xref: /illumos-gate/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h (revision 38603a2034ae521f26661b0a6239028a83026614)
1 /*
2  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology,
8  * Cambridge, MA, USA.  All Rights Reserved.
9  *
10  * This software is being provided to you, the LICENSEE, by the
11  * Massachusetts Institute of Technology (M.I.T.) under the following
12  * license.  By obtaining, using and/or copying this software, you agree
13  * that you have read, understood, and will comply with these terms and
14  * conditions:
15  *
16  * Export of this software from the United States of America may
17  * require a specific license from the United States Government.
18  * It is the responsibility of any person or organization contemplating
19  * export to obtain such a license before exporting.
20  *
21  * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
22  * this software and its documentation for any purpose and without fee or
23  * royalty is hereby granted, provided that you agree to comply with the
24  * following copyright notice and statements, including the disclaimer, and
25  * that the same appear on ALL copies of the software and documentation,
26  * including modifications that you make for internal use or for
27  * distribution:
28  *
29  * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
30  * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
31  * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
32  * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
33  * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
34  * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
35  *
36  * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
37  * be used in advertising or publicity pertaining to distribution of the
38  * software.  Title to copyright in this software and any associated
39  * documentation shall at all times remain with M.I.T., and USER agrees to
40  * preserve same.
41  *
42  * Furthermore if you modify this software you must label
43  * your software as modified software and not distribute it in such a
44  * fashion that it might be confused with the original M.I.T. software.
45  */
46 
47 /*
48  * Copyright (C) 1998 by the FundsXpress, INC.
49  *
50  * All rights reserved.
51  *
52  * Export of this software from the United States of America may require
53  * a specific license from the United States Government.  It is the
54  * responsibility of any person or organization contemplating export to
55  * obtain such a license before exporting.
56  *
57  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
58  * distribute this software and its documentation for any purpose and
59  * without fee is hereby granted, provided that the above copyright
60  * notice appear in all copies and that both that copyright notice and
61  * this permission notice appear in supporting documentation, and that
62  * the name of FundsXpress. not be used in advertising or publicity pertaining
63  * to distribution of the software without specific, written prior
64  * permission.  FundsXpress makes no representations about the suitability of
65  * this software for any purpose.  It is provided "as is" without express
66  * or implied warranty.
67  *
68  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
69  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
70  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
71  */
72 
73 /*
74  * This prototype for k5-int.h (Krb5 internals include file)
75  * includes the user-visible definitions from krb5.h and then
76  * includes other definitions that are not user-visible but are
77  * required for compiling Kerberos internal routines.
78  *
79  * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
80  */
81 
82 #ifndef _KRB5_INT_H
83 #define _KRB5_INT_H
84 
85 #ifdef KRB5_GENERAL__
86 #error krb5.h included before k5-int.h
87 #endif /* KRB5_GENERAL__ */
88 
89 #ifndef	_KERNEL
90 #include <osconf.h>
91 #include <security/cryptoki.h>
92 #else
93 #include <sys/crypto/common.h>
94 #include <sys/crypto/api.h>
95 #endif
96 
97 #ifdef  DEBUG
98 #if !defined(KRB5_DEBUG)
99 #define KRB5_DEBUG
100 #endif
101 #ifndef  KRB5_LOG_LVL
102 #define KRB5_LOG_LVL KRB5_ERR
103 #endif
104 #endif  /* DEBUG */
105 
106 #ifdef  _KERNEL
107 
108 #ifdef  DEBUG
109 #include        <sys/types.h>
110 #include        <sys/cmn_err.h>
111  extern  void prom_printf();
112 #endif  /* DEBUG */
113 
114 #else   /* !_KERNEL */
115 
116 #define prom_printf printf
117 
118 #endif /* !_KERNEL */
119 
120 #ifdef KRB5_LOG_LVL
121 
122 /* krb5_log is used to set the logging level to determine what class of messages
123  * are output by the mech.  Note, more than one logging level can be used by
124  * bit or'ing the log values together.
125  *
126  * All log messages are captured by syslog.
127  */
128 
129 extern unsigned int krb5_log;
130 
131 /* Note, these defines should be mutually exclusive bit fields */
132 #define KRB5_ERR  1   /* Use this debug log level for error path logging. */
133 #define KRB5_INFO 2   /* Use this debug log level for informational messages. */
134 
135 #ifdef  _KERNEL
136 
137 #define KRB5_LOG1(A, B, C, D) \
138      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
139 #define KRB5_LOG(A, B, C) \
140      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
141 #define KRB5_LOG0(A, B)   \
142      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))
143 
144 #else	/* !_KERNEL */
145 
146 #include <syslog.h>
147 
148 #define KRB5_LOG1(A, B, C, D) \
149         ((void)((krb5_log) && (krb5_log & (A)) && \
150 		(syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
151 #define KRB5_LOG(A, B, C) \
152         ((void)((krb5_log) && (krb5_log & (A)) && \
153 		(syslog(LOG_DEBUG, (B), (C)), TRUE)))
154 #define KRB5_LOG0(A, B)   \
155         ((void)((krb5_log) && (krb5_log & (A)) && \
156 	       	(syslog(LOG_DEBUG, B), TRUE)))
157 
158 #endif	/* _KERNEL */
159 
160 #else /* ! KRB5_LOG_LVL */
161 
162 #define KRB5_LOG1(A, B, C, D)
163 #define KRB5_LOG(A, B, C)
164 #define KRB5_LOG0(A, B)
165 
166 #endif /* KRB5_LOG_LVL */
167 
168 #ifdef POSIX_TYPES
169 #define timetype time_t
170 #else
171 #define timetype long
172 #endif
173 
174 /*
175  * Begin "k5-config.h"
176  */
177 #ifndef KRB5_CONFIG__
178 #define KRB5_CONFIG__
179 
180 /*
181  * Machine-type definitions: PC Clone 386 running Microloss Windows
182  */
183 
184 #if defined(_MSDOS) || defined(_WIN32)
185 #include "win-mac.h"
186 
187 /* Kerberos Windows initialization file */
188 #define KERBEROS_INI	"kerberos.ini"
189 #define INI_FILES	"Files"
190 #define INI_KRB_CCACHE	"krb5cc"	/* Location of the ccache */
191 #define INI_KRB5_CONF	"krb5.ini"	/* Location of krb5.conf file */
192 #define ANSI_STDIO
193 #endif
194 
195 #ifndef _KERNEL
196 #ifndef KRB5_AUTOCONF__
197 #define KRB5_AUTOCONF__
198 #include "autoconf.h"
199 #endif
200 #endif 		/* !_KERNEL  */
201 
202 #ifndef KRB5_SYSTYPES__
203 #define KRB5_SYSTYPES__
204 
205 #ifndef _KERNEL
206 #ifdef HAVE_SYS_TYPES_H		/* From autoconf.h */
207 #include <sys/types.h>
208 #else /* HAVE_SYS_TYPES_H */
209 typedef unsigned long 	u_long;
210 typedef unsigned int	u_int;
211 typedef unsigned short	u_short;
212 typedef unsigned char	u_char;
213 #endif /* HAVE_SYS_TYPES_H */
214 #endif /* KRB5_SYSTYPES__ */
215 #endif 		/* !_KERNEL  */
216 
217 
218 /* #include "k5-platform.h" SUNW XXX */
219 /* not used in krb5.h (yet) */
220 typedef uint64_t krb5_ui_8;
221 typedef int64_t krb5_int64;
222 
223 
224 
225 #define DEFAULT_PWD_STRING1 "Enter password:"
226 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
227 #define	KRB5_KDB_MAX_LIFE	(60*60*24) /* one day */
228 #define	KRB5_KDB_MAX_RLIFE	(60*60*24*365) /* one year */
229 #define	KRB5_KDB_EXPIRATION	2145830400 /* Thu Jan  1 00:00:00 2038 UTC */
230 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
231 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */
232 
233 /*
234  * Windows requires a different api interface to each function. Here
235  * just define it as NULL.
236  */
237 #ifndef KRB5_CALLCONV
238 #define KRB5_CALLCONV
239 #define KRB5_CALLCONV_C
240 #endif
241 #ifndef O_BINARY
242 #define O_BINARY 0
243 #endif
244 
245 #endif /* KRB5_CONFIG__ */
246 
247 /*
248  * End "k5-config.h"
249  */
250 
251 /*
252  * After loading the configuration definitions, load the Kerberos definitions.
253  */
254 #ifndef _KERNEL
255 #include <errno.h>
256 #include "profile.h"
257 #endif
258 
259 #include <krb5.h>
260 
261 #ifndef _KERNEL
262 #if 1 /* def NEED_SOCKETS */
263 #include <port-sockets.h>
264 #include <socket-utils.h>
265 #else
266 #ifndef SOCK_DGRAM
267 struct sockaddr;
268 #endif
269 #endif
270 #endif
271 
272 /* Get mutex support; currently used only for the replay cache.  */
273 #include "k5-thread.h"
274 
275 
276 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
277    The ones that it doesn't include, we include below.  */
278 
279 /*
280  * Begin "k5-errors.h"
281  */
282 #ifndef KRB5_ERRORS__
283 #define KRB5_ERRORS__
284 
285 
286 /* Error codes used in KRB_ERROR protocol messages.
287    Return values of library routines are based on a different error table
288    (which allows non-ambiguous error codes between subsystems) */
289 
290 /* KDC errors */
291 #define	KDC_ERR_NONE			0 /* No error */
292 #define	KDC_ERR_NAME_EXP		1 /* Client's entry in DB expired */
293 #define	KDC_ERR_SERVICE_EXP		2 /* Server's entry in DB expired */
294 #define	KDC_ERR_BAD_PVNO		3 /* Requested pvno not supported */
295 #define	KDC_ERR_C_OLD_MAST_KVNO		4 /* C's key encrypted in old master */
296 #define	KDC_ERR_S_OLD_MAST_KVNO		5 /* S's key encrypted in old master */
297 #define	KDC_ERR_C_PRINCIPAL_UNKNOWN	6 /* Client not found in Kerberos DB */
298 #define	KDC_ERR_S_PRINCIPAL_UNKNOWN	7 /* Server not found in Kerberos DB */
299 #define	KDC_ERR_PRINCIPAL_NOT_UNIQUE	8 /* Multiple entries in Kerberos DB */
300 #define	KDC_ERR_NULL_KEY		9 /* The C or S has a null key */
301 #define	KDC_ERR_CANNOT_POSTDATE		10 /* Tkt ineligible for postdating */
302 #define	KDC_ERR_NEVER_VALID		11 /* Requested starttime > endtime */
303 #define	KDC_ERR_POLICY			12 /* KDC policy rejects request */
304 #define	KDC_ERR_BADOPTION		13 /* KDC can't do requested opt. */
305 #define	KDC_ERR_ENCTYPE_NOSUPP		14 /* No support for encryption type */
306 #define KDC_ERR_SUMTYPE_NOSUPP		15 /* No support for checksum type */
307 #define KDC_ERR_PADATA_TYPE_NOSUPP	16 /* No support for padata type */
308 #define KDC_ERR_TRTYPE_NOSUPP		17 /* No support for transited type */
309 #define KDC_ERR_CLIENT_REVOKED		18 /* C's creds have been revoked */
310 #define KDC_ERR_SERVICE_REVOKED		19 /* S's creds have been revoked */
311 #define KDC_ERR_TGT_REVOKED		20 /* TGT has been revoked */
312 #define KDC_ERR_CLIENT_NOTYET		21 /* C not yet valid */
313 #define KDC_ERR_SERVICE_NOTYET		22 /* S not yet valid */
314 #define KDC_ERR_KEY_EXP			23 /* Password has expired */
315 #define KDC_ERR_PREAUTH_FAILED		24 /* Preauthentication failed */
316 #define KDC_ERR_PREAUTH_REQUIRED	25 /* Additional preauthentication */
317 					   /* required */
318 #define KDC_ERR_SERVER_NOMATCH		26 /* Requested server and */
319 					   /* ticket don't match*/
320 #define KDC_ERR_SVC_UNAVAILABLE		29 /* A service is not
321 					    * available that is
322 					    * required to process the
323 					    * request */
324 /* Application errors */
325 #define	KRB_AP_ERR_BAD_INTEGRITY 31	/* Decrypt integrity check failed */
326 #define	KRB_AP_ERR_TKT_EXPIRED	32	/* Ticket expired */
327 #define	KRB_AP_ERR_TKT_NYV	33	/* Ticket not yet valid */
328 #define	KRB_AP_ERR_REPEAT	34	/* Request is a replay */
329 #define	KRB_AP_ERR_NOT_US	35	/* The ticket isn't for us */
330 #define	KRB_AP_ERR_BADMATCH	36	/* Ticket/authenticator don't match */
331 #define	KRB_AP_ERR_SKEW		37	/* Clock skew too great */
332 #define	KRB_AP_ERR_BADADDR	38	/* Incorrect net address */
333 #define	KRB_AP_ERR_BADVERSION	39	/* Protocol version mismatch */
334 #define	KRB_AP_ERR_MSG_TYPE	40	/* Invalid message type */
335 #define	KRB_AP_ERR_MODIFIED	41	/* Message stream modified */
336 #define	KRB_AP_ERR_BADORDER	42	/* Message out of order */
337 #define	KRB_AP_ERR_BADKEYVER	44	/* Key version is not available */
338 #define	KRB_AP_ERR_NOKEY	45	/* Service key not available */
339 #define	KRB_AP_ERR_MUT_FAIL	46	/* Mutual authentication failed */
340 #define KRB_AP_ERR_BADDIRECTION	47 	/* Incorrect message direction */
341 #define KRB_AP_ERR_METHOD	48 	/* Alternative authentication */
342 					/* method required */
343 #define KRB_AP_ERR_BADSEQ	49 	/* Incorrect sequence numnber */
344 					/* in message */
345 #define KRB_AP_ERR_INAPP_CKSUM	50	/* Inappropriate type of */
346 					/* checksum in message */
347 #define KRB_AP_PATH_NOT_ACCEPTED 51	/* Policy rejects transited path */
348 #define KRB_ERR_RESPONSE_TOO_BIG 52	/* Response too big for UDP, */
349 					/*   retry with TCP */
350 
351 /* other errors */
352 #define KRB_ERR_GENERIC		60 	/* Generic error (description */
353 					/* in e-text) */
354 #define	KRB_ERR_FIELD_TOOLONG	61	/* Field is too long for impl. */
355 
356 /* PKINIT server-reported errors */
357 #define KDC_ERR_CLIENT_NOT_TRUSTED		62 /* client cert not trusted */
358 #define KDC_ERR_INVALID_SIG			64 /* client signature verify failed */
359 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED	65 /* invalid Diffie-Hellman parameters */
360 #define KDC_ERR_CANT_VERIFY_CERTIFICATE		70 /* client cert not verifiable to */
361 						   /* trusted root cert */
362 #define KDC_ERR_INVALID_CERTIFICATE		71 /* client cert had invalid signature */
363 #define KDC_ERR_REVOKED_CERTIFICATE		72 /* client cert was revoked */
364 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN	73 /* client cert revoked, reason unknown */
365 #define KDC_ERR_CLIENT_NAME_MISMATCH		75 /* mismatch between client cert and */
366 						   /* principal name */
367 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE	77 /* bad extended key use */
368 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED	78 /* bad digest algorithm in client cert */
369 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED	79 /* missing paChecksum in PA-PK-AS-REQ */
370 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
371 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
372 
373 #endif /* KRB5_ERRORS__ */
374 /*
375  * End "k5-errors.h"
376  */
377 
378 /*
379  * This structure is returned in the e-data field of the KRB-ERROR
380  * message when the error calling for an alternative form of
381  * authentication is returned, KRB_AP_METHOD.
382  */
383 typedef struct _krb5_alt_method {
384 	krb5_magic	magic;
385 	krb5_int32	method;
386 	unsigned int	length;
387 	krb5_octet	*data;
388 } krb5_alt_method;
389 
390 /*
391  * A null-terminated array of this structure is returned by the KDC as
392  * the data part of the ETYPE_INFO preauth type.  It informs the
393  * client which encryption types are supported.
394  * The  same data structure is used by both etype-info and etype-info2
395  * but s2kparams must be null when encoding etype-info.
396  */
397 typedef struct _krb5_etype_info_entry {
398 	krb5_magic	magic;
399 	krb5_enctype	etype;
400 	unsigned int	length;
401 	krb5_octet	*salt;
402     krb5_data s2kparams;
403 } krb5_etype_info_entry;
404 
405 /*
406  *  This is essentially -1 without sign extension which can screw up
407  *  comparisons on 64 bit machines. If the length is this value, then
408  *  the salt data is not present. This is to distinguish between not
409  *  being set and being of 0 length.
410  */
411 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
412 
413 typedef krb5_etype_info_entry ** krb5_etype_info;
414 
415 /* RFC 4537 */
416 typedef struct _krb5_etype_list {
417         int             length;
418         krb5_enctype    *etypes;
419 } krb5_etype_list;
420 
421 /*
422  * a sam_challenge is returned for alternate preauth
423  */
424 /*
425           SAMFlags ::= BIT STRING {
426               use-sad-as-key[0],
427               send-encrypted-sad[1],
428               must-pk-encrypt-sad[2]
429           }
430  */
431 /*
432           PA-SAM-CHALLENGE ::= SEQUENCE {
433               sam-type[0]                 INTEGER,
434               sam-flags[1]                SAMFlags,
435               sam-type-name[2]            GeneralString OPTIONAL,
436               sam-track-id[3]             GeneralString OPTIONAL,
437               sam-challenge-label[4]      GeneralString OPTIONAL,
438               sam-challenge[5]            GeneralString OPTIONAL,
439               sam-response-prompt[6]      GeneralString OPTIONAL,
440               sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
441               sam-nonce[8]                INTEGER OPTIONAL,
442               sam-cksum[9]                Checksum OPTIONAL
443           }
444 */
445 /* sam_type values -- informational only */
446 #define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
447 #define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
448 #define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
449 #define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
450 #define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
451 #define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
452 #if 1 /* XXX need to figure out who has which numbers assigned */
453 #define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
454 #define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
455 #define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
456 #endif
457 #define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
458 #define PA_SAM_TYPE_GRAIL		(PA_SAM_TYPE_EXP_BASE+0) /* testing */
459 #define PA_SAM_TYPE_SECURID_PREDICT	(PA_SAM_TYPE_EXP_BASE+1) /* special */
460 
461 typedef struct _krb5_predicted_sam_response {
462 	krb5_magic	magic;
463 	krb5_keyblock	sam_key;
464 	krb5_flags	sam_flags; /* Makes key munging easier */
465 	krb5_timestamp  stime;	/* time on server, for replay detection */
466 	krb5_int32      susec;
467 	krb5_principal  client;
468 	krb5_data       msd;	/* mechanism specific data */
469 } krb5_predicted_sam_response;
470 
471 typedef struct _krb5_sam_challenge {
472 	krb5_magic	magic;
473 	krb5_int32	sam_type; /* information */
474 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
475 	krb5_data	sam_type_name;
476 	krb5_data	sam_track_id;
477 	krb5_data	sam_challenge_label;
478 	krb5_data	sam_challenge;
479 	krb5_data	sam_response_prompt;
480 	krb5_data	sam_pk_for_sad;
481 	krb5_int32	sam_nonce;
482 	krb5_checksum	sam_cksum;
483 } krb5_sam_challenge;
484 
485 typedef struct _krb5_sam_key {	/* reserved for future use */
486 	krb5_magic	magic;
487 	krb5_keyblock	sam_key;
488 } krb5_sam_key;
489 
490 typedef struct _krb5_enc_sam_response_enc {
491 	krb5_magic	magic;
492 	krb5_int32	sam_nonce;
493 	krb5_timestamp	sam_timestamp;
494 	krb5_int32	sam_usec;
495 	krb5_data	sam_sad;
496 } krb5_enc_sam_response_enc;
497 
498 typedef struct _krb5_sam_response {
499 	krb5_magic	magic;
500 	krb5_int32	sam_type; /* informational */
501 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
502 	krb5_data	sam_track_id; /* copied */
503 	krb5_enc_data	sam_enc_key; /* krb5_sam_key - future use */
504 	krb5_enc_data	sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
505 	krb5_int32	sam_nonce;
506 	krb5_timestamp	sam_patimestamp;
507 } krb5_sam_response;
508 
509 typedef struct _krb5_sam_challenge_2 {
510 	krb5_data	sam_challenge_2_body;
511 	krb5_checksum	**sam_cksum;		/* Array of checksums */
512 } krb5_sam_challenge_2;
513 
514 typedef struct _krb5_sam_challenge_2_body {
515 	krb5_magic	magic;
516 	krb5_int32	sam_type; /* information */
517 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
518 	krb5_data	sam_type_name;
519 	krb5_data	sam_track_id;
520 	krb5_data	sam_challenge_label;
521 	krb5_data	sam_challenge;
522 	krb5_data	sam_response_prompt;
523 	krb5_data	sam_pk_for_sad;
524 	krb5_int32	sam_nonce;
525 	krb5_enctype	sam_etype;
526 } krb5_sam_challenge_2_body;
527 
528 typedef struct _krb5_sam_response_2 {
529 	krb5_magic	magic;
530 	krb5_int32	sam_type; /* informational */
531 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
532 	krb5_data	sam_track_id; /* copied */
533 	krb5_enc_data	sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
534 	krb5_int32	sam_nonce;
535 } krb5_sam_response_2;
536 
537 typedef struct _krb5_enc_sam_response_enc_2 {
538 	krb5_magic	magic;
539 	krb5_int32	sam_nonce;
540 	krb5_data	sam_sad;
541 } krb5_enc_sam_response_enc_2;
542 
543 /*
544  * Keep the pkinit definitions in a separate file so that the plugin
545  * only has to include k5-int-pkinit.h rather than k5-int.h
546  */
547 
548 #include "k5-int-pkinit.h"
549 
550 /*
551  * Begin "dbm.h"
552  */
553 #ifndef _KERNEL
554 
555 /*
556  * Since we are always using db, use the db-ndbm include header file.
557  */
558 
559 #include "db-ndbm.h"
560 
561 #endif /* !KERNEL */
562 /*
563  * End "dbm.h"
564  */
565 
566 /*
567  * Begin "ext-proto.h"
568  */
569 #ifndef KRB5_EXT_PROTO__
570 #define KRB5_EXT_PROTO__
571 
572 #ifndef _KERNEL
573 #include <stdlib.h>
574 #include <string.h>
575 #endif /* !_KERNEL */
576 
577 #ifndef HAVE_STRDUP
578 extern char *strdup (const char *);
579 #endif
580 
581 #ifndef _KERNEL
582 #ifdef HAVE_UNISTD_H
583 #include <unistd.h>
584 #endif
585 #endif /* !_KERNEL */
586 
587 #endif /* KRB5_EXT_PROTO__ */
588 /*
589  * End "ext-proto.h"
590  */
591 
592 /*
593  * Begin "sysincl.h"
594  */
595 #ifndef KRB5_SYSINCL__
596 #define KRB5_SYSINCL__
597 
598 #ifndef KRB5_SYSTYPES__
599 #define KRB5_SYSTYPES__
600 /* needed for much of the rest -- but already handled in krb5.h? */
601 /* #include <sys/types.h> */
602 #endif /* KRB5_SYSTYPES__ */
603 
604 #ifdef	_KERNEL
605 #include <sys/time.h>
606 #else
607 #ifdef HAVE_SYS_TIME_H
608 #include <sys/time.h>
609 #ifdef TIME_WITH_SYS_TIME
610 #include <time.h>
611 #endif
612 #else
613 #include <time.h>
614 #endif
615 #endif /* _KERNEL */
616 
617 #ifdef HAVE_SYS_STAT_H
618 #include <sys/stat.h>			/* struct stat, stat() */
619 #endif
620 
621 #ifdef HAVE_SYS_PARAM_H
622 #include <sys/param.h>			/* MAXPATHLEN */
623 #endif
624 
625 #ifdef HAVE_SYS_FILE_H
626 #include <sys/file.h>			/* prototypes for file-related
627 					   syscalls; flags for open &
628 					   friends */
629 #endif
630 
631 #ifdef _KERNEL
632 #include <sys/fcntl.h>
633 #else
634 #include <fcntl.h>
635 #endif
636 
637 #endif /* KRB5_SYSINCL__ */
638 /*
639  * End "sysincl.h"
640  */
641 
642 /*
643  * Begin "los-proto.h"
644  */
645 #ifndef KRB5_LIBOS_PROTO__
646 #define KRB5_LIBOS_PROTO__
647 #endif
648 
649 #ifndef	_KERNEL
650 #include <stdio.h>
651 
652 struct addrlist;
653 struct sendto_callback_info;
654 #endif
655 
656 /* libos.spec */
657 krb5_error_code krb5_lock_file (krb5_context, int, int);
658 krb5_error_code krb5_unlock_file (krb5_context, int);
659 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *,
660 				 const krb5_data *, krb5_data *, int *, int);
661 
662 
663 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
664 krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
665 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname);
666 
667 int krb5_net_read (krb5_context, int , char *, int);
668 
669 int krb5_net_write
670 	(krb5_context, int , const char *, int);
671 
672 
673 krb5_error_code krb5_gen_replay_name
674     (krb5_context, const krb5_address *, const char *, char **);
675 
676 
677 #ifndef	_KERNEL
678 
679 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp);
680 
681 krb5_error_code
682 krb5_open_pkcs11_session(CK_SESSION_HANDLE *);
683 
684 
685 krb5_error_code krb5_read_message
686 	(krb5_context, krb5_pointer, krb5_data *);
687 
688 krb5_error_code krb5_write_message
689 	(krb5_context, krb5_pointer, krb5_data *);
690 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
691                 const struct addrlist *addrs, struct sendto_callback_info* callback_info,
692 				krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
693                 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
694 		int (*msg_handler)(krb5_context, const krb5_data *, void *),
695 		void *msg_handler_data);
696 
697 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
698 
699 krb5_error_code krb5_set_debugging_time
700         (krb5_context, krb5_timestamp, krb5_int32);
701 krb5_error_code krb5_use_natural_time
702         (krb5_context);
703 krb5_error_code krb5_set_time_offsets
704         (krb5_context, krb5_timestamp, krb5_int32);
705 krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
706 #endif
707 
708 /*
709  * Solaris Kerberos
710  * The following two functions are needed for better realm
711  * determination based on the DNS domain name.
712  */
713 krb5_error_code krb5int_lookup_host(int , const char *, char **);
714 
715 krb5_error_code krb5int_domain_get_realm(krb5_context, const char *,
716     char **);
717 krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *,
718     char **);
719 
720 krb5_error_code krb5int_init_context_kdc(krb5_context *);
721 
722 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean);
723 
724 void krb5_os_free_context (krb5_context);
725 
726 /* This function is needed by KfM's KerberosPreferences API
727  * because it needs to be able to specify "secure" */
728 #ifndef _KERNEL
729 krb5_error_code os_get_default_config_files
730     (profile_filespec_t **pfiles, krb5_boolean secure);
731 #endif
732 
733 krb5_error_code krb5_os_hostaddr
734 	(krb5_context, const char *, krb5_address ***);
735 
736 #ifndef _KERNEL
737 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
738    going to use this structure.  */
739 struct addrlist {
740     struct {
741 #ifdef FAI_DEFINED
742 	struct addrinfo *ai;
743 #else
744 	struct undefined_addrinfo *ai;
745 #endif
746 	void (*freefn)(void *);
747 	void *data;
748     } *addrs;
749     int naddrs;
750     int space;
751 };
752 #define ADDRLIST_INIT { 0, 0, 0 }
753 extern void krb5int_free_addrlist (struct addrlist *);
754 extern int krb5int_grow_addrlist (struct addrlist *, int);
755 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
756 				     int, int, int, int);
757 
758 #include <locate_plugin.h>
759 krb5_error_code
760 krb5int_locate_server (krb5_context, const krb5_data *realm,
761 		       struct addrlist *, enum locate_service_type svc,
762 		       int sockettype, int family);
763 
764 #endif /* _KERNEL */
765 
766 /* new encryption provider api */
767 
768 struct krb5_enc_provider {
769     /* keybytes is the input size to make_key;
770        keylength is the output size */
771     size_t block_size, keybytes, keylength;
772 
773     /* cipher-state == 0 fresh state thrown away at end */
774     krb5_error_code (*encrypt) (
775 	krb5_context context,
776 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
777 	krb5_const krb5_data *input, krb5_data *output);
778 
779     krb5_error_code (*decrypt) (
780 	krb5_context context,
781 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
782 	krb5_const krb5_data *input, krb5_data *output);
783 
784     krb5_error_code (*make_key)
785     (krb5_context, krb5_const krb5_data *, krb5_keyblock *);
786 
787     krb5_error_code (*init_state) (krb5_context,
788 			const krb5_keyblock *,
789 			krb5_keyusage, krb5_data *);
790     krb5_error_code (*free_state) (krb5_context, krb5_data *);
791 
792 };
793 
794 struct krb5_hash_provider {
795     size_t hashsize, blocksize;
796 
797     /* this takes multiple inputs to avoid lots of copying. */
798     krb5_error_code (*hash) (krb5_context context,
799 	unsigned int icount, krb5_const krb5_data *input,
800 	krb5_data *output);
801 };
802 
803 struct krb5_keyhash_provider {
804     size_t hashsize;
805 
806     krb5_error_code (*hash) (
807 	krb5_context context,
808 	krb5_const krb5_keyblock *key,
809 	krb5_keyusage keyusage,
810 	krb5_const krb5_data *ivec,
811 	krb5_const krb5_data *input, krb5_data *output);
812 
813     krb5_error_code (*verify) (
814 	krb5_context context,
815 	krb5_const krb5_keyblock *key,
816 	krb5_keyusage keyusage,
817 	krb5_const krb5_data *ivec,
818 	krb5_const krb5_data *input,
819 	krb5_const krb5_data *hash,
820 	krb5_boolean *valid);
821 
822 };
823 
824 typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
825   const struct krb5_hash_provider *hash,
826   size_t inputlen, size_t *length);
827 
828 typedef krb5_error_code (*krb5_crypt_func) (
829   krb5_context context,
830   krb5_const struct krb5_enc_provider *enc,
831   krb5_const struct krb5_hash_provider *hash,
832   krb5_const krb5_keyblock *key, krb5_keyusage usage,
833   krb5_const krb5_data *ivec,
834   krb5_const krb5_data *input, krb5_data *output);
835 
836 #ifndef	_KERNEL
837 typedef krb5_error_code (*krb5_str2key_func) (
838   krb5_context context,
839   krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
840   krb5_const krb5_data *salt, krb5_const krb5_data *params,
841   krb5_keyblock *key);
842 #endif	/* _KERNEL */
843 
844 typedef krb5_error_code (*krb5_prf_func)(
845 					 const struct krb5_enc_provider *enc,
846 					 const struct krb5_hash_provider *hash,
847 					 const krb5_keyblock *key,
848 					 const krb5_data *in, krb5_data *out);
849 
850 struct krb5_keytypes {
851     krb5_enctype etype;
852     char *in_string;
853     char *out_string;
854     const struct krb5_enc_provider *enc;
855     const struct krb5_hash_provider *hash;
856     krb5_encrypt_length_func encrypt_len;
857     krb5_crypt_func encrypt;
858     krb5_crypt_func decrypt;
859     krb5_cksumtype required_ctype;
860 #ifndef	_KERNEL
861     /* Solaris Kerberos:  strings to key conversion not done in the kernel */
862     krb5_str2key_func str2key;
863 #else	/* _KERNEL */
864     char *mt_e_name;
865     char *mt_h_name;
866     crypto_mech_type_t kef_cipher_mt;
867     crypto_mech_type_t kef_hash_mt;
868 #endif	/* _KERNEL */
869 };
870 
871 struct krb5_cksumtypes {
872     krb5_cksumtype ctype;
873     unsigned int flags;
874     char *in_string;
875     char *out_string;
876     /* if the hash is keyed, this is the etype it is keyed with.
877        Actually, it can be keyed by any etype which has the same
878        enc_provider as the specified etype.  DERIVE checksums can
879        be keyed with any valid etype. */
880     krb5_enctype keyed_etype;
881     /* I can't statically initialize a union, so I'm just going to use
882        two pointers here.  The keyhash is used if non-NULL.  If NULL,
883        then HMAC/hash with derived keys is used if the relevant flag
884        is set.  Otherwise, a non-keyed hash is computed.  This is all
885        kind of messy, but so is the krb5 api. */
886     const struct krb5_keyhash_provider *keyhash;
887     const struct krb5_hash_provider *hash;
888     /* This just gets uglier and uglier.  In the key derivation case,
889        we produce an hmac.  To make the hmac code work, we can't hack
890        the output size indicated by the hash provider, but we may want
891        a truncated hmac.  If we want truncation, this is the number of
892        bytes we truncate to; it should be 0 otherwise.  */
893     unsigned int trunc_size;
894 #ifdef _KERNEL
895     char *mt_c_name;
896     crypto_mech_type_t kef_cksum_mt;
897 #endif /* _KERNEL */
898 };
899 
900 #define KRB5_CKSUMFLAG_DERIVE		0x0001
901 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF	0x0002
902 
903 /*
904  * in here to deal with stuff from lib/crypto
905  */
906 
907 void krb5_nfold
908 (unsigned int inbits, const unsigned char *in,
909 		unsigned int outbits, unsigned char *out);
910 
911 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
912 					   const krb5_data *,
913 					   unsigned long,
914 					   krb5_enctype,
915 					   const krb5_data *,
916 					   const krb5_data *);
917 
918 /* Make this a function eventually?  */
919 #ifdef _WIN32
920 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
921 #elif defined(__palmos__) && !defined(__GNUC__)
922 /* CodeWarrior 8.3 complains about passing a pointer to volatile in to
923    memset.  On the other hand, we probably want it for gcc.  */
924 # define krb5int_zap_data(ptr, len) memset(ptr, 0, len)
925 #else
926 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len)
927 # if defined(__GNUC__) && defined(__GLIBC__)
928 /* GNU libc generates multiple bogus initialization warnings if we
929    pass memset a volatile pointer.  The compiler should do well enough
930    with memset even without GNU libc's attempt at optimization.  */
931 # undef memset
932 # endif
933 #endif /* WIN32 */
934 #define zap(p,l) krb5int_zap_data(p,l)
935 
936 
937 krb5_error_code krb5int_des_init_state
938 ( krb5_context,
939 	const krb5_keyblock *,
940 	krb5_keyusage, krb5_data *);
941 
942 krb5_error_code krb5int_c_mandatory_cksumtype(
943 	krb5_context,
944 	krb5_enctype,
945 	krb5_cksumtype *);
946 
947 /*
948  * normally to free a cipher_state you can just memset the length to zero and
949  * free it.
950  */
951 krb5_error_code krb5int_default_free_state
952 (krb5_context, krb5_data *);
953 
954 
955 /*
956  * Combine two keys (normally used by the hardware preauth mechanism)
957  */
958 krb5_error_code krb5int_c_combine_keys
959 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
960 		krb5_keyblock *outkey);
961 
962 
963 #ifdef _KERNEL
964 
965 int k5_ef_crypto(
966 	const char *, char *,
967 	long, krb5_keyblock *,
968 	const krb5_data *, int);
969 
970 krb5_error_code
971 krb5_hmac(krb5_context, const krb5_keyblock *,
972 	krb5_const krb5_data *, krb5_data *);
973 
974 #else
975 krb5_error_code krb5_hmac
976 	(krb5_context,
977 	krb5_const struct krb5_hash_provider *,
978 	krb5_const krb5_keyblock *, krb5_const unsigned int,
979 	krb5_const krb5_data *, krb5_data *);
980 
981 #endif /* _KERNEL */
982 
983 
984 /*
985  * These declarations are here, so both krb5 and k5crypto
986  * can get to them.
987  * krb5 needs to get to them so it can  make them available to libgssapi.
988  */
989 extern const struct krb5_enc_provider krb5int_enc_arcfour;
990 extern const struct krb5_hash_provider krb5int_hash_md5;
991 
992 
993 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */
994 
995 krb5_error_code krb5_crypto_us_timeofday
996 	(krb5_int32 *,
997 		krb5_int32 *);
998 
999 #ifndef _KERNEL
1000 /* Solaris kerberos: for convenience */
1001 time_t krb5int_gmt_mktime (struct tm *);
1002 #endif /* ! _KERNEL */
1003 
1004 /* #endif KRB5_OLD_CRYPTO */
1005 
1006 /* this helper fct is in libkrb5, but it makes sense declared here. */
1007 
1008 krb5_error_code krb5_encrypt_helper
1009 (krb5_context context, const krb5_keyblock *key,
1010 		krb5_keyusage keyusage, const krb5_data *plain,
1011 		krb5_enc_data *cipher);
1012 
1013 /*
1014  * End "los-proto.h"
1015  */
1016 
1017 /*
1018  * Begin "libos.h"
1019  */
1020 #ifndef KRB5_LIBOS__
1021 #define KRB5_LIBOS__
1022 
1023 typedef struct _krb5_os_context {
1024 	krb5_magic		magic;
1025 	krb5_int32		time_offset;
1026 	krb5_int32		usec_offset;
1027 	krb5_int32		os_flags;
1028 	char *			default_ccname;
1029 } *krb5_os_context;
1030 
1031 /*
1032  * Flags for the os_flags field
1033  *
1034  * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
1035  * The intention is that this facility to correct the system clocks so
1036  * that they reflect the "real" time, for systems where for some
1037  * reason we can't set the system clock.  Instead we calculate the
1038  * offset between the system time and real time, and store the offset
1039  * in the os context so that we can correct the system clock as necessary.
1040  *
1041  * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
1042  * returned as the time by the krb5 time routines.  This should only
1043  * be used for testing purposes (obviously!)
1044  */
1045 #define KRB5_OS_TOFFSET_VALID	1
1046 #define KRB5_OS_TOFFSET_TIME	2
1047 
1048 /* lock mode flags */
1049 #define	KRB5_LOCKMODE_SHARED	0x0001
1050 #define	KRB5_LOCKMODE_EXCLUSIVE	0x0002
1051 #define	KRB5_LOCKMODE_DONTBLOCK	0x0004
1052 #define	KRB5_LOCKMODE_UNLOCK	0x0008
1053 
1054 #endif /* KRB5_LIBOS__ */
1055 /*
1056  * End "libos.h"
1057  */
1058 
1059 /*
1060  * Define our view of the size of a DES key.
1061  */
1062 #define	KRB5_MIT_DES_KEYSIZE		8
1063 /*
1064  * Define a couple of SHA1 constants
1065  */
1066 #define	SHS_DATASIZE	64
1067 #define	SHS_DIGESTSIZE	20
1068 
1069 /*
1070  * Check if des_int.h has been included before us.  If so, then check to see
1071  * that our view of the DES key size is the same as des_int.h's.
1072  */
1073 #ifdef	MIT_DES_KEYSIZE
1074 #if	MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
1075 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
1076 #endif	/* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
1077 #endif	/* MIT_DES_KEYSIZE */
1078 
1079 #ifndef _KERNEL
1080 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are
1081  * defined.
1082  */
1083 #define PROVIDE_DES3_CBC_SHA 1
1084 #define PROVIDE_NIST_SHA 1
1085 
1086 #endif /* !_KERNEL */
1087 
1088 /*
1089  * Begin "preauth.h"
1090  *
1091  * (Originally written by Glen Machin at Sandia Labs.)
1092  */
1093 /*
1094  * Sandia National Laboratories also makes no representations about the
1095  * suitability of the modifications, or additions to this software for
1096  * any purpose.  It is provided "as is" without express or implied warranty.
1097  *
1098  */
1099 #ifndef KRB5_PREAUTH__
1100 #define KRB5_PREAUTH__
1101 
1102 #include <preauth_plugin.h>
1103 
1104 #define CLIENT_ROCK_MAGIC 0x4352434b
1105 /* This structure is passed into the client preauth functions and passed
1106  * back to the "get_data_proc" function so that it can locate the
1107  * requested information.  It is opaque to the plugin code and can be
1108  * expanded in the future as new types of requests are defined which
1109  * may require other things to be passed through. */
1110 typedef struct _krb5_preauth_client_rock {
1111 	krb5_magic	magic;
1112 	krb5_kdc_rep	*as_reply;
1113 } krb5_preauth_client_rock;
1114 
1115 /* This structure lets us keep track of all of the modules which are loaded,
1116  * turning the list of modules and their lists of implemented preauth types
1117  * into a single list which we can walk easily. */
1118 typedef struct _krb5_preauth_context {
1119     int n_modules;
1120     struct _krb5_preauth_context_module {
1121 	/* Which of the possibly more than one preauth types which the
1122 	 * module supports we're using at this point in the list. */
1123 	krb5_preauthtype pa_type;
1124 	/* Encryption types which the client claims to support -- we
1125 	 * copy them directly into the krb5_kdc_req structure during
1126 	 * krb5_preauth_prepare_request(). */
1127 	krb5_enctype *enctypes;
1128 	/* The plugin's per-plugin context and a function to clear it. */
1129 	void *plugin_context;
1130 	preauth_client_plugin_fini_proc client_fini;
1131 	/* The module's table, and some of its members, copied here for
1132 	 * convenience when we populated the list. */
1133 	struct krb5plugin_preauth_client_ftable_v1 *ftable;
1134 	const char *name;
1135 	int flags, use_count;
1136 	preauth_client_process_proc client_process;
1137 	preauth_client_tryagain_proc client_tryagain;
1138 	preauth_client_supply_gic_opts_proc client_supply_gic_opts;
1139 	preauth_client_request_init_proc client_req_init;
1140 	preauth_client_request_fini_proc client_req_fini;
1141 	/* The per-request context which the client_req_init() function
1142 	 * might allocate, which we'll need to clean up later by
1143 	 * calling the client_req_fini() function. */
1144 	void *request_context;
1145 	/* A pointer to the request_context pointer.  All modules within
1146 	 * a plugin will point at the request_context of the first
1147 	 * module within the plugin. */
1148 	void **request_context_pp;
1149     } *modules;
1150 } krb5_preauth_context;
1151 
1152 typedef struct _krb5_pa_enc_ts {
1153     krb5_timestamp	patimestamp;
1154     krb5_int32		pausec;
1155 } krb5_pa_enc_ts;
1156 
1157 typedef struct _krb5_pa_for_user {
1158     krb5_principal      user;
1159     krb5_checksum       cksum;
1160     krb5_data           auth_package;
1161 } krb5_pa_for_user;
1162 
1163 enum {
1164   KRB5_FAST_ARMOR_AP_REQUEST = 0x1
1165 };
1166 
1167 typedef struct _krb5_fast_armor {
1168     krb5_int32 armor_type;
1169     krb5_data armor_value;
1170 } krb5_fast_armor;
1171 typedef struct _krb5_fast_armored_req {
1172     krb5_magic magic;
1173     krb5_fast_armor *armor;
1174     krb5_checksum req_checksum;
1175     krb5_enc_data enc_part;
1176 } krb5_fast_armored_req;
1177 
1178 typedef struct _krb5_fast_req {
1179     krb5_magic magic;
1180     krb5_flags fast_options;
1181     /* padata from req_body is used*/
1182    krb5_kdc_req *req_body;
1183 } krb5_fast_req;
1184 
1185 
1186 /* Bits 0-15 are critical in fast options.*/
1187 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
1188 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
1189 
1190 typedef struct _krb5_fast_finished {
1191     krb5_timestamp timestamp;
1192     krb5_int32 usec;
1193     krb5_principal client;
1194     krb5_checksum ticket_checksum;
1195 } krb5_fast_finished;
1196 
1197 typedef struct _krb5_fast_response {
1198     krb5_magic magic;
1199     krb5_pa_data **padata;
1200     krb5_keyblock *strengthen_key;
1201     krb5_fast_finished *finished;
1202     krb5_int32 nonce;
1203 } krb5_fast_response;
1204 
1205 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1206     (krb5_context,
1207 		    krb5_pa_data *,
1208 		    krb5_etype_info,
1209 		    krb5_keyblock *,
1210 		    krb5_error_code ( * )(krb5_context,
1211 					  const krb5_enctype,
1212 					  krb5_data *,
1213 					  krb5_const_pointer,
1214 					  krb5_keyblock **),
1215 		    krb5_const_pointer,
1216 		    krb5_creds *,
1217 		    krb5_kdc_req *,
1218 		    krb5_pa_data **);
1219 
1220 typedef krb5_error_code (*krb5_preauth_process_proc)
1221     (krb5_context,
1222 		    krb5_pa_data *,
1223 		    krb5_kdc_req *,
1224 		    krb5_kdc_rep *,
1225 		    krb5_error_code ( * )(krb5_context,
1226 					  const krb5_enctype,
1227 					  krb5_data *,
1228 					  krb5_const_pointer,
1229 					  krb5_keyblock **),
1230 		    krb5_const_pointer,
1231 		    krb5_error_code ( * )(krb5_context,
1232 					  const krb5_keyblock *,
1233 					  krb5_const_pointer,
1234 					  krb5_kdc_rep * ),
1235 		    krb5_keyblock **,
1236 		    krb5_creds *,
1237 		    krb5_int32 *,
1238 		    krb5_int32 *);
1239 
1240 typedef struct _krb5_preauth_ops {
1241     krb5_magic magic;
1242     int     type;
1243     int	flags;
1244     krb5_preauth_obtain_proc	obtain;
1245     krb5_preauth_process_proc	process;
1246 } krb5_preauth_ops;
1247 
1248 
1249 krb5_error_code krb5_obtain_padata
1250     	(krb5_context,
1251 		krb5_pa_data **,
1252 		krb5_error_code ( * )(krb5_context,
1253 						      const krb5_enctype,
1254 						      krb5_data *,
1255 						      krb5_const_pointer,
1256 						      krb5_keyblock **),
1257 		krb5_const_pointer,
1258 		krb5_creds *,
1259 		krb5_kdc_req *);
1260 
1261 krb5_error_code krb5_process_padata
1262 	(krb5_context,
1263 		krb5_kdc_req *,
1264 		krb5_kdc_rep *,
1265 		krb5_error_code ( * )(krb5_context,
1266 						      const krb5_enctype,
1267 						      krb5_data *,
1268 						      krb5_const_pointer,
1269 						      krb5_keyblock **),
1270 		krb5_const_pointer,
1271 		krb5_error_code ( * )(krb5_context,
1272 						      const krb5_keyblock *,
1273 						      krb5_const_pointer,
1274 						      krb5_kdc_rep * ),
1275 		krb5_keyblock **,
1276 		krb5_creds *,
1277 		krb5_int32 *);
1278 
1279 void krb5_free_etype_info (krb5_context, krb5_etype_info);
1280 
1281 /*
1282  * Preauthentication property flags
1283  */
1284 #define KRB5_PREAUTH_FLAGS_ENCRYPT	0x00000001
1285 #define KRB5_PREAUTH_FLAGS_HARDWARE	0x00000002
1286 
1287 #endif /* KRB5_PREAUTH__ */
1288 /*
1289  * End "preauth.h"
1290  */
1291 
1292 /*
1293  * Extending the krb5_get_init_creds_opt structure.  The original
1294  * krb5_get_init_creds_opt structure is defined publicly.  The
1295  * new extended version is private.  The original interface
1296  * assumed a pre-allocated structure which was passed to
1297  * krb5_get_init_creds_init().  The new interface assumes that
1298  * the caller will call krb5_get_init_creds_alloc() and
1299  * krb5_get_init_creds_free().
1300  *
1301  * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
1302  * opts structure using krb5_get_init_creds_alloc().  To do so will
1303  * introduce memory leaks.  Unfortunately, there is no way to enforce
1304  * this behavior.
1305  *
1306  * Two private flags are added for backward compatibility.
1307  * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1308  * with the new krb5_get_init_creds_opt_alloc() function.
1309  * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1310  * structure is a shadow copy of an original krb5_get_init_creds_opt
1311  * structure.
1312  * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1313  * krb5int_gic_opt_to_opte(), the resulting extended structure should be
1314  * freed (using krb5_get_init_creds_free).  Otherwise, the original
1315  * structure was already extended and there is no need to free it.
1316  */
1317 
1318 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
1319 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
1320 
1321 #define krb5_gic_opt_is_extended(s) \
1322     ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
1323 #define krb5_gic_opt_is_shadowed(s) \
1324     ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
1325 
1326 
1327 typedef struct _krb5_gic_opt_private {
1328     int num_preauth_data;
1329     krb5_gic_opt_pa_data *preauth_data;
1330 } krb5_gic_opt_private;
1331 
1332 typedef struct _krb5_gic_opt_ext {
1333     krb5_flags flags;
1334     krb5_deltat tkt_life;
1335     krb5_deltat renew_life;
1336     int forwardable;
1337     int proxiable;
1338     krb5_enctype *etype_list;
1339     int etype_list_length;
1340     krb5_address **address_list;
1341     krb5_preauthtype *preauth_list;
1342     int preauth_list_length;
1343     krb5_data *salt;
1344     /*
1345      * Do not change anything above this point in this structure.
1346      * It is identical to the public krb5_get_init_creds_opt structure.
1347      * New members must be added below.
1348      */
1349     krb5_gic_opt_private *opt_private;
1350 } krb5_gic_opt_ext;
1351 
1352 krb5_error_code
1353 krb5int_gic_opt_to_opte(krb5_context context,
1354                         krb5_get_init_creds_opt *opt,
1355                         krb5_gic_opt_ext **opte,
1356                         unsigned int force,
1357                         const char *where);
1358 
1359 krb5_error_code
1360 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1361 
1362 #ifndef _KERNEL /* needed for lib/krb5/krb/ */
1363 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1364     (krb5_context,
1365 		     krb5_principal,
1366 		     krb5_enctype,
1367 		     krb5_prompter_fct,
1368 		     void *prompter_data,
1369 		     krb5_data *salt,
1370      krb5_data *s2kparams,
1371 		     krb5_keyblock *as_key,
1372 		     void *gak_data);
1373 
1374 krb5_error_code KRB5_CALLCONV
1375 krb5_get_init_creds
1376 (krb5_context context,
1377 		krb5_creds *creds,
1378 		krb5_principal client,
1379 		krb5_prompter_fct prompter,
1380 		void *prompter_data,
1381 		krb5_deltat start_time,
1382 		char *in_tkt_service,
1383 		krb5_gic_opt_ext *gic_options,
1384 		krb5_gic_get_as_key_fct gak,
1385 		void *gak_data,
1386 		int *master,
1387 		krb5_kdc_rep **as_reply);
1388 
1389 krb5_error_code krb5int_populate_gic_opt (
1390     krb5_context, krb5_gic_opt_ext **,
1391     krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1392     krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1393 
1394 
1395 krb5_error_code KRB5_CALLCONV krb5_do_preauth
1396 	(krb5_context context,
1397 	 krb5_kdc_req *request,
1398 	 krb5_data *encoded_request_body,
1399 	 krb5_data *encoded_previous_request,
1400 	 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1401 	 krb5_data *salt, krb5_data *s2kparams,
1402 	 krb5_enctype *etype, krb5_keyblock *as_key,
1403 	 krb5_prompter_fct prompter, void *prompter_data,
1404 	 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1405 	 krb5_preauth_client_rock *get_data_rock,
1406 	 krb5_gic_opt_ext *opte);
1407 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain
1408 	(krb5_context context,
1409 	 krb5_kdc_req *request,
1410 	 krb5_data *encoded_request_body,
1411 	 krb5_data *encoded_previous_request,
1412 	 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1413 	 krb5_error *err_reply,
1414 	 krb5_data *salt, krb5_data *s2kparams,
1415 	 krb5_enctype *etype, krb5_keyblock *as_key,
1416 	 krb5_prompter_fct prompter, void *prompter_data,
1417 	 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1418 	 krb5_preauth_client_rock *get_data_rock,
1419 	 krb5_gic_opt_ext *opte);
1420 void KRB5_CALLCONV krb5_init_preauth_context
1421 	(krb5_context);
1422 void KRB5_CALLCONV krb5_free_preauth_context
1423 	(krb5_context);
1424 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts
1425 	(krb5_context);
1426 void KRB5_CALLCONV krb5_preauth_prepare_request
1427 	(krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *);
1428 void KRB5_CALLCONV krb5_preauth_request_context_init
1429 	(krb5_context);
1430 void KRB5_CALLCONV krb5_preauth_request_context_fini
1431 	(krb5_context);
1432 
1433 #endif /* _KERNEL */
1434 void KRB5_CALLCONV krb5_free_sam_challenge
1435 	(krb5_context, krb5_sam_challenge * );
1436 void KRB5_CALLCONV krb5_free_sam_challenge_2
1437 	(krb5_context, krb5_sam_challenge_2 * );
1438 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1439 	(krb5_context, krb5_sam_challenge_2_body *);
1440 void KRB5_CALLCONV krb5_free_sam_response
1441 	(krb5_context, krb5_sam_response * );
1442 void KRB5_CALLCONV krb5_free_sam_response_2
1443 	(krb5_context, krb5_sam_response_2 * );
1444 void KRB5_CALLCONV krb5_free_predicted_sam_response
1445 	(krb5_context, krb5_predicted_sam_response * );
1446 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1447 	(krb5_context, krb5_enc_sam_response_enc * );
1448 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1449 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1450 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1451 	(krb5_context, krb5_sam_challenge * );
1452 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1453 	(krb5_context, krb5_sam_challenge_2 * );
1454 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1455 	(krb5_context, krb5_sam_challenge_2_body * );
1456 void KRB5_CALLCONV krb5_free_sam_response_contents
1457 	(krb5_context, krb5_sam_response * );
1458 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1459 	(krb5_context, krb5_sam_response_2 *);
1460 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1461 	(krb5_context, krb5_predicted_sam_response * );
1462 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1463 	(krb5_context, krb5_enc_sam_response_enc * );
1464 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1465 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1466 
1467 void KRB5_CALLCONV krb5_free_pa_enc_ts
1468 	(krb5_context, krb5_pa_enc_ts *);
1469 
1470 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1471 #ifndef	_KERNEL
1472 #include "com_err.h"
1473 #include <krb5/k5-plugin.h>
1474 #endif /* _KERNEL */
1475 
1476 /*
1477  * Solaris Kerberos: moved from sendto_kdc.c so other code can reference
1478  */
1479 #define	DEFAULT_UDP_PREF_LIMIT   1465
1480 
1481 #ifndef	_KERNEL
1482 #include "profile.h"
1483 #include <strings.h>
1484 #endif /* _KERNEL */
1485 
1486 #define KEY_CHANGED(k1, k2) \
1487 (k1 == NULL || \
1488  k1 != k2 || \
1489  k1->enctype != k2->enctype || \
1490  k1->length != k2->length || \
1491  bcmp(k1->contents, k2->contents, k1->length))
1492 
1493 #ifndef _KERNEL
1494 typedef struct _arcfour_ctx {
1495 	CK_SESSION_HANDLE eSession; /* encrypt session handle */
1496 	CK_SESSION_HANDLE dSession; /* decrypt session handle */
1497 	CK_OBJECT_HANDLE  eKey; /* encrypt key object */
1498 	CK_OBJECT_HANDLE  dKey; /* decrype key object */
1499 	uchar_t           initialized;
1500 }arcfour_ctx_rec;
1501 
1502 #endif /* !_KERNEL */
1503 
1504 struct _krb5_context {
1505 	krb5_magic	magic;
1506 	krb5_enctype	*in_tkt_ktypes;
1507 	unsigned int	in_tkt_ktype_count;
1508 	krb5_enctype	*tgs_ktypes;
1509 	unsigned int	tgs_ktype_count;
1510 	/* This used to be a void*, but since we always allocate them
1511 	   together (though in different source files), and the types
1512 	   are declared in the same header, might as well just combine
1513 	   them.
1514 
1515 	   The array[1] is so the existing code treating the field as
1516 	   a pointer will still work.  For cleanliness, it should
1517 	   eventually get changed to a single element instead of an
1518 	   array.  */
1519 	struct _krb5_os_context	os_context[1];
1520 	char		*default_realm;
1521 	int		ser_ctx_count;
1522 	krb5_boolean	profile_secure;
1523 	void	      	*ser_ctx;
1524 #ifndef _KERNEL
1525 	profile_t	profile;
1526 	void		*db_context;
1527 	void		*kdblog_context;
1528 	/* allowable clock skew */
1529 	krb5_deltat 	clockskew;
1530 	krb5_cksumtype	kdc_req_sumtype;
1531 	krb5_cksumtype	default_ap_req_sumtype;
1532 	krb5_cksumtype	default_safe_sumtype;
1533 	krb5_flags 	kdc_default_options;
1534 	krb5_flags	library_options;
1535 	int		fcc_default_format;
1536 	int		scc_default_format;
1537 	krb5_prompt_type *prompt_types;
1538 	/* Message size above which we'll try TCP first in send-to-kdc
1539 	   type code.  Aside from the 2**16 size limit, we put no
1540 	   absolute limit on the UDP packet size.  */
1541 	int		udp_pref_limit;
1542 
1543 	/* This is the tgs_ktypes list as read from the profile, or
1544 	   set to compiled-in defaults.	 The application code cannot
1545 	   override it.	 This is used for session keys for
1546 	   intermediate ticket-granting tickets used to acquire the
1547 	   requested ticket (the session key of which may be
1548 	   constrained by tgs_ktypes above).  */
1549 	krb5_enctype	*conf_tgs_ktypes;
1550 	int		conf_tgs_ktypes_count;
1551 
1552 	/* Use the _configured version?	 */
1553 	krb5_boolean	use_conf_ktypes;
1554 
1555 #ifdef KRB5_DNS_LOOKUP
1556         krb5_boolean    profile_in_memory;
1557 #endif /* KRB5_DNS_LOOKUP */
1558 
1559     /* locate_kdc module stuff */
1560     struct plugin_dir_handle libkrb5_plugins;
1561     struct krb5plugin_service_locate_ftable *vtbl;
1562     void (**locate_fptrs)(void);
1563 
1564 	pid_t pid;  /* fork safety: PID of process that did last PKCS11 init */
1565 
1566 	/* Solaris Kerberos: handles for PKCS#11 crypto */
1567 	/*
1568 	 * Warning, do not access hSession directly as this is not fork() safe.
1569 	 * Instead use the krb_ctx_hSession() macro below.
1570 	 */
1571 	CK_SESSION_HANDLE hSession;
1572 	int		cryptoki_initialized;
1573 
1574 	/* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */
1575 	arcfour_ctx_rec arcfour_ctx;
1576 
1577 	/* preauth module stuff */
1578 	struct plugin_dir_handle preauth_plugins;
1579 	krb5_preauth_context *preauth_context;
1580 
1581 	/* error detail info */
1582 	struct errinfo err;
1583 #else /* ! KERNEL */
1584 	crypto_mech_type_t kef_cipher_mt;
1585 	crypto_mech_type_t kef_hash_mt;
1586 	crypto_mech_type_t kef_cksum_mt;
1587 #endif /* ! KERNEL */
1588 };
1589 
1590 #ifndef  _KERNEL
1591 extern pid_t __krb5_current_pid;
1592 
1593 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context);
1594 
1595 /*
1596  * fork safety: barring the ef_init code, every other function must use the
1597  * krb_ctx_hSession() macro to access the hSession field in a krb context.
1598  * Note, if the pid of the krb ctx == the current global pid then it is safe to
1599  * use the ctx hSession otherwise it needs to be re-inited before it is returned
1600  * to the caller.
1601  */
1602 #define krb_ctx_hSession(ctx) \
1603     ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx))
1604 #endif
1605 
1606 #define MD5_CKSUM_LENGTH 16
1607 #define RSA_MD5_CKSUM_LENGTH 16
1608 #define MD5_BLOCKSIZE 64
1609 
1610 
1611 /*
1612  * Solaris Kerberos:
1613  * This next section of prototypes and constants
1614  * are all unique to the Solaris Kerberos implementation.
1615  * Because Solaris uses the native encryption framework
1616  * to provide crypto support, the following routines
1617  * are needed to support this system.
1618  */
1619 
1620 /*
1621  * Begin Solaris Crypto Prototypes
1622  */
1623 
1624 /*
1625  * define constants that are used for creating the constant
1626  * which is used to make derived keys.
1627  */
1628 #define DK_ENCR_KEY_BYTE 0xAA
1629 #define DK_HASH_KEY_BYTE 0x55
1630 #define DK_CKSUM_KEY_BYTE 0x99
1631 
1632 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *,
1633 			krb5_keyblock *, krb5_keyusage,
1634 			krb5_keyblock **, krb5_keyblock **);
1635 
1636 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t,
1637 				krb5_keyblock *);
1638 
1639 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *);
1640 krb5_keyblock *krb5_create_derived_keyblock(int);
1641 
1642 #ifdef _KERNEL
1643 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *);
1644 
1645 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *,
1646         const krb5_data *, krb5_data *);
1647 
1648 void make_kef_key(krb5_keyblock *);
1649 int init_key_kef(crypto_mech_type_t, krb5_keyblock *);
1650 int update_key_template(krb5_keyblock *);
1651 void setup_kef_keytypes();
1652 void setup_kef_cksumtypes();
1653 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *);
1654 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *);
1655 
1656 #else
1657 /*
1658  * This structure is used to map Kerberos supported OID's,
1659  * to PKCS11 mechanisms
1660  */
1661 #define USE_ENCR	0x01
1662 #define	USE_HASH	0x02
1663 
1664 typedef struct krb5_mech_2_pkcs {
1665 	uchar_t		flags;
1666 	CK_MECHANISM_TYPE enc_algo;
1667 	CK_MECHANISM_TYPE hash_algo;
1668 	CK_MECHANISM_TYPE str2key_algo;
1669 } KRB5_MECH_TO_PKCS;
1670 
1671 #define ENC_DEFINED(x)	(((x).flags & USE_ENCR))
1672 #define HASH_DEFINED(x)	(((x).flags & USE_HASH))
1673 
1674 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos);
1675 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType);
1676 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid);
1677 
1678 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *);
1679 
1680 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *,
1681 	unsigned int, const krb5_data *, krb5_data *);
1682 
1683 krb5_error_code k5_ef_mac(krb5_context context,
1684 	krb5_keyblock *key, krb5_data *ivec,
1685 	krb5_const krb5_data *input, krb5_data *output);
1686 
1687 #endif	/* !_KERNEL */
1688 
1689 krb5_error_code
1690 derive_3des_keys(krb5_context, struct krb5_enc_provider *,
1691                 krb5_keyblock *, krb5_keyusage,
1692                 krb5_keyblock *, krb5_keyblock *);
1693 
1694 /*
1695  * End Solaris Crypto Prototypes
1696  */
1697 
1698 #define KRB5_LIBOPT_SYNC_KDCTIME	0x0001
1699 
1700 /* internal message representations */
1701 
1702 typedef struct _krb5_safe {
1703     krb5_magic magic;
1704     krb5_data user_data;		/* user data */
1705     krb5_timestamp timestamp;		/* client time, optional */
1706     krb5_int32 usec;			/* microsecond portion of time,
1707 					   optional */
1708     krb5_ui_4 seq_number;		/* sequence #, optional */
1709     krb5_address *s_address;	/* sender address */
1710     krb5_address *r_address;	/* recipient address, optional */
1711     krb5_checksum *checksum;	/* data integrity checksum */
1712 } krb5_safe;
1713 
1714 typedef struct _krb5_priv {
1715     krb5_magic magic;
1716     krb5_enc_data enc_part;		/* encrypted part */
1717 } krb5_priv;
1718 
1719 typedef struct _krb5_priv_enc_part {
1720     krb5_magic magic;
1721     krb5_data user_data;		/* user data */
1722     krb5_timestamp timestamp;		/* client time, optional */
1723     krb5_int32 usec;			/* microsecond portion of time, opt. */
1724     krb5_ui_4 seq_number;		/* sequence #, optional */
1725     krb5_address *s_address;	/* sender address */
1726     krb5_address *r_address;	/* recipient address, optional */
1727 } krb5_priv_enc_part;
1728 
1729 void KRB5_CALLCONV krb5_free_safe
1730 	(krb5_context, krb5_safe * );
1731 void KRB5_CALLCONV krb5_free_priv
1732 	(krb5_context, krb5_priv * );
1733 void KRB5_CALLCONV krb5_free_priv_enc_part
1734 	(krb5_context, krb5_priv_enc_part * );
1735 
1736 /*
1737  * Begin "asn1.h"
1738  */
1739 #ifndef KRB5_ASN1__
1740 #define KRB5_ASN1__
1741 
1742 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1743 /* here we use some knowledge of ASN.1 encodings */
1744 /*
1745   Ticket is APPLICATION 1.
1746   Authenticator is APPLICATION 2.
1747   AS_REQ is APPLICATION 10.
1748   AS_REP is APPLICATION 11.
1749   TGS_REQ is APPLICATION 12.
1750   TGS_REP is APPLICATION 13.
1751   AP_REQ is APPLICATION 14.
1752   AP_REP is APPLICATION 15.
1753   KRB_SAFE is APPLICATION 20.
1754   KRB_PRIV is APPLICATION 21.
1755   KRB_CRED is APPLICATION 22.
1756   EncASRepPart is APPLICATION 25.
1757   EncTGSRepPart is APPLICATION 26.
1758   EncAPRepPart is APPLICATION 27.
1759   EncKrbPrivPart is APPLICATION 28.
1760   EncKrbCredPart is APPLICATION 29.
1761   KRB_ERROR is APPLICATION 30.
1762  */
1763 /* allow either constructed or primitive encoding, so check for bit 6
1764    set or reset */
1765 #define krb5_is_krb_ticket(dat)\
1766 	((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1767 				    (dat)->data[0] == 0x41))
1768 #define krb5_is_krb_authenticator(dat)\
1769 	((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1770 				    (dat)->data[0] == 0x42))
1771 #define krb5_is_as_req(dat)\
1772 	((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1773 				    (dat)->data[0] == 0x4a))
1774 #define krb5_is_as_rep(dat)\
1775 	((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1776 				    (dat)->data[0] == 0x4b))
1777 #define krb5_is_tgs_req(dat)\
1778 	((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1779 				    (dat)->data[0] == 0x4c))
1780 #define krb5_is_tgs_rep(dat)\
1781 	((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1782 				    (dat)->data[0] == 0x4d))
1783 #define krb5_is_ap_req(dat)\
1784 	((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1785 				    (dat)->data[0] == 0x4e))
1786 #define krb5_is_ap_rep(dat)\
1787 	((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1788 				    (dat)->data[0] == 0x4f))
1789 #define krb5_is_krb_safe(dat)\
1790 	((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1791 				    (dat)->data[0] == 0x54))
1792 #define krb5_is_krb_priv(dat)\
1793 	((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1794 				    (dat)->data[0] == 0x55))
1795 #define krb5_is_krb_cred(dat)\
1796 	((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1797 				    (dat)->data[0] == 0x56))
1798 #define krb5_is_krb_enc_as_rep_part(dat)\
1799 	((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1800 				    (dat)->data[0] == 0x59))
1801 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1802 	((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1803 				    (dat)->data[0] == 0x5a))
1804 #define krb5_is_krb_enc_ap_rep_part(dat)\
1805 	((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1806 				    (dat)->data[0] == 0x5b))
1807 #define krb5_is_krb_enc_krb_priv_part(dat)\
1808 	((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1809 				    (dat)->data[0] == 0x5c))
1810 #define krb5_is_krb_enc_krb_cred_part(dat)\
1811 	((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1812 				    (dat)->data[0] == 0x5d))
1813 #define krb5_is_krb_error(dat)\
1814 	((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1815 				    (dat)->data[0] == 0x5e))
1816 
1817 /*************************************************************************
1818  * Prototypes for krb5_encode.c
1819  *************************************************************************/
1820 
1821 /*
1822    krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1823 					 krb5_data **code);
1824    modifies  *code
1825    effects   Returns the ASN.1 encoding of *rep in **code.
1826              Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1827              Returns ENOMEM if memory runs out.
1828 */
1829 
1830 krb5_error_code encode_krb5_authenticator
1831 	(const krb5_authenticator *rep, krb5_data **code);
1832 
1833 krb5_error_code encode_krb5_ticket
1834 	(const krb5_ticket *rep, krb5_data **code);
1835 
1836 krb5_error_code encode_krb5_encryption_key
1837 	(const krb5_keyblock *rep, krb5_data **code);
1838 
1839 krb5_error_code encode_krb5_enc_tkt_part
1840 	(const krb5_enc_tkt_part *rep, krb5_data **code);
1841 
1842 krb5_error_code encode_krb5_enc_kdc_rep_part
1843 	(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1844 
1845 /* yes, the translation is identical to that used for KDC__REP */
1846 krb5_error_code encode_krb5_as_rep
1847 	(const krb5_kdc_rep *rep, krb5_data **code);
1848 
1849 /* yes, the translation is identical to that used for KDC__REP */
1850 krb5_error_code encode_krb5_tgs_rep
1851 	(const krb5_kdc_rep *rep, krb5_data **code);
1852 
1853 krb5_error_code encode_krb5_ap_req
1854 	(const krb5_ap_req *rep, krb5_data **code);
1855 
1856 krb5_error_code encode_krb5_ap_rep
1857 	(const krb5_ap_rep *rep, krb5_data **code);
1858 
1859 krb5_error_code encode_krb5_ap_rep_enc_part
1860 	(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1861 
1862 krb5_error_code encode_krb5_as_req
1863 	(const krb5_kdc_req *rep, krb5_data **code);
1864 
1865 krb5_error_code encode_krb5_tgs_req
1866 	(const krb5_kdc_req *rep, krb5_data **code);
1867 
1868 krb5_error_code encode_krb5_kdc_req_body
1869 	(const krb5_kdc_req *rep, krb5_data **code);
1870 
1871 krb5_error_code encode_krb5_safe
1872 	(const krb5_safe *rep, krb5_data **code);
1873 
1874 struct krb5_safe_with_body {
1875 	krb5_safe *safe;
1876 	krb5_data *body;
1877 };
1878 
1879 krb5_error_code encode_krb5_safe_with_body
1880 	(const struct krb5_safe_with_body *rep, krb5_data **code);
1881 
1882 krb5_error_code encode_krb5_priv
1883 	(const krb5_priv *rep, krb5_data **code);
1884 
1885 krb5_error_code encode_krb5_enc_priv_part
1886 	(const krb5_priv_enc_part *rep, krb5_data **code);
1887 
1888 krb5_error_code encode_krb5_cred
1889 	(const krb5_cred *rep, krb5_data **code);
1890 
1891 krb5_error_code encode_krb5_enc_cred_part
1892 	(const krb5_cred_enc_part *rep, krb5_data **code);
1893 
1894 krb5_error_code encode_krb5_error
1895 	(const krb5_error *rep, krb5_data **code);
1896 
1897 krb5_error_code encode_krb5_authdata
1898 	(krb5_authdata *const *rep, krb5_data **code);
1899 
1900 krb5_error_code encode_krb5_authdata_elt
1901 	(const krb5_authdata *rep, krb5_data **code);
1902 
1903 krb5_error_code encode_krb5_pwd_sequence
1904 	(const passwd_phrase_element *rep, krb5_data **code);
1905 
1906 krb5_error_code encode_krb5_pwd_data
1907 	(const krb5_pwd_data *rep, krb5_data **code);
1908 
1909 krb5_error_code encode_krb5_padata_sequence
1910         (krb5_pa_data *const *rep, krb5_data **code);
1911 
1912 krb5_error_code encode_krb5_alt_method
1913 	(const krb5_alt_method *, krb5_data **code);
1914 
1915 krb5_error_code encode_krb5_etype_info
1916         (krb5_etype_info_entry *const *, krb5_data **code);
1917 krb5_error_code encode_krb5_etype_info2
1918         (krb5_etype_info_entry *const *, krb5_data **code);
1919 
1920 krb5_error_code encode_krb5_enc_data
1921     	(const krb5_enc_data *, krb5_data **);
1922 
1923 krb5_error_code encode_krb5_pa_enc_ts
1924     	(const krb5_pa_enc_ts *, krb5_data **);
1925 
1926 krb5_error_code encode_krb5_sam_challenge
1927 	(const krb5_sam_challenge * , krb5_data **);
1928 
1929 krb5_error_code encode_krb5_sam_key
1930 	(const krb5_sam_key * , krb5_data **);
1931 
1932 krb5_error_code encode_krb5_enc_sam_response_enc
1933 	(const krb5_enc_sam_response_enc * , krb5_data **);
1934 
1935 krb5_error_code encode_krb5_sam_response
1936 	(const krb5_sam_response * , krb5_data **);
1937 
1938 krb5_error_code encode_krb5_sam_challenge_2
1939 	(const krb5_sam_challenge_2 * , krb5_data **);
1940 
1941 krb5_error_code encode_krb5_sam_challenge_2_body
1942 	(const krb5_sam_challenge_2_body * , krb5_data **);
1943 
1944 krb5_error_code encode_krb5_enc_sam_response_enc_2
1945 	(const krb5_enc_sam_response_enc_2 * , krb5_data **);
1946 
1947 krb5_error_code encode_krb5_sam_response_2
1948 	(const krb5_sam_response_2 * , krb5_data **);
1949 
1950 krb5_error_code encode_krb5_predicted_sam_response
1951 	(const krb5_predicted_sam_response * , krb5_data **);
1952 
1953 struct krb5_setpw_req {
1954     krb5_principal target;
1955     krb5_data password;
1956 };
1957 krb5_error_code encode_krb5_setpw_req
1958         (const struct krb5_setpw_req *rep, krb5_data **code);
1959 
1960 /*************************************************************************
1961  * End of prototypes for krb5_encode.c
1962  *************************************************************************/
1963 
1964 krb5_error_code decode_krb5_sam_challenge
1965        (const krb5_data *, krb5_sam_challenge **);
1966 
1967 krb5_error_code decode_krb5_enc_sam_key
1968        (const krb5_data *, krb5_sam_key **);
1969 
1970 krb5_error_code decode_krb5_enc_sam_response_enc
1971        (const krb5_data *, krb5_enc_sam_response_enc **);
1972 
1973 krb5_error_code decode_krb5_sam_response
1974        (const krb5_data *, krb5_sam_response **);
1975 
1976 krb5_error_code decode_krb5_predicted_sam_response
1977        (const krb5_data *, krb5_predicted_sam_response **);
1978 
1979 krb5_error_code decode_krb5_sam_challenge_2
1980 	(const krb5_data *, krb5_sam_challenge_2 **);
1981 
1982 krb5_error_code decode_krb5_sam_challenge_2_body
1983 	(const krb5_data *, krb5_sam_challenge_2_body **);
1984 
1985 krb5_error_code decode_krb5_enc_sam_response_enc_2
1986 	(const krb5_data *, krb5_enc_sam_response_enc_2 **);
1987 
1988 krb5_error_code decode_krb5_sam_response_2
1989 	(const krb5_data *, krb5_sam_response_2 **);
1990 
1991 
1992 /*************************************************************************
1993  * Prototypes for krb5_decode.c
1994  *************************************************************************/
1995 
1996 krb5_error_code krb5_validate_times
1997        (krb5_context,
1998 		       krb5_ticket_times *);
1999 
2000 /*
2001    krb5_error_code decode_krb5_structure(const krb5_data *code,
2002                                          krb5_structure **rep);
2003 
2004    requires  Expects **rep to not have been allocated;
2005               a new *rep is allocated regardless of the old value.
2006    effects   Decodes *code into **rep.
2007 	     Returns ENOMEM if memory is exhausted.
2008              Returns asn1 and krb5 errors.
2009 */
2010 
2011 krb5_error_code decode_krb5_authenticator
2012 	(const krb5_data *code, krb5_authenticator **rep);
2013 
2014 krb5_error_code decode_krb5_ticket
2015 	(const krb5_data *code, krb5_ticket **rep);
2016 
2017 krb5_error_code decode_krb5_encryption_key
2018 	(const krb5_data *output, krb5_keyblock **rep);
2019 
2020 krb5_error_code decode_krb5_enc_tkt_part
2021 	(const krb5_data *output, krb5_enc_tkt_part **rep);
2022 
2023 krb5_error_code decode_krb5_enc_kdc_rep_part
2024 	(const krb5_data *output, krb5_enc_kdc_rep_part **rep);
2025 
2026 krb5_error_code decode_krb5_as_rep
2027 	(const krb5_data *output, krb5_kdc_rep **rep);
2028 
2029 krb5_error_code decode_krb5_tgs_rep
2030 	(const krb5_data *output, krb5_kdc_rep **rep);
2031 
2032 krb5_error_code decode_krb5_ap_req
2033 	(const krb5_data *output, krb5_ap_req **rep);
2034 
2035 krb5_error_code decode_krb5_ap_rep
2036 	(const krb5_data *output, krb5_ap_rep **rep);
2037 
2038 krb5_error_code decode_krb5_ap_rep_enc_part
2039 	(const krb5_data *output, krb5_ap_rep_enc_part **rep);
2040 
2041 krb5_error_code decode_krb5_as_req
2042 	(const krb5_data *output, krb5_kdc_req **rep);
2043 
2044 krb5_error_code decode_krb5_tgs_req
2045 	(const krb5_data *output, krb5_kdc_req **rep);
2046 
2047 krb5_error_code decode_krb5_kdc_req_body
2048 	(const krb5_data *output, krb5_kdc_req **rep);
2049 
2050 krb5_error_code decode_krb5_safe
2051 	(const krb5_data *output, krb5_safe **rep);
2052 
2053 krb5_error_code decode_krb5_safe_with_body
2054 	(const krb5_data *output, krb5_safe **rep, krb5_data *body);
2055 
2056 krb5_error_code decode_krb5_priv
2057 	(const krb5_data *output, krb5_priv **rep);
2058 
2059 krb5_error_code decode_krb5_enc_priv_part
2060 	(const krb5_data *output, krb5_priv_enc_part **rep);
2061 
2062 krb5_error_code decode_krb5_cred
2063 	(const krb5_data *output, krb5_cred **rep);
2064 
2065 krb5_error_code decode_krb5_enc_cred_part
2066 	(const krb5_data *output, krb5_cred_enc_part **rep);
2067 
2068 krb5_error_code decode_krb5_error
2069 	(const krb5_data *output, krb5_error **rep);
2070 
2071 krb5_error_code decode_krb5_authdata
2072 	(const krb5_data *output, krb5_authdata ***rep);
2073 
2074 krb5_error_code decode_krb5_pwd_sequence
2075 	(const krb5_data *output, passwd_phrase_element **rep);
2076 
2077 krb5_error_code decode_krb5_pwd_data
2078 	(const krb5_data *output, krb5_pwd_data **rep);
2079 
2080 krb5_error_code decode_krb5_padata_sequence
2081 	(const krb5_data *output, krb5_pa_data ***rep);
2082 
2083 krb5_error_code decode_krb5_alt_method
2084 	(const krb5_data *output, krb5_alt_method **rep);
2085 
2086 krb5_error_code decode_krb5_etype_info
2087 	(const krb5_data *output, krb5_etype_info_entry ***rep);
2088 
2089 krb5_error_code decode_krb5_etype_info2
2090 	(const krb5_data *output, krb5_etype_info_entry ***rep);
2091 
2092 krb5_error_code decode_krb5_enc_data
2093 	(const krb5_data *output, krb5_enc_data **rep);
2094 
2095 krb5_error_code decode_krb5_pa_enc_ts
2096 	(const krb5_data *output, krb5_pa_enc_ts **rep);
2097 
2098 krb5_error_code decode_krb5_sam_key
2099 	(const krb5_data *, krb5_sam_key **);
2100 
2101 struct _krb5_key_data;		/* kdb.h */
2102 krb5_error_code
2103 krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data,
2104 				      krb5_int16 n_key_data,
2105 				      krb5_int32 mkvno,
2106 				      krb5_data **code);
2107 
2108 krb5_error_code
2109 krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
2110 				      struct _krb5_key_data **out,
2111 				      krb5_int16 *n_key_data,
2112 				      int *mkvno);
2113 
2114 /*************************************************************************
2115  * End of prototypes for krb5_decode.c
2116  *************************************************************************/
2117 
2118 #endif /* KRB5_ASN1__ */
2119 /*
2120  * End "asn1.h"
2121  */
2122 
2123 
2124 /*
2125  * Internal krb5 library routines
2126  */
2127 krb5_error_code krb5_encrypt_tkt_part
2128 	(krb5_context,
2129 		const krb5_keyblock *,
2130 		krb5_ticket * );
2131 
2132 
2133 krb5_error_code krb5_encode_kdc_rep
2134 	(krb5_context,
2135 		const krb5_msgtype,
2136 		const krb5_enc_kdc_rep_part *,
2137 		int using_subkey,
2138 		const krb5_keyblock *,
2139 		krb5_kdc_rep *,
2140 		krb5_data ** );
2141 
2142 krb5_boolean krb5int_auth_con_chkseqnum
2143 	(krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
2144 /*
2145  * [De]Serialization Handle and operations.
2146  */
2147 struct __krb5_serializer {
2148     krb5_magic		odtype;
2149     krb5_error_code	(*sizer) (krb5_context,
2150 						  krb5_pointer,
2151 						  size_t *);
2152     krb5_error_code	(*externalizer) (krb5_context,
2153 							 krb5_pointer,
2154 							 krb5_octet **,
2155 							 size_t *);
2156     krb5_error_code	(*internalizer) (krb5_context,
2157 							 krb5_pointer *,
2158 							 krb5_octet **,
2159 							 size_t *);
2160 };
2161 typedef const struct __krb5_serializer * krb5_ser_handle;
2162 typedef struct __krb5_serializer krb5_ser_entry;
2163 
2164 krb5_ser_handle krb5_find_serializer
2165 	(krb5_context,
2166 		krb5_magic);
2167 krb5_error_code krb5_register_serializer
2168 	(krb5_context,
2169 			const krb5_ser_entry *);
2170 
2171 /* Determine the external size of a particular opaque structure */
2172 krb5_error_code KRB5_CALLCONV krb5_size_opaque
2173 	(krb5_context,
2174 		krb5_magic,
2175 		krb5_pointer,
2176 		size_t *);
2177 
2178 /* Serialize the structure into a buffer */
2179 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
2180 	(krb5_context,
2181 		krb5_magic,
2182 		krb5_pointer,
2183 		krb5_octet **,
2184 		size_t *);
2185 
2186 /* Deserialize the structure from a buffer */
2187 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
2188 	(krb5_context,
2189 		krb5_magic,
2190 		krb5_pointer *,
2191 		krb5_octet **,
2192 		size_t *);
2193 
2194 /* Serialize data into a buffer */
2195 krb5_error_code krb5_externalize_data
2196 	(krb5_context,
2197 		krb5_pointer,
2198 		krb5_octet **,
2199 		size_t *);
2200 /*
2201  * Initialization routines.
2202  */
2203 
2204 /* Initialize serialization for krb5_[os_]context */
2205 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
2206 	(krb5_context);
2207 
2208 /* Initialize serialization for krb5_auth_context */
2209 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
2210 	(krb5_context);
2211 
2212 /* Initialize serialization for krb5_keytab */
2213 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
2214 	(krb5_context);
2215 
2216 /* Initialize serialization for krb5_ccache */
2217 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
2218 	(krb5_context);
2219 
2220 /* Initialize serialization for krb5_rcache */
2221 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
2222 	(krb5_context);
2223 
2224 /* [De]serialize 4-byte integer */
2225 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
2226 	(krb5_int32,
2227 		krb5_octet **,
2228 		size_t *);
2229 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
2230 	(krb5_int32 *,
2231 		krb5_octet **,
2232 		size_t *);
2233 /* [De]serialize 8-byte integer */
2234 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
2235 	(krb5_int64, krb5_octet **, size_t *);
2236 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
2237 	(krb5_int64 *, krb5_octet **, size_t *);
2238 /* [De]serialize byte string */
2239 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
2240 	(krb5_octet *,
2241 		size_t,
2242 		krb5_octet **,
2243 		size_t *);
2244 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
2245 	(krb5_octet *,
2246 		size_t,
2247 		krb5_octet **,
2248 		size_t *);
2249 
2250 krb5_error_code KRB5_CALLCONV krb5int_cc_default
2251 	(krb5_context, krb5_ccache *);
2252 
2253 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
2254 	(krb5_context, krb5_ccache, krb5_flags,
2255 			krb5_creds *, krb5_creds *);
2256 
2257 krb5_boolean KRB5_CALLCONV
2258 krb5_creds_compare (krb5_context in_context,
2259                     krb5_creds *in_creds,
2260                     krb5_creds *in_compare_creds);
2261 
2262 void krb5int_set_prompt_types
2263 	(krb5_context, krb5_prompt_type *);
2264 
2265 krb5_error_code
2266 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
2267 				  krb5_keyblock * /* Old keyblock, not new!  */);
2268 
2269 /* set and change password helpers */
2270 
2271 krb5_error_code krb5int_mk_chpw_req
2272 	(krb5_context context, krb5_auth_context auth_context,
2273  			krb5_data *ap_req, char *passwd, krb5_data *packet);
2274 krb5_error_code krb5int_rd_chpw_rep
2275 	(krb5_context context, krb5_auth_context auth_context,
2276 		       krb5_data *packet, int *result_code,
2277 		       krb5_data *result_data);
2278 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
2279 	(krb5_context context, int result_code,
2280 			char **result_codestr);
2281 krb5_error_code  krb5int_mk_setpw_req
2282 	(krb5_context context, krb5_auth_context auth_context,
2283  			krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
2284 krb5_error_code krb5int_rd_setpw_rep
2285 	(krb5_context context, krb5_auth_context auth_context,
2286 		       krb5_data *packet, int *result_code,
2287 		       krb5_data *result_data);
2288 krb5_error_code krb5int_setpw_result_code_string
2289 	(krb5_context context, int result_code,
2290 			const char **result_codestr);
2291 
2292 struct srv_dns_entry {
2293     struct srv_dns_entry *next;
2294     int priority;
2295     int weight;
2296     unsigned short port;
2297     char *host;
2298 };
2299 #ifdef KRB5_DNS_LOOKUP
2300 krb5_error_code
2301 krb5int_make_srv_query_realm(const krb5_data *realm,
2302 			     const char *service,
2303 			     const char *protocol,
2304 			     struct srv_dns_entry **answers);
2305 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2306 #endif
2307 
2308 /*
2309  * Convenience function for structure magic number
2310  */
2311 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
2312     if ((structure)->magic != (magic_number)) return (magic_number);
2313 
2314 
2315 /* SUNW14resync XXX - see k5-util.h */
2316 #if 0
2317 int krb5_seteuid  (int);
2318 #endif
2319 
2320 char * krb5_getenv(const char *);
2321 int krb5_setenv  (const char *, const char *, int);
2322 void krb5_unsetenv  (const char *);
2323 
2324 
2325 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it
2326    for future resync sake */
2327 
2328 /* To keep happy libraries which are (for now) accessing internal stuff */
2329 
2330 /* Make sure to increment by one when changing the struct */
2331 #define KRB5INT_ACCESS_STRUCT_VERSION 12
2332 
2333 #ifndef ANAME_SZ
2334 struct ktext;			/* from krb.h, for krb524 support */
2335 #endif
2336 typedef struct _krb5int_access {
2337     /* crypto stuff */
2338     const struct krb5_hash_provider *md5_hash_provider;
2339     const struct krb5_enc_provider *arcfour_enc_provider;
2340     krb5_error_code (* krb5_hmac) (krb5_context, const struct krb5_hash_provider *hash,
2341 				   const krb5_keyblock *key,
2342 				   unsigned int icount, const krb5_data *input,
2343 				   krb5_data *output);
2344     /* service location and communication */
2345 #ifndef _KERNEL
2346     krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
2347 				   const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
2348 				   struct sockaddr *, socklen_t *,struct sockaddr *,
2349 				   socklen_t *, int *,
2350 				   int (*msg_handler)(krb5_context, const krb5_data *, void *),
2351 				   void *msg_handler_data);
2352     krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2353 					const char *hostname,
2354 					int port, int secport,
2355 					int socktype, int family);
2356     void (*free_addrlist) (struct addrlist *);
2357 #endif /* _KERNEL */
2358 
2359     krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2360 					    const char *service,
2361 					    const char *protocol,
2362 					    struct srv_dns_entry **answers);
2363     void (*free_srv_dns_data)(struct srv_dns_entry *);
2364     int (*use_dns_kdc)(krb5_context);
2365     krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t);
2366 
2367     /* krb4 compatibility stuff -- may be null if not enabled */
2368     krb5_int32 (*krb_life_to_time)(krb5_int32, int);
2369     int (*krb_time_to_life)(krb5_int32, krb5_int32);
2370     int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
2371     krb5_error_code (*krb5int_c_mandatory_cksumtype)
2372         (krb5_context, krb5_enctype, krb5_cksumtype *);
2373     krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
2374         (krb5_int64, krb5_octet **, size_t *);
2375     krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
2376         (krb5_int64 *, krb5_octet **, size_t *);
2377 
2378     /* Used for KDB LDAP back end.  */
2379     krb5_error_code
2380     (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data,
2381 					  krb5_int16 n_key_data,
2382 					  krb5_int32 mkvno,
2383 					  krb5_data **code);
2384 
2385     krb5_error_code
2386     (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
2387 					  struct _krb5_key_data **out,
2388 					  krb5_int16 *n_key_data,
2389 					  int *mkvno);
2390 
2391     /*
2392      * pkinit asn.1 encode/decode functions
2393      */
2394     krb5_error_code (*encode_krb5_auth_pack)
2395         (const krb5_auth_pack *rep, krb5_data **code);
2396     krb5_error_code (*encode_krb5_auth_pack_draft9)
2397         (const krb5_auth_pack_draft9 *rep, krb5_data **code);
2398     krb5_error_code (*encode_krb5_kdc_dh_key_info)
2399         (const krb5_kdc_dh_key_info *rep, krb5_data **code);
2400     krb5_error_code (*encode_krb5_pa_pk_as_rep)
2401         (const krb5_pa_pk_as_rep *rep, krb5_data **code);
2402     krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9)
2403         (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code);
2404     krb5_error_code (*encode_krb5_pa_pk_as_req)
2405 	(const krb5_pa_pk_as_req *rep, krb5_data **code);
2406     krb5_error_code (*encode_krb5_pa_pk_as_req_draft9)
2407 	(const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code);
2408     krb5_error_code (*encode_krb5_reply_key_pack)
2409         (const krb5_reply_key_pack *, krb5_data **code);
2410     krb5_error_code (*encode_krb5_reply_key_pack_draft9)
2411         (const krb5_reply_key_pack_draft9 *, krb5_data **code);
2412     krb5_error_code (*encode_krb5_td_dh_parameters)
2413         (const krb5_algorithm_identifier **, krb5_data **code);
2414     krb5_error_code (*encode_krb5_td_trusted_certifiers)
2415         (const krb5_external_principal_identifier **, krb5_data **code);
2416     krb5_error_code (*encode_krb5_typed_data)
2417         (const krb5_typed_data **, krb5_data **code);
2418 
2419     krb5_error_code (*decode_krb5_auth_pack)
2420         (const krb5_data *, krb5_auth_pack **);
2421     krb5_error_code (*decode_krb5_auth_pack_draft9)
2422         (const krb5_data *, krb5_auth_pack_draft9 **);
2423     krb5_error_code (*decode_krb5_pa_pk_as_req)
2424         (const krb5_data *, krb5_pa_pk_as_req **);
2425     krb5_error_code (*decode_krb5_pa_pk_as_req_draft9)
2426         (const krb5_data *, krb5_pa_pk_as_req_draft9 **);
2427     krb5_error_code (*decode_krb5_pa_pk_as_rep)
2428         (const krb5_data *, krb5_pa_pk_as_rep **);
2429     krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9)
2430         (const krb5_data *, krb5_pa_pk_as_rep_draft9 **);
2431     krb5_error_code (*decode_krb5_kdc_dh_key_info)
2432         (const krb5_data *, krb5_kdc_dh_key_info **);
2433     krb5_error_code (*decode_krb5_principal_name)
2434         (const krb5_data *, krb5_principal_data **);
2435     krb5_error_code (*decode_krb5_reply_key_pack)
2436         (const krb5_data *, krb5_reply_key_pack **);
2437     krb5_error_code (*decode_krb5_reply_key_pack_draft9)
2438         (const krb5_data *, krb5_reply_key_pack_draft9 **);
2439     krb5_error_code (*decode_krb5_td_dh_parameters)
2440         (const krb5_data *, krb5_algorithm_identifier ***);
2441     krb5_error_code (*decode_krb5_td_trusted_certifiers)
2442         (const krb5_data *, krb5_external_principal_identifier ***);
2443     krb5_error_code (*decode_krb5_typed_data)
2444         (const krb5_data *, krb5_typed_data ***);
2445 
2446     krb5_error_code (*decode_krb5_as_req)
2447 	(const krb5_data *output, krb5_kdc_req **rep);
2448     krb5_error_code (*encode_krb5_kdc_req_body)
2449 	(const krb5_kdc_req *rep, krb5_data **code);
2450     void (KRB5_CALLCONV *krb5_free_kdc_req)
2451 	(krb5_context, krb5_kdc_req * );
2452     void (*krb5int_set_prompt_types)
2453 	(krb5_context, krb5_prompt_type *);
2454     krb5_error_code (*encode_krb5_authdata_elt)
2455 	(const krb5_authdata *rep, krb5_data **code);
2456 
2457 } krb5int_access;
2458 
2459 #define KRB5INT_ACCESS_VERSION \
2460     (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2461 		   (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2462 
2463 krb5_error_code KRB5_CALLCONV krb5int_accessor
2464 	(krb5int_access*, krb5_int32);
2465 
2466 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2467    because AFS (and potentially other applications?) use the krb4
2468    object as an opaque token, which (in some implementations) is not
2469    in fact a krb4 ticket, so we don't want to drag in the krb4 support
2470    just to enable this.  */
2471 
2472 #define KRB524_SERVICE "krb524"
2473 #define KRB524_PORT 4444
2474 
2475 /* v4lifetime.c */
2476 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
2477 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
2478 
2479 /* conv_creds.c */
2480 int krb5int_encode_v4tkt
2481 	(struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
2482 
2483 /* send524.c */
2484 int krb5int_524_sendto_kdc
2485         (krb5_context context, const krb5_data * message,
2486 	 const krb5_data * realm, krb5_data * reply,
2487 	 struct sockaddr *, socklen_t *);
2488 
2489 /* temporary -- this should be under lib/krb5/ccache somewhere */
2490 
2491 struct _krb5_ccache {
2492     krb5_magic magic;
2493     const struct _krb5_cc_ops *ops;
2494     krb5_pointer data;
2495 };
2496 
2497 /*
2498  * Per-type ccache cursor.
2499  */
2500 struct krb5_cc_ptcursor {
2501     const struct _krb5_cc_ops *ops;
2502     krb5_pointer data;
2503 };
2504 typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor;
2505 
2506 struct _krb5_cc_ops {
2507     krb5_magic magic;
2508     char *prefix;
2509     const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
2510     krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
2511 					    const char *);
2512     krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2513     krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2514 					    krb5_principal);
2515     krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2516     krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2517     krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2518 					    krb5_creds *);
2519     krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2520 					    krb5_flags, krb5_creds *,
2521 					    krb5_creds *);
2522     krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2523 					    krb5_principal *);
2524     krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2525 					    krb5_cc_cursor *);
2526     krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2527 					    krb5_cc_cursor *, krb5_creds *);
2528     krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2529 					    krb5_cc_cursor *);
2530     krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2531 					    krb5_flags, krb5_creds *);
2532     krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2533 					    krb5_flags);
2534     krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache,
2535 						krb5_flags *);
2536     krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2537 						  krb5_cc_ptcursor *);
2538     krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2539 						   krb5_cc_ptcursor,
2540 						   krb5_ccache *);
2541     krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2542 						   krb5_cc_ptcursor *);
2543     krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache);
2544     krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2545 						krb5_ccache, krb5_timestamp *);
2546     krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2547 						krb5_timestamp *);
2548 };
2549 
2550 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2551 
2552 krb5_error_code
2553 krb5int_cc_os_default_name(krb5_context context, char **name);
2554 
2555 /*
2556  * Cursor for iterating over ccache types
2557  */
2558 struct krb5_cc_typecursor;
2559 typedef struct krb5_cc_typecursor *krb5_cc_typecursor;
2560 
2561 krb5_error_code
2562 krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *cursor);
2563 
2564 krb5_error_code
2565 krb5int_cc_typecursor_next(
2566     krb5_context context,
2567     krb5_cc_typecursor cursor,
2568     const struct _krb5_cc_ops **ops);
2569 
2570 krb5_error_code
2571 krb5int_cc_typecursor_free(
2572     krb5_context context,
2573     krb5_cc_typecursor *cursor);
2574 
2575 typedef struct _krb5_donot_replay {
2576     krb5_magic magic;
2577     krb5_ui_4 hash;
2578     char *server;			/* null-terminated */
2579     char *client;			/* null-terminated */
2580     char *msghash;                      /* null-terminated */
2581     krb5_int32 cusec;
2582     krb5_timestamp ctime;
2583 } krb5_donot_replay;
2584 
2585 krb5_error_code krb5_rc_default
2586 	(krb5_context,
2587 		krb5_rcache *);
2588 krb5_error_code krb5_rc_resolve_type
2589 	(krb5_context,
2590 		krb5_rcache *,char *);
2591 krb5_error_code krb5_rc_resolve_full
2592 	(krb5_context,
2593 		krb5_rcache *,char *);
2594 char * krb5_rc_get_type
2595 	(krb5_context,
2596 		krb5_rcache);
2597 char * krb5_rc_default_type
2598 	(krb5_context);
2599 char * krb5_rc_default_name
2600 	(krb5_context);
2601 krb5_error_code krb5_auth_to_rep
2602 	(krb5_context,
2603 		krb5_tkt_authent *,
2604 		krb5_donot_replay *);
2605 
2606 
2607 krb5_error_code KRB5_CALLCONV krb5_rc_initialize
2608 	(krb5_context, krb5_rcache,krb5_deltat);
2609 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
2610 	(krb5_context, krb5_rcache,krb5_deltat);
2611 krb5_error_code KRB5_CALLCONV krb5_rc_recover
2612 	(krb5_context, krb5_rcache);
2613 krb5_error_code KRB5_CALLCONV krb5_rc_destroy
2614 	(krb5_context, krb5_rcache);
2615 krb5_error_code KRB5_CALLCONV krb5_rc_close
2616 	(krb5_context, krb5_rcache);
2617 krb5_error_code KRB5_CALLCONV krb5_rc_store
2618 	(krb5_context, krb5_rcache,krb5_donot_replay *);
2619 krb5_error_code KRB5_CALLCONV krb5_rc_expunge
2620 	(krb5_context, krb5_rcache);
2621 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
2622 	(krb5_context, krb5_rcache,krb5_deltat *);
2623 char *KRB5_CALLCONV krb5_rc_get_name
2624 	(krb5_context, krb5_rcache);
2625 krb5_error_code KRB5_CALLCONV krb5_rc_resolve
2626 	(krb5_context, krb5_rcache, char *);
2627 
2628 typedef struct _krb5_kt_ops {
2629     krb5_magic magic;
2630     char *prefix;
2631     /* routines always present */
2632     krb5_error_code (KRB5_CALLCONV *resolve)
2633 	(krb5_context,
2634 		 const char *,
2635 		 krb5_keytab *);
2636     krb5_error_code (KRB5_CALLCONV *get_name)
2637 	(krb5_context,
2638 		 krb5_keytab,
2639 		 char *,
2640 		 unsigned int);
2641     krb5_error_code (KRB5_CALLCONV *close)
2642 	(krb5_context,
2643 		 krb5_keytab);
2644     krb5_error_code (KRB5_CALLCONV *get)
2645 	(krb5_context,
2646 		 krb5_keytab,
2647 		 krb5_const_principal,
2648 		 krb5_kvno,
2649 		 krb5_enctype,
2650 		 krb5_keytab_entry *);
2651     krb5_error_code (KRB5_CALLCONV *start_seq_get)
2652 	(krb5_context,
2653 		 krb5_keytab,
2654 		 krb5_kt_cursor *);
2655     krb5_error_code (KRB5_CALLCONV *get_next)
2656 	(krb5_context,
2657 		 krb5_keytab,
2658 		 krb5_keytab_entry *,
2659 		 krb5_kt_cursor *);
2660     krb5_error_code (KRB5_CALLCONV *end_get)
2661 	(krb5_context,
2662 		 krb5_keytab,
2663 		 krb5_kt_cursor *);
2664     /* routines to be included on extended version (write routines) */
2665     krb5_error_code (KRB5_CALLCONV *add)
2666 	(krb5_context,
2667 		 krb5_keytab,
2668 		 krb5_keytab_entry *);
2669     krb5_error_code (KRB5_CALLCONV *remove)
2670 	(krb5_context,
2671 		 krb5_keytab,
2672 		  krb5_keytab_entry *);
2673 
2674     /* Handle for serializer */
2675     const krb5_ser_entry *serializer;
2676 } krb5_kt_ops;
2677 
2678 extern const krb5_kt_ops krb5_kt_dfl_ops;
2679 
2680 extern krb5_error_code krb5int_translate_gai_error (int);
2681 
2682 /* Not sure it's ready for exposure just yet.  */
2683 extern krb5_error_code
2684 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
2685 
2686 extern int krb5int_crypto_init (void);
2687 extern int krb5int_prng_init(void);
2688 
2689 /*
2690  * SUNW14resync
2691  * Hack (?) to neuter C99 "inline" which causes warnings w/our build.
2692  */
2693 #define inline
2694 
2695 /* Solaris kerberos */
2696 krb5_boolean KRB5_CALLCONV is_in_keytype
2697 	(krb5_const krb5_enctype *keytype,
2698 	int numkeytypes, krb5_enctype enctype);
2699 
2700 /*
2701  * Solaris Kerberos
2702  * Use krb5_getuid() to select the mechanism to obtain the uid.
2703  */
2704 extern uid_t	krb5_getuid();
2705 
2706 /*
2707  * Referral definitions, debugging hooks, and subfunctions.
2708  */
2709 #define        KRB5_REFERRAL_MAXHOPS	5
2710 /* #define DEBUG_REFERRALS */
2711 
2712 #ifdef DEBUG_REFERRALS
2713 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2714 #endif
2715 
2716 /* Common hostname-parsing code. */
2717 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
2718 	(krb5_context,
2719 		const char *,
2720 		char *,
2721 		size_t);
2722 
2723 /*
2724  * Solaris Kerberos
2725  * Kernel & user space realloc.
2726  */
2727 void *krb5int_realloc
2728 	(void *oldp,
2729 	 size_t new_size,
2730 	 size_t old_size);
2731 #endif /* _KRB5_INT_H */
2732