1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
3
* Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001,
4
* 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology,
5
* Cambridge, MA, USA. All Rights Reserved.
7
* This software is being provided to you, the LICENSEE, by the
8
* Massachusetts Institute of Technology (M.I.T.) under the following
9
* license. By obtaining, using and/or copying this software, you agree
10
* that you have read, understood, and will comply with these terms and
13
* Export of this software from the United States of America may
14
* require a specific license from the United States Government.
15
* It is the responsibility of any person or organization contemplating
16
* export to obtain such a license before exporting.
18
* WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
19
* this software and its documentation for any purpose and without fee or
20
* royalty is hereby granted, provided that you agree to comply with the
21
* following copyright notice and statements, including the disclaimer, and
22
* that the same appear on ALL copies of the software and documentation,
23
* including modifications that you make for internal use or for
26
* THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
27
* OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
28
* limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
29
* MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
30
* THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
31
* PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
33
* The name of the Massachusetts Institute of Technology or M.I.T. may NOT
34
* be used in advertising or publicity pertaining to distribution of the
35
* software. Title to copyright in this software and any associated
36
* documentation shall at all times remain with M.I.T., and USER agrees to
39
* Furthermore if you modify this software you must label
40
* your software as modified software and not distribute it in such a
41
* fashion that it might be confused with the original M.I.T. software.
44
* Copyright (C) 1998 by the FundsXpress, INC.
46
* All rights reserved.
48
* Export of this software from the United States of America may require
49
* a specific license from the United States Government. It is the
50
* responsibility of any person or organization contemplating export to
51
* obtain such a license before exporting.
53
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
54
* distribute this software and its documentation for any purpose and
55
* without fee is hereby granted, provided that the above copyright
56
* notice appear in all copies and that both that copyright notice and
57
* this permission notice appear in supporting documentation, and that
58
* the name of FundsXpress. not be used in advertising or publicity pertaining
59
* to distribution of the software without specific, written prior
60
* permission. FundsXpress makes no representations about the suitability of
61
* this software for any purpose. It is provided "as is" without express
62
* or implied warranty.
64
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
65
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
66
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
70
* This prototype for k5-int.h (Krb5 internals include file)
71
* includes the user-visible definitions from krb5.h and then
72
* includes other definitions that are not user-visible but are
73
* required for compiling Kerberos internal routines.
75
* John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
82
#error krb5.h included before k5-int.h
83
#endif /* KRB5_GENERAL__ */
87
#if defined(__MACH__) && defined(__APPLE__)
88
# include <TargetConditionals.h>
89
# if TARGET_RT_MAC_CFM
90
# error "Use KfM 4.0 SDK headers for CFM compilation."
101
* Machine-type definitions: PC Clone 386 running Microloss Windows
104
#if defined(_MSDOS) || defined(_WIN32)
107
/* Kerberos Windows initialization file */
108
#define KERBEROS_INI "kerberos.ini"
109
#define INI_FILES "Files"
110
#define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */
111
#define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */
113
#define DISABLE_TRACING
116
#include "autoconf.h"
118
#ifndef KRB5_SYSTYPES__
119
#define KRB5_SYSTYPES__
121
#ifdef HAVE_SYS_TYPES_H /* From autoconf.h */
122
#include <sys/types.h>
123
#else /* HAVE_SYS_TYPES_H */
124
typedef unsigned long u_long;
125
typedef unsigned int u_int;
126
typedef unsigned short u_short;
127
typedef unsigned char u_char;
128
#endif /* HAVE_SYS_TYPES_H */
129
#endif /* KRB5_SYSTYPES__ */
132
#include "k5-platform.h"
133
#include "k5-trace.h"
134
/* not used in krb5.h (yet) */
135
typedef UINT64_TYPE krb5_ui_8;
136
typedef INT64_TYPE krb5_int64;
139
#define DEFAULT_PWD_STRING1 "Enter password"
140
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
142
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
143
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
144
#define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
147
* Windows requires a different api interface to each function. Here
148
* just define it as NULL.
150
#ifndef KRB5_CALLCONV
151
#define KRB5_CALLCONV
152
#define KRB5_CALLCONV_C
158
/* #define KRB5_OLD_CRYPTO is done in krb5.h */
160
#endif /* KRB5_CONFIG__ */
167
* After loading the configuration definitions, load the Kerberos definitions.
171
#include <krb5/plugin.h>
174
#include "port-sockets.h"
175
#include "socket-utils.h"
177
/* Get mutex support; currently used only for the replay cache. */
178
#include "k5-thread.h"
180
/* Get error info support. */
183
/* Get string buffer support. */
186
/* cofiguration variables */
187
#define KRB5_CONF_ACL_FILE "acl_file"
188
#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
189
#define KRB5_CONF_ADMIN_SERVER "admin_server"
190
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
191
#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
192
#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
193
#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
194
#define KRB5_CONF_CANONICALIZE "canonicalize"
195
#define KRB5_CONF_CCACHE_TYPE "ccache_type"
196
#define KRB5_CONF_CLOCKSKEW "clockskew"
197
#define KRB5_CONF_DATABASE_NAME "database_name"
198
#define KRB5_CONF_DB_MODULE_DIR "db_module_dir"
199
#define KRB5_CONF_DEFAULT "default"
200
#define KRB5_CONF_DEFAULT_REALM "default_realm"
201
#define KRB5_CONF_DEFAULT_DOMAIN "default_domain"
202
#define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
203
#define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes"
204
#define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name"
205
#define KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION "default_principal_expiration"
206
#define KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS "default_principal_flags"
207
#define KRB5_CONF_DICT_FILE "dict_file"
208
#define KRB5_CONF_DISABLE "disable"
209
#define KRB5_CONF_DISABLE_LAST_SUCCESS "disable_last_success"
210
#define KRB5_CONF_DISABLE_LOCKOUT "disable_lockout"
211
#define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
212
#define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
213
#define KRB5_CONF_DNS_FALLBACK "dns_fallback"
214
#define KRB5_CONF_DOMAIN_REALM "domain_realm"
215
#define KRB5_CONF_ENABLE_ONLY "enable_only"
216
#define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
217
#define KRB5_CONF_FORWARDABLE "forwardable"
218
#define KRB5_CONF_HOST_BASED_SERVICES "host_based_services"
219
#define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME "ignore_acceptor_hostname"
220
#define KRB5_CONF_IPROP_ENABLE "iprop_enable"
221
#define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
222
#define KRB5_CONF_IPROP_PORT "iprop_port"
223
#define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll"
224
#define KRB5_CONF_IPROP_LOGFILE "iprop_logfile"
225
#define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative"
226
#define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory"
227
#define KRB5_CONF_KADMIND_PORT "kadmind_port"
228
#define KRB5_CONF_KRB524_SERVER "krb524_server"
229
#define KRB5_CONF_KDC "kdc"
230
#define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
231
#define KRB5_CONF_KDC_PORTS "kdc_ports"
232
#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
233
#define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
234
#define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
235
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
236
#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
237
#define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
238
#define KRB5_CONF_KPASSWD_PORT "kpasswd_port"
239
#define KRB5_CONF_KPASSWD_SERVER "kpasswd_server"
240
#define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server"
241
#define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn"
242
#define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn"
243
#define KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN "ldap_kerberos_container_dn"
244
#define KRB5_CONF_LDAP_KPASSWDD_DN "ldap_kpasswdd_dn"
245
#define KRB5_CONF_LDAP_SERVERS "ldap_servers"
246
#define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file"
247
#define KRB5_CONF_LIBDEFAULTS "libdefaults"
248
#define KRB5_CONF_LOGGING "logging"
249
#define KRB5_CONF_MASTER_KEY_NAME "master_key_name"
250
#define KRB5_CONF_MASTER_KEY_TYPE "master_key_type"
251
#define KRB5_CONF_MASTER_KDC "master_kdc"
252
#define KRB5_CONF_MAX_LIFE "max_life"
253
#define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
254
#define KRB5_CONF_MODULE "module"
255
#define KRB5_CONF_NOADDRESSES "noaddresses"
256
#define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral"
257
#define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
258
#define KRB5_CONF_PLUGINS "plugins"
259
#define KRB5_CONF_PLUGIN_BASE_DIR "plugin_base_dir"
260
#define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
261
#define KRB5_CONF_PROXIABLE "proxiable"
262
#define KRB5_CONF_RDNS "rdns"
263
#define KRB5_CONF_REALMS "realms"
264
#define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
265
#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
266
#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
267
#define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt"
268
#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
269
#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
270
#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
271
#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
272
#define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
273
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
274
#define KRB5_CONF_V4_REALM "v4_realm"
275
#define KRB5_CONF_ASTERISK "*"
276
#define KRB5_CONF_FAST_AVAIL "fast_avail"
278
/* Error codes used in KRB_ERROR protocol messages.
279
Return values of library routines are based on a different error table
280
(which allows non-ambiguous error codes between subsystems) */
283
#define KDC_ERR_NONE 0 /* No error */
284
#define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
285
#define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */
286
#define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */
287
#define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */
288
#define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */
289
#define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */
290
#define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */
291
#define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */
292
#define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */
293
#define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */
294
#define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */
295
#define KDC_ERR_POLICY 12 /* KDC policy rejects request */
296
#define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */
297
#define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */
298
#define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */
299
#define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */
300
#define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */
301
#define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */
302
#define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */
303
#define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */
304
#define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */
305
#define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */
306
#define KDC_ERR_KEY_EXP 23 /* Password has expired */
307
#define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */
308
#define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */
310
#define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
311
/* ticket don't match*/
312
#define KDC_ERR_MUST_USE_USER2USER 27 /* Server principal valid for */
314
#define KDC_ERR_PATH_NOT_ACCEPTED 28 /* KDC policy rejected transited */
316
#define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
318
* required to process the
320
/* Application errors */
321
#define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */
322
#define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */
323
#define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */
324
#define KRB_AP_ERR_REPEAT 34 /* Request is a replay */
325
#define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */
326
#define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */
327
#define KRB_AP_ERR_SKEW 37 /* Clock skew too great */
328
#define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */
329
#define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */
330
#define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */
331
#define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */
332
#define KRB_AP_ERR_BADORDER 42 /* Message out of order */
333
#define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */
334
#define KRB_AP_ERR_NOKEY 45 /* Service key not available */
335
#define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */
336
#define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */
337
#define KRB_AP_ERR_METHOD 48 /* Alternative authentication */
338
/* method required */
339
#define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */
341
#define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */
342
/* checksum in message */
343
#define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */
344
#define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */
348
#define KRB_ERR_GENERIC 60 /* Generic error (description */
350
#define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */
352
/* PKINIT server-reported errors */
353
#define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
354
#define KDC_ERR_KDC_NOT_TRUSTED 63
355
#define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
356
#define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
357
#define KDC_ERR_CERTIFICATE_MISMATCH 66
358
#define KRB_AP_ERR_NO_TGT 67
359
#define KDC_ERR_WRONG_REALM 68
360
#define KRB_AP_ERR_USER_TO_USER_REQUIRED 69
361
#define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */
362
/* trusted root cert */
363
#define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
364
#define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
365
#define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
366
#define KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
367
#define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
369
#define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
370
#define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */
371
#define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */
372
#define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
373
#define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
374
#define KRB_AP_ERR_IAKERB_KDC_NOT_FOUND 85 /* The IAKERB proxy could
376
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
377
to the IAKERB proxy */
380
* This structure is returned in the e-data field of the KRB-ERROR
381
* message when the error calling for an alternative form of
382
* authentication is returned, KRB_AP_METHOD.
384
typedef struct _krb5_alt_method {
392
* A null-terminated array of this structure is returned by the KDC as
393
* the data part of the ETYPE_INFO preauth type. It informs the
394
* client which encryption types are supported.
395
* The same data structure is used by both etype-info and etype-info2
396
* but s2kparams must be null when encoding etype-info.
398
typedef struct _krb5_etype_info_entry {
404
} krb5_etype_info_entry;
407
* This is essentially -1 without sign extension which can screw up
408
* comparisons on 64 bit machines. If the length is this value, then
409
* the salt data is not present. This is to distinguish between not
410
* being set and being of 0 length.
412
#define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
414
typedef krb5_etype_info_entry ** krb5_etype_info;
417
typedef struct _krb5_etype_list {
419
krb5_enctype *etypes;
423
* a sam_challenge is returned for alternate preauth
426
SAMFlags ::= BIT STRING {
428
send-encrypted-sad[1],
429
must-pk-encrypt-sad[2]
433
PA-SAM-CHALLENGE ::= SEQUENCE {
435
sam-flags[1] SAMFlags,
436
sam-type-name[2] GeneralString OPTIONAL,
437
sam-track-id[3] GeneralString OPTIONAL,
438
sam-challenge-label[4] GeneralString OPTIONAL,
439
sam-challenge[5] GeneralString OPTIONAL,
440
sam-response-prompt[6] GeneralString OPTIONAL,
441
sam-pk-for-sad[7] EncryptionKey OPTIONAL,
442
sam-nonce[8] INTEGER OPTIONAL,
443
sam-cksum[9] Checksum OPTIONAL
446
/* sam_type values -- informational only */
447
#define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */
448
#define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */
449
#define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */
450
#define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */
451
#define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */
452
#define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */
453
#if 1 /* XXX need to figure out who has which numbers assigned */
454
#define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */
455
#define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */
456
#define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */
458
#define PA_SAM_TYPE_EXP_BASE 128 /* experimental */
459
#define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */
460
#define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */
462
typedef struct _krb5_predicted_sam_response {
464
krb5_keyblock sam_key;
465
krb5_flags sam_flags; /* Makes key munging easier */
466
krb5_timestamp stime; /* time on server, for replay detection */
468
krb5_principal client;
469
krb5_data msd; /* mechanism specific data */
470
} krb5_predicted_sam_response;
472
typedef struct _krb5_sam_challenge {
474
krb5_int32 sam_type; /* information */
475
krb5_flags sam_flags; /* KRB5_SAM_* values */
476
krb5_data sam_type_name;
477
krb5_data sam_track_id;
478
krb5_data sam_challenge_label;
479
krb5_data sam_challenge;
480
krb5_data sam_response_prompt;
481
krb5_data sam_pk_for_sad;
482
krb5_int32 sam_nonce;
483
krb5_checksum sam_cksum;
484
} krb5_sam_challenge;
486
typedef struct _krb5_sam_key { /* reserved for future use */
488
krb5_keyblock sam_key;
491
typedef struct _krb5_enc_sam_response_enc {
493
krb5_int32 sam_nonce;
494
krb5_timestamp sam_timestamp;
497
} krb5_enc_sam_response_enc;
499
typedef struct _krb5_sam_response {
501
krb5_int32 sam_type; /* informational */
502
krb5_flags sam_flags; /* KRB5_SAM_* values */
503
krb5_data sam_track_id; /* copied */
504
krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */
505
krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
506
krb5_int32 sam_nonce;
507
krb5_timestamp sam_patimestamp;
510
typedef struct _krb5_sam_challenge_2 {
511
krb5_data sam_challenge_2_body;
512
krb5_checksum **sam_cksum; /* Array of checksums */
513
} krb5_sam_challenge_2;
515
typedef struct _krb5_sam_challenge_2_body {
517
krb5_int32 sam_type; /* information */
518
krb5_flags sam_flags; /* KRB5_SAM_* values */
519
krb5_data sam_type_name;
520
krb5_data sam_track_id;
521
krb5_data sam_challenge_label;
522
krb5_data sam_challenge;
523
krb5_data sam_response_prompt;
524
krb5_data sam_pk_for_sad;
525
krb5_int32 sam_nonce;
526
krb5_enctype sam_etype;
527
} krb5_sam_challenge_2_body;
529
typedef struct _krb5_sam_response_2 {
531
krb5_int32 sam_type; /* informational */
532
krb5_flags sam_flags; /* KRB5_SAM_* values */
533
krb5_data sam_track_id; /* copied */
534
krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
535
krb5_int32 sam_nonce;
536
} krb5_sam_response_2;
538
typedef struct _krb5_enc_sam_response_enc_2 {
540
krb5_int32 sam_nonce;
542
} krb5_enc_sam_response_enc_2;
545
* Keep the pkinit definitions in a separate file so that the plugin
546
* only has to include k5-int-pkinit.h rather than k5-int.h
549
#include "k5-int-pkinit.h"
555
extern char *strdup (const char *);
562
#ifdef HAVE_SYS_TIME_H
563
#include <sys/time.h>
564
#ifdef TIME_WITH_SYS_TIME
571
#ifdef HAVE_SYS_STAT_H
572
#include <sys/stat.h> /* struct stat, stat() */
575
#ifdef HAVE_SYS_PARAM_H
576
#include <sys/param.h> /* MAXPATHLEN */
579
#ifdef HAVE_SYS_FILE_H
580
#include <sys/file.h> /* prototypes for file-related
581
syscalls; flags for open &
591
#include "k5-gmt_mktime.h"
593
struct sendto_callback_info;
596
krb5_error_code krb5_lock_file(krb5_context, int, int);
597
krb5_error_code krb5_unlock_file(krb5_context, int);
598
krb5_error_code krb5_sendto_kdc(krb5_context, const krb5_data *,
599
const krb5_data *, krb5_data *, int *, int);
601
krb5_error_code krb5_get_krbhst(krb5_context, const krb5_data *, char *** );
602
krb5_error_code krb5_free_krbhst(krb5_context, char * const * );
603
krb5_error_code krb5_create_secure_file(krb5_context, const char * pathname);
604
krb5_error_code krb5_sync_disk_file(krb5_context, FILE *fp);
606
krb5_error_code krb5int_init_context_kdc(krb5_context *);
608
krb5_error_code krb5_os_init_context(krb5_context context, profile_t profile,
611
void krb5_os_free_context(krb5_context);
613
/* This function is needed by KfM's KerberosPreferences API
614
* because it needs to be able to specify "secure" */
616
os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure);
619
krb5_os_hostaddr(krb5_context, const char *, krb5_address ***);
622
krb5int_get_domain_realm_mapping(krb5_context , const char *, char ***);
627
struct derived_key *next;
630
/* Internal structure of an opaque key identifier */
632
krb5_keyblock keyblock;
634
struct derived_key *derived;
636
* Cache of data private to the cipher implementation, which we
637
* don't want to have to recompute for every operation. This may
638
* include key schedules, iteration counts, etc.
640
* The cipher implementation is responsible for setting this up
641
* whenever needed, and the enc_provider key_cleanup method must
642
* then be provided to dispose of it.
648
krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
649
const krb5_data *kd_data, krb5_crypto_iov *data,
653
* Attempt to zero memory in a way that compilers won't optimize out.
655
* This mechanism should work even for heap storage about to be freed,
656
* or automatic storage right before we return from a function.
658
* Then, even if we leak uninitialized memory someplace, or UNIX
659
* "core" files get created with world-read access, some of the most
660
* sensitive data in the process memory will already be safely wiped.
662
* We're not going so far -- yet -- as to try to protect key data that
663
* may have been written into swap space....
666
# define zap(ptr, len) SecureZeroMemory(ptr, len)
667
#elif defined(__GNUC__)
668
static inline void zap(void *ptr, size_t len)
672
* Some versions of gcc have gotten clever enough to eliminate a
673
* memset call right before the block in question is released.
674
* This (empty) asm requires it to assume that we're doing
675
* something interesting with the stored (zero) value, so the
676
* memset can't be eliminated.
678
* An optimizer that looks at assembly or object code may not be
679
* fooled, and may still cause the memset to go away. Address
680
* that problem if and when we encounter it.
682
* This also may not be enough if free() does something
683
* interesting like purge memory locations from a write-back cache
684
* that hasn't written back the zero bytes yet. A memory barrier
685
* instruction would help in that case.
687
asm volatile ("" : : "g" (ptr), "g" (len));
690
/* Use a function from libkrb5support to defeat inlining. */
691
# define zap(ptr, len) krb5int_zap(ptr, len)
694
/* Convenience function: zap and free ptr if it is non-NULL. */
696
zapfree(void *ptr, size_t len)
705
* Combine two keys (normally used by the hardware preauth mechanism)
708
krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
709
krb5_keyblock *key2, krb5_keyblock *outkey);
711
void krb5int_c_free_keyblock(krb5_context, krb5_keyblock *key);
712
void krb5int_c_free_keyblock_contents(krb5_context, krb5_keyblock *);
713
krb5_error_code krb5int_c_init_keyblock(krb5_context, krb5_enctype enctype,
714
size_t length, krb5_keyblock **out);
715
krb5_error_code krb5int_c_copy_keyblock(krb5_context context,
716
const krb5_keyblock *from,
718
krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
719
const krb5_keyblock *from,
722
#ifdef KRB5_OLD_CRYPTO
723
/* old provider api */
725
krb5_error_code krb5_crypto_os_localaddr(krb5_address ***);
727
krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
729
#endif /* KRB5_OLD_CRYPTO */
731
/* this helper fct is in libkrb5, but it makes sense declared here. */
734
krb5_encrypt_keyhelper(krb5_context context, krb5_key key,
735
krb5_keyusage keyusage, const krb5_data *plain,
736
krb5_enc_data *cipher);
742
typedef struct _krb5_os_context {
744
krb5_int32 time_offset;
745
krb5_int32 usec_offset;
747
char * default_ccname;
751
* Flags for the os_flags field
753
* KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
754
* The intention is that this facility to correct the system clocks so
755
* that they reflect the "real" time, for systems where for some
756
* reason we can't set the system clock. Instead we calculate the
757
* offset between the system time and real time, and store the offset
758
* in the os context so that we can correct the system clock as necessary.
760
* KRB5_OS_TOFFSET_TIME means that the time offset fields should be
761
* returned as the time by the krb5 time routines. This should only
762
* be used for testing purposes (obviously!)
764
#define KRB5_OS_TOFFSET_VALID 1
765
#define KRB5_OS_TOFFSET_TIME 2
767
/* lock mode flags */
768
#define KRB5_LOCKMODE_SHARED 0x0001
769
#define KRB5_LOCKMODE_EXCLUSIVE 0x0002
770
#define KRB5_LOCKMODE_DONTBLOCK 0x0004
771
#define KRB5_LOCKMODE_UNLOCK 0x0008
774
* Define our view of the size of a DES key.
776
#define KRB5_MIT_DES_KEYSIZE 8
777
#define KRB5_MIT_DES3_KEYSIZE 24
778
#define KRB5_MIT_DES3_KEY_BYTES 21
781
* Check if des_int.h has been included before us. If so, then check to see
782
* that our view of the DES key size is the same as des_int.h's.
784
#ifdef MIT_DES_KEYSIZE
785
#if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
786
error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
787
#endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
788
#endif /* MIT_DES_KEYSIZE */
793
* (Originally written by Glen Machin at Sandia Labs.)
796
* Sandia National Laboratories also makes no representations about the
797
* suitability of the modifications, or additions to this software for
798
* any purpose. It is provided "as is" without express or implied warranty.
800
#ifndef KRB5_PREAUTH__
801
#define KRB5_PREAUTH__
803
#include <krb5/preauth_plugin.h>
805
typedef krb5_error_code
806
(*krb5_gic_get_as_key_fct)(krb5_context, krb5_principal, krb5_enctype,
807
krb5_prompter_fct, void *prompter_data,
808
krb5_data *salt, krb5_data *s2kparams,
809
krb5_keyblock *as_key, void *gak_data);
811
#define CLIENT_ROCK_MAGIC 0x4352434b
813
* This structure is passed into the clpreauth methods and passed back to
814
* clpreauth callbacks so that they can locate the requested information. It
815
* is opaque to the plugin code and can be expanded in the future as new types
816
* of requests are defined which may require other things to be passed through.
817
* All pointer fields are aliases and should not be freed.
819
struct krb5int_fast_request_state;
820
struct krb5_clpreauth_rock_st {
823
struct krb5int_fast_request_state *fast_state;
826
* These fields allow gak_fct to be called via the rock. The
827
* gak_fct and gak_data fields have an extra level of indirection
828
* since they can change in the init_creds context.
830
krb5_keyblock *as_key;
831
krb5_gic_get_as_key_fct *gak_fct;
834
krb5_data *s2kparams;
835
krb5_principal client;
836
krb5_prompter_fct prompter;
840
typedef struct _krb5_pa_enc_ts {
841
krb5_timestamp patimestamp;
845
typedef struct _krb5_pa_for_user {
848
krb5_data auth_package;
851
typedef struct _krb5_s4u_userid {
854
krb5_data subject_cert;
858
#define KRB5_S4U_OPTS_CHECK_LOGON_HOURS 0x40000000 /* check logon hour restrictions */
859
#define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE 0x20000000 /* sign with usage 27 instead of 26 */
861
typedef struct _krb5_pa_s4u_x509_user {
862
krb5_s4u_userid user_id;
864
} krb5_pa_s4u_x509_user;
867
KRB5_FAST_ARMOR_AP_REQUEST = 0x1
870
typedef struct _krb5_fast_armor {
871
krb5_int32 armor_type;
872
krb5_data armor_value;
874
typedef struct _krb5_fast_armored_req {
876
krb5_fast_armor *armor;
877
krb5_checksum req_checksum;
878
krb5_enc_data enc_part;
879
} krb5_fast_armored_req;
881
typedef struct _krb5_fast_req {
883
krb5_flags fast_options;
884
/* padata from req_body is used*/
885
krb5_kdc_req *req_body;
888
/* Bits 0-15 are critical in fast options.*/
889
#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
890
#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
892
typedef struct _krb5_fast_finished {
893
krb5_timestamp timestamp;
895
krb5_principal client;
896
krb5_checksum ticket_checksum;
897
} krb5_fast_finished;
899
typedef struct _krb5_fast_response {
901
krb5_pa_data **padata;
902
krb5_keyblock *strengthen_key;
903
krb5_fast_finished *finished;
905
} krb5_fast_response;
907
typedef struct _krb5_ad_kdcissued {
908
krb5_checksum ad_checksum;
909
krb5_principal i_principal;
910
krb5_authdata **elements;
913
typedef struct _krb5_ad_signedpath_data {
914
krb5_principal client;
915
krb5_timestamp authtime;
916
krb5_principal *delegated;
917
krb5_pa_data **method_data;
918
krb5_authdata **authorization_data;
919
} krb5_ad_signedpath_data;
921
typedef struct _krb5_ad_signedpath {
922
krb5_enctype enctype;
923
krb5_checksum checksum;
924
krb5_principal *delegated;
925
krb5_pa_data **method_data;
926
} krb5_ad_signedpath;
928
typedef struct _krb5_iakerb_header {
929
krb5_data target_realm;
931
} krb5_iakerb_header;
933
typedef struct _krb5_iakerb_finished {
934
krb5_checksum checksum;
935
} krb5_iakerb_finished;
937
typedef krb5_error_code
938
(*krb5_preauth_obtain_proc)(krb5_context, krb5_pa_data *,
939
krb5_etype_info, krb5_keyblock *,
940
krb5_error_code (*)(krb5_context,
945
krb5_const_pointer, krb5_creds *,
946
krb5_kdc_req *, krb5_pa_data **);
948
typedef krb5_error_code
949
(*krb5_preauth_process_proc)(krb5_context, krb5_pa_data *, krb5_kdc_req *,
951
krb5_error_code (*)(krb5_context,
957
krb5_error_code (*)(krb5_context,
958
const krb5_keyblock *,
961
krb5_keyblock **, krb5_creds *, krb5_int32 *,
964
typedef struct _krb5_preauth_ops {
968
krb5_preauth_obtain_proc obtain;
969
krb5_preauth_process_proc process;
973
krb5int_find_pa_data(krb5_context, krb5_pa_data *const *, krb5_preauthtype);
974
/* Does not return a copy; original padata sequence responsible for freeing*/
976
void krb5_free_etype_info(krb5_context, krb5_etype_info);
979
* Preauthentication property flags
981
#define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001
982
#define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002
984
#endif /* KRB5_PREAUTH__ */
990
* Extending the krb5_get_init_creds_opt structure. The original
991
* krb5_get_init_creds_opt structure is defined publicly. The
992
* new extended version is private. The original interface
993
* assumed a pre-allocated structure which was passed to
994
* krb5_get_init_creds_init(). The new interface assumes that
995
* the caller will call krb5_get_init_creds_alloc() and
996
* krb5_get_init_creds_free().
998
* Callers MUST NOT call krb5_get_init_creds_init() after allocating an
999
* opts structure using krb5_get_init_creds_alloc(). To do so will
1000
* introduce memory leaks. Unfortunately, there is no way to enforce
1003
* Two private flags are added for backward compatibility.
1004
* KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1005
* with the new krb5_get_init_creds_opt_alloc() function.
1006
* KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1007
* structure is a shadow copy of an original krb5_get_init_creds_opt
1009
* If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1010
* krb5int_gic_opt_to_opte(), the resulting extended structure should be
1011
* freed (using krb5_get_init_creds_free). Otherwise, the original
1012
* structure was already extended and there is no need to free it.
1015
#define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
1016
#define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
1018
#define krb5_gic_opt_is_extended(s) \
1019
((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
1020
#define krb5_gic_opt_is_shadowed(s) \
1021
((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
1024
typedef struct _krb5_gic_opt_private {
1025
int num_preauth_data;
1026
krb5_gic_opt_pa_data *preauth_data;
1027
char * fast_ccache_name;
1028
krb5_ccache out_ccache;
1029
krb5_flags fast_flags;
1030
krb5_expire_callback_func expire_cb;
1032
} krb5_gic_opt_private;
1035
* On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
1036
* of krb5_get_init_creds_opt.
1039
# pragma pack(push,2)
1042
typedef struct _krb5_gic_opt_ext {
1044
krb5_deltat tkt_life;
1045
krb5_deltat renew_life;
1048
krb5_enctype *etype_list;
1049
int etype_list_length;
1050
krb5_address **address_list;
1051
krb5_preauthtype *preauth_list;
1052
int preauth_list_length;
1055
* Do not change anything above this point in this structure.
1056
* It is identical to the public krb5_get_init_creds_opt structure.
1057
* New members must be added below.
1059
krb5_gic_opt_private *opt_private;
1067
krb5int_gic_opt_to_opte(krb5_context context, krb5_get_init_creds_opt *opt,
1068
krb5_gic_opt_ext **opte, unsigned int force,
1072
krb5int_copy_data_contents(krb5_context, const krb5_data *, krb5_data *);
1075
krb5int_copy_data_contents_add0(krb5_context, const krb5_data *, krb5_data *);
1078
krb5int_copy_creds_contents(krb5_context, const krb5_creds *, krb5_creds *);
1080
krb5_error_code KRB5_CALLCONV
1081
krb5int_get_init_creds(krb5_context context, krb5_creds *creds,
1082
krb5_principal client, krb5_prompter_fct prompter,
1083
void *prompter_data, krb5_deltat start_time,
1084
char *in_tkt_service, krb5_get_init_creds_opt *options,
1085
krb5_gic_get_as_key_fct gak, void *gak_data,
1086
int *master, krb5_kdc_rep **as_reply);
1089
krb5int_populate_gic_opt (krb5_context, krb5_get_init_creds_opt **,
1090
krb5_flags options, krb5_address *const *addrs,
1091
krb5_enctype *ktypes,
1092
krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1095
krb5_error_code KRB5_CALLCONV
1096
krb5_do_preauth(krb5_context context, krb5_kdc_req *request,
1097
krb5_data *encoded_request_body,
1098
krb5_data *encoded_previous_request, krb5_pa_data **in_padata,
1099
krb5_pa_data ***out_padata, krb5_prompter_fct prompter,
1100
void *prompter_data, krb5_clpreauth_rock preauth_rock,
1101
krb5_gic_opt_ext *opte, krb5_boolean *got_real_out);
1103
krb5_error_code KRB5_CALLCONV
1104
krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *request,
1105
krb5_data *encoded_request_body,
1106
krb5_data *encoded_previous_request,
1107
krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1108
krb5_error *err_reply, krb5_pa_data **err_padata,
1109
krb5_prompter_fct prompter, void *prompter_data,
1110
krb5_clpreauth_rock preauth_rock,
1111
krb5_gic_opt_ext *opte);
1113
void KRB5_CALLCONV krb5_init_preauth_context(krb5_context);
1114
void KRB5_CALLCONV krb5_free_preauth_context(krb5_context);
1115
void KRB5_CALLCONV krb5_clear_preauth_context_use_counts(krb5_context);
1116
void KRB5_CALLCONV krb5_preauth_prepare_request(krb5_context,
1119
void KRB5_CALLCONV krb5_preauth_request_context_init(krb5_context);
1120
void KRB5_CALLCONV krb5_preauth_request_context_fini(krb5_context);
1123
krb5_free_sam_challenge(krb5_context, krb5_sam_challenge *);
1126
krb5_free_sam_challenge_2(krb5_context, krb5_sam_challenge_2 *);
1129
krb5_free_sam_challenge_2_body(krb5_context, krb5_sam_challenge_2_body *);
1132
krb5_free_sam_response(krb5_context, krb5_sam_response *);
1135
krb5_free_sam_response_2(krb5_context, krb5_sam_response_2 *);
1138
krb5_free_predicted_sam_response(krb5_context, krb5_predicted_sam_response *);
1141
krb5_free_enc_sam_response_enc(krb5_context, krb5_enc_sam_response_enc *);
1144
krb5_free_enc_sam_response_enc_2(krb5_context, krb5_enc_sam_response_enc_2 *);
1147
krb5_free_sam_challenge_contents(krb5_context, krb5_sam_challenge *);
1150
krb5_free_sam_challenge_2_contents(krb5_context, krb5_sam_challenge_2 *);
1153
krb5_free_sam_challenge_2_body_contents(krb5_context,
1154
krb5_sam_challenge_2_body *);
1157
krb5_free_sam_response_contents(krb5_context, krb5_sam_response *);
1160
krb5_free_sam_response_2_contents(krb5_context, krb5_sam_response_2 *);
1163
krb5_free_predicted_sam_response_contents(krb5_context,
1164
krb5_predicted_sam_response * );
1167
krb5_free_enc_sam_response_enc_contents(krb5_context,
1168
krb5_enc_sam_response_enc * );
1171
krb5_free_enc_sam_response_enc_2_contents(krb5_context,
1172
krb5_enc_sam_response_enc_2 * );
1175
krb5_free_pa_enc_ts(krb5_context, krb5_pa_enc_ts *);
1178
krb5_free_pa_for_user(krb5_context, krb5_pa_for_user *);
1181
krb5_free_s4u_userid_contents(krb5_context, krb5_s4u_userid *);
1184
krb5_free_pa_s4u_x509_user(krb5_context, krb5_pa_s4u_x509_user *);
1187
krb5_free_pa_svr_referral_data(krb5_context, krb5_pa_svr_referral_data *);
1190
krb5_free_pa_server_referral_data(krb5_context,
1191
krb5_pa_server_referral_data * );
1194
krb5_free_pa_pac_req(krb5_context, krb5_pa_pac_req * );
1197
krb5_free_etype_list(krb5_context, krb5_etype_list * );
1199
void KRB5_CALLCONV krb5_free_fast_armor(krb5_context, krb5_fast_armor *);
1200
void KRB5_CALLCONV krb5_free_fast_armored_req(krb5_context,
1201
krb5_fast_armored_req *);
1202
void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *);
1203
void KRB5_CALLCONV krb5_free_fast_finished(krb5_context, krb5_fast_finished *);
1204
void KRB5_CALLCONV krb5_free_fast_response(krb5_context, krb5_fast_response *);
1205
void KRB5_CALLCONV krb5_free_ad_kdcissued(krb5_context, krb5_ad_kdcissued *);
1206
void KRB5_CALLCONV krb5_free_ad_signedpath(krb5_context, krb5_ad_signedpath *);
1207
void KRB5_CALLCONV krb5_free_iakerb_header(krb5_context, krb5_iakerb_header *);
1208
void KRB5_CALLCONV krb5_free_iakerb_finished(krb5_context,
1209
krb5_iakerb_finished *);
1211
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1212
#include "com_err.h"
1213
#include "k5-plugin.h"
1215
#include <krb5/authdata_plugin.h>
1217
struct _krb5_authdata_context {
1220
struct _krb5_authdata_context_module {
1221
krb5_authdatatype ad_type;
1222
void *plugin_context;
1223
authdata_client_plugin_fini_proc client_fini;
1225
krb5plugin_authdata_client_ftable_v0 *ftable;
1226
authdata_client_request_init_proc client_req_init;
1227
authdata_client_request_fini_proc client_req_fini;
1229
void *request_context;
1230
void **request_context_pp;
1232
struct plugin_dir_handle plugins;
1235
typedef struct _krb5_authdata_context *krb5_authdata_context;
1238
krb5int_free_data_list(krb5_context context, krb5_data *data);
1240
krb5_error_code KRB5_CALLCONV
1241
krb5_authdata_context_init(krb5_context kcontext,
1242
krb5_authdata_context *pcontext);
1245
krb5_authdata_context_free(krb5_context kcontext,
1246
krb5_authdata_context context);
1248
krb5_error_code KRB5_CALLCONV
1249
krb5_authdata_export_authdata(krb5_context kcontext,
1250
krb5_authdata_context context, krb5_flags usage,
1251
krb5_authdata ***pauthdata);
1253
krb5_error_code KRB5_CALLCONV
1254
krb5_authdata_get_attribute_types(krb5_context kcontext,
1255
krb5_authdata_context context,
1258
krb5_error_code KRB5_CALLCONV
1259
krb5_authdata_get_attribute(krb5_context kcontext,
1260
krb5_authdata_context context,
1261
const krb5_data *attribute,
1262
krb5_boolean *authenticated,
1263
krb5_boolean *complete, krb5_data *value,
1264
krb5_data *display_value, int *more);
1266
krb5_error_code KRB5_CALLCONV
1267
krb5_authdata_set_attribute(krb5_context kcontext,
1268
krb5_authdata_context context,
1269
krb5_boolean complete, const krb5_data *attribute,
1270
const krb5_data *value);
1272
krb5_error_code KRB5_CALLCONV
1273
krb5_authdata_delete_attribute(krb5_context kcontext,
1274
krb5_authdata_context context,
1275
const krb5_data *attribute);
1277
krb5_error_code KRB5_CALLCONV
1278
krb5_authdata_import_attributes(krb5_context kcontext,
1279
krb5_authdata_context context,
1280
krb5_flags usage, const krb5_data *attributes);
1282
krb5_error_code KRB5_CALLCONV
1283
krb5_authdata_export_attributes(krb5_context kcontext,
1284
krb5_authdata_context context,
1285
krb5_flags usage, krb5_data **pattributes);
1287
krb5_error_code KRB5_CALLCONV
1288
krb5_authdata_export_internal(krb5_context kcontext,
1289
krb5_authdata_context context,
1290
krb5_boolean restrict_authenticated,
1291
const char *module, void **ptr);
1293
krb5_error_code KRB5_CALLCONV
1294
krb5_authdata_context_copy(krb5_context kcontext, krb5_authdata_context src,
1295
krb5_authdata_context *dst);
1297
krb5_error_code KRB5_CALLCONV
1298
krb5_authdata_free_internal(krb5_context kcontext,
1299
krb5_authdata_context context, const char *module,
1302
/*** Plugin framework ***/
1305
* This framework can be used to create pluggable interfaces. Not all existing
1306
* pluggable interface use this framework, but new ones should. A new
1307
* pluggable interface entails:
1309
* - An interface ID definition in the list of #defines below.
1311
* - A name in the interface_names array in lib/krb5/krb/plugins.c.
1313
* - An installed public header file in include/krb5. The public header should
1314
* include <krb5/plugin.h> and should declare a vtable structure for each
1315
* supported major version of the interface.
1317
* - A consumer API implementation, located within the code unit which makes
1318
* use of the pluggable interface. The consumer API should consist of:
1320
* . An interface-specific handle type which contains a vtable structure for
1321
* the module (or a union of several such structures, if there are multiple
1322
* supported major versions) and, optionally, resource data bound to the
1325
* . An interface-specific loader function which creates a handle or list of
1326
* handles. A list of handles would be created if the interface is a
1327
* one-to-many interface where the consumer wants to consult all available
1328
* modules; a single handle would be created for an interface where the
1329
* consumer wants to consult a specific module. The loader function should
1330
* use k5_plugin_load or k5_plugin_load_all to produce one or a list of
1331
* vtable initializer functions, and should use those functions to fill in
1332
* the vtable structure for the module (if necessary, trying each supported
1333
* major version starting from the most recent). The loader function can
1334
* also bind resource data into the handle based on caller arguments, if
1337
* . For each plugin method, a wrapper function which accepts a krb5_context,
1338
* a plugin handle, and the method arguments. Wrapper functions should
1339
* invoke the method function contained in the handle's vtable.
1341
* - Possibly, built-in implementations of the interface, also located within
1342
* the code unit which makes use of the interface. Built-in implementations
1343
* must be registered with k5_plugin_register before the first call to
1344
* k5_plugin_load or k5_plugin_load_all.
1346
* A pluggable interface should have one or more currently supported major
1347
* versions, starting at 1. Each major version should have a current minor
1348
* version, also starting at 1. If new methods are added to a vtable, the
1349
* minor version should be incremented and the vtable stucture should document
1350
* where each minor vtable version ends. If method signatures for a vtable are
1351
* changed, the major version should be incremented.
1353
* Plugin module implementations (either built-in or dynamically loaded) should
1354
* define a function named <interfacename>_<modulename>_initvt, matching the
1355
* signature of krb5_plugin_initvt_fn as declared in include/krb5/plugin.h.
1356
* The initvt function should check the given maj_ver argument against its own
1357
* supported major versions, cast the vtable pointer to the appropriate
1358
* interface-specific vtable type, and fill in the vtable methods, stopping as
1359
* appropriate for the given min_ver. Memory for the vtable structure is
1360
* allocated by the caller, not by the module.
1362
* Dynamic plugin modules are registered with the framework through the
1363
* [plugins] section of the profile, as described in the admin documentation
1364
* and krb5.conf man page.
1368
* A linked list entry mapping a module name to a module initvt function. The
1369
* entry may also include a dynamic object handle so that it can be released
1370
* when the context is destroyed.
1372
struct plugin_mapping {
1374
krb5_plugin_initvt_fn module;
1375
struct plugin_file_handle *dyn_handle;
1376
struct plugin_mapping *next;
1379
/* Holds krb5_context information about each pluggable interface. */
1380
struct plugin_interface {
1381
struct plugin_mapping *modules;
1382
krb5_boolean configured;
1385
/* A list of plugin interface IDs. Make sure to increment
1386
* PLUGIN_NUM_INTERFACES when a new interface is added. */
1387
#define PLUGIN_INTERFACE_PWQUAL 0
1388
#define PLUGIN_INTERFACE_KADM5_HOOK 1
1389
#define PLUGIN_INTERFACE_CLPREAUTH 2
1390
#define PLUGIN_INTERFACE_KDCPREAUTH 3
1391
#define PLUGIN_INTERFACE_CCSELECT 4
1392
#define PLUGIN_NUM_INTERFACES 5
1394
/* Retrieve the plugin module of type interface_id and name modname,
1395
* storing the result into module. */
1397
k5_plugin_load(krb5_context context, int interface_id, const char *modname,
1398
krb5_plugin_initvt_fn *module);
1400
/* Retrieve all plugin modules of type interface_id, storing the result
1401
* into modules. Free the result with k5_plugin_free_handles. */
1403
k5_plugin_load_all(krb5_context context, int interface_id,
1404
krb5_plugin_initvt_fn **modules);
1406
/* Release a module list allocated by k5_plugin_load_all. */
1408
k5_plugin_free_modules(krb5_context context, krb5_plugin_initvt_fn *modules);
1410
/* Register a plugin module of type interface_id and name modname. */
1412
k5_plugin_register(krb5_context context, int interface_id, const char *modname,
1413
krb5_plugin_initvt_fn module);
1416
* Register a plugin module which is part of the krb5 tree but is built as a
1417
* dynamic plugin. Look for the module in modsubdir relative to the
1418
* context->base_plugin_dir.
1421
k5_plugin_register_dyn(krb5_context context, int interface_id,
1422
const char *modname, const char *modsubdir);
1424
/* Destroy the module state within context; used by krb5_free_context. */
1426
k5_plugin_free_context(krb5_context context);
1428
struct _kdb5_dal_handle; /* private, in kdb5.h */
1429
typedef struct _kdb5_dal_handle kdb5_dal_handle;
1430
struct _kdb_log_context;
1431
typedef struct krb5_preauth_context_st krb5_preauth_context;
1432
struct ccselect_module_handle;
1433
struct _krb5_context {
1435
krb5_enctype *in_tkt_etypes;
1436
krb5_enctype *tgs_etypes;
1437
struct _krb5_os_context os_context;
1438
char *default_realm;
1440
kdb5_dal_handle *dal_handle;
1443
/* allowable clock skew */
1444
krb5_deltat clockskew;
1445
krb5_cksumtype kdc_req_sumtype;
1446
krb5_cksumtype default_ap_req_sumtype;
1447
krb5_cksumtype default_safe_sumtype;
1448
krb5_flags kdc_default_options;
1449
krb5_flags library_options;
1450
krb5_boolean profile_secure;
1451
int fcc_default_format;
1452
krb5_prompt_type *prompt_types;
1453
/* Message size above which we'll try TCP first in send-to-kdc
1454
type code. Aside from the 2**16 size limit, we put no
1455
absolute limit on the UDP packet size. */
1458
/* Use the config-file ktypes instead of app-specified? */
1459
krb5_boolean use_conf_ktypes;
1461
#ifdef KRB5_DNS_LOOKUP
1462
krb5_boolean profile_in_memory;
1463
#endif /* KRB5_DNS_LOOKUP */
1465
/* locate_kdc module stuff */
1466
struct plugin_dir_handle libkrb5_plugins;
1467
struct krb5plugin_service_locate_ftable *vtbl;
1468
void (**locate_fptrs)(void);
1470
/* preauth module stuff */
1471
krb5_preauth_context *preauth_context;
1473
/* cache module stuff */
1474
struct ccselect_module_handle **ccselect_handles;
1476
/* error detail info */
1479
/* For Sun iprop code; does this really have to be here? */
1480
struct _kdb_log_context *kdblog_context;
1482
krb5_boolean allow_weak_crypto;
1483
krb5_boolean ignore_acceptor_hostname;
1485
krb5_trace_callback trace_callback;
1486
void *trace_callback_data;
1488
struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
1489
char *plugin_base_dir;
1492
/* could be used in a table to find an etype and initialize a block */
1495
#define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
1497
/* internal message representations */
1499
typedef struct _krb5_safe {
1501
krb5_data user_data; /* user data */
1502
krb5_timestamp timestamp; /* client time, optional */
1503
krb5_int32 usec; /* microsecond portion of time,
1505
krb5_ui_4 seq_number; /* sequence #, optional */
1506
krb5_address *s_address; /* sender address */
1507
krb5_address *r_address; /* recipient address, optional */
1508
krb5_checksum *checksum; /* data integrity checksum */
1511
typedef struct _krb5_priv {
1513
krb5_enc_data enc_part; /* encrypted part */
1516
typedef struct _krb5_priv_enc_part {
1518
krb5_data user_data; /* user data */
1519
krb5_timestamp timestamp; /* client time, optional */
1520
krb5_int32 usec; /* microsecond portion of time, opt. */
1521
krb5_ui_4 seq_number; /* sequence #, optional */
1522
krb5_address *s_address; /* sender address */
1523
krb5_address *r_address; /* recipient address, optional */
1524
} krb5_priv_enc_part;
1526
void KRB5_CALLCONV krb5_free_safe(krb5_context, krb5_safe *);
1527
void KRB5_CALLCONV krb5_free_priv(krb5_context, krb5_priv *);
1528
void KRB5_CALLCONV krb5_free_priv_enc_part(krb5_context, krb5_priv_enc_part *);
1536
/* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1537
/* here we use some knowledge of ASN.1 encodings */
1539
Ticket is APPLICATION 1.
1540
Authenticator is APPLICATION 2.
1541
AS_REQ is APPLICATION 10.
1542
AS_REP is APPLICATION 11.
1543
TGS_REQ is APPLICATION 12.
1544
TGS_REP is APPLICATION 13.
1545
AP_REQ is APPLICATION 14.
1546
AP_REP is APPLICATION 15.
1547
KRB_SAFE is APPLICATION 20.
1548
KRB_PRIV is APPLICATION 21.
1549
KRB_CRED is APPLICATION 22.
1550
EncASRepPart is APPLICATION 25.
1551
EncTGSRepPart is APPLICATION 26.
1552
EncAPRepPart is APPLICATION 27.
1553
EncKrbPrivPart is APPLICATION 28.
1554
EncKrbCredPart is APPLICATION 29.
1555
KRB_ERROR is APPLICATION 30.
1557
/* allow either constructed or primitive encoding, so check for bit 6
1559
#define krb5int_is_app_tag(dat,tag) \
1560
((dat != NULL) && (dat)->length && \
1561
((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
1562
#define krb5_is_krb_ticket(dat) krb5int_is_app_tag(dat, 1)
1563
#define krb5_is_krb_authenticator(dat) krb5int_is_app_tag(dat, 2)
1564
#define krb5_is_as_req(dat) krb5int_is_app_tag(dat, 10)
1565
#define krb5_is_as_rep(dat) krb5int_is_app_tag(dat, 11)
1566
#define krb5_is_tgs_req(dat) krb5int_is_app_tag(dat, 12)
1567
#define krb5_is_tgs_rep(dat) krb5int_is_app_tag(dat, 13)
1568
#define krb5_is_ap_req(dat) krb5int_is_app_tag(dat, 14)
1569
#define krb5_is_ap_rep(dat) krb5int_is_app_tag(dat, 15)
1570
#define krb5_is_krb_safe(dat) krb5int_is_app_tag(dat, 20)
1571
#define krb5_is_krb_priv(dat) krb5int_is_app_tag(dat, 21)
1572
#define krb5_is_krb_cred(dat) krb5int_is_app_tag(dat, 22)
1573
#define krb5_is_krb_enc_as_rep_part(dat) krb5int_is_app_tag(dat, 25)
1574
#define krb5_is_krb_enc_tgs_rep_part(dat) krb5int_is_app_tag(dat, 26)
1575
#define krb5_is_krb_enc_ap_rep_part(dat) krb5int_is_app_tag(dat, 27)
1576
#define krb5_is_krb_enc_krb_priv_part(dat) krb5int_is_app_tag(dat, 28)
1577
#define krb5_is_krb_enc_krb_cred_part(dat) krb5int_is_app_tag(dat, 29)
1578
#define krb5_is_krb_error(dat) krb5int_is_app_tag(dat, 30)
1580
/*************************************************************************
1581
* Prototypes for krb5_encode.c
1582
*************************************************************************/
1585
krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1588
effects Returns the ASN.1 encoding of *rep in **code.
1589
Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1590
Returns ENOMEM if memory runs out.
1594
encode_krb5_authenticator(const krb5_authenticator *rep, krb5_data **code);
1597
encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
1600
encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code);
1603
encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep,
1606
/* yes, the translation is identical to that used for KDC__REP */
1608
encode_krb5_as_rep(const krb5_kdc_rep *rep, krb5_data **code);
1610
/* yes, the translation is identical to that used for KDC__REP */
1612
encode_krb5_tgs_rep(const krb5_kdc_rep *rep, krb5_data **code);
1615
encode_krb5_ap_req(const krb5_ap_req *rep, krb5_data **code);
1618
encode_krb5_ap_rep(const krb5_ap_rep *rep, krb5_data **code);
1621
encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1624
encode_krb5_as_req(const krb5_kdc_req *rep, krb5_data **code);
1627
encode_krb5_tgs_req(const krb5_kdc_req *rep, krb5_data **code);
1630
encode_krb5_kdc_req_body(const krb5_kdc_req *rep, krb5_data **code);
1633
encode_krb5_safe(const krb5_safe *rep, krb5_data **code);
1635
struct krb5_safe_with_body {
1640
encode_krb5_safe_with_body(const struct krb5_safe_with_body *rep,
1644
encode_krb5_priv(const krb5_priv *rep, krb5_data **code);
1647
encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_data **code);
1650
encode_krb5_cred(const krb5_cred *rep, krb5_data **code);
1652
encode_krb5_checksum(const krb5_checksum *, krb5_data **);
1655
encode_krb5_enc_cred_part(const krb5_cred_enc_part *rep, krb5_data **code);
1658
encode_krb5_error(const krb5_error *rep, krb5_data **code);
1661
encode_krb5_authdata(krb5_authdata *const *rep, krb5_data **code);
1664
encode_krb5_authdata_elt(const krb5_authdata *rep, krb5_data **code);
1667
encode_krb5_pwd_sequence(const passwd_phrase_element *rep, krb5_data **code);
1670
encode_krb5_pwd_data(const krb5_pwd_data *rep, krb5_data **code);
1673
encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
1676
encode_krb5_alt_method(const krb5_alt_method *, krb5_data **code);
1679
encode_krb5_etype_info(krb5_etype_info_entry *const *, krb5_data **code);
1682
encode_krb5_etype_info2(krb5_etype_info_entry *const *, krb5_data **code);
1685
encode_krb5_pa_enc_ts(const krb5_pa_enc_ts *, krb5_data **);
1688
encode_krb5_sam_challenge(const krb5_sam_challenge * , krb5_data **);
1691
encode_krb5_sam_key(const krb5_sam_key * , krb5_data **);
1694
encode_krb5_enc_sam_response_enc(const krb5_enc_sam_response_enc *,
1698
encode_krb5_sam_response(const krb5_sam_response *, krb5_data **);
1701
encode_krb5_sam_challenge_2(const krb5_sam_challenge_2 * , krb5_data **);
1704
encode_krb5_sam_challenge_2_body(const krb5_sam_challenge_2_body *,
1708
encode_krb5_enc_sam_response_enc_2(const krb5_enc_sam_response_enc_2 *,
1712
encode_krb5_sam_response_2(const krb5_sam_response_2 * , krb5_data **);
1715
encode_krb5_predicted_sam_response(const krb5_predicted_sam_response *,
1718
struct krb5_setpw_req {
1719
krb5_principal target;
1723
encode_krb5_setpw_req(const struct krb5_setpw_req *rep, krb5_data **code);
1726
encode_krb5_pa_for_user(const krb5_pa_for_user *, krb5_data **);
1729
encode_krb5_s4u_userid(const krb5_s4u_userid *, krb5_data **);
1732
encode_krb5_pa_s4u_x509_user(const krb5_pa_s4u_x509_user *, krb5_data **);
1735
encode_krb5_pa_svr_referral_data(const krb5_pa_svr_referral_data *,
1739
encode_krb5_pa_server_referral_data(const krb5_pa_server_referral_data *,
1743
encode_krb5_pa_pac_req(const krb5_pa_pac_req *, krb5_data **);
1746
encode_krb5_etype_list(const krb5_etype_list * , krb5_data **);
1749
encode_krb5_pa_fx_fast_request(const krb5_fast_armored_req *, krb5_data **);
1752
encode_krb5_fast_req(const krb5_fast_req *, krb5_data **);
1755
encode_krb5_pa_fx_fast_reply(const krb5_enc_data *, krb5_data **);
1758
encode_krb5_iakerb_header(const krb5_iakerb_header *, krb5_data **);
1761
encode_krb5_iakerb_finished(const krb5_iakerb_finished *, krb5_data **);
1764
encode_krb5_fast_response(const krb5_fast_response *, krb5_data **);
1767
encode_krb5_ad_kdcissued(const krb5_ad_kdcissued *, krb5_data **);
1770
encode_krb5_ad_signedpath(const krb5_ad_signedpath *, krb5_data **);
1773
encode_krb5_ad_signedpath_data(const krb5_ad_signedpath_data *, krb5_data **);
1775
/*************************************************************************
1776
* End of prototypes for krb5_encode.c
1777
*************************************************************************/
1780
decode_krb5_sam_challenge(const krb5_data *, krb5_sam_challenge **);
1783
decode_krb5_enc_sam_key(const krb5_data *, krb5_sam_key **);
1786
decode_krb5_enc_sam_response_enc(const krb5_data *,
1787
krb5_enc_sam_response_enc **);
1790
decode_krb5_sam_response(const krb5_data *, krb5_sam_response **);
1793
decode_krb5_predicted_sam_response(const krb5_data *,
1794
krb5_predicted_sam_response **);
1797
decode_krb5_sam_challenge_2(const krb5_data *, krb5_sam_challenge_2 **);
1800
decode_krb5_sam_challenge_2_body(const krb5_data *,
1801
krb5_sam_challenge_2_body **);
1804
decode_krb5_enc_sam_response_enc_2(const krb5_data *,
1805
krb5_enc_sam_response_enc_2 **);
1808
decode_krb5_sam_response_2(const krb5_data *, krb5_sam_response_2 **);
1811
/*************************************************************************
1812
* Prototypes for krb5_decode.c
1813
*************************************************************************/
1815
krb5_error_code decode_krb5_structure(const krb5_data *code,
1816
krb5_structure **rep);
1818
requires Expects **rep to not have been allocated;
1819
a new *rep is allocated regardless of the old value.
1820
effects Decodes *code into **rep.
1821
Returns ENOMEM if memory is exhausted.
1822
Returns asn1 and krb5 errors.
1826
decode_krb5_authenticator(const krb5_data *code, krb5_authenticator **rep);
1829
decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep);
1832
decode_krb5_encryption_key(const krb5_data *output, krb5_keyblock **rep);
1835
decode_krb5_enc_tkt_part(const krb5_data *output, krb5_enc_tkt_part **rep);
1838
decode_krb5_enc_kdc_rep_part(const krb5_data *output,
1839
krb5_enc_kdc_rep_part **rep);
1842
decode_krb5_as_rep(const krb5_data *output, krb5_kdc_rep **rep);
1845
decode_krb5_tgs_rep(const krb5_data *output, krb5_kdc_rep **rep);
1848
decode_krb5_ap_req(const krb5_data *output, krb5_ap_req **rep);
1851
decode_krb5_ap_rep(const krb5_data *output, krb5_ap_rep **rep);
1854
decode_krb5_ap_rep_enc_part(const krb5_data *output,
1855
krb5_ap_rep_enc_part **rep);
1858
decode_krb5_as_req(const krb5_data *output, krb5_kdc_req **rep);
1861
decode_krb5_tgs_req(const krb5_data *output, krb5_kdc_req **rep);
1864
decode_krb5_kdc_req_body(const krb5_data *output, krb5_kdc_req **rep);
1867
decode_krb5_safe(const krb5_data *output, krb5_safe **rep);
1870
decode_krb5_safe_with_body(const krb5_data *output, krb5_safe **rep,
1874
decode_krb5_priv(const krb5_data *output, krb5_priv **rep);
1877
decode_krb5_enc_priv_part(const krb5_data *output, krb5_priv_enc_part **rep);
1879
decode_krb5_checksum(const krb5_data *, krb5_checksum **);
1882
decode_krb5_cred(const krb5_data *output, krb5_cred **rep);
1885
decode_krb5_enc_cred_part(const krb5_data *output, krb5_cred_enc_part **rep);
1888
decode_krb5_error(const krb5_data *output, krb5_error **rep);
1891
decode_krb5_authdata(const krb5_data *output, krb5_authdata ***rep);
1894
decode_krb5_pwd_sequence(const krb5_data *output, passwd_phrase_element **rep);
1897
decode_krb5_pwd_data(const krb5_data *output, krb5_pwd_data **rep);
1900
decode_krb5_padata_sequence(const krb5_data *output, krb5_pa_data ***rep);
1903
decode_krb5_alt_method(const krb5_data *output, krb5_alt_method **rep);
1906
decode_krb5_etype_info(const krb5_data *output, krb5_etype_info_entry ***rep);
1909
decode_krb5_etype_info2(const krb5_data *output, krb5_etype_info_entry ***rep);
1912
decode_krb5_enc_data(const krb5_data *output, krb5_enc_data **rep);
1915
decode_krb5_pa_enc_ts(const krb5_data *output, krb5_pa_enc_ts **rep);
1918
decode_krb5_sam_key(const krb5_data *, krb5_sam_key **);
1921
decode_krb5_setpw_req(const krb5_data *, krb5_data **, krb5_principal *);
1924
decode_krb5_pa_for_user(const krb5_data *, krb5_pa_for_user **);
1927
decode_krb5_pa_s4u_x509_user(const krb5_data *, krb5_pa_s4u_x509_user **);
1930
decode_krb5_pa_svr_referral_data(const krb5_data *,
1931
krb5_pa_svr_referral_data **);
1934
decode_krb5_pa_server_referral_data(const krb5_data *,
1935
krb5_pa_server_referral_data **);
1938
decode_krb5_pa_pac_req(const krb5_data *, krb5_pa_pac_req **);
1941
decode_krb5_etype_list(const krb5_data *, krb5_etype_list **);
1944
decode_krb5_pa_fx_fast_request(const krb5_data *, krb5_fast_armored_req **);
1947
decode_krb5_fast_req(const krb5_data *, krb5_fast_req **);
1950
decode_krb5_pa_fx_fast_reply(const krb5_data *, krb5_enc_data **);
1953
decode_krb5_fast_response(const krb5_data *, krb5_fast_response **);
1956
decode_krb5_ad_kdcissued(const krb5_data *, krb5_ad_kdcissued **);
1959
decode_krb5_ad_signedpath(const krb5_data *, krb5_ad_signedpath **);
1962
decode_krb5_iakerb_header(const krb5_data *, krb5_iakerb_header **);
1965
decode_krb5_iakerb_finished(const krb5_data *, krb5_iakerb_finished **);
1967
struct _krb5_key_data; /* kdb.h */
1969
struct ldap_seqof_key_data {
1970
krb5_int32 mkvno; /* Master key version number */
1971
struct _krb5_key_data *key_data;
1972
krb5_int16 n_key_data;
1974
typedef struct ldap_seqof_key_data ldap_seqof_key_data;
1977
krb5int_ldap_encode_sequence_of_keys(const ldap_seqof_key_data *val,
1981
krb5int_ldap_decode_sequence_of_keys(krb5_data *in,
1982
ldap_seqof_key_data **rep);
1984
/*************************************************************************
1985
* End of prototypes for krb5_decode.c
1986
*************************************************************************/
1988
#endif /* KRB5_ASN1__ */
1995
* Internal krb5 library routines
1998
krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
2001
krb5_encode_kdc_rep(krb5_context, krb5_msgtype, const krb5_enc_kdc_rep_part *,
2002
int using_subkey, const krb5_keyblock *, krb5_kdc_rep *,
2006
* [De]Serialization Handle and operations.
2008
struct __krb5_serializer {
2010
krb5_error_code (*sizer) (krb5_context,
2013
krb5_error_code (*externalizer) (krb5_context,
2017
krb5_error_code (*internalizer) (krb5_context,
2022
typedef const struct __krb5_serializer * krb5_ser_handle;
2023
typedef struct __krb5_serializer krb5_ser_entry;
2025
krb5_ser_handle krb5_find_serializer(krb5_context, krb5_magic);
2026
krb5_error_code krb5_register_serializer(krb5_context, const krb5_ser_entry *);
2028
/* Determine the external size of a particular opaque structure */
2029
krb5_error_code KRB5_CALLCONV
2030
krb5_size_opaque(krb5_context, krb5_magic, krb5_pointer, size_t *);
2032
/* Serialize the structure into a buffer */
2033
krb5_error_code KRB5_CALLCONV
2034
krb5_externalize_opaque(krb5_context, krb5_magic, krb5_pointer, krb5_octet **,
2037
/* Deserialize the structure from a buffer */
2038
krb5_error_code KRB5_CALLCONV
2039
krb5_internalize_opaque(krb5_context, krb5_magic, krb5_pointer *,
2040
krb5_octet **, size_t *);
2042
/* Serialize data into a buffer */
2044
krb5_externalize_data(krb5_context, krb5_pointer, krb5_octet **, size_t *);
2046
* Initialization routines.
2049
/* Initialize serialization for krb5_[os_]context */
2050
krb5_error_code KRB5_CALLCONV krb5_ser_context_init(krb5_context);
2052
/* Initialize serialization for krb5_auth_context */
2053
krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init(krb5_context);
2055
/* Initialize serialization for krb5_keytab */
2056
krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init(krb5_context);
2058
/* Initialize serialization for krb5_ccache */
2059
krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init(krb5_context);
2061
/* Initialize serialization for krb5_rcache */
2062
krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init(krb5_context);
2064
/* [De]serialize 4-byte integer */
2065
krb5_error_code KRB5_CALLCONV
2066
krb5_ser_pack_int32(krb5_int32, krb5_octet **, size_t *);
2068
krb5_error_code KRB5_CALLCONV
2069
krb5_ser_unpack_int32(krb5_int32 *, krb5_octet **, size_t *);
2071
/* [De]serialize 8-byte integer */
2072
krb5_error_code KRB5_CALLCONV
2073
krb5_ser_pack_int64(krb5_int64, krb5_octet **, size_t *);
2075
krb5_error_code KRB5_CALLCONV
2076
krb5_ser_unpack_int64(krb5_int64 *, krb5_octet **, size_t *);
2078
/* [De]serialize byte string */
2079
krb5_error_code KRB5_CALLCONV
2080
krb5_ser_pack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
2082
krb5_error_code KRB5_CALLCONV
2083
krb5_ser_unpack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
2085
krb5_error_code KRB5_CALLCONV
2086
krb5int_cc_default(krb5_context, krb5_ccache *);
2088
krb5_error_code KRB5_CALLCONV
2089
krb5_cc_retrieve_cred_default(krb5_context, krb5_ccache, krb5_flags,
2090
krb5_creds *, krb5_creds *);
2092
krb5_boolean KRB5_CALLCONV
2093
krb5_creds_compare(krb5_context in_context, krb5_creds *in_creds,
2094
krb5_creds *in_compare_creds);
2097
krb5int_set_prompt_types(krb5_context, krb5_prompt_type *);
2100
krb5int_generate_and_save_subkey(krb5_context, krb5_auth_context,
2101
krb5_keyblock * /* Old keyblock, not new! */,
2104
struct srv_dns_entry {
2105
struct srv_dns_entry *next;
2108
unsigned short port;
2112
#define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
2114
#ifdef KRB5_DNS_LOOKUP
2116
krb5int_make_srv_query_realm(const krb5_data *realm,
2117
const char *service,
2118
const char *protocol,
2119
struct srv_dns_entry **answers);
2120
void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2123
/* value to use when requesting a keytab entry and KVNO doesn't matter */
2124
#define IGNORE_VNO 0
2125
/* value to use when requesting a keytab entry and enctype doesn't matter */
2126
#define IGNORE_ENCTYPE 0
2129
* Convenience function for structure magic number
2131
#define KRB5_VERIFY_MAGIC(structure,magic_number) \
2132
if ((structure)->magic != (magic_number)) return (magic_number);
2134
/* to keep lint happy */
2135
#define krb5_xfree(val) free((char *)(val))
2137
/* To keep happy libraries which are (for now) accessing internal stuff */
2139
/* Make sure to increment by one when changing the struct */
2140
#define KRB5INT_ACCESS_STRUCT_VERSION 18
2143
struct ktext; /* from krb.h, for krb524 support */
2145
typedef struct _krb5int_access {
2147
krb5_error_code (*arcfour_gsscrypt)(const krb5_keyblock *keyblock,
2148
krb5_keyusage usage,
2149
const krb5_data *kd_data,
2150
krb5_crypto_iov *data,
2153
krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
2157
krb5_error_code (*clean_hostname)(krb5_context, const char *, char *,
2160
krb5_error_code (*mandatory_cksumtype)(krb5_context, krb5_enctype,
2162
krb5_error_code (KRB5_CALLCONV *ser_pack_int64)(krb5_int64, krb5_octet **,
2164
krb5_error_code (KRB5_CALLCONV *ser_unpack_int64)(krb5_int64 *,
2165
krb5_octet **, size_t *);
2167
/* Used for KDB LDAP back end. */
2169
(*asn1_ldap_encode_sequence_of_keys)(const ldap_seqof_key_data *val,
2173
(*asn1_ldap_decode_sequence_of_keys)(krb5_data *in,
2174
ldap_seqof_key_data **);
2177
* pkinit asn.1 encode/decode functions
2180
(*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code);
2183
(*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep,
2187
(*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep,
2191
(*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep,
2195
(*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep,
2199
(*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep,
2203
(*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep,
2207
(*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *,
2211
(*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *,
2215
(*encode_krb5_td_dh_parameters)(const krb5_algorithm_identifier **,
2219
(*encode_krb5_td_trusted_certifiers)(const
2220
krb5_external_principal_identifier **,
2224
(*encode_krb5_typed_data)(const krb5_typed_data **, krb5_data **code);
2227
(*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
2230
(*decode_krb5_auth_pack_draft9)(const krb5_data *,
2231
krb5_auth_pack_draft9 **);
2234
(*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **);
2237
(*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *,
2238
krb5_pa_pk_as_req_draft9 **);
2241
(*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
2244
(*decode_krb5_pa_pk_as_rep_draft9)(const krb5_data *,
2245
krb5_pa_pk_as_rep_draft9 **);
2248
(*decode_krb5_kdc_dh_key_info)(const krb5_data *, krb5_kdc_dh_key_info **);
2251
(*decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **);
2254
(*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **);
2257
(*decode_krb5_reply_key_pack_draft9)(const krb5_data *,
2258
krb5_reply_key_pack_draft9 **);
2261
(*decode_krb5_td_dh_parameters)(const krb5_data *,
2262
krb5_algorithm_identifier ***);
2265
(*decode_krb5_td_trusted_certifiers)(const krb5_data *,
2266
krb5_external_principal_identifier
2270
(*decode_krb5_typed_data)(const krb5_data *, krb5_typed_data ***);
2273
(*decode_krb5_as_req)(const krb5_data *output, krb5_kdc_req **rep);
2276
(*encode_krb5_kdc_req_body)(const krb5_kdc_req *rep, krb5_data **code);
2279
(KRB5_CALLCONV *free_kdc_req)(krb5_context, krb5_kdc_req * );
2281
(*set_prompt_types)(krb5_context, krb5_prompt_type *);
2284
(*encode_krb5_authdata_elt)(const krb5_authdata *rep, krb5_data **code);
2286
/* Exported for testing only! */
2288
(*encode_krb5_sam_response_2)(const krb5_sam_response_2 *rep,
2291
(*encode_krb5_enc_sam_response_enc_2)(const
2292
krb5_enc_sam_response_enc_2 *rep,
2296
#define KRB5INT_ACCESS_VERSION \
2297
(((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2298
(KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2300
krb5_error_code KRB5_CALLCONV
2301
krb5int_accessor(krb5int_access*, krb5_int32);
2303
/* Ick -- some krb524 and krb4 support placed in the krb5 library,
2304
because AFS (and potentially other applications?) use the krb4
2305
object as an opaque token, which (in some implementations) is not
2306
in fact a krb4 ticket, so we don't want to drag in the krb4 support
2307
just to enable this. */
2309
#define KRB524_SERVICE "krb524"
2310
#define KRB524_PORT 4444
2312
/* temporary -- this should be under lib/krb5/ccache somewhere */
2314
struct _krb5_ccache {
2316
const struct _krb5_cc_ops *ops;
2321
* Per-type ccache cursor.
2323
struct krb5_cc_ptcursor_s {
2324
const struct _krb5_cc_ops *ops;
2327
typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
2329
struct _krb5_cc_ops {
2332
const char * (KRB5_CALLCONV *get_name)(krb5_context, krb5_ccache);
2333
krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, krb5_ccache *,
2335
krb5_error_code (KRB5_CALLCONV *gen_new)(krb5_context, krb5_ccache *);
2336
krb5_error_code (KRB5_CALLCONV *init)(krb5_context, krb5_ccache,
2338
krb5_error_code (KRB5_CALLCONV *destroy)(krb5_context, krb5_ccache);
2339
krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_ccache);
2340
krb5_error_code (KRB5_CALLCONV *store)(krb5_context, krb5_ccache,
2342
krb5_error_code (KRB5_CALLCONV *retrieve)(krb5_context, krb5_ccache,
2343
krb5_flags, krb5_creds *,
2345
krb5_error_code (KRB5_CALLCONV *get_princ)(krb5_context, krb5_ccache,
2347
krb5_error_code (KRB5_CALLCONV *get_first)(krb5_context, krb5_ccache,
2349
krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_ccache,
2350
krb5_cc_cursor *, krb5_creds *);
2351
krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_ccache,
2353
krb5_error_code (KRB5_CALLCONV *remove_cred)(krb5_context, krb5_ccache,
2354
krb5_flags, krb5_creds *);
2355
krb5_error_code (KRB5_CALLCONV *set_flags)(krb5_context, krb5_ccache,
2357
krb5_error_code (KRB5_CALLCONV *get_flags)(krb5_context, krb5_ccache,
2359
krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2360
krb5_cc_ptcursor *);
2361
krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2364
krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2365
krb5_cc_ptcursor *);
2366
krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
2368
krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2369
krb5_ccache, krb5_timestamp *);
2370
krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2372
krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
2373
krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
2374
krb5_error_code (KRB5_CALLCONV *switch_to)(krb5_context, krb5_ccache);
2377
extern const krb5_cc_ops *krb5_cc_dfl_ops;
2380
krb5int_cc_os_default_name(krb5_context context, char **name);
2382
typedef struct _krb5_donot_replay {
2385
char *server; /* null-terminated */
2386
char *client; /* null-terminated */
2387
char *msghash; /* null-terminated */
2389
krb5_timestamp ctime;
2390
} krb5_donot_replay;
2392
krb5_error_code krb5_rc_default(krb5_context, krb5_rcache *);
2393
krb5_error_code krb5_rc_resolve_type(krb5_context, krb5_rcache *,char *);
2394
krb5_error_code krb5_rc_resolve_full(krb5_context, krb5_rcache *,char *);
2395
char *krb5_rc_get_type(krb5_context, krb5_rcache);
2396
char *krb5_rc_default_type(krb5_context);
2397
char *krb5_rc_default_name(krb5_context);
2398
krb5_error_code krb5_auth_to_rep(krb5_context, krb5_tkt_authent *,
2399
krb5_donot_replay *);
2400
krb5_error_code krb5_rc_hash_message(krb5_context context,
2401
const krb5_data *message, char **out);
2403
krb5_error_code KRB5_CALLCONV
2404
krb5_rc_initialize(krb5_context, krb5_rcache, krb5_deltat);
2406
krb5_error_code KRB5_CALLCONV
2407
krb5_rc_recover_or_initialize(krb5_context, krb5_rcache,krb5_deltat);
2409
krb5_error_code KRB5_CALLCONV
2410
krb5_rc_recover(krb5_context, krb5_rcache);
2412
krb5_error_code KRB5_CALLCONV
2413
krb5_rc_destroy(krb5_context, krb5_rcache);
2415
krb5_error_code KRB5_CALLCONV
2416
krb5_rc_close(krb5_context, krb5_rcache);
2418
krb5_error_code KRB5_CALLCONV
2419
krb5_rc_store(krb5_context, krb5_rcache, krb5_donot_replay *);
2421
krb5_error_code KRB5_CALLCONV
2422
krb5_rc_expunge(krb5_context, krb5_rcache);
2424
krb5_error_code KRB5_CALLCONV
2425
krb5_rc_get_lifespan(krb5_context, krb5_rcache,krb5_deltat *);
2428
krb5_rc_get_name(krb5_context, krb5_rcache);
2430
krb5_error_code KRB5_CALLCONV
2431
krb5_rc_resolve(krb5_context, krb5_rcache, char *);
2434
* This structure was exposed and used in macros in krb5 1.2, so do not
2437
typedef struct _krb5_kt_ops {
2441
/* routines always present */
2442
krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, const char *,
2444
krb5_error_code (KRB5_CALLCONV *get_name)(krb5_context, krb5_keytab,
2445
char *, unsigned int);
2446
krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_keytab);
2447
krb5_error_code (KRB5_CALLCONV *get)(krb5_context, krb5_keytab,
2448
krb5_const_principal, krb5_kvno,
2449
krb5_enctype, krb5_keytab_entry *);
2450
krb5_error_code (KRB5_CALLCONV *start_seq_get)(krb5_context, krb5_keytab,
2452
krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_keytab,
2453
krb5_keytab_entry *,
2455
krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_keytab,
2457
/* routines to be included on extended version (write routines) */
2458
krb5_error_code (KRB5_CALLCONV *add)(krb5_context, krb5_keytab,
2459
krb5_keytab_entry *);
2460
krb5_error_code (KRB5_CALLCONV *remove)(krb5_context, krb5_keytab,
2461
krb5_keytab_entry *);
2463
/* Handle for serializer */
2464
const krb5_ser_entry *serializer;
2467
extern const krb5_kt_ops krb5_kt_dfl_ops;
2469
extern krb5_error_code krb5int_translate_gai_error(int);
2471
/* Not sure it's ready for exposure just yet. */
2472
extern krb5_error_code
2473
krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
2476
* Referral definitions, debugging hooks, and subfunctions.
2478
#define KRB5_REFERRAL_MAXHOPS 10
2479
/* #define DEBUG_REFERRALS */
2481
#ifdef DEBUG_REFERRALS
2482
void krb5int_dbgref_dump_principal(char *, krb5_principal);
2485
/* Common hostname-parsing code. */
2487
krb5int_clean_hostname(krb5_context, const char *, char *, size_t);
2491
* There are no IANA assignments for these enctypes or cksumtypes yet. They
2492
* must be defined to local-use negative numbers at build time for Camellia
2493
* support to function at the moment. If one is defined, they should all be
2494
* defined. When IANA assignments exist, these definitions should move to the
2495
* appropriate places in krb5.hin and all CAMELLIA conditional code should be
2496
* made unconditional.
2498
* The present code is experimental and may not be compatible with the
2499
* standardized version.
2501
#define ENCTYPE_CAMELLIA128_CTS_CMAC -XXX /* Camellia CTS mode, 128-bit key */
2502
#define ENCTYPE_CAMELLIA256_CTS_CMAC -YYY /* Camellia CTS mode, 256-bit key */
2503
#define CKSUMTYPE_CMAC_CAMELLIA128 -XXX /* CMAC, 128-bit Camellia key */
2504
#define CKSUMTYPE_CMAC_CAMELLIA256 -YYY /* CMAC, 256-bit Camellia key */
2507
#ifdef ENCTYPE_CAMELLIA128_CTS_CMAC
2511
struct _krb5_kt { /* should move into k5-int.h */
2513
const struct _krb5_kt_ops *ops;
2517
krb5_error_code krb5_set_default_in_tkt_ktypes(krb5_context,
2518
const krb5_enctype *);
2520
krb5_error_code krb5_get_default_in_tkt_ktypes(krb5_context, krb5_enctype **);
2522
krb5_error_code krb5_set_default_tgs_ktypes(krb5_context,
2523
const krb5_enctype *);
2525
krb5_error_code KRB5_CALLCONV
2526
krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
2528
void KRB5_CALLCONV krb5_free_ktypes(krb5_context, krb5_enctype *);
2530
krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
2534
krb5_enctype *etype;
2535
krb5_boolean *etype_ok;
2536
krb5_int32 etype_count;
2537
} krb5_etypes_permitted;
2539
krb5_boolean krb5_is_permitted_enctype_ext(krb5_context,
2540
krb5_etypes_permitted *);
2542
krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
2544
krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
2545
krb5_const_pointer, krb5_kdc_rep *);
2546
krb5_error_code KRB5_CALLCONV krb5_decrypt_tkt_part(krb5_context,
2547
const krb5_keyblock *,
2550
krb5_error_code krb5_get_cred_via_tkt(krb5_context, krb5_creds *, krb5_flags,
2551
krb5_address *const *, krb5_creds *,
2554
krb5_error_code KRB5_CALLCONV krb5_copy_addr(krb5_context,
2555
const krb5_address *,
2558
void krb5_init_ets(krb5_context);
2559
void krb5_free_ets(krb5_context);
2560
krb5_error_code krb5_generate_subkey(krb5_context, const krb5_keyblock *,
2562
krb5_error_code krb5_generate_subkey_extended(krb5_context,
2563
const krb5_keyblock *,
2564
krb5_enctype, krb5_keyblock **);
2565
krb5_error_code krb5_generate_seq_number(krb5_context, const krb5_keyblock *,
2568
krb5_error_code KRB5_CALLCONV krb5_kt_register(krb5_context,
2569
const struct _krb5_kt_ops *);
2571
krb5_error_code k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
2572
krb5_principal *princ_out);
2574
krb5_error_code krb5_principal2salt_norealm(krb5_context, krb5_const_principal,
2577
unsigned int KRB5_CALLCONV krb5_get_notification_message(void);
2580
krb5_error_code krb5_check_transited_list(krb5_context, const krb5_data *trans,
2581
const krb5_data *realm1,
2582
const krb5_data *realm2);
2585
void krb5_free_realm_tree(krb5_context, krb5_principal *);
2587
void KRB5_CALLCONV krb5_free_authenticator_contents(krb5_context,
2588
krb5_authenticator *);
2590
void KRB5_CALLCONV krb5_free_address(krb5_context, krb5_address *);
2592
void KRB5_CALLCONV krb5_free_enc_tkt_part(krb5_context, krb5_enc_tkt_part *);
2594
void KRB5_CALLCONV krb5_free_tickets(krb5_context, krb5_ticket **);
2595
void KRB5_CALLCONV krb5_free_kdc_req(krb5_context, krb5_kdc_req *);
2596
void KRB5_CALLCONV krb5_free_kdc_rep(krb5_context, krb5_kdc_rep *);
2597
void KRB5_CALLCONV krb5_free_last_req(krb5_context, krb5_last_req_entry **);
2598
void KRB5_CALLCONV krb5_free_enc_kdc_rep_part(krb5_context,
2599
krb5_enc_kdc_rep_part *);
2600
void KRB5_CALLCONV krb5_free_ap_req(krb5_context, krb5_ap_req *);
2601
void KRB5_CALLCONV krb5_free_ap_rep(krb5_context, krb5_ap_rep *);
2602
void KRB5_CALLCONV krb5_free_cred(krb5_context, krb5_cred *);
2603
void KRB5_CALLCONV krb5_free_cred_enc_part(krb5_context, krb5_cred_enc_part *);
2604
void KRB5_CALLCONV krb5_free_pa_data(krb5_context, krb5_pa_data **);
2605
void KRB5_CALLCONV krb5_free_tkt_authent(krb5_context, krb5_tkt_authent *);
2606
void KRB5_CALLCONV krb5_free_pwd_data(krb5_context, krb5_pwd_data *);
2607
void KRB5_CALLCONV krb5_free_pwd_sequences(krb5_context,
2608
passwd_phrase_element **);
2609
void KRB5_CALLCONV krb5_free_passwd_phrase_element(krb5_context,
2610
passwd_phrase_element *);
2611
void KRB5_CALLCONV krb5_free_alt_method(krb5_context, krb5_alt_method *);
2612
void KRB5_CALLCONV krb5_free_enc_data(krb5_context, krb5_enc_data *);
2613
krb5_error_code krb5_set_config_files(krb5_context, const char **);
2615
krb5_error_code KRB5_CALLCONV krb5_get_default_config_files(char ***filenames);
2617
void KRB5_CALLCONV krb5_free_config_files(char **filenames);
2619
krb5_error_code krb5_rd_req_decoded(krb5_context, krb5_auth_context *,
2620
const krb5_ap_req *, krb5_const_principal,
2621
krb5_keytab, krb5_flags *, krb5_ticket **);
2623
krb5_error_code krb5_rd_req_decoded_anyflag(krb5_context, krb5_auth_context *,
2624
const krb5_ap_req *,
2625
krb5_const_principal, krb5_keytab,
2626
krb5_flags *, krb5_ticket **);
2628
krb5_error_code KRB5_CALLCONV
2629
krb5_cc_register(krb5_context, const krb5_cc_ops *, krb5_boolean );
2631
krb5_error_code krb5_walk_realm_tree(krb5_context, const krb5_data *,
2632
const krb5_data *, krb5_principal **,
2636
k5_client_realm_path(krb5_context context, const krb5_data *client,
2637
const krb5_data *server, krb5_data **rpath_out);
2640
krb5_auth_con_set_safe_cksumtype(krb5_context, krb5_auth_context,
2643
krb5_error_code krb5_auth_con_setivector(krb5_context, krb5_auth_context,
2646
krb5_error_code krb5_auth_con_getivector(krb5_context, krb5_auth_context,
2649
krb5_error_code krb5_auth_con_setpermetypes(krb5_context, krb5_auth_context,
2650
const krb5_enctype *);
2652
krb5_error_code krb5_auth_con_getpermetypes(krb5_context, krb5_auth_context,
2655
krb5_error_code krb5_auth_con_get_subkey_enctype(krb5_context context,
2660
krb5_auth_con_get_authdata_context(krb5_context context,
2661
krb5_auth_context auth_context,
2662
krb5_authdata_context *ad_context);
2665
krb5_auth_con_set_authdata_context(krb5_context context,
2666
krb5_auth_context auth_context,
2667
krb5_authdata_context ad_context);
2669
krb5_error_code KRB5_CALLCONV
2670
krb5int_server_decrypt_ticket_keyblock(krb5_context context,
2671
const krb5_keyblock *key,
2672
krb5_ticket *ticket);
2674
krb5_error_code krb5_read_message(krb5_context, krb5_pointer, krb5_data *);
2675
krb5_error_code krb5_write_message(krb5_context, krb5_pointer, krb5_data *);
2676
krb5_error_code krb5int_write_messages(krb5_context, krb5_pointer, krb5_data *,
2678
int krb5_net_read(krb5_context, int , char *, int);
2679
int krb5_net_write(krb5_context, int , const char *, int);
2681
krb5_error_code KRB5_CALLCONV krb5_get_realm_domain(krb5_context,
2682
const char *, char ** );
2684
krb5_error_code krb5_gen_portaddr(krb5_context, const krb5_address *,
2685
krb5_const_pointer, krb5_address **);
2687
krb5_error_code krb5_gen_replay_name(krb5_context, const krb5_address *,
2688
const char *, char **);
2689
krb5_error_code krb5_make_fulladdr(krb5_context, krb5_address *,
2690
krb5_address *, krb5_address *);
2692
krb5_error_code krb5_set_debugging_time(krb5_context, krb5_timestamp,
2694
krb5_error_code krb5_use_natural_time(krb5_context);
2695
krb5_error_code krb5_set_time_offsets(krb5_context, krb5_timestamp,
2698
* The realm iterator functions
2701
krb5_error_code KRB5_CALLCONV
2702
krb5_realm_iterator_create(krb5_context context, void **iter_p);
2704
krb5_error_code KRB5_CALLCONV
2705
krb5_realm_iterator(krb5_context context, void **iter_p, char **ret_realm);
2708
krb5_realm_iterator_free(krb5_context context, void **iter_p);
2710
void KRB5_CALLCONV krb5_free_realm_string(krb5_context context, char *str);
2712
/* Internal principal function used by KIM to avoid code duplication */
2713
krb5_error_code KRB5_CALLCONV
2714
krb5int_build_principal_alloc_va(krb5_context context,
2715
krb5_principal *princ,
2721
/* Some data comparison and conversion functions. */
2723
data_eq(krb5_data d1, krb5_data d2)
2725
return (d1.length == d2.length && !memcmp(d1.data, d2.data, d1.length));
2729
data_eq_string (krb5_data d, const char *s)
2731
return (d.length == strlen(s) && !memcmp(d.data, s, d.length));
2734
static inline krb5_data
2735
make_data(void *data, unsigned int len)
2739
d.magic = KV5M_DATA;
2740
d.data = (char *) data;
2745
static inline krb5_data
2748
return make_data(NULL, 0);
2751
static inline krb5_data
2752
string2data(char *str)
2754
return make_data(str, strlen(str));
2757
static inline krb5_error_code
2758
alloc_data(krb5_data *data, unsigned int len)
2760
/* Allocate at least one byte since zero-byte allocs may return NULL. */
2761
char *ptr = (char *) calloc((len > 0) ? len : 1, 1);
2765
data->magic = KV5M_DATA;
2772
authdata_eq(krb5_authdata a1, krb5_authdata a2)
2774
return (a1.ad_type == a2.ad_type
2775
&& a1.length == a2.length
2776
&& !memcmp(a1.contents, a2.contents, a1.length));
2779
/* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
2780
static inline void *
2781
k5alloc(size_t len, krb5_error_code *code)
2785
/* Allocate at least one byte since zero-byte allocs may return NULL. */
2786
ptr = calloc((len > 0) ? len : 1, 1);
2787
*code = (ptr == NULL) ? ENOMEM : 0;
2791
krb5_error_code KRB5_CALLCONV
2792
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
2794
krb5_creds *in_creds,
2796
krb5_creds **out_creds);
2798
krb5_error_code KRB5_CALLCONV
2799
krb5_get_credentials_for_proxy(krb5_context context,
2802
krb5_creds *in_creds,
2803
krb5_ticket *evidence_tkt,
2804
krb5_creds **out_creds);
2806
krb5_error_code KRB5_CALLCONV
2807
krb5int_get_authdata_containee_types(krb5_context context,
2808
const krb5_authdata *container,
2809
unsigned int *nad_types,
2810
krb5_authdatatype **ad_types);
2812
krb5_error_code krb5int_parse_enctype_list(krb5_context context,
2813
const char *profkey, char *profstr,
2814
krb5_enctype *default_list,
2815
krb5_enctype **result);
2817
#ifdef DEBUG_ERROR_LOCATIONS
2818
#define krb5_set_error_message(ctx, code, ...) \
2819
krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__)
2821
void KRB5_CALLCONV_C
2822
krb5_set_error_message_fl(krb5_context ctx, krb5_error_code code,
2823
const char *file, int line, const char *fmt, ...)
2825
__attribute__((__format__(printf,5,6)))
2829
#ifndef DISABLE_TRACING
2830
/* Do not use these functions directly; see k5-trace.h. */
2831
void krb5int_init_trace(krb5_context context);
2832
void krb5int_trace(krb5_context context, const char *fmt, ...);
2835
#endif /* _KRB5_INT_H */