xref: /titanic_41/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit.h (revision 6a634c9dca3093f3922e4b7ab826d7bdf17bf78e)
1159d09a2SMark Phalan /*
2159d09a2SMark Phalan  * COPYRIGHT (C) 2006,2007
3159d09a2SMark Phalan  * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
4159d09a2SMark Phalan  * ALL RIGHTS RESERVED
5159d09a2SMark Phalan  *
6159d09a2SMark Phalan  * Permission is granted to use, copy, create derivative works
7159d09a2SMark Phalan  * and redistribute this software and such derivative works
8159d09a2SMark Phalan  * for any purpose, so long as the name of The University of
9159d09a2SMark Phalan  * Michigan is not used in any advertising or publicity
10159d09a2SMark Phalan  * pertaining to the use of distribution of this software
11159d09a2SMark Phalan  * without specific, written prior authorization.  If the
12159d09a2SMark Phalan  * above copyright notice or any other identification of the
13159d09a2SMark Phalan  * University of Michigan is included in any copy of any
14159d09a2SMark Phalan  * portion of this software, then the disclaimer below must
15159d09a2SMark Phalan  * also be included.
16159d09a2SMark Phalan  *
17159d09a2SMark Phalan  * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
18159d09a2SMark Phalan  * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
19159d09a2SMark Phalan  * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
20159d09a2SMark Phalan  * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
21159d09a2SMark Phalan  * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
22159d09a2SMark Phalan  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
23159d09a2SMark Phalan  * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
24159d09a2SMark Phalan  * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
25159d09a2SMark Phalan  * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
26159d09a2SMark Phalan  * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
27159d09a2SMark Phalan  * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
28159d09a2SMark Phalan  * SUCH DAMAGES.
29159d09a2SMark Phalan  */
30159d09a2SMark Phalan 
31488060a6SWill Fiveash /*
32488060a6SWill Fiveash  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
33488060a6SWill Fiveash  */
34488060a6SWill Fiveash 
35159d09a2SMark Phalan #ifndef _PKINIT_H
36159d09a2SMark Phalan #define _PKINIT_H
37159d09a2SMark Phalan 
38159d09a2SMark Phalan /* Solaris Kerberos */
39159d09a2SMark Phalan #include <preauth_plugin.h>
40159d09a2SMark Phalan #include <k5-int-pkinit.h>
41159d09a2SMark Phalan #include <profile.h>
42159d09a2SMark Phalan #include "pkinit_accessor.h"
43159d09a2SMark Phalan 
/*
 * It is anticipated that all the special checks currently
 * required when talking to a Longhorn server will go away
 * by the time it is officially released and all references
 * to the longhorn global can be removed and any code
 * #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
 * And this #define!
 *
 * The macro is defined unconditionally on the next line, so every
 * LONGHORN_BETA_COMPAT section is always compiled in.
 *
 * NOTE(review): `longhorn` is a single file-scope global, not a field of
 * a per-request context, so its value is shared by everything in the
 * process.  The code that sets and tests it is not in this header;
 * confirm that whatever checks it changes cannot be switched by data
 * from an unauthenticated peer.
 */
#define LONGHORN_BETA_COMPAT 1
#ifdef LONGHORN_BETA_COMPAT
extern int longhorn;	    /* XXX Talking to a Longhorn server? */
#endif
56159d09a2SMark Phalan 
57159d09a2SMark Phalan 
/* PKCS#11 support; compiled out when WITHOUT_PKCS11 is defined. */
#ifndef WITHOUT_PKCS11
/* Solaris Kerberos */
#include <security/cryptoki.h>
#include <security/pkcs11.h>

/*
 * Solaris Kerberos
 * Absolute path of the PKCS#11 library.
 * NOTE(review): presumably the default for p11_module_name; the loader
 * call is not visible here.  Confirm that a configured override is also
 * required to be an absolute, trusted path.
 */
#define PKCS11_MODNAME "/usr/lib/libpkcs11.so"

/*
 * NOTE(review): the name suggests an initial estimate of a signature
 * length.  Confirm that callers size the buffer from the length the
 * token actually reports rather than trusting this value.
 */
#define PK_SIGLEN_GUESS 1000
/* Presumably a sentinel meaning "no slot selected" -- verify in callers. */
#define PK_NOSLOT 999999
#endif
69159d09a2SMark Phalan 
/* Key-agreement selectors; presumably the values of the dh_or_rsa option. */
#define DH_PROTOCOL     1
#define RSA_PROTOCOL    2

/* Typed-data type numbers used by PKINIT (RFC 4556). */
#define TD_TRUSTED_CERTIFIERS 104
#define TD_INVALID_CERTIFICATES 105
#define TD_DH_PARAMETERS 109

/*
 * Magic values for the `magic` member of the context structures.
 * NOTE(review): the members are declared `int`, and 0xdeadbeef does not
 * fit in a 32-bit signed int, so storing it is an implementation-defined
 * conversion.  Comparisons against the macro still work because the int
 * is converted to unsigned; an unsigned member would avoid the issue.
 */
#define PKINIT_CTX_MAGIC	0x05551212
#define PKINIT_REQ_CTX_MAGIC	0xdeadbeef

/* Default lower bound, in bits, for an acceptable DH modulus. */
#define PKINIT_DEFAULT_DH_MIN_BITS  2048
81159d09a2SMark Phalan 
/*
 * Make pkiDebug(fmt,...) print, or not.
 *
 * With DEBUG defined, pkiDebug is printf and writes to stdout.  Without
 * it, pkiDebug is an empty variadic function, so the arguments are still
 * evaluated at every call site.
 *
 * NOTE(review): the empty function carries no printf format attribute,
 * so format/argument mismatches are only diagnosed in DEBUG builds.
 * Audit call sites so that PINs, keys and other secrets are never passed
 * as arguments; a DEBUG build would print them.
 */
#ifdef DEBUG
#define pkiDebug	printf
#else
/* Still evaluates for side effects.  */
/* ARGSUSED */
static void pkiDebug (const char *fmt, ...) { }
/* This is better if the compiler doesn't inline variadic functions
   well, but gcc will warn about "left-hand operand of comma
   expression has no effect".  Still evaluates for side effects.  */
/* #define pkiDebug	(void) */
#endif
94159d09a2SMark Phalan 
/*
 * Solaris Kerberos
 * Map __FUNCTION__ onto the C99 __func__ identifier when the compiler
 * reports C99 support (or Sun Studio with C99 features enabled).
 * Otherwise it expands to an empty string, so messages built with it
 * carry no function name in such builds.
 */
#if (__STDC_VERSION__ >= 199901L) || \
    (defined(__SUNPRO_C) && defined(__C99FEATURES__))
#define __FUNCTION__ __func__
#else
#define __FUNCTION__ ""
#endif
102159d09a2SMark Phalan 
103159d09a2SMark Phalan 
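/*
 * Macros to deal with converting between various data types...
 *
 * Each macro makes *k5d alias the source buffer: it copies the length
 * and stores the source pointer cast to char *.  No bytes are copied, so
 * the krb5_data must not outlive the source and must not be freed
 * separately.
 *
 * The two assignments are joined with the comma operator so that each
 * macro is a single statement.  Written as two statements, an unbraced
 * `if (cond) PADATA_TO_KRB5DATA(p, d);` would guard only the length
 * assignment and always overwrite the data pointer, leaving a
 * length/pointer pair that no longer describes one buffer.
 *
 * The trailing semicolon is kept so that call sites written without one
 * still compile.  Both arguments are evaluated twice; do not pass
 * expressions with side effects.
 */
#define PADATA_TO_KRB5DATA(pad, k5d) \
    ((k5d)->length = (pad)->length, (k5d)->data = (char *)(pad)->contents);
#define OCTETDATA_TO_KRB5DATA(octd, k5d) \
    ((k5d)->length = (octd)->length, (k5d)->data = (char *)(octd)->data);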
109159d09a2SMark Phalan 
/* Defined in another translation unit; only the declaration lives here. */
extern const krb5_octet_data dh_oid;

/*
 * Notes about crypto contexts:
 *
 * The basic idea is that there are crypto contexts that live at
 * both the plugin level and the request level.  The identity context
 * (that keeps info about your own certs and such) is separate because
 * it is needed at different levels for the KDC and the client.
 * (The KDC's identity is at the plugin level; the client's identity
 * information could change per request.)
 * The identity context is meant to have the entity's cert,
 * a list of trusted and intermediate CAs, a list of CRLs, and any
 * PKCS#11 information.  The req context is meant to have the
 * received certificate and the DH-related information.  The plugin
 * context is meant to have global crypto information, i.e., OIDs
 * and constant DH parameter information.
 *
 * All three types below are pointers to structures that are only
 * forward-declared in this header, so code including it cannot see
 * their members.
 */

/*
 * plugin crypto context should keep plugin common information,
 * e.g., OIDs, known DH params
 */
typedef struct _pkinit_plg_crypto_context *pkinit_plg_crypto_context;

/*
 * request crypto context should keep request common information,
 * e.g., received credentials, DH parameters of this request
 */
typedef struct _pkinit_req_crypto_context *pkinit_req_crypto_context;

/*
 * identity context should keep information about credentials
 * for the request, e.g., my credentials, trusted CA certs,
 * intermediate CA certs, CRLs, PKCS#11 info
 */
typedef struct _pkinit_identity_crypto_context *pkinit_identity_crypto_context;
147159d09a2SMark Phalan 
/*
 * This structure keeps information about the config options.
 *
 * Every member is an int; the defaults quoted below come from the
 * original comments and are set outside this header.
 *
 * NOTE(review): accept_secondary_eku, allow_upn and a false
 * require_crl_checking each loosen certificate validation.  Confirm
 * that the initializer applies the strict defaults and that a
 * deployment turning any of them on does so deliberately.
 */
typedef struct _pkinit_plg_opts {
    int require_eku;	    /* require EKU checking (default is true) */
    int accept_secondary_eku;/* accept secondary EKU (default is false) */
    int allow_upn;	    /* allow UPN-SAN instead of pkinit-SAN */
    int dh_or_rsa;	    /* selects DH or RSA based pkinit */
    int require_crl_checking; /* require CRL for a CA (default is false) */
    int dh_min_bits;	    /* minimum DH modulus size allowed */
} pkinit_plg_opts;
159159d09a2SMark Phalan 
/*
 * This structure keeps options used for a given request.
 *
 * The first five members have the same names as members of
 * pkinit_plg_opts; presumably they are copied from the plugin options
 * per request -- verify in the code that fills this structure.
 */
typedef struct _pkinit_req_opts {
    int require_eku;
    int accept_secondary_eku;
    int allow_upn;
    int dh_or_rsa;
    int require_crl_checking;
    /*
     * NOTE(review): the comment on dh_size says the default is 1024,
     * while PKINIT_DEFAULT_DH_MIN_BITS in this header is 2048.  Confirm
     * which value the initializer really uses; a 1024-bit default would
     * be below the header's own minimum.
     */
    int dh_size;	    /* initial request DH modulus size (default=1024) */
    int require_hostname_match;
    int win2k_target;
    int win2k_require_cksum;
} pkinit_req_opts;
174159d09a2SMark Phalan 
/*
 * Information about identity from config file or command line.
 */

/* Selectors naming which kind of identity option is being handled. */
#define PKINIT_ID_OPT_USER_IDENTITY	1
#define PKINIT_ID_OPT_ANCHOR_CAS	2
#define PKINIT_ID_OPT_INTERMEDIATE_CAS	3
#define PKINIT_ID_OPT_CRLS		4
#define PKINIT_ID_OPT_OCSP		5
#define PKINIT_ID_OPT_DN_MAPPING	6   /* XXX ? */

/*
 * Identity settings.  The char ** members are string lists; how they
 * are terminated and who frees them is not visible in this header
 * (presumably pkinit_fini_identity_opts -- verify).
 *
 * NOTE(review): PIN holds the token PIN as an ordinary C string.
 * Confirm that every copy, including those made by
 * pkinit_dup_identity_opts, is overwritten before it is freed, and that
 * the value is never passed to pkiDebug or other logging.
 */
typedef struct _pkinit_identity_opts {
    char *identity;
    char **identity_alt;
    char **anchors;
    char **intermediates;
    char **crls;
    char *ocsp;
    char *dn_mapping_file;
    int  idtype;
    char *cert_filename;
    char *key_filename;
#ifndef WITHOUT_PKCS11
    char *p11_module_name;
    CK_SLOT_ID slotid;
    char *token_label;
    char *cert_id_string;
    char *cert_label;
    char *PIN; /* Solaris Kerberos */
#endif
} pkinit_identity_opts;
206159d09a2SMark Phalan 
207159d09a2SMark Phalan 
/*
 * Client's plugin context
 *
 * Holds the plugin-level crypto context plus pointers to the plugin
 * options and identity options.
 * NOTE(review): `magic` is presumably set to PKINIT_CTX_MAGIC and
 * checked before an untyped handle is treated as this structure --
 * confirm that callers actually perform the check.
 */
struct _pkinit_context {
    int magic;
    pkinit_plg_crypto_context cryptoctx;
    pkinit_plg_opts *opts;
    pkinit_identity_opts *idopts;
};
typedef struct _pkinit_context *pkinit_context;
218159d09a2SMark Phalan 
/*
 * Client's per-request context
 *
 * Holds the request-level crypto context, the request options, the
 * identity crypto context and identity options, and the preauth type.
 * NOTE(review): `magic` is presumably PKINIT_REQ_CTX_MAGIC -- confirm it
 * is verified before the structure is used.
 */
struct _pkinit_req_context {
    int magic;
    pkinit_req_crypto_context cryptoctx;
    pkinit_req_opts *opts;
    pkinit_identity_crypto_context idctx;
    pkinit_identity_opts *idopts;
    krb5_preauthtype pa_type;
};
/*
 * Handle type for the KDC plugin context.  It is not the handle for the
 * structure just above.
 */
typedef struct _pkinit_kdc_context *pkinit_kdc_context;
231159d09a2SMark Phalan 
/*
 * KDC's (per-realm) plugin context
 *
 * NOTE(review): the realm name is stored with a separate length.
 * Whether realmname is also NUL-terminated is not visible here; confirm
 * before passing it to str* functions, and compare using realmname_len.
 */
struct _pkinit_kdc_context {
    int magic;
    pkinit_plg_crypto_context cryptoctx;
    pkinit_plg_opts *opts;
    pkinit_identity_crypto_context idctx;
    pkinit_identity_opts *idopts;
    char *realmname;
    unsigned int realmname_len;
};
/*
 * Handle type for the client's per-request context.  It is not the
 * handle for the structure just above.
 */
typedef struct _pkinit_req_context *pkinit_req_context;
245159d09a2SMark Phalan 
/*
 * KDC's per-request context
 *
 * Carries the request crypto context, pointers to a received auth pack
 * in both the current and the draft9 form, and the preauth type.
 * NOTE(review): presumably only one of rcv_auth_pack / rcv_auth_pack9 is
 * set for a given request, chosen by pa_type -- confirm, and check that
 * the unused pointer is NULL so cleanup cannot free a stale value.
 */
struct _pkinit_kdc_req_context {
    int magic;
    pkinit_req_crypto_context cryptoctx;
    krb5_auth_pack *rcv_auth_pack;
    krb5_auth_pack_draft9 *rcv_auth_pack9;
    krb5_preauthtype pa_type;
};
typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context;
257159d09a2SMark Phalan 
/*
 * Functions in pkinit_lib.c
 *
 * Each init function takes the address of a pointer and returns a
 * krb5_error_code; each fini function takes the pointer and returns
 * nothing.  Presumably init allocates and fini releases -- verify in
 * pkinit_lib.c.
 */

krb5_error_code pkinit_init_req_opts(pkinit_req_opts **);
void pkinit_fini_req_opts(pkinit_req_opts *);

krb5_error_code pkinit_init_plg_opts(pkinit_plg_opts **);
void pkinit_fini_plg_opts(pkinit_plg_opts *);

/*
 * NOTE(review): pkinit_identity_opts can carry a token PIN.  Confirm
 * that the fini routine overwrites it before freeing and that the dup
 * routine does not leave an untracked copy behind on its error paths.
 */
krb5_error_code pkinit_init_identity_opts(pkinit_identity_opts **idopts);
void pkinit_fini_identity_opts(pkinit_identity_opts *idopts);
krb5_error_code pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
					 pkinit_identity_opts **dest_opts);
272159d09a2SMark Phalan 
/*
 * Functions in pkinit_identity.c
 */

/*
 * NOTE(review): both return a non-const char *.  Whether the result is
 * static storage or heap memory is not visible here; check the
 * definitions before freeing or modifying it.
 */
char * idtype2string(int idtype);
char * catype2string(int catype);

/* Parameter directions are the ones marked by the original author. */
krb5_error_code pkinit_identity_initialize
	(krb5_context context,				/* IN */
	 pkinit_plg_crypto_context plg_cryptoctx,	/* IN */
	 pkinit_req_crypto_context req_cryptoctx,	/* IN */
	 pkinit_identity_opts *idopts,			/* IN */
	 pkinit_identity_crypto_context id_cryptoctx,	/* IN/OUT */
	 int do_matching,				/* IN */
	 krb5_principal princ);				/* IN (optional) */

/*
 * Takes the same context arguments plus a principal and a do_select
 * flag.  The meaning of do_select is not documented in this header --
 * see the definition.
 */
krb5_error_code pkinit_cert_matching
	(krb5_context context,
	pkinit_plg_crypto_context plg_cryptoctx,
	pkinit_req_crypto_context req_cryptoctx,
	pkinit_identity_crypto_context id_cryptoctx,
	krb5_principal princ,
	krb5_boolean do_select);
295159d09a2SMark Phalan 
/*
 * initialization and free functions
 *
 * The init functions return void and take the address of the caller's
 * pointer, so a failure cannot be reported through a return code.
 * NOTE(review): presumably *in is left NULL when allocation fails --
 * confirm, and make sure callers test it before use.
 */
void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
void init_krb5_reply_key_pack(krb5_reply_key_pack **in);
void init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);

void init_krb5_auth_pack(krb5_auth_pack **in);
void init_krb5_auth_pack_draft9(krb5_auth_pack_draft9 **in);
void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
void init_krb5_typed_data(krb5_typed_data **in);
void init_krb5_subject_pk_info(krb5_subject_pk_info **in);

/*
 * Most free functions take the address of the caller's pointer (or of a
 * pointer to a list), which lets the callee clear it -- whether they do
 * so must be checked in the definitions.  Two prototypes differ from the
 * rest: free_krb5_auth_pack_draft9 also takes a krb5_context, and
 * free_krb5_algorithm_identifier takes the pointer by value, so the
 * caller's copy still holds the old address afterwards and must not be
 * reused.
 */
void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
void free_krb5_reply_key_pack(krb5_reply_key_pack **in);
void free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
void free_krb5_auth_pack(krb5_auth_pack **in);
void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in);
void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in);
void free_krb5_trusted_ca(krb5_trusted_ca ***in);
void free_krb5_typed_data(krb5_typed_data ***in);
void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
/*
 * NOTE(review): presumably a deep copy of src into dst; whether dst's
 * previous contents are released first is not visible here.
 */
krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src);
327159d09a2SMark Phalan 
328159d09a2SMark Phalan 
/*
 * Functions in pkinit_profile.c
 *
 * Two parallel families of option lookups.  The kdcdefault functions
 * take the realm as a C string; the libdefault functions take it as a
 * krb5_data.  Results are returned through ret_value, and the boolean
 * and integer forms also take a default_value.
 *
 * NOTE(review): ownership of the returned strings and string lists is
 * not stated here; check pkinit_profile.c for who frees them.  These
 * lookups presumably supply trust settings such as anchors and CRL
 * locations, so the configuration files they read should be writable
 * only by the administrator.
 */
krb5_error_code pkinit_kdcdefault_strings
	(krb5_context context, const char *realmname, const char *option,
	 char ***ret_value);
krb5_error_code pkinit_kdcdefault_string
	(krb5_context context, const char *realmname, const char *option,
	 char **ret_value);
krb5_error_code pkinit_kdcdefault_boolean
	(krb5_context context, const char *realmname, const char *option,
	 int default_value, int *ret_value);
krb5_error_code pkinit_kdcdefault_integer
	(krb5_context context, const char *realmname, const char *option,
	 int default_value, int *ret_value);


krb5_error_code pkinit_libdefault_strings
	(krb5_context context, const krb5_data *realm,
	 const char *option, char ***ret_value);
krb5_error_code pkinit_libdefault_string
	(krb5_context context, const krb5_data *realm,
	 const char *option, char **ret_value);
krb5_error_code pkinit_libdefault_boolean
	(krb5_context context, const krb5_data *realm, const char *option,
	 int default_value, int *ret_value);
krb5_error_code pkinit_libdefault_integer
	(krb5_context context, const krb5_data *realm, const char *option,
	 int default_value, int *ret_value);
358159d09a2SMark Phalan 
/*
 * debugging functions
 *
 * Both take a byte pointer and an unsigned length; print_buffer_bin
 * takes an additional char * (presumably an output file name -- verify).
 * The pointers are not const-qualified, although a dump routine would
 * not be expected to modify the buffer.
 *
 * NOTE(review): confirm that these are never called on PINs, private
 * keys or derived key material outside DEBUG builds.
 */
void print_buffer(unsigned char *, unsigned int);
void print_buffer_bin(unsigned char *, unsigned int, char *);
364159d09a2SMark Phalan 
365159d09a2SMark Phalan /*
366159d09a2SMark Phalan  * Now get crypto function declarations
367159d09a2SMark Phalan  */
368159d09a2SMark Phalan #include "pkinit_crypto.h"
369159d09a2SMark Phalan 
370159d09a2SMark Phalan #endif	/* _PKINIT_H */