1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology, 8 * Cambridge, MA, USA. All Rights Reserved. 9 * 10 * This software is being provided to you, the LICENSEE, by the 11 * Massachusetts Institute of Technology (M.I.T.) under the following 12 * license. By obtaining, using and/or copying this software, you agree 13 * that you have read, understood, and will comply with these terms and 14 * conditions: 15 * 16 * Export of this software from the United States of America may 17 * require a specific license from the United States Government. 18 * It is the responsibility of any person or organization contemplating 19 * export to obtain such a license before exporting. 20 * 21 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute 22 * this software and its documentation for any purpose and without fee or 23 * royalty is hereby granted, provided that you agree to comply with the 24 * following copyright notice and statements, including the disclaimer, and 25 * that the same appear on ALL copies of the software and documentation, 26 * including modifications that you make for internal use or for 27 * distribution: 28 * 29 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS 30 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not 31 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF 32 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF 33 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY 34 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. 35 * 36 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT 37 * be used in advertising or publicity pertaining to distribution of the 38 * software. Title to copyright in this software and any associated 39 * documentation shall at all times remain with M.I.T., and USER agrees to 40 * preserve same. 41 * 42 * Furthermore if you modify this software you must label 43 * your software as modified software and not distribute it in such a 44 * fashion that it might be confused with the original M.I.T. software. 45 */ 46 47 /* 48 * Copyright (C) 1998 by the FundsXpress, INC. 49 * 50 * All rights reserved. 51 * 52 * Export of this software from the United States of America may require 53 * a specific license from the United States Government. It is the 54 * responsibility of any person or organization contemplating export to 55 * obtain such a license before exporting. 56 * 57 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 58 * distribute this software and its documentation for any purpose and 59 * without fee is hereby granted, provided that the above copyright 60 * notice appear in all copies and that both that copyright notice and 61 * this permission notice appear in supporting documentation, and that 62 * the name of FundsXpress. not be used in advertising or publicity pertaining 63 * to distribution of the software without specific, written prior 64 * permission. FundsXpress makes no representations about the suitability of 65 * this software for any purpose. It is provided "as is" without express 66 * or implied warranty. 67 * 68 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 69 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 70 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 71 */ 72 73 /* 74 * This prototype for k5-int.h (Krb5 internals include file) 75 * includes the user-visible definitions from krb5.h and then 76 * includes other definitions that are not user-visible but are 77 * required for compiling Kerberos internal routines. 78 * 79 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995 80 */ 81 82 #ifndef _KRB5_INT_H 83 #define _KRB5_INT_H 84 85 #ifdef KRB5_GENERAL__ 86 #error krb5.h included before k5-int.h 87 #endif /* KRB5_GENERAL__ */ 88 89 #ifndef _KERNEL 90 #include <osconf.h> 91 #include <security/cryptoki.h> 92 #else 93 #include <sys/crypto/common.h> 94 #include <sys/crypto/api.h> 95 #endif 96 97 #ifdef DEBUG 98 #if !defined(KRB5_DEBUG) 99 #define KRB5_DEBUG 100 #endif 101 #ifndef KRB5_LOG_LVL 102 #define KRB5_LOG_LVL KRB5_ERR 103 #endif 104 #endif /* DEBUG */ 105 106 #ifdef _KERNEL 107 108 #ifdef DEBUG 109 #include <sys/types.h> 110 #include <sys/cmn_err.h> 111 extern void prom_printf(); 112 #endif /* DEBUG */ 113 114 #else /* !_KERNEL */ 115 116 #define prom_printf printf 117 118 #endif /* !_KERNEL */ 119 120 #ifdef KRB5_LOG_LVL 121 122 /* krb5_log is used to set the logging level to determine what class of messages 123 * are output by the mech. Note, more than one logging level can be used by 124 * bit or'ing the log values together. 125 * 126 * All log messages are captured by syslog. 127 */ 128 129 extern unsigned int krb5_log; 130 131 /* Note, these defines should be mutually exclusive bit fields */ 132 #define KRB5_ERR 1 /* Use this debug log level for error path logging. */ 133 #define KRB5_INFO 2 /* Use this debug log level for informational messages. */ 134 135 #ifdef _KERNEL 136 137 #define KRB5_LOG1(A, B, C, D) \ 138 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE))) 139 #define KRB5_LOG(A, B, C) \ 140 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE))) 141 #define KRB5_LOG0(A, B) \ 142 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE))) 143 144 #else /* !_KERNEL */ 145 146 #include <syslog.h> 147 148 #define KRB5_LOG1(A, B, C, D) \ 149 ((void)((krb5_log) && (krb5_log & (A)) && \ 150 (syslog(LOG_DEBUG, (B), (C), (D)), TRUE))) 151 #define KRB5_LOG(A, B, C) \ 152 ((void)((krb5_log) && (krb5_log & (A)) && \ 153 (syslog(LOG_DEBUG, (B), (C)), TRUE))) 154 #define KRB5_LOG0(A, B) \ 155 ((void)((krb5_log) && (krb5_log & (A)) && \ 156 (syslog(LOG_DEBUG, B), TRUE))) 157 158 #endif /* _KERNEL */ 159 160 #else /* ! KRB5_LOG_LVL */ 161 162 #define KRB5_LOG1(A, B, C, D) 163 #define KRB5_LOG(A, B, C) 164 #define KRB5_LOG0(A, B) 165 166 #endif /* KRB5_LOG_LVL */ 167 168 #ifdef POSIX_TYPES 169 #define timetype time_t 170 #else 171 #define timetype long 172 #endif 173 174 /* 175 * Begin "k5-config.h" 176 */ 177 #ifndef KRB5_CONFIG__ 178 #define KRB5_CONFIG__ 179 180 /* 181 * Machine-type definitions: PC Clone 386 running Microloss Windows 182 */ 183 184 #if defined(_MSDOS) || defined(_WIN32) 185 #include "win-mac.h" 186 187 /* Kerberos Windows initialization file */ 188 #define KERBEROS_INI "kerberos.ini" 189 #define INI_FILES "Files" 190 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */ 191 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */ 192 #define ANSI_STDIO 193 #endif 194 195 #ifndef _KERNEL 196 #ifndef KRB5_AUTOCONF__ 197 #define KRB5_AUTOCONF__ 198 #include "autoconf.h" 199 #endif 200 #endif /* !_KERNEL */ 201 202 #ifndef KRB5_SYSTYPES__ 203 #define KRB5_SYSTYPES__ 204 205 #ifndef _KERNEL 206 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */ 207 #include <sys/types.h> 208 #else /* HAVE_SYS_TYPES_H */ 209 typedef unsigned long u_long; 210 typedef unsigned int u_int; 211 typedef unsigned short u_short; 212 typedef unsigned char u_char; 213 #endif /* HAVE_SYS_TYPES_H */ 214 #endif /* KRB5_SYSTYPES__ */ 215 #endif /* !_KERNEL */ 216 217 218 /* #include "k5-platform.h" SUNW XXX */ 219 /* not used in krb5.h (yet) */ 220 typedef uint64_t krb5_ui_8; 221 typedef int64_t krb5_int64; 222 223 224 225 #define DEFAULT_PWD_STRING1 "Enter password:" 226 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:" 227 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ 228 #define KRB5_KDB_MAX_RLIFE (60*60*24*365) /* one year */ 229 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */ 230 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 231 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */ 232 233 /* 234 * Windows requires a different api interface to each function. Here 235 * just define it as NULL. 236 */ 237 #ifndef KRB5_CALLCONV 238 #define KRB5_CALLCONV 239 #define KRB5_CALLCONV_C 240 #endif 241 #ifndef O_BINARY 242 #define O_BINARY 0 243 #endif 244 245 #endif /* KRB5_CONFIG__ */ 246 247 /* 248 * End "k5-config.h" 249 */ 250 251 /* 252 * After loading the configuration definitions, load the Kerberos definitions. 253 */ 254 #ifndef _KERNEL 255 #include <errno.h> 256 #include "profile.h" 257 #endif 258 259 #include <krb5.h> 260 261 #ifndef _KERNEL 262 #if 1 /* def NEED_SOCKETS */ 263 #include <port-sockets.h> 264 #include <socket-utils.h> 265 #else 266 #ifndef SOCK_DGRAM 267 struct sockaddr; 268 #endif 269 #endif 270 #endif 271 272 /* Get mutex support; currently used only for the replay cache. */ 273 #include "k5-thread.h" 274 275 276 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory. 277 The ones that it doesn't include, we include below. */ 278 279 /* 280 * Begin "k5-errors.h" 281 */ 282 #ifndef KRB5_ERRORS__ 283 #define KRB5_ERRORS__ 284 285 286 /* Error codes used in KRB_ERROR protocol messages. 287 Return values of library routines are based on a different error table 288 (which allows non-ambiguous error codes between subsystems) */ 289 290 /* KDC errors */ 291 #define KDC_ERR_NONE 0 /* No error */ 292 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */ 293 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */ 294 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */ 295 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */ 296 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */ 297 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */ 298 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */ 299 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */ 300 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */ 301 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */ 302 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */ 303 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */ 304 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */ 305 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */ 306 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */ 307 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */ 308 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */ 309 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */ 310 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */ 311 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */ 312 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */ 313 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */ 314 #define KDC_ERR_KEY_EXP 23 /* Password has expired */ 315 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */ 316 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */ 317 /* required */ 318 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */ 319 /* ticket don't match*/ 320 #define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not 321 * available that is 322 * required to process the 323 * request */ 324 /* Application errors */ 325 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */ 326 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */ 327 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */ 328 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */ 329 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */ 330 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */ 331 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */ 332 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */ 333 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */ 334 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */ 335 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */ 336 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */ 337 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */ 338 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */ 339 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */ 340 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */ 341 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */ 342 /* method required */ 343 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */ 344 /* in message */ 345 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */ 346 /* checksum in message */ 347 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */ 348 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */ 349 /* retry with TCP */ 350 351 /* other errors */ 352 #define KRB_ERR_GENERIC 60 /* Generic error (description */ 353 /* in e-text) */ 354 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */ 355 356 /* PKINIT server-reported errors */ 357 #define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */ 358 #define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */ 359 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */ 360 #define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */ 361 /* trusted root cert */ 362 #define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */ 363 #define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */ 364 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */ 365 #define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */ 366 /* principal name */ 367 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */ 368 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */ 369 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */ 370 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */ 371 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81 372 373 #endif /* KRB5_ERRORS__ */ 374 /* 375 * End "k5-errors.h" 376 */ 377 378 /* 379 * This structure is returned in the e-data field of the KRB-ERROR 380 * message when the error calling for an alternative form of 381 * authentication is returned, KRB_AP_METHOD. 382 */ 383 typedef struct _krb5_alt_method { 384 krb5_magic magic; 385 krb5_int32 method; 386 unsigned int length; 387 krb5_octet *data; 388 } krb5_alt_method; 389 390 /* 391 * A null-terminated array of this structure is returned by the KDC as 392 * the data part of the ETYPE_INFO preauth type. It informs the 393 * client which encryption types are supported. 394 * The same data structure is used by both etype-info and etype-info2 395 * but s2kparams must be null when encoding etype-info. 396 */ 397 typedef struct _krb5_etype_info_entry { 398 krb5_magic magic; 399 krb5_enctype etype; 400 unsigned int length; 401 krb5_octet *salt; 402 krb5_data s2kparams; 403 } krb5_etype_info_entry; 404 405 /* 406 * This is essentially -1 without sign extension which can screw up 407 * comparisons on 64 bit machines. If the length is this value, then 408 * the salt data is not present. This is to distinguish between not 409 * being set and being of 0 length. 410 */ 411 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS 412 413 typedef krb5_etype_info_entry ** krb5_etype_info; 414 415 /* 416 * a sam_challenge is returned for alternate preauth 417 */ 418 /* 419 SAMFlags ::= BIT STRING { 420 use-sad-as-key[0], 421 send-encrypted-sad[1], 422 must-pk-encrypt-sad[2] 423 } 424 */ 425 /* 426 PA-SAM-CHALLENGE ::= SEQUENCE { 427 sam-type[0] INTEGER, 428 sam-flags[1] SAMFlags, 429 sam-type-name[2] GeneralString OPTIONAL, 430 sam-track-id[3] GeneralString OPTIONAL, 431 sam-challenge-label[4] GeneralString OPTIONAL, 432 sam-challenge[5] GeneralString OPTIONAL, 433 sam-response-prompt[6] GeneralString OPTIONAL, 434 sam-pk-for-sad[7] EncryptionKey OPTIONAL, 435 sam-nonce[8] INTEGER OPTIONAL, 436 sam-cksum[9] Checksum OPTIONAL 437 } 438 */ 439 /* sam_type values -- informational only */ 440 #define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */ 441 #define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */ 442 #define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */ 443 #define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */ 444 #define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */ 445 #define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */ 446 #if 1 /* XXX need to figure out who has which numbers assigned */ 447 #define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */ 448 #define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */ 449 #define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */ 450 #endif 451 #define PA_SAM_TYPE_EXP_BASE 128 /* experimental */ 452 #define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */ 453 #define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */ 454 455 typedef struct _krb5_predicted_sam_response { 456 krb5_magic magic; 457 krb5_keyblock sam_key; 458 krb5_flags sam_flags; /* Makes key munging easier */ 459 krb5_timestamp stime; /* time on server, for replay detection */ 460 krb5_int32 susec; 461 krb5_principal client; 462 krb5_data msd; /* mechanism specific data */ 463 } krb5_predicted_sam_response; 464 465 typedef struct _krb5_sam_challenge { 466 krb5_magic magic; 467 krb5_int32 sam_type; /* information */ 468 krb5_flags sam_flags; /* KRB5_SAM_* values */ 469 krb5_data sam_type_name; 470 krb5_data sam_track_id; 471 krb5_data sam_challenge_label; 472 krb5_data sam_challenge; 473 krb5_data sam_response_prompt; 474 krb5_data sam_pk_for_sad; 475 krb5_int32 sam_nonce; 476 krb5_checksum sam_cksum; 477 } krb5_sam_challenge; 478 479 typedef struct _krb5_sam_key { /* reserved for future use */ 480 krb5_magic magic; 481 krb5_keyblock sam_key; 482 } krb5_sam_key; 483 484 typedef struct _krb5_enc_sam_response_enc { 485 krb5_magic magic; 486 krb5_int32 sam_nonce; 487 krb5_timestamp sam_timestamp; 488 krb5_int32 sam_usec; 489 krb5_data sam_sad; 490 } krb5_enc_sam_response_enc; 491 492 typedef struct _krb5_sam_response { 493 krb5_magic magic; 494 krb5_int32 sam_type; /* informational */ 495 krb5_flags sam_flags; /* KRB5_SAM_* values */ 496 krb5_data sam_track_id; /* copied */ 497 krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */ 498 krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */ 499 krb5_int32 sam_nonce; 500 krb5_timestamp sam_patimestamp; 501 } krb5_sam_response; 502 503 typedef struct _krb5_sam_challenge_2 { 504 krb5_data sam_challenge_2_body; 505 krb5_checksum **sam_cksum; /* Array of checksums */ 506 } krb5_sam_challenge_2; 507 508 typedef struct _krb5_sam_challenge_2_body { 509 krb5_magic magic; 510 krb5_int32 sam_type; /* information */ 511 krb5_flags sam_flags; /* KRB5_SAM_* values */ 512 krb5_data sam_type_name; 513 krb5_data sam_track_id; 514 krb5_data sam_challenge_label; 515 krb5_data sam_challenge; 516 krb5_data sam_response_prompt; 517 krb5_data sam_pk_for_sad; 518 krb5_int32 sam_nonce; 519 krb5_enctype sam_etype; 520 } krb5_sam_challenge_2_body; 521 522 typedef struct _krb5_sam_response_2 { 523 krb5_magic magic; 524 krb5_int32 sam_type; /* informational */ 525 krb5_flags sam_flags; /* KRB5_SAM_* values */ 526 krb5_data sam_track_id; /* copied */ 527 krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */ 528 krb5_int32 sam_nonce; 529 } krb5_sam_response_2; 530 531 typedef struct _krb5_enc_sam_response_enc_2 { 532 krb5_magic magic; 533 krb5_int32 sam_nonce; 534 krb5_data sam_sad; 535 } krb5_enc_sam_response_enc_2; 536 537 /* 538 * Keep the pkinit definitions in a separate file so that the plugin 539 * only has to include k5-int-pkinit.h rather than k5-int.h 540 */ 541 542 #include "k5-int-pkinit.h" 543 544 /* 545 * Begin "dbm.h" 546 */ 547 #ifndef _KERNEL 548 549 /* 550 * Since we are always using db, use the db-ndbm include header file. 551 */ 552 553 #include "db-ndbm.h" 554 555 #endif /* !KERNEL */ 556 /* 557 * End "dbm.h" 558 */ 559 560 /* 561 * Begin "ext-proto.h" 562 */ 563 #ifndef KRB5_EXT_PROTO__ 564 #define KRB5_EXT_PROTO__ 565 566 #ifndef _KERNEL 567 #include <stdlib.h> 568 #include <string.h> 569 #endif /* !_KERNEL */ 570 571 #ifndef HAVE_STRDUP 572 extern char *strdup (const char *); 573 #endif 574 575 #ifndef _KERNEL 576 #ifdef HAVE_UNISTD_H 577 #include <unistd.h> 578 #endif 579 #endif /* !_KERNEL */ 580 581 #endif /* KRB5_EXT_PROTO__ */ 582 /* 583 * End "ext-proto.h" 584 */ 585 586 /* 587 * Begin "sysincl.h" 588 */ 589 #ifndef KRB5_SYSINCL__ 590 #define KRB5_SYSINCL__ 591 592 #ifndef KRB5_SYSTYPES__ 593 #define KRB5_SYSTYPES__ 594 /* needed for much of the rest -- but already handled in krb5.h? */ 595 /* #include <sys/types.h> */ 596 #endif /* KRB5_SYSTYPES__ */ 597 598 #ifdef _KERNEL 599 #include <sys/time.h> 600 #else 601 #ifdef HAVE_SYS_TIME_H 602 #include <sys/time.h> 603 #ifdef TIME_WITH_SYS_TIME 604 #include <time.h> 605 #endif 606 #else 607 #include <time.h> 608 #endif 609 #endif /* _KERNEL */ 610 611 #ifdef HAVE_SYS_STAT_H 612 #include <sys/stat.h> /* struct stat, stat() */ 613 #endif 614 615 #ifdef HAVE_SYS_PARAM_H 616 #include <sys/param.h> /* MAXPATHLEN */ 617 #endif 618 619 #ifdef HAVE_SYS_FILE_H 620 #include <sys/file.h> /* prototypes for file-related 621 syscalls; flags for open & 622 friends */ 623 #endif 624 625 #ifdef _KERNEL 626 #include <sys/fcntl.h> 627 #else 628 #include <fcntl.h> 629 #endif 630 631 #endif /* KRB5_SYSINCL__ */ 632 /* 633 * End "sysincl.h" 634 */ 635 636 /* 637 * Begin "los-proto.h" 638 */ 639 #ifndef KRB5_LIBOS_PROTO__ 640 #define KRB5_LIBOS_PROTO__ 641 #endif 642 643 #ifndef _KERNEL 644 #include <stdio.h> 645 646 struct addrlist; 647 struct sendto_callback_info; 648 #endif 649 650 /* libos.spec */ 651 krb5_error_code krb5_lock_file (krb5_context, int, int); 652 krb5_error_code krb5_unlock_file (krb5_context, int); 653 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *, 654 const krb5_data *, krb5_data *, int *, int); 655 656 657 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** ); 658 krb5_error_code krb5_free_krbhst (krb5_context, char * const * ); 659 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname); 660 661 int krb5_net_read (krb5_context, int , char *, int); 662 663 int krb5_net_write 664 (krb5_context, int , const char *, int); 665 666 667 krb5_error_code krb5_gen_replay_name 668 (krb5_context, const krb5_address *, const char *, char **); 669 670 671 #ifndef _KERNEL 672 673 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp); 674 675 krb5_error_code 676 krb5_open_pkcs11_session(CK_SESSION_HANDLE *); 677 678 679 krb5_error_code krb5_read_message 680 (krb5_context, krb5_pointer, krb5_data *); 681 682 krb5_error_code krb5_write_message 683 (krb5_context, krb5_pointer, krb5_data *); 684 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message, 685 const struct addrlist *addrs, struct sendto_callback_info* callback_info, 686 krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen, 687 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used, 688 int (*msg_handler)(krb5_context, const krb5_data *, void *), 689 void *msg_handler_data); 690 691 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t); 692 #endif 693 694 /* 695 * Solaris Kerberos 696 * The following two functions are needed for better realm 697 * determination based on the DNS domain name. 698 */ 699 krb5_error_code krb5int_lookup_host(int , const char *, char **); 700 701 krb5_error_code krb5int_domain_get_realm(krb5_context, const char *, 702 char **); 703 krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *, 704 char **); 705 706 krb5_error_code krb5int_init_context_kdc(krb5_context *); 707 708 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean); 709 710 void krb5_os_free_context (krb5_context); 711 712 /* This function is needed by KfM's KerberosPreferences API 713 * because it needs to be able to specify "secure" */ 714 #ifndef _KERNEL 715 krb5_error_code os_get_default_config_files 716 (profile_filespec_t **pfiles, krb5_boolean secure); 717 #endif 718 719 krb5_error_code krb5_os_hostaddr 720 (krb5_context, const char *, krb5_address ***); 721 722 #ifndef _KERNEL 723 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're 724 going to use this structure. */ 725 struct addrlist { 726 struct { 727 #ifdef FAI_DEFINED 728 struct addrinfo *ai; 729 #else 730 struct undefined_addrinfo *ai; 731 #endif 732 void (*freefn)(void *); 733 void *data; 734 } *addrs; 735 int naddrs; 736 int space; 737 }; 738 #define ADDRLIST_INIT { 0, 0, 0 } 739 extern void krb5int_free_addrlist (struct addrlist *); 740 extern int krb5int_grow_addrlist (struct addrlist *, int); 741 extern int krb5int_add_host_to_list (struct addrlist *, const char *, 742 int, int, int, int); 743 744 #include <locate_plugin.h> 745 krb5_error_code 746 krb5int_locate_server (krb5_context, const krb5_data *realm, 747 struct addrlist *, enum locate_service_type svc, 748 int sockettype, int family); 749 750 #endif /* _KERNEL */ 751 752 /* new encryption provider api */ 753 754 struct krb5_enc_provider { 755 /* keybytes is the input size to make_key; 756 keylength is the output size */ 757 size_t block_size, keybytes, keylength; 758 759 /* cipher-state == 0 fresh state thrown away at end */ 760 krb5_error_code (*encrypt) ( 761 krb5_context context, 762 krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec, 763 krb5_const krb5_data *input, krb5_data *output); 764 765 krb5_error_code (*decrypt) ( 766 krb5_context context, 767 krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec, 768 krb5_const krb5_data *input, krb5_data *output); 769 770 krb5_error_code (*make_key) 771 (krb5_context, krb5_const krb5_data *, krb5_keyblock *); 772 773 krb5_error_code (*init_state) (krb5_context, 774 const krb5_keyblock *, 775 krb5_keyusage, krb5_data *); 776 krb5_error_code (*free_state) (krb5_context, krb5_data *); 777 778 }; 779 780 struct krb5_hash_provider { 781 size_t hashsize, blocksize; 782 783 /* this takes multiple inputs to avoid lots of copying. */ 784 krb5_error_code (*hash) (krb5_context context, 785 unsigned int icount, krb5_const krb5_data *input, 786 krb5_data *output); 787 }; 788 789 struct krb5_keyhash_provider { 790 size_t hashsize; 791 792 krb5_error_code (*hash) ( 793 krb5_context context, 794 krb5_const krb5_keyblock *key, 795 krb5_keyusage keyusage, 796 krb5_const krb5_data *ivec, 797 krb5_const krb5_data *input, krb5_data *output); 798 799 krb5_error_code (*verify) ( 800 krb5_context context, 801 krb5_const krb5_keyblock *key, 802 krb5_keyusage keyusage, 803 krb5_const krb5_data *ivec, 804 krb5_const krb5_data *input, 805 krb5_const krb5_data *hash, 806 krb5_boolean *valid); 807 808 }; 809 810 typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc, 811 const struct krb5_hash_provider *hash, 812 size_t inputlen, size_t *length); 813 814 typedef krb5_error_code (*krb5_crypt_func) ( 815 krb5_context context, 816 krb5_const struct krb5_enc_provider *enc, 817 krb5_const struct krb5_hash_provider *hash, 818 krb5_const krb5_keyblock *key, krb5_keyusage usage, 819 krb5_const krb5_data *ivec, 820 krb5_const krb5_data *input, krb5_data *output); 821 822 #ifndef _KERNEL 823 typedef krb5_error_code (*krb5_str2key_func) ( 824 krb5_context context, 825 krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string, 826 krb5_const krb5_data *salt, krb5_const krb5_data *params, 827 krb5_keyblock *key); 828 #endif /* _KERNEL */ 829 830 typedef krb5_error_code (*krb5_prf_func)( 831 const struct krb5_enc_provider *enc, 832 const struct krb5_hash_provider *hash, 833 const krb5_keyblock *key, 834 const krb5_data *in, krb5_data *out); 835 836 struct krb5_keytypes { 837 krb5_enctype etype; 838 char *in_string; 839 char *out_string; 840 const struct krb5_enc_provider *enc; 841 const struct krb5_hash_provider *hash; 842 krb5_encrypt_length_func encrypt_len; 843 krb5_crypt_func encrypt; 844 krb5_crypt_func decrypt; 845 krb5_cksumtype required_ctype; 846 #ifndef _KERNEL 847 /* Solaris Kerberos: strings to key conversion not done in the kernel */ 848 krb5_str2key_func str2key; 849 #else /* _KERNEL */ 850 char *mt_e_name; 851 char *mt_h_name; 852 crypto_mech_type_t kef_cipher_mt; 853 crypto_mech_type_t kef_hash_mt; 854 #endif /* _KERNEL */ 855 }; 856 857 struct krb5_cksumtypes { 858 krb5_cksumtype ctype; 859 unsigned int flags; 860 char *in_string; 861 char *out_string; 862 /* if the hash is keyed, this is the etype it is keyed with. 863 Actually, it can be keyed by any etype which has the same 864 enc_provider as the specified etype. DERIVE checksums can 865 be keyed with any valid etype. */ 866 krb5_enctype keyed_etype; 867 /* I can't statically initialize a union, so I'm just going to use 868 two pointers here. The keyhash is used if non-NULL. If NULL, 869 then HMAC/hash with derived keys is used if the relevant flag 870 is set. Otherwise, a non-keyed hash is computed. This is all 871 kind of messy, but so is the krb5 api. */ 872 const struct krb5_keyhash_provider *keyhash; 873 const struct krb5_hash_provider *hash; 874 /* This just gets uglier and uglier. In the key derivation case, 875 we produce an hmac. To make the hmac code work, we can't hack 876 the output size indicated by the hash provider, but we may want 877 a truncated hmac. If we want truncation, this is the number of 878 bytes we truncate to; it should be 0 otherwise. */ 879 unsigned int trunc_size; 880 #ifdef _KERNEL 881 char *mt_c_name; 882 crypto_mech_type_t kef_cksum_mt; 883 #endif /* _KERNEL */ 884 }; 885 886 #define KRB5_CKSUMFLAG_DERIVE 0x0001 887 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002 888 889 /* 890 * in here to deal with stuff from lib/crypto 891 */ 892 893 void krb5_nfold 894 (unsigned int inbits, const unsigned char *in, 895 unsigned int outbits, unsigned char *out); 896 897 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context, 898 const krb5_data *, 899 unsigned long, 900 krb5_enctype, 901 const krb5_data *, 902 const krb5_data *); 903 904 /* Make this a function eventually? */ 905 #ifdef _WIN32 906 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len) 907 #elif defined(__palmos__) && !defined(__GNUC__) 908 /* CodeWarrior 8.3 complains about passing a pointer to volatile in to 909 memset. On the other hand, we probably want it for gcc. */ 910 # define krb5int_zap_data(ptr, len) memset(ptr, 0, len) 911 #else 912 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len) 913 # if defined(__GNUC__) && defined(__GLIBC__) 914 /* GNU libc generates multiple bogus initialization warnings if we 915 pass memset a volatile pointer. The compiler should do well enough 916 with memset even without GNU libc's attempt at optimization. */ 917 # undef memset 918 # endif 919 #endif /* WIN32 */ 920 #define zap(p,l) krb5int_zap_data(p,l) 921 922 923 krb5_error_code krb5int_des_init_state 924 ( krb5_context, 925 const krb5_keyblock *, 926 krb5_keyusage, krb5_data *); 927 928 krb5_error_code krb5int_c_mandatory_cksumtype( 929 krb5_context, 930 krb5_enctype, 931 krb5_cksumtype *); 932 933 /* 934 * normally to free a cipher_state you can just memset the length to zero and 935 * free it. 936 */ 937 krb5_error_code krb5int_default_free_state 938 (krb5_context, krb5_data *); 939 940 941 /* 942 * Combine two keys (normally used by the hardware preauth mechanism) 943 */ 944 krb5_error_code krb5int_c_combine_keys 945 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, 946 krb5_keyblock *outkey); 947 948 949 #ifdef _KERNEL 950 951 int k5_ef_crypto( 952 const char *, char *, 953 long, krb5_keyblock *, 954 const krb5_data *, int); 955 956 krb5_error_code 957 krb5_hmac(krb5_context, const krb5_keyblock *, 958 krb5_const krb5_data *, krb5_data *); 959 960 #else 961 krb5_error_code krb5_hmac 962 (krb5_context, 963 krb5_const struct krb5_hash_provider *, 964 krb5_const krb5_keyblock *, krb5_const unsigned int, 965 krb5_const krb5_data *, krb5_data *); 966 967 #endif /* _KERNEL */ 968 969 970 /* 971 * These declarations are here, so both krb5 and k5crypto 972 * can get to them. 973 * krb5 needs to get to them so it can make them available to libgssapi. 974 */ 975 extern const struct krb5_enc_provider krb5int_enc_arcfour; 976 extern const struct krb5_hash_provider krb5int_hash_md5; 977 978 979 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */ 980 981 krb5_error_code krb5_crypto_us_timeofday 982 (krb5_int32 *, 983 krb5_int32 *); 984 985 #ifndef _KERNEL 986 /* Solaris kerberos: for convenience */ 987 time_t krb5int_gmt_mktime (struct tm *); 988 #endif /* ! _KERNEL */ 989 990 /* #endif KRB5_OLD_CRYPTO */ 991 992 /* this helper fct is in libkrb5, but it makes sense declared here. */ 993 994 krb5_error_code krb5_encrypt_helper 995 (krb5_context context, const krb5_keyblock *key, 996 krb5_keyusage keyusage, const krb5_data *plain, 997 krb5_enc_data *cipher); 998 999 /* 1000 * End "los-proto.h" 1001 */ 1002 1003 /* 1004 * Begin "libos.h" 1005 */ 1006 #ifndef KRB5_LIBOS__ 1007 #define KRB5_LIBOS__ 1008 1009 typedef struct _krb5_os_context { 1010 krb5_magic magic; 1011 krb5_int32 time_offset; 1012 krb5_int32 usec_offset; 1013 krb5_int32 os_flags; 1014 char * default_ccname; 1015 } *krb5_os_context; 1016 1017 /* 1018 * Flags for the os_flags field 1019 * 1020 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid. 1021 * The intention is that this facility to correct the system clocks so 1022 * that they reflect the "real" time, for systems where for some 1023 * reason we can't set the system clock. Instead we calculate the 1024 * offset between the system time and real time, and store the offset 1025 * in the os context so that we can correct the system clock as necessary. 1026 * 1027 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be 1028 * returned as the time by the krb5 time routines. This should only 1029 * be used for testing purposes (obviously!) 1030 */ 1031 #define KRB5_OS_TOFFSET_VALID 1 1032 #define KRB5_OS_TOFFSET_TIME 2 1033 1034 /* lock mode flags */ 1035 #define KRB5_LOCKMODE_SHARED 0x0001 1036 #define KRB5_LOCKMODE_EXCLUSIVE 0x0002 1037 #define KRB5_LOCKMODE_DONTBLOCK 0x0004 1038 #define KRB5_LOCKMODE_UNLOCK 0x0008 1039 1040 #endif /* KRB5_LIBOS__ */ 1041 /* 1042 * End "libos.h" 1043 */ 1044 1045 /* 1046 * Define our view of the size of a DES key. 1047 */ 1048 #define KRB5_MIT_DES_KEYSIZE 8 1049 /* 1050 * Define a couple of SHA1 constants 1051 */ 1052 #define SHS_DATASIZE 64 1053 #define SHS_DIGESTSIZE 20 1054 1055 /* 1056 * Check if des_int.h has been included before us. If so, then check to see 1057 * that our view of the DES key size is the same as des_int.h's. 1058 */ 1059 #ifdef MIT_DES_KEYSIZE 1060 #if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE 1061 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE) 1062 #endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */ 1063 #endif /* MIT_DES_KEYSIZE */ 1064 1065 #ifndef _KERNEL 1066 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are 1067 * defined. 1068 */ 1069 #define PROVIDE_DES3_CBC_SHA 1 1070 #define PROVIDE_NIST_SHA 1 1071 1072 #endif /* !_KERNEL */ 1073 1074 /* 1075 * Begin "preauth.h" 1076 * 1077 * (Originally written by Glen Machin at Sandia Labs.) 1078 */ 1079 /* 1080 * Sandia National Laboratories also makes no representations about the 1081 * suitability of the modifications, or additions to this software for 1082 * any purpose. It is provided "as is" without express or implied warranty. 1083 * 1084 */ 1085 #ifndef KRB5_PREAUTH__ 1086 #define KRB5_PREAUTH__ 1087 1088 #include <preauth_plugin.h> 1089 1090 #define CLIENT_ROCK_MAGIC 0x4352434b 1091 /* This structure is passed into the client preauth functions and passed 1092 * back to the "get_data_proc" function so that it can locate the 1093 * requested information. It is opaque to the plugin code and can be 1094 * expanded in the future as new types of requests are defined which 1095 * may require other things to be passed through. */ 1096 typedef struct _krb5_preauth_client_rock { 1097 krb5_magic magic; 1098 krb5_kdc_rep *as_reply; 1099 } krb5_preauth_client_rock; 1100 1101 /* This structure lets us keep track of all of the modules which are loaded, 1102 * turning the list of modules and their lists of implemented preauth types 1103 * into a single list which we can walk easily. */ 1104 typedef struct _krb5_preauth_context { 1105 int n_modules; 1106 struct _krb5_preauth_context_module { 1107 /* Which of the possibly more than one preauth types which the 1108 * module supports we're using at this point in the list. */ 1109 krb5_preauthtype pa_type; 1110 /* Encryption types which the client claims to support -- we 1111 * copy them directly into the krb5_kdc_req structure during 1112 * krb5_preauth_prepare_request(). */ 1113 krb5_enctype *enctypes; 1114 /* The plugin's per-plugin context and a function to clear it. */ 1115 void *plugin_context; 1116 preauth_client_plugin_fini_proc client_fini; 1117 /* The module's table, and some of its members, copied here for 1118 * convenience when we populated the list. */ 1119 struct krb5plugin_preauth_client_ftable_v1 *ftable; 1120 const char *name; 1121 int flags, use_count; 1122 preauth_client_process_proc client_process; 1123 preauth_client_tryagain_proc client_tryagain; 1124 preauth_client_supply_gic_opts_proc client_supply_gic_opts; 1125 preauth_client_request_init_proc client_req_init; 1126 preauth_client_request_fini_proc client_req_fini; 1127 /* The per-request context which the client_req_init() function 1128 * might allocate, which we'll need to clean up later by 1129 * calling the client_req_fini() function. */ 1130 void *request_context; 1131 /* A pointer to the request_context pointer. All modules within 1132 * a plugin will point at the request_context of the first 1133 * module within the plugin. */ 1134 void **request_context_pp; 1135 } *modules; 1136 } krb5_preauth_context; 1137 1138 typedef struct _krb5_pa_enc_ts { 1139 krb5_timestamp patimestamp; 1140 krb5_int32 pausec; 1141 } krb5_pa_enc_ts; 1142 1143 typedef krb5_error_code (*krb5_preauth_obtain_proc) 1144 (krb5_context, 1145 krb5_pa_data *, 1146 krb5_etype_info, 1147 krb5_keyblock *, 1148 krb5_error_code ( * )(krb5_context, 1149 const krb5_enctype, 1150 krb5_data *, 1151 krb5_const_pointer, 1152 krb5_keyblock **), 1153 krb5_const_pointer, 1154 krb5_creds *, 1155 krb5_kdc_req *, 1156 krb5_pa_data **); 1157 1158 typedef krb5_error_code (*krb5_preauth_process_proc) 1159 (krb5_context, 1160 krb5_pa_data *, 1161 krb5_kdc_req *, 1162 krb5_kdc_rep *, 1163 krb5_error_code ( * )(krb5_context, 1164 const krb5_enctype, 1165 krb5_data *, 1166 krb5_const_pointer, 1167 krb5_keyblock **), 1168 krb5_const_pointer, 1169 krb5_error_code ( * )(krb5_context, 1170 const krb5_keyblock *, 1171 krb5_const_pointer, 1172 krb5_kdc_rep * ), 1173 krb5_keyblock **, 1174 krb5_creds *, 1175 krb5_int32 *, 1176 krb5_int32 *); 1177 1178 typedef struct _krb5_preauth_ops { 1179 krb5_magic magic; 1180 int type; 1181 int flags; 1182 krb5_preauth_obtain_proc obtain; 1183 krb5_preauth_process_proc process; 1184 } krb5_preauth_ops; 1185 1186 1187 krb5_error_code krb5_obtain_padata 1188 (krb5_context, 1189 krb5_pa_data **, 1190 krb5_error_code ( * )(krb5_context, 1191 const krb5_enctype, 1192 krb5_data *, 1193 krb5_const_pointer, 1194 krb5_keyblock **), 1195 krb5_const_pointer, 1196 krb5_creds *, 1197 krb5_kdc_req *); 1198 1199 krb5_error_code krb5_process_padata 1200 (krb5_context, 1201 krb5_kdc_req *, 1202 krb5_kdc_rep *, 1203 krb5_error_code ( * )(krb5_context, 1204 const krb5_enctype, 1205 krb5_data *, 1206 krb5_const_pointer, 1207 krb5_keyblock **), 1208 krb5_const_pointer, 1209 krb5_error_code ( * )(krb5_context, 1210 const krb5_keyblock *, 1211 krb5_const_pointer, 1212 krb5_kdc_rep * ), 1213 krb5_keyblock **, 1214 krb5_creds *, 1215 krb5_int32 *); 1216 1217 void krb5_free_etype_info (krb5_context, krb5_etype_info); 1218 1219 /* 1220 * Preauthentication property flags 1221 */ 1222 #define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001 1223 #define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002 1224 1225 #endif /* KRB5_PREAUTH__ */ 1226 /* 1227 * End "preauth.h" 1228 */ 1229 1230 /* 1231 * Extending the krb5_get_init_creds_opt structure. The original 1232 * krb5_get_init_creds_opt structure is defined publicly. The 1233 * new extended version is private. The original interface 1234 * assumed a pre-allocated structure which was passed to 1235 * krb5_get_init_creds_init(). The new interface assumes that 1236 * the caller will call krb5_get_init_creds_alloc() and 1237 * krb5_get_init_creds_free(). 1238 * 1239 * Callers MUST NOT call krb5_get_init_creds_init() after allocating an 1240 * opts structure using krb5_get_init_creds_alloc(). To do so will 1241 * introduce memory leaks. Unfortunately, there is no way to enforce 1242 * this behavior. 1243 * 1244 * Two private flags are added for backward compatibility. 1245 * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated 1246 * with the new krb5_get_init_creds_opt_alloc() function. 1247 * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended 1248 * structure is a shadow copy of an original krb5_get_init_creds_opt 1249 * structure. 1250 * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to 1251 * krb5int_gic_opt_to_opte(), the resulting extended structure should be 1252 * freed (using krb5_get_init_creds_free). Otherwise, the original 1253 * structure was already extended and there is no need to free it. 1254 */ 1255 1256 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000 1257 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000 1258 1259 #define krb5_gic_opt_is_extended(s) \ 1260 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0) 1261 #define krb5_gic_opt_is_shadowed(s) \ 1262 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0) 1263 1264 1265 typedef struct _krb5_gic_opt_private { 1266 int num_preauth_data; 1267 krb5_gic_opt_pa_data *preauth_data; 1268 } krb5_gic_opt_private; 1269 1270 typedef struct _krb5_gic_opt_ext { 1271 krb5_flags flags; 1272 krb5_deltat tkt_life; 1273 krb5_deltat renew_life; 1274 int forwardable; 1275 int proxiable; 1276 krb5_enctype *etype_list; 1277 int etype_list_length; 1278 krb5_address **address_list; 1279 krb5_preauthtype *preauth_list; 1280 int preauth_list_length; 1281 krb5_data *salt; 1282 /* 1283 * Do not change anything above this point in this structure. 1284 * It is identical to the public krb5_get_init_creds_opt structure. 1285 * New members must be added below. 1286 */ 1287 krb5_gic_opt_private *opt_private; 1288 } krb5_gic_opt_ext; 1289 1290 krb5_error_code 1291 krb5int_gic_opt_to_opte(krb5_context context, 1292 krb5_get_init_creds_opt *opt, 1293 krb5_gic_opt_ext **opte, 1294 unsigned int force, 1295 const char *where); 1296 1297 krb5_error_code 1298 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *); 1299 1300 #ifndef _KERNEL /* needed for lib/krb5/krb/ */ 1301 typedef krb5_error_code (*krb5_gic_get_as_key_fct) 1302 (krb5_context, 1303 krb5_principal, 1304 krb5_enctype, 1305 krb5_prompter_fct, 1306 void *prompter_data, 1307 krb5_data *salt, 1308 krb5_data *s2kparams, 1309 krb5_keyblock *as_key, 1310 void *gak_data); 1311 1312 krb5_error_code KRB5_CALLCONV 1313 krb5_get_init_creds 1314 (krb5_context context, 1315 krb5_creds *creds, 1316 krb5_principal client, 1317 krb5_prompter_fct prompter, 1318 void *prompter_data, 1319 krb5_deltat start_time, 1320 char *in_tkt_service, 1321 krb5_gic_opt_ext *gic_options, 1322 krb5_gic_get_as_key_fct gak, 1323 void *gak_data, 1324 int *master, 1325 krb5_kdc_rep **as_reply); 1326 1327 krb5_error_code krb5int_populate_gic_opt ( 1328 krb5_context, krb5_gic_opt_ext **, 1329 krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes, 1330 krb5_preauthtype *pre_auth_types, krb5_creds *creds); 1331 1332 1333 krb5_error_code KRB5_CALLCONV krb5_do_preauth 1334 (krb5_context context, 1335 krb5_kdc_req *request, 1336 krb5_data *encoded_request_body, 1337 krb5_data *encoded_previous_request, 1338 krb5_pa_data **in_padata, krb5_pa_data ***out_padata, 1339 krb5_data *salt, krb5_data *s2kparams, 1340 krb5_enctype *etype, krb5_keyblock *as_key, 1341 krb5_prompter_fct prompter, void *prompter_data, 1342 krb5_gic_get_as_key_fct gak_fct, void *gak_data, 1343 krb5_preauth_client_rock *get_data_rock, 1344 krb5_gic_opt_ext *opte); 1345 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain 1346 (krb5_context context, 1347 krb5_kdc_req *request, 1348 krb5_data *encoded_request_body, 1349 krb5_data *encoded_previous_request, 1350 krb5_pa_data **in_padata, krb5_pa_data ***out_padata, 1351 krb5_error *err_reply, 1352 krb5_data *salt, krb5_data *s2kparams, 1353 krb5_enctype *etype, krb5_keyblock *as_key, 1354 krb5_prompter_fct prompter, void *prompter_data, 1355 krb5_gic_get_as_key_fct gak_fct, void *gak_data, 1356 krb5_preauth_client_rock *get_data_rock, 1357 krb5_gic_opt_ext *opte); 1358 void KRB5_CALLCONV krb5_init_preauth_context 1359 (krb5_context); 1360 void KRB5_CALLCONV krb5_free_preauth_context 1361 (krb5_context); 1362 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts 1363 (krb5_context); 1364 void KRB5_CALLCONV krb5_preauth_prepare_request 1365 (krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *); 1366 void KRB5_CALLCONV krb5_preauth_request_context_init 1367 (krb5_context); 1368 void KRB5_CALLCONV krb5_preauth_request_context_fini 1369 (krb5_context); 1370 1371 #endif /* _KERNEL */ 1372 void KRB5_CALLCONV krb5_free_sam_challenge 1373 (krb5_context, krb5_sam_challenge * ); 1374 void KRB5_CALLCONV krb5_free_sam_challenge_2 1375 (krb5_context, krb5_sam_challenge_2 * ); 1376 void KRB5_CALLCONV krb5_free_sam_challenge_2_body 1377 (krb5_context, krb5_sam_challenge_2_body *); 1378 void KRB5_CALLCONV krb5_free_sam_response 1379 (krb5_context, krb5_sam_response * ); 1380 void KRB5_CALLCONV krb5_free_sam_response_2 1381 (krb5_context, krb5_sam_response_2 * ); 1382 void KRB5_CALLCONV krb5_free_predicted_sam_response 1383 (krb5_context, krb5_predicted_sam_response * ); 1384 void KRB5_CALLCONV krb5_free_enc_sam_response_enc 1385 (krb5_context, krb5_enc_sam_response_enc * ); 1386 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2 1387 (krb5_context, krb5_enc_sam_response_enc_2 * ); 1388 void KRB5_CALLCONV krb5_free_sam_challenge_contents 1389 (krb5_context, krb5_sam_challenge * ); 1390 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents 1391 (krb5_context, krb5_sam_challenge_2 * ); 1392 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents 1393 (krb5_context, krb5_sam_challenge_2_body * ); 1394 void KRB5_CALLCONV krb5_free_sam_response_contents 1395 (krb5_context, krb5_sam_response * ); 1396 void KRB5_CALLCONV krb5_free_sam_response_2_contents 1397 (krb5_context, krb5_sam_response_2 *); 1398 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents 1399 (krb5_context, krb5_predicted_sam_response * ); 1400 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents 1401 (krb5_context, krb5_enc_sam_response_enc * ); 1402 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents 1403 (krb5_context, krb5_enc_sam_response_enc_2 * ); 1404 1405 void KRB5_CALLCONV krb5_free_pa_enc_ts 1406 (krb5_context, krb5_pa_enc_ts *); 1407 1408 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ 1409 #ifndef _KERNEL 1410 #include "com_err.h" 1411 #include <krb5/k5-plugin.h> 1412 #endif /* _KERNEL */ 1413 1414 /* 1415 * Solaris Kerberos: moved from sendto_kdc.c so other code can reference 1416 */ 1417 #define DEFAULT_UDP_PREF_LIMIT 1465 1418 1419 #ifndef _KERNEL 1420 #include "profile.h" 1421 #include <strings.h> 1422 #endif /* _KERNEL */ 1423 1424 #define KEY_CHANGED(k1, k2) \ 1425 (k1 == NULL || \ 1426 k1 != k2 || \ 1427 k1->enctype != k2->enctype || \ 1428 k1->length != k2->length || \ 1429 bcmp(k1->contents, k2->contents, k1->length)) 1430 1431 #ifndef _KERNEL 1432 typedef struct _arcfour_ctx { 1433 CK_SESSION_HANDLE eSession; /* encrypt session handle */ 1434 CK_SESSION_HANDLE dSession; /* decrypt session handle */ 1435 CK_OBJECT_HANDLE eKey; /* encrypt key object */ 1436 CK_OBJECT_HANDLE dKey; /* decrype key object */ 1437 uchar_t initialized; 1438 }arcfour_ctx_rec; 1439 1440 #endif /* !_KERNEL */ 1441 1442 struct _krb5_context { 1443 krb5_magic magic; 1444 krb5_enctype *in_tkt_ktypes; 1445 unsigned int in_tkt_ktype_count; 1446 krb5_enctype *tgs_ktypes; 1447 unsigned int tgs_ktype_count; 1448 /* This used to be a void*, but since we always allocate them 1449 together (though in different source files), and the types 1450 are declared in the same header, might as well just combine 1451 them. 1452 1453 The array[1] is so the existing code treating the field as 1454 a pointer will still work. For cleanliness, it should 1455 eventually get changed to a single element instead of an 1456 array. */ 1457 struct _krb5_os_context os_context[1]; 1458 char *default_realm; 1459 int ser_ctx_count; 1460 krb5_boolean profile_secure; 1461 void *ser_ctx; 1462 #ifndef _KERNEL 1463 profile_t profile; 1464 void *db_context; 1465 void *kdblog_context; 1466 /* allowable clock skew */ 1467 krb5_deltat clockskew; 1468 krb5_cksumtype kdc_req_sumtype; 1469 krb5_cksumtype default_ap_req_sumtype; 1470 krb5_cksumtype default_safe_sumtype; 1471 krb5_flags kdc_default_options; 1472 krb5_flags library_options; 1473 int fcc_default_format; 1474 int scc_default_format; 1475 krb5_prompt_type *prompt_types; 1476 /* Message size above which we'll try TCP first in send-to-kdc 1477 type code. Aside from the 2**16 size limit, we put no 1478 absolute limit on the UDP packet size. */ 1479 int udp_pref_limit; 1480 1481 /* This is the tgs_ktypes list as read from the profile, or 1482 set to compiled-in defaults. The application code cannot 1483 override it. This is used for session keys for 1484 intermediate ticket-granting tickets used to acquire the 1485 requested ticket (the session key of which may be 1486 constrained by tgs_ktypes above). */ 1487 krb5_enctype *conf_tgs_ktypes; 1488 int conf_tgs_ktypes_count; 1489 1490 /* Use the _configured version? */ 1491 krb5_boolean use_conf_ktypes; 1492 1493 #ifdef KRB5_DNS_LOOKUP 1494 krb5_boolean profile_in_memory; 1495 #endif /* KRB5_DNS_LOOKUP */ 1496 1497 /* locate_kdc module stuff */ 1498 struct plugin_dir_handle libkrb5_plugins; 1499 struct krb5plugin_service_locate_ftable *vtbl; 1500 void (**locate_fptrs)(void); 1501 1502 pid_t pid; /* fork safety: PID of process that did last PKCS11 init */ 1503 1504 /* Solaris Kerberos: handles for PKCS#11 crypto */ 1505 /* 1506 * Warning, do not access hSession directly as this is not fork() safe. 1507 * Instead use the krb_ctx_hSession() macro below. 1508 */ 1509 CK_SESSION_HANDLE hSession; 1510 int cryptoki_initialized; 1511 1512 /* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */ 1513 arcfour_ctx_rec arcfour_ctx; 1514 1515 /* preauth module stuff */ 1516 struct plugin_dir_handle preauth_plugins; 1517 krb5_preauth_context *preauth_context; 1518 1519 /* error detail info */ 1520 struct errinfo err; 1521 #else /* ! KERNEL */ 1522 crypto_mech_type_t kef_cipher_mt; 1523 crypto_mech_type_t kef_hash_mt; 1524 crypto_mech_type_t kef_cksum_mt; 1525 #endif /* ! KERNEL */ 1526 }; 1527 1528 #ifndef _KERNEL 1529 extern pid_t __krb5_current_pid; 1530 1531 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context); 1532 1533 /* 1534 * fork safety: barring the ef_init code, every other function must use the 1535 * krb_ctx_hSession() macro to access the hSession field in a krb context. 1536 * Note, if the pid of the krb ctx == the current global pid then it is safe to 1537 * use the ctx hSession otherwise it needs to be re-inited before it is returned 1538 * to the caller. 1539 */ 1540 #define krb_ctx_hSession(ctx) \ 1541 ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx)) 1542 #endif 1543 1544 #define MD5_CKSUM_LENGTH 16 1545 #define RSA_MD5_CKSUM_LENGTH 16 1546 #define MD5_BLOCKSIZE 64 1547 1548 1549 /* 1550 * Solaris Kerberos: 1551 * This next section of prototypes and constants 1552 * are all unique to the Solaris Kerberos implementation. 1553 * Because Solaris uses the native encryption framework 1554 * to provide crypto support, the following routines 1555 * are needed to support this system. 1556 */ 1557 1558 /* 1559 * Begin Solaris Crypto Prototypes 1560 */ 1561 1562 /* 1563 * define constants that are used for creating the constant 1564 * which is used to make derived keys. 1565 */ 1566 #define DK_ENCR_KEY_BYTE 0xAA 1567 #define DK_HASH_KEY_BYTE 0x55 1568 #define DK_CKSUM_KEY_BYTE 0x99 1569 1570 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *, 1571 krb5_keyblock *, krb5_keyusage, 1572 krb5_keyblock **, krb5_keyblock **); 1573 1574 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t, 1575 krb5_keyblock *); 1576 1577 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *); 1578 krb5_keyblock *krb5_create_derived_keyblock(int); 1579 1580 #ifdef _KERNEL 1581 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *); 1582 1583 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *, 1584 const krb5_data *, krb5_data *); 1585 1586 void make_kef_key(krb5_keyblock *); 1587 int init_key_kef(crypto_mech_type_t, krb5_keyblock *); 1588 int update_key_template(krb5_keyblock *); 1589 void setup_kef_keytypes(); 1590 void setup_kef_cksumtypes(); 1591 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *); 1592 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *); 1593 1594 #else 1595 /* 1596 * This structure is used to map Kerberos supported OID's, 1597 * to PKCS11 mechanisms 1598 */ 1599 #define USE_ENCR 0x01 1600 #define USE_HASH 0x02 1601 1602 typedef struct krb5_mech_2_pkcs { 1603 uchar_t flags; 1604 CK_MECHANISM_TYPE enc_algo; 1605 CK_MECHANISM_TYPE hash_algo; 1606 CK_MECHANISM_TYPE str2key_algo; 1607 } KRB5_MECH_TO_PKCS; 1608 1609 #define ENC_DEFINED(x) (((x).flags & USE_ENCR)) 1610 #define HASH_DEFINED(x) (((x).flags & USE_HASH)) 1611 1612 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos); 1613 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType); 1614 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid); 1615 1616 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *); 1617 1618 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *, 1619 unsigned int, const krb5_data *, krb5_data *); 1620 1621 krb5_error_code k5_ef_mac(krb5_context context, 1622 krb5_keyblock *key, krb5_data *ivec, 1623 krb5_const krb5_data *input, krb5_data *output); 1624 1625 #endif /* !_KERNEL */ 1626 1627 krb5_error_code 1628 derive_3des_keys(krb5_context, struct krb5_enc_provider *, 1629 krb5_keyblock *, krb5_keyusage, 1630 krb5_keyblock *, krb5_keyblock *); 1631 1632 /* 1633 * End Solaris Crypto Prototypes 1634 */ 1635 1636 #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001 1637 1638 /* internal message representations */ 1639 1640 typedef struct _krb5_safe { 1641 krb5_magic magic; 1642 krb5_data user_data; /* user data */ 1643 krb5_timestamp timestamp; /* client time, optional */ 1644 krb5_int32 usec; /* microsecond portion of time, 1645 optional */ 1646 krb5_ui_4 seq_number; /* sequence #, optional */ 1647 krb5_address *s_address; /* sender address */ 1648 krb5_address *r_address; /* recipient address, optional */ 1649 krb5_checksum *checksum; /* data integrity checksum */ 1650 } krb5_safe; 1651 1652 typedef struct _krb5_priv { 1653 krb5_magic magic; 1654 krb5_enc_data enc_part; /* encrypted part */ 1655 } krb5_priv; 1656 1657 typedef struct _krb5_priv_enc_part { 1658 krb5_magic magic; 1659 krb5_data user_data; /* user data */ 1660 krb5_timestamp timestamp; /* client time, optional */ 1661 krb5_int32 usec; /* microsecond portion of time, opt. */ 1662 krb5_ui_4 seq_number; /* sequence #, optional */ 1663 krb5_address *s_address; /* sender address */ 1664 krb5_address *r_address; /* recipient address, optional */ 1665 } krb5_priv_enc_part; 1666 1667 void KRB5_CALLCONV krb5_free_safe 1668 (krb5_context, krb5_safe * ); 1669 void KRB5_CALLCONV krb5_free_priv 1670 (krb5_context, krb5_priv * ); 1671 void KRB5_CALLCONV krb5_free_priv_enc_part 1672 (krb5_context, krb5_priv_enc_part * ); 1673 1674 /* 1675 * Begin "asn1.h" 1676 */ 1677 #ifndef KRB5_ASN1__ 1678 #define KRB5_ASN1__ 1679 1680 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */ 1681 /* here we use some knowledge of ASN.1 encodings */ 1682 /* 1683 Ticket is APPLICATION 1. 1684 Authenticator is APPLICATION 2. 1685 AS_REQ is APPLICATION 10. 1686 AS_REP is APPLICATION 11. 1687 TGS_REQ is APPLICATION 12. 1688 TGS_REP is APPLICATION 13. 1689 AP_REQ is APPLICATION 14. 1690 AP_REP is APPLICATION 15. 1691 KRB_SAFE is APPLICATION 20. 1692 KRB_PRIV is APPLICATION 21. 1693 KRB_CRED is APPLICATION 22. 1694 EncASRepPart is APPLICATION 25. 1695 EncTGSRepPart is APPLICATION 26. 1696 EncAPRepPart is APPLICATION 27. 1697 EncKrbPrivPart is APPLICATION 28. 1698 EncKrbCredPart is APPLICATION 29. 1699 KRB_ERROR is APPLICATION 30. 1700 */ 1701 /* allow either constructed or primitive encoding, so check for bit 6 1702 set or reset */ 1703 #define krb5_is_krb_ticket(dat)\ 1704 ((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\ 1705 (dat)->data[0] == 0x41)) 1706 #define krb5_is_krb_authenticator(dat)\ 1707 ((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\ 1708 (dat)->data[0] == 0x42)) 1709 #define krb5_is_as_req(dat)\ 1710 ((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\ 1711 (dat)->data[0] == 0x4a)) 1712 #define krb5_is_as_rep(dat)\ 1713 ((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\ 1714 (dat)->data[0] == 0x4b)) 1715 #define krb5_is_tgs_req(dat)\ 1716 ((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\ 1717 (dat)->data[0] == 0x4c)) 1718 #define krb5_is_tgs_rep(dat)\ 1719 ((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\ 1720 (dat)->data[0] == 0x4d)) 1721 #define krb5_is_ap_req(dat)\ 1722 ((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\ 1723 (dat)->data[0] == 0x4e)) 1724 #define krb5_is_ap_rep(dat)\ 1725 ((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\ 1726 (dat)->data[0] == 0x4f)) 1727 #define krb5_is_krb_safe(dat)\ 1728 ((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\ 1729 (dat)->data[0] == 0x54)) 1730 #define krb5_is_krb_priv(dat)\ 1731 ((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\ 1732 (dat)->data[0] == 0x55)) 1733 #define krb5_is_krb_cred(dat)\ 1734 ((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\ 1735 (dat)->data[0] == 0x56)) 1736 #define krb5_is_krb_enc_as_rep_part(dat)\ 1737 ((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\ 1738 (dat)->data[0] == 0x59)) 1739 #define krb5_is_krb_enc_tgs_rep_part(dat)\ 1740 ((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\ 1741 (dat)->data[0] == 0x5a)) 1742 #define krb5_is_krb_enc_ap_rep_part(dat)\ 1743 ((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\ 1744 (dat)->data[0] == 0x5b)) 1745 #define krb5_is_krb_enc_krb_priv_part(dat)\ 1746 ((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\ 1747 (dat)->data[0] == 0x5c)) 1748 #define krb5_is_krb_enc_krb_cred_part(dat)\ 1749 ((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\ 1750 (dat)->data[0] == 0x5d)) 1751 #define krb5_is_krb_error(dat)\ 1752 ((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\ 1753 (dat)->data[0] == 0x5e)) 1754 1755 /************************************************************************* 1756 * Prototypes for krb5_encode.c 1757 *************************************************************************/ 1758 1759 /* 1760 krb5_error_code encode_krb5_structure(const krb5_structure *rep, 1761 krb5_data **code); 1762 modifies *code 1763 effects Returns the ASN.1 encoding of *rep in **code. 1764 Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep. 1765 Returns ENOMEM if memory runs out. 1766 */ 1767 1768 krb5_error_code encode_krb5_authenticator 1769 (const krb5_authenticator *rep, krb5_data **code); 1770 1771 krb5_error_code encode_krb5_ticket 1772 (const krb5_ticket *rep, krb5_data **code); 1773 1774 krb5_error_code encode_krb5_encryption_key 1775 (const krb5_keyblock *rep, krb5_data **code); 1776 1777 krb5_error_code encode_krb5_enc_tkt_part 1778 (const krb5_enc_tkt_part *rep, krb5_data **code); 1779 1780 krb5_error_code encode_krb5_enc_kdc_rep_part 1781 (const krb5_enc_kdc_rep_part *rep, krb5_data **code); 1782 1783 /* yes, the translation is identical to that used for KDC__REP */ 1784 krb5_error_code encode_krb5_as_rep 1785 (const krb5_kdc_rep *rep, krb5_data **code); 1786 1787 /* yes, the translation is identical to that used for KDC__REP */ 1788 krb5_error_code encode_krb5_tgs_rep 1789 (const krb5_kdc_rep *rep, krb5_data **code); 1790 1791 krb5_error_code encode_krb5_ap_req 1792 (const krb5_ap_req *rep, krb5_data **code); 1793 1794 krb5_error_code encode_krb5_ap_rep 1795 (const krb5_ap_rep *rep, krb5_data **code); 1796 1797 krb5_error_code encode_krb5_ap_rep_enc_part 1798 (const krb5_ap_rep_enc_part *rep, krb5_data **code); 1799 1800 krb5_error_code encode_krb5_as_req 1801 (const krb5_kdc_req *rep, krb5_data **code); 1802 1803 krb5_error_code encode_krb5_tgs_req 1804 (const krb5_kdc_req *rep, krb5_data **code); 1805 1806 krb5_error_code encode_krb5_kdc_req_body 1807 (const krb5_kdc_req *rep, krb5_data **code); 1808 1809 krb5_error_code encode_krb5_safe 1810 (const krb5_safe *rep, krb5_data **code); 1811 1812 krb5_error_code encode_krb5_safe_with_body 1813 (const krb5_safe *rep, const krb5_data *body, krb5_data **code); 1814 1815 krb5_error_code encode_krb5_priv 1816 (const krb5_priv *rep, krb5_data **code); 1817 1818 krb5_error_code encode_krb5_enc_priv_part 1819 (const krb5_priv_enc_part *rep, krb5_data **code); 1820 1821 krb5_error_code encode_krb5_cred 1822 (const krb5_cred *rep, krb5_data **code); 1823 1824 krb5_error_code encode_krb5_enc_cred_part 1825 (const krb5_cred_enc_part *rep, krb5_data **code); 1826 1827 krb5_error_code encode_krb5_error 1828 (const krb5_error *rep, krb5_data **code); 1829 1830 krb5_error_code encode_krb5_authdata 1831 (const krb5_authdata **rep, krb5_data **code); 1832 1833 krb5_error_code encode_krb5_authdata_elt 1834 (const krb5_authdata *rep, krb5_data **code); 1835 1836 krb5_error_code encode_krb5_pwd_sequence 1837 (const passwd_phrase_element *rep, krb5_data **code); 1838 1839 krb5_error_code encode_krb5_pwd_data 1840 (const krb5_pwd_data *rep, krb5_data **code); 1841 1842 krb5_error_code encode_krb5_padata_sequence 1843 (const krb5_pa_data ** rep, krb5_data **code); 1844 1845 krb5_error_code encode_krb5_alt_method 1846 (const krb5_alt_method *, krb5_data **code); 1847 1848 krb5_error_code encode_krb5_etype_info 1849 (const krb5_etype_info_entry **, krb5_data **code); 1850 krb5_error_code encode_krb5_etype_info2 1851 (const krb5_etype_info_entry **, krb5_data **code); 1852 1853 krb5_error_code encode_krb5_enc_data 1854 (const krb5_enc_data *, krb5_data **); 1855 1856 krb5_error_code encode_krb5_pa_enc_ts 1857 (const krb5_pa_enc_ts *, krb5_data **); 1858 1859 krb5_error_code encode_krb5_sam_challenge 1860 (const krb5_sam_challenge * , krb5_data **); 1861 1862 krb5_error_code encode_krb5_sam_key 1863 (const krb5_sam_key * , krb5_data **); 1864 1865 krb5_error_code encode_krb5_enc_sam_response_enc 1866 (const krb5_enc_sam_response_enc * , krb5_data **); 1867 1868 krb5_error_code encode_krb5_sam_response 1869 (const krb5_sam_response * , krb5_data **); 1870 1871 krb5_error_code encode_krb5_sam_challenge_2 1872 (const krb5_sam_challenge_2 * , krb5_data **); 1873 1874 krb5_error_code encode_krb5_sam_challenge_2_body 1875 (const krb5_sam_challenge_2_body * , krb5_data **); 1876 1877 krb5_error_code encode_krb5_enc_sam_response_enc_2 1878 (const krb5_enc_sam_response_enc_2 * , krb5_data **); 1879 1880 krb5_error_code encode_krb5_sam_response_2 1881 (const krb5_sam_response_2 * , krb5_data **); 1882 1883 krb5_error_code encode_krb5_predicted_sam_response 1884 (const krb5_predicted_sam_response * , krb5_data **); 1885 1886 krb5_error_code encode_krb5_setpw_req 1887 (const krb5_principal target, char *password, krb5_data **code); 1888 1889 /************************************************************************* 1890 * End of prototypes for krb5_encode.c 1891 *************************************************************************/ 1892 1893 krb5_error_code decode_krb5_sam_challenge 1894 (const krb5_data *, krb5_sam_challenge **); 1895 1896 krb5_error_code decode_krb5_enc_sam_key 1897 (const krb5_data *, krb5_sam_key **); 1898 1899 krb5_error_code decode_krb5_enc_sam_response_enc 1900 (const krb5_data *, krb5_enc_sam_response_enc **); 1901 1902 krb5_error_code decode_krb5_sam_response 1903 (const krb5_data *, krb5_sam_response **); 1904 1905 krb5_error_code decode_krb5_predicted_sam_response 1906 (const krb5_data *, krb5_predicted_sam_response **); 1907 1908 krb5_error_code decode_krb5_sam_challenge_2 1909 (const krb5_data *, krb5_sam_challenge_2 **); 1910 1911 krb5_error_code decode_krb5_sam_challenge_2_body 1912 (const krb5_data *, krb5_sam_challenge_2_body **); 1913 1914 krb5_error_code decode_krb5_enc_sam_response_enc_2 1915 (const krb5_data *, krb5_enc_sam_response_enc_2 **); 1916 1917 krb5_error_code decode_krb5_sam_response_2 1918 (const krb5_data *, krb5_sam_response_2 **); 1919 1920 1921 /************************************************************************* 1922 * Prototypes for krb5_decode.c 1923 *************************************************************************/ 1924 1925 krb5_error_code krb5_validate_times 1926 (krb5_context, 1927 krb5_ticket_times *); 1928 1929 /* 1930 krb5_error_code decode_krb5_structure(const krb5_data *code, 1931 krb5_structure **rep); 1932 1933 requires Expects **rep to not have been allocated; 1934 a new *rep is allocated regardless of the old value. 1935 effects Decodes *code into **rep. 1936 Returns ENOMEM if memory is exhausted. 1937 Returns asn1 and krb5 errors. 1938 */ 1939 1940 krb5_error_code decode_krb5_authenticator 1941 (const krb5_data *code, krb5_authenticator **rep); 1942 1943 krb5_error_code decode_krb5_ticket 1944 (const krb5_data *code, krb5_ticket **rep); 1945 1946 krb5_error_code decode_krb5_encryption_key 1947 (const krb5_data *output, krb5_keyblock **rep); 1948 1949 krb5_error_code decode_krb5_enc_tkt_part 1950 (const krb5_data *output, krb5_enc_tkt_part **rep); 1951 1952 krb5_error_code decode_krb5_enc_kdc_rep_part 1953 (const krb5_data *output, krb5_enc_kdc_rep_part **rep); 1954 1955 krb5_error_code decode_krb5_as_rep 1956 (const krb5_data *output, krb5_kdc_rep **rep); 1957 1958 krb5_error_code decode_krb5_tgs_rep 1959 (const krb5_data *output, krb5_kdc_rep **rep); 1960 1961 krb5_error_code decode_krb5_ap_req 1962 (const krb5_data *output, krb5_ap_req **rep); 1963 1964 krb5_error_code decode_krb5_ap_rep 1965 (const krb5_data *output, krb5_ap_rep **rep); 1966 1967 krb5_error_code decode_krb5_ap_rep_enc_part 1968 (const krb5_data *output, krb5_ap_rep_enc_part **rep); 1969 1970 krb5_error_code decode_krb5_as_req 1971 (const krb5_data *output, krb5_kdc_req **rep); 1972 1973 krb5_error_code decode_krb5_tgs_req 1974 (const krb5_data *output, krb5_kdc_req **rep); 1975 1976 krb5_error_code decode_krb5_kdc_req_body 1977 (const krb5_data *output, krb5_kdc_req **rep); 1978 1979 krb5_error_code decode_krb5_safe 1980 (const krb5_data *output, krb5_safe **rep); 1981 1982 krb5_error_code decode_krb5_safe_with_body 1983 (const krb5_data *output, krb5_safe **rep, krb5_data *body); 1984 1985 krb5_error_code decode_krb5_priv 1986 (const krb5_data *output, krb5_priv **rep); 1987 1988 krb5_error_code decode_krb5_enc_priv_part 1989 (const krb5_data *output, krb5_priv_enc_part **rep); 1990 1991 krb5_error_code decode_krb5_cred 1992 (const krb5_data *output, krb5_cred **rep); 1993 1994 krb5_error_code decode_krb5_enc_cred_part 1995 (const krb5_data *output, krb5_cred_enc_part **rep); 1996 1997 krb5_error_code decode_krb5_error 1998 (const krb5_data *output, krb5_error **rep); 1999 2000 krb5_error_code decode_krb5_authdata 2001 (const krb5_data *output, krb5_authdata ***rep); 2002 2003 krb5_error_code decode_krb5_pwd_sequence 2004 (const krb5_data *output, passwd_phrase_element **rep); 2005 2006 krb5_error_code decode_krb5_pwd_data 2007 (const krb5_data *output, krb5_pwd_data **rep); 2008 2009 krb5_error_code decode_krb5_padata_sequence 2010 (const krb5_data *output, krb5_pa_data ***rep); 2011 2012 krb5_error_code decode_krb5_alt_method 2013 (const krb5_data *output, krb5_alt_method **rep); 2014 2015 krb5_error_code decode_krb5_etype_info 2016 (const krb5_data *output, krb5_etype_info_entry ***rep); 2017 2018 krb5_error_code decode_krb5_etype_info2 2019 (const krb5_data *output, krb5_etype_info_entry ***rep); 2020 2021 krb5_error_code decode_krb5_enc_data 2022 (const krb5_data *output, krb5_enc_data **rep); 2023 2024 krb5_error_code decode_krb5_pa_enc_ts 2025 (const krb5_data *output, krb5_pa_enc_ts **rep); 2026 2027 krb5_error_code decode_krb5_sam_key 2028 (const krb5_data *, krb5_sam_key **); 2029 2030 struct _krb5_key_data; /* kdb.h */ 2031 krb5_error_code 2032 krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data, 2033 krb5_int16 n_key_data, 2034 krb5_int32 mkvno, 2035 krb5_data **code); 2036 2037 krb5_error_code 2038 krb5int_ldap_decode_sequence_of_keys (krb5_data *in, 2039 struct _krb5_key_data **out, 2040 krb5_int16 *n_key_data, 2041 int *mkvno); 2042 2043 /************************************************************************* 2044 * End of prototypes for krb5_decode.c 2045 *************************************************************************/ 2046 2047 #endif /* KRB5_ASN1__ */ 2048 /* 2049 * End "asn1.h" 2050 */ 2051 2052 2053 /* 2054 * Internal krb5 library routines 2055 */ 2056 krb5_error_code krb5_encrypt_tkt_part 2057 (krb5_context, 2058 const krb5_keyblock *, 2059 krb5_ticket * ); 2060 2061 2062 krb5_error_code krb5_encode_kdc_rep 2063 (krb5_context, 2064 const krb5_msgtype, 2065 const krb5_enc_kdc_rep_part *, 2066 int using_subkey, 2067 const krb5_keyblock *, 2068 krb5_kdc_rep *, 2069 krb5_data ** ); 2070 2071 krb5_boolean krb5int_auth_con_chkseqnum 2072 (krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq); 2073 /* 2074 * [De]Serialization Handle and operations. 2075 */ 2076 struct __krb5_serializer { 2077 krb5_magic odtype; 2078 krb5_error_code (*sizer) (krb5_context, 2079 krb5_pointer, 2080 size_t *); 2081 krb5_error_code (*externalizer) (krb5_context, 2082 krb5_pointer, 2083 krb5_octet **, 2084 size_t *); 2085 krb5_error_code (*internalizer) (krb5_context, 2086 krb5_pointer *, 2087 krb5_octet **, 2088 size_t *); 2089 }; 2090 typedef const struct __krb5_serializer * krb5_ser_handle; 2091 typedef struct __krb5_serializer krb5_ser_entry; 2092 2093 krb5_ser_handle krb5_find_serializer 2094 (krb5_context, 2095 krb5_magic); 2096 krb5_error_code krb5_register_serializer 2097 (krb5_context, 2098 const krb5_ser_entry *); 2099 2100 /* Determine the external size of a particular opaque structure */ 2101 krb5_error_code KRB5_CALLCONV krb5_size_opaque 2102 (krb5_context, 2103 krb5_magic, 2104 krb5_pointer, 2105 size_t *); 2106 2107 /* Serialize the structure into a buffer */ 2108 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque 2109 (krb5_context, 2110 krb5_magic, 2111 krb5_pointer, 2112 krb5_octet **, 2113 size_t *); 2114 2115 /* Deserialize the structure from a buffer */ 2116 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque 2117 (krb5_context, 2118 krb5_magic, 2119 krb5_pointer *, 2120 krb5_octet **, 2121 size_t *); 2122 2123 /* Serialize data into a buffer */ 2124 krb5_error_code krb5_externalize_data 2125 (krb5_context, 2126 krb5_pointer, 2127 krb5_octet **, 2128 size_t *); 2129 /* 2130 * Initialization routines. 2131 */ 2132 2133 /* Initialize serialization for krb5_[os_]context */ 2134 krb5_error_code KRB5_CALLCONV krb5_ser_context_init 2135 (krb5_context); 2136 2137 /* Initialize serialization for krb5_auth_context */ 2138 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init 2139 (krb5_context); 2140 2141 /* Initialize serialization for krb5_keytab */ 2142 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init 2143 (krb5_context); 2144 2145 /* Initialize serialization for krb5_ccache */ 2146 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init 2147 (krb5_context); 2148 2149 /* Initialize serialization for krb5_rcache */ 2150 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init 2151 (krb5_context); 2152 2153 /* [De]serialize 4-byte integer */ 2154 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32 2155 (krb5_int32, 2156 krb5_octet **, 2157 size_t *); 2158 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32 2159 (krb5_int32 *, 2160 krb5_octet **, 2161 size_t *); 2162 /* [De]serialize 8-byte integer */ 2163 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64 2164 (krb5_int64, krb5_octet **, size_t *); 2165 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64 2166 (krb5_int64 *, krb5_octet **, size_t *); 2167 /* [De]serialize byte string */ 2168 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes 2169 (krb5_octet *, 2170 size_t, 2171 krb5_octet **, 2172 size_t *); 2173 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes 2174 (krb5_octet *, 2175 size_t, 2176 krb5_octet **, 2177 size_t *); 2178 2179 krb5_error_code KRB5_CALLCONV krb5int_cc_default 2180 (krb5_context, krb5_ccache *); 2181 2182 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default 2183 (krb5_context, krb5_ccache, krb5_flags, 2184 krb5_creds *, krb5_creds *); 2185 2186 krb5_boolean KRB5_CALLCONV 2187 krb5_creds_compare (krb5_context in_context, 2188 krb5_creds *in_creds, 2189 krb5_creds *in_compare_creds); 2190 2191 void krb5int_set_prompt_types 2192 (krb5_context, krb5_prompt_type *); 2193 2194 krb5_error_code 2195 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context, 2196 krb5_keyblock * /* Old keyblock, not new! */); 2197 2198 /* set and change password helpers */ 2199 2200 krb5_error_code krb5int_mk_chpw_req 2201 (krb5_context context, krb5_auth_context auth_context, 2202 krb5_data *ap_req, char *passwd, krb5_data *packet); 2203 krb5_error_code krb5int_rd_chpw_rep 2204 (krb5_context context, krb5_auth_context auth_context, 2205 krb5_data *packet, int *result_code, 2206 krb5_data *result_data); 2207 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string 2208 (krb5_context context, int result_code, 2209 char **result_codestr); 2210 krb5_error_code krb5int_mk_setpw_req 2211 (krb5_context context, krb5_auth_context auth_context, 2212 krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet); 2213 krb5_error_code krb5int_rd_setpw_rep 2214 (krb5_context context, krb5_auth_context auth_context, 2215 krb5_data *packet, int *result_code, 2216 krb5_data *result_data); 2217 krb5_error_code krb5int_setpw_result_code_string 2218 (krb5_context context, int result_code, 2219 const char **result_codestr); 2220 2221 struct srv_dns_entry { 2222 struct srv_dns_entry *next; 2223 int priority; 2224 int weight; 2225 unsigned short port; 2226 char *host; 2227 }; 2228 #ifdef KRB5_DNS_LOOKUP 2229 krb5_error_code 2230 krb5int_make_srv_query_realm(const krb5_data *realm, 2231 const char *service, 2232 const char *protocol, 2233 struct srv_dns_entry **answers); 2234 void krb5int_free_srv_dns_data(struct srv_dns_entry *); 2235 #endif 2236 2237 /* 2238 * Convenience function for structure magic number 2239 */ 2240 #define KRB5_VERIFY_MAGIC(structure,magic_number) \ 2241 if ((structure)->magic != (magic_number)) return (magic_number); 2242 2243 2244 /* SUNW14resync XXX - see k5-util.h */ 2245 #if 0 2246 int krb5_seteuid (int); 2247 #endif 2248 2249 char * krb5_getenv(const char *); 2250 int krb5_setenv (const char *, const char *, int); 2251 void krb5_unsetenv (const char *); 2252 2253 2254 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it 2255 for future resync sake */ 2256 2257 /* To keep happy libraries which are (for now) accessing internal stuff */ 2258 2259 /* Make sure to increment by one when changing the struct */ 2260 #define KRB5INT_ACCESS_STRUCT_VERSION 12 2261 2262 #ifndef ANAME_SZ 2263 struct ktext; /* from krb.h, for krb524 support */ 2264 #endif 2265 typedef struct _krb5int_access { 2266 /* crypto stuff */ 2267 const struct krb5_hash_provider *md5_hash_provider; 2268 const struct krb5_enc_provider *arcfour_enc_provider; 2269 krb5_error_code (* krb5_hmac) (krb5_context, const struct krb5_hash_provider *hash, 2270 const krb5_keyblock *key, 2271 unsigned int icount, const krb5_data *input, 2272 krb5_data *output); 2273 /* service location and communication */ 2274 #ifndef _KERNEL 2275 krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg, 2276 const struct addrlist *, struct sendto_callback_info*, krb5_data *reply, 2277 struct sockaddr *, socklen_t *,struct sockaddr *, 2278 socklen_t *, int *, 2279 int (*msg_handler)(krb5_context, const krb5_data *, void *), 2280 void *msg_handler_data); 2281 krb5_error_code (*add_host_to_list)(struct addrlist *lp, 2282 const char *hostname, 2283 int port, int secport, 2284 int socktype, int family); 2285 void (*free_addrlist) (struct addrlist *); 2286 #endif /* _KERNEL */ 2287 2288 krb5_error_code (*make_srv_query_realm)(const krb5_data *realm, 2289 const char *service, 2290 const char *protocol, 2291 struct srv_dns_entry **answers); 2292 void (*free_srv_dns_data)(struct srv_dns_entry *); 2293 int (*use_dns_kdc)(krb5_context); 2294 2295 /* krb4 compatibility stuff -- may be null if not enabled */ 2296 krb5_int32 (*krb_life_to_time)(krb5_int32, int); 2297 int (*krb_time_to_life)(krb5_int32, krb5_int32); 2298 int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *); 2299 krb5_error_code (*krb5int_c_mandatory_cksumtype) 2300 (krb5_context, krb5_enctype, krb5_cksumtype *); 2301 krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64) 2302 (krb5_int64, krb5_octet **, size_t *); 2303 krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64) 2304 (krb5_int64 *, krb5_octet **, size_t *); 2305 2306 /* Used for KDB LDAP back end. */ 2307 krb5_error_code 2308 (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data, 2309 krb5_int16 n_key_data, 2310 krb5_int32 mkvno, 2311 krb5_data **code); 2312 2313 krb5_error_code 2314 (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in, 2315 struct _krb5_key_data **out, 2316 krb5_int16 *n_key_data, 2317 int *mkvno); 2318 2319 /* 2320 * pkinit asn.1 encode/decode functions 2321 */ 2322 krb5_error_code (*encode_krb5_auth_pack) 2323 (const krb5_auth_pack *rep, krb5_data **code); 2324 krb5_error_code (*encode_krb5_auth_pack_draft9) 2325 (const krb5_auth_pack_draft9 *rep, krb5_data **code); 2326 krb5_error_code (*encode_krb5_kdc_dh_key_info) 2327 (const krb5_kdc_dh_key_info *rep, krb5_data **code); 2328 krb5_error_code (*encode_krb5_pa_pk_as_rep) 2329 (const krb5_pa_pk_as_rep *rep, krb5_data **code); 2330 krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9) 2331 (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code); 2332 krb5_error_code (*encode_krb5_pa_pk_as_req) 2333 (const krb5_pa_pk_as_req *rep, krb5_data **code); 2334 krb5_error_code (*encode_krb5_pa_pk_as_req_draft9) 2335 (const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code); 2336 krb5_error_code (*encode_krb5_reply_key_pack) 2337 (const krb5_reply_key_pack *, krb5_data **code); 2338 krb5_error_code (*encode_krb5_reply_key_pack_draft9) 2339 (const krb5_reply_key_pack_draft9 *, krb5_data **code); 2340 krb5_error_code (*encode_krb5_td_dh_parameters) 2341 (const krb5_algorithm_identifier **, krb5_data **code); 2342 krb5_error_code (*encode_krb5_td_trusted_certifiers) 2343 (const krb5_external_principal_identifier **, krb5_data **code); 2344 krb5_error_code (*encode_krb5_typed_data) 2345 (const krb5_typed_data **, krb5_data **code); 2346 2347 krb5_error_code (*decode_krb5_auth_pack) 2348 (const krb5_data *, krb5_auth_pack **); 2349 krb5_error_code (*decode_krb5_auth_pack_draft9) 2350 (const krb5_data *, krb5_auth_pack_draft9 **); 2351 krb5_error_code (*decode_krb5_pa_pk_as_req) 2352 (const krb5_data *, krb5_pa_pk_as_req **); 2353 krb5_error_code (*decode_krb5_pa_pk_as_req_draft9) 2354 (const krb5_data *, krb5_pa_pk_as_req_draft9 **); 2355 krb5_error_code (*decode_krb5_pa_pk_as_rep) 2356 (const krb5_data *, krb5_pa_pk_as_rep **); 2357 krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9) 2358 (const krb5_data *, krb5_pa_pk_as_rep_draft9 **); 2359 krb5_error_code (*decode_krb5_kdc_dh_key_info) 2360 (const krb5_data *, krb5_kdc_dh_key_info **); 2361 krb5_error_code (*decode_krb5_principal_name) 2362 (const krb5_data *, krb5_principal_data **); 2363 krb5_error_code (*decode_krb5_reply_key_pack) 2364 (const krb5_data *, krb5_reply_key_pack **); 2365 krb5_error_code (*decode_krb5_reply_key_pack_draft9) 2366 (const krb5_data *, krb5_reply_key_pack_draft9 **); 2367 krb5_error_code (*decode_krb5_td_dh_parameters) 2368 (const krb5_data *, krb5_algorithm_identifier ***); 2369 krb5_error_code (*decode_krb5_td_trusted_certifiers) 2370 (const krb5_data *, krb5_external_principal_identifier ***); 2371 krb5_error_code (*decode_krb5_typed_data) 2372 (const krb5_data *, krb5_typed_data ***); 2373 2374 krb5_error_code (*decode_krb5_as_req) 2375 (const krb5_data *output, krb5_kdc_req **rep); 2376 krb5_error_code (*encode_krb5_kdc_req_body) 2377 (const krb5_kdc_req *rep, krb5_data **code); 2378 void (KRB5_CALLCONV *krb5_free_kdc_req) 2379 (krb5_context, krb5_kdc_req * ); 2380 void (*krb5int_set_prompt_types) 2381 (krb5_context, krb5_prompt_type *); 2382 krb5_error_code (*encode_krb5_authdata_elt) 2383 (const krb5_authdata *rep, krb5_data **code); 2384 2385 } krb5int_access; 2386 2387 #define KRB5INT_ACCESS_VERSION \ 2388 (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \ 2389 (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF) 2390 2391 krb5_error_code KRB5_CALLCONV krb5int_accessor 2392 (krb5int_access*, krb5_int32); 2393 2394 /* Ick -- some krb524 and krb4 support placed in the krb5 library, 2395 because AFS (and potentially other applications?) use the krb4 2396 object as an opaque token, which (in some implementations) is not 2397 in fact a krb4 ticket, so we don't want to drag in the krb4 support 2398 just to enable this. */ 2399 2400 #define KRB524_SERVICE "krb524" 2401 #define KRB524_PORT 4444 2402 2403 /* v4lifetime.c */ 2404 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int); 2405 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32); 2406 2407 /* conv_creds.c */ 2408 int krb5int_encode_v4tkt 2409 (struct ktext *v4tkt, char *buf, unsigned int *encoded_len); 2410 2411 /* send524.c */ 2412 int krb5int_524_sendto_kdc 2413 (krb5_context context, const krb5_data * message, 2414 const krb5_data * realm, krb5_data * reply, 2415 struct sockaddr *, socklen_t *); 2416 2417 /* temporary -- this should be under lib/krb5/ccache somewhere */ 2418 2419 struct _krb5_ccache { 2420 krb5_magic magic; 2421 const struct _krb5_cc_ops *ops; 2422 krb5_pointer data; 2423 }; 2424 2425 /* 2426 * Per-type ccache cursor. 2427 */ 2428 struct krb5_cc_ptcursor { 2429 const struct _krb5_cc_ops *ops; 2430 krb5_pointer data; 2431 }; 2432 typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor; 2433 2434 struct _krb5_cc_ops { 2435 krb5_magic magic; 2436 char *prefix; 2437 const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache); 2438 krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *, 2439 const char *); 2440 krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *); 2441 krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache, 2442 krb5_principal); 2443 krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache); 2444 krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache); 2445 krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache, 2446 krb5_creds *); 2447 krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache, 2448 krb5_flags, krb5_creds *, 2449 krb5_creds *); 2450 krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache, 2451 krb5_principal *); 2452 krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache, 2453 krb5_cc_cursor *); 2454 krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache, 2455 krb5_cc_cursor *, krb5_creds *); 2456 krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache, 2457 krb5_cc_cursor *); 2458 krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache, 2459 krb5_flags, krb5_creds *); 2460 krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache, 2461 krb5_flags); 2462 krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache, 2463 krb5_flags *); 2464 krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context, 2465 krb5_cc_ptcursor *); 2466 krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context, 2467 krb5_cc_ptcursor, 2468 krb5_ccache *); 2469 krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context, 2470 krb5_cc_ptcursor *); 2471 krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache); 2472 krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context, 2473 krb5_ccache, krb5_timestamp *); 2474 krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache, 2475 krb5_timestamp *); 2476 }; 2477 2478 extern const krb5_cc_ops *krb5_cc_dfl_ops; 2479 2480 krb5_error_code 2481 krb5int_cc_os_default_name(krb5_context context, char **name); 2482 2483 /* 2484 * Cursor for iterating over ccache types 2485 */ 2486 struct krb5_cc_typecursor; 2487 typedef struct krb5_cc_typecursor *krb5_cc_typecursor; 2488 2489 krb5_error_code 2490 krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *cursor); 2491 2492 krb5_error_code 2493 krb5int_cc_typecursor_next( 2494 krb5_context context, 2495 krb5_cc_typecursor cursor, 2496 const struct _krb5_cc_ops **ops); 2497 2498 krb5_error_code 2499 krb5int_cc_typecursor_free( 2500 krb5_context context, 2501 krb5_cc_typecursor *cursor); 2502 2503 typedef struct _krb5_donot_replay { 2504 krb5_magic magic; 2505 krb5_ui_4 hash; 2506 char *server; /* null-terminated */ 2507 char *client; /* null-terminated */ 2508 krb5_int32 cusec; 2509 krb5_timestamp ctime; 2510 } krb5_donot_replay; 2511 2512 krb5_error_code krb5_rc_default 2513 (krb5_context, 2514 krb5_rcache *); 2515 krb5_error_code krb5_rc_resolve_type 2516 (krb5_context, 2517 krb5_rcache *,char *); 2518 krb5_error_code krb5_rc_resolve_full 2519 (krb5_context, 2520 krb5_rcache *,char *); 2521 char * krb5_rc_get_type 2522 (krb5_context, 2523 krb5_rcache); 2524 char * krb5_rc_default_type 2525 (krb5_context); 2526 char * krb5_rc_default_name 2527 (krb5_context); 2528 krb5_error_code krb5_auth_to_rep 2529 (krb5_context, 2530 krb5_tkt_authent *, 2531 krb5_donot_replay *); 2532 2533 2534 krb5_error_code KRB5_CALLCONV krb5_rc_initialize 2535 (krb5_context, krb5_rcache,krb5_deltat); 2536 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize 2537 (krb5_context, krb5_rcache,krb5_deltat); 2538 krb5_error_code KRB5_CALLCONV krb5_rc_recover 2539 (krb5_context, krb5_rcache); 2540 krb5_error_code KRB5_CALLCONV krb5_rc_destroy 2541 (krb5_context, krb5_rcache); 2542 krb5_error_code KRB5_CALLCONV krb5_rc_close 2543 (krb5_context, krb5_rcache); 2544 krb5_error_code KRB5_CALLCONV krb5_rc_store 2545 (krb5_context, krb5_rcache,krb5_donot_replay *); 2546 krb5_error_code KRB5_CALLCONV krb5_rc_expunge 2547 (krb5_context, krb5_rcache); 2548 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan 2549 (krb5_context, krb5_rcache,krb5_deltat *); 2550 char *KRB5_CALLCONV krb5_rc_get_name 2551 (krb5_context, krb5_rcache); 2552 krb5_error_code KRB5_CALLCONV krb5_rc_resolve 2553 (krb5_context, krb5_rcache, char *); 2554 2555 typedef struct _krb5_kt_ops { 2556 krb5_magic magic; 2557 char *prefix; 2558 /* routines always present */ 2559 krb5_error_code (KRB5_CALLCONV *resolve) 2560 (krb5_context, 2561 const char *, 2562 krb5_keytab *); 2563 krb5_error_code (KRB5_CALLCONV *get_name) 2564 (krb5_context, 2565 krb5_keytab, 2566 char *, 2567 unsigned int); 2568 krb5_error_code (KRB5_CALLCONV *close) 2569 (krb5_context, 2570 krb5_keytab); 2571 krb5_error_code (KRB5_CALLCONV *get) 2572 (krb5_context, 2573 krb5_keytab, 2574 krb5_const_principal, 2575 krb5_kvno, 2576 krb5_enctype, 2577 krb5_keytab_entry *); 2578 krb5_error_code (KRB5_CALLCONV *start_seq_get) 2579 (krb5_context, 2580 krb5_keytab, 2581 krb5_kt_cursor *); 2582 krb5_error_code (KRB5_CALLCONV *get_next) 2583 (krb5_context, 2584 krb5_keytab, 2585 krb5_keytab_entry *, 2586 krb5_kt_cursor *); 2587 krb5_error_code (KRB5_CALLCONV *end_get) 2588 (krb5_context, 2589 krb5_keytab, 2590 krb5_kt_cursor *); 2591 /* routines to be included on extended version (write routines) */ 2592 krb5_error_code (KRB5_CALLCONV *add) 2593 (krb5_context, 2594 krb5_keytab, 2595 krb5_keytab_entry *); 2596 krb5_error_code (KRB5_CALLCONV *remove) 2597 (krb5_context, 2598 krb5_keytab, 2599 krb5_keytab_entry *); 2600 2601 /* Handle for serializer */ 2602 const krb5_ser_entry *serializer; 2603 } krb5_kt_ops; 2604 2605 extern const krb5_kt_ops krb5_kt_dfl_ops; 2606 2607 extern krb5_error_code krb5int_translate_gai_error (int); 2608 2609 /* Not sure it's ready for exposure just yet. */ 2610 extern krb5_error_code 2611 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *); 2612 2613 extern int krb5int_crypto_init (void); 2614 extern int krb5int_prng_init(void); 2615 2616 /* 2617 * SUNW14resync 2618 * Hack (?) to neuter C99 "inline" which causes warnings w/our build. 2619 */ 2620 #define inline 2621 2622 /* Solaris kerberos */ 2623 krb5_boolean KRB5_CALLCONV is_in_keytype 2624 (krb5_const krb5_enctype *keytype, 2625 int numkeytypes, krb5_enctype enctype); 2626 2627 /* 2628 * Solaris Kerberos 2629 * Use krb5_getuid() to select the mechanism to obtain the uid. 2630 */ 2631 extern uid_t krb5_getuid(); 2632 2633 /* 2634 * Referral definitions, debugging hooks, and subfunctions. 2635 */ 2636 #define KRB5_REFERRAL_MAXHOPS 5 2637 /* #define DEBUG_REFERRALS */ 2638 2639 #ifdef DEBUG_REFERRALS 2640 void krb5int_dbgref_dump_principal(char *, krb5_principal); 2641 #endif 2642 2643 /* Common hostname-parsing code. */ 2644 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname 2645 (krb5_context, 2646 const char *, 2647 char *, 2648 size_t); 2649 2650 #endif /* _KRB5_INT_H */ 2651