xref: /illumos-gate/usr/src/uts/common/gssapi/mechs/krb5/include/k5-int.h (revision a38ddfee9c8c6b6c5a2947ff52fd2338362a4444)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology,
8  * Cambridge, MA, USA.  All Rights Reserved.
9  *
10  * This software is being provided to you, the LICENSEE, by the
11  * Massachusetts Institute of Technology (M.I.T.) under the following
12  * license.  By obtaining, using and/or copying this software, you agree
13  * that you have read, understood, and will comply with these terms and
14  * conditions:
15  *
16  * Export of this software from the United States of America may
17  * require a specific license from the United States Government.
18  * It is the responsibility of any person or organization contemplating
19  * export to obtain such a license before exporting.
20  *
21  * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
22  * this software and its documentation for any purpose and without fee or
23  * royalty is hereby granted, provided that you agree to comply with the
24  * following copyright notice and statements, including the disclaimer, and
25  * that the same appear on ALL copies of the software and documentation,
26  * including modifications that you make for internal use or for
27  * distribution:
28  *
29  * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
30  * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
31  * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
32  * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
33  * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
34  * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
35  *
36  * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
37  * be used in advertising or publicity pertaining to distribution of the
38  * software.  Title to copyright in this software and any associated
39  * documentation shall at all times remain with M.I.T., and USER agrees to
40  * preserve same.
41  *
42  * Furthermore if you modify this software you must label
43  * your software as modified software and not distribute it in such a
44  * fashion that it might be confused with the original M.I.T. software.
45  */
46 
47 /*
48  * Copyright (C) 1998 by the FundsXpress, INC.
49  *
50  * All rights reserved.
51  *
52  * Export of this software from the United States of America may require
53  * a specific license from the United States Government.  It is the
54  * responsibility of any person or organization contemplating export to
55  * obtain such a license before exporting.
56  *
57  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
58  * distribute this software and its documentation for any purpose and
59  * without fee is hereby granted, provided that the above copyright
60  * notice appear in all copies and that both that copyright notice and
61  * this permission notice appear in supporting documentation, and that
62  * the name of FundsXpress. not be used in advertising or publicity pertaining
63  * to distribution of the software without specific, written prior
64  * permission.  FundsXpress makes no representations about the suitability of
65  * this software for any purpose.  It is provided "as is" without express
66  * or implied warranty.
67  *
68  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
69  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
70  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
71  */
72 
73 /*
74  * This prototype for k5-int.h (Krb5 internals include file)
75  * includes the user-visible definitions from krb5.h and then
76  * includes other definitions that are not user-visible but are
77  * required for compiling Kerberos internal routines.
78  *
79  * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
80  */
81 
82 #ifndef _KRB5_INT_H
83 #define _KRB5_INT_H
84 
85 #ifdef KRB5_GENERAL__
86 #error krb5.h included before k5-int.h
87 #endif /* KRB5_GENERAL__ */
88 
89 #ifndef	_KERNEL
90 #include <osconf.h>
91 #include <security/cryptoki.h>
92 #else
93 #include <sys/crypto/common.h>
94 #include <sys/crypto/api.h>
95 #endif
96 
97 #ifdef  DEBUG
98 #if !defined(KRB5_DEBUG)
99 #define KRB5_DEBUG
100 #endif
101 #ifndef  KRB5_LOG_LVL
102 #define KRB5_LOG_LVL KRB5_ERR
103 #endif
104 #endif  /* DEBUG */
105 
106 #ifdef  _KERNEL
107 
108 #ifdef  DEBUG
109 #include        <sys/types.h>
110 #include        <sys/cmn_err.h>
111  extern  void prom_printf();
112 #endif  /* DEBUG */
113 
114 #else   /* !_KERNEL */
115 
116 #define prom_printf printf
117 
118 #endif /* !_KERNEL */
119 
120 #ifdef KRB5_LOG_LVL
121 
122 /* krb5_log is used to set the logging level to determine what class of messages
123  * are output by the mech.  Note, more than one logging level can be used by
124  * bit or'ing the log values together.
125  *
126  * All log messages are captured by syslog.
127  */
128 
129 extern unsigned int krb5_log;
130 
131 /* Note, these defines should be mutually exclusive bit fields */
132 #define KRB5_ERR  1   /* Use this debug log level for error path logging. */
133 #define KRB5_INFO 2   /* Use this debug log level for informational messages. */
134 
135 #ifdef  _KERNEL
136 
137 #define KRB5_LOG1(A, B, C, D) \
138      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
139 #define KRB5_LOG(A, B, C) \
140      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
141 #define KRB5_LOG0(A, B)   \
142      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))
143 
144 #else	/* !_KERNEL */
145 
146 #include <syslog.h>
147 
148 #define KRB5_LOG1(A, B, C, D) \
149         ((void)((krb5_log) && (krb5_log & (A)) && \
150 		(syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
151 #define KRB5_LOG(A, B, C) \
152         ((void)((krb5_log) && (krb5_log & (A)) && \
153 		(syslog(LOG_DEBUG, (B), (C)), TRUE)))
154 #define KRB5_LOG0(A, B)   \
155         ((void)((krb5_log) && (krb5_log & (A)) && \
156 	       	(syslog(LOG_DEBUG, B), TRUE)))
157 
158 #endif	/* _KERNEL */
159 
160 #else /* ! KRB5_LOG_LVL */
161 
162 #define KRB5_LOG1(A, B, C, D)
163 #define KRB5_LOG(A, B, C)
164 #define KRB5_LOG0(A, B)
165 
166 #endif /* KRB5_LOG_LVL */
167 
168 #ifdef POSIX_TYPES
169 #define timetype time_t
170 #else
171 #define timetype long
172 #endif
173 
174 /*
175  * Begin "k5-config.h"
176  */
177 #ifndef KRB5_CONFIG__
178 #define KRB5_CONFIG__
179 
180 /*
181  * Machine-type definitions: PC Clone 386 running Microloss Windows
182  */
183 
184 #if defined(_MSDOS) || defined(_WIN32)
185 #include "win-mac.h"
186 
187 /* Kerberos Windows initialization file */
188 #define KERBEROS_INI	"kerberos.ini"
189 #define INI_FILES	"Files"
190 #define INI_KRB_CCACHE	"krb5cc"	/* Location of the ccache */
191 #define INI_KRB5_CONF	"krb5.ini"	/* Location of krb5.conf file */
192 #define ANSI_STDIO
193 #endif
194 
195 #ifndef _KERNEL
196 #ifndef KRB5_AUTOCONF__
197 #define KRB5_AUTOCONF__
198 #include "autoconf.h"
199 #endif
200 #endif 		/* !_KERNEL  */
201 
202 #ifndef KRB5_SYSTYPES__
203 #define KRB5_SYSTYPES__
204 
205 #ifndef _KERNEL
206 #ifdef HAVE_SYS_TYPES_H		/* From autoconf.h */
207 #include <sys/types.h>
208 #else /* HAVE_SYS_TYPES_H */
209 typedef unsigned long 	u_long;
210 typedef unsigned int	u_int;
211 typedef unsigned short	u_short;
212 typedef unsigned char	u_char;
213 #endif /* HAVE_SYS_TYPES_H */
214 #endif /* KRB5_SYSTYPES__ */
215 #endif 		/* !_KERNEL  */
216 
217 
218 /* #include "k5-platform.h" SUNW XXX */
219 /* not used in krb5.h (yet) */
220 typedef uint64_t krb5_ui_8;
221 typedef int64_t krb5_int64;
222 
223 
224 
225 #define DEFAULT_PWD_STRING1 "Enter password:"
226 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
227 #define	KRB5_KDB_MAX_LIFE	(60*60*24) /* one day */
228 #define	KRB5_KDB_MAX_RLIFE	(60*60*24*365) /* one year */
229 #define	KRB5_KDB_EXPIRATION	2145830400 /* Thu Jan  1 00:00:00 2038 UTC */
230 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
231 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */
232 
233 /*
234  * Windows requires a different api interface to each function. Here
235  * just define it as NULL.
236  */
237 #ifndef KRB5_CALLCONV
238 #define KRB5_CALLCONV
239 #define KRB5_CALLCONV_C
240 #endif
241 #ifndef O_BINARY
242 #define O_BINARY 0
243 #endif
244 
245 #endif /* KRB5_CONFIG__ */
246 
247 /*
248  * End "k5-config.h"
249  */
250 
251 /*
252  * After loading the configuration definitions, load the Kerberos definitions.
253  */
254 #ifndef _KERNEL
255 #include <errno.h>
256 #include "profile.h"
257 #endif
258 
259 #include <krb5.h>
260 
261 #ifndef _KERNEL
262 #if 1 /* def NEED_SOCKETS */
263 #include <port-sockets.h>
264 #include <socket-utils.h>
265 #else
266 #ifndef SOCK_DGRAM
267 struct sockaddr;
268 #endif
269 #endif
270 #endif
271 
272 /* Get mutex support; currently used only for the replay cache.  */
273 #include "k5-thread.h"
274 
275 
276 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
277    The ones that it doesn't include, we include below.  */
278 
279 /*
280  * Begin "k5-errors.h"
281  */
282 #ifndef KRB5_ERRORS__
283 #define KRB5_ERRORS__
284 
285 
286 /* Error codes used in KRB_ERROR protocol messages.
287    Return values of library routines are based on a different error table
288    (which allows non-ambiguous error codes between subsystems) */
289 
290 /* KDC errors */
291 #define	KDC_ERR_NONE			0 /* No error */
292 #define	KDC_ERR_NAME_EXP		1 /* Client's entry in DB expired */
293 #define	KDC_ERR_SERVICE_EXP		2 /* Server's entry in DB expired */
294 #define	KDC_ERR_BAD_PVNO		3 /* Requested pvno not supported */
295 #define	KDC_ERR_C_OLD_MAST_KVNO		4 /* C's key encrypted in old master */
296 #define	KDC_ERR_S_OLD_MAST_KVNO		5 /* S's key encrypted in old master */
297 #define	KDC_ERR_C_PRINCIPAL_UNKNOWN	6 /* Client not found in Kerberos DB */
298 #define	KDC_ERR_S_PRINCIPAL_UNKNOWN	7 /* Server not found in Kerberos DB */
299 #define	KDC_ERR_PRINCIPAL_NOT_UNIQUE	8 /* Multiple entries in Kerberos DB */
300 #define	KDC_ERR_NULL_KEY		9 /* The C or S has a null key */
301 #define	KDC_ERR_CANNOT_POSTDATE		10 /* Tkt ineligible for postdating */
302 #define	KDC_ERR_NEVER_VALID		11 /* Requested starttime > endtime */
303 #define	KDC_ERR_POLICY			12 /* KDC policy rejects request */
304 #define	KDC_ERR_BADOPTION		13 /* KDC can't do requested opt. */
305 #define	KDC_ERR_ENCTYPE_NOSUPP		14 /* No support for encryption type */
306 #define KDC_ERR_SUMTYPE_NOSUPP		15 /* No support for checksum type */
307 #define KDC_ERR_PADATA_TYPE_NOSUPP	16 /* No support for padata type */
308 #define KDC_ERR_TRTYPE_NOSUPP		17 /* No support for transited type */
309 #define KDC_ERR_CLIENT_REVOKED		18 /* C's creds have been revoked */
310 #define KDC_ERR_SERVICE_REVOKED		19 /* S's creds have been revoked */
311 #define KDC_ERR_TGT_REVOKED		20 /* TGT has been revoked */
312 #define KDC_ERR_CLIENT_NOTYET		21 /* C not yet valid */
313 #define KDC_ERR_SERVICE_NOTYET		22 /* S not yet valid */
314 #define KDC_ERR_KEY_EXP			23 /* Password has expired */
315 #define KDC_ERR_PREAUTH_FAILED		24 /* Preauthentication failed */
316 #define KDC_ERR_PREAUTH_REQUIRED	25 /* Additional preauthentication */
317 					   /* required */
318 #define KDC_ERR_SERVER_NOMATCH		26 /* Requested server and */
319 					   /* ticket don't match*/
320 #define KDC_ERR_SVC_UNAVAILABLE		29 /* A service is not
321 					    * available that is
322 					    * required to process the
323 					    * request */
324 /* Application errors */
325 #define	KRB_AP_ERR_BAD_INTEGRITY 31	/* Decrypt integrity check failed */
326 #define	KRB_AP_ERR_TKT_EXPIRED	32	/* Ticket expired */
327 #define	KRB_AP_ERR_TKT_NYV	33	/* Ticket not yet valid */
328 #define	KRB_AP_ERR_REPEAT	34	/* Request is a replay */
329 #define	KRB_AP_ERR_NOT_US	35	/* The ticket isn't for us */
330 #define	KRB_AP_ERR_BADMATCH	36	/* Ticket/authenticator don't match */
331 #define	KRB_AP_ERR_SKEW		37	/* Clock skew too great */
332 #define	KRB_AP_ERR_BADADDR	38	/* Incorrect net address */
333 #define	KRB_AP_ERR_BADVERSION	39	/* Protocol version mismatch */
334 #define	KRB_AP_ERR_MSG_TYPE	40	/* Invalid message type */
335 #define	KRB_AP_ERR_MODIFIED	41	/* Message stream modified */
336 #define	KRB_AP_ERR_BADORDER	42	/* Message out of order */
337 #define	KRB_AP_ERR_BADKEYVER	44	/* Key version is not available */
338 #define	KRB_AP_ERR_NOKEY	45	/* Service key not available */
339 #define	KRB_AP_ERR_MUT_FAIL	46	/* Mutual authentication failed */
340 #define KRB_AP_ERR_BADDIRECTION	47 	/* Incorrect message direction */
341 #define KRB_AP_ERR_METHOD	48 	/* Alternative authentication */
342 					/* method required */
343 #define KRB_AP_ERR_BADSEQ	49 	/* Incorrect sequence numnber */
344 					/* in message */
345 #define KRB_AP_ERR_INAPP_CKSUM	50	/* Inappropriate type of */
346 					/* checksum in message */
347 #define KRB_AP_PATH_NOT_ACCEPTED 51	/* Policy rejects transited path */
348 #define KRB_ERR_RESPONSE_TOO_BIG 52	/* Response too big for UDP, */
349 					/*   retry with TCP */
350 
351 /* other errors */
352 #define KRB_ERR_GENERIC		60 	/* Generic error (description */
353 					/* in e-text) */
354 #define	KRB_ERR_FIELD_TOOLONG	61	/* Field is too long for impl. */
355 
356 /* PKINIT server-reported errors */
357 #define KDC_ERR_CLIENT_NOT_TRUSTED		62 /* client cert not trusted */
358 #define KDC_ERR_INVALID_SIG			64 /* client signature verify failed */
359 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED	65 /* invalid Diffie-Hellman parameters */
360 #define KDC_ERR_CANT_VERIFY_CERTIFICATE		70 /* client cert not verifiable to */
361 						   /* trusted root cert */
362 #define KDC_ERR_INVALID_CERTIFICATE		71 /* client cert had invalid signature */
363 #define KDC_ERR_REVOKED_CERTIFICATE		72 /* client cert was revoked */
364 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN	73 /* client cert revoked, reason unknown */
365 #define KDC_ERR_CLIENT_NAME_MISMATCH		75 /* mismatch between client cert and */
366 						   /* principal name */
367 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE	77 /* bad extended key use */
368 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED	78 /* bad digest algorithm in client cert */
369 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED	79 /* missing paChecksum in PA-PK-AS-REQ */
370 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
371 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
372 
373 #endif /* KRB5_ERRORS__ */
374 /*
375  * End "k5-errors.h"
376  */
377 
378 /*
379  * This structure is returned in the e-data field of the KRB-ERROR
380  * message when the error calling for an alternative form of
381  * authentication is returned, KRB_AP_METHOD.
382  */
383 typedef struct _krb5_alt_method {
384 	krb5_magic	magic;
385 	krb5_int32	method;
386 	unsigned int	length;
387 	krb5_octet	*data;
388 } krb5_alt_method;
389 
390 /*
391  * A null-terminated array of this structure is returned by the KDC as
392  * the data part of the ETYPE_INFO preauth type.  It informs the
393  * client which encryption types are supported.
394  * The  same data structure is used by both etype-info and etype-info2
395  * but s2kparams must be null when encoding etype-info.
396  */
397 typedef struct _krb5_etype_info_entry {
398 	krb5_magic	magic;
399 	krb5_enctype	etype;
400 	unsigned int	length;
401 	krb5_octet	*salt;
402     krb5_data s2kparams;
403 } krb5_etype_info_entry;
404 
405 /*
406  *  This is essentially -1 without sign extension which can screw up
407  *  comparisons on 64 bit machines. If the length is this value, then
408  *  the salt data is not present. This is to distinguish between not
409  *  being set and being of 0 length.
410  */
411 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
412 
413 typedef krb5_etype_info_entry ** krb5_etype_info;
414 
415 /*
416  * a sam_challenge is returned for alternate preauth
417  */
418 /*
419           SAMFlags ::= BIT STRING {
420               use-sad-as-key[0],
421               send-encrypted-sad[1],
422               must-pk-encrypt-sad[2]
423           }
424  */
425 /*
426           PA-SAM-CHALLENGE ::= SEQUENCE {
427               sam-type[0]                 INTEGER,
428               sam-flags[1]                SAMFlags,
429               sam-type-name[2]            GeneralString OPTIONAL,
430               sam-track-id[3]             GeneralString OPTIONAL,
431               sam-challenge-label[4]      GeneralString OPTIONAL,
432               sam-challenge[5]            GeneralString OPTIONAL,
433               sam-response-prompt[6]      GeneralString OPTIONAL,
434               sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
435               sam-nonce[8]                INTEGER OPTIONAL,
436               sam-cksum[9]                Checksum OPTIONAL
437           }
438 */
439 /* sam_type values -- informational only */
440 #define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
441 #define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
442 #define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
443 #define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
444 #define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
445 #define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
446 #if 1 /* XXX need to figure out who has which numbers assigned */
447 #define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
448 #define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
449 #define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
450 #endif
451 #define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
452 #define PA_SAM_TYPE_GRAIL		(PA_SAM_TYPE_EXP_BASE+0) /* testing */
453 #define PA_SAM_TYPE_SECURID_PREDICT	(PA_SAM_TYPE_EXP_BASE+1) /* special */
454 
455 typedef struct _krb5_predicted_sam_response {
456 	krb5_magic	magic;
457 	krb5_keyblock	sam_key;
458 	krb5_flags	sam_flags; /* Makes key munging easier */
459 	krb5_timestamp  stime;	/* time on server, for replay detection */
460 	krb5_int32      susec;
461 	krb5_principal  client;
462 	krb5_data       msd;	/* mechanism specific data */
463 } krb5_predicted_sam_response;
464 
465 typedef struct _krb5_sam_challenge {
466 	krb5_magic	magic;
467 	krb5_int32	sam_type; /* information */
468 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
469 	krb5_data	sam_type_name;
470 	krb5_data	sam_track_id;
471 	krb5_data	sam_challenge_label;
472 	krb5_data	sam_challenge;
473 	krb5_data	sam_response_prompt;
474 	krb5_data	sam_pk_for_sad;
475 	krb5_int32	sam_nonce;
476 	krb5_checksum	sam_cksum;
477 } krb5_sam_challenge;
478 
479 typedef struct _krb5_sam_key {	/* reserved for future use */
480 	krb5_magic	magic;
481 	krb5_keyblock	sam_key;
482 } krb5_sam_key;
483 
484 typedef struct _krb5_enc_sam_response_enc {
485 	krb5_magic	magic;
486 	krb5_int32	sam_nonce;
487 	krb5_timestamp	sam_timestamp;
488 	krb5_int32	sam_usec;
489 	krb5_data	sam_sad;
490 } krb5_enc_sam_response_enc;
491 
492 typedef struct _krb5_sam_response {
493 	krb5_magic	magic;
494 	krb5_int32	sam_type; /* informational */
495 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
496 	krb5_data	sam_track_id; /* copied */
497 	krb5_enc_data	sam_enc_key; /* krb5_sam_key - future use */
498 	krb5_enc_data	sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
499 	krb5_int32	sam_nonce;
500 	krb5_timestamp	sam_patimestamp;
501 } krb5_sam_response;
502 
503 typedef struct _krb5_sam_challenge_2 {
504 	krb5_data	sam_challenge_2_body;
505 	krb5_checksum	**sam_cksum;		/* Array of checksums */
506 } krb5_sam_challenge_2;
507 
508 typedef struct _krb5_sam_challenge_2_body {
509 	krb5_magic	magic;
510 	krb5_int32	sam_type; /* information */
511 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
512 	krb5_data	sam_type_name;
513 	krb5_data	sam_track_id;
514 	krb5_data	sam_challenge_label;
515 	krb5_data	sam_challenge;
516 	krb5_data	sam_response_prompt;
517 	krb5_data	sam_pk_for_sad;
518 	krb5_int32	sam_nonce;
519 	krb5_enctype	sam_etype;
520 } krb5_sam_challenge_2_body;
521 
522 typedef struct _krb5_sam_response_2 {
523 	krb5_magic	magic;
524 	krb5_int32	sam_type; /* informational */
525 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
526 	krb5_data	sam_track_id; /* copied */
527 	krb5_enc_data	sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
528 	krb5_int32	sam_nonce;
529 } krb5_sam_response_2;
530 
531 typedef struct _krb5_enc_sam_response_enc_2 {
532 	krb5_magic	magic;
533 	krb5_int32	sam_nonce;
534 	krb5_data	sam_sad;
535 } krb5_enc_sam_response_enc_2;
536 
537 /*
538  * Keep the pkinit definitions in a separate file so that the plugin
539  * only has to include k5-int-pkinit.h rather than k5-int.h
540  */
541 
542 #include "k5-int-pkinit.h"
543 
544 /*
545  * Begin "dbm.h"
546  */
547 #ifndef _KERNEL
548 
549 /*
550  * Since we are always using db, use the db-ndbm include header file.
551  */
552 
553 #include "db-ndbm.h"
554 
555 #endif /* !KERNEL */
556 /*
557  * End "dbm.h"
558  */
559 
560 /*
561  * Begin "ext-proto.h"
562  */
563 #ifndef KRB5_EXT_PROTO__
564 #define KRB5_EXT_PROTO__
565 
566 #ifndef _KERNEL
567 #include <stdlib.h>
568 #include <string.h>
569 #endif /* !_KERNEL */
570 
571 #ifndef HAVE_STRDUP
572 extern char *strdup (const char *);
573 #endif
574 
575 #ifndef _KERNEL
576 #ifdef HAVE_UNISTD_H
577 #include <unistd.h>
578 #endif
579 #endif /* !_KERNEL */
580 
581 #endif /* KRB5_EXT_PROTO__ */
582 /*
583  * End "ext-proto.h"
584  */
585 
586 /*
587  * Begin "sysincl.h"
588  */
589 #ifndef KRB5_SYSINCL__
590 #define KRB5_SYSINCL__
591 
592 #ifndef KRB5_SYSTYPES__
593 #define KRB5_SYSTYPES__
594 /* needed for much of the rest -- but already handled in krb5.h? */
595 /* #include <sys/types.h> */
596 #endif /* KRB5_SYSTYPES__ */
597 
598 #ifdef	_KERNEL
599 #include <sys/time.h>
600 #else
601 #ifdef HAVE_SYS_TIME_H
602 #include <sys/time.h>
603 #ifdef TIME_WITH_SYS_TIME
604 #include <time.h>
605 #endif
606 #else
607 #include <time.h>
608 #endif
609 #endif /* _KERNEL */
610 
611 #ifdef HAVE_SYS_STAT_H
612 #include <sys/stat.h>			/* struct stat, stat() */
613 #endif
614 
615 #ifdef HAVE_SYS_PARAM_H
616 #include <sys/param.h>			/* MAXPATHLEN */
617 #endif
618 
619 #ifdef HAVE_SYS_FILE_H
620 #include <sys/file.h>			/* prototypes for file-related
621 					   syscalls; flags for open &
622 					   friends */
623 #endif
624 
625 #ifdef _KERNEL
626 #include <sys/fcntl.h>
627 #else
628 #include <fcntl.h>
629 #endif
630 
631 #endif /* KRB5_SYSINCL__ */
632 /*
633  * End "sysincl.h"
634  */
635 
636 /*
637  * Begin "los-proto.h"
638  */
639 #ifndef KRB5_LIBOS_PROTO__
640 #define KRB5_LIBOS_PROTO__
641 #endif
642 
643 #ifndef	_KERNEL
644 #include <stdio.h>
645 
646 struct addrlist;
647 struct sendto_callback_info;
648 #endif
649 
650 /* libos.spec */
651 krb5_error_code krb5_lock_file (krb5_context, int, int);
652 krb5_error_code krb5_unlock_file (krb5_context, int);
653 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *,
654 				 const krb5_data *, krb5_data *, int *, int);
655 
656 
657 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
658 krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
659 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname);
660 
661 int krb5_net_read (krb5_context, int , char *, int);
662 
663 int krb5_net_write
664 	(krb5_context, int , const char *, int);
665 
666 
667 krb5_error_code krb5_gen_replay_name
668     (krb5_context, const krb5_address *, const char *, char **);
669 
670 
671 #ifndef	_KERNEL
672 
673 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp);
674 
675 krb5_error_code
676 krb5_open_pkcs11_session(CK_SESSION_HANDLE *);
677 
678 
679 krb5_error_code krb5_read_message
680 	(krb5_context, krb5_pointer, krb5_data *);
681 
682 krb5_error_code krb5_write_message
683 	(krb5_context, krb5_pointer, krb5_data *);
684 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
685                 const struct addrlist *addrs, struct sendto_callback_info* callback_info,
686 				krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
687                 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
688 		int (*msg_handler)(krb5_context, const krb5_data *, void *),
689 		void *msg_handler_data);
690 
691 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
692 #endif
693 
694 /*
695  * Solaris Kerberos
696  * The following two functions are needed for better realm
697  * determination based on the DNS domain name.
698  */
699 krb5_error_code krb5int_lookup_host(int , const char *, char **);
700 
701 krb5_error_code krb5int_domain_get_realm(krb5_context, const char *,
702     char **);
703 krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *,
704     char **);
705 
706 krb5_error_code krb5int_init_context_kdc(krb5_context *);
707 
708 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean);
709 
710 void krb5_os_free_context (krb5_context);
711 
712 /* This function is needed by KfM's KerberosPreferences API
713  * because it needs to be able to specify "secure" */
714 #ifndef _KERNEL
715 krb5_error_code os_get_default_config_files
716     (profile_filespec_t **pfiles, krb5_boolean secure);
717 #endif
718 
719 krb5_error_code krb5_os_hostaddr
720 	(krb5_context, const char *, krb5_address ***);
721 
722 #ifndef _KERNEL
723 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
724    going to use this structure.  */
725 struct addrlist {
726     struct {
727 #ifdef FAI_DEFINED
728 	struct addrinfo *ai;
729 #else
730 	struct undefined_addrinfo *ai;
731 #endif
732 	void (*freefn)(void *);
733 	void *data;
734     } *addrs;
735     int naddrs;
736     int space;
737 };
738 #define ADDRLIST_INIT { 0, 0, 0 }
739 extern void krb5int_free_addrlist (struct addrlist *);
740 extern int krb5int_grow_addrlist (struct addrlist *, int);
741 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
742 				     int, int, int, int);
743 
744 #include <locate_plugin.h>
745 krb5_error_code
746 krb5int_locate_server (krb5_context, const krb5_data *realm,
747 		       struct addrlist *, enum locate_service_type svc,
748 		       int sockettype, int family);
749 
750 #endif /* _KERNEL */
751 
752 /* new encryption provider api */
753 
754 struct krb5_enc_provider {
755     /* keybytes is the input size to make_key;
756        keylength is the output size */
757     size_t block_size, keybytes, keylength;
758 
759     /* cipher-state == 0 fresh state thrown away at end */
760     krb5_error_code (*encrypt) (
761 	krb5_context context,
762 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
763 	krb5_const krb5_data *input, krb5_data *output);
764 
765     krb5_error_code (*decrypt) (
766 	krb5_context context,
767 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
768 	krb5_const krb5_data *input, krb5_data *output);
769 
770     krb5_error_code (*make_key)
771     (krb5_context, krb5_const krb5_data *, krb5_keyblock *);
772 
773     krb5_error_code (*init_state) (krb5_context,
774 			const krb5_keyblock *,
775 			krb5_keyusage, krb5_data *);
776     krb5_error_code (*free_state) (krb5_context, krb5_data *);
777 
778 };
779 
780 struct krb5_hash_provider {
781     size_t hashsize, blocksize;
782 
783     /* this takes multiple inputs to avoid lots of copying. */
784     krb5_error_code (*hash) (krb5_context context,
785 	unsigned int icount, krb5_const krb5_data *input,
786 	krb5_data *output);
787 };
788 
789 struct krb5_keyhash_provider {
790     size_t hashsize;
791 
792     krb5_error_code (*hash) (
793 	krb5_context context,
794 	krb5_const krb5_keyblock *key,
795 	krb5_keyusage keyusage,
796 	krb5_const krb5_data *ivec,
797 	krb5_const krb5_data *input, krb5_data *output);
798 
799     krb5_error_code (*verify) (
800 	krb5_context context,
801 	krb5_const krb5_keyblock *key,
802 	krb5_keyusage keyusage,
803 	krb5_const krb5_data *ivec,
804 	krb5_const krb5_data *input,
805 	krb5_const krb5_data *hash,
806 	krb5_boolean *valid);
807 
808 };
809 
810 typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
811   const struct krb5_hash_provider *hash,
812   size_t inputlen, size_t *length);
813 
814 typedef krb5_error_code (*krb5_crypt_func) (
815   krb5_context context,
816   krb5_const struct krb5_enc_provider *enc,
817   krb5_const struct krb5_hash_provider *hash,
818   krb5_const krb5_keyblock *key, krb5_keyusage usage,
819   krb5_const krb5_data *ivec,
820   krb5_const krb5_data *input, krb5_data *output);
821 
822 #ifndef	_KERNEL
823 typedef krb5_error_code (*krb5_str2key_func) (
824   krb5_context context,
825   krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
826   krb5_const krb5_data *salt, krb5_const krb5_data *params,
827   krb5_keyblock *key);
828 #endif	/* _KERNEL */
829 
830 typedef krb5_error_code (*krb5_prf_func)(
831 					 const struct krb5_enc_provider *enc,
832 					 const struct krb5_hash_provider *hash,
833 					 const krb5_keyblock *key,
834 					 const krb5_data *in, krb5_data *out);
835 
836 struct krb5_keytypes {
837     krb5_enctype etype;
838     char *in_string;
839     char *out_string;
840     const struct krb5_enc_provider *enc;
841     const struct krb5_hash_provider *hash;
842     krb5_encrypt_length_func encrypt_len;
843     krb5_crypt_func encrypt;
844     krb5_crypt_func decrypt;
845     krb5_cksumtype required_ctype;
846 #ifndef	_KERNEL
847     /* Solaris Kerberos:  strings to key conversion not done in the kernel */
848     krb5_str2key_func str2key;
849 #else	/* _KERNEL */
850     char *mt_e_name;
851     char *mt_h_name;
852     crypto_mech_type_t kef_cipher_mt;
853     crypto_mech_type_t kef_hash_mt;
854 #endif	/* _KERNEL */
855 };
856 
857 struct krb5_cksumtypes {
858     krb5_cksumtype ctype;
859     unsigned int flags;
860     char *in_string;
861     char *out_string;
862     /* if the hash is keyed, this is the etype it is keyed with.
863        Actually, it can be keyed by any etype which has the same
864        enc_provider as the specified etype.  DERIVE checksums can
865        be keyed with any valid etype. */
866     krb5_enctype keyed_etype;
867     /* I can't statically initialize a union, so I'm just going to use
868        two pointers here.  The keyhash is used if non-NULL.  If NULL,
869        then HMAC/hash with derived keys is used if the relevant flag
870        is set.  Otherwise, a non-keyed hash is computed.  This is all
871        kind of messy, but so is the krb5 api. */
872     const struct krb5_keyhash_provider *keyhash;
873     const struct krb5_hash_provider *hash;
874     /* This just gets uglier and uglier.  In the key derivation case,
875        we produce an hmac.  To make the hmac code work, we can't hack
876        the output size indicated by the hash provider, but we may want
877        a truncated hmac.  If we want truncation, this is the number of
878        bytes we truncate to; it should be 0 otherwise.  */
879     unsigned int trunc_size;
880 #ifdef _KERNEL
881     char *mt_c_name;
882     crypto_mech_type_t kef_cksum_mt;
883 #endif /* _KERNEL */
884 };
885 
886 #define KRB5_CKSUMFLAG_DERIVE		0x0001
887 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF	0x0002
888 
889 /*
890  * in here to deal with stuff from lib/crypto
891  */
892 
893 void krb5_nfold
894 (unsigned int inbits, const unsigned char *in,
895 		unsigned int outbits, unsigned char *out);
896 
897 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
898 					   const krb5_data *,
899 					   unsigned long,
900 					   krb5_enctype,
901 					   const krb5_data *,
902 					   const krb5_data *);
903 
904 /* Make this a function eventually?  */
905 #ifdef _WIN32
906 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
907 #elif defined(__palmos__) && !defined(__GNUC__)
908 /* CodeWarrior 8.3 complains about passing a pointer to volatile in to
909    memset.  On the other hand, we probably want it for gcc.  */
910 # define krb5int_zap_data(ptr, len) memset(ptr, 0, len)
911 #else
912 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len)
913 # if defined(__GNUC__) && defined(__GLIBC__)
914 /* GNU libc generates multiple bogus initialization warnings if we
915    pass memset a volatile pointer.  The compiler should do well enough
916    with memset even without GNU libc's attempt at optimization.  */
917 # undef memset
918 # endif
919 #endif /* WIN32 */
920 #define zap(p,l) krb5int_zap_data(p,l)
921 
922 
923 krb5_error_code krb5int_des_init_state
924 ( krb5_context,
925 	const krb5_keyblock *,
926 	krb5_keyusage, krb5_data *);
927 
928 krb5_error_code krb5int_c_mandatory_cksumtype(
929 	krb5_context,
930 	krb5_enctype,
931 	krb5_cksumtype *);
932 
933 /*
934  * normally to free a cipher_state you can just memset the length to zero and
935  * free it.
936  */
937 krb5_error_code krb5int_default_free_state
938 (krb5_context, krb5_data *);
939 
940 
941 /*
942  * Combine two keys (normally used by the hardware preauth mechanism)
943  */
944 krb5_error_code krb5int_c_combine_keys
945 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
946 		krb5_keyblock *outkey);
947 
948 
949 #ifdef _KERNEL
950 
951 int k5_ef_crypto(
952 	const char *, char *,
953 	long, krb5_keyblock *,
954 	const krb5_data *, int);
955 
956 krb5_error_code
957 krb5_hmac(krb5_context, const krb5_keyblock *,
958 	krb5_const krb5_data *, krb5_data *);
959 
960 #else
961 krb5_error_code krb5_hmac
962 	(krb5_context,
963 	krb5_const struct krb5_hash_provider *,
964 	krb5_const krb5_keyblock *, krb5_const unsigned int,
965 	krb5_const krb5_data *, krb5_data *);
966 
967 #endif /* _KERNEL */
968 
969 
970 /*
971  * These declarations are here, so both krb5 and k5crypto
972  * can get to them.
973  * krb5 needs to get to them so it can  make them available to libgssapi.
974  */
975 extern const struct krb5_enc_provider krb5int_enc_arcfour;
976 extern const struct krb5_hash_provider krb5int_hash_md5;
977 
978 
979 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */
980 
981 krb5_error_code krb5_crypto_us_timeofday
982 	(krb5_int32 *,
983 		krb5_int32 *);
984 
985 #ifndef _KERNEL
986 /* Solaris kerberos: for convenience */
987 time_t krb5int_gmt_mktime (struct tm *);
988 #endif /* ! _KERNEL */
989 
990 /* #endif KRB5_OLD_CRYPTO */
991 
992 /* this helper fct is in libkrb5, but it makes sense declared here. */
993 
994 krb5_error_code krb5_encrypt_helper
995 (krb5_context context, const krb5_keyblock *key,
996 		krb5_keyusage keyusage, const krb5_data *plain,
997 		krb5_enc_data *cipher);
998 
999 /*
1000  * End "los-proto.h"
1001  */
1002 
1003 /*
1004  * Begin "libos.h"
1005  */
1006 #ifndef KRB5_LIBOS__
1007 #define KRB5_LIBOS__
1008 
1009 typedef struct _krb5_os_context {
1010 	krb5_magic		magic;
1011 	krb5_int32		time_offset;
1012 	krb5_int32		usec_offset;
1013 	krb5_int32		os_flags;
1014 	char *			default_ccname;
1015 } *krb5_os_context;
1016 
1017 /*
1018  * Flags for the os_flags field
1019  *
1020  * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
1021  * The intention is that this facility to correct the system clocks so
1022  * that they reflect the "real" time, for systems where for some
1023  * reason we can't set the system clock.  Instead we calculate the
1024  * offset between the system time and real time, and store the offset
1025  * in the os context so that we can correct the system clock as necessary.
1026  *
1027  * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
1028  * returned as the time by the krb5 time routines.  This should only
1029  * be used for testing purposes (obviously!)
1030  */
1031 #define KRB5_OS_TOFFSET_VALID	1
1032 #define KRB5_OS_TOFFSET_TIME	2
1033 
1034 /* lock mode flags */
1035 #define	KRB5_LOCKMODE_SHARED	0x0001
1036 #define	KRB5_LOCKMODE_EXCLUSIVE	0x0002
1037 #define	KRB5_LOCKMODE_DONTBLOCK	0x0004
1038 #define	KRB5_LOCKMODE_UNLOCK	0x0008
1039 
1040 #endif /* KRB5_LIBOS__ */
1041 /*
1042  * End "libos.h"
1043  */
1044 
1045 /*
1046  * Define our view of the size of a DES key.
1047  */
1048 #define	KRB5_MIT_DES_KEYSIZE		8
1049 /*
1050  * Define a couple of SHA1 constants
1051  */
1052 #define	SHS_DATASIZE	64
1053 #define	SHS_DIGESTSIZE	20
1054 
1055 /*
1056  * Check if des_int.h has been included before us.  If so, then check to see
1057  * that our view of the DES key size is the same as des_int.h's.
1058  */
1059 #ifdef	MIT_DES_KEYSIZE
1060 #if	MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
1061 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
1062 #endif	/* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
1063 #endif	/* MIT_DES_KEYSIZE */
1064 
1065 #ifndef _KERNEL
1066 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are
1067  * defined.
1068  */
1069 #define PROVIDE_DES3_CBC_SHA 1
1070 #define PROVIDE_NIST_SHA 1
1071 
1072 #endif /* !_KERNEL */
1073 
1074 /*
1075  * Begin "preauth.h"
1076  *
1077  * (Originally written by Glen Machin at Sandia Labs.)
1078  */
1079 /*
1080  * Sandia National Laboratories also makes no representations about the
1081  * suitability of the modifications, or additions to this software for
1082  * any purpose.  It is provided "as is" without express or implied warranty.
1083  *
1084  */
1085 #ifndef KRB5_PREAUTH__
1086 #define KRB5_PREAUTH__
1087 
1088 #include <preauth_plugin.h>
1089 
1090 #define CLIENT_ROCK_MAGIC 0x4352434b
1091 /* This structure is passed into the client preauth functions and passed
1092  * back to the "get_data_proc" function so that it can locate the
1093  * requested information.  It is opaque to the plugin code and can be
1094  * expanded in the future as new types of requests are defined which
1095  * may require other things to be passed through. */
1096 typedef struct _krb5_preauth_client_rock {
1097 	krb5_magic	magic;
1098 	krb5_kdc_rep	*as_reply;
1099 } krb5_preauth_client_rock;
1100 
1101 /* This structure lets us keep track of all of the modules which are loaded,
1102  * turning the list of modules and their lists of implemented preauth types
1103  * into a single list which we can walk easily. */
1104 typedef struct _krb5_preauth_context {
1105     int n_modules;
1106     struct _krb5_preauth_context_module {
1107 	/* Which of the possibly more than one preauth types which the
1108 	 * module supports we're using at this point in the list. */
1109 	krb5_preauthtype pa_type;
1110 	/* Encryption types which the client claims to support -- we
1111 	 * copy them directly into the krb5_kdc_req structure during
1112 	 * krb5_preauth_prepare_request(). */
1113 	krb5_enctype *enctypes;
1114 	/* The plugin's per-plugin context and a function to clear it. */
1115 	void *plugin_context;
1116 	preauth_client_plugin_fini_proc client_fini;
1117 	/* The module's table, and some of its members, copied here for
1118 	 * convenience when we populated the list. */
1119 	struct krb5plugin_preauth_client_ftable_v1 *ftable;
1120 	const char *name;
1121 	int flags, use_count;
1122 	preauth_client_process_proc client_process;
1123 	preauth_client_tryagain_proc client_tryagain;
1124 	preauth_client_supply_gic_opts_proc client_supply_gic_opts;
1125 	preauth_client_request_init_proc client_req_init;
1126 	preauth_client_request_fini_proc client_req_fini;
1127 	/* The per-request context which the client_req_init() function
1128 	 * might allocate, which we'll need to clean up later by
1129 	 * calling the client_req_fini() function. */
1130 	void *request_context;
1131 	/* A pointer to the request_context pointer.  All modules within
1132 	 * a plugin will point at the request_context of the first
1133 	 * module within the plugin. */
1134 	void **request_context_pp;
1135     } *modules;
1136 } krb5_preauth_context;
1137 
1138 typedef struct _krb5_pa_enc_ts {
1139     krb5_timestamp	patimestamp;
1140     krb5_int32		pausec;
1141 } krb5_pa_enc_ts;
1142 
1143 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1144     (krb5_context,
1145 		    krb5_pa_data *,
1146 		    krb5_etype_info,
1147 		    krb5_keyblock *,
1148 		    krb5_error_code ( * )(krb5_context,
1149 					  const krb5_enctype,
1150 					  krb5_data *,
1151 					  krb5_const_pointer,
1152 					  krb5_keyblock **),
1153 		    krb5_const_pointer,
1154 		    krb5_creds *,
1155 		    krb5_kdc_req *,
1156 		    krb5_pa_data **);
1157 
1158 typedef krb5_error_code (*krb5_preauth_process_proc)
1159     (krb5_context,
1160 		    krb5_pa_data *,
1161 		    krb5_kdc_req *,
1162 		    krb5_kdc_rep *,
1163 		    krb5_error_code ( * )(krb5_context,
1164 					  const krb5_enctype,
1165 					  krb5_data *,
1166 					  krb5_const_pointer,
1167 					  krb5_keyblock **),
1168 		    krb5_const_pointer,
1169 		    krb5_error_code ( * )(krb5_context,
1170 					  const krb5_keyblock *,
1171 					  krb5_const_pointer,
1172 					  krb5_kdc_rep * ),
1173 		    krb5_keyblock **,
1174 		    krb5_creds *,
1175 		    krb5_int32 *,
1176 		    krb5_int32 *);
1177 
1178 typedef struct _krb5_preauth_ops {
1179     krb5_magic magic;
1180     int     type;
1181     int	flags;
1182     krb5_preauth_obtain_proc	obtain;
1183     krb5_preauth_process_proc	process;
1184 } krb5_preauth_ops;
1185 
1186 
1187 krb5_error_code krb5_obtain_padata
1188     	(krb5_context,
1189 		krb5_pa_data **,
1190 		krb5_error_code ( * )(krb5_context,
1191 						      const krb5_enctype,
1192 						      krb5_data *,
1193 						      krb5_const_pointer,
1194 						      krb5_keyblock **),
1195 		krb5_const_pointer,
1196 		krb5_creds *,
1197 		krb5_kdc_req *);
1198 
1199 krb5_error_code krb5_process_padata
1200 	(krb5_context,
1201 		krb5_kdc_req *,
1202 		krb5_kdc_rep *,
1203 		krb5_error_code ( * )(krb5_context,
1204 						      const krb5_enctype,
1205 						      krb5_data *,
1206 						      krb5_const_pointer,
1207 						      krb5_keyblock **),
1208 		krb5_const_pointer,
1209 		krb5_error_code ( * )(krb5_context,
1210 						      const krb5_keyblock *,
1211 						      krb5_const_pointer,
1212 						      krb5_kdc_rep * ),
1213 		krb5_keyblock **,
1214 		krb5_creds *,
1215 		krb5_int32 *);
1216 
1217 void krb5_free_etype_info (krb5_context, krb5_etype_info);
1218 
1219 /*
1220  * Preauthentication property flags
1221  */
1222 #define KRB5_PREAUTH_FLAGS_ENCRYPT	0x00000001
1223 #define KRB5_PREAUTH_FLAGS_HARDWARE	0x00000002
1224 
1225 #endif /* KRB5_PREAUTH__ */
1226 /*
1227  * End "preauth.h"
1228  */
1229 
1230 /*
1231  * Extending the krb5_get_init_creds_opt structure.  The original
1232  * krb5_get_init_creds_opt structure is defined publicly.  The
1233  * new extended version is private.  The original interface
1234  * assumed a pre-allocated structure which was passed to
1235  * krb5_get_init_creds_init().  The new interface assumes that
1236  * the caller will call krb5_get_init_creds_alloc() and
1237  * krb5_get_init_creds_free().
1238  *
1239  * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
1240  * opts structure using krb5_get_init_creds_alloc().  To do so will
1241  * introduce memory leaks.  Unfortunately, there is no way to enforce
1242  * this behavior.
1243  *
1244  * Two private flags are added for backward compatibility.
1245  * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1246  * with the new krb5_get_init_creds_opt_alloc() function.
1247  * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1248  * structure is a shadow copy of an original krb5_get_init_creds_opt
1249  * structure.
1250  * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1251  * krb5int_gic_opt_to_opte(), the resulting extended structure should be
1252  * freed (using krb5_get_init_creds_free).  Otherwise, the original
1253  * structure was already extended and there is no need to free it.
1254  */
1255 
1256 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
1257 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
1258 
1259 #define krb5_gic_opt_is_extended(s) \
1260     ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
1261 #define krb5_gic_opt_is_shadowed(s) \
1262     ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
1263 
1264 
1265 typedef struct _krb5_gic_opt_private {
1266     int num_preauth_data;
1267     krb5_gic_opt_pa_data *preauth_data;
1268 } krb5_gic_opt_private;
1269 
1270 typedef struct _krb5_gic_opt_ext {
1271     krb5_flags flags;
1272     krb5_deltat tkt_life;
1273     krb5_deltat renew_life;
1274     int forwardable;
1275     int proxiable;
1276     krb5_enctype *etype_list;
1277     int etype_list_length;
1278     krb5_address **address_list;
1279     krb5_preauthtype *preauth_list;
1280     int preauth_list_length;
1281     krb5_data *salt;
1282     /*
1283      * Do not change anything above this point in this structure.
1284      * It is identical to the public krb5_get_init_creds_opt structure.
1285      * New members must be added below.
1286      */
1287     krb5_gic_opt_private *opt_private;
1288 } krb5_gic_opt_ext;
1289 
1290 krb5_error_code
1291 krb5int_gic_opt_to_opte(krb5_context context,
1292                         krb5_get_init_creds_opt *opt,
1293                         krb5_gic_opt_ext **opte,
1294                         unsigned int force,
1295                         const char *where);
1296 
1297 krb5_error_code
1298 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1299 
1300 #ifndef _KERNEL /* needed for lib/krb5/krb/ */
1301 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1302     (krb5_context,
1303 		     krb5_principal,
1304 		     krb5_enctype,
1305 		     krb5_prompter_fct,
1306 		     void *prompter_data,
1307 		     krb5_data *salt,
1308      krb5_data *s2kparams,
1309 		     krb5_keyblock *as_key,
1310 		     void *gak_data);
1311 
1312 krb5_error_code KRB5_CALLCONV
1313 krb5_get_init_creds
1314 (krb5_context context,
1315 		krb5_creds *creds,
1316 		krb5_principal client,
1317 		krb5_prompter_fct prompter,
1318 		void *prompter_data,
1319 		krb5_deltat start_time,
1320 		char *in_tkt_service,
1321 		krb5_gic_opt_ext *gic_options,
1322 		krb5_gic_get_as_key_fct gak,
1323 		void *gak_data,
1324 		int *master,
1325 		krb5_kdc_rep **as_reply);
1326 
1327 krb5_error_code krb5int_populate_gic_opt (
1328     krb5_context, krb5_gic_opt_ext **,
1329     krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1330     krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1331 
1332 
1333 krb5_error_code KRB5_CALLCONV krb5_do_preauth
1334 	(krb5_context context,
1335 	 krb5_kdc_req *request,
1336 	 krb5_data *encoded_request_body,
1337 	 krb5_data *encoded_previous_request,
1338 	 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1339 	 krb5_data *salt, krb5_data *s2kparams,
1340 	 krb5_enctype *etype, krb5_keyblock *as_key,
1341 	 krb5_prompter_fct prompter, void *prompter_data,
1342 	 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1343 	 krb5_preauth_client_rock *get_data_rock,
1344 	 krb5_gic_opt_ext *opte);
1345 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain
1346 	(krb5_context context,
1347 	 krb5_kdc_req *request,
1348 	 krb5_data *encoded_request_body,
1349 	 krb5_data *encoded_previous_request,
1350 	 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1351 	 krb5_error *err_reply,
1352 	 krb5_data *salt, krb5_data *s2kparams,
1353 	 krb5_enctype *etype, krb5_keyblock *as_key,
1354 	 krb5_prompter_fct prompter, void *prompter_data,
1355 	 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1356 	 krb5_preauth_client_rock *get_data_rock,
1357 	 krb5_gic_opt_ext *opte);
1358 void KRB5_CALLCONV krb5_init_preauth_context
1359 	(krb5_context);
1360 void KRB5_CALLCONV krb5_free_preauth_context
1361 	(krb5_context);
1362 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts
1363 	(krb5_context);
1364 void KRB5_CALLCONV krb5_preauth_prepare_request
1365 	(krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *);
1366 void KRB5_CALLCONV krb5_preauth_request_context_init
1367 	(krb5_context);
1368 void KRB5_CALLCONV krb5_preauth_request_context_fini
1369 	(krb5_context);
1370 
1371 #endif /* _KERNEL */
1372 void KRB5_CALLCONV krb5_free_sam_challenge
1373 	(krb5_context, krb5_sam_challenge * );
1374 void KRB5_CALLCONV krb5_free_sam_challenge_2
1375 	(krb5_context, krb5_sam_challenge_2 * );
1376 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1377 	(krb5_context, krb5_sam_challenge_2_body *);
1378 void KRB5_CALLCONV krb5_free_sam_response
1379 	(krb5_context, krb5_sam_response * );
1380 void KRB5_CALLCONV krb5_free_sam_response_2
1381 	(krb5_context, krb5_sam_response_2 * );
1382 void KRB5_CALLCONV krb5_free_predicted_sam_response
1383 	(krb5_context, krb5_predicted_sam_response * );
1384 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1385 	(krb5_context, krb5_enc_sam_response_enc * );
1386 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1387 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1388 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1389 	(krb5_context, krb5_sam_challenge * );
1390 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1391 	(krb5_context, krb5_sam_challenge_2 * );
1392 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1393 	(krb5_context, krb5_sam_challenge_2_body * );
1394 void KRB5_CALLCONV krb5_free_sam_response_contents
1395 	(krb5_context, krb5_sam_response * );
1396 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1397 	(krb5_context, krb5_sam_response_2 *);
1398 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1399 	(krb5_context, krb5_predicted_sam_response * );
1400 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1401 	(krb5_context, krb5_enc_sam_response_enc * );
1402 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1403 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1404 
1405 void KRB5_CALLCONV krb5_free_pa_enc_ts
1406 	(krb5_context, krb5_pa_enc_ts *);
1407 
1408 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1409 #ifndef	_KERNEL
1410 #include "com_err.h"
1411 #include <krb5/k5-plugin.h>
1412 #endif /* _KERNEL */
1413 
1414 /*
1415  * Solaris Kerberos: moved from sendto_kdc.c so other code can reference
1416  */
1417 #define	DEFAULT_UDP_PREF_LIMIT   1465
1418 
1419 #ifndef	_KERNEL
1420 #include "profile.h"
1421 #include <strings.h>
1422 #endif /* _KERNEL */
1423 
1424 #define KEY_CHANGED(k1, k2) \
1425 (k1 == NULL || \
1426  k1 != k2 || \
1427  k1->enctype != k2->enctype || \
1428  k1->length != k2->length || \
1429  bcmp(k1->contents, k2->contents, k1->length))
1430 
1431 #ifndef _KERNEL
1432 typedef struct _arcfour_ctx {
1433 	CK_SESSION_HANDLE eSession; /* encrypt session handle */
1434 	CK_SESSION_HANDLE dSession; /* decrypt session handle */
1435 	CK_OBJECT_HANDLE  eKey; /* encrypt key object */
1436 	CK_OBJECT_HANDLE  dKey; /* decrype key object */
1437 	uchar_t           initialized;
1438 }arcfour_ctx_rec;
1439 
1440 #endif /* !_KERNEL */
1441 
1442 struct _krb5_context {
1443 	krb5_magic	magic;
1444 	krb5_enctype	*in_tkt_ktypes;
1445 	unsigned int	in_tkt_ktype_count;
1446 	krb5_enctype	*tgs_ktypes;
1447 	unsigned int	tgs_ktype_count;
1448 	/* This used to be a void*, but since we always allocate them
1449 	   together (though in different source files), and the types
1450 	   are declared in the same header, might as well just combine
1451 	   them.
1452 
1453 	   The array[1] is so the existing code treating the field as
1454 	   a pointer will still work.  For cleanliness, it should
1455 	   eventually get changed to a single element instead of an
1456 	   array.  */
1457 	struct _krb5_os_context	os_context[1];
1458 	char		*default_realm;
1459 	int		ser_ctx_count;
1460 	krb5_boolean	profile_secure;
1461 	void	      	*ser_ctx;
1462 #ifndef _KERNEL
1463 	profile_t	profile;
1464 	void		*db_context;
1465 	void		*kdblog_context;
1466 	/* allowable clock skew */
1467 	krb5_deltat 	clockskew;
1468 	krb5_cksumtype	kdc_req_sumtype;
1469 	krb5_cksumtype	default_ap_req_sumtype;
1470 	krb5_cksumtype	default_safe_sumtype;
1471 	krb5_flags 	kdc_default_options;
1472 	krb5_flags	library_options;
1473 	int		fcc_default_format;
1474 	int		scc_default_format;
1475 	krb5_prompt_type *prompt_types;
1476 	/* Message size above which we'll try TCP first in send-to-kdc
1477 	   type code.  Aside from the 2**16 size limit, we put no
1478 	   absolute limit on the UDP packet size.  */
1479 	int		udp_pref_limit;
1480 
1481 	/* This is the tgs_ktypes list as read from the profile, or
1482 	   set to compiled-in defaults.	 The application code cannot
1483 	   override it.	 This is used for session keys for
1484 	   intermediate ticket-granting tickets used to acquire the
1485 	   requested ticket (the session key of which may be
1486 	   constrained by tgs_ktypes above).  */
1487 	krb5_enctype	*conf_tgs_ktypes;
1488 	int		conf_tgs_ktypes_count;
1489 
1490 	/* Use the _configured version?	 */
1491 	krb5_boolean	use_conf_ktypes;
1492 
1493 #ifdef KRB5_DNS_LOOKUP
1494         krb5_boolean    profile_in_memory;
1495 #endif /* KRB5_DNS_LOOKUP */
1496 
1497     /* locate_kdc module stuff */
1498     struct plugin_dir_handle libkrb5_plugins;
1499     struct krb5plugin_service_locate_ftable *vtbl;
1500     void (**locate_fptrs)(void);
1501 
1502 	pid_t pid;  /* fork safety: PID of process that did last PKCS11 init */
1503 
1504 	/* Solaris Kerberos: handles for PKCS#11 crypto */
1505 	/*
1506 	 * Warning, do not access hSession directly as this is not fork() safe.
1507 	 * Instead use the krb_ctx_hSession() macro below.
1508 	 */
1509 	CK_SESSION_HANDLE hSession;
1510 	int		cryptoki_initialized;
1511 
1512 	/* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */
1513 	arcfour_ctx_rec arcfour_ctx;
1514 
1515 	/* preauth module stuff */
1516 	struct plugin_dir_handle preauth_plugins;
1517 	krb5_preauth_context *preauth_context;
1518 
1519 	/* error detail info */
1520 	struct errinfo err;
1521 #else /* ! KERNEL */
1522 	crypto_mech_type_t kef_cipher_mt;
1523 	crypto_mech_type_t kef_hash_mt;
1524 	crypto_mech_type_t kef_cksum_mt;
1525 #endif /* ! KERNEL */
1526 };
1527 
1528 #ifndef  _KERNEL
1529 extern pid_t __krb5_current_pid;
1530 
1531 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context);
1532 
1533 /*
1534  * fork safety: barring the ef_init code, every other function must use the
1535  * krb_ctx_hSession() macro to access the hSession field in a krb context.
1536  * Note, if the pid of the krb ctx == the current global pid then it is safe to
1537  * use the ctx hSession otherwise it needs to be re-inited before it is returned
1538  * to the caller.
1539  */
1540 #define krb_ctx_hSession(ctx) \
1541     ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx))
1542 #endif
1543 
1544 #define MD5_CKSUM_LENGTH 16
1545 #define RSA_MD5_CKSUM_LENGTH 16
1546 #define MD5_BLOCKSIZE 64
1547 
1548 
1549 /*
1550  * Solaris Kerberos:
1551  * This next section of prototypes and constants
1552  * are all unique to the Solaris Kerberos implementation.
1553  * Because Solaris uses the native encryption framework
1554  * to provide crypto support, the following routines
1555  * are needed to support this system.
1556  */
1557 
1558 /*
1559  * Begin Solaris Crypto Prototypes
1560  */
1561 
1562 /*
1563  * define constants that are used for creating the constant
1564  * which is used to make derived keys.
1565  */
1566 #define DK_ENCR_KEY_BYTE 0xAA
1567 #define DK_HASH_KEY_BYTE 0x55
1568 #define DK_CKSUM_KEY_BYTE 0x99
1569 
1570 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *,
1571 			krb5_keyblock *, krb5_keyusage,
1572 			krb5_keyblock **, krb5_keyblock **);
1573 
1574 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t,
1575 				krb5_keyblock *);
1576 
1577 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *);
1578 krb5_keyblock *krb5_create_derived_keyblock(int);
1579 
1580 #ifdef _KERNEL
1581 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *);
1582 
1583 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *,
1584         const krb5_data *, krb5_data *);
1585 
1586 void make_kef_key(krb5_keyblock *);
1587 int init_key_kef(crypto_mech_type_t, krb5_keyblock *);
1588 int update_key_template(krb5_keyblock *);
1589 void setup_kef_keytypes();
1590 void setup_kef_cksumtypes();
1591 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *);
1592 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *);
1593 
1594 #else
1595 /*
1596  * This structure is used to map Kerberos supported OID's,
1597  * to PKCS11 mechanisms
1598  */
1599 #define USE_ENCR	0x01
1600 #define	USE_HASH	0x02
1601 
1602 typedef struct krb5_mech_2_pkcs {
1603 	uchar_t		flags;
1604 	CK_MECHANISM_TYPE enc_algo;
1605 	CK_MECHANISM_TYPE hash_algo;
1606 	CK_MECHANISM_TYPE str2key_algo;
1607 } KRB5_MECH_TO_PKCS;
1608 
1609 #define ENC_DEFINED(x)	(((x).flags & USE_ENCR))
1610 #define HASH_DEFINED(x)	(((x).flags & USE_HASH))
1611 
1612 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos);
1613 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType);
1614 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid);
1615 
1616 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *);
1617 
1618 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *,
1619 	unsigned int, const krb5_data *, krb5_data *);
1620 
1621 krb5_error_code k5_ef_mac(krb5_context context,
1622 	krb5_keyblock *key, krb5_data *ivec,
1623 	krb5_const krb5_data *input, krb5_data *output);
1624 
1625 #endif	/* !_KERNEL */
1626 
1627 krb5_error_code
1628 derive_3des_keys(krb5_context, struct krb5_enc_provider *,
1629                 krb5_keyblock *, krb5_keyusage,
1630                 krb5_keyblock *, krb5_keyblock *);
1631 
1632 /*
1633  * End Solaris Crypto Prototypes
1634  */
1635 
1636 #define KRB5_LIBOPT_SYNC_KDCTIME	0x0001
1637 
1638 /* internal message representations */
1639 
1640 typedef struct _krb5_safe {
1641     krb5_magic magic;
1642     krb5_data user_data;		/* user data */
1643     krb5_timestamp timestamp;		/* client time, optional */
1644     krb5_int32 usec;			/* microsecond portion of time,
1645 					   optional */
1646     krb5_ui_4 seq_number;		/* sequence #, optional */
1647     krb5_address *s_address;	/* sender address */
1648     krb5_address *r_address;	/* recipient address, optional */
1649     krb5_checksum *checksum;	/* data integrity checksum */
1650 } krb5_safe;
1651 
1652 typedef struct _krb5_priv {
1653     krb5_magic magic;
1654     krb5_enc_data enc_part;		/* encrypted part */
1655 } krb5_priv;
1656 
1657 typedef struct _krb5_priv_enc_part {
1658     krb5_magic magic;
1659     krb5_data user_data;		/* user data */
1660     krb5_timestamp timestamp;		/* client time, optional */
1661     krb5_int32 usec;			/* microsecond portion of time, opt. */
1662     krb5_ui_4 seq_number;		/* sequence #, optional */
1663     krb5_address *s_address;	/* sender address */
1664     krb5_address *r_address;	/* recipient address, optional */
1665 } krb5_priv_enc_part;
1666 
1667 void KRB5_CALLCONV krb5_free_safe
1668 	(krb5_context, krb5_safe * );
1669 void KRB5_CALLCONV krb5_free_priv
1670 	(krb5_context, krb5_priv * );
1671 void KRB5_CALLCONV krb5_free_priv_enc_part
1672 	(krb5_context, krb5_priv_enc_part * );
1673 
1674 /*
1675  * Begin "asn1.h"
1676  */
1677 #ifndef KRB5_ASN1__
1678 #define KRB5_ASN1__
1679 
1680 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1681 /* here we use some knowledge of ASN.1 encodings */
1682 /*
1683   Ticket is APPLICATION 1.
1684   Authenticator is APPLICATION 2.
1685   AS_REQ is APPLICATION 10.
1686   AS_REP is APPLICATION 11.
1687   TGS_REQ is APPLICATION 12.
1688   TGS_REP is APPLICATION 13.
1689   AP_REQ is APPLICATION 14.
1690   AP_REP is APPLICATION 15.
1691   KRB_SAFE is APPLICATION 20.
1692   KRB_PRIV is APPLICATION 21.
1693   KRB_CRED is APPLICATION 22.
1694   EncASRepPart is APPLICATION 25.
1695   EncTGSRepPart is APPLICATION 26.
1696   EncAPRepPart is APPLICATION 27.
1697   EncKrbPrivPart is APPLICATION 28.
1698   EncKrbCredPart is APPLICATION 29.
1699   KRB_ERROR is APPLICATION 30.
1700  */
1701 /* allow either constructed or primitive encoding, so check for bit 6
1702    set or reset */
1703 #define krb5_is_krb_ticket(dat)\
1704 	((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1705 				    (dat)->data[0] == 0x41))
1706 #define krb5_is_krb_authenticator(dat)\
1707 	((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1708 				    (dat)->data[0] == 0x42))
1709 #define krb5_is_as_req(dat)\
1710 	((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1711 				    (dat)->data[0] == 0x4a))
1712 #define krb5_is_as_rep(dat)\
1713 	((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1714 				    (dat)->data[0] == 0x4b))
1715 #define krb5_is_tgs_req(dat)\
1716 	((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1717 				    (dat)->data[0] == 0x4c))
1718 #define krb5_is_tgs_rep(dat)\
1719 	((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1720 				    (dat)->data[0] == 0x4d))
1721 #define krb5_is_ap_req(dat)\
1722 	((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1723 				    (dat)->data[0] == 0x4e))
1724 #define krb5_is_ap_rep(dat)\
1725 	((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1726 				    (dat)->data[0] == 0x4f))
1727 #define krb5_is_krb_safe(dat)\
1728 	((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1729 				    (dat)->data[0] == 0x54))
1730 #define krb5_is_krb_priv(dat)\
1731 	((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1732 				    (dat)->data[0] == 0x55))
1733 #define krb5_is_krb_cred(dat)\
1734 	((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1735 				    (dat)->data[0] == 0x56))
1736 #define krb5_is_krb_enc_as_rep_part(dat)\
1737 	((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1738 				    (dat)->data[0] == 0x59))
1739 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1740 	((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1741 				    (dat)->data[0] == 0x5a))
1742 #define krb5_is_krb_enc_ap_rep_part(dat)\
1743 	((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1744 				    (dat)->data[0] == 0x5b))
1745 #define krb5_is_krb_enc_krb_priv_part(dat)\
1746 	((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1747 				    (dat)->data[0] == 0x5c))
1748 #define krb5_is_krb_enc_krb_cred_part(dat)\
1749 	((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1750 				    (dat)->data[0] == 0x5d))
1751 #define krb5_is_krb_error(dat)\
1752 	((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1753 				    (dat)->data[0] == 0x5e))
1754 
1755 /*************************************************************************
1756  * Prototypes for krb5_encode.c
1757  *************************************************************************/
1758 
1759 /*
1760    krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1761 					 krb5_data **code);
1762    modifies  *code
1763    effects   Returns the ASN.1 encoding of *rep in **code.
1764              Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1765              Returns ENOMEM if memory runs out.
1766 */
1767 
1768 krb5_error_code encode_krb5_authenticator
1769 	(const krb5_authenticator *rep, krb5_data **code);
1770 
1771 krb5_error_code encode_krb5_ticket
1772 	(const krb5_ticket *rep, krb5_data **code);
1773 
1774 krb5_error_code encode_krb5_encryption_key
1775 	(const krb5_keyblock *rep, krb5_data **code);
1776 
1777 krb5_error_code encode_krb5_enc_tkt_part
1778 	(const krb5_enc_tkt_part *rep, krb5_data **code);
1779 
1780 krb5_error_code encode_krb5_enc_kdc_rep_part
1781 	(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1782 
1783 /* yes, the translation is identical to that used for KDC__REP */
1784 krb5_error_code encode_krb5_as_rep
1785 	(const krb5_kdc_rep *rep, krb5_data **code);
1786 
1787 /* yes, the translation is identical to that used for KDC__REP */
1788 krb5_error_code encode_krb5_tgs_rep
1789 	(const krb5_kdc_rep *rep, krb5_data **code);
1790 
1791 krb5_error_code encode_krb5_ap_req
1792 	(const krb5_ap_req *rep, krb5_data **code);
1793 
1794 krb5_error_code encode_krb5_ap_rep
1795 	(const krb5_ap_rep *rep, krb5_data **code);
1796 
1797 krb5_error_code encode_krb5_ap_rep_enc_part
1798 	(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1799 
1800 krb5_error_code encode_krb5_as_req
1801 	(const krb5_kdc_req *rep, krb5_data **code);
1802 
1803 krb5_error_code encode_krb5_tgs_req
1804 	(const krb5_kdc_req *rep, krb5_data **code);
1805 
1806 krb5_error_code encode_krb5_kdc_req_body
1807 	(const krb5_kdc_req *rep, krb5_data **code);
1808 
1809 krb5_error_code encode_krb5_safe
1810 	(const krb5_safe *rep, krb5_data **code);
1811 
1812 krb5_error_code encode_krb5_safe_with_body
1813 	(const krb5_safe *rep, const krb5_data *body, krb5_data **code);
1814 
1815 krb5_error_code encode_krb5_priv
1816 	(const krb5_priv *rep, krb5_data **code);
1817 
1818 krb5_error_code encode_krb5_enc_priv_part
1819 	(const krb5_priv_enc_part *rep, krb5_data **code);
1820 
1821 krb5_error_code encode_krb5_cred
1822 	(const krb5_cred *rep, krb5_data **code);
1823 
1824 krb5_error_code encode_krb5_enc_cred_part
1825 	(const krb5_cred_enc_part *rep, krb5_data **code);
1826 
1827 krb5_error_code encode_krb5_error
1828 	(const krb5_error *rep, krb5_data **code);
1829 
1830 krb5_error_code encode_krb5_authdata
1831 	(const krb5_authdata **rep, krb5_data **code);
1832 
1833 krb5_error_code encode_krb5_authdata_elt
1834 	(const krb5_authdata *rep, krb5_data **code);
1835 
1836 krb5_error_code encode_krb5_pwd_sequence
1837 	(const passwd_phrase_element *rep, krb5_data **code);
1838 
1839 krb5_error_code encode_krb5_pwd_data
1840 	(const krb5_pwd_data *rep, krb5_data **code);
1841 
1842 krb5_error_code encode_krb5_padata_sequence
1843 	(const krb5_pa_data ** rep, krb5_data **code);
1844 
1845 krb5_error_code encode_krb5_alt_method
1846 	(const krb5_alt_method *, krb5_data **code);
1847 
1848 krb5_error_code encode_krb5_etype_info
1849 	(const krb5_etype_info_entry **, krb5_data **code);
1850 krb5_error_code encode_krb5_etype_info2
1851 	(const krb5_etype_info_entry **, krb5_data **code);
1852 
1853 krb5_error_code encode_krb5_enc_data
1854     	(const krb5_enc_data *, krb5_data **);
1855 
1856 krb5_error_code encode_krb5_pa_enc_ts
1857     	(const krb5_pa_enc_ts *, krb5_data **);
1858 
1859 krb5_error_code encode_krb5_sam_challenge
1860 	(const krb5_sam_challenge * , krb5_data **);
1861 
1862 krb5_error_code encode_krb5_sam_key
1863 	(const krb5_sam_key * , krb5_data **);
1864 
1865 krb5_error_code encode_krb5_enc_sam_response_enc
1866 	(const krb5_enc_sam_response_enc * , krb5_data **);
1867 
1868 krb5_error_code encode_krb5_sam_response
1869 	(const krb5_sam_response * , krb5_data **);
1870 
1871 krb5_error_code encode_krb5_sam_challenge_2
1872 	(const krb5_sam_challenge_2 * , krb5_data **);
1873 
1874 krb5_error_code encode_krb5_sam_challenge_2_body
1875 	(const krb5_sam_challenge_2_body * , krb5_data **);
1876 
1877 krb5_error_code encode_krb5_enc_sam_response_enc_2
1878 	(const krb5_enc_sam_response_enc_2 * , krb5_data **);
1879 
1880 krb5_error_code encode_krb5_sam_response_2
1881 	(const krb5_sam_response_2 * , krb5_data **);
1882 
1883 krb5_error_code encode_krb5_predicted_sam_response
1884 	(const krb5_predicted_sam_response * , krb5_data **);
1885 
1886 krb5_error_code encode_krb5_setpw_req
1887 (const krb5_principal target, char *password, krb5_data **code);
1888 
1889 /*************************************************************************
1890  * End of prototypes for krb5_encode.c
1891  *************************************************************************/
1892 
1893 krb5_error_code decode_krb5_sam_challenge
1894        (const krb5_data *, krb5_sam_challenge **);
1895 
1896 krb5_error_code decode_krb5_enc_sam_key
1897        (const krb5_data *, krb5_sam_key **);
1898 
1899 krb5_error_code decode_krb5_enc_sam_response_enc
1900        (const krb5_data *, krb5_enc_sam_response_enc **);
1901 
1902 krb5_error_code decode_krb5_sam_response
1903        (const krb5_data *, krb5_sam_response **);
1904 
1905 krb5_error_code decode_krb5_predicted_sam_response
1906        (const krb5_data *, krb5_predicted_sam_response **);
1907 
1908 krb5_error_code decode_krb5_sam_challenge_2
1909 	(const krb5_data *, krb5_sam_challenge_2 **);
1910 
1911 krb5_error_code decode_krb5_sam_challenge_2_body
1912 	(const krb5_data *, krb5_sam_challenge_2_body **);
1913 
1914 krb5_error_code decode_krb5_enc_sam_response_enc_2
1915 	(const krb5_data *, krb5_enc_sam_response_enc_2 **);
1916 
1917 krb5_error_code decode_krb5_sam_response_2
1918 	(const krb5_data *, krb5_sam_response_2 **);
1919 
1920 
1921 /*************************************************************************
1922  * Prototypes for krb5_decode.c
1923  *************************************************************************/
1924 
1925 krb5_error_code krb5_validate_times
1926        (krb5_context,
1927 		       krb5_ticket_times *);
1928 
1929 /*
1930    krb5_error_code decode_krb5_structure(const krb5_data *code,
1931                                          krb5_structure **rep);
1932 
1933    requires  Expects **rep to not have been allocated;
1934               a new *rep is allocated regardless of the old value.
1935    effects   Decodes *code into **rep.
1936 	     Returns ENOMEM if memory is exhausted.
1937              Returns asn1 and krb5 errors.
1938 */
1939 
1940 krb5_error_code decode_krb5_authenticator
1941 	(const krb5_data *code, krb5_authenticator **rep);
1942 
1943 krb5_error_code decode_krb5_ticket
1944 	(const krb5_data *code, krb5_ticket **rep);
1945 
1946 krb5_error_code decode_krb5_encryption_key
1947 	(const krb5_data *output, krb5_keyblock **rep);
1948 
1949 krb5_error_code decode_krb5_enc_tkt_part
1950 	(const krb5_data *output, krb5_enc_tkt_part **rep);
1951 
1952 krb5_error_code decode_krb5_enc_kdc_rep_part
1953 	(const krb5_data *output, krb5_enc_kdc_rep_part **rep);
1954 
1955 krb5_error_code decode_krb5_as_rep
1956 	(const krb5_data *output, krb5_kdc_rep **rep);
1957 
1958 krb5_error_code decode_krb5_tgs_rep
1959 	(const krb5_data *output, krb5_kdc_rep **rep);
1960 
1961 krb5_error_code decode_krb5_ap_req
1962 	(const krb5_data *output, krb5_ap_req **rep);
1963 
1964 krb5_error_code decode_krb5_ap_rep
1965 	(const krb5_data *output, krb5_ap_rep **rep);
1966 
1967 krb5_error_code decode_krb5_ap_rep_enc_part
1968 	(const krb5_data *output, krb5_ap_rep_enc_part **rep);
1969 
1970 krb5_error_code decode_krb5_as_req
1971 	(const krb5_data *output, krb5_kdc_req **rep);
1972 
1973 krb5_error_code decode_krb5_tgs_req
1974 	(const krb5_data *output, krb5_kdc_req **rep);
1975 
1976 krb5_error_code decode_krb5_kdc_req_body
1977 	(const krb5_data *output, krb5_kdc_req **rep);
1978 
1979 krb5_error_code decode_krb5_safe
1980 	(const krb5_data *output, krb5_safe **rep);
1981 
1982 krb5_error_code decode_krb5_safe_with_body
1983 	(const krb5_data *output, krb5_safe **rep, krb5_data *body);
1984 
1985 krb5_error_code decode_krb5_priv
1986 	(const krb5_data *output, krb5_priv **rep);
1987 
1988 krb5_error_code decode_krb5_enc_priv_part
1989 	(const krb5_data *output, krb5_priv_enc_part **rep);
1990 
1991 krb5_error_code decode_krb5_cred
1992 	(const krb5_data *output, krb5_cred **rep);
1993 
1994 krb5_error_code decode_krb5_enc_cred_part
1995 	(const krb5_data *output, krb5_cred_enc_part **rep);
1996 
1997 krb5_error_code decode_krb5_error
1998 	(const krb5_data *output, krb5_error **rep);
1999 
2000 krb5_error_code decode_krb5_authdata
2001 	(const krb5_data *output, krb5_authdata ***rep);
2002 
2003 krb5_error_code decode_krb5_pwd_sequence
2004 	(const krb5_data *output, passwd_phrase_element **rep);
2005 
2006 krb5_error_code decode_krb5_pwd_data
2007 	(const krb5_data *output, krb5_pwd_data **rep);
2008 
2009 krb5_error_code decode_krb5_padata_sequence
2010 	(const krb5_data *output, krb5_pa_data ***rep);
2011 
2012 krb5_error_code decode_krb5_alt_method
2013 	(const krb5_data *output, krb5_alt_method **rep);
2014 
2015 krb5_error_code decode_krb5_etype_info
2016 	(const krb5_data *output, krb5_etype_info_entry ***rep);
2017 
2018 krb5_error_code decode_krb5_etype_info2
2019 	(const krb5_data *output, krb5_etype_info_entry ***rep);
2020 
2021 krb5_error_code decode_krb5_enc_data
2022 	(const krb5_data *output, krb5_enc_data **rep);
2023 
2024 krb5_error_code decode_krb5_pa_enc_ts
2025 	(const krb5_data *output, krb5_pa_enc_ts **rep);
2026 
2027 krb5_error_code decode_krb5_sam_key
2028 	(const krb5_data *, krb5_sam_key **);
2029 
2030 struct _krb5_key_data;		/* kdb.h */
2031 krb5_error_code
2032 krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data,
2033 				      krb5_int16 n_key_data,
2034 				      krb5_int32 mkvno,
2035 				      krb5_data **code);
2036 
2037 krb5_error_code
2038 krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
2039 				      struct _krb5_key_data **out,
2040 				      krb5_int16 *n_key_data,
2041 				      int *mkvno);
2042 
2043 /*************************************************************************
2044  * End of prototypes for krb5_decode.c
2045  *************************************************************************/
2046 
2047 #endif /* KRB5_ASN1__ */
2048 /*
2049  * End "asn1.h"
2050  */
2051 
2052 
2053 /*
2054  * Internal krb5 library routines
2055  */
2056 krb5_error_code krb5_encrypt_tkt_part
2057 	(krb5_context,
2058 		const krb5_keyblock *,
2059 		krb5_ticket * );
2060 
2061 
2062 krb5_error_code krb5_encode_kdc_rep
2063 	(krb5_context,
2064 		const krb5_msgtype,
2065 		const krb5_enc_kdc_rep_part *,
2066 		int using_subkey,
2067 		const krb5_keyblock *,
2068 		krb5_kdc_rep *,
2069 		krb5_data ** );
2070 
2071 krb5_boolean krb5int_auth_con_chkseqnum
2072 	(krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
2073 /*
2074  * [De]Serialization Handle and operations.
2075  */
2076 struct __krb5_serializer {
2077     krb5_magic		odtype;
2078     krb5_error_code	(*sizer) (krb5_context,
2079 						  krb5_pointer,
2080 						  size_t *);
2081     krb5_error_code	(*externalizer) (krb5_context,
2082 							 krb5_pointer,
2083 							 krb5_octet **,
2084 							 size_t *);
2085     krb5_error_code	(*internalizer) (krb5_context,
2086 							 krb5_pointer *,
2087 							 krb5_octet **,
2088 							 size_t *);
2089 };
2090 typedef const struct __krb5_serializer * krb5_ser_handle;
2091 typedef struct __krb5_serializer krb5_ser_entry;
2092 
2093 krb5_ser_handle krb5_find_serializer
2094 	(krb5_context,
2095 		krb5_magic);
2096 krb5_error_code krb5_register_serializer
2097 	(krb5_context,
2098 			const krb5_ser_entry *);
2099 
2100 /* Determine the external size of a particular opaque structure */
2101 krb5_error_code KRB5_CALLCONV krb5_size_opaque
2102 	(krb5_context,
2103 		krb5_magic,
2104 		krb5_pointer,
2105 		size_t *);
2106 
2107 /* Serialize the structure into a buffer */
2108 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
2109 	(krb5_context,
2110 		krb5_magic,
2111 		krb5_pointer,
2112 		krb5_octet **,
2113 		size_t *);
2114 
2115 /* Deserialize the structure from a buffer */
2116 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
2117 	(krb5_context,
2118 		krb5_magic,
2119 		krb5_pointer *,
2120 		krb5_octet **,
2121 		size_t *);
2122 
2123 /* Serialize data into a buffer */
2124 krb5_error_code krb5_externalize_data
2125 	(krb5_context,
2126 		krb5_pointer,
2127 		krb5_octet **,
2128 		size_t *);
2129 /*
2130  * Initialization routines.
2131  */
2132 
2133 /* Initialize serialization for krb5_[os_]context */
2134 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
2135 	(krb5_context);
2136 
2137 /* Initialize serialization for krb5_auth_context */
2138 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
2139 	(krb5_context);
2140 
2141 /* Initialize serialization for krb5_keytab */
2142 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
2143 	(krb5_context);
2144 
2145 /* Initialize serialization for krb5_ccache */
2146 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
2147 	(krb5_context);
2148 
2149 /* Initialize serialization for krb5_rcache */
2150 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
2151 	(krb5_context);
2152 
2153 /* [De]serialize 4-byte integer */
2154 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
2155 	(krb5_int32,
2156 		krb5_octet **,
2157 		size_t *);
2158 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
2159 	(krb5_int32 *,
2160 		krb5_octet **,
2161 		size_t *);
2162 /* [De]serialize 8-byte integer */
2163 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
2164 	(krb5_int64, krb5_octet **, size_t *);
2165 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
2166 	(krb5_int64 *, krb5_octet **, size_t *);
2167 /* [De]serialize byte string */
2168 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
2169 	(krb5_octet *,
2170 		size_t,
2171 		krb5_octet **,
2172 		size_t *);
2173 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
2174 	(krb5_octet *,
2175 		size_t,
2176 		krb5_octet **,
2177 		size_t *);
2178 
2179 krb5_error_code KRB5_CALLCONV krb5int_cc_default
2180 	(krb5_context, krb5_ccache *);
2181 
2182 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
2183 	(krb5_context, krb5_ccache, krb5_flags,
2184 			krb5_creds *, krb5_creds *);
2185 
2186 krb5_boolean KRB5_CALLCONV
2187 krb5_creds_compare (krb5_context in_context,
2188                     krb5_creds *in_creds,
2189                     krb5_creds *in_compare_creds);
2190 
2191 void krb5int_set_prompt_types
2192 	(krb5_context, krb5_prompt_type *);
2193 
2194 krb5_error_code
2195 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
2196 				  krb5_keyblock * /* Old keyblock, not new!  */);
2197 
2198 /* set and change password helpers */
2199 
2200 krb5_error_code krb5int_mk_chpw_req
2201 	(krb5_context context, krb5_auth_context auth_context,
2202  			krb5_data *ap_req, char *passwd, krb5_data *packet);
2203 krb5_error_code krb5int_rd_chpw_rep
2204 	(krb5_context context, krb5_auth_context auth_context,
2205 		       krb5_data *packet, int *result_code,
2206 		       krb5_data *result_data);
2207 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
2208 	(krb5_context context, int result_code,
2209 			char **result_codestr);
2210 krb5_error_code  krb5int_mk_setpw_req
2211 	(krb5_context context, krb5_auth_context auth_context,
2212  			krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
2213 krb5_error_code krb5int_rd_setpw_rep
2214 	(krb5_context context, krb5_auth_context auth_context,
2215 		       krb5_data *packet, int *result_code,
2216 		       krb5_data *result_data);
2217 krb5_error_code krb5int_setpw_result_code_string
2218 	(krb5_context context, int result_code,
2219 			const char **result_codestr);
2220 
2221 struct srv_dns_entry {
2222     struct srv_dns_entry *next;
2223     int priority;
2224     int weight;
2225     unsigned short port;
2226     char *host;
2227 };
2228 #ifdef KRB5_DNS_LOOKUP
2229 krb5_error_code
2230 krb5int_make_srv_query_realm(const krb5_data *realm,
2231 			     const char *service,
2232 			     const char *protocol,
2233 			     struct srv_dns_entry **answers);
2234 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2235 #endif
2236 
2237 /*
2238  * Convenience function for structure magic number
2239  */
2240 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
2241     if ((structure)->magic != (magic_number)) return (magic_number);
2242 
2243 
2244 /* SUNW14resync XXX - see k5-util.h */
2245 #if 0
2246 int krb5_seteuid  (int);
2247 #endif
2248 
2249 char * krb5_getenv(const char *);
2250 int krb5_setenv  (const char *, const char *, int);
2251 void krb5_unsetenv  (const char *);
2252 
2253 
2254 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it
2255    for future resync sake */
2256 
2257 /* To keep happy libraries which are (for now) accessing internal stuff */
2258 
2259 /* Make sure to increment by one when changing the struct */
2260 #define KRB5INT_ACCESS_STRUCT_VERSION 12
2261 
2262 #ifndef ANAME_SZ
2263 struct ktext;			/* from krb.h, for krb524 support */
2264 #endif
2265 typedef struct _krb5int_access {
2266     /* crypto stuff */
2267     const struct krb5_hash_provider *md5_hash_provider;
2268     const struct krb5_enc_provider *arcfour_enc_provider;
2269     krb5_error_code (* krb5_hmac) (krb5_context, const struct krb5_hash_provider *hash,
2270 				   const krb5_keyblock *key,
2271 				   unsigned int icount, const krb5_data *input,
2272 				   krb5_data *output);
2273     /* service location and communication */
2274 #ifndef _KERNEL
2275     krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
2276 				   const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
2277 				   struct sockaddr *, socklen_t *,struct sockaddr *,
2278 				   socklen_t *, int *,
2279 				   int (*msg_handler)(krb5_context, const krb5_data *, void *),
2280 				   void *msg_handler_data);
2281     krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2282 					const char *hostname,
2283 					int port, int secport,
2284 					int socktype, int family);
2285     void (*free_addrlist) (struct addrlist *);
2286 #endif /* _KERNEL */
2287 
2288     krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2289 					    const char *service,
2290 					    const char *protocol,
2291 					    struct srv_dns_entry **answers);
2292     void (*free_srv_dns_data)(struct srv_dns_entry *);
2293     int (*use_dns_kdc)(krb5_context);
2294 
2295     /* krb4 compatibility stuff -- may be null if not enabled */
2296     krb5_int32 (*krb_life_to_time)(krb5_int32, int);
2297     int (*krb_time_to_life)(krb5_int32, krb5_int32);
2298     int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
2299     krb5_error_code (*krb5int_c_mandatory_cksumtype)
2300         (krb5_context, krb5_enctype, krb5_cksumtype *);
2301     krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
2302         (krb5_int64, krb5_octet **, size_t *);
2303     krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
2304         (krb5_int64 *, krb5_octet **, size_t *);
2305 
2306     /* Used for KDB LDAP back end.  */
2307     krb5_error_code
2308     (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data,
2309 					  krb5_int16 n_key_data,
2310 					  krb5_int32 mkvno,
2311 					  krb5_data **code);
2312 
2313     krb5_error_code
2314     (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
2315 					  struct _krb5_key_data **out,
2316 					  krb5_int16 *n_key_data,
2317 					  int *mkvno);
2318 
2319     /*
2320      * pkinit asn.1 encode/decode functions
2321      */
2322     krb5_error_code (*encode_krb5_auth_pack)
2323         (const krb5_auth_pack *rep, krb5_data **code);
2324     krb5_error_code (*encode_krb5_auth_pack_draft9)
2325         (const krb5_auth_pack_draft9 *rep, krb5_data **code);
2326     krb5_error_code (*encode_krb5_kdc_dh_key_info)
2327         (const krb5_kdc_dh_key_info *rep, krb5_data **code);
2328     krb5_error_code (*encode_krb5_pa_pk_as_rep)
2329         (const krb5_pa_pk_as_rep *rep, krb5_data **code);
2330     krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9)
2331         (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code);
2332     krb5_error_code (*encode_krb5_pa_pk_as_req)
2333 	(const krb5_pa_pk_as_req *rep, krb5_data **code);
2334     krb5_error_code (*encode_krb5_pa_pk_as_req_draft9)
2335 	(const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code);
2336     krb5_error_code (*encode_krb5_reply_key_pack)
2337         (const krb5_reply_key_pack *, krb5_data **code);
2338     krb5_error_code (*encode_krb5_reply_key_pack_draft9)
2339         (const krb5_reply_key_pack_draft9 *, krb5_data **code);
2340     krb5_error_code (*encode_krb5_td_dh_parameters)
2341         (const krb5_algorithm_identifier **, krb5_data **code);
2342     krb5_error_code (*encode_krb5_td_trusted_certifiers)
2343         (const krb5_external_principal_identifier **, krb5_data **code);
2344     krb5_error_code (*encode_krb5_typed_data)
2345         (const krb5_typed_data **, krb5_data **code);
2346 
2347     krb5_error_code (*decode_krb5_auth_pack)
2348         (const krb5_data *, krb5_auth_pack **);
2349     krb5_error_code (*decode_krb5_auth_pack_draft9)
2350         (const krb5_data *, krb5_auth_pack_draft9 **);
2351     krb5_error_code (*decode_krb5_pa_pk_as_req)
2352         (const krb5_data *, krb5_pa_pk_as_req **);
2353     krb5_error_code (*decode_krb5_pa_pk_as_req_draft9)
2354         (const krb5_data *, krb5_pa_pk_as_req_draft9 **);
2355     krb5_error_code (*decode_krb5_pa_pk_as_rep)
2356         (const krb5_data *, krb5_pa_pk_as_rep **);
2357     krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9)
2358         (const krb5_data *, krb5_pa_pk_as_rep_draft9 **);
2359     krb5_error_code (*decode_krb5_kdc_dh_key_info)
2360         (const krb5_data *, krb5_kdc_dh_key_info **);
2361     krb5_error_code (*decode_krb5_principal_name)
2362         (const krb5_data *, krb5_principal_data **);
2363     krb5_error_code (*decode_krb5_reply_key_pack)
2364         (const krb5_data *, krb5_reply_key_pack **);
2365     krb5_error_code (*decode_krb5_reply_key_pack_draft9)
2366         (const krb5_data *, krb5_reply_key_pack_draft9 **);
2367     krb5_error_code (*decode_krb5_td_dh_parameters)
2368         (const krb5_data *, krb5_algorithm_identifier ***);
2369     krb5_error_code (*decode_krb5_td_trusted_certifiers)
2370         (const krb5_data *, krb5_external_principal_identifier ***);
2371     krb5_error_code (*decode_krb5_typed_data)
2372         (const krb5_data *, krb5_typed_data ***);
2373 
2374     krb5_error_code (*decode_krb5_as_req)
2375 	(const krb5_data *output, krb5_kdc_req **rep);
2376     krb5_error_code (*encode_krb5_kdc_req_body)
2377 	(const krb5_kdc_req *rep, krb5_data **code);
2378     void (KRB5_CALLCONV *krb5_free_kdc_req)
2379 	(krb5_context, krb5_kdc_req * );
2380     void (*krb5int_set_prompt_types)
2381 	(krb5_context, krb5_prompt_type *);
2382     krb5_error_code (*encode_krb5_authdata_elt)
2383 	(const krb5_authdata *rep, krb5_data **code);
2384 
2385 } krb5int_access;
2386 
2387 #define KRB5INT_ACCESS_VERSION \
2388     (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2389 		   (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2390 
2391 krb5_error_code KRB5_CALLCONV krb5int_accessor
2392 	(krb5int_access*, krb5_int32);
2393 
2394 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2395    because AFS (and potentially other applications?) use the krb4
2396    object as an opaque token, which (in some implementations) is not
2397    in fact a krb4 ticket, so we don't want to drag in the krb4 support
2398    just to enable this.  */
2399 
2400 #define KRB524_SERVICE "krb524"
2401 #define KRB524_PORT 4444
2402 
2403 /* v4lifetime.c */
2404 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
2405 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
2406 
2407 /* conv_creds.c */
2408 int krb5int_encode_v4tkt
2409 	(struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
2410 
2411 /* send524.c */
2412 int krb5int_524_sendto_kdc
2413         (krb5_context context, const krb5_data * message,
2414 	 const krb5_data * realm, krb5_data * reply,
2415 	 struct sockaddr *, socklen_t *);
2416 
2417 /* temporary -- this should be under lib/krb5/ccache somewhere */
2418 
2419 struct _krb5_ccache {
2420     krb5_magic magic;
2421     const struct _krb5_cc_ops *ops;
2422     krb5_pointer data;
2423 };
2424 
2425 /*
2426  * Per-type ccache cursor.
2427  */
2428 struct krb5_cc_ptcursor {
2429     const struct _krb5_cc_ops *ops;
2430     krb5_pointer data;
2431 };
2432 typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor;
2433 
2434 struct _krb5_cc_ops {
2435     krb5_magic magic;
2436     char *prefix;
2437     const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
2438     krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
2439 					    const char *);
2440     krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2441     krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2442 					    krb5_principal);
2443     krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2444     krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2445     krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2446 					    krb5_creds *);
2447     krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2448 					    krb5_flags, krb5_creds *,
2449 					    krb5_creds *);
2450     krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2451 					    krb5_principal *);
2452     krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2453 					    krb5_cc_cursor *);
2454     krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2455 					    krb5_cc_cursor *, krb5_creds *);
2456     krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2457 					    krb5_cc_cursor *);
2458     krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2459 					    krb5_flags, krb5_creds *);
2460     krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2461 					    krb5_flags);
2462     krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache,
2463 						krb5_flags *);
2464     krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2465 						  krb5_cc_ptcursor *);
2466     krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2467 						   krb5_cc_ptcursor,
2468 						   krb5_ccache *);
2469     krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2470 						   krb5_cc_ptcursor *);
2471     krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache);
2472     krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2473 						krb5_ccache, krb5_timestamp *);
2474     krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2475 						krb5_timestamp *);
2476 };
2477 
2478 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2479 
2480 krb5_error_code
2481 krb5int_cc_os_default_name(krb5_context context, char **name);
2482 
2483 /*
2484  * Cursor for iterating over ccache types
2485  */
2486 struct krb5_cc_typecursor;
2487 typedef struct krb5_cc_typecursor *krb5_cc_typecursor;
2488 
2489 krb5_error_code
2490 krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *cursor);
2491 
2492 krb5_error_code
2493 krb5int_cc_typecursor_next(
2494     krb5_context context,
2495     krb5_cc_typecursor cursor,
2496     const struct _krb5_cc_ops **ops);
2497 
2498 krb5_error_code
2499 krb5int_cc_typecursor_free(
2500     krb5_context context,
2501     krb5_cc_typecursor *cursor);
2502 
2503 typedef struct _krb5_donot_replay {
2504     krb5_magic magic;
2505     krb5_ui_4 hash;
2506     char *server;			/* null-terminated */
2507     char *client;			/* null-terminated */
2508     krb5_int32 cusec;
2509     krb5_timestamp ctime;
2510 } krb5_donot_replay;
2511 
2512 krb5_error_code krb5_rc_default
2513 	(krb5_context,
2514 		krb5_rcache *);
2515 krb5_error_code krb5_rc_resolve_type
2516 	(krb5_context,
2517 		krb5_rcache *,char *);
2518 krb5_error_code krb5_rc_resolve_full
2519 	(krb5_context,
2520 		krb5_rcache *,char *);
2521 char * krb5_rc_get_type
2522 	(krb5_context,
2523 		krb5_rcache);
2524 char * krb5_rc_default_type
2525 	(krb5_context);
2526 char * krb5_rc_default_name
2527 	(krb5_context);
2528 krb5_error_code krb5_auth_to_rep
2529 	(krb5_context,
2530 		krb5_tkt_authent *,
2531 		krb5_donot_replay *);
2532 
2533 
2534 krb5_error_code KRB5_CALLCONV krb5_rc_initialize
2535 	(krb5_context, krb5_rcache,krb5_deltat);
2536 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
2537 	(krb5_context, krb5_rcache,krb5_deltat);
2538 krb5_error_code KRB5_CALLCONV krb5_rc_recover
2539 	(krb5_context, krb5_rcache);
2540 krb5_error_code KRB5_CALLCONV krb5_rc_destroy
2541 	(krb5_context, krb5_rcache);
2542 krb5_error_code KRB5_CALLCONV krb5_rc_close
2543 	(krb5_context, krb5_rcache);
2544 krb5_error_code KRB5_CALLCONV krb5_rc_store
2545 	(krb5_context, krb5_rcache,krb5_donot_replay *);
2546 krb5_error_code KRB5_CALLCONV krb5_rc_expunge
2547 	(krb5_context, krb5_rcache);
2548 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
2549 	(krb5_context, krb5_rcache,krb5_deltat *);
2550 char *KRB5_CALLCONV krb5_rc_get_name
2551 	(krb5_context, krb5_rcache);
2552 krb5_error_code KRB5_CALLCONV krb5_rc_resolve
2553 	(krb5_context, krb5_rcache, char *);
2554 
2555 typedef struct _krb5_kt_ops {
2556     krb5_magic magic;
2557     char *prefix;
2558     /* routines always present */
2559     krb5_error_code (KRB5_CALLCONV *resolve)
2560 	(krb5_context,
2561 		 const char *,
2562 		 krb5_keytab *);
2563     krb5_error_code (KRB5_CALLCONV *get_name)
2564 	(krb5_context,
2565 		 krb5_keytab,
2566 		 char *,
2567 		 unsigned int);
2568     krb5_error_code (KRB5_CALLCONV *close)
2569 	(krb5_context,
2570 		 krb5_keytab);
2571     krb5_error_code (KRB5_CALLCONV *get)
2572 	(krb5_context,
2573 		 krb5_keytab,
2574 		 krb5_const_principal,
2575 		 krb5_kvno,
2576 		 krb5_enctype,
2577 		 krb5_keytab_entry *);
2578     krb5_error_code (KRB5_CALLCONV *start_seq_get)
2579 	(krb5_context,
2580 		 krb5_keytab,
2581 		 krb5_kt_cursor *);
2582     krb5_error_code (KRB5_CALLCONV *get_next)
2583 	(krb5_context,
2584 		 krb5_keytab,
2585 		 krb5_keytab_entry *,
2586 		 krb5_kt_cursor *);
2587     krb5_error_code (KRB5_CALLCONV *end_get)
2588 	(krb5_context,
2589 		 krb5_keytab,
2590 		 krb5_kt_cursor *);
2591     /* routines to be included on extended version (write routines) */
2592     krb5_error_code (KRB5_CALLCONV *add)
2593 	(krb5_context,
2594 		 krb5_keytab,
2595 		 krb5_keytab_entry *);
2596     krb5_error_code (KRB5_CALLCONV *remove)
2597 	(krb5_context,
2598 		 krb5_keytab,
2599 		  krb5_keytab_entry *);
2600 
2601     /* Handle for serializer */
2602     const krb5_ser_entry *serializer;
2603 } krb5_kt_ops;
2604 
2605 extern const krb5_kt_ops krb5_kt_dfl_ops;
2606 
2607 extern krb5_error_code krb5int_translate_gai_error (int);
2608 
2609 /* Not sure it's ready for exposure just yet.  */
2610 extern krb5_error_code
2611 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
2612 
2613 extern int krb5int_crypto_init (void);
2614 extern int krb5int_prng_init(void);
2615 
2616 /*
2617  * SUNW14resync
2618  * Hack (?) to neuter C99 "inline" which causes warnings w/our build.
2619  */
2620 #define inline
2621 
2622 /* Solaris kerberos */
2623 krb5_boolean KRB5_CALLCONV is_in_keytype
2624 	(krb5_const krb5_enctype *keytype,
2625 	int numkeytypes, krb5_enctype enctype);
2626 
2627 /*
2628  * Solaris Kerberos
2629  * Use krb5_getuid() to select the mechanism to obtain the uid.
2630  */
2631 extern uid_t	krb5_getuid();
2632 
2633 /*
2634  * Referral definitions, debugging hooks, and subfunctions.
2635  */
2636 #define        KRB5_REFERRAL_MAXHOPS	5
2637 /* #define DEBUG_REFERRALS */
2638 
2639 #ifdef DEBUG_REFERRALS
2640 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2641 #endif
2642 
2643 /* Common hostname-parsing code. */
2644 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
2645 	(krb5_context,
2646 		const char *,
2647 		char *,
2648 		size_t);
2649 
2650 #endif /* _KRB5_INT_H */
2651