1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
3 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology,
4 * Cambridge, MA, USA. All Rights Reserved.
6 * This software is being provided to you, the LICENSEE, by the
7 * Massachusetts Institute of Technology (M.I.T.) under the following
8 * license. By obtaining, using and/or copying this software, you agree
9 * that you have read, understood, and will comply with these terms and
12 * Export of this software from the United States of America may
13 * require a specific license from the United States Government.
14 * It is the responsibility of any person or organization contemplating
15 * export to obtain such a license before exporting.
17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
18 * this software and its documentation for any purpose and without fee or
19 * royalty is hereby granted, provided that you agree to comply with the
20 * following copyright notice and statements, including the disclaimer, and
21 * that the same appear on ALL copies of the software and documentation,
22 * including modifications that you make for internal use or for
25 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
26 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
27 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
28 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
29 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
30 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
32 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
33 * be used in advertising or publicity pertaining to distribution of the
34 * software. Title to copyright in this software and any associated
35 * documentation shall at all times remain with M.I.T., and USER agrees to
38 * Furthermore if you modify this software you must label
39 * your software as modified software and not distribute it in such a
40 * fashion that it might be confused with the original M.I.T. software.
44 * Copyright (C) 1998 by the FundsXpress, INC.
46 * All rights reserved.
48 * Export of this software from the United States of America may require
49 * a specific license from the United States Government. It is the
50 * responsibility of any person or organization contemplating export to
51 * obtain such a license before exporting.
53 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
54 * distribute this software and its documentation for any purpose and
55 * without fee is hereby granted, provided that the above copyright
56 * notice appear in all copies and that both that copyright notice and
57 * this permission notice appear in supporting documentation, and that
58 * the name of FundsXpress. not be used in advertising or publicity pertaining
59 * to distribution of the software without specific, written prior
60 * permission. FundsXpress makes no representations about the suitability of
61 * this software for any purpose. It is provided "as is" without express
62 * or implied warranty.
64 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
65 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
66 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
70 * This prototype for k5-int.h (Krb5 internals include file)
71 * includes the user-visible definitions from krb5.h and then
72 * includes other definitions that are not user-visible but are
73 * required for compiling Kerberos internal routines.
75 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
82 #error krb5.h included before k5-int.h
83 #endif /* KRB5_GENERAL__ */
87 #if defined(__MACH__) && defined(__APPLE__)
88 # include <TargetConditionals.h>
89 # if TARGET_RT_MAC_CFM
90 # error "Use KfM 4.0 SDK headers for CFM compilation."
101 * Machine-type definitions: PC Clone 386 running Microloss Windows
104 #if defined(_MSDOS) || defined(_WIN32)
107 /* Kerberos Windows initialization file */
108 #define KERBEROS_INI "kerberos.ini"
109 #define INI_FILES "Files"
110 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */
111 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */
113 #define DISABLE_TRACING
116 #include "autoconf.h"
118 #ifndef KRB5_SYSTYPES__
119 #define KRB5_SYSTYPES__
121 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */
122 #include <sys/types.h>
123 #else /* HAVE_SYS_TYPES_H */
124 typedef unsigned long u_long;
125 typedef unsigned int u_int;
126 typedef unsigned short u_short;
127 typedef unsigned char u_char;
128 #endif /* HAVE_SYS_TYPES_H */
129 #endif /* KRB5_SYSTYPES__ */
132 #include "k5-platform.h"
133 #include "k5-trace.h"
134 /* not used in krb5.h (yet) */
135 typedef UINT64_TYPE krb5_ui_8;
136 typedef INT64_TYPE krb5_int64;
139 #define DEFAULT_PWD_STRING1 "Enter password"
140 #define DEFAULT_PWD_STRING2 "Re-enter password for verification"
142 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
143 #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
144 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
147 * Windows requires a different api interface to each function. Here
148 * just define it as NULL.
150 #ifndef KRB5_CALLCONV
151 #define KRB5_CALLCONV
152 #define KRB5_CALLCONV_C
158 /* #define KRB5_OLD_CRYPTO is done in krb5.h */
160 #endif /* KRB5_CONFIG__ */
167 * After loading the configuration definitions, load the Kerberos definitions.
171 #include <krb5/plugin.h>
174 #include "port-sockets.h"
175 #include "socket-utils.h"
177 /* Get mutex support; currently used only for the replay cache. */
178 #include "k5-thread.h"
180 /* Get error info support. */
183 /* Get string buffer support. */
186 /* cofiguration variables */
187 #define KRB5_CONF_ACL_FILE "acl_file"
188 #define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
189 #define KRB5_CONF_ADMIN_SERVER "admin_server"
190 #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
191 #define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
192 #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
193 #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
194 #define KRB5_CONF_CANONICALIZE "canonicalize"
195 #define KRB5_CONF_CCACHE_TYPE "ccache_type"
196 #define KRB5_CONF_CLOCKSKEW "clockskew"
197 #define KRB5_CONF_DATABASE_NAME "database_name"
198 #define KRB5_CONF_DB_MODULE_DIR "db_module_dir"
199 #define KRB5_CONF_DB_MODULES "db_modules"
200 #define KRB5_CONF_DEFAULT "default"
201 #define KRB5_CONF_DEFAULT_REALM "default_realm"
202 #define KRB5_CONF_DEFAULT_DOMAIN "default_domain"
203 #define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
204 #define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes"
205 #define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name"
206 #define KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION "default_principal_expiration"
207 #define KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS "default_principal_flags"
208 #define KRB5_CONF_DICT_FILE "dict_file"
209 #define KRB5_CONF_DISABLE "disable"
210 #define KRB5_CONF_DISABLE_LAST_SUCCESS "disable_last_success"
211 #define KRB5_CONF_DISABLE_LOCKOUT "disable_lockout"
212 #define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
213 #define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
214 #define KRB5_CONF_DNS_FALLBACK "dns_fallback"
215 #define KRB5_CONF_DOMAIN_REALM "domain_realm"
216 #define KRB5_CONF_ENABLE_ONLY "enable_only"
217 #define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
218 #define KRB5_CONF_FORWARDABLE "forwardable"
219 #define KRB5_CONF_HOST_BASED_SERVICES "host_based_services"
220 #define KRB5_CONF_IPROP_ENABLE "iprop_enable"
221 #define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
222 #define KRB5_CONF_IPROP_PORT "iprop_port"
223 #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll"
224 #define KRB5_CONF_IPROP_LOGFILE "iprop_logfile"
225 #define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative"
226 #define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory"
227 #define KRB5_CONF_KADMIND_PORT "kadmind_port"
228 #define KRB5_CONF_KRB524_SERVER "krb524_server"
229 #define KRB5_CONF_KDC "kdc"
230 #define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
231 #define KRB5_CONF_KDC_PORTS "kdc_ports"
232 #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
233 #define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
234 #define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
235 #define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
236 #define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
237 #define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
238 #define KRB5_CONF_KPASSWD_PORT "kpasswd_port"
239 #define KRB5_CONF_KPASSWD_SERVER "kpasswd_server"
240 #define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn"
241 #define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn"
242 #define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file"
243 #define KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE "ldap_root_certificate_file"
244 #define KRB5_CONF_LDAP_SERVERS "ldap_servers"
245 #define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server"
246 #define KRB5_CONF_LIBDEFAULTS "libdefaults"
247 #define KRB5_CONF_LOGGING "logging"
248 #define KRB5_CONF_MASTER_KEY_NAME "master_key_name"
249 #define KRB5_CONF_MASTER_KEY_TYPE "master_key_type"
250 #define KRB5_CONF_MASTER_KDC "master_kdc"
251 #define KRB5_CONF_MAX_LIFE "max_life"
252 #define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
253 #define KRB5_CONF_MODULE "module"
254 #define KRB5_CONF_NOADDRESSES "noaddresses"
255 #define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral"
256 #define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
257 #define KRB5_CONF_PLUGINS "plugins"
258 #define KRB5_CONF_PREAUTH_MODULE_DIR "preauth_module_dir"
259 #define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
260 #define KRB5_CONF_PROXIABLE "proxiable"
261 #define KRB5_CONF_RDNS "rdns"
262 #define KRB5_CONF_REALMS "realms"
263 #define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
264 #define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
265 #define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
266 #define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
267 #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
268 #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
269 #define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
270 #define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
271 #define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
272 #define KRB5_CONF_V4_REALM "v4_realm"
273 #define KRB5_CONF_ASTERISK "*"
274 #define KRB5_CONF_FAST_AVAIL "fast_avail"
276 /* Error codes used in KRB_ERROR protocol messages.
277 Return values of library routines are based on a different error table
278 (which allows non-ambiguous error codes between subsystems) */
281 #define KDC_ERR_NONE 0 /* No error */
282 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
283 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */
284 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */
285 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */
286 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */
287 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */
288 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */
289 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */
290 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */
291 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */
292 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */
293 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */
294 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */
295 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */
296 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */
297 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */
298 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */
299 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */
300 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */
301 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */
302 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */
303 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */
304 #define KDC_ERR_KEY_EXP 23 /* Password has expired */
305 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */
306 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */
308 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
309 /* ticket don't match*/
310 #define KDC_ERR_MUST_USE_USER2USER 27 /* Server principal valid for */
312 #define KDC_ERR_PATH_NOT_ACCEPTED 28 /* KDC policy rejected transited */
314 #define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
316 * required to process the
318 /* Application errors */
319 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */
320 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */
321 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */
322 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */
323 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */
324 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */
325 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */
326 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */
327 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */
328 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */
329 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */
330 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */
331 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */
332 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */
333 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */
334 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */
335 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */
336 /* method required */
337 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */
339 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */
340 /* checksum in message */
341 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */
342 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */
346 #define KRB_ERR_GENERIC 60 /* Generic error (description */
348 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */
350 /* PKINIT server-reported errors */
351 #define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
352 #define KDC_ERR_KDC_NOT_TRUSTED 63
353 #define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
354 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
355 #define KDC_ERR_CERTIFICATE_MISMATCH 66
356 #define KRB_AP_ERR_NO_TGT 67
357 #define KDC_ERR_WRONG_REALM 68
358 #define KRB_AP_ERR_USER_TO_USER_REQUIRED 69
359 #define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */
360 /* trusted root cert */
361 #define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
362 #define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
363 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
364 #define KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
365 #define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
367 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
368 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */
369 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */
370 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
371 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
372 #define KRB_AP_ERR_IAKERB_KDC_NOT_FOUND 85 /* The IAKERB proxy could
374 #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
375 to the IAKERB proxy */
378 * This structure is returned in the e-data field of the KRB-ERROR
379 * message when the error calling for an alternative form of
380 * authentication is returned, KRB_AP_METHOD.
382 typedef struct _krb5_alt_method {
390 * A null-terminated array of this structure is returned by the KDC as
391 * the data part of the ETYPE_INFO preauth type. It informs the
392 * client which encryption types are supported.
393 * The same data structure is used by both etype-info and etype-info2
394 * but s2kparams must be null when encoding etype-info.
396 typedef struct _krb5_etype_info_entry {
402 } krb5_etype_info_entry;
405 * This is essentially -1 without sign extension which can screw up
406 * comparisons on 64 bit machines. If the length is this value, then
407 * the salt data is not present. This is to distinguish between not
408 * being set and being of 0 length.
410 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
412 typedef krb5_etype_info_entry ** krb5_etype_info;
415 typedef struct _krb5_etype_list {
417 krb5_enctype *etypes;
421 * a sam_challenge is returned for alternate preauth
424 SAMFlags ::= BIT STRING {
426 send-encrypted-sad[1],
427 must-pk-encrypt-sad[2]
431 PA-SAM-CHALLENGE ::= SEQUENCE {
433 sam-flags[1] SAMFlags,
434 sam-type-name[2] GeneralString OPTIONAL,
435 sam-track-id[3] GeneralString OPTIONAL,
436 sam-challenge-label[4] GeneralString OPTIONAL,
437 sam-challenge[5] GeneralString OPTIONAL,
438 sam-response-prompt[6] GeneralString OPTIONAL,
439 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
440 sam-nonce[8] INTEGER OPTIONAL,
441 sam-cksum[9] Checksum OPTIONAL
444 /* sam_type values -- informational only */
445 #define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */
446 #define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */
447 #define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */
448 #define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */
449 #define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */
450 #define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */
451 #if 1 /* XXX need to figure out who has which numbers assigned */
452 #define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */
453 #define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */
454 #define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */
456 #define PA_SAM_TYPE_EXP_BASE 128 /* experimental */
457 #define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */
458 #define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */
460 typedef struct _krb5_predicted_sam_response {
462 krb5_keyblock sam_key;
463 krb5_flags sam_flags; /* Makes key munging easier */
464 krb5_timestamp stime; /* time on server, for replay detection */
466 krb5_principal client;
467 krb5_data msd; /* mechanism specific data */
468 } krb5_predicted_sam_response;
470 typedef struct _krb5_sam_challenge {
472 krb5_int32 sam_type; /* information */
473 krb5_flags sam_flags; /* KRB5_SAM_* values */
474 krb5_data sam_type_name;
475 krb5_data sam_track_id;
476 krb5_data sam_challenge_label;
477 krb5_data sam_challenge;
478 krb5_data sam_response_prompt;
479 krb5_data sam_pk_for_sad;
480 krb5_int32 sam_nonce;
481 krb5_checksum sam_cksum;
482 } krb5_sam_challenge;
484 typedef struct _krb5_sam_key { /* reserved for future use */
486 krb5_keyblock sam_key;
489 typedef struct _krb5_enc_sam_response_enc {
491 krb5_int32 sam_nonce;
492 krb5_timestamp sam_timestamp;
495 } krb5_enc_sam_response_enc;
497 typedef struct _krb5_sam_response {
499 krb5_int32 sam_type; /* informational */
500 krb5_flags sam_flags; /* KRB5_SAM_* values */
501 krb5_data sam_track_id; /* copied */
502 krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */
503 krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
504 krb5_int32 sam_nonce;
505 krb5_timestamp sam_patimestamp;
508 typedef struct _krb5_sam_challenge_2 {
509 krb5_data sam_challenge_2_body;
510 krb5_checksum **sam_cksum; /* Array of checksums */
511 } krb5_sam_challenge_2;
513 typedef struct _krb5_sam_challenge_2_body {
515 krb5_int32 sam_type; /* information */
516 krb5_flags sam_flags; /* KRB5_SAM_* values */
517 krb5_data sam_type_name;
518 krb5_data sam_track_id;
519 krb5_data sam_challenge_label;
520 krb5_data sam_challenge;
521 krb5_data sam_response_prompt;
522 krb5_data sam_pk_for_sad;
523 krb5_int32 sam_nonce;
524 krb5_enctype sam_etype;
525 } krb5_sam_challenge_2_body;
527 typedef struct _krb5_sam_response_2 {
529 krb5_int32 sam_type; /* informational */
530 krb5_flags sam_flags; /* KRB5_SAM_* values */
531 krb5_data sam_track_id; /* copied */
532 krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
533 krb5_int32 sam_nonce;
534 } krb5_sam_response_2;
536 typedef struct _krb5_enc_sam_response_enc_2 {
538 krb5_int32 sam_nonce;
540 } krb5_enc_sam_response_enc_2;
543 * Keep the pkinit definitions in a separate file so that the plugin
544 * only has to include k5-int-pkinit.h rather than k5-int.h
547 #include "k5-int-pkinit.h"
553 extern char *strdup (const char *);
560 #ifdef HAVE_SYS_TIME_H
561 #include <sys/time.h>
562 #ifdef TIME_WITH_SYS_TIME
569 #ifdef HAVE_SYS_STAT_H
570 #include <sys/stat.h> /* struct stat, stat() */
573 #ifdef HAVE_SYS_PARAM_H
574 #include <sys/param.h> /* MAXPATHLEN */
577 #ifdef HAVE_SYS_FILE_H
578 #include <sys/file.h> /* prototypes for file-related
579 syscalls; flags for open &
589 #include "k5-gmt_mktime.h"
592 struct sendto_callback_info;
595 krb5_error_code krb5_lock_file(krb5_context, int, int);
596 krb5_error_code krb5_unlock_file(krb5_context, int);
597 krb5_error_code krb5_sendto_kdc(krb5_context, const krb5_data *,
598 const krb5_data *, krb5_data *, int *, int);
600 krb5_error_code krb5_get_krbhst(krb5_context, const krb5_data *, char *** );
601 krb5_error_code krb5_free_krbhst(krb5_context, char * const * );
602 krb5_error_code krb5_create_secure_file(krb5_context, const char * pathname);
603 krb5_error_code krb5_sync_disk_file(krb5_context, FILE *fp);
605 krb5_error_code krb5int_init_context_kdc(krb5_context *);
607 krb5_error_code krb5_os_init_context(krb5_context, krb5_boolean);
609 void krb5_os_free_context(krb5_context);
611 /* This function is needed by KfM's KerberosPreferences API
612 * because it needs to be able to specify "secure" */
614 os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure);
617 krb5_os_hostaddr(krb5_context, const char *, krb5_address ***);
620 krb5int_get_domain_realm_mapping(krb5_context , const char *, char ***);
622 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
623 going to use this structure. */
629 struct undefined_addrinfo *ai;
631 void (*freefn)(void *);
637 #define ADDRLIST_INIT { 0, 0, 0 }
638 extern void krb5int_free_addrlist(struct addrlist *);
639 extern int krb5int_grow_addrlist(struct addrlist *, int);
640 extern int krb5int_add_host_to_list(struct addrlist *, const char *,
643 #include <krb5/locate_plugin.h>
645 krb5int_locate_server(krb5_context, const krb5_data *realm,
646 struct addrlist *, enum locate_service_type svc,
647 int sockettype, int family);
652 struct derived_key *next;
655 /* Internal structure of an opaque key identifier */
657 krb5_keyblock keyblock;
659 struct derived_key *derived;
661 * Cache of data private to the cipher implementation, which we
662 * don't want to have to recompute for every operation. This may
663 * include key schedules, iteration counts, etc.
665 * The cipher implementation is responsible for setting this up
666 * whenever needed, and the enc_provider key_cleanup method must
667 * then be provided to dispose of it.
672 /* new encryption provider api */
674 struct krb5_enc_provider {
675 /* keybytes is the input size to make_key;
676 keylength is the output size */
677 size_t block_size, keybytes, keylength;
679 krb5_error_code (*encrypt)(krb5_key key, const krb5_data *cipher_state,
680 krb5_crypto_iov *data, size_t num_data);
682 krb5_error_code (*decrypt)(krb5_key key, const krb5_data *cipher_state,
683 krb5_crypto_iov *data, size_t num_data);
685 /* May be NULL if the cipher is not used for a cbc-mac checksum. */
686 krb5_error_code (*cbc_mac)(krb5_key key, const krb5_crypto_iov *data,
687 size_t num_data, const krb5_data *ivec,
690 krb5_error_code (*make_key)(const krb5_data *randombits,
693 krb5_error_code (*init_state)(const krb5_keyblock *key,
694 krb5_keyusage keyusage,
695 krb5_data *out_state);
696 krb5_error_code (*free_state)(krb5_data *state);
698 /* May be NULL if there is no key-derived data cached. */
699 void (*key_cleanup)(krb5_key key);
702 struct krb5_hash_provider {
704 size_t hashsize, blocksize;
706 krb5_error_code (*hash)(const krb5_crypto_iov *data, size_t num_data,
711 * in here to deal with stuff from lib/crypto
714 void krb5int_nfold(unsigned int inbits, const unsigned char *in,
715 unsigned int outbits, unsigned char *out);
717 krb5_error_code krb5int_hmac(const struct krb5_hash_provider *hash,
718 krb5_key key, const krb5_crypto_iov *data,
719 size_t num_data, krb5_data *output);
722 krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
723 const krb5_keyblock *keyblock,
724 const krb5_crypto_iov *data, size_t num_data,
727 krb5_error_code krb5int_pbkdf2_hmac_sha1(const krb5_data *, unsigned long,
728 const krb5_data *, const krb5_data *);
730 /* These crypto functions are used by GSSAPI via the accessor. */
733 krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
734 const krb5_data *kd_data, krb5_crypto_iov *data,
738 * Attempt to zero memory in a way that compilers won't optimize out.
740 * This mechanism should work even for heap storage about to be freed,
741 * or automatic storage right before we return from a function.
743 * Then, even if we leak uninitialized memory someplace, or UNIX
744 * "core" files get created with world-read access, some of the most
745 * sensitive data in the process memory will already be safely wiped.
747 * We're not going so far -- yet -- as to try to protect key data that
748 * may have been written into swap space....
751 # define zap(ptr, len) SecureZeroMemory(ptr, len)
752 #elif defined(__GNUC__)
753 static inline void zap(void *ptr, size_t len)
757 * Some versions of gcc have gotten clever enough to eliminate a
758 * memset call right before the block in question is released.
759 * This (empty) asm requires it to assume that we're doing
760 * something interesting with the stored (zero) value, so the
761 * memset can't be eliminated.
763 * An optimizer that looks at assembly or object code may not be
764 * fooled, and may still cause the memset to go away. Address
765 * that problem if and when we encounter it.
767 * This also may not be enough if free() does something
768 * interesting like purge memory locations from a write-back cache
769 * that hasn't written back the zero bytes yet. A memory barrier
770 * instruction would help in that case.
772 asm volatile ("" : : "g" (ptr), "g" (len));
775 /* Use a function from libkrb5support to defeat inlining. */
776 # define zap(ptr, len) krb5int_zap(ptr, len)
779 /* Convenience function: zap and free ptr if it is non-NULL. */
781 zapfree(void *ptr, size_t len)
789 /* A definition of init_state for DES based encryption systems.
790 * sets up an 8-byte IV of all zeros
794 krb5int_des_init_state(const krb5_keyblock *key, krb5_keyusage keyusage,
795 krb5_data *new_state);
798 * normally to free a cipher_state you can just memset the length to zero and
801 krb5_error_code krb5int_default_free_state(krb5_data *state);
805 * Combine two keys (normally used by the hardware preauth mechanism)
808 krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
809 krb5_keyblock *key2, krb5_keyblock *outkey);
811 void krb5int_c_free_keyblock(krb5_context, krb5_keyblock *key);
812 void krb5int_c_free_keyblock_contents(krb5_context, krb5_keyblock *);
813 krb5_error_code krb5int_c_init_keyblock(krb5_context, krb5_enctype enctype,
814 size_t length, krb5_keyblock **out);
815 krb5_error_code krb5int_c_copy_keyblock(krb5_context context,
816 const krb5_keyblock *from,
818 krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
819 const krb5_keyblock *from,
823 * Internal - for cleanup.
825 extern void krb5int_prng_cleanup(void);
826 extern void krb5int_crypto_impl_cleanup(void);
829 #ifdef KRB5_OLD_CRYPTO
830 /* old provider api */
832 krb5_error_code krb5_crypto_os_localaddr(krb5_address ***);
834 krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
836 #endif /* KRB5_OLD_CRYPTO */
838 /* this helper fct is in libkrb5, but it makes sense declared here. */
841 krb5_encrypt_keyhelper(krb5_context context, krb5_key key,
842 krb5_keyusage keyusage, const krb5_data *plain,
843 krb5_enc_data *cipher);
849 typedef struct _krb5_os_context {
851 krb5_int32 time_offset;
852 krb5_int32 usec_offset;
854 char * default_ccname;
858 * Flags for the os_flags field
860 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
861 * The intention is that this facility to correct the system clocks so
862 * that they reflect the "real" time, for systems where for some
863 * reason we can't set the system clock. Instead we calculate the
864 * offset between the system time and real time, and store the offset
865 * in the os context so that we can correct the system clock as necessary.
867 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
868 * returned as the time by the krb5 time routines. This should only
869 * be used for testing purposes (obviously!)
871 #define KRB5_OS_TOFFSET_VALID 1
872 #define KRB5_OS_TOFFSET_TIME 2
874 /* lock mode flags */
875 #define KRB5_LOCKMODE_SHARED 0x0001
876 #define KRB5_LOCKMODE_EXCLUSIVE 0x0002
877 #define KRB5_LOCKMODE_DONTBLOCK 0x0004
878 #define KRB5_LOCKMODE_UNLOCK 0x0008
881 * Define our view of the size of a DES key.
883 #define KRB5_MIT_DES_KEYSIZE 8
884 #define KRB5_MIT_DES3_KEYSIZE 24
885 #define KRB5_MIT_DES3_KEY_BYTES 21
888 * Check if des_int.h has been included before us. If so, then check to see
889 * that our view of the DES key size is the same as des_int.h's.
891 #ifdef MIT_DES_KEYSIZE
892 #if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
893 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
894 #endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
895 #endif /* MIT_DES_KEYSIZE */
900 * (Originally written by Glen Machin at Sandia Labs.)
903 * Sandia National Laboratories also makes no representations about the
904 * suitability of the modifications, or additions to this software for
905 * any purpose. It is provided "as is" without express or implied warranty.
908 #ifndef KRB5_PREAUTH__
909 #define KRB5_PREAUTH__
911 #include <krb5/preauth_plugin.h>
913 #define CLIENT_ROCK_MAGIC 0x4352434b
914 /* This structure is passed into the client preauth functions and passed
915 * back to the "get_data_proc" function so that it can locate the
916 * requested information. It is opaque to the plugin code and can be
917 * expanded in the future as new types of requests are defined which
918 * may require other things to be passed through. */
919 struct krb5int_fast_request_state;
920 typedef struct _krb5_preauth_client_rock {
923 struct krb5int_fast_request_state *fast_state;
924 } krb5_preauth_client_rock;
926 /* This structure lets us keep track of all of the modules which are loaded,
927 * turning the list of modules and their lists of implemented preauth types
928 * into a single list which we can walk easily. */
929 typedef struct _krb5_preauth_context {
931 struct _krb5_preauth_context_module {
932 /* Which of the possibly more than one preauth types which the
933 * module supports we're using at this point in the list. */
934 krb5_preauthtype pa_type;
935 /* Encryption types which the client claims to support -- we
936 * copy them directly into the krb5_kdc_req structure during
937 * krb5_preauth_prepare_request(). */
938 krb5_enctype *enctypes;
939 /* The plugin's per-plugin context and a function to clear it. */
940 void *plugin_context;
941 preauth_client_plugin_fini_proc client_fini;
942 /* The module's table, and some of its members, copied here for
943 * convenience when we populated the list. */
944 struct krb5plugin_preauth_client_ftable_v1 *ftable;
946 int flags, use_count;
947 preauth_client_process_proc client_process;
948 preauth_client_tryagain_proc client_tryagain;
949 preauth_client_supply_gic_opts_proc client_supply_gic_opts;
950 preauth_client_request_init_proc client_req_init;
951 preauth_client_request_fini_proc client_req_fini;
952 /* The per-request context which the client_req_init() function
953 * might allocate, which we'll need to clean up later by
954 * calling the client_req_fini() function. */
955 void *request_context;
956 /* A pointer to the request_context pointer. All modules within
957 * a plugin will point at the request_context of the first
958 * module within the plugin. */
959 void **request_context_pp;
961 } krb5_preauth_context;
963 typedef struct _krb5_pa_enc_ts {
964 krb5_timestamp patimestamp;
968 typedef struct _krb5_pa_for_user {
971 krb5_data auth_package;
974 typedef struct _krb5_s4u_userid {
977 krb5_data subject_cert;
981 #define KRB5_S4U_OPTS_CHECK_LOGON_HOURS 0x40000000 /* check logon hour restrictions */
982 #define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE 0x20000000 /* sign with usage 27 instead of 26 */
984 typedef struct _krb5_pa_s4u_x509_user {
985 krb5_s4u_userid user_id;
987 } krb5_pa_s4u_x509_user;
990 KRB5_FAST_ARMOR_AP_REQUEST = 0x1
993 typedef struct _krb5_fast_armor {
994 krb5_int32 armor_type;
995 krb5_data armor_value;
997 typedef struct _krb5_fast_armored_req {
999 krb5_fast_armor *armor;
1000 krb5_checksum req_checksum;
1001 krb5_enc_data enc_part;
1002 } krb5_fast_armored_req;
1004 typedef struct _krb5_fast_req {
1006 krb5_flags fast_options;
1007 /* padata from req_body is used*/
1008 krb5_kdc_req *req_body;
1011 /* Bits 0-15 are critical in fast options.*/
1012 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
1013 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
1015 typedef struct _krb5_fast_finished {
1016 krb5_timestamp timestamp;
1018 krb5_principal client;
1019 krb5_checksum ticket_checksum;
1020 } krb5_fast_finished;
1022 typedef struct _krb5_fast_response {
1024 krb5_pa_data **padata;
1025 krb5_keyblock *strengthen_key;
1026 krb5_fast_finished *finished;
1028 } krb5_fast_response;
1030 typedef struct _krb5_ad_kdcissued {
1031 krb5_checksum ad_checksum;
1032 krb5_principal i_principal;
1033 krb5_authdata **elements;
1034 } krb5_ad_kdcissued;
1036 typedef struct _krb5_ad_signedpath_data {
1037 krb5_principal client;
1038 krb5_timestamp authtime;
1039 krb5_principal *delegated;
1040 krb5_pa_data **method_data;
1041 krb5_authdata **authorization_data;
1042 } krb5_ad_signedpath_data;
1044 typedef struct _krb5_ad_signedpath {
1045 krb5_enctype enctype;
1046 krb5_checksum checksum;
1047 krb5_principal *delegated;
1048 krb5_pa_data **method_data;
1049 } krb5_ad_signedpath;
1051 typedef struct _krb5_iakerb_header {
1052 krb5_data target_realm;
1054 } krb5_iakerb_header;
1056 typedef struct _krb5_iakerb_finished {
1057 krb5_checksum checksum;
1058 } krb5_iakerb_finished;
1060 typedef krb5_error_code
1061 (*krb5_preauth_obtain_proc)(krb5_context, krb5_pa_data *,
1062 krb5_etype_info, krb5_keyblock *,
1063 krb5_error_code (*)(krb5_context,
1068 krb5_const_pointer, krb5_creds *,
1069 krb5_kdc_req *, krb5_pa_data **);
1071 typedef krb5_error_code
1072 (*krb5_preauth_process_proc)(krb5_context, krb5_pa_data *, krb5_kdc_req *,
1074 krb5_error_code (*)(krb5_context,
1080 krb5_error_code (*)(krb5_context,
1081 const krb5_keyblock *,
1084 krb5_keyblock **, krb5_creds *, krb5_int32 *,
1087 typedef struct _krb5_preauth_ops {
1091 krb5_preauth_obtain_proc obtain;
1092 krb5_preauth_process_proc process;
1096 krb5int_find_pa_data(krb5_context, krb5_pa_data *const *, krb5_preauthtype);
1097 /* Does not return a copy; original padata sequence responsible for freeing*/
1099 void krb5_free_etype_info(krb5_context, krb5_etype_info);
1102 * Preauthentication property flags
1104 #define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001
1105 #define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002
1107 #endif /* KRB5_PREAUTH__ */
1113 * Extending the krb5_get_init_creds_opt structure. The original
1114 * krb5_get_init_creds_opt structure is defined publicly. The
1115 * new extended version is private. The original interface
1116 * assumed a pre-allocated structure which was passed to
1117 * krb5_get_init_creds_init(). The new interface assumes that
1118 * the caller will call krb5_get_init_creds_alloc() and
1119 * krb5_get_init_creds_free().
1121 * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
1122 * opts structure using krb5_get_init_creds_alloc(). To do so will
1123 * introduce memory leaks. Unfortunately, there is no way to enforce
1126 * Two private flags are added for backward compatibility.
1127 * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1128 * with the new krb5_get_init_creds_opt_alloc() function.
1129 * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1130 * structure is a shadow copy of an original krb5_get_init_creds_opt
1132 * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1133 * krb5int_gic_opt_to_opte(), the resulting extended structure should be
1134 * freed (using krb5_get_init_creds_free). Otherwise, the original
1135 * structure was already extended and there is no need to free it.
1138 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
1139 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
1141 #define krb5_gic_opt_is_extended(s) \
1142 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
1143 #define krb5_gic_opt_is_shadowed(s) \
1144 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
1147 typedef struct _krb5_gic_opt_private {
1148 int num_preauth_data;
1149 krb5_gic_opt_pa_data *preauth_data;
1150 char * fast_ccache_name;
1151 krb5_ccache out_ccache;
1152 krb5_flags fast_flags;
1153 krb5_expire_callback_func *expire_cb;
1155 } krb5_gic_opt_private;
1158 * On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
1159 * of krb5_get_init_creds_opt.
1162 # pragma pack(push,2)
1165 typedef struct _krb5_gic_opt_ext {
1167 krb5_deltat tkt_life;
1168 krb5_deltat renew_life;
1171 krb5_enctype *etype_list;
1172 int etype_list_length;
1173 krb5_address **address_list;
1174 krb5_preauthtype *preauth_list;
1175 int preauth_list_length;
1178 * Do not change anything above this point in this structure.
1179 * It is identical to the public krb5_get_init_creds_opt structure.
1180 * New members must be added below.
1182 krb5_gic_opt_private *opt_private;
1190 krb5int_gic_opt_to_opte(krb5_context context, krb5_get_init_creds_opt *opt,
1191 krb5_gic_opt_ext **opte, unsigned int force,
1195 krb5int_copy_data_contents(krb5_context, const krb5_data *, krb5_data *);
1198 krb5int_copy_data_contents_add0(krb5_context, const krb5_data *, krb5_data *);
1201 krb5int_copy_creds_contents(krb5_context, const krb5_creds *, krb5_creds *);
1203 typedef krb5_error_code
1204 (*krb5_gic_get_as_key_fct)(krb5_context, krb5_principal, krb5_enctype,
1205 krb5_prompter_fct, void *prompter_data,
1206 krb5_data *salt, krb5_data *s2kparams,
1207 krb5_keyblock *as_key, void *gak_data);
1209 krb5_error_code KRB5_CALLCONV
1210 krb5int_get_init_creds(krb5_context context, krb5_creds *creds,
1211 krb5_principal client, krb5_prompter_fct prompter,
1212 void *prompter_data, krb5_deltat start_time,
1213 char *in_tkt_service, krb5_get_init_creds_opt *options,
1214 krb5_gic_get_as_key_fct gak, void *gak_data,
1215 int *master, krb5_kdc_rep **as_reply);
1218 krb5int_populate_gic_opt (krb5_context, krb5_get_init_creds_opt **,
1219 krb5_flags options, krb5_address *const *addrs,
1220 krb5_enctype *ktypes,
1221 krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1224 krb5_error_code KRB5_CALLCONV
1225 krb5_do_preauth(krb5_context context, krb5_kdc_req *request,
1226 krb5_data *encoded_request_body,
1227 krb5_data *encoded_previous_request, krb5_pa_data **in_padata,
1228 krb5_pa_data ***out_padata, krb5_data *salt,
1229 krb5_data *s2kparams, krb5_enctype *etype,
1230 krb5_keyblock *as_key, krb5_prompter_fct prompter,
1231 void *prompter_data, krb5_gic_get_as_key_fct gak_fct,
1232 void *gak_data, krb5_preauth_client_rock *get_data_rock,
1233 krb5_gic_opt_ext *opte);
1235 krb5_error_code KRB5_CALLCONV
1236 krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *request,
1237 krb5_data *encoded_request_body,
1238 krb5_data *encoded_previous_request,
1239 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1240 krb5_error *err_reply,
1241 krb5_data *salt, krb5_data *s2kparams,
1242 krb5_enctype *etype, krb5_keyblock *as_key,
1243 krb5_prompter_fct prompter, void *prompter_data,
1244 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1245 krb5_preauth_client_rock *get_data_rock,
1246 krb5_gic_opt_ext *opte);
1248 void KRB5_CALLCONV krb5_init_preauth_context(krb5_context);
1249 void KRB5_CALLCONV krb5_free_preauth_context(krb5_context);
1250 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts(krb5_context);
1251 void KRB5_CALLCONV krb5_preauth_prepare_request(krb5_context,
1254 void KRB5_CALLCONV krb5_preauth_request_context_init(krb5_context);
1255 void KRB5_CALLCONV krb5_preauth_request_context_fini(krb5_context);
1258 krb5_free_sam_challenge(krb5_context, krb5_sam_challenge *);
1261 krb5_free_sam_challenge_2(krb5_context, krb5_sam_challenge_2 *);
1264 krb5_free_sam_challenge_2_body(krb5_context, krb5_sam_challenge_2_body *);
1267 krb5_free_sam_response(krb5_context, krb5_sam_response *);
1270 krb5_free_sam_response_2(krb5_context, krb5_sam_response_2 *);
1273 krb5_free_predicted_sam_response(krb5_context, krb5_predicted_sam_response *);
1276 krb5_free_enc_sam_response_enc(krb5_context, krb5_enc_sam_response_enc *);
1279 krb5_free_enc_sam_response_enc_2(krb5_context, krb5_enc_sam_response_enc_2 *);
1282 krb5_free_sam_challenge_contents(krb5_context, krb5_sam_challenge *);
1285 krb5_free_sam_challenge_2_contents(krb5_context, krb5_sam_challenge_2 *);
1288 krb5_free_sam_challenge_2_body_contents(krb5_context,
1289 krb5_sam_challenge_2_body *);
1292 krb5_free_sam_response_contents(krb5_context, krb5_sam_response *);
1295 krb5_free_sam_response_2_contents(krb5_context, krb5_sam_response_2 *);
1298 krb5_free_predicted_sam_response_contents(krb5_context,
1299 krb5_predicted_sam_response * );
1302 krb5_free_enc_sam_response_enc_contents(krb5_context,
1303 krb5_enc_sam_response_enc * );
1306 krb5_free_enc_sam_response_enc_2_contents(krb5_context,
1307 krb5_enc_sam_response_enc_2 * );
1310 krb5_free_pa_enc_ts(krb5_context, krb5_pa_enc_ts *);
1313 krb5_free_pa_for_user(krb5_context, krb5_pa_for_user *);
1316 krb5_free_s4u_userid_contents(krb5_context, krb5_s4u_userid *);
1319 krb5_free_pa_s4u_x509_user(krb5_context, krb5_pa_s4u_x509_user *);
1322 krb5_free_pa_svr_referral_data(krb5_context, krb5_pa_svr_referral_data *);
1325 krb5_free_pa_server_referral_data(krb5_context,
1326 krb5_pa_server_referral_data * );
1329 krb5_free_pa_pac_req(krb5_context, krb5_pa_pac_req * );
1332 krb5_free_etype_list(krb5_context, krb5_etype_list * );
1334 void KRB5_CALLCONV krb5_free_fast_armor(krb5_context, krb5_fast_armor *);
1335 void KRB5_CALLCONV krb5_free_fast_armored_req(krb5_context,
1336 krb5_fast_armored_req *);
1337 void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *);
1338 void KRB5_CALLCONV krb5_free_fast_finished(krb5_context, krb5_fast_finished *);
1339 void KRB5_CALLCONV krb5_free_fast_response(krb5_context, krb5_fast_response *);
1340 void KRB5_CALLCONV krb5_free_ad_kdcissued(krb5_context, krb5_ad_kdcissued *);
1341 void KRB5_CALLCONV krb5_free_ad_signedpath(krb5_context, krb5_ad_signedpath *);
1342 void KRB5_CALLCONV krb5_free_iakerb_header(krb5_context, krb5_iakerb_header *);
1343 void KRB5_CALLCONV krb5_free_iakerb_finished(krb5_context,
1344 krb5_iakerb_finished *);
1346 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1347 #include "com_err.h"
1348 #include "k5-plugin.h"
1350 #include <krb5/authdata_plugin.h>
1352 struct _krb5_authdata_context {
1355 struct _krb5_authdata_context_module {
1356 krb5_authdatatype ad_type;
1357 void *plugin_context;
1358 authdata_client_plugin_fini_proc client_fini;
1360 krb5plugin_authdata_client_ftable_v0 *ftable;
1361 authdata_client_request_init_proc client_req_init;
1362 authdata_client_request_fini_proc client_req_fini;
1364 void *request_context;
1365 void **request_context_pp;
1367 struct plugin_dir_handle plugins;
1370 typedef struct _krb5_authdata_context *krb5_authdata_context;
1373 krb5int_free_data_list(krb5_context context, krb5_data *data);
1375 krb5_error_code KRB5_CALLCONV
1376 krb5_authdata_context_init(krb5_context kcontext,
1377 krb5_authdata_context *pcontext);
1380 krb5_authdata_context_free(krb5_context kcontext,
1381 krb5_authdata_context context);
1383 krb5_error_code KRB5_CALLCONV
1384 krb5_authdata_export_authdata(krb5_context kcontext,
1385 krb5_authdata_context context, krb5_flags usage,
1386 krb5_authdata ***pauthdata);
1388 krb5_error_code KRB5_CALLCONV
1389 krb5_authdata_get_attribute_types(krb5_context kcontext,
1390 krb5_authdata_context context,
1393 krb5_error_code KRB5_CALLCONV
1394 krb5_authdata_get_attribute(krb5_context kcontext,
1395 krb5_authdata_context context,
1396 const krb5_data *attribute,
1397 krb5_boolean *authenticated,
1398 krb5_boolean *complete, krb5_data *value,
1399 krb5_data *display_value, int *more);
1401 krb5_error_code KRB5_CALLCONV
1402 krb5_authdata_set_attribute(krb5_context kcontext,
1403 krb5_authdata_context context,
1404 krb5_boolean complete, const krb5_data *attribute,
1405 const krb5_data *value);
1407 krb5_error_code KRB5_CALLCONV
1408 krb5_authdata_delete_attribute(krb5_context kcontext,
1409 krb5_authdata_context context,
1410 const krb5_data *attribute);
1412 krb5_error_code KRB5_CALLCONV
1413 krb5_authdata_import_attributes(krb5_context kcontext,
1414 krb5_authdata_context context,
1415 krb5_flags usage, const krb5_data *attributes);
1417 krb5_error_code KRB5_CALLCONV
1418 krb5_authdata_export_attributes(krb5_context kcontext,
1419 krb5_authdata_context context,
1420 krb5_flags usage, krb5_data **pattributes);
1422 krb5_error_code KRB5_CALLCONV
1423 krb5_authdata_export_internal(krb5_context kcontext,
1424 krb5_authdata_context context,
1425 krb5_boolean restrict_authenticated,
1426 const char *module, void **ptr);
1428 krb5_error_code KRB5_CALLCONV
1429 krb5_authdata_context_copy(krb5_context kcontext, krb5_authdata_context src,
1430 krb5_authdata_context *dst);
1432 krb5_error_code KRB5_CALLCONV
1433 krb5_authdata_free_internal(krb5_context kcontext,
1434 krb5_authdata_context context, const char *module,
1437 /*** Plugin framework ***/
1440 * This framework can be used to create pluggable interfaces. Not all existing
1441 * pluggable interface use this framework, but new ones should. A new
1442 * pluggable interface entails:
1444 * - An interface ID definition in the list of #defines below.
1446 * - A name in the interface_names array in lib/krb5/krb/plugins.c.
1448 * - An installed public header file in include/krb5. The public header should
1449 * include <krb5/plugin.h> and should declare a vtable structure for each
1450 * supported major version of the interface.
1452 * - A consumer API implementation, located within the code unit which makes
1453 * use of the pluggable interface. The consumer API should consist of:
1455 * . An interface-specific handle type which contains a vtable structure for
1456 * the module (or a union of several such structures, if there are multiple
1457 * supported major versions) and, optionally, resource data bound to the
1460 * . An interface-specific loader function which creates a handle or list of
1461 * handles. A list of handles would be created if the interface is a
1462 * one-to-many interface where the consumer wants to consult all available
1463 * modules; a single handle would be created for an interface where the
1464 * consumer wants to consult a specific module. The loader function should
1465 * use k5_plugin_load or k5_plugin_load_all to produce one or a list of
1466 * vtable initializer functions, and should use those functions to fill in
1467 * the vtable structure for the module (if necessary, trying each supported
1468 * major version starting from the most recent). The loader function can
1469 * also bind resource data into the handle based on caller arguments, if
1472 * . For each plugin method, a wrapper function which accepts a krb5_context,
1473 * a plugin handle, and the method arguments. Wrapper functions should
1474 * invoke the method function contained in the handle's vtable.
1476 * - Possibly, built-in implementations of the interface, also located within
1477 * the code unit which makes use of the interface. Built-in implementations
1478 * must be registered with k5_plugin_register before the first call to
1479 * k5_plugin_load or k5_plugin_load_all.
1481 * A pluggable interface should have one or more currently supported major
1482 * versions, starting at 1. Each major version should have a current minor
1483 * version, also starting at 1. If new methods are added to a vtable, the
1484 * minor version should be incremented and the vtable stucture should document
1485 * where each minor vtable version ends. If method signatures for a vtable are
1486 * changed, the major version should be incremented.
1488 * Plugin module implementations (either built-in or dynamically loaded) should
1489 * define a function named <interfacename>_<modulename>_initvt, matching the
1490 * signature of krb5_plugin_initvt_fn as declared in include/krb5/plugin.h.
1491 * The initvt function should check the given maj_ver argument against its own
1492 * supported major versions, cast the vtable pointer to the appropriate
1493 * interface-specific vtable type, and fill in the vtable methods, stopping as
1494 * appropriate for the given min_ver. Memory for the vtable structure is
1495 * allocated by the caller, not by the module.
1497 * Dynamic plugin modules are registered with the framework through the
1498 * [plugins] section of the profile, as described in the admin documentation
1499 * and krb5.conf man page.
1503 * A linked list entry mapping a module name to a module initvt function. The
1504 * entry may also include a dynamic object handle so that it can be released
1505 * when the context is destroyed.
1507 struct plugin_mapping {
1509 krb5_plugin_initvt_fn module;
1510 struct plugin_file_handle *dyn_handle;
1511 struct plugin_mapping *next;
1514 /* Holds krb5_context information about each pluggable interface. */
1515 struct plugin_interface {
1516 struct plugin_mapping *modules;
1517 krb5_boolean configured;
1520 /* A list of plugin interface IDs. Make sure to increment
1521 * PLUGIN_NUM_INTERFACES when a new interface is added. */
1522 #define PLUGIN_INTERFACE_PWQUAL 0
1523 #define PLUGIN_INTERFACE_KADM5_HOOK 1
1524 #define PLUGIN_NUM_INTERFACES 2
1526 /* Retrieve the plugin module of type interface_id and name modname,
1527 * storing the result into module. */
1529 k5_plugin_load(krb5_context context, int interface_id, const char *modname,
1530 krb5_plugin_initvt_fn *module);
1532 /* Retrieve all plugin modules of type interface_id, storing the result
1533 * into modules. Free the result with k5_plugin_free_handles. */
1535 k5_plugin_load_all(krb5_context context, int interface_id,
1536 krb5_plugin_initvt_fn **modules);
1538 /* Release a module list allocated by k5_plugin_load_all. */
1540 k5_plugin_free_modules(krb5_context context, krb5_plugin_initvt_fn *modules);
1542 /* Register a plugin module of type interface_id and name modname. */
1544 k5_plugin_register(krb5_context context, int interface_id, const char *modname,
1545 krb5_plugin_initvt_fn module);
1547 /* Destroy the module state within context; used by krb5_free_context. */
1549 k5_plugin_free_context(krb5_context context);
1551 struct _kdb5_dal_handle; /* private, in kdb5.h */
1552 typedef struct _kdb5_dal_handle kdb5_dal_handle;
1553 struct _kdb_log_context;
1554 struct _krb5_context {
1556 krb5_enctype *in_tkt_etypes;
1557 krb5_enctype *tgs_etypes;
1558 struct _krb5_os_context os_context;
1559 char *default_realm;
1561 kdb5_dal_handle *dal_handle;
1564 /* allowable clock skew */
1565 krb5_deltat clockskew;
1566 krb5_cksumtype kdc_req_sumtype;
1567 krb5_cksumtype default_ap_req_sumtype;
1568 krb5_cksumtype default_safe_sumtype;
1569 krb5_flags kdc_default_options;
1570 krb5_flags library_options;
1571 krb5_boolean profile_secure;
1572 int fcc_default_format;
1573 krb5_prompt_type *prompt_types;
1574 /* Message size above which we'll try TCP first in send-to-kdc
1575 type code. Aside from the 2**16 size limit, we put no
1576 absolute limit on the UDP packet size. */
1579 /* Use the config-file ktypes instead of app-specified? */
1580 krb5_boolean use_conf_ktypes;
1582 #ifdef KRB5_DNS_LOOKUP
1583 krb5_boolean profile_in_memory;
1584 #endif /* KRB5_DNS_LOOKUP */
1586 /* locate_kdc module stuff */
1587 struct plugin_dir_handle libkrb5_plugins;
1588 struct krb5plugin_service_locate_ftable *vtbl;
1589 void (**locate_fptrs)(void);
1591 /* preauth module stuff */
1592 struct plugin_dir_handle preauth_plugins;
1593 krb5_preauth_context *preauth_context;
1595 /* error detail info */
1598 /* For Sun iprop code; does this really have to be here? */
1599 struct _kdb_log_context *kdblog_context;
1601 krb5_boolean allow_weak_crypto;
1603 krb5_trace_callback trace_callback;
1604 void *trace_callback_data;
1606 struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
1609 /* could be used in a table to find an etype and initialize a block */
1612 #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
1614 /* internal message representations */
1616 typedef struct _krb5_safe {
1618 krb5_data user_data; /* user data */
1619 krb5_timestamp timestamp; /* client time, optional */
1620 krb5_int32 usec; /* microsecond portion of time,
1622 krb5_ui_4 seq_number; /* sequence #, optional */
1623 krb5_address *s_address; /* sender address */
1624 krb5_address *r_address; /* recipient address, optional */
1625 krb5_checksum *checksum; /* data integrity checksum */
1628 typedef struct _krb5_priv {
1630 krb5_enc_data enc_part; /* encrypted part */
1633 typedef struct _krb5_priv_enc_part {
1635 krb5_data user_data; /* user data */
1636 krb5_timestamp timestamp; /* client time, optional */
1637 krb5_int32 usec; /* microsecond portion of time, opt. */
1638 krb5_ui_4 seq_number; /* sequence #, optional */
1639 krb5_address *s_address; /* sender address */
1640 krb5_address *r_address; /* recipient address, optional */
1641 } krb5_priv_enc_part;
1643 void KRB5_CALLCONV krb5_free_safe(krb5_context, krb5_safe *);
1644 void KRB5_CALLCONV krb5_free_priv(krb5_context, krb5_priv *);
1645 void KRB5_CALLCONV krb5_free_priv_enc_part(krb5_context, krb5_priv_enc_part *);
1653 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1654 /* here we use some knowledge of ASN.1 encodings */
1656 Ticket is APPLICATION 1.
1657 Authenticator is APPLICATION 2.
1658 AS_REQ is APPLICATION 10.
1659 AS_REP is APPLICATION 11.
1660 TGS_REQ is APPLICATION 12.
1661 TGS_REP is APPLICATION 13.
1662 AP_REQ is APPLICATION 14.
1663 AP_REP is APPLICATION 15.
1664 KRB_SAFE is APPLICATION 20.
1665 KRB_PRIV is APPLICATION 21.
1666 KRB_CRED is APPLICATION 22.
1667 EncASRepPart is APPLICATION 25.
1668 EncTGSRepPart is APPLICATION 26.
1669 EncAPRepPart is APPLICATION 27.
1670 EncKrbPrivPart is APPLICATION 28.
1671 EncKrbCredPart is APPLICATION 29.
1672 KRB_ERROR is APPLICATION 30.
1674 /* allow either constructed or primitive encoding, so check for bit 6
1676 #define krb5int_is_app_tag(dat,tag) \
1677 ((dat != NULL) && (dat)->length && \
1678 ((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
1679 #define krb5_is_krb_ticket(dat) krb5int_is_app_tag(dat, 1)
1680 #define krb5_is_krb_authenticator(dat) krb5int_is_app_tag(dat, 2)
1681 #define krb5_is_as_req(dat) krb5int_is_app_tag(dat, 10)
1682 #define krb5_is_as_rep(dat) krb5int_is_app_tag(dat, 11)
1683 #define krb5_is_tgs_req(dat) krb5int_is_app_tag(dat, 12)
1684 #define krb5_is_tgs_rep(dat) krb5int_is_app_tag(dat, 13)
1685 #define krb5_is_ap_req(dat) krb5int_is_app_tag(dat, 14)
1686 #define krb5_is_ap_rep(dat) krb5int_is_app_tag(dat, 15)
1687 #define krb5_is_krb_safe(dat) krb5int_is_app_tag(dat, 20)
1688 #define krb5_is_krb_priv(dat) krb5int_is_app_tag(dat, 21)
1689 #define krb5_is_krb_cred(dat) krb5int_is_app_tag(dat, 22)
1690 #define krb5_is_krb_enc_as_rep_part(dat) krb5int_is_app_tag(dat, 25)
1691 #define krb5_is_krb_enc_tgs_rep_part(dat) krb5int_is_app_tag(dat, 26)
1692 #define krb5_is_krb_enc_ap_rep_part(dat) krb5int_is_app_tag(dat, 27)
1693 #define krb5_is_krb_enc_krb_priv_part(dat) krb5int_is_app_tag(dat, 28)
1694 #define krb5_is_krb_enc_krb_cred_part(dat) krb5int_is_app_tag(dat, 29)
1695 #define krb5_is_krb_error(dat) krb5int_is_app_tag(dat, 30)
1697 /*************************************************************************
1698 * Prototypes for krb5_encode.c
1699 *************************************************************************/
1702 krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1705 effects Returns the ASN.1 encoding of *rep in **code.
1706 Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1707 Returns ENOMEM if memory runs out.
1711 encode_krb5_authenticator(const krb5_authenticator *rep, krb5_data **code);
1714 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
1717 encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code);
1720 encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep,
1723 /* yes, the translation is identical to that used for KDC__REP */
1725 encode_krb5_as_rep(const krb5_kdc_rep *rep, krb5_data **code);
1727 /* yes, the translation is identical to that used for KDC__REP */
1729 encode_krb5_tgs_rep(const krb5_kdc_rep *rep, krb5_data **code);
1732 encode_krb5_ap_req(const krb5_ap_req *rep, krb5_data **code);
1735 encode_krb5_ap_rep(const krb5_ap_rep *rep, krb5_data **code);
1738 encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1741 encode_krb5_as_req(const krb5_kdc_req *rep, krb5_data **code);
1744 encode_krb5_tgs_req(const krb5_kdc_req *rep, krb5_data **code);
1747 encode_krb5_kdc_req_body(const krb5_kdc_req *rep, krb5_data **code);
1750 encode_krb5_safe(const krb5_safe *rep, krb5_data **code);
1752 struct krb5_safe_with_body {
1757 encode_krb5_safe_with_body(const struct krb5_safe_with_body *rep,
1761 encode_krb5_priv(const krb5_priv *rep, krb5_data **code);
1764 encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_data **code);
1767 encode_krb5_cred(const krb5_cred *rep, krb5_data **code);
1769 encode_krb5_checksum(const krb5_checksum *, krb5_data **);
1772 encode_krb5_enc_cred_part(const krb5_cred_enc_part *rep, krb5_data **code);
1775 encode_krb5_error(const krb5_error *rep, krb5_data **code);
1778 encode_krb5_authdata(krb5_authdata *const *rep, krb5_data **code);
1781 encode_krb5_authdata_elt(const krb5_authdata *rep, krb5_data **code);
1784 encode_krb5_pwd_sequence(const passwd_phrase_element *rep, krb5_data **code);
1787 encode_krb5_pwd_data(const krb5_pwd_data *rep, krb5_data **code);
1790 encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
1793 encode_krb5_alt_method(const krb5_alt_method *, krb5_data **code);
1796 encode_krb5_etype_info(krb5_etype_info_entry *const *, krb5_data **code);
1799 encode_krb5_etype_info2(krb5_etype_info_entry *const *, krb5_data **code);
1802 encode_krb5_pa_enc_ts(const krb5_pa_enc_ts *, krb5_data **);
1805 encode_krb5_sam_challenge(const krb5_sam_challenge * , krb5_data **);
1808 encode_krb5_sam_key(const krb5_sam_key * , krb5_data **);
1811 encode_krb5_enc_sam_response_enc(const krb5_enc_sam_response_enc *,
1815 encode_krb5_sam_response(const krb5_sam_response *, krb5_data **);
1818 encode_krb5_sam_challenge_2(const krb5_sam_challenge_2 * , krb5_data **);
1821 encode_krb5_sam_challenge_2_body(const krb5_sam_challenge_2_body *,
1825 encode_krb5_enc_sam_response_enc_2(const krb5_enc_sam_response_enc_2 *,
1829 encode_krb5_sam_response_2(const krb5_sam_response_2 * , krb5_data **);
1832 encode_krb5_predicted_sam_response(const krb5_predicted_sam_response *,
1835 struct krb5_setpw_req {
1836 krb5_principal target;
1840 encode_krb5_setpw_req(const struct krb5_setpw_req *rep, krb5_data **code);
1843 encode_krb5_pa_for_user(const krb5_pa_for_user *, krb5_data **);
1846 encode_krb5_s4u_userid(const krb5_s4u_userid *, krb5_data **);
1849 encode_krb5_pa_s4u_x509_user(const krb5_pa_s4u_x509_user *, krb5_data **);
1852 encode_krb5_pa_svr_referral_data(const krb5_pa_svr_referral_data *,
1856 encode_krb5_pa_server_referral_data(const krb5_pa_server_referral_data *,
1860 encode_krb5_pa_pac_req(const krb5_pa_pac_req *, krb5_data **);
1863 encode_krb5_etype_list(const krb5_etype_list * , krb5_data **);
1866 encode_krb5_pa_fx_fast_request(const krb5_fast_armored_req *, krb5_data **);
1869 encode_krb5_fast_req(const krb5_fast_req *, krb5_data **);
1872 encode_krb5_pa_fx_fast_reply(const krb5_enc_data *, krb5_data **);
1875 encode_krb5_iakerb_header(const krb5_iakerb_header *, krb5_data **);
1878 encode_krb5_iakerb_finished(const krb5_iakerb_finished *, krb5_data **);
1881 encode_krb5_fast_response(const krb5_fast_response *, krb5_data **);
1884 encode_krb5_ad_kdcissued(const krb5_ad_kdcissued *, krb5_data **);
1887 encode_krb5_ad_signedpath(const krb5_ad_signedpath *, krb5_data **);
1890 encode_krb5_ad_signedpath_data(const krb5_ad_signedpath_data *, krb5_data **);
1892 /*************************************************************************
1893 * End of prototypes for krb5_encode.c
1894 *************************************************************************/
1897 decode_krb5_sam_challenge(const krb5_data *, krb5_sam_challenge **);
1900 decode_krb5_enc_sam_key(const krb5_data *, krb5_sam_key **);
1903 decode_krb5_enc_sam_response_enc(const krb5_data *,
1904 krb5_enc_sam_response_enc **);
1907 decode_krb5_sam_response(const krb5_data *, krb5_sam_response **);
1910 decode_krb5_predicted_sam_response(const krb5_data *,
1911 krb5_predicted_sam_response **);
1914 decode_krb5_sam_challenge_2(const krb5_data *, krb5_sam_challenge_2 **);
1917 decode_krb5_sam_challenge_2_body(const krb5_data *,
1918 krb5_sam_challenge_2_body **);
1921 decode_krb5_enc_sam_response_enc_2(const krb5_data *,
1922 krb5_enc_sam_response_enc_2 **);
1925 decode_krb5_sam_response_2(const krb5_data *, krb5_sam_response_2 **);
1928 /*************************************************************************
1929 * Prototypes for krb5_decode.c
1930 *************************************************************************/
1932 krb5_error_code decode_krb5_structure(const krb5_data *code,
1933 krb5_structure **rep);
1935 requires Expects **rep to not have been allocated;
1936 a new *rep is allocated regardless of the old value.
1937 effects Decodes *code into **rep.
1938 Returns ENOMEM if memory is exhausted.
1939 Returns asn1 and krb5 errors.
1943 decode_krb5_authenticator(const krb5_data *code, krb5_authenticator **rep);
1946 decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep);
1949 decode_krb5_encryption_key(const krb5_data *output, krb5_keyblock **rep);
1952 decode_krb5_enc_tkt_part(const krb5_data *output, krb5_enc_tkt_part **rep);
1955 decode_krb5_enc_kdc_rep_part(const krb5_data *output,
1956 krb5_enc_kdc_rep_part **rep);
1959 decode_krb5_as_rep(const krb5_data *output, krb5_kdc_rep **rep);
1962 decode_krb5_tgs_rep(const krb5_data *output, krb5_kdc_rep **rep);
1965 decode_krb5_ap_req(const krb5_data *output, krb5_ap_req **rep);
1968 decode_krb5_ap_rep(const krb5_data *output, krb5_ap_rep **rep);
1971 decode_krb5_ap_rep_enc_part(const krb5_data *output,
1972 krb5_ap_rep_enc_part **rep);
1975 decode_krb5_as_req(const krb5_data *output, krb5_kdc_req **rep);
1978 decode_krb5_tgs_req(const krb5_data *output, krb5_kdc_req **rep);
1981 decode_krb5_kdc_req_body(const krb5_data *output, krb5_kdc_req **rep);
1984 decode_krb5_safe(const krb5_data *output, krb5_safe **rep);
1987 decode_krb5_safe_with_body(const krb5_data *output, krb5_safe **rep,
1991 decode_krb5_priv(const krb5_data *output, krb5_priv **rep);
1994 decode_krb5_enc_priv_part(const krb5_data *output, krb5_priv_enc_part **rep);
1996 decode_krb5_checksum(const krb5_data *, krb5_checksum **);
1999 decode_krb5_cred(const krb5_data *output, krb5_cred **rep);
2002 decode_krb5_enc_cred_part(const krb5_data *output, krb5_cred_enc_part **rep);
2005 decode_krb5_error(const krb5_data *output, krb5_error **rep);
2008 decode_krb5_authdata(const krb5_data *output, krb5_authdata ***rep);
2011 decode_krb5_pwd_sequence(const krb5_data *output, passwd_phrase_element **rep);
2014 decode_krb5_pwd_data(const krb5_data *output, krb5_pwd_data **rep);
2017 decode_krb5_padata_sequence(const krb5_data *output, krb5_pa_data ***rep);
2020 decode_krb5_alt_method(const krb5_data *output, krb5_alt_method **rep);
2023 decode_krb5_etype_info(const krb5_data *output, krb5_etype_info_entry ***rep);
2026 decode_krb5_etype_info2(const krb5_data *output, krb5_etype_info_entry ***rep);
2029 decode_krb5_enc_data(const krb5_data *output, krb5_enc_data **rep);
2032 decode_krb5_pa_enc_ts(const krb5_data *output, krb5_pa_enc_ts **rep);
2035 decode_krb5_sam_key(const krb5_data *, krb5_sam_key **);
2038 decode_krb5_setpw_req(const krb5_data *, krb5_data **, krb5_principal *);
2041 decode_krb5_pa_for_user(const krb5_data *, krb5_pa_for_user **);
2044 decode_krb5_pa_s4u_x509_user(const krb5_data *, krb5_pa_s4u_x509_user **);
2047 decode_krb5_pa_svr_referral_data(const krb5_data *,
2048 krb5_pa_svr_referral_data **);
2051 decode_krb5_pa_server_referral_data(const krb5_data *,
2052 krb5_pa_server_referral_data **);
2055 decode_krb5_pa_pac_req(const krb5_data *, krb5_pa_pac_req **);
2058 decode_krb5_etype_list(const krb5_data *, krb5_etype_list **);
2061 decode_krb5_pa_fx_fast_request(const krb5_data *, krb5_fast_armored_req **);
2064 decode_krb5_fast_req(const krb5_data *, krb5_fast_req **);
2067 decode_krb5_pa_fx_fast_reply(const krb5_data *, krb5_enc_data **);
2070 decode_krb5_fast_response(const krb5_data *, krb5_fast_response **);
2073 decode_krb5_ad_kdcissued(const krb5_data *, krb5_ad_kdcissued **);
2076 decode_krb5_ad_signedpath(const krb5_data *, krb5_ad_signedpath **);
2079 decode_krb5_iakerb_header(const krb5_data *, krb5_iakerb_header **);
2082 decode_krb5_iakerb_finished(const krb5_data *, krb5_iakerb_finished **);
2084 struct _krb5_key_data; /* kdb.h */
2086 struct ldap_seqof_key_data {
2087 krb5_int32 mkvno; /* Master key version number */
2088 struct _krb5_key_data *key_data;
2089 krb5_int16 n_key_data;
2091 typedef struct ldap_seqof_key_data ldap_seqof_key_data;
2094 krb5int_ldap_encode_sequence_of_keys(const ldap_seqof_key_data *val,
2098 krb5int_ldap_decode_sequence_of_keys(krb5_data *in,
2099 ldap_seqof_key_data **rep);
2101 /*************************************************************************
2102 * End of prototypes for krb5_decode.c
2103 *************************************************************************/
2105 #endif /* KRB5_ASN1__ */
2112 * Internal krb5 library routines
2115 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
2118 krb5_encode_kdc_rep(krb5_context, krb5_msgtype, const krb5_enc_kdc_rep_part *,
2119 int using_subkey, const krb5_keyblock *, krb5_kdc_rep *,
2123 krb5int_auth_con_chkseqnum(krb5_context ctx, krb5_auth_context ac,
2126 * [De]Serialization Handle and operations.
2128 struct __krb5_serializer {
2130 krb5_error_code (*sizer) (krb5_context,
2133 krb5_error_code (*externalizer) (krb5_context,
2137 krb5_error_code (*internalizer) (krb5_context,
2142 typedef const struct __krb5_serializer * krb5_ser_handle;
2143 typedef struct __krb5_serializer krb5_ser_entry;
2145 krb5_ser_handle krb5_find_serializer(krb5_context, krb5_magic);
2146 krb5_error_code krb5_register_serializer(krb5_context, const krb5_ser_entry *);
2148 /* Determine the external size of a particular opaque structure */
2149 krb5_error_code KRB5_CALLCONV
2150 krb5_size_opaque(krb5_context, krb5_magic, krb5_pointer, size_t *);
2152 /* Serialize the structure into a buffer */
2153 krb5_error_code KRB5_CALLCONV
2154 krb5_externalize_opaque(krb5_context, krb5_magic, krb5_pointer, krb5_octet **,
2157 /* Deserialize the structure from a buffer */
2158 krb5_error_code KRB5_CALLCONV
2159 krb5_internalize_opaque(krb5_context, krb5_magic, krb5_pointer *,
2160 krb5_octet **, size_t *);
2162 /* Serialize data into a buffer */
2164 krb5_externalize_data(krb5_context, krb5_pointer, krb5_octet **, size_t *);
2166 * Initialization routines.
2169 /* Initialize serialization for krb5_[os_]context */
2170 krb5_error_code KRB5_CALLCONV krb5_ser_context_init(krb5_context);
2172 /* Initialize serialization for krb5_auth_context */
2173 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init(krb5_context);
2175 /* Initialize serialization for krb5_keytab */
2176 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init(krb5_context);
2178 /* Initialize serialization for krb5_ccache */
2179 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init(krb5_context);
2181 /* Initialize serialization for krb5_rcache */
2182 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init(krb5_context);
2184 /* [De]serialize 4-byte integer */
2185 krb5_error_code KRB5_CALLCONV
2186 krb5_ser_pack_int32(krb5_int32, krb5_octet **, size_t *);
2188 krb5_error_code KRB5_CALLCONV
2189 krb5_ser_unpack_int32(krb5_int32 *, krb5_octet **, size_t *);
2191 /* [De]serialize 8-byte integer */
2192 krb5_error_code KRB5_CALLCONV
2193 krb5_ser_pack_int64(krb5_int64, krb5_octet **, size_t *);
2195 krb5_error_code KRB5_CALLCONV
2196 krb5_ser_unpack_int64(krb5_int64 *, krb5_octet **, size_t *);
2198 /* [De]serialize byte string */
2199 krb5_error_code KRB5_CALLCONV
2200 krb5_ser_pack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
2202 krb5_error_code KRB5_CALLCONV
2203 krb5_ser_unpack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
2205 krb5_error_code KRB5_CALLCONV
2206 krb5int_cc_default(krb5_context, krb5_ccache *);
2208 krb5_error_code KRB5_CALLCONV
2209 krb5_cc_retrieve_cred_default(krb5_context, krb5_ccache, krb5_flags,
2210 krb5_creds *, krb5_creds *);
2212 krb5_boolean KRB5_CALLCONV
2213 krb5_creds_compare(krb5_context in_context, krb5_creds *in_creds,
2214 krb5_creds *in_compare_creds);
2217 krb5int_set_prompt_types(krb5_context, krb5_prompt_type *);
2220 krb5int_generate_and_save_subkey(krb5_context, krb5_auth_context,
2221 krb5_keyblock * /* Old keyblock, not new! */,
2224 /* set and change password helpers */
2227 krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context,
2228 krb5_data *ap_req, char *passwd, krb5_data *packet);
2231 krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
2232 krb5_data *packet, int *result_code,
2233 krb5_data *result_data);
2235 krb5_error_code KRB5_CALLCONV
2236 krb5_chpw_result_code_string(krb5_context context, int result_code,
2237 char **result_codestr);
2240 krb5int_mk_setpw_req(krb5_context context, krb5_auth_context auth_context,
2241 krb5_data *ap_req, krb5_principal targetprinc,
2242 char *passwd, krb5_data *packet);
2245 krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
2246 krb5_data *packet, int *result_code,
2247 krb5_data *result_data);
2250 krb5int_setpw_result_code_string(krb5_context context, int result_code,
2251 const char **result_codestr);
2253 struct srv_dns_entry {
2254 struct srv_dns_entry *next;
2257 unsigned short port;
2260 #ifdef KRB5_DNS_LOOKUP
2262 #define MAX_DNS_NAMELEN (15*(MAXHOSTNAMELEN + 1)+1)
2265 krb5int_make_srv_query_realm(const krb5_data *realm,
2266 const char *service,
2267 const char *protocol,
2268 struct srv_dns_entry **answers);
2269 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2272 /* value to use when requesting a keytab entry and KVNO doesn't matter */
2273 #define IGNORE_VNO 0
2274 /* value to use when requesting a keytab entry and enctype doesn't matter */
2275 #define IGNORE_ENCTYPE 0
2278 * Convenience function for structure magic number
2280 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
2281 if ((structure)->magic != (magic_number)) return (magic_number);
2283 /* to keep lint happy */
2284 #define krb5_xfree(val) free((char *)(val))
2286 /* To keep happy libraries which are (for now) accessing internal stuff */
2288 /* Make sure to increment by one when changing the struct */
2289 #define KRB5INT_ACCESS_STRUCT_VERSION 16
2292 struct ktext; /* from krb.h, for krb524 support */
2294 typedef struct _krb5int_access {
2296 krb5_error_code (*arcfour_gsscrypt)(const krb5_keyblock *keyblock,
2297 krb5_keyusage usage,
2298 const krb5_data *kd_data,
2299 krb5_crypto_iov *data,
2302 krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
2305 /* service location and communication */
2306 krb5_error_code (*sendto_udp)(krb5_context, const krb5_data *msg,
2307 const struct addrlist *,
2308 struct sendto_callback_info *,
2309 krb5_data *reply, struct sockaddr *,
2310 socklen_t *, struct sockaddr *,
2312 int (*msg_handler)(krb5_context,
2315 void *msg_handler_data);
2316 krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2317 const char *hostname,
2318 int port, int secport,
2319 int socktype, int family);
2320 void (*free_addrlist)(struct addrlist *);
2322 krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2323 const char *service,
2324 const char *protocol,
2325 struct srv_dns_entry **answers);
2326 void (*free_srv_dns_data)(struct srv_dns_entry *);
2327 int (*use_dns_kdc)(krb5_context);
2328 krb5_error_code (*clean_hostname)(krb5_context, const char *, char *,
2331 krb5_error_code (*mandatory_cksumtype)(krb5_context, krb5_enctype,
2333 krb5_error_code (KRB5_CALLCONV *ser_pack_int64)(krb5_int64, krb5_octet **,
2335 krb5_error_code (KRB5_CALLCONV *ser_unpack_int64)(krb5_int64 *,
2336 krb5_octet **, size_t *);
2338 /* Used for KDB LDAP back end. */
2340 (*asn1_ldap_encode_sequence_of_keys)(const ldap_seqof_key_data *val,
2344 (*asn1_ldap_decode_sequence_of_keys)(krb5_data *in,
2345 ldap_seqof_key_data **);
2347 /* Used for encrypted challenge fast factor*/
2348 krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **);
2349 krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **);
2350 void (*free_enc_data)(krb5_context, krb5_enc_data *);
2351 krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **);
2352 krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **);
2353 void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *);
2355 (*encrypt_helper)(krb5_context, const krb5_keyblock *, krb5_keyusage,
2356 const krb5_data *, krb5_enc_data *);
2359 * pkinit asn.1 encode/decode functions
2362 (*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code);
2365 (*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep,
2369 (*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep,
2373 (*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep,
2377 (*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep,
2381 (*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep,
2385 (*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep,
2389 (*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *,
2393 (*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *,
2397 (*encode_krb5_td_dh_parameters)(const krb5_algorithm_identifier **,
2401 (*encode_krb5_td_trusted_certifiers)(const
2402 krb5_external_principal_identifier **,
2406 (*encode_krb5_typed_data)(const krb5_typed_data **, krb5_data **code);
2409 (*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
2412 (*decode_krb5_auth_pack_draft9)(const krb5_data *,
2413 krb5_auth_pack_draft9 **);
2416 (*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **);
2419 (*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *,
2420 krb5_pa_pk_as_req_draft9 **);
2423 (*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
2426 (*decode_krb5_pa_pk_as_rep_draft9)(const krb5_data *,
2427 krb5_pa_pk_as_rep_draft9 **);
2430 (*decode_krb5_kdc_dh_key_info)(const krb5_data *, krb5_kdc_dh_key_info **);
2433 (*decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **);
2436 (*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **);
2439 (*decode_krb5_reply_key_pack_draft9)(const krb5_data *,
2440 krb5_reply_key_pack_draft9 **);
2443 (*decode_krb5_td_dh_parameters)(const krb5_data *,
2444 krb5_algorithm_identifier ***);
2447 (*decode_krb5_td_trusted_certifiers)(const krb5_data *,
2448 krb5_external_principal_identifier
2452 (*decode_krb5_typed_data)(const krb5_data *, krb5_typed_data ***);
2455 (*decode_krb5_as_req)(const krb5_data *output, krb5_kdc_req **rep);
2458 (*encode_krb5_kdc_req_body)(const krb5_kdc_req *rep, krb5_data **code);
2461 (KRB5_CALLCONV *free_kdc_req)(krb5_context, krb5_kdc_req * );
2463 (*set_prompt_types)(krb5_context, krb5_prompt_type *);
2466 (*encode_krb5_authdata_elt)(const krb5_authdata *rep, krb5_data **code);
2468 /* Exported for testing only! */
2470 (*encode_krb5_sam_response_2)(const krb5_sam_response_2 *rep,
2473 (*encode_krb5_enc_sam_response_enc_2)(const
2474 krb5_enc_sam_response_enc_2 *rep,
2478 #define KRB5INT_ACCESS_VERSION \
2479 (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2480 (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2482 krb5_error_code KRB5_CALLCONV
2483 krb5int_accessor(krb5int_access*, krb5_int32);
2485 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2486 because AFS (and potentially other applications?) use the krb4
2487 object as an opaque token, which (in some implementations) is not
2488 in fact a krb4 ticket, so we don't want to drag in the krb4 support
2489 just to enable this. */
2491 #define KRB524_SERVICE "krb524"
2492 #define KRB524_PORT 4444
2494 /* temporary -- this should be under lib/krb5/ccache somewhere */
2496 struct _krb5_ccache {
2498 const struct _krb5_cc_ops *ops;
2503 * Per-type ccache cursor.
2505 struct krb5_cc_ptcursor_s {
2506 const struct _krb5_cc_ops *ops;
2509 typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
2511 struct _krb5_cc_ops {
2514 const char * (KRB5_CALLCONV *get_name)(krb5_context, krb5_ccache);
2515 krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, krb5_ccache *,
2517 krb5_error_code (KRB5_CALLCONV *gen_new)(krb5_context, krb5_ccache *);
2518 krb5_error_code (KRB5_CALLCONV *init)(krb5_context, krb5_ccache,
2520 krb5_error_code (KRB5_CALLCONV *destroy)(krb5_context, krb5_ccache);
2521 krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_ccache);
2522 krb5_error_code (KRB5_CALLCONV *store)(krb5_context, krb5_ccache,
2524 krb5_error_code (KRB5_CALLCONV *retrieve)(krb5_context, krb5_ccache,
2525 krb5_flags, krb5_creds *,
2527 krb5_error_code (KRB5_CALLCONV *get_princ)(krb5_context, krb5_ccache,
2529 krb5_error_code (KRB5_CALLCONV *get_first)(krb5_context, krb5_ccache,
2531 krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_ccache,
2532 krb5_cc_cursor *, krb5_creds *);
2533 krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_ccache,
2535 krb5_error_code (KRB5_CALLCONV *remove_cred)(krb5_context, krb5_ccache,
2536 krb5_flags, krb5_creds *);
2537 krb5_error_code (KRB5_CALLCONV *set_flags)(krb5_context, krb5_ccache,
2539 krb5_error_code (KRB5_CALLCONV *get_flags)(krb5_context, krb5_ccache,
2541 krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2542 krb5_cc_ptcursor *);
2543 krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2546 krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2547 krb5_cc_ptcursor *);
2548 krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
2550 krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2551 krb5_ccache, krb5_timestamp *);
2552 krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2554 krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
2555 krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
2558 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2561 krb5int_cc_os_default_name(krb5_context context, char **name);
2563 typedef struct _krb5_donot_replay {
2566 char *server; /* null-terminated */
2567 char *client; /* null-terminated */
2568 char *msghash; /* null-terminated */
2570 krb5_timestamp ctime;
2571 } krb5_donot_replay;
2573 krb5_error_code krb5_rc_default(krb5_context, krb5_rcache *);
2574 krb5_error_code krb5_rc_resolve_type(krb5_context, krb5_rcache *,char *);
2575 krb5_error_code krb5_rc_resolve_full(krb5_context, krb5_rcache *,char *);
2576 char *krb5_rc_get_type(krb5_context, krb5_rcache);
2577 char *krb5_rc_default_type(krb5_context);
2578 char *krb5_rc_default_name(krb5_context);
2579 krb5_error_code krb5_auth_to_rep(krb5_context, krb5_tkt_authent *,
2580 krb5_donot_replay *);
2581 krb5_error_code krb5_rc_hash_message(krb5_context context,
2582 const krb5_data *message, char **out);
2584 krb5_error_code KRB5_CALLCONV
2585 krb5_rc_initialize(krb5_context, krb5_rcache, krb5_deltat);
2587 krb5_error_code KRB5_CALLCONV
2588 krb5_rc_recover_or_initialize(krb5_context, krb5_rcache,krb5_deltat);
2590 krb5_error_code KRB5_CALLCONV
2591 krb5_rc_recover(krb5_context, krb5_rcache);
2593 krb5_error_code KRB5_CALLCONV
2594 krb5_rc_destroy(krb5_context, krb5_rcache);
2596 krb5_error_code KRB5_CALLCONV
2597 krb5_rc_close(krb5_context, krb5_rcache);
2599 krb5_error_code KRB5_CALLCONV
2600 krb5_rc_store(krb5_context, krb5_rcache, krb5_donot_replay *);
2602 krb5_error_code KRB5_CALLCONV
2603 krb5_rc_expunge(krb5_context, krb5_rcache);
2605 krb5_error_code KRB5_CALLCONV
2606 krb5_rc_get_lifespan(krb5_context, krb5_rcache,krb5_deltat *);
2609 krb5_rc_get_name(krb5_context, krb5_rcache);
2611 krb5_error_code KRB5_CALLCONV
2612 krb5_rc_resolve(krb5_context, krb5_rcache, char *);
2615 * This structure was exposed and used in macros in krb5 1.2, so do not
2618 typedef struct _krb5_kt_ops {
2622 /* routines always present */
2623 krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, const char *,
2625 krb5_error_code (KRB5_CALLCONV *get_name)(krb5_context, krb5_keytab,
2626 char *, unsigned int);
2627 krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_keytab);
2628 krb5_error_code (KRB5_CALLCONV *get)(krb5_context, krb5_keytab,
2629 krb5_const_principal, krb5_kvno,
2630 krb5_enctype, krb5_keytab_entry *);
2631 krb5_error_code (KRB5_CALLCONV *start_seq_get)(krb5_context, krb5_keytab,
2633 krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_keytab,
2634 krb5_keytab_entry *,
2636 krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_keytab,
2638 /* routines to be included on extended version (write routines) */
2639 krb5_error_code (KRB5_CALLCONV *add)(krb5_context, krb5_keytab,
2640 krb5_keytab_entry *);
2641 krb5_error_code (KRB5_CALLCONV *remove)(krb5_context, krb5_keytab,
2642 krb5_keytab_entry *);
2644 /* Handle for serializer */
2645 const krb5_ser_entry *serializer;
2648 extern const krb5_kt_ops krb5_kt_dfl_ops;
2650 extern krb5_error_code krb5int_translate_gai_error(int);
2652 /* Not sure it's ready for exposure just yet. */
2653 extern krb5_error_code
2654 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
2656 extern int krb5int_crypto_init (void);
2657 extern int krb5int_prng_init(void);
2658 extern int krb5int_crypto_impl_init(void);
2661 * Referral definitions, debugging hooks, and subfunctions.
2663 #define KRB5_REFERRAL_MAXHOPS 10
2664 /* #define DEBUG_REFERRALS */
2666 #ifdef DEBUG_REFERRALS
2667 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2670 /* Common hostname-parsing code. */
2671 krb5_error_code KRB5_CALLCONV
2672 krb5int_clean_hostname(krb5_context, const char *, char *, size_t);
2675 krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
2679 krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec, krb5_crypto_iov *data,
2683 krb5int_camellia_cbc_mac(krb5_key key, const krb5_crypto_iov *data,
2684 size_t num_data, const krb5_data *iv,
2689 * There are no IANA assignments for these enctypes or cksumtypes yet. They
2690 * must be defined to local-use negative numbers at build time for Camellia-CCM
2691 * support to function at the moment. If one is defined, they should all be
2692 * defined. When IANA assignments exist, these definitions should move to the
2693 * appropriate places in krb5.hin and all CAMELLIA_CCM conditional code should
2694 * be made unconditional.
2696 #define ENCTYPE_CAMELLIA128_CCM_128 -XXX /* Camellia CCM mode, 128-bit key */
2697 #define ENCTYPE_CAMELLIA256_CCM_128 -YYY /* Camellia CCM mode, 256-bit key */
2698 #define CKSUMTYPE_CMAC_128_CAMELLIA128 -XXX /* CMAC, 128-bit Camellia key */
2699 #define CKSUMTYPE_CMAC_128_CAMELLIA256 -YYY /* CMAC, 256-bit Camellia key */
2702 #ifdef ENCTYPE_CAMELLIA128_CCM_128
2703 #define CAMELLIA_CCM
2706 struct _krb5_kt { /* should move into k5-int.h */
2708 const struct _krb5_kt_ops *ops;
2712 krb5_error_code krb5_set_default_in_tkt_ktypes(krb5_context,
2713 const krb5_enctype *);
2715 krb5_error_code krb5_get_default_in_tkt_ktypes(krb5_context, krb5_enctype **);
2717 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context,
2718 const krb5_enctype *);
2720 krb5_error_code KRB5_CALLCONV
2721 krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
2723 void KRB5_CALLCONV krb5_free_ktypes(krb5_context, krb5_enctype *);
2725 krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
2729 krb5_enctype *etype;
2730 krb5_boolean *etype_ok;
2731 krb5_int32 etype_count;
2732 } krb5_etypes_permitted;
2734 krb5_boolean krb5_is_permitted_enctype_ext(krb5_context,
2735 krb5_etypes_permitted *);
2737 krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
2739 krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
2740 krb5_const_pointer, krb5_kdc_rep *);
2741 krb5_error_code KRB5_CALLCONV krb5_decrypt_tkt_part(krb5_context,
2742 const krb5_keyblock *,
2745 krb5_error_code krb5_get_cred_via_tkt(krb5_context, krb5_creds *, krb5_flags,
2746 krb5_address *const *, krb5_creds *,
2749 krb5_error_code KRB5_CALLCONV krb5_copy_addr(krb5_context,
2750 const krb5_address *,
2753 void krb5_init_ets(krb5_context);
2754 void krb5_free_ets(krb5_context);
2755 krb5_error_code krb5_generate_subkey(krb5_context, const krb5_keyblock *,
2757 krb5_error_code krb5_generate_subkey_extended(krb5_context,
2758 const krb5_keyblock *,
2759 krb5_enctype, krb5_keyblock **);
2760 krb5_error_code krb5_generate_seq_number(krb5_context, const krb5_keyblock *,
2763 krb5_error_code KRB5_CALLCONV krb5_kt_register(krb5_context,
2764 const struct _krb5_kt_ops *);
2766 krb5_error_code krb5_principal2salt_norealm(krb5_context, krb5_const_principal,
2769 unsigned int KRB5_CALLCONV krb5_get_notification_message(void);
2772 krb5_error_code krb5_check_transited_list(krb5_context, const krb5_data *trans,
2773 const krb5_data *realm1,
2774 const krb5_data *realm2);
2777 void krb5_free_realm_tree(krb5_context, krb5_principal *);
2779 void KRB5_CALLCONV krb5_free_authenticator_contents(krb5_context,
2780 krb5_authenticator *);
2782 void KRB5_CALLCONV krb5_free_address(krb5_context, krb5_address *);
2784 void KRB5_CALLCONV krb5_free_enc_tkt_part(krb5_context, krb5_enc_tkt_part *);
2786 void KRB5_CALLCONV krb5_free_tickets(krb5_context, krb5_ticket **);
2787 void KRB5_CALLCONV krb5_free_kdc_req(krb5_context, krb5_kdc_req *);
2788 void KRB5_CALLCONV krb5_free_kdc_rep(krb5_context, krb5_kdc_rep *);
2789 void KRB5_CALLCONV krb5_free_last_req(krb5_context, krb5_last_req_entry **);
2790 void KRB5_CALLCONV krb5_free_enc_kdc_rep_part(krb5_context,
2791 krb5_enc_kdc_rep_part *);
2792 void KRB5_CALLCONV krb5_free_ap_req(krb5_context, krb5_ap_req *);
2793 void KRB5_CALLCONV krb5_free_ap_rep(krb5_context, krb5_ap_rep *);
2794 void KRB5_CALLCONV krb5_free_cred(krb5_context, krb5_cred *);
2795 void KRB5_CALLCONV krb5_free_cred_enc_part(krb5_context, krb5_cred_enc_part *);
2796 void KRB5_CALLCONV krb5_free_pa_data(krb5_context, krb5_pa_data **);
2797 void KRB5_CALLCONV krb5_free_tkt_authent(krb5_context, krb5_tkt_authent *);
2798 void KRB5_CALLCONV krb5_free_pwd_data(krb5_context, krb5_pwd_data *);
2799 void KRB5_CALLCONV krb5_free_pwd_sequences(krb5_context,
2800 passwd_phrase_element **);
2801 void KRB5_CALLCONV krb5_free_passwd_phrase_element(krb5_context,
2802 passwd_phrase_element *);
2803 void KRB5_CALLCONV krb5_free_alt_method(krb5_context, krb5_alt_method *);
2804 void KRB5_CALLCONV krb5_free_enc_data(krb5_context, krb5_enc_data *);
2805 krb5_error_code krb5_set_config_files(krb5_context, const char **);
2807 krb5_error_code KRB5_CALLCONV krb5_get_default_config_files(char ***filenames);
2809 void KRB5_CALLCONV krb5_free_config_files(char **filenames);
2811 krb5_error_code krb5int_find_authdata(krb5_context context,
2812 krb5_authdata *const *ticket_authdata,
2813 krb5_authdata *const *ap_req_authdata,
2814 krb5_authdatatype ad_type,
2815 krb5_authdata ***results);
2817 krb5_error_code krb5_rd_req_decoded(krb5_context, krb5_auth_context *,
2818 const krb5_ap_req *, krb5_const_principal,
2819 krb5_keytab, krb5_flags *, krb5_ticket **);
2821 krb5_error_code krb5_rd_req_decoded_anyflag(krb5_context, krb5_auth_context *,
2822 const krb5_ap_req *,
2823 krb5_const_principal, krb5_keytab,
2824 krb5_flags *, krb5_ticket **);
2826 krb5_error_code KRB5_CALLCONV
2827 krb5_cc_register(krb5_context, const krb5_cc_ops *, krb5_boolean );
2829 krb5_error_code krb5_walk_realm_tree(krb5_context, const krb5_data *,
2830 const krb5_data *, krb5_principal **,
2834 krb5_auth_con_set_safe_cksumtype(krb5_context, krb5_auth_context,
2837 krb5_error_code krb5_auth_con_setivector(krb5_context, krb5_auth_context,
2840 krb5_error_code krb5_auth_con_getivector(krb5_context, krb5_auth_context,
2843 krb5_error_code krb5_auth_con_setpermetypes(krb5_context, krb5_auth_context,
2844 const krb5_enctype *);
2846 krb5_error_code krb5_auth_con_getpermetypes(krb5_context, krb5_auth_context,
2849 krb5_error_code krb5_auth_con_get_subkey_enctype(krb5_context context,
2854 krb5_auth_con_get_authdata_context(krb5_context context,
2855 krb5_auth_context auth_context,
2856 krb5_authdata_context *ad_context);
2859 krb5_auth_con_set_authdata_context(krb5_context context,
2860 krb5_auth_context auth_context,
2861 krb5_authdata_context ad_context);
2863 krb5_error_code KRB5_CALLCONV
2864 krb5int_server_decrypt_ticket_keyblock(krb5_context context,
2865 const krb5_keyblock *key,
2866 krb5_ticket *ticket);
2868 krb5_error_code krb5_read_message(krb5_context, krb5_pointer, krb5_data *);
2869 krb5_error_code krb5_write_message(krb5_context, krb5_pointer, krb5_data *);
2870 krb5_error_code krb5int_write_messages(krb5_context, krb5_pointer, krb5_data *,
2872 int krb5_net_read(krb5_context, int , char *, int);
2873 int krb5_net_write(krb5_context, int , const char *, int);
2875 krb5_error_code KRB5_CALLCONV krb5_get_realm_domain(krb5_context,
2876 const char *, char ** );
2878 krb5_error_code krb5_gen_portaddr(krb5_context, const krb5_address *,
2879 krb5_const_pointer, krb5_address **);
2881 krb5_error_code krb5_gen_replay_name(krb5_context, const krb5_address *,
2882 const char *, char **);
2883 krb5_error_code krb5_make_fulladdr(krb5_context, krb5_address *,
2884 krb5_address *, krb5_address *);
2886 krb5_error_code krb5_set_debugging_time(krb5_context, krb5_timestamp,
2888 krb5_error_code krb5_use_natural_time(krb5_context);
2889 krb5_error_code krb5_set_time_offsets(krb5_context, krb5_timestamp,
2891 krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
2893 * The realm iterator functions
2896 krb5_error_code KRB5_CALLCONV
2897 krb5_realm_iterator_create(krb5_context context, void **iter_p);
2899 krb5_error_code KRB5_CALLCONV
2900 krb5_realm_iterator(krb5_context context, void **iter_p, char **ret_realm);
2903 krb5_realm_iterator_free(krb5_context context, void **iter_p);
2905 void KRB5_CALLCONV krb5_free_realm_string(krb5_context context, char *str);
2907 /* Internal principal function used by KIM to avoid code duplication */
2908 krb5_error_code KRB5_CALLCONV
2909 krb5int_build_principal_alloc_va(krb5_context context,
2910 krb5_principal *princ,
2916 /* Some data comparison and conversion functions. */
2918 data_eq(krb5_data d1, krb5_data d2)
2920 return (d1.length == d2.length
2921 && !memcmp(d1.data, d2.data, d1.length));
2924 static inline krb5_data
2925 make_data(void *data, unsigned int len)
2929 d.magic = KV5M_DATA;
2930 d.data = (char *) data;
2935 static inline krb5_data
2938 return make_data(NULL, 0);
2941 static inline krb5_data
2942 string2data(char *str)
2944 return make_data(str, strlen(str));
2947 static inline krb5_error_code
2948 alloc_data(krb5_data *data, unsigned int len)
2950 /* Allocate at least one byte since zero-byte allocs may return NULL. */
2951 char *ptr = (char *) calloc((len > 0) ? len : 1, 1);
2955 data->magic = KV5M_DATA;
2962 data_eq_string (krb5_data d, char *s)
2964 return data_eq(d, string2data(s));
2968 authdata_eq(krb5_authdata a1, krb5_authdata a2)
2970 return (a1.ad_type == a2.ad_type
2971 && a1.length == a2.length
2972 && !memcmp(a1.contents, a2.contents, a1.length));
2975 /* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
2976 static inline void *
2977 k5alloc(size_t len, krb5_error_code *code)
2981 /* Allocate at least one byte since zero-byte allocs may return NULL. */
2982 ptr = calloc((len > 0) ? len : 1, 1);
2983 *code = (ptr == NULL) ? ENOMEM : 0;
2987 krb5_error_code KRB5_CALLCONV
2988 krb5int_pac_sign(krb5_context context,
2990 krb5_timestamp authtime,
2991 krb5_const_principal principal,
2992 const krb5_keyblock *server_key,
2993 const krb5_keyblock *privsvr_key,
2996 krb5_error_code KRB5_CALLCONV
2997 krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
2999 krb5_creds *in_creds,
3001 krb5_creds **out_creds);
3003 krb5_error_code KRB5_CALLCONV
3004 krb5_get_credentials_for_proxy(krb5_context context,
3007 krb5_creds *in_creds,
3008 krb5_ticket *evidence_tkt,
3009 krb5_creds **out_creds);
3011 krb5_error_code KRB5_CALLCONV
3012 krb5int_get_authdata_containee_types(krb5_context context,
3013 const krb5_authdata *container,
3014 unsigned int *nad_types,
3015 krb5_authdatatype **ad_types);
3017 krb5_error_code krb5int_parse_enctype_list(krb5_context context, char *profstr,
3018 krb5_enctype *default_list,
3019 krb5_enctype **result);
3021 #ifdef DEBUG_ERROR_LOCATIONS
3022 #define krb5_set_error_message(ctx, code, ...) \
3023 krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__)
3025 void KRB5_CALLCONV_C
3026 krb5_set_error_message_fl (krb5_context ctx, krb5_error_code code,
3027 const char *file, int line, const char *fmt, ...)
3029 __attribute__((__format__(printf,5,6)))
3033 #ifndef DISABLE_TRACING
3034 /* Do not use these functions directly; see k5-trace.h. */
3035 void krb5int_init_trace(krb5_context context);
3036 void krb5int_trace(krb5_context context, const char *fmt, ...);
3039 #endif /* _KRB5_INT_H */