1 /* 2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology, 8 * Cambridge, MA, USA. All Rights Reserved. 9 * 10 * This software is being provided to you, the LICENSEE, by the 11 * Massachusetts Institute of Technology (M.I.T.) under the following 12 * license. By obtaining, using and/or copying this software, you agree 13 * that you have read, understood, and will comply with these terms and 14 * conditions: 15 * 16 * Export of this software from the United States of America may 17 * require a specific license from the United States Government. 18 * It is the responsibility of any person or organization contemplating 19 * export to obtain such a license before exporting. 20 * 21 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute 22 * this software and its documentation for any purpose and without fee or 23 * royalty is hereby granted, provided that you agree to comply with the 24 * following copyright notice and statements, including the disclaimer, and 25 * that the same appear on ALL copies of the software and documentation, 26 * including modifications that you make for internal use or for 27 * distribution: 28 * 29 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS 30 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not 31 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF 32 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF 33 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY 34 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. 35 * 36 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT 37 * be used in advertising or publicity pertaining to distribution of the 38 * software. Title to copyright in this software and any associated 39 * documentation shall at all times remain with M.I.T., and USER agrees to 40 * preserve same. 41 * 42 * Furthermore if you modify this software you must label 43 * your software as modified software and not distribute it in such a 44 * fashion that it might be confused with the original M.I.T. software. 45 */ 46 47 /* 48 * Copyright (C) 1998 by the FundsXpress, INC. 49 * 50 * All rights reserved. 51 * 52 * Export of this software from the United States of America may require 53 * a specific license from the United States Government. It is the 54 * responsibility of any person or organization contemplating export to 55 * obtain such a license before exporting. 56 * 57 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 58 * distribute this software and its documentation for any purpose and 59 * without fee is hereby granted, provided that the above copyright 60 * notice appear in all copies and that both that copyright notice and 61 * this permission notice appear in supporting documentation, and that 62 * the name of FundsXpress. not be used in advertising or publicity pertaining 63 * to distribution of the software without specific, written prior 64 * permission. FundsXpress makes no representations about the suitability of 65 * this software for any purpose. It is provided "as is" without express 66 * or implied warranty. 67 * 68 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 69 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 70 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 71 */ 72 73 /* 74 * This prototype for k5-int.h (Krb5 internals include file) 75 * includes the user-visible definitions from krb5.h and then 76 * includes other definitions that are not user-visible but are 77 * required for compiling Kerberos internal routines. 78 * 79 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995 80 */ 81 82 #ifndef _KRB5_INT_H 83 #define _KRB5_INT_H 84 85 #ifdef KRB5_GENERAL__ 86 #error krb5.h included before k5-int.h 87 #endif /* KRB5_GENERAL__ */ 88 89 #ifndef _KERNEL 90 #include <osconf.h> 91 #include <security/cryptoki.h> 92 #else 93 #include <sys/crypto/common.h> 94 #include <sys/crypto/api.h> 95 #endif 96 97 #ifdef DEBUG 98 #if !defined(KRB5_DEBUG) 99 #define KRB5_DEBUG 100 #endif 101 #ifndef KRB5_LOG_LVL 102 #define KRB5_LOG_LVL KRB5_ERR 103 #endif 104 #endif /* DEBUG */ 105 106 #ifdef _KERNEL 107 108 #ifdef DEBUG 109 #include <sys/types.h> 110 #include <sys/cmn_err.h> 111 extern void prom_printf(); 112 #endif /* DEBUG */ 113 114 #else /* !_KERNEL */ 115 116 #define prom_printf printf 117 118 #endif /* !_KERNEL */ 119 120 #ifdef KRB5_LOG_LVL 121 122 /* krb5_log is used to set the logging level to determine what class of messages 123 * are output by the mech. Note, more than one logging level can be used by 124 * bit or'ing the log values together. 125 * 126 * All log messages are captured by syslog. 127 */ 128 129 extern unsigned int krb5_log; 130 131 /* Note, these defines should be mutually exclusive bit fields */ 132 #define KRB5_ERR 1 /* Use this debug log level for error path logging. */ 133 #define KRB5_INFO 2 /* Use this debug log level for informational messages. */ 134 135 #ifdef _KERNEL 136 137 #define KRB5_LOG1(A, B, C, D) \ 138 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE))) 139 #define KRB5_LOG(A, B, C) \ 140 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE))) 141 #define KRB5_LOG0(A, B) \ 142 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE))) 143 144 #else /* !_KERNEL */ 145 146 #include <syslog.h> 147 148 #define KRB5_LOG1(A, B, C, D) \ 149 ((void)((krb5_log) && (krb5_log & (A)) && \ 150 (syslog(LOG_DEBUG, (B), (C), (D)), TRUE))) 151 #define KRB5_LOG(A, B, C) \ 152 ((void)((krb5_log) && (krb5_log & (A)) && \ 153 (syslog(LOG_DEBUG, (B), (C)), TRUE))) 154 #define KRB5_LOG0(A, B) \ 155 ((void)((krb5_log) && (krb5_log & (A)) && \ 156 (syslog(LOG_DEBUG, B), TRUE))) 157 158 #endif /* _KERNEL */ 159 160 #else /* ! KRB5_LOG_LVL */ 161 162 #define KRB5_LOG1(A, B, C, D) 163 #define KRB5_LOG(A, B, C) 164 #define KRB5_LOG0(A, B) 165 166 #endif /* KRB5_LOG_LVL */ 167 168 #ifdef POSIX_TYPES 169 #define timetype time_t 170 #else 171 #define timetype long 172 #endif 173 174 /* 175 * Begin "k5-config.h" 176 */ 177 #ifndef KRB5_CONFIG__ 178 #define KRB5_CONFIG__ 179 180 /* 181 * Machine-type definitions: PC Clone 386 running Microloss Windows 182 */ 183 184 #if defined(_MSDOS) || defined(_WIN32) 185 #include "win-mac.h" 186 187 /* Kerberos Windows initialization file */ 188 #define KERBEROS_INI "kerberos.ini" 189 #define INI_FILES "Files" 190 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */ 191 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */ 192 #define ANSI_STDIO 193 #endif 194 195 #ifndef _KERNEL 196 #ifndef KRB5_AUTOCONF__ 197 #define KRB5_AUTOCONF__ 198 #include "autoconf.h" 199 #endif 200 #endif /* !_KERNEL */ 201 202 #ifndef KRB5_SYSTYPES__ 203 #define KRB5_SYSTYPES__ 204 205 #ifndef _KERNEL 206 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */ 207 #include <sys/types.h> 208 #else /* HAVE_SYS_TYPES_H */ 209 typedef unsigned long u_long; 210 typedef unsigned int u_int; 211 typedef unsigned short u_short; 212 typedef unsigned char u_char; 213 #endif /* HAVE_SYS_TYPES_H */ 214 #endif /* KRB5_SYSTYPES__ */ 215 #endif /* !_KERNEL */ 216 217 218 /* #include "k5-platform.h" SUNW XXX */ 219 /* not used in krb5.h (yet) */ 220 typedef uint64_t krb5_ui_8; 221 typedef int64_t krb5_int64; 222 223 224 225 #define DEFAULT_PWD_STRING1 "Enter password:" 226 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:" 227 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ 228 #define KRB5_KDB_MAX_RLIFE (60*60*24*365) /* one year */ 229 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */ 230 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 231 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */ 232 233 /* 234 * Windows requires a different api interface to each function. Here 235 * just define it as NULL. 236 */ 237 #ifndef KRB5_CALLCONV 238 #define KRB5_CALLCONV 239 #define KRB5_CALLCONV_C 240 #endif 241 #ifndef O_BINARY 242 #define O_BINARY 0 243 #endif 244 245 #endif /* KRB5_CONFIG__ */ 246 247 /* 248 * End "k5-config.h" 249 */ 250 251 /* 252 * After loading the configuration definitions, load the Kerberos definitions. 253 */ 254 #ifndef _KERNEL 255 #include <errno.h> 256 #include "profile.h" 257 #endif 258 259 #include <krb5.h> 260 261 #ifndef _KERNEL 262 #if 1 /* def NEED_SOCKETS */ 263 #include <port-sockets.h> 264 #include <socket-utils.h> 265 #else 266 #ifndef SOCK_DGRAM 267 struct sockaddr; 268 #endif 269 #endif 270 #endif 271 272 /* Get mutex support; currently used only for the replay cache. */ 273 #include "k5-thread.h" 274 275 276 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory. 277 The ones that it doesn't include, we include below. */ 278 279 /* 280 * Begin "k5-errors.h" 281 */ 282 #ifndef KRB5_ERRORS__ 283 #define KRB5_ERRORS__ 284 285 286 /* Error codes used in KRB_ERROR protocol messages. 287 Return values of library routines are based on a different error table 288 (which allows non-ambiguous error codes between subsystems) */ 289 290 /* KDC errors */ 291 #define KDC_ERR_NONE 0 /* No error */ 292 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */ 293 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */ 294 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */ 295 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */ 296 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */ 297 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */ 298 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */ 299 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */ 300 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */ 301 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */ 302 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */ 303 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */ 304 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */ 305 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */ 306 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */ 307 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */ 308 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */ 309 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */ 310 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */ 311 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */ 312 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */ 313 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */ 314 #define KDC_ERR_KEY_EXP 23 /* Password has expired */ 315 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */ 316 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */ 317 /* required */ 318 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */ 319 /* ticket don't match*/ 320 #define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not 321 * available that is 322 * required to process the 323 * request */ 324 /* Application errors */ 325 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */ 326 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */ 327 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */ 328 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */ 329 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */ 330 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */ 331 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */ 332 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */ 333 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */ 334 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */ 335 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */ 336 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */ 337 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */ 338 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */ 339 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */ 340 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */ 341 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */ 342 /* method required */ 343 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */ 344 /* in message */ 345 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */ 346 /* checksum in message */ 347 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */ 348 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */ 349 /* retry with TCP */ 350 351 /* other errors */ 352 #define KRB_ERR_GENERIC 60 /* Generic error (description */ 353 /* in e-text) */ 354 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */ 355 356 /* PKINIT server-reported errors */ 357 #define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */ 358 #define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */ 359 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */ 360 #define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */ 361 /* trusted root cert */ 362 #define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */ 363 #define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */ 364 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */ 365 #define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */ 366 /* principal name */ 367 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */ 368 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */ 369 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */ 370 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */ 371 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81 372 373 #endif /* KRB5_ERRORS__ */ 374 /* 375 * End "k5-errors.h" 376 */ 377 378 /* 379 * This structure is returned in the e-data field of the KRB-ERROR 380 * message when the error calling for an alternative form of 381 * authentication is returned, KRB_AP_METHOD. 382 */ 383 typedef struct _krb5_alt_method { 384 krb5_magic magic; 385 krb5_int32 method; 386 unsigned int length; 387 krb5_octet *data; 388 } krb5_alt_method; 389 390 /* 391 * A null-terminated array of this structure is returned by the KDC as 392 * the data part of the ETYPE_INFO preauth type. It informs the 393 * client which encryption types are supported. 394 * The same data structure is used by both etype-info and etype-info2 395 * but s2kparams must be null when encoding etype-info. 396 */ 397 typedef struct _krb5_etype_info_entry { 398 krb5_magic magic; 399 krb5_enctype etype; 400 unsigned int length; 401 krb5_octet *salt; 402 krb5_data s2kparams; 403 } krb5_etype_info_entry; 404 405 /* 406 * This is essentially -1 without sign extension which can screw up 407 * comparisons on 64 bit machines. If the length is this value, then 408 * the salt data is not present. This is to distinguish between not 409 * being set and being of 0 length. 410 */ 411 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS 412 413 typedef krb5_etype_info_entry ** krb5_etype_info; 414 415 /* RFC 4537 */ 416 typedef struct _krb5_etype_list { 417 int length; 418 krb5_enctype *etypes; 419 } krb5_etype_list; 420 421 /* 422 * a sam_challenge is returned for alternate preauth 423 */ 424 /* 425 SAMFlags ::= BIT STRING { 426 use-sad-as-key[0], 427 send-encrypted-sad[1], 428 must-pk-encrypt-sad[2] 429 } 430 */ 431 /* 432 PA-SAM-CHALLENGE ::= SEQUENCE { 433 sam-type[0] INTEGER, 434 sam-flags[1] SAMFlags, 435 sam-type-name[2] GeneralString OPTIONAL, 436 sam-track-id[3] GeneralString OPTIONAL, 437 sam-challenge-label[4] GeneralString OPTIONAL, 438 sam-challenge[5] GeneralString OPTIONAL, 439 sam-response-prompt[6] GeneralString OPTIONAL, 440 sam-pk-for-sad[7] EncryptionKey OPTIONAL, 441 sam-nonce[8] INTEGER OPTIONAL, 442 sam-cksum[9] Checksum OPTIONAL 443 } 444 */ 445 /* sam_type values -- informational only */ 446 #define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */ 447 #define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */ 448 #define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */ 449 #define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */ 450 #define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */ 451 #define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */ 452 #if 1 /* XXX need to figure out who has which numbers assigned */ 453 #define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */ 454 #define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */ 455 #define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */ 456 #endif 457 #define PA_SAM_TYPE_EXP_BASE 128 /* experimental */ 458 #define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */ 459 #define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */ 460 461 typedef struct _krb5_predicted_sam_response { 462 krb5_magic magic; 463 krb5_keyblock sam_key; 464 krb5_flags sam_flags; /* Makes key munging easier */ 465 krb5_timestamp stime; /* time on server, for replay detection */ 466 krb5_int32 susec; 467 krb5_principal client; 468 krb5_data msd; /* mechanism specific data */ 469 } krb5_predicted_sam_response; 470 471 typedef struct _krb5_sam_challenge { 472 krb5_magic magic; 473 krb5_int32 sam_type; /* information */ 474 krb5_flags sam_flags; /* KRB5_SAM_* values */ 475 krb5_data sam_type_name; 476 krb5_data sam_track_id; 477 krb5_data sam_challenge_label; 478 krb5_data sam_challenge; 479 krb5_data sam_response_prompt; 480 krb5_data sam_pk_for_sad; 481 krb5_int32 sam_nonce; 482 krb5_checksum sam_cksum; 483 } krb5_sam_challenge; 484 485 typedef struct _krb5_sam_key { /* reserved for future use */ 486 krb5_magic magic; 487 krb5_keyblock sam_key; 488 } krb5_sam_key; 489 490 typedef struct _krb5_enc_sam_response_enc { 491 krb5_magic magic; 492 krb5_int32 sam_nonce; 493 krb5_timestamp sam_timestamp; 494 krb5_int32 sam_usec; 495 krb5_data sam_sad; 496 } krb5_enc_sam_response_enc; 497 498 typedef struct _krb5_sam_response { 499 krb5_magic magic; 500 krb5_int32 sam_type; /* informational */ 501 krb5_flags sam_flags; /* KRB5_SAM_* values */ 502 krb5_data sam_track_id; /* copied */ 503 krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */ 504 krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */ 505 krb5_int32 sam_nonce; 506 krb5_timestamp sam_patimestamp; 507 } krb5_sam_response; 508 509 typedef struct _krb5_sam_challenge_2 { 510 krb5_data sam_challenge_2_body; 511 krb5_checksum **sam_cksum; /* Array of checksums */ 512 } krb5_sam_challenge_2; 513 514 typedef struct _krb5_sam_challenge_2_body { 515 krb5_magic magic; 516 krb5_int32 sam_type; /* information */ 517 krb5_flags sam_flags; /* KRB5_SAM_* values */ 518 krb5_data sam_type_name; 519 krb5_data sam_track_id; 520 krb5_data sam_challenge_label; 521 krb5_data sam_challenge; 522 krb5_data sam_response_prompt; 523 krb5_data sam_pk_for_sad; 524 krb5_int32 sam_nonce; 525 krb5_enctype sam_etype; 526 } krb5_sam_challenge_2_body; 527 528 typedef struct _krb5_sam_response_2 { 529 krb5_magic magic; 530 krb5_int32 sam_type; /* informational */ 531 krb5_flags sam_flags; /* KRB5_SAM_* values */ 532 krb5_data sam_track_id; /* copied */ 533 krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */ 534 krb5_int32 sam_nonce; 535 } krb5_sam_response_2; 536 537 typedef struct _krb5_enc_sam_response_enc_2 { 538 krb5_magic magic; 539 krb5_int32 sam_nonce; 540 krb5_data sam_sad; 541 } krb5_enc_sam_response_enc_2; 542 543 /* 544 * Keep the pkinit definitions in a separate file so that the plugin 545 * only has to include k5-int-pkinit.h rather than k5-int.h 546 */ 547 548 #include "k5-int-pkinit.h" 549 550 /* 551 * Begin "dbm.h" 552 */ 553 #ifndef _KERNEL 554 555 /* 556 * Since we are always using db, use the db-ndbm include header file. 557 */ 558 559 #include "db-ndbm.h" 560 561 #endif /* !KERNEL */ 562 /* 563 * End "dbm.h" 564 */ 565 566 /* 567 * Begin "ext-proto.h" 568 */ 569 #ifndef KRB5_EXT_PROTO__ 570 #define KRB5_EXT_PROTO__ 571 572 #ifndef _KERNEL 573 #include <stdlib.h> 574 #include <string.h> 575 #endif /* !_KERNEL */ 576 577 #ifndef HAVE_STRDUP 578 extern char *strdup (const char *); 579 #endif 580 581 #ifndef _KERNEL 582 #ifdef HAVE_UNISTD_H 583 #include <unistd.h> 584 #endif 585 #endif /* !_KERNEL */ 586 587 #endif /* KRB5_EXT_PROTO__ */ 588 /* 589 * End "ext-proto.h" 590 */ 591 592 /* 593 * Begin "sysincl.h" 594 */ 595 #ifndef KRB5_SYSINCL__ 596 #define KRB5_SYSINCL__ 597 598 #ifndef KRB5_SYSTYPES__ 599 #define KRB5_SYSTYPES__ 600 /* needed for much of the rest -- but already handled in krb5.h? */ 601 /* #include <sys/types.h> */ 602 #endif /* KRB5_SYSTYPES__ */ 603 604 #ifdef _KERNEL 605 #include <sys/time.h> 606 #else 607 #ifdef HAVE_SYS_TIME_H 608 #include <sys/time.h> 609 #ifdef TIME_WITH_SYS_TIME 610 #include <time.h> 611 #endif 612 #else 613 #include <time.h> 614 #endif 615 #endif /* _KERNEL */ 616 617 #ifdef HAVE_SYS_STAT_H 618 #include <sys/stat.h> /* struct stat, stat() */ 619 #endif 620 621 #ifdef HAVE_SYS_PARAM_H 622 #include <sys/param.h> /* MAXPATHLEN */ 623 #endif 624 625 #ifdef HAVE_SYS_FILE_H 626 #include <sys/file.h> /* prototypes for file-related 627 syscalls; flags for open & 628 friends */ 629 #endif 630 631 #ifdef _KERNEL 632 #include <sys/fcntl.h> 633 #else 634 #include <fcntl.h> 635 #endif 636 637 #endif /* KRB5_SYSINCL__ */ 638 /* 639 * End "sysincl.h" 640 */ 641 642 /* 643 * Begin "los-proto.h" 644 */ 645 #ifndef KRB5_LIBOS_PROTO__ 646 #define KRB5_LIBOS_PROTO__ 647 #endif 648 649 #ifndef _KERNEL 650 #include <stdio.h> 651 652 struct addrlist; 653 struct sendto_callback_info; 654 #endif 655 656 /* libos.spec */ 657 krb5_error_code krb5_lock_file (krb5_context, int, int); 658 krb5_error_code krb5_unlock_file (krb5_context, int); 659 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *, 660 const krb5_data *, krb5_data *, int *, int); 661 662 663 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** ); 664 krb5_error_code krb5_free_krbhst (krb5_context, char * const * ); 665 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname); 666 667 int krb5_net_read (krb5_context, int , char *, int); 668 669 int krb5_net_write 670 (krb5_context, int , const char *, int); 671 672 673 krb5_error_code krb5_gen_replay_name 674 (krb5_context, const krb5_address *, const char *, char **); 675 676 677 #ifndef _KERNEL 678 679 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp); 680 681 krb5_error_code 682 krb5_open_pkcs11_session(CK_SESSION_HANDLE *); 683 684 685 krb5_error_code krb5_read_message 686 (krb5_context, krb5_pointer, krb5_data *); 687 688 krb5_error_code krb5_write_message 689 (krb5_context, krb5_pointer, krb5_data *); 690 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message, 691 const struct addrlist *addrs, struct sendto_callback_info* callback_info, 692 krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen, 693 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used, 694 int (*msg_handler)(krb5_context, const krb5_data *, void *), 695 void *msg_handler_data); 696 697 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t); 698 699 krb5_error_code krb5_set_debugging_time 700 (krb5_context, krb5_timestamp, krb5_int32); 701 krb5_error_code krb5_use_natural_time 702 (krb5_context); 703 krb5_error_code krb5_set_time_offsets 704 (krb5_context, krb5_timestamp, krb5_int32); 705 krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp); 706 #endif 707 708 /* 709 * Solaris Kerberos 710 * The following two functions are needed for better realm 711 * determination based on the DNS domain name. 712 */ 713 krb5_error_code krb5int_lookup_host(int , const char *, char **); 714 715 krb5_error_code krb5int_domain_get_realm(krb5_context, const char *, 716 char **); 717 krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *, 718 char **); 719 720 krb5_error_code krb5int_init_context_kdc(krb5_context *); 721 722 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean); 723 724 void krb5_os_free_context (krb5_context); 725 726 /* This function is needed by KfM's KerberosPreferences API 727 * because it needs to be able to specify "secure" */ 728 #ifndef _KERNEL 729 krb5_error_code os_get_default_config_files 730 (profile_filespec_t **pfiles, krb5_boolean secure); 731 #endif 732 733 krb5_error_code krb5_os_hostaddr 734 (krb5_context, const char *, krb5_address ***); 735 736 #ifndef _KERNEL 737 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're 738 going to use this structure. */ 739 struct addrlist { 740 struct { 741 #ifdef FAI_DEFINED 742 struct addrinfo *ai; 743 #else 744 struct undefined_addrinfo *ai; 745 #endif 746 void (*freefn)(void *); 747 void *data; 748 } *addrs; 749 int naddrs; 750 int space; 751 }; 752 #define ADDRLIST_INIT { 0, 0, 0 } 753 extern void krb5int_free_addrlist (struct addrlist *); 754 extern int krb5int_grow_addrlist (struct addrlist *, int); 755 extern int krb5int_add_host_to_list (struct addrlist *, const char *, 756 int, int, int, int); 757 758 #include <locate_plugin.h> 759 krb5_error_code 760 krb5int_locate_server (krb5_context, const krb5_data *realm, 761 struct addrlist *, enum locate_service_type svc, 762 int sockettype, int family); 763 764 #endif /* _KERNEL */ 765 766 /* new encryption provider api */ 767 768 struct krb5_enc_provider { 769 /* keybytes is the input size to make_key; 770 keylength is the output size */ 771 size_t block_size, keybytes, keylength; 772 773 /* cipher-state == 0 fresh state thrown away at end */ 774 krb5_error_code (*encrypt) ( 775 krb5_context context, 776 krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec, 777 krb5_const krb5_data *input, krb5_data *output); 778 779 krb5_error_code (*decrypt) ( 780 krb5_context context, 781 krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec, 782 krb5_const krb5_data *input, krb5_data *output); 783 784 krb5_error_code (*make_key) 785 (krb5_context, krb5_const krb5_data *, krb5_keyblock *); 786 787 krb5_error_code (*init_state) (krb5_context, 788 const krb5_keyblock *, 789 krb5_keyusage, krb5_data *); 790 krb5_error_code (*free_state) (krb5_context, krb5_data *); 791 792 }; 793 794 struct krb5_hash_provider { 795 size_t hashsize, blocksize; 796 797 /* this takes multiple inputs to avoid lots of copying. */ 798 krb5_error_code (*hash) (krb5_context context, 799 unsigned int icount, krb5_const krb5_data *input, 800 krb5_data *output); 801 }; 802 803 struct krb5_keyhash_provider { 804 size_t hashsize; 805 806 krb5_error_code (*hash) ( 807 krb5_context context, 808 krb5_const krb5_keyblock *key, 809 krb5_keyusage keyusage, 810 krb5_const krb5_data *ivec, 811 krb5_const krb5_data *input, krb5_data *output); 812 813 krb5_error_code (*verify) ( 814 krb5_context context, 815 krb5_const krb5_keyblock *key, 816 krb5_keyusage keyusage, 817 krb5_const krb5_data *ivec, 818 krb5_const krb5_data *input, 819 krb5_const krb5_data *hash, 820 krb5_boolean *valid); 821 822 }; 823 824 typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc, 825 const struct krb5_hash_provider *hash, 826 size_t inputlen, size_t *length); 827 828 typedef krb5_error_code (*krb5_crypt_func) ( 829 krb5_context context, 830 krb5_const struct krb5_enc_provider *enc, 831 krb5_const struct krb5_hash_provider *hash, 832 krb5_const krb5_keyblock *key, krb5_keyusage usage, 833 krb5_const krb5_data *ivec, 834 krb5_const krb5_data *input, krb5_data *output); 835 836 #ifndef _KERNEL 837 typedef krb5_error_code (*krb5_str2key_func) ( 838 krb5_context context, 839 krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string, 840 krb5_const krb5_data *salt, krb5_const krb5_data *params, 841 krb5_keyblock *key); 842 #endif /* _KERNEL */ 843 844 typedef krb5_error_code (*krb5_prf_func)( 845 const struct krb5_enc_provider *enc, 846 const struct krb5_hash_provider *hash, 847 const krb5_keyblock *key, 848 const krb5_data *in, krb5_data *out); 849 850 struct krb5_keytypes { 851 krb5_enctype etype; 852 char *in_string; 853 char *out_string; 854 const struct krb5_enc_provider *enc; 855 const struct krb5_hash_provider *hash; 856 krb5_encrypt_length_func encrypt_len; 857 krb5_crypt_func encrypt; 858 krb5_crypt_func decrypt; 859 krb5_cksumtype required_ctype; 860 #ifndef _KERNEL 861 /* Solaris Kerberos: strings to key conversion not done in the kernel */ 862 krb5_str2key_func str2key; 863 #else /* _KERNEL */ 864 char *mt_e_name; 865 char *mt_h_name; 866 crypto_mech_type_t kef_cipher_mt; 867 crypto_mech_type_t kef_hash_mt; 868 #endif /* _KERNEL */ 869 }; 870 871 struct krb5_cksumtypes { 872 krb5_cksumtype ctype; 873 unsigned int flags; 874 char *in_string; 875 char *out_string; 876 /* if the hash is keyed, this is the etype it is keyed with. 877 Actually, it can be keyed by any etype which has the same 878 enc_provider as the specified etype. DERIVE checksums can 879 be keyed with any valid etype. */ 880 krb5_enctype keyed_etype; 881 /* I can't statically initialize a union, so I'm just going to use 882 two pointers here. The keyhash is used if non-NULL. If NULL, 883 then HMAC/hash with derived keys is used if the relevant flag 884 is set. Otherwise, a non-keyed hash is computed. This is all 885 kind of messy, but so is the krb5 api. */ 886 const struct krb5_keyhash_provider *keyhash; 887 const struct krb5_hash_provider *hash; 888 /* This just gets uglier and uglier. In the key derivation case, 889 we produce an hmac. To make the hmac code work, we can't hack 890 the output size indicated by the hash provider, but we may want 891 a truncated hmac. If we want truncation, this is the number of 892 bytes we truncate to; it should be 0 otherwise. */ 893 unsigned int trunc_size; 894 #ifdef _KERNEL 895 char *mt_c_name; 896 crypto_mech_type_t kef_cksum_mt; 897 #endif /* _KERNEL */ 898 }; 899 900 #define KRB5_CKSUMFLAG_DERIVE 0x0001 901 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002 902 903 /* 904 * in here to deal with stuff from lib/crypto 905 */ 906 907 void krb5_nfold 908 (unsigned int inbits, const unsigned char *in, 909 unsigned int outbits, unsigned char *out); 910 911 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context, 912 const krb5_data *, 913 unsigned long, 914 krb5_enctype, 915 const krb5_data *, 916 const krb5_data *); 917 918 /* Make this a function eventually? */ 919 #ifdef _WIN32 920 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len) 921 #elif defined(__palmos__) && !defined(__GNUC__) 922 /* CodeWarrior 8.3 complains about passing a pointer to volatile in to 923 memset. On the other hand, we probably want it for gcc. */ 924 # define krb5int_zap_data(ptr, len) memset(ptr, 0, len) 925 #else 926 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len) 927 # if defined(__GNUC__) && defined(__GLIBC__) 928 /* GNU libc generates multiple bogus initialization warnings if we 929 pass memset a volatile pointer. The compiler should do well enough 930 with memset even without GNU libc's attempt at optimization. */ 931 # undef memset 932 # endif 933 #endif /* WIN32 */ 934 #define zap(p,l) krb5int_zap_data(p,l) 935 936 937 krb5_error_code krb5int_des_init_state 938 ( krb5_context, 939 const krb5_keyblock *, 940 krb5_keyusage, krb5_data *); 941 942 krb5_error_code krb5int_c_mandatory_cksumtype( 943 krb5_context, 944 krb5_enctype, 945 krb5_cksumtype *); 946 947 /* 948 * normally to free a cipher_state you can just memset the length to zero and 949 * free it. 950 */ 951 krb5_error_code krb5int_default_free_state 952 (krb5_context, krb5_data *); 953 954 955 /* 956 * Combine two keys (normally used by the hardware preauth mechanism) 957 */ 958 krb5_error_code krb5int_c_combine_keys 959 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2, 960 krb5_keyblock *outkey); 961 962 963 #ifdef _KERNEL 964 965 int k5_ef_crypto( 966 const char *, char *, 967 long, krb5_keyblock *, 968 const krb5_data *, int); 969 970 krb5_error_code 971 krb5_hmac(krb5_context, const krb5_keyblock *, 972 krb5_const krb5_data *, krb5_data *); 973 974 #else 975 krb5_error_code krb5_hmac 976 (krb5_context, 977 krb5_const struct krb5_hash_provider *, 978 krb5_const krb5_keyblock *, krb5_const unsigned int, 979 krb5_const krb5_data *, krb5_data *); 980 981 #endif /* _KERNEL */ 982 983 984 /* 985 * These declarations are here, so both krb5 and k5crypto 986 * can get to them. 987 * krb5 needs to get to them so it can make them available to libgssapi. 988 */ 989 extern const struct krb5_enc_provider krb5int_enc_arcfour; 990 extern const struct krb5_hash_provider krb5int_hash_md5; 991 992 993 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */ 994 995 krb5_error_code krb5_crypto_us_timeofday 996 (krb5_int32 *, 997 krb5_int32 *); 998 999 #ifndef _KERNEL 1000 /* Solaris kerberos: for convenience */ 1001 time_t krb5int_gmt_mktime (struct tm *); 1002 #endif /* ! _KERNEL */ 1003 1004 /* #endif KRB5_OLD_CRYPTO */ 1005 1006 /* this helper fct is in libkrb5, but it makes sense declared here. */ 1007 1008 krb5_error_code krb5_encrypt_helper 1009 (krb5_context context, const krb5_keyblock *key, 1010 krb5_keyusage keyusage, const krb5_data *plain, 1011 krb5_enc_data *cipher); 1012 1013 /* 1014 * End "los-proto.h" 1015 */ 1016 1017 /* 1018 * Begin "libos.h" 1019 */ 1020 #ifndef KRB5_LIBOS__ 1021 #define KRB5_LIBOS__ 1022 1023 typedef struct _krb5_os_context { 1024 krb5_magic magic; 1025 krb5_int32 time_offset; 1026 krb5_int32 usec_offset; 1027 krb5_int32 os_flags; 1028 char * default_ccname; 1029 } *krb5_os_context; 1030 1031 /* 1032 * Flags for the os_flags field 1033 * 1034 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid. 1035 * The intention is that this facility to correct the system clocks so 1036 * that they reflect the "real" time, for systems where for some 1037 * reason we can't set the system clock. Instead we calculate the 1038 * offset between the system time and real time, and store the offset 1039 * in the os context so that we can correct the system clock as necessary. 1040 * 1041 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be 1042 * returned as the time by the krb5 time routines. This should only 1043 * be used for testing purposes (obviously!) 1044 */ 1045 #define KRB5_OS_TOFFSET_VALID 1 1046 #define KRB5_OS_TOFFSET_TIME 2 1047 1048 /* lock mode flags */ 1049 #define KRB5_LOCKMODE_SHARED 0x0001 1050 #define KRB5_LOCKMODE_EXCLUSIVE 0x0002 1051 #define KRB5_LOCKMODE_DONTBLOCK 0x0004 1052 #define KRB5_LOCKMODE_UNLOCK 0x0008 1053 1054 #endif /* KRB5_LIBOS__ */ 1055 /* 1056 * End "libos.h" 1057 */ 1058 1059 /* 1060 * Define our view of the size of a DES key. 1061 */ 1062 #define KRB5_MIT_DES_KEYSIZE 8 1063 /* 1064 * Define a couple of SHA1 constants 1065 */ 1066 #define SHS_DATASIZE 64 1067 #define SHS_DIGESTSIZE 20 1068 1069 /* 1070 * Check if des_int.h has been included before us. If so, then check to see 1071 * that our view of the DES key size is the same as des_int.h's. 1072 */ 1073 #ifdef MIT_DES_KEYSIZE 1074 #if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE 1075 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE) 1076 #endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */ 1077 #endif /* MIT_DES_KEYSIZE */ 1078 1079 #ifndef _KERNEL 1080 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are 1081 * defined. 1082 */ 1083 #define PROVIDE_DES3_CBC_SHA 1 1084 #define PROVIDE_NIST_SHA 1 1085 1086 #endif /* !_KERNEL */ 1087 1088 /* 1089 * Begin "preauth.h" 1090 * 1091 * (Originally written by Glen Machin at Sandia Labs.) 1092 */ 1093 /* 1094 * Sandia National Laboratories also makes no representations about the 1095 * suitability of the modifications, or additions to this software for 1096 * any purpose. It is provided "as is" without express or implied warranty. 1097 * 1098 */ 1099 #ifndef KRB5_PREAUTH__ 1100 #define KRB5_PREAUTH__ 1101 1102 #include <preauth_plugin.h> 1103 1104 #define CLIENT_ROCK_MAGIC 0x4352434b 1105 /* This structure is passed into the client preauth functions and passed 1106 * back to the "get_data_proc" function so that it can locate the 1107 * requested information. It is opaque to the plugin code and can be 1108 * expanded in the future as new types of requests are defined which 1109 * may require other things to be passed through. */ 1110 typedef struct _krb5_preauth_client_rock { 1111 krb5_magic magic; 1112 krb5_kdc_rep *as_reply; 1113 } krb5_preauth_client_rock; 1114 1115 /* This structure lets us keep track of all of the modules which are loaded, 1116 * turning the list of modules and their lists of implemented preauth types 1117 * into a single list which we can walk easily. */ 1118 typedef struct _krb5_preauth_context { 1119 int n_modules; 1120 struct _krb5_preauth_context_module { 1121 /* Which of the possibly more than one preauth types which the 1122 * module supports we're using at this point in the list. */ 1123 krb5_preauthtype pa_type; 1124 /* Encryption types which the client claims to support -- we 1125 * copy them directly into the krb5_kdc_req structure during 1126 * krb5_preauth_prepare_request(). */ 1127 krb5_enctype *enctypes; 1128 /* The plugin's per-plugin context and a function to clear it. */ 1129 void *plugin_context; 1130 preauth_client_plugin_fini_proc client_fini; 1131 /* The module's table, and some of its members, copied here for 1132 * convenience when we populated the list. */ 1133 struct krb5plugin_preauth_client_ftable_v1 *ftable; 1134 const char *name; 1135 int flags, use_count; 1136 preauth_client_process_proc client_process; 1137 preauth_client_tryagain_proc client_tryagain; 1138 preauth_client_supply_gic_opts_proc client_supply_gic_opts; 1139 preauth_client_request_init_proc client_req_init; 1140 preauth_client_request_fini_proc client_req_fini; 1141 /* The per-request context which the client_req_init() function 1142 * might allocate, which we'll need to clean up later by 1143 * calling the client_req_fini() function. */ 1144 void *request_context; 1145 /* A pointer to the request_context pointer. All modules within 1146 * a plugin will point at the request_context of the first 1147 * module within the plugin. */ 1148 void **request_context_pp; 1149 } *modules; 1150 } krb5_preauth_context; 1151 1152 typedef struct _krb5_pa_enc_ts { 1153 krb5_timestamp patimestamp; 1154 krb5_int32 pausec; 1155 } krb5_pa_enc_ts; 1156 1157 typedef struct _krb5_pa_for_user { 1158 krb5_principal user; 1159 krb5_checksum cksum; 1160 krb5_data auth_package; 1161 } krb5_pa_for_user; 1162 1163 enum { 1164 KRB5_FAST_ARMOR_AP_REQUEST = 0x1 1165 }; 1166 1167 typedef struct _krb5_fast_armor { 1168 krb5_int32 armor_type; 1169 krb5_data armor_value; 1170 } krb5_fast_armor; 1171 typedef struct _krb5_fast_armored_req { 1172 krb5_magic magic; 1173 krb5_fast_armor *armor; 1174 krb5_checksum req_checksum; 1175 krb5_enc_data enc_part; 1176 } krb5_fast_armored_req; 1177 1178 typedef struct _krb5_fast_req { 1179 krb5_magic magic; 1180 krb5_flags fast_options; 1181 /* padata from req_body is used*/ 1182 krb5_kdc_req *req_body; 1183 } krb5_fast_req; 1184 1185 1186 /* Bits 0-15 are critical in fast options.*/ 1187 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff 1188 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01 1189 1190 typedef struct _krb5_fast_finished { 1191 krb5_timestamp timestamp; 1192 krb5_int32 usec; 1193 krb5_principal client; 1194 krb5_checksum ticket_checksum; 1195 } krb5_fast_finished; 1196 1197 typedef struct _krb5_fast_response { 1198 krb5_magic magic; 1199 krb5_pa_data **padata; 1200 krb5_keyblock *strengthen_key; 1201 krb5_fast_finished *finished; 1202 krb5_int32 nonce; 1203 } krb5_fast_response; 1204 1205 typedef krb5_error_code (*krb5_preauth_obtain_proc) 1206 (krb5_context, 1207 krb5_pa_data *, 1208 krb5_etype_info, 1209 krb5_keyblock *, 1210 krb5_error_code ( * )(krb5_context, 1211 const krb5_enctype, 1212 krb5_data *, 1213 krb5_const_pointer, 1214 krb5_keyblock **), 1215 krb5_const_pointer, 1216 krb5_creds *, 1217 krb5_kdc_req *, 1218 krb5_pa_data **); 1219 1220 typedef krb5_error_code (*krb5_preauth_process_proc) 1221 (krb5_context, 1222 krb5_pa_data *, 1223 krb5_kdc_req *, 1224 krb5_kdc_rep *, 1225 krb5_error_code ( * )(krb5_context, 1226 const krb5_enctype, 1227 krb5_data *, 1228 krb5_const_pointer, 1229 krb5_keyblock **), 1230 krb5_const_pointer, 1231 krb5_error_code ( * )(krb5_context, 1232 const krb5_keyblock *, 1233 krb5_const_pointer, 1234 krb5_kdc_rep * ), 1235 krb5_keyblock **, 1236 krb5_creds *, 1237 krb5_int32 *, 1238 krb5_int32 *); 1239 1240 typedef struct _krb5_preauth_ops { 1241 krb5_magic magic; 1242 int type; 1243 int flags; 1244 krb5_preauth_obtain_proc obtain; 1245 krb5_preauth_process_proc process; 1246 } krb5_preauth_ops; 1247 1248 1249 krb5_error_code krb5_obtain_padata 1250 (krb5_context, 1251 krb5_pa_data **, 1252 krb5_error_code ( * )(krb5_context, 1253 const krb5_enctype, 1254 krb5_data *, 1255 krb5_const_pointer, 1256 krb5_keyblock **), 1257 krb5_const_pointer, 1258 krb5_creds *, 1259 krb5_kdc_req *); 1260 1261 krb5_error_code krb5_process_padata 1262 (krb5_context, 1263 krb5_kdc_req *, 1264 krb5_kdc_rep *, 1265 krb5_error_code ( * )(krb5_context, 1266 const krb5_enctype, 1267 krb5_data *, 1268 krb5_const_pointer, 1269 krb5_keyblock **), 1270 krb5_const_pointer, 1271 krb5_error_code ( * )(krb5_context, 1272 const krb5_keyblock *, 1273 krb5_const_pointer, 1274 krb5_kdc_rep * ), 1275 krb5_keyblock **, 1276 krb5_creds *, 1277 krb5_int32 *); 1278 1279 void krb5_free_etype_info (krb5_context, krb5_etype_info); 1280 1281 /* 1282 * Preauthentication property flags 1283 */ 1284 #define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001 1285 #define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002 1286 1287 #endif /* KRB5_PREAUTH__ */ 1288 /* 1289 * End "preauth.h" 1290 */ 1291 1292 /* 1293 * Extending the krb5_get_init_creds_opt structure. The original 1294 * krb5_get_init_creds_opt structure is defined publicly. The 1295 * new extended version is private. The original interface 1296 * assumed a pre-allocated structure which was passed to 1297 * krb5_get_init_creds_init(). The new interface assumes that 1298 * the caller will call krb5_get_init_creds_alloc() and 1299 * krb5_get_init_creds_free(). 1300 * 1301 * Callers MUST NOT call krb5_get_init_creds_init() after allocating an 1302 * opts structure using krb5_get_init_creds_alloc(). To do so will 1303 * introduce memory leaks. Unfortunately, there is no way to enforce 1304 * this behavior. 1305 * 1306 * Two private flags are added for backward compatibility. 1307 * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated 1308 * with the new krb5_get_init_creds_opt_alloc() function. 1309 * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended 1310 * structure is a shadow copy of an original krb5_get_init_creds_opt 1311 * structure. 1312 * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to 1313 * krb5int_gic_opt_to_opte(), the resulting extended structure should be 1314 * freed (using krb5_get_init_creds_free). Otherwise, the original 1315 * structure was already extended and there is no need to free it. 1316 */ 1317 1318 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000 1319 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000 1320 1321 #define krb5_gic_opt_is_extended(s) \ 1322 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0) 1323 #define krb5_gic_opt_is_shadowed(s) \ 1324 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0) 1325 1326 1327 typedef struct _krb5_gic_opt_private { 1328 int num_preauth_data; 1329 krb5_gic_opt_pa_data *preauth_data; 1330 } krb5_gic_opt_private; 1331 1332 typedef struct _krb5_gic_opt_ext { 1333 krb5_flags flags; 1334 krb5_deltat tkt_life; 1335 krb5_deltat renew_life; 1336 int forwardable; 1337 int proxiable; 1338 krb5_enctype *etype_list; 1339 int etype_list_length; 1340 krb5_address **address_list; 1341 krb5_preauthtype *preauth_list; 1342 int preauth_list_length; 1343 krb5_data *salt; 1344 /* 1345 * Do not change anything above this point in this structure. 1346 * It is identical to the public krb5_get_init_creds_opt structure. 1347 * New members must be added below. 1348 */ 1349 krb5_gic_opt_private *opt_private; 1350 } krb5_gic_opt_ext; 1351 1352 krb5_error_code 1353 krb5int_gic_opt_to_opte(krb5_context context, 1354 krb5_get_init_creds_opt *opt, 1355 krb5_gic_opt_ext **opte, 1356 unsigned int force, 1357 const char *where); 1358 1359 krb5_error_code 1360 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *); 1361 1362 #ifndef _KERNEL /* needed for lib/krb5/krb/ */ 1363 typedef krb5_error_code (*krb5_gic_get_as_key_fct) 1364 (krb5_context, 1365 krb5_principal, 1366 krb5_enctype, 1367 krb5_prompter_fct, 1368 void *prompter_data, 1369 krb5_data *salt, 1370 krb5_data *s2kparams, 1371 krb5_keyblock *as_key, 1372 void *gak_data); 1373 1374 krb5_error_code KRB5_CALLCONV 1375 krb5_get_init_creds 1376 (krb5_context context, 1377 krb5_creds *creds, 1378 krb5_principal client, 1379 krb5_prompter_fct prompter, 1380 void *prompter_data, 1381 krb5_deltat start_time, 1382 char *in_tkt_service, 1383 krb5_gic_opt_ext *gic_options, 1384 krb5_gic_get_as_key_fct gak, 1385 void *gak_data, 1386 int *master, 1387 krb5_kdc_rep **as_reply); 1388 1389 krb5_error_code krb5int_populate_gic_opt ( 1390 krb5_context, krb5_gic_opt_ext **, 1391 krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes, 1392 krb5_preauthtype *pre_auth_types, krb5_creds *creds); 1393 1394 1395 krb5_error_code KRB5_CALLCONV krb5_do_preauth 1396 (krb5_context context, 1397 krb5_kdc_req *request, 1398 krb5_data *encoded_request_body, 1399 krb5_data *encoded_previous_request, 1400 krb5_pa_data **in_padata, krb5_pa_data ***out_padata, 1401 krb5_data *salt, krb5_data *s2kparams, 1402 krb5_enctype *etype, krb5_keyblock *as_key, 1403 krb5_prompter_fct prompter, void *prompter_data, 1404 krb5_gic_get_as_key_fct gak_fct, void *gak_data, 1405 krb5_preauth_client_rock *get_data_rock, 1406 krb5_gic_opt_ext *opte); 1407 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain 1408 (krb5_context context, 1409 krb5_kdc_req *request, 1410 krb5_data *encoded_request_body, 1411 krb5_data *encoded_previous_request, 1412 krb5_pa_data **in_padata, krb5_pa_data ***out_padata, 1413 krb5_error *err_reply, 1414 krb5_data *salt, krb5_data *s2kparams, 1415 krb5_enctype *etype, krb5_keyblock *as_key, 1416 krb5_prompter_fct prompter, void *prompter_data, 1417 krb5_gic_get_as_key_fct gak_fct, void *gak_data, 1418 krb5_preauth_client_rock *get_data_rock, 1419 krb5_gic_opt_ext *opte); 1420 void KRB5_CALLCONV krb5_init_preauth_context 1421 (krb5_context); 1422 void KRB5_CALLCONV krb5_free_preauth_context 1423 (krb5_context); 1424 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts 1425 (krb5_context); 1426 void KRB5_CALLCONV krb5_preauth_prepare_request 1427 (krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *); 1428 void KRB5_CALLCONV krb5_preauth_request_context_init 1429 (krb5_context); 1430 void KRB5_CALLCONV krb5_preauth_request_context_fini 1431 (krb5_context); 1432 1433 #endif /* _KERNEL */ 1434 void KRB5_CALLCONV krb5_free_sam_challenge 1435 (krb5_context, krb5_sam_challenge * ); 1436 void KRB5_CALLCONV krb5_free_sam_challenge_2 1437 (krb5_context, krb5_sam_challenge_2 * ); 1438 void KRB5_CALLCONV krb5_free_sam_challenge_2_body 1439 (krb5_context, krb5_sam_challenge_2_body *); 1440 void KRB5_CALLCONV krb5_free_sam_response 1441 (krb5_context, krb5_sam_response * ); 1442 void KRB5_CALLCONV krb5_free_sam_response_2 1443 (krb5_context, krb5_sam_response_2 * ); 1444 void KRB5_CALLCONV krb5_free_predicted_sam_response 1445 (krb5_context, krb5_predicted_sam_response * ); 1446 void KRB5_CALLCONV krb5_free_enc_sam_response_enc 1447 (krb5_context, krb5_enc_sam_response_enc * ); 1448 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2 1449 (krb5_context, krb5_enc_sam_response_enc_2 * ); 1450 void KRB5_CALLCONV krb5_free_sam_challenge_contents 1451 (krb5_context, krb5_sam_challenge * ); 1452 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents 1453 (krb5_context, krb5_sam_challenge_2 * ); 1454 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents 1455 (krb5_context, krb5_sam_challenge_2_body * ); 1456 void KRB5_CALLCONV krb5_free_sam_response_contents 1457 (krb5_context, krb5_sam_response * ); 1458 void KRB5_CALLCONV krb5_free_sam_response_2_contents 1459 (krb5_context, krb5_sam_response_2 *); 1460 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents 1461 (krb5_context, krb5_predicted_sam_response * ); 1462 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents 1463 (krb5_context, krb5_enc_sam_response_enc * ); 1464 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents 1465 (krb5_context, krb5_enc_sam_response_enc_2 * ); 1466 1467 void KRB5_CALLCONV krb5_free_pa_enc_ts 1468 (krb5_context, krb5_pa_enc_ts *); 1469 1470 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */ 1471 #ifndef _KERNEL 1472 #include "com_err.h" 1473 #include <krb5/k5-plugin.h> 1474 #endif /* _KERNEL */ 1475 1476 /* 1477 * Solaris Kerberos: moved from sendto_kdc.c so other code can reference 1478 */ 1479 #define DEFAULT_UDP_PREF_LIMIT 1465 1480 1481 #ifndef _KERNEL 1482 #include "profile.h" 1483 #include <strings.h> 1484 #endif /* _KERNEL */ 1485 1486 #define KEY_CHANGED(k1, k2) \ 1487 (k1 == NULL || \ 1488 k1 != k2 || \ 1489 k1->enctype != k2->enctype || \ 1490 k1->length != k2->length || \ 1491 bcmp(k1->contents, k2->contents, k1->length)) 1492 1493 #ifndef _KERNEL 1494 typedef struct _arcfour_ctx { 1495 CK_SESSION_HANDLE eSession; /* encrypt session handle */ 1496 CK_SESSION_HANDLE dSession; /* decrypt session handle */ 1497 CK_OBJECT_HANDLE eKey; /* encrypt key object */ 1498 CK_OBJECT_HANDLE dKey; /* decrype key object */ 1499 uchar_t initialized; 1500 }arcfour_ctx_rec; 1501 1502 #endif /* !_KERNEL */ 1503 1504 struct _krb5_context { 1505 krb5_magic magic; 1506 krb5_enctype *in_tkt_ktypes; 1507 unsigned int in_tkt_ktype_count; 1508 krb5_enctype *tgs_ktypes; 1509 unsigned int tgs_ktype_count; 1510 /* This used to be a void*, but since we always allocate them 1511 together (though in different source files), and the types 1512 are declared in the same header, might as well just combine 1513 them. 1514 1515 The array[1] is so the existing code treating the field as 1516 a pointer will still work. For cleanliness, it should 1517 eventually get changed to a single element instead of an 1518 array. */ 1519 struct _krb5_os_context os_context[1]; 1520 char *default_realm; 1521 int ser_ctx_count; 1522 krb5_boolean profile_secure; 1523 void *ser_ctx; 1524 #ifndef _KERNEL 1525 profile_t profile; 1526 void *db_context; 1527 void *kdblog_context; 1528 /* allowable clock skew */ 1529 krb5_deltat clockskew; 1530 krb5_cksumtype kdc_req_sumtype; 1531 krb5_cksumtype default_ap_req_sumtype; 1532 krb5_cksumtype default_safe_sumtype; 1533 krb5_flags kdc_default_options; 1534 krb5_flags library_options; 1535 int fcc_default_format; 1536 int scc_default_format; 1537 krb5_prompt_type *prompt_types; 1538 /* Message size above which we'll try TCP first in send-to-kdc 1539 type code. Aside from the 2**16 size limit, we put no 1540 absolute limit on the UDP packet size. */ 1541 int udp_pref_limit; 1542 1543 /* This is the tgs_ktypes list as read from the profile, or 1544 set to compiled-in defaults. The application code cannot 1545 override it. This is used for session keys for 1546 intermediate ticket-granting tickets used to acquire the 1547 requested ticket (the session key of which may be 1548 constrained by tgs_ktypes above). */ 1549 krb5_enctype *conf_tgs_ktypes; 1550 int conf_tgs_ktypes_count; 1551 1552 /* Use the _configured version? */ 1553 krb5_boolean use_conf_ktypes; 1554 1555 #ifdef KRB5_DNS_LOOKUP 1556 krb5_boolean profile_in_memory; 1557 #endif /* KRB5_DNS_LOOKUP */ 1558 1559 /* locate_kdc module stuff */ 1560 struct plugin_dir_handle libkrb5_plugins; 1561 struct krb5plugin_service_locate_ftable *vtbl; 1562 void (**locate_fptrs)(void); 1563 1564 pid_t pid; /* fork safety: PID of process that did last PKCS11 init */ 1565 1566 /* Solaris Kerberos: handles for PKCS#11 crypto */ 1567 /* 1568 * Warning, do not access hSession directly as this is not fork() safe. 1569 * Instead use the krb_ctx_hSession() macro below. 1570 */ 1571 CK_SESSION_HANDLE hSession; 1572 int cryptoki_initialized; 1573 1574 /* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */ 1575 arcfour_ctx_rec arcfour_ctx; 1576 1577 /* preauth module stuff */ 1578 struct plugin_dir_handle preauth_plugins; 1579 krb5_preauth_context *preauth_context; 1580 1581 /* error detail info */ 1582 struct errinfo err; 1583 #else /* ! KERNEL */ 1584 crypto_mech_type_t kef_cipher_mt; 1585 crypto_mech_type_t kef_hash_mt; 1586 crypto_mech_type_t kef_cksum_mt; 1587 #endif /* ! KERNEL */ 1588 }; 1589 1590 #ifndef _KERNEL 1591 extern pid_t __krb5_current_pid; 1592 1593 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context); 1594 1595 /* 1596 * fork safety: barring the ef_init code, every other function must use the 1597 * krb_ctx_hSession() macro to access the hSession field in a krb context. 1598 * Note, if the pid of the krb ctx == the current global pid then it is safe to 1599 * use the ctx hSession otherwise it needs to be re-inited before it is returned 1600 * to the caller. 1601 */ 1602 #define krb_ctx_hSession(ctx) \ 1603 ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx)) 1604 #endif 1605 1606 #define MD5_CKSUM_LENGTH 16 1607 #define RSA_MD5_CKSUM_LENGTH 16 1608 #define MD5_BLOCKSIZE 64 1609 1610 1611 /* 1612 * Solaris Kerberos: 1613 * This next section of prototypes and constants 1614 * are all unique to the Solaris Kerberos implementation. 1615 * Because Solaris uses the native encryption framework 1616 * to provide crypto support, the following routines 1617 * are needed to support this system. 1618 */ 1619 1620 /* 1621 * Begin Solaris Crypto Prototypes 1622 */ 1623 1624 /* 1625 * define constants that are used for creating the constant 1626 * which is used to make derived keys. 1627 */ 1628 #define DK_ENCR_KEY_BYTE 0xAA 1629 #define DK_HASH_KEY_BYTE 0x55 1630 #define DK_CKSUM_KEY_BYTE 0x99 1631 1632 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *, 1633 krb5_keyblock *, krb5_keyusage, 1634 krb5_keyblock **, krb5_keyblock **); 1635 1636 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t, 1637 krb5_keyblock *); 1638 1639 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *); 1640 krb5_keyblock *krb5_create_derived_keyblock(int); 1641 1642 #ifdef _KERNEL 1643 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *); 1644 1645 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *, 1646 const krb5_data *, krb5_data *); 1647 1648 void make_kef_key(krb5_keyblock *); 1649 int init_key_kef(crypto_mech_type_t, krb5_keyblock *); 1650 int update_key_template(krb5_keyblock *); 1651 void setup_kef_keytypes(); 1652 void setup_kef_cksumtypes(); 1653 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *); 1654 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *); 1655 1656 #else 1657 /* 1658 * This structure is used to map Kerberos supported OID's, 1659 * to PKCS11 mechanisms 1660 */ 1661 #define USE_ENCR 0x01 1662 #define USE_HASH 0x02 1663 1664 typedef struct krb5_mech_2_pkcs { 1665 uchar_t flags; 1666 CK_MECHANISM_TYPE enc_algo; 1667 CK_MECHANISM_TYPE hash_algo; 1668 CK_MECHANISM_TYPE str2key_algo; 1669 } KRB5_MECH_TO_PKCS; 1670 1671 #define ENC_DEFINED(x) (((x).flags & USE_ENCR)) 1672 #define HASH_DEFINED(x) (((x).flags & USE_HASH)) 1673 1674 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos); 1675 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType); 1676 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid); 1677 1678 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *); 1679 1680 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *, 1681 unsigned int, const krb5_data *, krb5_data *); 1682 1683 krb5_error_code k5_ef_mac(krb5_context context, 1684 krb5_keyblock *key, krb5_data *ivec, 1685 krb5_const krb5_data *input, krb5_data *output); 1686 1687 #endif /* !_KERNEL */ 1688 1689 krb5_error_code 1690 derive_3des_keys(krb5_context, struct krb5_enc_provider *, 1691 krb5_keyblock *, krb5_keyusage, 1692 krb5_keyblock *, krb5_keyblock *); 1693 1694 /* 1695 * End Solaris Crypto Prototypes 1696 */ 1697 1698 #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001 1699 1700 /* internal message representations */ 1701 1702 typedef struct _krb5_safe { 1703 krb5_magic magic; 1704 krb5_data user_data; /* user data */ 1705 krb5_timestamp timestamp; /* client time, optional */ 1706 krb5_int32 usec; /* microsecond portion of time, 1707 optional */ 1708 krb5_ui_4 seq_number; /* sequence #, optional */ 1709 krb5_address *s_address; /* sender address */ 1710 krb5_address *r_address; /* recipient address, optional */ 1711 krb5_checksum *checksum; /* data integrity checksum */ 1712 } krb5_safe; 1713 1714 typedef struct _krb5_priv { 1715 krb5_magic magic; 1716 krb5_enc_data enc_part; /* encrypted part */ 1717 } krb5_priv; 1718 1719 typedef struct _krb5_priv_enc_part { 1720 krb5_magic magic; 1721 krb5_data user_data; /* user data */ 1722 krb5_timestamp timestamp; /* client time, optional */ 1723 krb5_int32 usec; /* microsecond portion of time, opt. */ 1724 krb5_ui_4 seq_number; /* sequence #, optional */ 1725 krb5_address *s_address; /* sender address */ 1726 krb5_address *r_address; /* recipient address, optional */ 1727 } krb5_priv_enc_part; 1728 1729 void KRB5_CALLCONV krb5_free_safe 1730 (krb5_context, krb5_safe * ); 1731 void KRB5_CALLCONV krb5_free_priv 1732 (krb5_context, krb5_priv * ); 1733 void KRB5_CALLCONV krb5_free_priv_enc_part 1734 (krb5_context, krb5_priv_enc_part * ); 1735 1736 /* 1737 * Begin "asn1.h" 1738 */ 1739 #ifndef KRB5_ASN1__ 1740 #define KRB5_ASN1__ 1741 1742 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */ 1743 /* here we use some knowledge of ASN.1 encodings */ 1744 /* 1745 Ticket is APPLICATION 1. 1746 Authenticator is APPLICATION 2. 1747 AS_REQ is APPLICATION 10. 1748 AS_REP is APPLICATION 11. 1749 TGS_REQ is APPLICATION 12. 1750 TGS_REP is APPLICATION 13. 1751 AP_REQ is APPLICATION 14. 1752 AP_REP is APPLICATION 15. 1753 KRB_SAFE is APPLICATION 20. 1754 KRB_PRIV is APPLICATION 21. 1755 KRB_CRED is APPLICATION 22. 1756 EncASRepPart is APPLICATION 25. 1757 EncTGSRepPart is APPLICATION 26. 1758 EncAPRepPart is APPLICATION 27. 1759 EncKrbPrivPart is APPLICATION 28. 1760 EncKrbCredPart is APPLICATION 29. 1761 KRB_ERROR is APPLICATION 30. 1762 */ 1763 /* allow either constructed or primitive encoding, so check for bit 6 1764 set or reset */ 1765 #define krb5_is_krb_ticket(dat)\ 1766 ((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\ 1767 (dat)->data[0] == 0x41)) 1768 #define krb5_is_krb_authenticator(dat)\ 1769 ((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\ 1770 (dat)->data[0] == 0x42)) 1771 #define krb5_is_as_req(dat)\ 1772 ((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\ 1773 (dat)->data[0] == 0x4a)) 1774 #define krb5_is_as_rep(dat)\ 1775 ((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\ 1776 (dat)->data[0] == 0x4b)) 1777 #define krb5_is_tgs_req(dat)\ 1778 ((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\ 1779 (dat)->data[0] == 0x4c)) 1780 #define krb5_is_tgs_rep(dat)\ 1781 ((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\ 1782 (dat)->data[0] == 0x4d)) 1783 #define krb5_is_ap_req(dat)\ 1784 ((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\ 1785 (dat)->data[0] == 0x4e)) 1786 #define krb5_is_ap_rep(dat)\ 1787 ((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\ 1788 (dat)->data[0] == 0x4f)) 1789 #define krb5_is_krb_safe(dat)\ 1790 ((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\ 1791 (dat)->data[0] == 0x54)) 1792 #define krb5_is_krb_priv(dat)\ 1793 ((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\ 1794 (dat)->data[0] == 0x55)) 1795 #define krb5_is_krb_cred(dat)\ 1796 ((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\ 1797 (dat)->data[0] == 0x56)) 1798 #define krb5_is_krb_enc_as_rep_part(dat)\ 1799 ((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\ 1800 (dat)->data[0] == 0x59)) 1801 #define krb5_is_krb_enc_tgs_rep_part(dat)\ 1802 ((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\ 1803 (dat)->data[0] == 0x5a)) 1804 #define krb5_is_krb_enc_ap_rep_part(dat)\ 1805 ((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\ 1806 (dat)->data[0] == 0x5b)) 1807 #define krb5_is_krb_enc_krb_priv_part(dat)\ 1808 ((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\ 1809 (dat)->data[0] == 0x5c)) 1810 #define krb5_is_krb_enc_krb_cred_part(dat)\ 1811 ((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\ 1812 (dat)->data[0] == 0x5d)) 1813 #define krb5_is_krb_error(dat)\ 1814 ((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\ 1815 (dat)->data[0] == 0x5e)) 1816 1817 /************************************************************************* 1818 * Prototypes for krb5_encode.c 1819 *************************************************************************/ 1820 1821 /* 1822 krb5_error_code encode_krb5_structure(const krb5_structure *rep, 1823 krb5_data **code); 1824 modifies *code 1825 effects Returns the ASN.1 encoding of *rep in **code. 1826 Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep. 1827 Returns ENOMEM if memory runs out. 1828 */ 1829 1830 krb5_error_code encode_krb5_authenticator 1831 (const krb5_authenticator *rep, krb5_data **code); 1832 1833 krb5_error_code encode_krb5_ticket 1834 (const krb5_ticket *rep, krb5_data **code); 1835 1836 krb5_error_code encode_krb5_encryption_key 1837 (const krb5_keyblock *rep, krb5_data **code); 1838 1839 krb5_error_code encode_krb5_enc_tkt_part 1840 (const krb5_enc_tkt_part *rep, krb5_data **code); 1841 1842 krb5_error_code encode_krb5_enc_kdc_rep_part 1843 (const krb5_enc_kdc_rep_part *rep, krb5_data **code); 1844 1845 /* yes, the translation is identical to that used for KDC__REP */ 1846 krb5_error_code encode_krb5_as_rep 1847 (const krb5_kdc_rep *rep, krb5_data **code); 1848 1849 /* yes, the translation is identical to that used for KDC__REP */ 1850 krb5_error_code encode_krb5_tgs_rep 1851 (const krb5_kdc_rep *rep, krb5_data **code); 1852 1853 krb5_error_code encode_krb5_ap_req 1854 (const krb5_ap_req *rep, krb5_data **code); 1855 1856 krb5_error_code encode_krb5_ap_rep 1857 (const krb5_ap_rep *rep, krb5_data **code); 1858 1859 krb5_error_code encode_krb5_ap_rep_enc_part 1860 (const krb5_ap_rep_enc_part *rep, krb5_data **code); 1861 1862 krb5_error_code encode_krb5_as_req 1863 (const krb5_kdc_req *rep, krb5_data **code); 1864 1865 krb5_error_code encode_krb5_tgs_req 1866 (const krb5_kdc_req *rep, krb5_data **code); 1867 1868 krb5_error_code encode_krb5_kdc_req_body 1869 (const krb5_kdc_req *rep, krb5_data **code); 1870 1871 krb5_error_code encode_krb5_safe 1872 (const krb5_safe *rep, krb5_data **code); 1873 1874 struct krb5_safe_with_body { 1875 krb5_safe *safe; 1876 krb5_data *body; 1877 }; 1878 1879 krb5_error_code encode_krb5_safe_with_body 1880 (const struct krb5_safe_with_body *rep, krb5_data **code); 1881 1882 krb5_error_code encode_krb5_priv 1883 (const krb5_priv *rep, krb5_data **code); 1884 1885 krb5_error_code encode_krb5_enc_priv_part 1886 (const krb5_priv_enc_part *rep, krb5_data **code); 1887 1888 krb5_error_code encode_krb5_cred 1889 (const krb5_cred *rep, krb5_data **code); 1890 1891 krb5_error_code encode_krb5_enc_cred_part 1892 (const krb5_cred_enc_part *rep, krb5_data **code); 1893 1894 krb5_error_code encode_krb5_error 1895 (const krb5_error *rep, krb5_data **code); 1896 1897 krb5_error_code encode_krb5_authdata 1898 (krb5_authdata *const *rep, krb5_data **code); 1899 1900 krb5_error_code encode_krb5_authdata_elt 1901 (const krb5_authdata *rep, krb5_data **code); 1902 1903 krb5_error_code encode_krb5_pwd_sequence 1904 (const passwd_phrase_element *rep, krb5_data **code); 1905 1906 krb5_error_code encode_krb5_pwd_data 1907 (const krb5_pwd_data *rep, krb5_data **code); 1908 1909 krb5_error_code encode_krb5_padata_sequence 1910 (krb5_pa_data *const *rep, krb5_data **code); 1911 1912 krb5_error_code encode_krb5_alt_method 1913 (const krb5_alt_method *, krb5_data **code); 1914 1915 krb5_error_code encode_krb5_etype_info 1916 (krb5_etype_info_entry *const *, krb5_data **code); 1917 krb5_error_code encode_krb5_etype_info2 1918 (krb5_etype_info_entry *const *, krb5_data **code); 1919 1920 krb5_error_code encode_krb5_enc_data 1921 (const krb5_enc_data *, krb5_data **); 1922 1923 krb5_error_code encode_krb5_pa_enc_ts 1924 (const krb5_pa_enc_ts *, krb5_data **); 1925 1926 krb5_error_code encode_krb5_sam_challenge 1927 (const krb5_sam_challenge * , krb5_data **); 1928 1929 krb5_error_code encode_krb5_sam_key 1930 (const krb5_sam_key * , krb5_data **); 1931 1932 krb5_error_code encode_krb5_enc_sam_response_enc 1933 (const krb5_enc_sam_response_enc * , krb5_data **); 1934 1935 krb5_error_code encode_krb5_sam_response 1936 (const krb5_sam_response * , krb5_data **); 1937 1938 krb5_error_code encode_krb5_sam_challenge_2 1939 (const krb5_sam_challenge_2 * , krb5_data **); 1940 1941 krb5_error_code encode_krb5_sam_challenge_2_body 1942 (const krb5_sam_challenge_2_body * , krb5_data **); 1943 1944 krb5_error_code encode_krb5_enc_sam_response_enc_2 1945 (const krb5_enc_sam_response_enc_2 * , krb5_data **); 1946 1947 krb5_error_code encode_krb5_sam_response_2 1948 (const krb5_sam_response_2 * , krb5_data **); 1949 1950 krb5_error_code encode_krb5_predicted_sam_response 1951 (const krb5_predicted_sam_response * , krb5_data **); 1952 1953 struct krb5_setpw_req { 1954 krb5_principal target; 1955 krb5_data password; 1956 }; 1957 krb5_error_code encode_krb5_setpw_req 1958 (const struct krb5_setpw_req *rep, krb5_data **code); 1959 1960 /************************************************************************* 1961 * End of prototypes for krb5_encode.c 1962 *************************************************************************/ 1963 1964 krb5_error_code decode_krb5_sam_challenge 1965 (const krb5_data *, krb5_sam_challenge **); 1966 1967 krb5_error_code decode_krb5_enc_sam_key 1968 (const krb5_data *, krb5_sam_key **); 1969 1970 krb5_error_code decode_krb5_enc_sam_response_enc 1971 (const krb5_data *, krb5_enc_sam_response_enc **); 1972 1973 krb5_error_code decode_krb5_sam_response 1974 (const krb5_data *, krb5_sam_response **); 1975 1976 krb5_error_code decode_krb5_predicted_sam_response 1977 (const krb5_data *, krb5_predicted_sam_response **); 1978 1979 krb5_error_code decode_krb5_sam_challenge_2 1980 (const krb5_data *, krb5_sam_challenge_2 **); 1981 1982 krb5_error_code decode_krb5_sam_challenge_2_body 1983 (const krb5_data *, krb5_sam_challenge_2_body **); 1984 1985 krb5_error_code decode_krb5_enc_sam_response_enc_2 1986 (const krb5_data *, krb5_enc_sam_response_enc_2 **); 1987 1988 krb5_error_code decode_krb5_sam_response_2 1989 (const krb5_data *, krb5_sam_response_2 **); 1990 1991 1992 /************************************************************************* 1993 * Prototypes for krb5_decode.c 1994 *************************************************************************/ 1995 1996 krb5_error_code krb5_validate_times 1997 (krb5_context, 1998 krb5_ticket_times *); 1999 2000 /* 2001 krb5_error_code decode_krb5_structure(const krb5_data *code, 2002 krb5_structure **rep); 2003 2004 requires Expects **rep to not have been allocated; 2005 a new *rep is allocated regardless of the old value. 2006 effects Decodes *code into **rep. 2007 Returns ENOMEM if memory is exhausted. 2008 Returns asn1 and krb5 errors. 2009 */ 2010 2011 krb5_error_code decode_krb5_authenticator 2012 (const krb5_data *code, krb5_authenticator **rep); 2013 2014 krb5_error_code decode_krb5_ticket 2015 (const krb5_data *code, krb5_ticket **rep); 2016 2017 krb5_error_code decode_krb5_encryption_key 2018 (const krb5_data *output, krb5_keyblock **rep); 2019 2020 krb5_error_code decode_krb5_enc_tkt_part 2021 (const krb5_data *output, krb5_enc_tkt_part **rep); 2022 2023 krb5_error_code decode_krb5_enc_kdc_rep_part 2024 (const krb5_data *output, krb5_enc_kdc_rep_part **rep); 2025 2026 krb5_error_code decode_krb5_as_rep 2027 (const krb5_data *output, krb5_kdc_rep **rep); 2028 2029 krb5_error_code decode_krb5_tgs_rep 2030 (const krb5_data *output, krb5_kdc_rep **rep); 2031 2032 krb5_error_code decode_krb5_ap_req 2033 (const krb5_data *output, krb5_ap_req **rep); 2034 2035 krb5_error_code decode_krb5_ap_rep 2036 (const krb5_data *output, krb5_ap_rep **rep); 2037 2038 krb5_error_code decode_krb5_ap_rep_enc_part 2039 (const krb5_data *output, krb5_ap_rep_enc_part **rep); 2040 2041 krb5_error_code decode_krb5_as_req 2042 (const krb5_data *output, krb5_kdc_req **rep); 2043 2044 krb5_error_code decode_krb5_tgs_req 2045 (const krb5_data *output, krb5_kdc_req **rep); 2046 2047 krb5_error_code decode_krb5_kdc_req_body 2048 (const krb5_data *output, krb5_kdc_req **rep); 2049 2050 krb5_error_code decode_krb5_safe 2051 (const krb5_data *output, krb5_safe **rep); 2052 2053 krb5_error_code decode_krb5_safe_with_body 2054 (const krb5_data *output, krb5_safe **rep, krb5_data *body); 2055 2056 krb5_error_code decode_krb5_priv 2057 (const krb5_data *output, krb5_priv **rep); 2058 2059 krb5_error_code decode_krb5_enc_priv_part 2060 (const krb5_data *output, krb5_priv_enc_part **rep); 2061 2062 krb5_error_code decode_krb5_cred 2063 (const krb5_data *output, krb5_cred **rep); 2064 2065 krb5_error_code decode_krb5_enc_cred_part 2066 (const krb5_data *output, krb5_cred_enc_part **rep); 2067 2068 krb5_error_code decode_krb5_error 2069 (const krb5_data *output, krb5_error **rep); 2070 2071 krb5_error_code decode_krb5_authdata 2072 (const krb5_data *output, krb5_authdata ***rep); 2073 2074 krb5_error_code decode_krb5_pwd_sequence 2075 (const krb5_data *output, passwd_phrase_element **rep); 2076 2077 krb5_error_code decode_krb5_pwd_data 2078 (const krb5_data *output, krb5_pwd_data **rep); 2079 2080 krb5_error_code decode_krb5_padata_sequence 2081 (const krb5_data *output, krb5_pa_data ***rep); 2082 2083 krb5_error_code decode_krb5_alt_method 2084 (const krb5_data *output, krb5_alt_method **rep); 2085 2086 krb5_error_code decode_krb5_etype_info 2087 (const krb5_data *output, krb5_etype_info_entry ***rep); 2088 2089 krb5_error_code decode_krb5_etype_info2 2090 (const krb5_data *output, krb5_etype_info_entry ***rep); 2091 2092 krb5_error_code decode_krb5_enc_data 2093 (const krb5_data *output, krb5_enc_data **rep); 2094 2095 krb5_error_code decode_krb5_pa_enc_ts 2096 (const krb5_data *output, krb5_pa_enc_ts **rep); 2097 2098 krb5_error_code decode_krb5_sam_key 2099 (const krb5_data *, krb5_sam_key **); 2100 2101 struct _krb5_key_data; /* kdb.h */ 2102 krb5_error_code 2103 krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data, 2104 krb5_int16 n_key_data, 2105 krb5_int32 mkvno, 2106 krb5_data **code); 2107 2108 krb5_error_code 2109 krb5int_ldap_decode_sequence_of_keys (krb5_data *in, 2110 struct _krb5_key_data **out, 2111 krb5_int16 *n_key_data, 2112 int *mkvno); 2113 2114 /************************************************************************* 2115 * End of prototypes for krb5_decode.c 2116 *************************************************************************/ 2117 2118 #endif /* KRB5_ASN1__ */ 2119 /* 2120 * End "asn1.h" 2121 */ 2122 2123 2124 /* 2125 * Internal krb5 library routines 2126 */ 2127 krb5_error_code krb5_encrypt_tkt_part 2128 (krb5_context, 2129 const krb5_keyblock *, 2130 krb5_ticket * ); 2131 2132 2133 krb5_error_code krb5_encode_kdc_rep 2134 (krb5_context, 2135 const krb5_msgtype, 2136 const krb5_enc_kdc_rep_part *, 2137 int using_subkey, 2138 const krb5_keyblock *, 2139 krb5_kdc_rep *, 2140 krb5_data ** ); 2141 2142 krb5_boolean krb5int_auth_con_chkseqnum 2143 (krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq); 2144 /* 2145 * [De]Serialization Handle and operations. 2146 */ 2147 struct __krb5_serializer { 2148 krb5_magic odtype; 2149 krb5_error_code (*sizer) (krb5_context, 2150 krb5_pointer, 2151 size_t *); 2152 krb5_error_code (*externalizer) (krb5_context, 2153 krb5_pointer, 2154 krb5_octet **, 2155 size_t *); 2156 krb5_error_code (*internalizer) (krb5_context, 2157 krb5_pointer *, 2158 krb5_octet **, 2159 size_t *); 2160 }; 2161 typedef const struct __krb5_serializer * krb5_ser_handle; 2162 typedef struct __krb5_serializer krb5_ser_entry; 2163 2164 krb5_ser_handle krb5_find_serializer 2165 (krb5_context, 2166 krb5_magic); 2167 krb5_error_code krb5_register_serializer 2168 (krb5_context, 2169 const krb5_ser_entry *); 2170 2171 /* Determine the external size of a particular opaque structure */ 2172 krb5_error_code KRB5_CALLCONV krb5_size_opaque 2173 (krb5_context, 2174 krb5_magic, 2175 krb5_pointer, 2176 size_t *); 2177 2178 /* Serialize the structure into a buffer */ 2179 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque 2180 (krb5_context, 2181 krb5_magic, 2182 krb5_pointer, 2183 krb5_octet **, 2184 size_t *); 2185 2186 /* Deserialize the structure from a buffer */ 2187 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque 2188 (krb5_context, 2189 krb5_magic, 2190 krb5_pointer *, 2191 krb5_octet **, 2192 size_t *); 2193 2194 /* Serialize data into a buffer */ 2195 krb5_error_code krb5_externalize_data 2196 (krb5_context, 2197 krb5_pointer, 2198 krb5_octet **, 2199 size_t *); 2200 /* 2201 * Initialization routines. 2202 */ 2203 2204 /* Initialize serialization for krb5_[os_]context */ 2205 krb5_error_code KRB5_CALLCONV krb5_ser_context_init 2206 (krb5_context); 2207 2208 /* Initialize serialization for krb5_auth_context */ 2209 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init 2210 (krb5_context); 2211 2212 /* Initialize serialization for krb5_keytab */ 2213 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init 2214 (krb5_context); 2215 2216 /* Initialize serialization for krb5_ccache */ 2217 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init 2218 (krb5_context); 2219 2220 /* Initialize serialization for krb5_rcache */ 2221 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init 2222 (krb5_context); 2223 2224 /* [De]serialize 4-byte integer */ 2225 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32 2226 (krb5_int32, 2227 krb5_octet **, 2228 size_t *); 2229 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32 2230 (krb5_int32 *, 2231 krb5_octet **, 2232 size_t *); 2233 /* [De]serialize 8-byte integer */ 2234 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64 2235 (krb5_int64, krb5_octet **, size_t *); 2236 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64 2237 (krb5_int64 *, krb5_octet **, size_t *); 2238 /* [De]serialize byte string */ 2239 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes 2240 (krb5_octet *, 2241 size_t, 2242 krb5_octet **, 2243 size_t *); 2244 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes 2245 (krb5_octet *, 2246 size_t, 2247 krb5_octet **, 2248 size_t *); 2249 2250 krb5_error_code KRB5_CALLCONV krb5int_cc_default 2251 (krb5_context, krb5_ccache *); 2252 2253 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default 2254 (krb5_context, krb5_ccache, krb5_flags, 2255 krb5_creds *, krb5_creds *); 2256 2257 krb5_boolean KRB5_CALLCONV 2258 krb5_creds_compare (krb5_context in_context, 2259 krb5_creds *in_creds, 2260 krb5_creds *in_compare_creds); 2261 2262 void krb5int_set_prompt_types 2263 (krb5_context, krb5_prompt_type *); 2264 2265 krb5_error_code 2266 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context, 2267 krb5_keyblock * /* Old keyblock, not new! */); 2268 2269 /* set and change password helpers */ 2270 2271 krb5_error_code krb5int_mk_chpw_req 2272 (krb5_context context, krb5_auth_context auth_context, 2273 krb5_data *ap_req, char *passwd, krb5_data *packet); 2274 krb5_error_code krb5int_rd_chpw_rep 2275 (krb5_context context, krb5_auth_context auth_context, 2276 krb5_data *packet, int *result_code, 2277 krb5_data *result_data); 2278 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string 2279 (krb5_context context, int result_code, 2280 char **result_codestr); 2281 krb5_error_code krb5int_mk_setpw_req 2282 (krb5_context context, krb5_auth_context auth_context, 2283 krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet); 2284 krb5_error_code krb5int_rd_setpw_rep 2285 (krb5_context context, krb5_auth_context auth_context, 2286 krb5_data *packet, int *result_code, 2287 krb5_data *result_data); 2288 krb5_error_code krb5int_setpw_result_code_string 2289 (krb5_context context, int result_code, 2290 const char **result_codestr); 2291 2292 struct srv_dns_entry { 2293 struct srv_dns_entry *next; 2294 int priority; 2295 int weight; 2296 unsigned short port; 2297 char *host; 2298 }; 2299 #ifdef KRB5_DNS_LOOKUP 2300 krb5_error_code 2301 krb5int_make_srv_query_realm(const krb5_data *realm, 2302 const char *service, 2303 const char *protocol, 2304 struct srv_dns_entry **answers); 2305 void krb5int_free_srv_dns_data(struct srv_dns_entry *); 2306 #endif 2307 2308 /* 2309 * Convenience function for structure magic number 2310 */ 2311 #define KRB5_VERIFY_MAGIC(structure,magic_number) \ 2312 if ((structure)->magic != (magic_number)) return (magic_number); 2313 2314 2315 /* SUNW14resync XXX - see k5-util.h */ 2316 #if 0 2317 int krb5_seteuid (int); 2318 #endif 2319 2320 char * krb5_getenv(const char *); 2321 int krb5_setenv (const char *, const char *, int); 2322 void krb5_unsetenv (const char *); 2323 2324 2325 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it 2326 for future resync sake */ 2327 2328 /* To keep happy libraries which are (for now) accessing internal stuff */ 2329 2330 /* Make sure to increment by one when changing the struct */ 2331 #define KRB5INT_ACCESS_STRUCT_VERSION 12 2332 2333 #ifndef ANAME_SZ 2334 struct ktext; /* from krb.h, for krb524 support */ 2335 #endif 2336 typedef struct _krb5int_access { 2337 /* crypto stuff */ 2338 const struct krb5_hash_provider *md5_hash_provider; 2339 const struct krb5_enc_provider *arcfour_enc_provider; 2340 krb5_error_code (* krb5_hmac) (krb5_context, const struct krb5_hash_provider *hash, 2341 const krb5_keyblock *key, 2342 unsigned int icount, const krb5_data *input, 2343 krb5_data *output); 2344 /* service location and communication */ 2345 #ifndef _KERNEL 2346 krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg, 2347 const struct addrlist *, struct sendto_callback_info*, krb5_data *reply, 2348 struct sockaddr *, socklen_t *,struct sockaddr *, 2349 socklen_t *, int *, 2350 int (*msg_handler)(krb5_context, const krb5_data *, void *), 2351 void *msg_handler_data); 2352 krb5_error_code (*add_host_to_list)(struct addrlist *lp, 2353 const char *hostname, 2354 int port, int secport, 2355 int socktype, int family); 2356 void (*free_addrlist) (struct addrlist *); 2357 #endif /* _KERNEL */ 2358 2359 krb5_error_code (*make_srv_query_realm)(const krb5_data *realm, 2360 const char *service, 2361 const char *protocol, 2362 struct srv_dns_entry **answers); 2363 void (*free_srv_dns_data)(struct srv_dns_entry *); 2364 int (*use_dns_kdc)(krb5_context); 2365 krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t); 2366 2367 /* krb4 compatibility stuff -- may be null if not enabled */ 2368 krb5_int32 (*krb_life_to_time)(krb5_int32, int); 2369 int (*krb_time_to_life)(krb5_int32, krb5_int32); 2370 int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *); 2371 krb5_error_code (*krb5int_c_mandatory_cksumtype) 2372 (krb5_context, krb5_enctype, krb5_cksumtype *); 2373 krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64) 2374 (krb5_int64, krb5_octet **, size_t *); 2375 krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64) 2376 (krb5_int64 *, krb5_octet **, size_t *); 2377 2378 /* Used for KDB LDAP back end. */ 2379 krb5_error_code 2380 (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data, 2381 krb5_int16 n_key_data, 2382 krb5_int32 mkvno, 2383 krb5_data **code); 2384 2385 krb5_error_code 2386 (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in, 2387 struct _krb5_key_data **out, 2388 krb5_int16 *n_key_data, 2389 int *mkvno); 2390 2391 /* 2392 * pkinit asn.1 encode/decode functions 2393 */ 2394 krb5_error_code (*encode_krb5_auth_pack) 2395 (const krb5_auth_pack *rep, krb5_data **code); 2396 krb5_error_code (*encode_krb5_auth_pack_draft9) 2397 (const krb5_auth_pack_draft9 *rep, krb5_data **code); 2398 krb5_error_code (*encode_krb5_kdc_dh_key_info) 2399 (const krb5_kdc_dh_key_info *rep, krb5_data **code); 2400 krb5_error_code (*encode_krb5_pa_pk_as_rep) 2401 (const krb5_pa_pk_as_rep *rep, krb5_data **code); 2402 krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9) 2403 (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code); 2404 krb5_error_code (*encode_krb5_pa_pk_as_req) 2405 (const krb5_pa_pk_as_req *rep, krb5_data **code); 2406 krb5_error_code (*encode_krb5_pa_pk_as_req_draft9) 2407 (const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code); 2408 krb5_error_code (*encode_krb5_reply_key_pack) 2409 (const krb5_reply_key_pack *, krb5_data **code); 2410 krb5_error_code (*encode_krb5_reply_key_pack_draft9) 2411 (const krb5_reply_key_pack_draft9 *, krb5_data **code); 2412 krb5_error_code (*encode_krb5_td_dh_parameters) 2413 (const krb5_algorithm_identifier **, krb5_data **code); 2414 krb5_error_code (*encode_krb5_td_trusted_certifiers) 2415 (const krb5_external_principal_identifier **, krb5_data **code); 2416 krb5_error_code (*encode_krb5_typed_data) 2417 (const krb5_typed_data **, krb5_data **code); 2418 2419 krb5_error_code (*decode_krb5_auth_pack) 2420 (const krb5_data *, krb5_auth_pack **); 2421 krb5_error_code (*decode_krb5_auth_pack_draft9) 2422 (const krb5_data *, krb5_auth_pack_draft9 **); 2423 krb5_error_code (*decode_krb5_pa_pk_as_req) 2424 (const krb5_data *, krb5_pa_pk_as_req **); 2425 krb5_error_code (*decode_krb5_pa_pk_as_req_draft9) 2426 (const krb5_data *, krb5_pa_pk_as_req_draft9 **); 2427 krb5_error_code (*decode_krb5_pa_pk_as_rep) 2428 (const krb5_data *, krb5_pa_pk_as_rep **); 2429 krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9) 2430 (const krb5_data *, krb5_pa_pk_as_rep_draft9 **); 2431 krb5_error_code (*decode_krb5_kdc_dh_key_info) 2432 (const krb5_data *, krb5_kdc_dh_key_info **); 2433 krb5_error_code (*decode_krb5_principal_name) 2434 (const krb5_data *, krb5_principal_data **); 2435 krb5_error_code (*decode_krb5_reply_key_pack) 2436 (const krb5_data *, krb5_reply_key_pack **); 2437 krb5_error_code (*decode_krb5_reply_key_pack_draft9) 2438 (const krb5_data *, krb5_reply_key_pack_draft9 **); 2439 krb5_error_code (*decode_krb5_td_dh_parameters) 2440 (const krb5_data *, krb5_algorithm_identifier ***); 2441 krb5_error_code (*decode_krb5_td_trusted_certifiers) 2442 (const krb5_data *, krb5_external_principal_identifier ***); 2443 krb5_error_code (*decode_krb5_typed_data) 2444 (const krb5_data *, krb5_typed_data ***); 2445 2446 krb5_error_code (*decode_krb5_as_req) 2447 (const krb5_data *output, krb5_kdc_req **rep); 2448 krb5_error_code (*encode_krb5_kdc_req_body) 2449 (const krb5_kdc_req *rep, krb5_data **code); 2450 void (KRB5_CALLCONV *krb5_free_kdc_req) 2451 (krb5_context, krb5_kdc_req * ); 2452 void (*krb5int_set_prompt_types) 2453 (krb5_context, krb5_prompt_type *); 2454 krb5_error_code (*encode_krb5_authdata_elt) 2455 (const krb5_authdata *rep, krb5_data **code); 2456 2457 } krb5int_access; 2458 2459 #define KRB5INT_ACCESS_VERSION \ 2460 (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \ 2461 (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF) 2462 2463 krb5_error_code KRB5_CALLCONV krb5int_accessor 2464 (krb5int_access*, krb5_int32); 2465 2466 /* Ick -- some krb524 and krb4 support placed in the krb5 library, 2467 because AFS (and potentially other applications?) use the krb4 2468 object as an opaque token, which (in some implementations) is not 2469 in fact a krb4 ticket, so we don't want to drag in the krb4 support 2470 just to enable this. */ 2471 2472 #define KRB524_SERVICE "krb524" 2473 #define KRB524_PORT 4444 2474 2475 /* v4lifetime.c */ 2476 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int); 2477 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32); 2478 2479 /* conv_creds.c */ 2480 int krb5int_encode_v4tkt 2481 (struct ktext *v4tkt, char *buf, unsigned int *encoded_len); 2482 2483 /* send524.c */ 2484 int krb5int_524_sendto_kdc 2485 (krb5_context context, const krb5_data * message, 2486 const krb5_data * realm, krb5_data * reply, 2487 struct sockaddr *, socklen_t *); 2488 2489 /* temporary -- this should be under lib/krb5/ccache somewhere */ 2490 2491 struct _krb5_ccache { 2492 krb5_magic magic; 2493 const struct _krb5_cc_ops *ops; 2494 krb5_pointer data; 2495 }; 2496 2497 /* 2498 * Per-type ccache cursor. 2499 */ 2500 struct krb5_cc_ptcursor { 2501 const struct _krb5_cc_ops *ops; 2502 krb5_pointer data; 2503 }; 2504 typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor; 2505 2506 struct _krb5_cc_ops { 2507 krb5_magic magic; 2508 char *prefix; 2509 const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache); 2510 krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *, 2511 const char *); 2512 krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *); 2513 krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache, 2514 krb5_principal); 2515 krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache); 2516 krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache); 2517 krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache, 2518 krb5_creds *); 2519 krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache, 2520 krb5_flags, krb5_creds *, 2521 krb5_creds *); 2522 krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache, 2523 krb5_principal *); 2524 krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache, 2525 krb5_cc_cursor *); 2526 krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache, 2527 krb5_cc_cursor *, krb5_creds *); 2528 krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache, 2529 krb5_cc_cursor *); 2530 krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache, 2531 krb5_flags, krb5_creds *); 2532 krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache, 2533 krb5_flags); 2534 krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache, 2535 krb5_flags *); 2536 krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context, 2537 krb5_cc_ptcursor *); 2538 krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context, 2539 krb5_cc_ptcursor, 2540 krb5_ccache *); 2541 krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context, 2542 krb5_cc_ptcursor *); 2543 krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache); 2544 krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context, 2545 krb5_ccache, krb5_timestamp *); 2546 krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache, 2547 krb5_timestamp *); 2548 }; 2549 2550 extern const krb5_cc_ops *krb5_cc_dfl_ops; 2551 2552 krb5_error_code 2553 krb5int_cc_os_default_name(krb5_context context, char **name); 2554 2555 /* 2556 * Cursor for iterating over ccache types 2557 */ 2558 struct krb5_cc_typecursor; 2559 typedef struct krb5_cc_typecursor *krb5_cc_typecursor; 2560 2561 krb5_error_code 2562 krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *cursor); 2563 2564 krb5_error_code 2565 krb5int_cc_typecursor_next( 2566 krb5_context context, 2567 krb5_cc_typecursor cursor, 2568 const struct _krb5_cc_ops **ops); 2569 2570 krb5_error_code 2571 krb5int_cc_typecursor_free( 2572 krb5_context context, 2573 krb5_cc_typecursor *cursor); 2574 2575 typedef struct _krb5_donot_replay { 2576 krb5_magic magic; 2577 krb5_ui_4 hash; 2578 char *server; /* null-terminated */ 2579 char *client; /* null-terminated */ 2580 char *msghash; /* null-terminated */ 2581 krb5_int32 cusec; 2582 krb5_timestamp ctime; 2583 } krb5_donot_replay; 2584 2585 krb5_error_code krb5_rc_default 2586 (krb5_context, 2587 krb5_rcache *); 2588 krb5_error_code krb5_rc_resolve_type 2589 (krb5_context, 2590 krb5_rcache *,char *); 2591 krb5_error_code krb5_rc_resolve_full 2592 (krb5_context, 2593 krb5_rcache *,char *); 2594 char * krb5_rc_get_type 2595 (krb5_context, 2596 krb5_rcache); 2597 char * krb5_rc_default_type 2598 (krb5_context); 2599 char * krb5_rc_default_name 2600 (krb5_context); 2601 krb5_error_code krb5_auth_to_rep 2602 (krb5_context, 2603 krb5_tkt_authent *, 2604 krb5_donot_replay *); 2605 2606 2607 krb5_error_code KRB5_CALLCONV krb5_rc_initialize 2608 (krb5_context, krb5_rcache,krb5_deltat); 2609 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize 2610 (krb5_context, krb5_rcache,krb5_deltat); 2611 krb5_error_code KRB5_CALLCONV krb5_rc_recover 2612 (krb5_context, krb5_rcache); 2613 krb5_error_code KRB5_CALLCONV krb5_rc_destroy 2614 (krb5_context, krb5_rcache); 2615 krb5_error_code KRB5_CALLCONV krb5_rc_close 2616 (krb5_context, krb5_rcache); 2617 krb5_error_code KRB5_CALLCONV krb5_rc_store 2618 (krb5_context, krb5_rcache,krb5_donot_replay *); 2619 krb5_error_code KRB5_CALLCONV krb5_rc_expunge 2620 (krb5_context, krb5_rcache); 2621 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan 2622 (krb5_context, krb5_rcache,krb5_deltat *); 2623 char *KRB5_CALLCONV krb5_rc_get_name 2624 (krb5_context, krb5_rcache); 2625 krb5_error_code KRB5_CALLCONV krb5_rc_resolve 2626 (krb5_context, krb5_rcache, char *); 2627 2628 typedef struct _krb5_kt_ops { 2629 krb5_magic magic; 2630 char *prefix; 2631 /* routines always present */ 2632 krb5_error_code (KRB5_CALLCONV *resolve) 2633 (krb5_context, 2634 const char *, 2635 krb5_keytab *); 2636 krb5_error_code (KRB5_CALLCONV *get_name) 2637 (krb5_context, 2638 krb5_keytab, 2639 char *, 2640 unsigned int); 2641 krb5_error_code (KRB5_CALLCONV *close) 2642 (krb5_context, 2643 krb5_keytab); 2644 krb5_error_code (KRB5_CALLCONV *get) 2645 (krb5_context, 2646 krb5_keytab, 2647 krb5_const_principal, 2648 krb5_kvno, 2649 krb5_enctype, 2650 krb5_keytab_entry *); 2651 krb5_error_code (KRB5_CALLCONV *start_seq_get) 2652 (krb5_context, 2653 krb5_keytab, 2654 krb5_kt_cursor *); 2655 krb5_error_code (KRB5_CALLCONV *get_next) 2656 (krb5_context, 2657 krb5_keytab, 2658 krb5_keytab_entry *, 2659 krb5_kt_cursor *); 2660 krb5_error_code (KRB5_CALLCONV *end_get) 2661 (krb5_context, 2662 krb5_keytab, 2663 krb5_kt_cursor *); 2664 /* routines to be included on extended version (write routines) */ 2665 krb5_error_code (KRB5_CALLCONV *add) 2666 (krb5_context, 2667 krb5_keytab, 2668 krb5_keytab_entry *); 2669 krb5_error_code (KRB5_CALLCONV *remove) 2670 (krb5_context, 2671 krb5_keytab, 2672 krb5_keytab_entry *); 2673 2674 /* Handle for serializer */ 2675 const krb5_ser_entry *serializer; 2676 } krb5_kt_ops; 2677 2678 extern const krb5_kt_ops krb5_kt_dfl_ops; 2679 2680 extern krb5_error_code krb5int_translate_gai_error (int); 2681 2682 /* Not sure it's ready for exposure just yet. */ 2683 extern krb5_error_code 2684 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *); 2685 2686 extern int krb5int_crypto_init (void); 2687 extern int krb5int_prng_init(void); 2688 2689 /* 2690 * SUNW14resync 2691 * Hack (?) to neuter C99 "inline" which causes warnings w/our build. 2692 */ 2693 #define inline 2694 2695 /* Solaris kerberos */ 2696 krb5_boolean KRB5_CALLCONV is_in_keytype 2697 (krb5_const krb5_enctype *keytype, 2698 int numkeytypes, krb5_enctype enctype); 2699 2700 /* 2701 * Solaris Kerberos 2702 * Use krb5_getuid() to select the mechanism to obtain the uid. 2703 */ 2704 extern uid_t krb5_getuid(); 2705 2706 /* 2707 * Referral definitions, debugging hooks, and subfunctions. 2708 */ 2709 #define KRB5_REFERRAL_MAXHOPS 5 2710 /* #define DEBUG_REFERRALS */ 2711 2712 #ifdef DEBUG_REFERRALS 2713 void krb5int_dbgref_dump_principal(char *, krb5_principal); 2714 #endif 2715 2716 /* Common hostname-parsing code. */ 2717 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname 2718 (krb5_context, 2719 const char *, 2720 char *, 2721 size_t); 2722 2723 /* 2724 * Solaris Kerberos 2725 * Kernel & user space realloc. 2726 */ 2727 void *krb5int_realloc 2728 (void *oldp, 2729 size_t new_size, 2730 size_t old_size); 2731 #endif /* _KRB5_INT_H */ 2732