xref: /illumos-gate/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h (revision 7247f8883be6bcac5fe4735b6f87f873387dbbef)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * Copyright (C) 1989-1995 by the Massachusetts Institute of Technology,
8  * Cambridge, MA, USA.  All Rights Reserved.
9  *
10  * This software is being provided to you, the LICENSEE, by the
11  * Massachusetts Institute of Technology (M.I.T.) under the following
12  * license.  By obtaining, using and/or copying this software, you agree
13  * that you have read, understood, and will comply with these terms and
14  * conditions:
15  *
16  * Export of this software from the United States of America may
17  * require a specific license from the United States Government.
18  * It is the responsibility of any person or organization contemplating
19  * export to obtain such a license before exporting.
20  *
21  * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
22  * this software and its documentation for any purpose and without fee or
23  * royalty is hereby granted, provided that you agree to comply with the
24  * following copyright notice and statements, including the disclaimer, and
25  * that the same appear on ALL copies of the software and documentation,
26  * including modifications that you make for internal use or for
27  * distribution:
28  *
29  * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
30  * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
31  * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
32  * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
33  * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
34  * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
35  *
36  * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
37  * be used in advertising or publicity pertaining to distribution of the
38  * software.  Title to copyright in this software and any associated
39  * documentation shall at all times remain with M.I.T., and USER agrees to
40  * preserve same.
41  */
42 /*
43  * Copyright (C) 1998 by the FundsXpress, INC.
44  *
45  * All rights reserved.
46  *
47  * Export of this software from the United States of America may require
48  * a specific license from the United States Government.  It is the
49  * responsibility of any person or organization contemplating export to
50  * obtain such a license before exporting.
51  *
52  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
53  * distribute this software and its documentation for any purpose and
54  * without fee is hereby granted, provided that the above copyright
55  * notice appear in all copies and that both that copyright notice and
56  * this permission notice appear in supporting documentation, and that
57  * the name of FundsXpress. not be used in advertising or publicity pertaining
58  * to distribution of the software without specific, written prior
59  * permission.  FundsXpress makes no representations about the suitability of
60  * this software for any purpose.  It is provided "as is" without express
61  * or implied warranty.
62  *
63  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
64  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
65  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
66  */
67 
68 /*
69  * This prototype for k5-int.h (Krb5 internals include file)
70  * includes the user-visible definitions from krb5.h and then
71  * includes other definitions that are not user-visible but are
72  * required for compiling Kerberos internal routines.
73  *
74  * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
75  */
76 
77 #ifndef _KRB5_INT_H
78 #define _KRB5_INT_H
79 
80 #pragma ident	"%Z%%M%	%I%	%E% SMI"
81 
82 #ifndef	_KERNEL
83 #include <osconf.h>
84 #include <security/cryptoki.h>
85 #else
86 #include <sys/crypto/common.h>
87 #include <sys/crypto/api.h>
88 #endif
89 
90 #ifdef  DEBUG
91 #if !defined(KRB5_DEBUG)
92 #define KRB5_DEBUG
93 #endif
94 #ifndef  KRB5_LOG_LVL
95 #define KRB5_LOG_LVL KRB5_ERR
96 #endif
97 #endif  /* DEBUG */
98 
99 #ifdef  _KERNEL
100 
101 #ifdef  DEBUG
102 #include        <sys/types.h>
103 #include        <sys/cmn_err.h>
104  extern  void prom_printf();
105 #endif  /* DEBUG */
106 
107 #else   /* !_KERNEL */
108 
109 #define prom_printf printf
110 
111 #endif /* !_KERNEL */
112 
113 #ifdef KRB5_LOG_LVL
114 
115 /* krb5_log is used to set the logging level to determine what class of messages
116  * are output by the mech.  Note, more than one logging level can be used by
117  * bit or'ing the log values together.
118  *
119  * All log messages are captured by syslog.
120  */
121 
122 extern unsigned int krb5_log;
123 
124 /* Note, these defines should be mutually exclusive bit fields */
125 #define KRB5_ERR  1   /* Use this debug log level for error path logging. */
126 #define KRB5_INFO 2   /* Use this debug log level for informational messages. */
127 
128 #ifdef  _KERNEL
129 
130 #define KRB5_LOG1(A, B, C, D) \
131      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
132 #define KRB5_LOG(A, B, C) \
133      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
134 #define KRB5_LOG0(A, B)   \
135      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))
136 
137 #else	/* !_KERNEL */
138 
139 #include <syslog.h>
140 
141 #define KRB5_LOG1(A, B, C, D) \
142         ((void)((krb5_log) && (krb5_log & (A)) && \
143 		(syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
144 #define KRB5_LOG(A, B, C) \
145         ((void)((krb5_log) && (krb5_log & (A)) && \
146 		(syslog(LOG_DEBUG, (B), (C)), TRUE)))
147 #define KRB5_LOG0(A, B)   \
148         ((void)((krb5_log) && (krb5_log & (A)) && \
149 	       	(syslog(LOG_DEBUG, B), TRUE)))
150 
151 #endif	/* _KERNEL */
152 
153 #else /* ! KRB5_LOG_LVL */
154 
155 #define KRB5_LOG1(A, B, C, D)
156 #define KRB5_LOG(A, B, C)
157 #define KRB5_LOG0(A, B)
158 
159 #endif /* KRB5_LOG_LVL */
160 
161 #ifdef POSIX_TYPES
162 #define timetype time_t
163 #else
164 #define timetype long
165 #endif
166 
167 /*
168  * Begin "k5-config.h"
169  */
170 #ifndef KRB5_CONFIG__
171 #define KRB5_CONFIG__
172 
173 /*
174  * Machine-type definitions: PC Clone 386 running Microsoft Windows
175  */
176 
177 #if defined(_MSDOS) || defined(_WIN32)
178 #include "win-mac.h"
179 
180 /* Kerberos Windows initialization file */
181 #define KERBEROS_INI    "kerberos.ini"
182 #define INI_FILES       "Files"
183 #define INI_KRB_CCACHE  "krb5cc"       /* Location of the ccache */
184 #define INI_KRB5_CONF   "krb5.ini"		/* Location of krb5.conf file */
185 #define ANSI_STDIO
186 #endif
187 
188 #ifndef _KERNEL
189 #ifndef KRB5_AUTOCONF__
190 #define KRB5_AUTOCONF__
191 #include <autoconf.h>
192 #endif
193 #endif 		/* !_KERNEL  */
194 
195 #ifndef KRB5_SYSTYPES__
196 #define KRB5_SYSTYPES__
197 
198 #ifdef HAVE_SYS_TYPES_H		/* From autoconf.h */
199 #include <sys/types.h>
200 #else /* HAVE_SYS_TYPES_H */
201 #endif /* HAVE_SYS_TYPES_H */
202 #endif /* KRB5_SYSTYPES__ */
203 
204 /* #include "k5-platform.h" SUNW XXX */
205 /* not used in krb5.h (yet) */
206 typedef uint64_t krb5_ui_8;
207 typedef int64_t krb5_int64;
208 
209 #define DEFAULT_PWD_STRING1 "Enter password:"
210 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
211 
212 #define	KRB5_KDB_MAX_LIFE	(60*60*24) /* one day */
213 #define	KRB5_KDB_MAX_RLIFE	(60*60*24*365) /* one year */
214 #define	KRB5_KDB_EXPIRATION	2145830400 /* Thu Jan  1 00:00:00 2038 UTC */
215 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
216 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */
217 
218 /*
219  * Windows requires a different api interface to each function. Here
220  * just define it as NULL.
221  */
222 #ifndef KRB5_CALLCONV
223 #define KRB5_CALLCONV
224 #define KRB5_CALLCONV_C
225 #endif
226 #ifndef O_BINARY
227 #define O_BINARY 0
228 #endif
229 
230 #endif /* KRB5_CONFIG__ */
231 
232 /*
233  * End "k5-config.h"
234  */
235 
236 /*
237  * After loading the configuration definitions, load the Kerberos definitions.
238  */
239 #ifndef _KERNEL
240 #include <errno.h>
241 #include "profile.h"
242 #endif
243 
244 #include <krb5.h>
245 
246 #ifndef _KERNEL
247 #if 1 /* def NEED_SOCKETS */
248 #include <port-sockets.h>
249 #include <socket-utils.h>
250 #else
251 #ifndef SOCK_DGRAM
252 struct sockaddr;
253 #endif
254 #endif
255 #endif
256 
257 /* Get mutex support; currently used only for the replay cache.  */
258 #include "k5-thread.h"
259 
260 
261 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
262    The ones that it doesn't include, we include below.  */
263 
264 /*
265  * Begin "k5-errors.h"
266  */
267 #ifndef KRB5_ERRORS__
268 #define KRB5_ERRORS__
269 
270 
271 /* Error codes used in KRB_ERROR protocol messages.
272    Return values of library routines are based on a different error table
273    (which allows non-ambiguous error codes between subsystems) */
274 
275 /* KDC errors */
276 #define	KDC_ERR_NONE			0 /* No error */
277 #define	KDC_ERR_NAME_EXP		1 /* Client's entry in DB expired */
278 #define	KDC_ERR_SERVICE_EXP		2 /* Server's entry in DB expired */
279 #define	KDC_ERR_BAD_PVNO		3 /* Requested pvno not supported */
280 #define	KDC_ERR_C_OLD_MAST_KVNO		4 /* C's key encrypted in old master */
281 #define	KDC_ERR_S_OLD_MAST_KVNO		5 /* S's key encrypted in old master */
282 #define	KDC_ERR_C_PRINCIPAL_UNKNOWN	6 /* Client not found in Kerberos DB */
283 #define	KDC_ERR_S_PRINCIPAL_UNKNOWN	7 /* Server not found in Kerberos DB */
284 #define	KDC_ERR_PRINCIPAL_NOT_UNIQUE	8 /* Multiple entries in Kerberos DB */
285 #define	KDC_ERR_NULL_KEY		9 /* The C or S has a null key */
286 #define	KDC_ERR_CANNOT_POSTDATE		10 /* Tkt ineligible for postdating */
287 #define	KDC_ERR_NEVER_VALID		11 /* Requested starttime > endtime */
288 #define	KDC_ERR_POLICY			12 /* KDC policy rejects request */
289 #define	KDC_ERR_BADOPTION		13 /* KDC can't do requested opt. */
290 #define	KDC_ERR_ENCTYPE_NOSUPP		14 /* No support for encryption type */
291 #define KDC_ERR_SUMTYPE_NOSUPP		15 /* No support for checksum type */
292 #define KDC_ERR_PADATA_TYPE_NOSUPP	16 /* No support for padata type */
293 #define KDC_ERR_TRTYPE_NOSUPP		17 /* No support for transited type */
294 #define KDC_ERR_CLIENT_REVOKED		18 /* C's creds have been revoked */
295 #define KDC_ERR_SERVICE_REVOKED		19 /* S's creds have been revoked */
296 #define KDC_ERR_TGT_REVOKED		20 /* TGT has been revoked */
297 #define KDC_ERR_CLIENT_NOTYET		21 /* C not yet valid */
298 #define KDC_ERR_SERVICE_NOTYET		22 /* S not yet valid */
299 #define KDC_ERR_KEY_EXP			23 /* Password has expired */
300 #define KDC_ERR_PREAUTH_FAILED		24 /* Preauthentication failed */
301 #define KDC_ERR_PREAUTH_REQUIRED	25 /* Additional preauthentication */
302 					   /* required */
303 #define KDC_ERR_SERVER_NOMATCH		26 /* Requested server and */
304 					   /* ticket don't match*/
305 /* Application errors */
306 #define	KRB_AP_ERR_BAD_INTEGRITY 31	/* Decrypt integrity check failed */
307 #define	KRB_AP_ERR_TKT_EXPIRED	32	/* Ticket expired */
308 #define	KRB_AP_ERR_TKT_NYV	33	/* Ticket not yet valid */
309 #define	KRB_AP_ERR_REPEAT	34	/* Request is a replay */
310 #define	KRB_AP_ERR_NOT_US	35	/* The ticket isn't for us */
311 #define	KRB_AP_ERR_BADMATCH	36	/* Ticket/authenticator don't match */
312 #define	KRB_AP_ERR_SKEW		37	/* Clock skew too great */
313 #define	KRB_AP_ERR_BADADDR	38	/* Incorrect net address */
314 #define	KRB_AP_ERR_BADVERSION	39	/* Protocol version mismatch */
315 #define	KRB_AP_ERR_MSG_TYPE	40	/* Invalid message type */
316 #define	KRB_AP_ERR_MODIFIED	41	/* Message stream modified */
317 #define	KRB_AP_ERR_BADORDER	42	/* Message out of order */
318 #define	KRB_AP_ERR_BADKEYVER	44	/* Key version is not available */
319 #define	KRB_AP_ERR_NOKEY	45	/* Service key not available */
320 #define	KRB_AP_ERR_MUT_FAIL	46	/* Mutual authentication failed */
321 #define KRB_AP_ERR_BADDIRECTION	47 	/* Incorrect message direction */
322 #define KRB_AP_ERR_METHOD	48 	/* Alternative authentication */
323 					/* method required */
324 #define KRB_AP_ERR_BADSEQ	49 	/* Incorrect sequence numnber */
325 					/* in message */
326 #define KRB_AP_ERR_INAPP_CKSUM	50	/* Inappropriate type of */
327 					/* checksum in message */
328 #define	KRB_AP_PATH_NOT_ACCEPTED 51	/* Policy rejects transited path */
329 #define	KRB_ERR_RESPONSE_TOO_BIG 52	/* Response too big for UDP, */
330 					/*   retry with TCP */
331 
332 /* other errors */
333 #define KRB_ERR_GENERIC		60 	/* Generic error (description */
334 					/* in e-text) */
335 #define	KRB_ERR_FIELD_TOOLONG	61	/* Field is too long for impl. */
336 
337 #endif /* KRB5_ERRORS__ */
338 /*
339  * End "k5-errors.h"
340  */
341 
342 /*
343  * This structure is returned in the e-data field of the KRB-ERROR
344  * message when the error calling for an alternative form of
345  * authentication is returned, KRB_AP_METHOD.
346  */
347 typedef struct _krb5_alt_method {
348 	krb5_magic	magic;
349 	krb5_int32	method;
350 	unsigned int	length;
351 	krb5_octet	*data;
352 } krb5_alt_method;
353 
354 /*
355  * A null-terminated array of this structure is returned by the KDC as
356  * the data part of the ETYPE_INFO preauth type.  It informs the
357  * client which encryption types are supported.
358  * The	same data structure is used by both etype-info and etype-info2
359  * but s2kparams must be null when encoding etype-info.
360  */
361 typedef struct _krb5_etype_info_entry {
362 	krb5_magic	magic;
363 	krb5_enctype	etype;
364 	unsigned int	length;
365 	krb5_octet	*salt;
366 	krb5_data	s2kparams;
367 } krb5_etype_info_entry;
368 
369 /*
370  *  This is essentially -1 without sign extension which can screw up
371  *  comparisons on 64 bit machines. If the length is this value, then
372  *  the salt data is not present. This is to distinguish between not
373  *  being set and being of 0 length.
374  */
375 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
376 
377 typedef krb5_etype_info_entry ** krb5_etype_info;
378 
379 /*
380  * a sam_challenge is returned for alternate preauth
381  */
382 /*
383           SAMFlags ::= BIT STRING {
384               use-sad-as-key[0],
385               send-encrypted-sad[1],
386               must-pk-encrypt-sad[2]
387           }
388  */
389 /*
390           PA-SAM-CHALLENGE ::= SEQUENCE {
391               sam-type[0]                 INTEGER,
392               sam-flags[1]                SAMFlags,
393               sam-type-name[2]            GeneralString OPTIONAL,
394               sam-track-id[3]             GeneralString OPTIONAL,
395               sam-challenge-label[4]      GeneralString OPTIONAL,
396               sam-challenge[5]            GeneralString OPTIONAL,
397               sam-response-prompt[6]      GeneralString OPTIONAL,
398               sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
399               sam-nonce[8]                INTEGER OPTIONAL,
400               sam-cksum[9]                Checksum OPTIONAL
401           }
402 */
403 /* sam_type values -- informational only */
404 #define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
405 #define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
406 #define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
407 #define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
408 #define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
409 #define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
410 #if 1 /* XXX need to figure out who has which numbers assigned */
411 #define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
412 #define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
413 #define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
414 #endif
415 #define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
416 #define PA_SAM_TYPE_GRAIL		(PA_SAM_TYPE_EXP_BASE+0) /* testing */
417 #define PA_SAM_TYPE_SECURID_PREDICT	(PA_SAM_TYPE_EXP_BASE+1) /* special */
418 
419 typedef struct _krb5_predicted_sam_response {
420 	krb5_magic	magic;
421 	krb5_keyblock	sam_key;
422         krb5_flags      sam_flags; /* Makes key munging easier */
423         krb5_timestamp  stime;  /* time on server, for replay detection */
424         krb5_int32      susec;
425         krb5_principal  client;
426         krb5_data       msd;    /* mechanism specific data */
427 } krb5_predicted_sam_response;
428 
429 typedef struct _krb5_sam_challenge {
430 	krb5_magic	magic;
431 	krb5_int32	sam_type; /* information */
432 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
433 	krb5_data	sam_type_name;
434 	krb5_data	sam_track_id;
435 	krb5_data	sam_challenge_label;
436 	krb5_data	sam_challenge;
437 	krb5_data	sam_response_prompt;
438 	krb5_data	sam_pk_for_sad;
439 	krb5_int32	sam_nonce;
440 	krb5_checksum	sam_cksum;
441 } krb5_sam_challenge;
442 
443 typedef struct _krb5_sam_key {	/* reserved for future use */
444 	krb5_magic	magic;
445 	krb5_keyblock	sam_key;
446 } krb5_sam_key;
447 
448 typedef struct _krb5_enc_sam_response_enc {
449 	krb5_magic	magic;
450 	krb5_int32	sam_nonce;
451 	krb5_timestamp	sam_timestamp;
452 	krb5_int32	sam_usec;
453 	krb5_data	sam_sad;
454 } krb5_enc_sam_response_enc;
455 
456 typedef struct _krb5_sam_response {
457 	krb5_magic	magic;
458 	krb5_int32	sam_type; /* informational */
459 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
460 	krb5_data	sam_track_id; /* copied */
461 	krb5_enc_data	sam_enc_key; /* krb5_sam_key - future use */
462 	krb5_enc_data	sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
463 	krb5_int32	sam_nonce;
464 	krb5_timestamp	sam_patimestamp;
465 } krb5_sam_response;
466 
467 typedef struct _krb5_sam_challenge_2 {
468 	krb5_data	sam_challenge_2_body;
469 	krb5_checksum	**sam_cksum;		/* Array of checksums */
470 } krb5_sam_challenge_2;
471 
472 typedef struct _krb5_sam_challenge_2_body {
473 	krb5_magic	magic;
474 	krb5_int32	sam_type; /* information */
475 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
476 	krb5_data	sam_type_name;
477 	krb5_data	sam_track_id;
478 	krb5_data	sam_challenge_label;
479 	krb5_data	sam_challenge;
480 	krb5_data	sam_response_prompt;
481 	krb5_data	sam_pk_for_sad;
482 	krb5_int32	sam_nonce;
483 	krb5_enctype	sam_etype;
484 } krb5_sam_challenge_2_body;
485 
486 typedef struct _krb5_sam_response_2 {
487 	krb5_magic	magic;
488 	krb5_int32	sam_type; /* informational */
489 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
490 	krb5_data	sam_track_id; /* copied */
491 	krb5_enc_data	sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
492 	krb5_int32	sam_nonce;
493 } krb5_sam_response_2;
494 
495 typedef struct _krb5_enc_sam_response_enc_2 {
496 	krb5_magic	magic;
497 	krb5_int32	sam_nonce;
498 	krb5_data	sam_sad;
499 } krb5_enc_sam_response_enc_2;
500 
501 /*
502  * Begin "dbm.h"
503  */
504 #ifndef _KERNEL
505 
506 /*
507  * Since we are always using db, use the db-ndbm include header file.
508  */
509 
510 #include "db-ndbm.h"
511 
512 #endif /* !KERNEL */
513 /*
514  * End "dbm.h"
515  */
516 
517 /*
518  * Begin "ext-proto.h"
519  */
520 #ifndef KRB5_EXT_PROTO__
521 #define KRB5_EXT_PROTO__
522 
523 #ifndef _KERNEL
524 #include <stdlib.h>
525 #include <string.h>
526 #endif /* !_KERNEL */
527 
528 #ifndef HAVE_STRDUP
529 extern char *strdup (const char *);
530 #endif
531 
532 #ifndef _KERNEL
533 #ifdef HAVE_UNISTD_H
534 #include <unistd.h>
535 #endif
536 #endif /* !_KERNEL */
537 
538 #endif /* KRB5_EXT_PROTO__ */
539 /*
540  * End "ext-proto.h"
541  */
542 
543 /*
544  * Begin "sysincl.h"
545  */
546 #ifndef KRB5_SYSINCL__
547 #define KRB5_SYSINCL__
548 
549 #ifndef KRB5_SYSTYPES__
550 #define KRB5_SYSTYPES__
551 /* needed for much of the rest -- but already handled in krb5.h? */
552 /* #include <sys/types.h> */
553 #endif /* KRB5_SYSTYPES__ */
554 
555 #ifdef	_KERNEL
556 #include <sys/time.h>
557 #else
558 #ifdef HAVE_SYS_TIME_H
559 #include <sys/time.h>
560 #ifdef TIME_WITH_SYS_TIME
561 #include <time.h>
562 #endif
563 #else
564 #include <time.h>
565 #endif
566 #endif /* _KERNEL */
567 
568 #ifdef HAVE_SYS_STAT_H
569 #include <sys/stat.h>			/* struct stat, stat() */
570 #endif
571 
572 #ifdef HAVE_SYS_PARAM_H
573 #include <sys/param.h>			/* MAXPATHLEN */
574 #endif
575 
576 #ifdef HAVE_SYS_FILE_H
577 #include <sys/file.h>			/* prototypes for file-related
578 					   syscalls; flags for open &
579 					   friends */
580 #endif
581 
582 #ifdef _KERNEL
583 #include <sys/fcntl.h>
584 #else
585 #include <fcntl.h>
586 #endif
587 
588 #endif /* KRB5_SYSINCL__ */
589 /*
590  * End "sysincl.h"
591  */
592 
593 /*
594  * Begin "los-proto.h"
595  */
596 #ifndef KRB5_LIBOS_PROTO__
597 #define KRB5_LIBOS_PROTO__
598 
599 #ifndef	_KERNEL
600 #include <stdio.h>
601 
602 struct addrlist;
603 #endif
604 
605 /* libos.spec */
606 krb5_error_code krb5_lock_file
607 	(krb5_context, int, int);
608 
609 krb5_error_code krb5_unlock_file
610 	(krb5_context, int);
611 
612 int krb5_net_read
613 	(krb5_context, int , char *, int);
614 
615 int krb5_net_write
616 	(krb5_context, int , const char *, int);
617 
618 krb5_error_code krb5_sendto_kdc
619 	(krb5_context, const krb5_data *, const krb5_data *,
620 	   krb5_data *, int *, int);
621 
622 krb5_error_code krb5_get_krbhst
623 	(krb5_context, const krb5_data *, char ***);
624 
625 krb5_error_code krb5_free_krbhst
626 	(krb5_context, char * const *);
627 
628 krb5_error_code krb5_gen_replay_name
629     (krb5_context, const krb5_address *, const char *, char **);
630 
631 krb5_error_code krb5_create_secure_file
632 	(krb5_context, const char * pathname);
633 
634 #ifndef	_KERNEL
635 krb5_error_code krb5_sync_disk_file
636 	(krb5_context, FILE *fp);
637 
638 krb5_error_code
639 krb5_open_pkcs11_session(CK_SESSION_HANDLE *);
640 #endif
641 
642 
643 krb5_error_code krb5_read_message
644 	(krb5_context, krb5_pointer, krb5_data *);
645 
646 krb5_error_code krb5_write_message
647 	(krb5_context, krb5_pointer, krb5_data *);
648 
649 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
650 
651 krb5_error_code krb5_os_init_context
652         (krb5_context);
653 
654 void krb5_os_free_context (krb5_context);
655 
656 /* This function is needed by KfM's KerberosPreferences API
657  * because it needs to be able to specify "secure" */
658 #ifndef _KERNEL
659 krb5_error_code os_get_default_config_files
660     (profile_filespec_t **pfiles, krb5_boolean secure);
661 #endif
662 
663 krb5_error_code krb5_find_config_files(void);
664 
665 krb5_error_code krb5_os_hostaddr
666     (krb5_context, const char *, krb5_address ***);
667 
668 #ifndef _KERNEL
669 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
670  * going to use this structure.  */
671 struct addrlist {
672 	struct addrinfo **addrs;
673 	int naddrs;
674 	int space;
675 };
676 
677 #define	ADDRLIST_INIT { 0, 0, 0 }
678 extern void krb5int_free_addrlist (struct addrlist *);
679 extern int krb5int_grow_addrlist (struct addrlist *, int);
680 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
681 			int, int, int, int);
682 
683 krb5_error_code
684 krb5int_locate_server (krb5_context,
685 		       const krb5_data *realm,
686 		       struct addrlist *,
687 		       /* Only meaningful for kdc, really...  */
688 		       int want_masters,
689 		       /* look up [realms]->$realm->$name in krb5.conf */
690 		       const char *profilename,
691 		       /* SRV record lookup */
692 		       const char *dnsname,
693 		       int is_stream_service,
694 		       /* Port numbers, in network order!  For profile
695 			  version only, DNS code gets port numbers
696 			  itself.  Use 0 for dflport2 if there's no
697 			  secondary port (most common, except kdc
698 			  case).  */
699 		       int dflport1, int dflport2,
700 		       int family);
701 
702 #endif /* _KERNEL */
703 
704 #endif /* KRB5_LIBOS_PROTO__ */
705 
706 /* new encryption provider api */
707 
708 struct krb5_enc_provider {
709 
710     /* keybytes is the input size to make_key;
711        keylength is the output size */
712     size_t block_size, keybytes, keylength;
713 
714     /* cipher-state == 0 fresh state thrown away at end */
715     krb5_error_code (*encrypt) (
716 	krb5_context context,
717 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
718 	krb5_const krb5_data *input, krb5_data *output);
719 
720     krb5_error_code (*decrypt) (
721 	krb5_context context,
722 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
723 	krb5_const krb5_data *input, krb5_data *output);
724 
725     krb5_error_code (*make_key)
726     (krb5_context, krb5_const krb5_data *, krb5_keyblock *);
727 
728     krb5_error_code (*init_state) (krb5_context,
729 			const krb5_keyblock *,
730 			krb5_keyusage, krb5_data *);
731     krb5_error_code (*free_state) (krb5_context, krb5_data *);
732 
733 };
734 
735 struct krb5_hash_provider {
736     size_t hashsize, blocksize;
737 
738     /* this takes multiple inputs to avoid lots of copying. */
739     krb5_error_code (*hash) (krb5_context context,
740 	unsigned int icount, krb5_const krb5_data *input,
741 	krb5_data *output);
742 };
743 
744 struct krb5_keyhash_provider {
745     size_t hashsize;
746 
747     krb5_error_code (*hash) (
748 	krb5_context context,
749 	krb5_const krb5_keyblock *key,
750 	krb5_keyusage keyusage,
751 	krb5_const krb5_data *ivec,
752 	krb5_const krb5_data *input, krb5_data *output);
753 
754     krb5_error_code (*verify) (
755 	krb5_context context,
756 	krb5_const krb5_keyblock *key,
757 	krb5_keyusage keyusage,
758 	krb5_const krb5_data *ivec,
759 	krb5_const krb5_data *input,
760 	krb5_const krb5_data *hash,
761 	krb5_boolean *valid);
762 
763 };
764 
765 typedef void (*krb5_encrypt_length_func) (
766   krb5_const struct krb5_enc_provider *enc,
767   krb5_const struct krb5_hash_provider *hash,
768   size_t inputlen, size_t *length);
769 
770 typedef krb5_error_code (*krb5_crypt_func) (
771   krb5_context context,
772   krb5_const struct krb5_enc_provider *enc,
773   krb5_const struct krb5_hash_provider *hash,
774   krb5_const krb5_keyblock *key, krb5_keyusage usage,
775   krb5_const krb5_data *ivec,
776   krb5_const krb5_data *input, krb5_data *output);
777 
778 #ifndef	_KERNEL
779 typedef krb5_error_code (*krb5_str2key_func) (
780   krb5_context context,
781   krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
782   krb5_const krb5_data *salt, krb5_const krb5_data *params,
783   krb5_keyblock *key);
784 #endif	/* _KERNEL */
785 
786 struct krb5_keytypes {
787     krb5_enctype etype;
788     char *in_string;
789     char *out_string;
790     const struct krb5_enc_provider *enc;
791     const struct krb5_hash_provider *hash;
792     krb5_encrypt_length_func encrypt_len;
793     krb5_crypt_func encrypt;
794     krb5_crypt_func decrypt;
795     krb5_cksumtype required_ctype;
796 #ifndef	_KERNEL
797     /* Solaris Kerberos:  strings to key conversion not done in the kernel */
798     krb5_str2key_func str2key;
799 #else	/* _KERNEL */
800     char *mt_e_name;
801     char *mt_h_name;
802     crypto_mech_type_t kef_cipher_mt;
803     crypto_mech_type_t kef_hash_mt;
804 #endif	/* _KERNEL */
805 };
806 
807 
808 struct krb5_cksumtypes {
809     krb5_cksumtype ctype;
810     unsigned int flags;
811     char *in_string;
812     char *out_string;
813     /* if the hash is keyed, this is the etype it is keyed with.
814        Actually, it can be keyed by any etype which has the same
815        enc_provider as the specified etype.  DERIVE checksums can
816        be keyed with any valid etype. */
817     krb5_enctype keyed_etype;
818     /* I can't statically initialize a union, so I'm just going to use
819        two pointers here.  The keyhash is used if non-NULL.  If NULL,
820        then HMAC/hash with derived keys is used if the relevant flag
821        is set.  Otherwise, a non-keyed hash is computed.  This is all
822        kind of messy, but so is the krb5 api. */
823     const struct krb5_keyhash_provider *keyhash;
824     const struct krb5_hash_provider *hash;
825     /* This just gets uglier and uglier.  In the key derivation case,
826 	we produce an hmac.  To make the hmac code work, we can't hack
827 	the output size indicated by the hash provider, but we may want
828 	a truncated hmac.  If we want truncation, this is the number of
829 	bytes we truncate to; it should be 0 otherwise.	*/
830     unsigned int trunc_size;
831 #ifdef _KERNEL
832     char *mt_c_name;
833     crypto_mech_type_t kef_cksum_mt;
834 #endif /* _KERNEL */
835 };
836 
837 #define KRB5_CKSUMFLAG_DERIVE		0x0001
838 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF	0x0002
839 
840 krb5_error_code krb5int_des_init_state(
841 	krb5_context,
842 	const krb5_keyblock *,
843 	krb5_keyusage, krb5_data *);
844 
845 krb5_error_code krb5int_c_mandatory_cksumtype(
846 	krb5_context,
847 	krb5_enctype,
848 	krb5_cksumtype *);
849 
850 /*
851  * normally to free a cipher_state you can just memset the length to zero and
852  * free it.
853  */
854 krb5_error_code krb5int_default_free_state(krb5_context, krb5_data *);
855 
856 /*
857  * Combine two keys (normally used by the hardware preauth mechanism)
858  */
859 krb5_error_code krb5int_c_combine_keys
860 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
861 		krb5_keyblock *outkey);
862 /*
863  * in here to deal with stuff from lib/crypto
864  */
865 
866 void krb5_nfold (int inbits, krb5_const unsigned char *in,
867 		int outbits, unsigned char *out);
868 
869 #ifdef _KERNEL
870 
871 int k5_ef_crypto(
872 	const char *, char *,
873 	long, krb5_keyblock *,
874 	const krb5_data *, int);
875 
876 krb5_error_code
877 krb5_hmac(krb5_context, const krb5_keyblock *,
878 	krb5_const krb5_data *, krb5_data *);
879 
880 #else
881 krb5_error_code krb5_hmac
882 	(krb5_context,
883 	krb5_const struct krb5_hash_provider *,
884 	krb5_const krb5_keyblock *, krb5_const unsigned int,
885 	krb5_const krb5_data *, krb5_data *);
886 
887 #endif /* _KERNEL */
888 
889 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
890 		const krb5_data *,
891 		unsigned long,
892 		krb5_enctype,
893 		const krb5_data *,
894 		const krb5_data *);
895 
896 /* Make this a function eventually?  */
897 #ifdef WIN32
898 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
899 #else
900 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len)
901 # if defined(__GNUC__) && defined(__GLIBC__)
902 /* GNU libc generates multiple bogus initialization warnings if we
903    pass memset a volatile pointer.  The compiler should do well enough
904    with memset even without GNU libc's attempt at optimization.  */
905 # undef memset
906 # endif
907 #endif /* WIN32 */
908 #define zap(p,l) krb5int_zap_data(p,l)
909 
910 
911 /*
912  * These declarations are here, so both krb5 and k5crypto
913  * can get to them.
914  * krb5 needs to get to them so it can  make them available to libgssapi.
915  */
916 extern const struct krb5_enc_provider krb5int_enc_arcfour;
917 extern const struct krb5_hash_provider krb5int_hash_md5;
918 
919 
920 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */
921 
922 krb5_error_code krb5_crypto_us_timeofday
923     (krb5_int32  *, krb5_int32  *);
924 
925 /* #endif KRB5_OLD_CRYPTO */
926 
927 /* this helper fct is in libkrb5, but it makes sense declared here. */
928 
929 krb5_error_code krb5_encrypt_helper
930 	(krb5_context context, krb5_const krb5_keyblock *key,
931 	krb5_keyusage usage, krb5_const krb5_data *plain,
932 	krb5_enc_data *cipher);
933 
934 /*
935  * End "los-proto.h"
936  */
937 
938 /*
939  * Include the KDB definitions.
940  */
941 #ifndef _KERNEL
942 #include <krb5/kdb.h>
943 #endif /* !_KERNEL */
944 /*
945  * Begin "libos.h"
946  */
947 #ifndef KRB5_LIBOS__
948 #define KRB5_LIBOS__
949 
950 typedef struct _krb5_os_context {
951 	krb5_magic	magic;
952 	krb5_int32	time_offset;
953 	krb5_int32	usec_offset;
954 	krb5_int32	os_flags;
955 	char *		default_ccname;
956 } *krb5_os_context;
957 
958 /*
959  * Flags for the os_flags field
960  *
961  * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
962  * The intention is that this facility to correct the system clocks so
963  * that they reflect the "real" time, for systems where for some
964  * reason we can't set the system clock.  Instead we calculate the
965  * offset between the system time and real time, and store the offset
966  * in the os context so that we can correct the system clock as necessary.
967  *
968  * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
969  * returned as the time by the krb5 time routines.  This should only
970  * be used for testing purposes (obviously!)
971  */
972 #define KRB5_OS_TOFFSET_VALID	1
973 #define KRB5_OS_TOFFSET_TIME	2
974 
975 /* lock mode flags */
976 #define	KRB5_LOCKMODE_SHARED	0x0001
977 #define	KRB5_LOCKMODE_EXCLUSIVE	0x0002
978 #define	KRB5_LOCKMODE_DONTBLOCK	0x0004
979 #define	KRB5_LOCKMODE_UNLOCK	0x0008
980 
981 #endif /* KRB5_LIBOS__ */
982 /*
983  * End "libos.h"
984  */
985 
986 /*
987  * Define our view of the size of a DES key.
988  */
989 #define	KRB5_MIT_DES_KEYSIZE		8
990 
991 /*
992  * Define a couple of SHA1 constants
993  */
994 #define	SHS_DATASIZE	64
995 #define	SHS_DIGESTSIZE	20
996 
997 /*
998  * Check if des_int.h has been included before us.  If so, then check to see
999  * that our view of the DES key size is the same as des_int.h's.
1000  */
1001 #ifdef	MIT_DES_KEYSIZE
1002 #if	MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
1003 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
1004 #endif	/* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
1005 #endif	/* MIT_DES_KEYSIZE */
1006 
1007 #ifndef _KERNEL
1008 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are
1009  * defined.
1010  */
1011 #define PROVIDE_DES3_CBC_SHA 1
1012 #define PROVIDE_NIST_SHA 1
1013 
1014 #endif /* !_KERNEL */
1015 
1016 /*
1017  * Begin "preauth.h"
1018  *
1019  * (Originally written by Glen Machin at Sandia Labs.)
1020  */
1021 /*
1022  * Sandia National Laboratories also makes no representations about the
1023  * suitability of the modifications, or additions to this software for
1024  * any purpose.  It is provided "as is" without express or implied warranty.
1025  *
1026  */
1027 #ifndef KRB5_PREAUTH__
1028 #define KRB5_PREAUTH__
1029 
1030 typedef struct _krb5_pa_enc_ts {
1031     krb5_timestamp	patimestamp;
1032     krb5_int32		pausec;
1033 } krb5_pa_enc_ts;
1034 
1035 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1036     (krb5_context,
1037 	    krb5_pa_data *,
1038 	    krb5_etype_info,
1039 	    krb5_keyblock *,
1040 	    krb5_error_code ( * )(krb5_context,
1041 				  krb5_const krb5_enctype,
1042 				  krb5_data *,
1043 				  krb5_const_pointer,
1044 				  krb5_keyblock **),
1045 	    krb5_const_pointer,
1046 	    krb5_creds *,
1047 	    krb5_kdc_req *,
1048 	    krb5_pa_data **);
1049 
1050 typedef krb5_error_code (*krb5_preauth_process_proc)
1051     (krb5_context,
1052 	    krb5_pa_data *,
1053 	    krb5_kdc_req *,
1054 	    krb5_kdc_rep *,
1055 	    krb5_error_code ( * )(krb5_context,
1056 				  krb5_const krb5_enctype,
1057 				  krb5_data *,
1058 				  krb5_const_pointer,
1059 				  krb5_keyblock **),
1060 	    krb5_const_pointer,
1061 	    krb5_error_code ( * )(krb5_context,
1062 				  krb5_const krb5_keyblock *,
1063 				  krb5_const_pointer,
1064 				  krb5_kdc_rep * ),
1065 	    krb5_keyblock **,
1066 	    krb5_creds *,
1067 	    krb5_int32 *,
1068 	    krb5_int32 *);
1069 
1070 typedef struct _krb5_preauth_ops {
1071     krb5_magic magic;
1072     int     type;
1073     int	flags;
1074     krb5_preauth_obtain_proc	obtain;
1075     krb5_preauth_process_proc	process;
1076 } krb5_preauth_ops;
1077 
1078 void krb5_free_etype_info (krb5_context, krb5_etype_info);
1079 
1080 /*
1081  * Preauthentication property flags
1082  */
1083 #define KRB5_PREAUTH_FLAGS_ENCRYPT	0x00000001
1084 #define KRB5_PREAUTH_FLAGS_HARDWARE	0x00000002
1085 
1086 #endif /* KRB5_PREAUTH__ */
1087 /*
1088  * End "preauth.h"
1089  */
1090 
1091 krb5_error_code
1092 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1093 
1094 #ifndef _KERNEL /* needed for lib/krb5/krb/ */
1095 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1096     (krb5_context,
1097      krb5_principal,
1098      krb5_enctype,
1099      krb5_prompter_fct,
1100      void *prompter_data,
1101      krb5_data *salt,
1102      krb5_data *s2kparams,
1103      krb5_keyblock *as_key,
1104      void *gak_data);
1105 
1106 krb5_error_code KRB5_CALLCONV
1107 krb5_get_init_creds
1108 (krb5_context context,
1109 	krb5_creds *creds,
1110 	krb5_principal client,
1111 	krb5_prompter_fct prompter,
1112 	void *prompter_data,
1113 	krb5_deltat start_time,
1114 	char *in_tkt_service,
1115 	krb5_get_init_creds_opt *options,
1116 	krb5_gic_get_as_key_fct gak,
1117 	void *gak_data,
1118 	int *master,
1119 	krb5_kdc_rep **as_reply);
1120 
1121 void krb5int_populate_gic_opt (
1122      krb5_context, krb5_get_init_creds_opt *,
1123      krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1124      krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1125 
1126 krb5_error_code krb5_do_preauth
1127 	(krb5_context, krb5_kdc_req *,
1128 	krb5_pa_data **, krb5_pa_data ***,
1129 	krb5_data *, krb5_data *, krb5_enctype *,
1130 	krb5_keyblock *,
1131 	krb5_prompter_fct, void *,
1132 	krb5_gic_get_as_key_fct, void *);
1133 #endif /* _KERNEL */
1134 
1135 void KRB5_CALLCONV krb5_free_sam_challenge
1136 	(krb5_context, krb5_sam_challenge * );
1137 void KRB5_CALLCONV krb5_free_sam_challenge_2
1138 	(krb5_context, krb5_sam_challenge_2 * );
1139 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1140 	(krb5_context, krb5_sam_challenge_2_body *);
1141 void KRB5_CALLCONV krb5_free_sam_response
1142 	(krb5_context, krb5_sam_response * );
1143 void KRB5_CALLCONV krb5_free_sam_response_2
1144 	(krb5_context, krb5_sam_response_2 * );
1145 void KRB5_CALLCONV krb5_free_predicted_sam_response
1146 	(krb5_context, krb5_predicted_sam_response * );
1147 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1148 	(krb5_context, krb5_enc_sam_response_enc * );
1149 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1150 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1151 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1152 	(krb5_context, krb5_sam_challenge * );
1153 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1154 	(krb5_context, krb5_sam_challenge_2 * );
1155 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1156 	(krb5_context, krb5_sam_challenge_2_body * );
1157 void KRB5_CALLCONV krb5_free_sam_response_contents
1158 	(krb5_context, krb5_sam_response * );
1159 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1160 	(krb5_context, krb5_sam_response_2 *);
1161 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1162 	(krb5_context, krb5_predicted_sam_response * );
1163 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1164 	(krb5_context, krb5_enc_sam_response_enc * );
1165 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1166 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1167 
1168 void KRB5_CALLCONV krb5_free_pa_enc_ts
1169 	(krb5_context, krb5_pa_enc_ts *);
1170 
1171 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1172 #ifndef	_KERNEL
1173 #include "com_err.h"
1174 #endif /* _KERNEL */
1175 
1176 /*
1177  * Solaris Kerberos: moved from sendto_kdc.c so other code can reference
1178  */
1179 #define	DEFAULT_UDP_PREF_LIMIT   1465
1180 
1181 #ifndef	_KERNEL
1182 #include "profile.h"
1183 #include <strings.h>
1184 #endif /* _KERNEL */
1185 
1186 #define KEY_CHANGED(k1, k2) \
1187 (k1 == NULL || \
1188  k1 != k2 || \
1189  k1->enctype != k2->enctype || \
1190  k1->length != k2->length || \
1191  bcmp(k1->contents, k2->contents, k1->length))
1192 
1193 #ifndef _KERNEL
1194 typedef struct _arcfour_ctx {
1195 	CK_SESSION_HANDLE eSession; /* encrypt session handle */
1196 	CK_SESSION_HANDLE dSession; /* decrypt session handle */
1197 	CK_OBJECT_HANDLE  eKey; /* encrypt key object */
1198 	CK_OBJECT_HANDLE  dKey; /* decrype key object */
1199 	uchar_t           initialized;
1200 }arcfour_ctx_rec;
1201 
1202 #endif /* !_KERNEL */
1203 
1204 struct _krb5_context {
1205 	krb5_magic	magic;
1206 	krb5_enctype	*in_tkt_ktypes;
1207 	int		in_tkt_ktype_count;
1208 	krb5_enctype	*tgs_ktypes;
1209 	int		tgs_ktype_count;
1210         /* This used to be a void*, but since we always allocate them
1211            together (though in different source files), and the types
1212            are declared in the same header, might as well just combine
1213            them.
1214 
1215            The array[1] is so the existing code treating the field as
1216            a pointer will still work.  For cleanliness, it should
1217            eventually get changed to a single element instead of an
1218            array.  */
1219         struct _krb5_os_context os_context[1];
1220 	char		*default_realm;
1221 	int		ser_ctx_count;
1222 	krb5_boolean	profile_secure;
1223 	void	      	*ser_ctx;
1224 #ifndef _KERNEL
1225 	profile_t	profile;
1226 	void		*db_context;
1227 	void		*kdblog_context;
1228 	/* allowable clock skew */
1229 	krb5_deltat 	clockskew;
1230 	krb5_cksumtype	kdc_req_sumtype;
1231 	krb5_cksumtype	default_ap_req_sumtype;
1232 	krb5_cksumtype	default_safe_sumtype;
1233 	krb5_flags 	kdc_default_options;
1234 	krb5_flags	library_options;
1235 	int		fcc_default_format;
1236 	int		scc_default_format;
1237 	krb5_prompt_type *prompt_types;
1238 	/* Message size above which we'll try TCP first in send-to-kdc
1239 	   type code.  Aside from the 2**16 size limit, we put no
1240 	   absolute limit on the UDP packet size.  */
1241 	int		udp_pref_limit;
1242 
1243 	/* This is the tgs_ktypes list as read from the profile, or
1244 	   set to compiled-in defaults.	 The application code cannot
1245 	   override it.	 This is used for session keys for
1246 	   intermediate ticket-granting tickets used to acquire the
1247 	   requested ticket (the session key of which may be
1248 	   constrained by tgs_ktypes above).  */
1249 	krb5_enctype	*conf_tgs_ktypes;
1250 	int		conf_tgs_ktypes_count;
1251 
1252 	/* Use the _configured version?	 */
1253 	krb5_boolean	use_conf_ktypes;
1254 #ifdef KRB5_DNS_LOOKUP
1255 	krb5_boolean	profile_in_memory;
1256 #endif /* KRB5_DNS_LOOKUP */
1257 
1258 	pid_t pid;  /* fork safety: PID of process that did last PKCS11 init */
1259 
1260 	/* Solaris Kerberos: handles for PKCS#11 crypto */
1261 	/*
1262 	 * Warning, do not access hSession directly as this is not fork() safe.
1263 	 * Instead use the krb_ctx_hSession() macro below.
1264 	 */
1265 	CK_SESSION_HANDLE hSession;
1266 	int		cryptoki_initialized;
1267 
1268 	/* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */
1269 	arcfour_ctx_rec arcfour_ctx;
1270 #else /* ! KERNEL */
1271 	crypto_mech_type_t kef_cipher_mt;
1272 	crypto_mech_type_t kef_hash_mt;
1273 	crypto_mech_type_t kef_cksum_mt;
1274 #endif /* ! KERNEL */
1275 };
1276 
1277 #ifndef  _KERNEL
1278 extern pid_t __krb5_current_pid;
1279 
1280 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context);
1281 
1282 /*
1283  * fork safety: barring the ef_init code, every other function must use the
1284  * krb_ctx_hSession() macro to access the hSession field in a krb context.
1285  * Note, if the pid of the krb ctx == the current global pid then it is safe to
1286  * use the ctx hSession otherwise it needs to be re-inited before it is returned
1287  * to the caller.
1288  */
1289 #define krb_ctx_hSession(ctx) \
1290     ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx))
1291 #endif
1292 
1293 #define MD5_CKSUM_LENGTH 16
1294 #define RSA_MD5_CKSUM_LENGTH 16
1295 #define MD5_BLOCKSIZE 64
1296 
1297 
1298 /*
1299  * Solaris Kerberos:
1300  * This next section of prototypes and constants
1301  * are all unique to the Solaris Kerberos implementation.
1302  * Because Solaris uses the native encryption framework
1303  * to provide crypto support, the following routines
1304  * are needed to support this system.
1305  */
1306 
1307 /*
1308  * Begin Solaris Crypto Prototypes
1309  */
1310 
1311 /*
1312  * define constants that are used for creating the constant
1313  * which is used to make derived keys.
1314  */
1315 #define DK_ENCR_KEY_BYTE 0xAA
1316 #define DK_HASH_KEY_BYTE 0x55
1317 #define DK_CKSUM_KEY_BYTE 0x99
1318 
1319 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *,
1320 			krb5_keyblock *, krb5_keyusage,
1321 			krb5_keyblock **, krb5_keyblock **);
1322 
1323 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t,
1324 				krb5_keyblock *);
1325 
1326 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *);
1327 krb5_keyblock *krb5_create_derived_keyblock(int);
1328 
1329 #ifdef _KERNEL
1330 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *);
1331 
1332 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *,
1333         const krb5_data *, krb5_data *);
1334 
1335 void make_kef_key(krb5_keyblock *);
1336 int init_key_kef(crypto_mech_type_t, krb5_keyblock *);
1337 int update_key_template(krb5_keyblock *);
1338 void setup_kef_keytypes();
1339 void setup_kef_cksumtypes();
1340 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *);
1341 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *);
1342 
1343 #else
1344 /*
1345  * This structure is used to map Kerberos supported OID's,
1346  * to PKCS11 mechanisms
1347  */
1348 #define USE_ENCR	0x01
1349 #define	USE_HASH	0x02
1350 
1351 typedef struct krb5_mech_2_pkcs {
1352 	uchar_t		flags;
1353 	CK_MECHANISM_TYPE enc_algo;
1354 	CK_MECHANISM_TYPE hash_algo;
1355 	CK_MECHANISM_TYPE str2key_algo;
1356 } KRB5_MECH_TO_PKCS;
1357 
1358 #define ENC_DEFINED(x)	(((x).flags & USE_ENCR))
1359 #define HASH_DEFINED(x)	(((x).flags & USE_HASH))
1360 
1361 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos);
1362 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType);
1363 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid);
1364 
1365 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *);
1366 
1367 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *,
1368 	unsigned int, const krb5_data *, krb5_data *);
1369 
1370 krb5_error_code k5_ef_mac(krb5_context context,
1371 	krb5_keyblock *key, krb5_data *ivec,
1372 	krb5_const krb5_data *input, krb5_data *output);
1373 
1374 #endif	/* !_KERNEL */
1375 
1376 krb5_error_code
1377 derive_3des_keys(krb5_context, struct krb5_enc_provider *,
1378                 krb5_keyblock *, krb5_keyusage,
1379                 krb5_keyblock *, krb5_keyblock *);
1380 
1381 /*
1382  * End Solaris Crypto Prototypes
1383  */
1384 
1385 #define KRB5_LIBOPT_SYNC_KDCTIME	0x0001
1386 
1387 /* internal message representations */
1388 
1389 typedef struct _krb5_safe {
1390     krb5_magic magic;
1391     krb5_data user_data;                /* user data */
1392     krb5_timestamp timestamp;           /* client time, optional */
1393     krb5_int32 usec;                    /* microsecond portion of time,
1394                                            optional */
1395     krb5_ui_4 seq_number;               /* sequence #, optional */
1396     krb5_address *s_address;    /* sender address */
1397     krb5_address *r_address;    /* recipient address, optional */
1398     krb5_checksum *checksum;    /* data integrity checksum */
1399 } krb5_safe;
1400 
1401 typedef struct _krb5_priv {
1402     krb5_magic magic;
1403     krb5_enc_data enc_part;             /* encrypted part */
1404 } krb5_priv;
1405 
1406 typedef struct _krb5_priv_enc_part {
1407     krb5_magic magic;
1408     krb5_data user_data;                /* user data */
1409     krb5_timestamp timestamp;           /* client time, optional */
1410     krb5_int32 usec;                    /* microsecond portion of time, opt. */
1411     krb5_ui_4 seq_number;               /* sequence #, optional */
1412     krb5_address *s_address;    /* sender address */
1413     krb5_address *r_address;    /* recipient address, optional */
1414 } krb5_priv_enc_part;
1415 
1416 void KRB5_CALLCONV krb5_free_safe
1417         (krb5_context, krb5_safe * );
1418 void KRB5_CALLCONV krb5_free_priv
1419         (krb5_context, krb5_priv * );
1420 void KRB5_CALLCONV krb5_free_priv_enc_part
1421         (krb5_context, krb5_priv_enc_part * );
1422 
1423 /*
1424  * Begin "asn1.h"
1425  */
1426 #ifndef KRB5_ASN1__
1427 #define KRB5_ASN1__
1428 
1429 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1430 /* here we use some knowledge of ASN.1 encodings */
1431 /*
1432   Ticket is APPLICATION 1.
1433   Authenticator is APPLICATION 2.
1434   AS_REQ is APPLICATION 10.
1435   AS_REP is APPLICATION 11.
1436   TGS_REQ is APPLICATION 12.
1437   TGS_REP is APPLICATION 13.
1438   AP_REQ is APPLICATION 14.
1439   AP_REP is APPLICATION 15.
1440   KRB_SAFE is APPLICATION 20.
1441   KRB_PRIV is APPLICATION 21.
1442   KRB_CRED is APPLICATION 22.
1443   EncASRepPart is APPLICATION 25.
1444   EncTGSRepPart is APPLICATION 26.
1445   EncAPRepPart is APPLICATION 27.
1446   EncKrbPrivPart is APPLICATION 28.
1447   EncKrbCredPart is APPLICATION 29.
1448   KRB_ERROR is APPLICATION 30.
1449  */
1450 /* allow either constructed or primitive encoding, so check for bit 6
1451    set or reset */
1452 #define krb5_is_krb_ticket(dat)\
1453 	((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1454 				    (dat)->data[0] == 0x41))
1455 #define krb5_is_krb_authenticator(dat)\
1456 	((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1457 				    (dat)->data[0] == 0x42))
1458 #define krb5_is_as_req(dat)\
1459 	((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1460 				    (dat)->data[0] == 0x4a))
1461 #define krb5_is_as_rep(dat)\
1462 	((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1463 				    (dat)->data[0] == 0x4b))
1464 #define krb5_is_tgs_req(dat)\
1465 	((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1466 				    (dat)->data[0] == 0x4c))
1467 #define krb5_is_tgs_rep(dat)\
1468 	((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1469 				    (dat)->data[0] == 0x4d))
1470 #define krb5_is_ap_req(dat)\
1471 	((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1472 				    (dat)->data[0] == 0x4e))
1473 #define krb5_is_ap_rep(dat)\
1474 	((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1475 				    (dat)->data[0] == 0x4f))
1476 #define krb5_is_krb_safe(dat)\
1477 	((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1478 				    (dat)->data[0] == 0x54))
1479 #define krb5_is_krb_priv(dat)\
1480 	((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1481 				    (dat)->data[0] == 0x55))
1482 #define krb5_is_krb_cred(dat)\
1483 	((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1484 				    (dat)->data[0] == 0x56))
1485 #define krb5_is_krb_enc_as_rep_part(dat)\
1486 	((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1487 				    (dat)->data[0] == 0x59))
1488 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1489 	((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1490 				    (dat)->data[0] == 0x5a))
1491 #define krb5_is_krb_enc_ap_rep_part(dat)\
1492 	((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1493 				    (dat)->data[0] == 0x5b))
1494 #define krb5_is_krb_enc_krb_priv_part(dat)\
1495 	((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1496 				    (dat)->data[0] == 0x5c))
1497 #define krb5_is_krb_enc_krb_cred_part(dat)\
1498 	((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1499 				    (dat)->data[0] == 0x5d))
1500 #define krb5_is_krb_error(dat)\
1501 	((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1502 				    (dat)->data[0] == 0x5e))
1503 
1504 /*************************************************************************
1505  * Prototypes for krb5_encode.c
1506  *************************************************************************/
1507 
1508 /*
1509    krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1510 					 krb5_data **code);
1511    modifies  *code
1512    effects   Returns the ASN.1 encoding of *rep in **code.
1513              Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1514              Returns ENOMEM if memory runs out.
1515 */
1516 
1517 krb5_error_code encode_krb5_authenticator
1518 	(const krb5_authenticator *rep, krb5_data **code);
1519 
1520 krb5_error_code encode_krb5_ticket
1521 	(const krb5_ticket *rep, krb5_data **code);
1522 
1523 krb5_error_code encode_krb5_encryption_key
1524 	(const krb5_keyblock *rep, krb5_data **code);
1525 
1526 krb5_error_code encode_krb5_enc_tkt_part
1527 	(const krb5_enc_tkt_part *rep, krb5_data **code);
1528 
1529 krb5_error_code encode_krb5_enc_kdc_rep_part
1530 	(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1531 
1532 /* yes, the translation is identical to that used for KDC__REP */
1533 krb5_error_code encode_krb5_as_rep
1534 	(const krb5_kdc_rep *rep, krb5_data **code);
1535 
1536 /* yes, the translation is identical to that used for KDC__REP */
1537 krb5_error_code encode_krb5_tgs_rep
1538 	(const krb5_kdc_rep *rep, krb5_data **code);
1539 
1540 krb5_error_code encode_krb5_ap_req
1541 	(const krb5_ap_req *rep, krb5_data **code);
1542 
1543 krb5_error_code encode_krb5_ap_rep
1544 	(const krb5_ap_rep *rep, krb5_data **code);
1545 
1546 krb5_error_code encode_krb5_ap_rep_enc_part
1547 	(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1548 
1549 krb5_error_code encode_krb5_as_req
1550 	(const krb5_kdc_req *rep, krb5_data **code);
1551 
1552 krb5_error_code encode_krb5_tgs_req
1553 	(const krb5_kdc_req *rep, krb5_data **code);
1554 
1555 krb5_error_code encode_krb5_kdc_req_body
1556 	(const krb5_kdc_req *rep, krb5_data **code);
1557 
1558 krb5_error_code encode_krb5_safe
1559 	(const krb5_safe *rep, krb5_data **code);
1560 
1561 krb5_error_code encode_krb5_safe_with_body
1562 	(const krb5_safe *rep, const krb5_data *body, krb5_data **code);
1563 
1564 krb5_error_code encode_krb5_priv
1565 	(const krb5_priv *rep, krb5_data **code);
1566 
1567 krb5_error_code encode_krb5_enc_priv_part
1568 	(const krb5_priv_enc_part *rep, krb5_data **code);
1569 
1570 krb5_error_code encode_krb5_cred
1571 	(const krb5_cred *rep, krb5_data **code);
1572 
1573 krb5_error_code encode_krb5_enc_cred_part
1574 	(const krb5_cred_enc_part *rep, krb5_data **code);
1575 
1576 krb5_error_code encode_krb5_error
1577 	(const krb5_error *rep, krb5_data **code);
1578 
1579 krb5_error_code encode_krb5_authdata
1580 	(const krb5_authdata **rep, krb5_data **code);
1581 
1582 krb5_error_code encode_krb5_pwd_sequence
1583 	(const passwd_phrase_element *rep, krb5_data **code);
1584 
1585 krb5_error_code encode_krb5_pwd_data
1586 	(const krb5_pwd_data *rep, krb5_data **code);
1587 
1588 krb5_error_code encode_krb5_padata_sequence
1589 	(const krb5_pa_data ** rep, krb5_data **code);
1590 
1591 krb5_error_code encode_krb5_alt_method
1592 	(const krb5_alt_method *, krb5_data **code);
1593 
1594 krb5_error_code encode_krb5_etype_info
1595 	(const krb5_etype_info_entry **, krb5_data **code);
1596 
1597 krb5_error_code encode_krb5_etype_info2
1598 	(const krb5_etype_info_entry **, krb5_data **code);
1599 
1600 krb5_error_code encode_krb5_enc_data
1601     	(const krb5_enc_data *, krb5_data **);
1602 
1603 krb5_error_code encode_krb5_pa_enc_ts
1604     	(const krb5_pa_enc_ts *, krb5_data **);
1605 
1606 krb5_error_code encode_krb5_sam_challenge
1607 	(const krb5_sam_challenge * , krb5_data **);
1608 
1609 krb5_error_code encode_krb5_sam_key
1610 	(const krb5_sam_key * , krb5_data **);
1611 
1612 krb5_error_code encode_krb5_enc_sam_response_enc
1613 	(const krb5_enc_sam_response_enc * , krb5_data **);
1614 
1615 krb5_error_code encode_krb5_sam_response
1616 	(const krb5_sam_response * , krb5_data **);
1617 
1618 krb5_error_code encode_krb5_predicted_sam_response
1619 	(const krb5_predicted_sam_response * , krb5_data **);
1620 
1621 krb5_error_code encode_krb5_sam_challenge_2
1622 	(const krb5_sam_challenge_2 * , krb5_data **);
1623 
1624 krb5_error_code encode_krb5_sam_challenge_2_body
1625 	(const krb5_sam_challenge_2_body * , krb5_data **);
1626 
1627 krb5_error_code encode_krb5_enc_sam_response_enc_2
1628 	(const krb5_enc_sam_response_enc_2 * , krb5_data **);
1629 
1630 krb5_error_code encode_krb5_sam_response_2
1631 	(const krb5_sam_response_2 * , krb5_data **);
1632 
1633 krb5_error_code encode_krb5_setpw_req
1634         (const krb5_principal target, char *password, krb5_data **code);
1635 
1636 /*************************************************************************
1637  * End of prototypes for krb5_encode.c
1638  *************************************************************************/
1639 
1640 /*************************************************************************
1641  * Prototypes for krb5_decode.c
1642  *************************************************************************/
1643 
1644 /*
1645    krb5_error_code decode_krb5_structure(const krb5_data *code,
1646                                          krb5_structure **rep);
1647 
1648    requires  Expects **rep to not have been allocated;
1649               a new *rep is allocated regardless of the old value.
1650    effects   Decodes *code into **rep.
1651 	     Returns ENOMEM if memory is exhausted.
1652              Returns asn1 and krb5 errors.
1653 */
1654 
1655 krb5_error_code decode_krb5_authenticator
1656 	(const krb5_data *code, krb5_authenticator **rep);
1657 
1658 krb5_error_code decode_krb5_ticket
1659 	(const krb5_data *code, krb5_ticket **rep);
1660 
1661 krb5_error_code decode_krb5_encryption_key
1662 	(const krb5_data *output, krb5_keyblock **rep);
1663 
1664 krb5_error_code decode_krb5_enc_tkt_part
1665 	(const krb5_data *output, krb5_enc_tkt_part **rep);
1666 
1667 krb5_error_code decode_krb5_enc_kdc_rep_part
1668 	(const krb5_data *output, krb5_enc_kdc_rep_part **rep);
1669 
1670 krb5_error_code decode_krb5_as_rep
1671 	(const krb5_data *output, krb5_kdc_rep **rep);
1672 
1673 krb5_error_code decode_krb5_tgs_rep
1674 	(const krb5_data *output, krb5_kdc_rep **rep);
1675 
1676 krb5_error_code decode_krb5_ap_req
1677 	(const krb5_data *output, krb5_ap_req **rep);
1678 
1679 krb5_error_code decode_krb5_ap_rep
1680 	(const krb5_data *output, krb5_ap_rep **rep);
1681 
1682 krb5_error_code decode_krb5_ap_rep_enc_part
1683 	(const krb5_data *output, krb5_ap_rep_enc_part **rep);
1684 
1685 krb5_error_code decode_krb5_as_req
1686 	(const krb5_data *output, krb5_kdc_req **rep);
1687 
1688 krb5_error_code decode_krb5_tgs_req
1689 	(const krb5_data *output, krb5_kdc_req **rep);
1690 
1691 krb5_error_code decode_krb5_kdc_req_body
1692 	(const krb5_data *output, krb5_kdc_req **rep);
1693 
1694 krb5_error_code decode_krb5_safe
1695 	(const krb5_data *output, krb5_safe **rep);
1696 
1697 krb5_error_code decode_krb5_safe_with_body
1698 	(const krb5_data *output, krb5_safe **rep, krb5_data *body);
1699 
1700 krb5_error_code decode_krb5_priv
1701 	(const krb5_data *output, krb5_priv **rep);
1702 
1703 krb5_error_code decode_krb5_enc_priv_part
1704 	(const krb5_data *output, krb5_priv_enc_part **rep);
1705 
1706 krb5_error_code decode_krb5_cred
1707 	(const krb5_data *output, krb5_cred **rep);
1708 
1709 krb5_error_code decode_krb5_enc_cred_part
1710 	(const krb5_data *output, krb5_cred_enc_part **rep);
1711 
1712 krb5_error_code decode_krb5_error
1713 	(const krb5_data *output, krb5_error **rep);
1714 
1715 krb5_error_code decode_krb5_authdata
1716 	(const krb5_data *output, krb5_authdata ***rep);
1717 
1718 krb5_error_code decode_krb5_pwd_sequence
1719 	(const krb5_data *output, passwd_phrase_element **rep);
1720 
1721 krb5_error_code decode_krb5_pwd_data
1722 	(const krb5_data *output, krb5_pwd_data **rep);
1723 
1724 krb5_error_code decode_krb5_padata_sequence
1725 	(const krb5_data *output, krb5_pa_data ***rep);
1726 
1727 krb5_error_code decode_krb5_alt_method
1728 	(const krb5_data *output, krb5_alt_method **rep);
1729 
1730 krb5_error_code decode_krb5_etype_info
1731 	(const krb5_data *output, krb5_etype_info_entry ***rep);
1732 
1733 krb5_error_code decode_krb5_etype_info2
1734 	(const krb5_data *output, krb5_etype_info_entry ***rep);
1735 
1736 krb5_error_code decode_krb5_enc_data
1737 	(const krb5_data *output, krb5_enc_data **rep);
1738 
1739 krb5_error_code decode_krb5_pa_enc_ts
1740 	(const krb5_data *output, krb5_pa_enc_ts **rep);
1741 
1742 krb5_error_code decode_krb5_sam_challenge
1743 	(const krb5_data *, krb5_sam_challenge **);
1744 
1745 krb5_error_code decode_krb5_sam_key
1746 	(const krb5_data *, krb5_sam_key **);
1747 
1748 krb5_error_code decode_krb5_enc_sam_response_enc
1749 	(const krb5_data *, krb5_enc_sam_response_enc **);
1750 
1751 krb5_error_code decode_krb5_sam_response
1752 	(const krb5_data *, krb5_sam_response **);
1753 
1754 krb5_error_code decode_krb5_predicted_sam_response
1755 	(const krb5_data *, krb5_predicted_sam_response **);
1756 
1757 krb5_error_code decode_krb5_sam_challenge_2
1758 	(const krb5_data *, krb5_sam_challenge_2 **);
1759 
1760 krb5_error_code decode_krb5_sam_challenge_2_body
1761 	(const krb5_data *, krb5_sam_challenge_2_body **);
1762 
1763 krb5_error_code decode_krb5_enc_sam_response_enc_2
1764 	(const krb5_data *, krb5_enc_sam_response_enc_2 **);
1765 
1766 krb5_error_code decode_krb5_sam_response_2
1767 	(const krb5_data *, krb5_sam_response_2 **);
1768 
1769 
1770 /*************************************************************************
1771  * End of prototypes for krb5_decode.c
1772  *************************************************************************/
1773 
1774 #endif /* KRB5_ASN1__ */
1775 /*
1776  * End "asn1.h"
1777  */
1778 
1779 
1780 /*
1781  * Internal krb5 library routines
1782  */
1783 krb5_error_code krb5_encrypt_tkt_part
1784 	(krb5_context,
1785 	   krb5_const krb5_keyblock *,
1786 	   krb5_ticket *);
1787 
1788 
1789 krb5_error_code krb5_encode_kdc_rep
1790 	(krb5_context,
1791 	   krb5_const krb5_msgtype,
1792 	   krb5_const krb5_enc_kdc_rep_part *,
1793 	   int using_subkey,
1794 	   krb5_const krb5_keyblock *,
1795 	   krb5_kdc_rep *,
1796 	   krb5_data ** );
1797 
1798 krb5_error_code krb5_validate_times
1799 	(krb5_context, krb5_ticket_times *);
1800 
1801 krb5_boolean krb5int_auth_con_chkseqnum
1802 	(krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
1803 
1804 /*
1805  * [De]Serialization Handle and operations.
1806  */
1807 struct __krb5_serializer {
1808     krb5_magic		odtype;
1809     krb5_error_code	(*sizer) (krb5_context,
1810 				  krb5_pointer,
1811 				  size_t *);
1812     krb5_error_code	(*externalizer) (krb5_context,
1813 					 krb5_pointer,
1814 					 krb5_octet **,
1815 					 size_t *);
1816     krb5_error_code	(*internalizer) (krb5_context,
1817 					 krb5_pointer *,
1818 					 krb5_octet **,
1819 					 size_t *);
1820 };
1821 typedef struct __krb5_serializer * krb5_ser_handle;
1822 typedef struct __krb5_serializer krb5_ser_entry;
1823 
1824 krb5_ser_handle krb5_find_serializer
1825 	(krb5_context,
1826 		krb5_magic);
1827 krb5_error_code krb5_register_serializer
1828 	(krb5_context,
1829 			const krb5_ser_entry *);
1830 
1831 /* Determine the external size of a particular opaque structure */
1832 krb5_error_code KRB5_CALLCONV krb5_size_opaque
1833 	(krb5_context,
1834 		krb5_magic,
1835 		krb5_pointer,
1836 		size_t *);
1837 
1838 /* Serialize the structure into a buffer */
1839 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
1840 	(krb5_context,
1841 	krb5_magic,
1842 	krb5_pointer,
1843 	krb5_octet * *,
1844 	size_t *);
1845 
1846 /* Deserialize the structure from a buffer */
1847 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
1848 	(krb5_context,
1849 		krb5_magic,
1850 		krb5_pointer *,
1851 		krb5_octet **,
1852 		size_t *);
1853 
1854 /* Serialize data into a buffer */
1855 krb5_error_code krb5_externalize_data
1856 	(krb5_context,
1857 		krb5_pointer,
1858 		krb5_octet **,
1859 		size_t *);
1860 /*
1861  * Initialization routines.
1862  */
1863 
1864 /* Initialize serialization for krb5_[os_]context */
1865 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
1866 	(krb5_context);
1867 
1868 /* Initialize serialization for krb5_auth_context */
1869 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
1870 	(krb5_context);
1871 
1872 /* Initialize serialization for krb5_keytab */
1873 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
1874 	(krb5_context);
1875 
1876 /* Initialize serialization for krb5_ccache */
1877 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
1878 	(krb5_context);
1879 
1880 /* Initialize serialization for krb5_rcache */
1881 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
1882 	(krb5_context);
1883 
1884 /* [De]serialize 4-byte integer */
1885 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
1886 	(krb5_int32,
1887 		krb5_octet **,
1888 		size_t *);
1889 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
1890 	(krb5_int32 *,
1891 		krb5_octet **,
1892 		size_t *);
1893 /* [De]serialize 8-byte integer */
1894 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
1895 	(krb5_int64, krb5_octet * *, size_t *);
1896 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
1897 	(krb5_int64 *, krb5_octet **, size_t *);
1898 /* [De]serialize byte string */
1899 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
1900 	(krb5_octet *,
1901 		size_t,
1902 		krb5_octet **,
1903 		size_t *);
1904 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
1905 	(krb5_octet *,
1906 		size_t,
1907 		krb5_octet **,
1908 		size_t *);
1909 
1910 
1911 krb5_error_code KRB5_CALLCONV krb5int_cc_default
1912 	(krb5_context, krb5_ccache *);
1913 
1914 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
1915 	(krb5_context, krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *);
1916 
1917 void krb5int_set_prompt_types
1918 	(krb5_context, krb5_prompt_type *);
1919 
1920 krb5_error_code
1921 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
1922 		krb5_keyblock * /* Old keyblock, not new!  */);
1923 
1924 /* set and change password helpers */
1925 
1926 krb5_error_code krb5int_mk_chpw_req
1927         (krb5_context context, krb5_auth_context auth_context,
1928              krb5_data *ap_req, char *passwd, krb5_data *packet);
1929 krb5_error_code krb5int_rd_chpw_rep
1930         (krb5_context context, krb5_auth_context auth_context,
1931                        krb5_data *packet, int *result_code,
1932                        krb5_data *result_data);
1933 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
1934         (krb5_context context, int result_code,
1935                         char **result_codestr);
1936 krb5_error_code  krb5int_mk_setpw_req
1937         (krb5_context context, krb5_auth_context auth_context,
1938              krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
1939 krb5_error_code krb5int_rd_setpw_rep
1940         (krb5_context context, krb5_auth_context auth_context,
1941                        krb5_data *packet, int *result_code,
1942                        krb5_data *result_data);
1943 
1944 krb5_error_code krb5int_setpw_result_code_string
1945         (krb5_context context, int result_code,
1946                        const char **result_codestr);
1947 
1948 struct srv_dns_entry {
1949 	struct srv_dns_entry *next;
1950 	int priority;
1951 	int weight;
1952 	unsigned short port;
1953 	char *host;
1954 };
1955 
1956 krb5_error_code
1957 krb5int_make_srv_query_realm(const krb5_data *realm,
1958 	const char *service,
1959 	const char *protocol,
1960 	struct srv_dns_entry **answers);
1961 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
1962 
1963 /*
1964  * Convenience function for structure magic number
1965  */
1966 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
1967     if ((structure)->magic != (magic_number)) return (magic_number);
1968 
1969 
1970 /* SUNW14resync XXX - see k5-util.h */
1971 #if 0
1972 int krb5_seteuid  (int);
1973 #endif
1974 
1975 char * krb5_getenv(const char *);
1976 int krb5_setenv  (const char *, const char *, int);
1977 void krb5_unsetenv  (const char *);
1978 
1979 
1980 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it
1981    for future resync sake */
1982 
1983 /* To keep happy libraries which are (for now) accessing internal stuff */
1984 
1985 /* Make sure to increment by one when changing the struct */
1986 #define KRB5INT_ACCESS_STRUCT_VERSION 9
1987 
1988 #ifndef ANAME_SZ
1989 struct ktext;                   /* from krb.h, for krb524 support */
1990 #endif
1991 typedef struct _krb5int_access {
1992     /* crypto stuff */
1993     const struct krb5_hash_provider *md5_hash_provider;
1994     const struct krb5_enc_provider *arcfour_enc_provider;
1995     krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
1996                                    const krb5_keyblock *key,
1997                                    unsigned int icount, const krb5_data *input,
1998                                    krb5_data *output);
1999     /* service location and communication */
2000 #ifndef _KERNEL
2001     krb5_error_code (*locate_server) (krb5_context, const krb5_data *,
2002                                       struct addrlist *, int,
2003                                       const char *, const char *,
2004                                       int, int, int, int);
2005     krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
2006                                    const struct addrlist *, krb5_data *reply,
2007                                    struct sockaddr *, socklen_t *, int *);
2008     krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2009                                         const char *hostname,
2010                                         int port, int secport,
2011                                         int socktype, int family);
2012     void (*free_addrlist) (struct addrlist *);
2013 #endif /* _KERNEL */
2014 
2015 
2016     krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2017                                             const char *service,
2018                                             const char *protocol,
2019                                             struct srv_dns_entry **answers);
2020     void (*free_srv_dns_data)(struct srv_dns_entry *);
2021     int (*use_dns_kdc)(krb5_context);
2022 
2023     /* krb4 compatibility stuff -- may be null if not enabled */
2024     krb5_int32 (*krb_life_to_time)(krb5_int32, int);
2025     int (*krb_time_to_life)(krb5_int32, krb5_int32);
2026     int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
2027     krb5_error_code (*krb5int_c_mandatory_cksumtype)
2028         (krb5_context, krb5_enctype, krb5_cksumtype *);
2029     krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
2030         (krb5_int64, krb5_octet **, size_t *);
2031     krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
2032         (krb5_int64 *, krb5_octet **, size_t *);
2033 } krb5int_access;
2034 
2035 #define KRB5INT_ACCESS_VERSION \
2036     (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2037                    (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2038 
2039 krb5_error_code KRB5_CALLCONV krb5int_accessor
2040         (krb5int_access*, krb5_int32);
2041 
2042 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2043    because AFS (and potentially other applications?) use the krb4
2044    object as an opaque token, which (in some implementations) is not
2045    in fact a krb4 ticket, so we don't want to drag in the krb4 support
2046    just to enable this.  */
2047 
2048 #define KRB524_SERVICE "krb524"
2049 #define KRB524_PORT 4444
2050 
2051 /* v4lifetime.c */
2052 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
2053 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
2054 
2055 /* conv_creds.c */
2056 int krb5int_encode_v4tkt
2057         (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
2058 
2059 /* send524.c */
2060 int krb5int_524_sendto_kdc
2061         (krb5_context context, const krb5_data * message,
2062          const krb5_data * realm, krb5_data * reply,
2063          struct sockaddr *, socklen_t *);
2064 
2065 /* temporary -- this should be under lib/krb5/ccache somewhere */
2066 
2067 struct _krb5_ccache {
2068     krb5_magic magic;
2069     const struct _krb5_cc_ops *ops;
2070     krb5_pointer data;
2071 };
2072 
2073 struct _krb5_cc_ops {
2074     krb5_magic magic;
2075     char *prefix;
2076     const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
2077     krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
2078                                             const char *);
2079     krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2080     krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2081                                             krb5_principal);
2082     krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2083     krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2084     krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2085                                             krb5_creds *);
2086     krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2087                                             krb5_flags, krb5_creds *,
2088                                             krb5_creds *);
2089     krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2090                                             krb5_principal *);
2091     krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2092                                             krb5_cc_cursor *);
2093     krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2094                                             krb5_cc_cursor *, krb5_creds *);
2095     krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2096                                             krb5_cc_cursor *);
2097     krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2098                                             krb5_flags, krb5_creds *);
2099     krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2100                                             krb5_flags);
2101 };
2102 
2103 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2104 
2105 typedef struct _krb5_donot_replay {
2106     krb5_magic magic;
2107     krb5_ui_4 hash;
2108     char *server;                       /* null-terminated */
2109     char *client;                       /* null-terminated */
2110     krb5_int32 cusec;
2111     krb5_timestamp ctime;
2112 } krb5_donot_replay;
2113 
2114 krb5_error_code krb5_rc_default
2115         (krb5_context,
2116                 krb5_rcache *);
2117 krb5_error_code krb5_rc_resolve_type
2118         (krb5_context,
2119                 krb5_rcache *,char *);
2120 krb5_error_code krb5_rc_resolve_full
2121         (krb5_context,
2122                 krb5_rcache *,char *);
2123 char * krb5_rc_get_type
2124         (krb5_context,
2125                 krb5_rcache);
2126 char * krb5_rc_default_type
2127         (krb5_context);
2128 char * krb5_rc_default_name
2129         (krb5_context);
2130 krb5_error_code krb5_auth_to_rep
2131         (krb5_context,
2132                 krb5_tkt_authent *,
2133                 krb5_donot_replay *);
2134 
2135 krb5_error_code KRB5_CALLCONV krb5_rc_initialize
2136         (krb5_context, krb5_rcache,krb5_deltat);
2137 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
2138         (krb5_context, krb5_rcache,krb5_deltat);
2139 krb5_error_code KRB5_CALLCONV krb5_rc_recover
2140         (krb5_context, krb5_rcache);
2141 krb5_error_code KRB5_CALLCONV krb5_rc_destroy
2142         (krb5_context, krb5_rcache);
2143 krb5_error_code KRB5_CALLCONV krb5_rc_close
2144         (krb5_context, krb5_rcache);
2145 krb5_error_code KRB5_CALLCONV krb5_rc_store
2146         (krb5_context, krb5_rcache,krb5_donot_replay *);
2147 krb5_error_code KRB5_CALLCONV krb5_rc_expunge
2148         (krb5_context, krb5_rcache);
2149 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
2150         (krb5_context, krb5_rcache,krb5_deltat *);
2151 char *KRB5_CALLCONV krb5_rc_get_name
2152         (krb5_context, krb5_rcache);
2153 krb5_error_code KRB5_CALLCONV krb5_rc_resolve
2154         (krb5_context, krb5_rcache, char *);
2155 
2156 typedef struct _krb5_kt_ops {
2157     krb5_magic magic;
2158     char *prefix;
2159     /* routines always present */
2160     krb5_error_code (KRB5_CALLCONV *resolve)
2161         (krb5_context,
2162                  const char *,
2163                  krb5_keytab *);
2164     krb5_error_code (KRB5_CALLCONV *get_name)
2165         (krb5_context,
2166                  krb5_keytab,
2167                  char *,
2168                  unsigned int);
2169     krb5_error_code (KRB5_CALLCONV *close)
2170         (krb5_context,
2171                  krb5_keytab);
2172     krb5_error_code (KRB5_CALLCONV *get)
2173         (krb5_context,
2174                  krb5_keytab,
2175                  krb5_const_principal,
2176                  krb5_kvno,
2177                  krb5_enctype,
2178                  krb5_keytab_entry *);
2179     krb5_error_code (KRB5_CALLCONV *start_seq_get)
2180         (krb5_context,
2181                  krb5_keytab,
2182                  krb5_kt_cursor *);
2183     krb5_error_code (KRB5_CALLCONV *get_next)
2184         (krb5_context,
2185                  krb5_keytab,
2186                  krb5_keytab_entry *,
2187                  krb5_kt_cursor *);
2188     krb5_error_code (KRB5_CALLCONV *end_get)
2189         (krb5_context,
2190                  krb5_keytab,
2191                  krb5_kt_cursor *);
2192     /* routines to be included on extended version (write routines) */
2193     krb5_error_code (KRB5_CALLCONV *add)
2194         (krb5_context,
2195                  krb5_keytab,
2196                  krb5_keytab_entry *);
2197     krb5_error_code (KRB5_CALLCONV *remove)
2198         (krb5_context,
2199                  krb5_keytab,
2200                   krb5_keytab_entry *);
2201 
2202     /* Handle for serializer */
2203     const krb5_ser_entry *serializer;
2204 } krb5_kt_ops;
2205 
2206 extern const krb5_kt_ops krb5_kt_dfl_ops;
2207 
2208 extern krb5_error_code krb5int_translate_gai_error (int);
2209 
2210 /* Not sure it's ready for exposure just yet.  */
2211 extern krb5_error_code
2212 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
2213 
2214 extern int krb5int_crypto_init (void);
2215 extern int krb5int_prng_init(void);
2216 
2217 /*
2218  * SUNW14resync
2219  * Hack (?) to neuter C99 "inline" which causes warnings w/our build.
2220  */
2221 #define inline
2222 
2223 /* Solaris kerberos */
2224 krb5_boolean KRB5_CALLCONV is_in_keytype
2225 	(krb5_const krb5_enctype *keytype,
2226 	int numkeytypes, krb5_enctype enctype);
2227 
2228 /*
2229  * Solaris Kerberos
2230  * Use krb5_getuid() to select the mechanism to obtain the uid.
2231  */
2232 extern uid_t	krb5_getuid();
2233 
2234 #endif /* _KRB5_INT_H */
2235