creds_opt *opt,
                                 const char *attr, const char *value);

/*
 * Vtable initializers for the built-in client preauth modules.  All four share
 * the plugin initvt signature: requested major/minor version plus the vtable
 * to fill in.
 */
krb5_error_code
clpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver,
                                     int min_ver, krb5_plugin_vtable vtable);

krb5_error_code
clpreauth_encrypted_timestamp_initvt(krb5_context context, int maj_ver,
                                     int min_ver, krb5_plugin_vtable vtable);

krb5_error_code
clpreauth_sam2_initvt(krb5_context context, int maj_ver, int min_ver,
                      krb5_plugin_vtable vtable);

krb5_error_code
clpreauth_otp_initvt(krb5_context context, int maj_ver, int min_ver,
                     krb5_plugin_vtable vtable);

/* Look up in_creds in ccache (from the names); *creds_out is the output. */
krb5_error_code
k5_get_cached_cred(krb5_context context, krb5_flags options,
                   krb5_ccache ccache, krb5_creds *in_creds,
                   krb5_creds **creds_out);

/*
 * True if p is a two-component principal whose first component equals
 * KRB5_TGS_NAME.  p is evaluated twice, so pass only a side-effect-free
 * expression.  data_eq_string() and KRB5_TGS_NAME come from elsewhere.
 */
#define IS_TGS_PRINC(p) ((p)->length == 2 &&                        \
                         data_eq_string((p)->data[0], KRB5_TGS_NAME))

/*
 * Callback type for the pacb_fn/pacb_data parameters of
 * krb5_get_cred_via_tkt_ext() and k5_make_tgs_req() below; it receives the
 * TGS request and its subkey plus the caller's opaque arg.
 */
typedef krb5_error_code
(*k5_pacb_fn)(krb5_context context, krb5_keyblock *subkey, krb5_kdc_req *req,
              void *arg);

/*
 * Full TGS exchange driven by tkt.  Outputs (from the signature): *out_padata,
 * *enc_padata, *out_cred and *out_subkey.  The out_subkey here is a
 * krb5_keyblock ** output, unlike the const input keyblock taken by
 * krb5int_decode_tgs_rep() below.
 */
krb5_error_code
krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt,
                          krb5_flags kdcoptions, krb5_address *const *address,
                          krb5_pa_data **in_padata, krb5_creds *in_cred,
                          k5_pacb_fn pacb_fn, void *pacb_data,
                          krb5_pa_data ***out_padata,
                          krb5_pa_data ***enc_padata, krb5_creds **out_cred,
                          krb5_keyblock **out_subkey);

/*
 * Store a fresh nonce in *out.  The nonce produced for a TGS request is later
 * matched against the reply (see the nonce_out / nonce parameters below).
 * NOTE(review): the source of randomness is not visible here; confirm the
 * implementation draws from the library's CSPRNG rather than a time-based or
 * sequential value.
 */
krb5_error_code
k5_generate_nonce(krb5_context context, int32_t *out);

/*
 * Build the ASN.1 TGS request into *req_asn1_out.  The values written to
 * *timestamp_out, *nonce_out and *subkey_out are the ones a caller passes back
 * as timestamp, nonce and subkey to krb5int_process_tgs_reply() for the
 * matching reply.  The unnamed second parameter is the FAST request state.
 */
krb5_error_code
k5_make_tgs_req(krb5_context context, struct krb5int_fast_request_state *,
                krb5_creds *tkt, krb5_flags kdcoptions,
                krb5_address *const *address, krb5_pa_data **in_padata,
                krb5_creds *in_cred, k5_pacb_fn pacb_fn, void *pacb_data,
                krb5_data *req_asn1_out, krb5_timestamp *timestamp_out,
                krb5_int32 *nonce_out, krb5_keyblock **subkey_out);

/*
 * Process response_data for the request described by the other inputs (which
 * mirror k5_make_tgs_req()).  Outputs: *out_padata, *out_enc_padata,
 * *out_cred.
 */
krb5_error_code
krb5int_process_tgs_reply(krb5_context context,
                          struct krb5int_fast_request_state *,
                          krb5_data *response_data,
                          krb5_creds *tkt,
                          krb5_flags kdcoptions,
                          krb5_address *const *address,
                          krb5_pa_data **in_padata,
                          krb5_creds *in_cred,
                          krb5_timestamp timestamp,
                          krb5_int32 nonce,
                          krb5_keyblock *subkey,
                          krb5_pa_data ***out_padata,
                          krb5_pa_data ***out_enc_padata,
                          krb5_creds **out_cred);

/* The subkey field is an output parameter; if a
 * tgs-rep is received then the subkey will be filled
 * in with the subkey needed to decrypt the TGS
 * response. Otherwise it will be set to null.
 *
 * NOTE(review): the comment above appears stale for this prototype -- the
 * keyblock argument is a const input and the only output-style parameter is
 * the krb5_kdc_rep **.  Confirm against the definition and update the comment
 * so readers do not expect a subkey to be returned here.
 */
krb5_error_code krb5int_decode_tgs_rep(krb5_context,
                                       struct krb5int_fast_request_state *,
                                       krb5_data *,
                                       const krb5_keyblock *, krb5_keyusage,
                                       krb5_kdc_rep ** );

/* Validate a ticket's time fields (from the name); presumably against the
 * current time and allowed clock skew -- confirm in the implementation. */
krb5_error_code
krb5int_validate_times(krb5_context, krb5_ticket_times *);

/* Deep-copy one authdata element; the result is returned through the final
 * krb5_authdata ** argument. */
krb5_error_code
krb5int_copy_authdatum(krb5_context, const krb5_authdata *, krb5_authdata **);

/* Set replay data fields in rdata and caller_rdata according to the flags in
 * authcon. */
krb5_error_code
k5_privsafe_gen_rdata(krb5_context context, krb5_auth_context authcon,
                      krb5_replay_data *rdata, krb5_replay_data *caller_rdata);

/*
 * Set *local_out and *remote_out to addresses based on authcon. The resulting
 * pointers should not be freed, but addresses may be placed into *lstorage and
 * *rstorage which the caller must free, even on error.
 */
krb5_error_code
k5_privsafe_gen_addrs(krb5_context context, krb5_auth_context authcon,
                      krb5_address *lstorage, krb5_address *rstorage,
                      krb5_address **local_out, krb5_address **remote_out);

/*
 * If the DO_TIME flag is set in authcon, store a replay record in a memory
 * replay cache (initializing one if necessary). Either enc or cksum must be
 * non-null. If rdata is not null, also check that its timestamp is within
 * clock skew.
 */
krb5_error_code
k5_privsafe_check_replay(krb5_context context, krb5_auth_context authcon,
                         const krb5_replay_data *rdata,
                         const krb5_enc_data *enc, const krb5_checksum *cksum);

/* Returns a krb5_boolean; presumably whether in_seq is acceptable given the
 * sequence-number state in ac (ordering/replay check) -- confirm. */
krb5_boolean
k5_privsafe_check_seqnum(krb5_context ctx, krb5_auth_context ac,
                         krb5_ui_4 in_seq);

/* Check the message's sender/receiver addresses against ac (from the
 * names); the exact matching rules are not visible here. */
krb5_error_code
k5_privsafe_check_addrs(krb5_context context, krb5_auth_context ac,
                        krb5_address *msg_s_addr, krb5_address *msg_r_addr);

/*
 * Build a change-password request into *packet.  passwd is a plain C string;
 * the lifetime of the caller's buffer and who clears it after the request is
 * built are not stated here -- confirm in the implementation.
 */
krb5_error_code
krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context,
                    krb5_data *ap_req, const char *passwd, krb5_data *packet);

/* Parse a change-password reply from packet; *result_code and *result_data are
 * outputs. */
krb5_error_code
krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
                    krb5_data *packet, int *result_code,
                    krb5_data *result_data);

/* Map result_code to an allocated string in *result_codestr.  This is the only
 * prototype here carrying KRB5_CALLCONV. */
krb5_error_code KRB5_CALLCONV
krb5_chpw_result_code_string(krb5_context context, int result_code,
                             char **result_codestr);

/* Set-password variant of krb5int_mk_chpw_req(), with a target principal; the
 * same remark about the passwd buffer applies. */
krb5_error_code
krb5int_mk_setpw_req(krb5_context context, krb5_auth_context auth_context,
                     krb5_data *ap_req, krb5_principal targetprinc,
                     const char *passwd, krb5_data *packet);

/* Release ccselect state held in context. */
void
k5_ccselect_free_context(krb5_context context);

/* Drive an initial-credentials exchange for ctx against kdcs; use_primary
 * selects the primary KDC (from the name). */
krb5_error_code
k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
                  krb5_boolean use_primary, struct kdclist *kdcs);

/* Current time for ctx in *time_out / *usec_out.  NOTE(review): allow_unauth
 * presumably permits an unauthenticated time source to be used -- confirm what
 * that source is and where the result is trusted. */
krb5_error_code
k5_init_creds_current_time(krb5_context context, krb5_init_creds_context ctx,
                           krb5_boolean allow_unauth, krb5_timestamp *time_out,
                           krb5_int32 *usec_out);

/* Run client preauth for ctx over in_padata.  Outputs: *padata_out and
 * *pa_type_out. */
krb5_error_code
k5_preauth(krb5_context context, krb5_init_creds_context ctx,
           krb5_pa_data **in_padata, krb5_boolean must_preauth,
           krb5_pa_data ***padata_out, krb5_preauthtype *pa_type_out);

/* Retry preauth of type pa_type after a KDC error err (with err_padata);
 * *padata_out is the output. */
krb5_error_code
k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx,
                    krb5_preauthtype pa_type, krb5_error *err,
                    krb5_pa_data **err_padata, krb5_pa_data ***padata_out);

/* Per-context preauth state setup and teardown. */
void
k5_init_preauth_context(krb5_context context);

void
k5_free_preauth_context(krb5_context context);

/* Record that preauth type pa_type failed for ctx. */
krb5_error_code
k5_preauth_note_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type);

/* Let preauth modules adjust request using options from opt. */
void
k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt,
                           krb5_kdc_req *request);

/* Per-request preauth state setup and teardown for ctx. */
void
k5_preauth_request_context_init(krb5_context context,
                                krb5_init_creds_context ctx);

void
k5_preauth_request_context_fini(krb5_context context,
                                krb5_init_creds_context ctx);

krb5_error_code
k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx);

/*
 * k5_response_items accessors.  _new presumably allocates (*ri_out is the
 * output) and _free releases; the string results of the getters are const and
 * presumably owned by ri -- confirm before holding them past a _reset or _free.
 */
krb5_error_code
k5_response_items_new(k5_response_items **ri_out);

void
k5_response_items_free(k5_response_items *ri);

void
k5_response_items_reset(k5_response_items *ri);

krb5_boolean
k5_response_items_empty(const k5_response_items *ri);

const char * const *
k5_response_items_list_questions(const k5_response_items *ri);

krb5_error_code
k5_response_items_ask_question(k5_response_items *ri, const char *question,
                               const char *challenge);

const char *
k5_response_items_get_challenge(const k5_response_items *ri,
                                const char *question);

krb5_error_code
k5_response_items_set_answer(k5_response_items *ri, const char *question,
                             const char *answer);

const char *
k5_response_items_get_answer(const k5_response_items *ri,
                             const char *question);

/* Save code and its extended message (if any) in out. */
void
k5_save_ctx_error(krb5_context ctx, krb5_error_code code, struct errinfo *out);

/* Return the code from in and restore its extended message (if any). */
krb5_error_code
k5_restore_ctx_error(krb5_context ctx, struct errinfo *in);

/* Encrypt plain into cipher using key under keyusage (from the signature). */
krb5_error_code
k5_encrypt_keyhelper(krb5_context context, krb5_key key,
                     krb5_keyusage keyusage, const krb5_data *plain,
                     krb5_enc_data *cipher);

/*
 * Obtain initial credentials for client into creds, calling gak (a
 * get_as_key_fn, with gak_data) for the AS key and prompter/prompter_data for
 * user interaction.  *as_reply receives the AS reply.
 */
krb5_error_code
k5_get_init_creds(krb5_context context, krb5_creds *creds,
                  krb5_principal client, krb5_prompter_fct prompter,
                  void *prompter_data, krb5_deltat start_time,
                  const char *in_tkt_service, krb5_get_init_creds_opt *options,
                  get_as_key_fn gak, void *gak_data, krb5_kdc_rep **as_reply);

/*
 * Make AS requests with the canonicalize flag set, stopping when we get a
 * message indicating which realm the client principal is in. Set *client_out
 * to a copy of client with the canonical realm. If subject_cert is non-null,
 * include PA_S4U_X509_USER pa-data with the subject certificate each request.
 * (See [MS-SFU] 3.1.5.1.1.1 and 3.1.5.1.1.2.)
 */
krb5_error_code
k5_identify_realm(krb5_context context, krb5_principal client,
                  const krb5_data *subject_cert, krb5_principal *client_out);

/* Build a krb5_get_init_creds_opt in *opt from the legacy-style arguments. */
krb5_error_code
k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **opt,
                    krb5_flags options, krb5_address *const *addrs,
                    krb5_enctype *ktypes, krb5_preauthtype *pre_auth_types,
                    krb5_creds *creds);

/* Copy the contents of the const krb5_creds into the non-const one. */
krb5_error_code
k5_copy_creds_contents(krb5_context, const krb5_creds *, krb5_creds *);

/* Fill in cred with the configuration principals for name in ccache id. */
krb5_error_code
k5_build_conf_principals(krb5_context context, krb5_ccache id,
                         krb5_const_principal principal, const char *name,
                         krb5_creds *cred);

/* Generate a subkey of enctype into keyblock and record it in auth_context
 * (from the names). */
krb5_error_code
k5_generate_and_save_subkey(krb5_context context,
                            krb5_auth_context auth_context,
                            krb5_keyblock *keyblock, krb5_enctype enctype);

/* Compute the realm path from client to server; *rpath_out is the output. */
krb5_error_code
k5_client_realm_path(krb5_context context, const krb5_data *client,
                     const krb5_data *server, krb5_data **rpath_out);

/* Number of entries in list; presumably a terminated array -- the terminator
 * value is not stated here. */
size_t
k5_count_etypes(const krb5_enctype *list);

/* Copy old_list into a newly allocated *new_list. */
krb5_error_code
k5_copy_etypes(const krb5_enctype *old_list, krb5_enctype **new_list);

/* Read-only accessors for krb5_get_init_creds_opt fields; the _expire_cb and
 * _responder variants return two values through their *_out parameters. */
krb5_ccache
k5_gic_opt_get_in_ccache(krb5_get_init_creds_opt *opt);

krb5_ccache
k5_gic_opt_get_out_ccache(krb5_get_init_creds_opt *opt);

const char *
k5_gic_opt_get_fast_ccache_name(krb5_get_init_creds_opt *opt);

krb5_flags
k5_gic_opt_get_fast_flags(krb5_get_init_creds_opt *opt);

void
k5_gic_opt_get_expire_cb(krb5_get_init_creds_opt *opt,
                         krb5_expire_callback_func *cb_out, void **data_out);

void
k5_gic_opt_get_responder(krb5_get_init_creds_opt *opt,
                         krb5_responder_fn *responder_out, void **data_out);

/*
 * Make a shallow copy of opt, with all pointer fields aliased, or NULL on an
 * out-of-memory failure. The caller must free the result with free, and must
 * not use it with the following functions:
 *
 *     krb5_get_init_creds_opt_free
 *     krb5_get_init_creds_opt_set_pa
 *     krb5_get_init_creds_opt_set_fast_ccache
 *     krb5_get_init_creds_opt_set_fast_ccache_name
 */
krb5_get_init_creds_opt *
k5_gic_opt_shallow_copy(krb5_get_init_creds_opt *opt);

/* Return -1 if no PAC request option was specified, or the option value as a
 * boolean (0 or 1). */
int
k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt);

/* Process etype-info pa-data in padata for ctx (from the name). */
krb5_error_code
k5_get_etype_info(krb5_context context, krb5_init_creds_context ctx,
                  krb5_pa_data **padata);

/*
 * Make an S4U2Proxy (constrained delegation) request. in_creds->client is the
 * impersonator principal, and in_creds->second_ticket is the evidence
 * ticket.
 */
krb5_error_code
k5_get_proxy_cred_from_kdc(krb5_context context, krb5_flags options,
                           krb5_ccache ccache, krb5_creds *in_creds,
                           krb5_creds **out_creds);

/* Return true if mprinc will match any hostname in a host-based principal name
 * (possibly due to ignore_acceptor_hostname) with krb5_sname_match(). */
krb5_boolean
k5_sname_wildcard_host(krb5_context context, krb5_const_principal mprinc);

/* Guess the appropriate name-type for a principal based on the name. */
krb5_int32
k5_infer_principal_type(krb5_principal princ);

/*
 * Whether tickets for server principal sprinc are expected to carry a PAC
 * ticket signature (from the name).  NOTE(review): this is presumably the
 * gate deciding whether a missing signature is tolerated, so the exemption
 * criteria behind it are security-relevant -- confirm in the implementation.
 */
krb5_boolean
k5_pac_should_have_ticket_signature(krb5_const_principal sprinc);

#endif /* KRB5_INT_FUNC_PROTO__ */