2 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology,
3 * Cambridge, MA, USA. All Rights Reserved.
5 * This software is being provided to you, the LICENSEE, by the
6 * Massachusetts Institute of Technology (M.I.T.) under the following
7 * license. By obtaining, using and/or copying this software, you agree
8 * that you have read, understood, and will comply with these terms and
11 * Export of this software from the United States of America may
12 * require a specific license from the United States Government.
13 * It is the responsibility of any person or organization contemplating
14 * export to obtain such a license before exporting.
16 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
17 * this software and its documentation for any purpose and without fee or
18 * royalty is hereby granted, provided that you agree to comply with the
19 * following copyright notice and statements, including the disclaimer, and
20 * that the same appear on ALL copies of the software and documentation,
21 * including modifications that you make for internal use or for
24 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
25 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
26 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
27 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
28 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
29 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
31 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
32 * be used in advertising or publicity pertaining to distribution of the
33 * software. Title to copyright in this software and any associated
34 * documentation shall at all times remain with M.I.T., and USER agrees to
37 * Furthermore if you modify this software you must label
38 * your software as modified software and not distribute it in such a
39 * fashion that it might be confused with the original M.I.T. software.
43 * Copyright (C) 1998 by the FundsXpress, INC.
45 * All rights reserved.
47 * Export of this software from the United States of America may require
48 * a specific license from the United States Government. It is the
49 * responsibility of any person or organization contemplating export to
50 * obtain such a license before exporting.
52 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
53 * distribute this software and its documentation for any purpose and
54 * without fee is hereby granted, provided that the above copyright
55 * notice appear in all copies and that both that copyright notice and
56 * this permission notice appear in supporting documentation, and that
57 * the name of FundsXpress. not be used in advertising or publicity pertaining
58 * to distribution of the software without specific, written prior
59 * permission. FundsXpress makes no representations about the suitability of
60 * this software for any purpose. It is provided "as is" without express
61 * or implied warranty.
63 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
64 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
65 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
69 * This prototype for k5-int.h (Krb5 internals include file)
70 * includes the user-visible definitions from krb5.h and then
71 * includes other definitions that are not user-visible but are
72 * required for compiling Kerberos internal routines.
74 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
81 #error krb5.h included before k5-int.h
82 #endif /* KRB5_GENERAL__ */
86 #if defined(__MACH__) && defined(__APPLE__)
87 # include <TargetConditionals.h>
88 # if TARGET_RT_MAC_CFM
89 # error "Use KfM 4.0 SDK headers for CFM compilation."
100 * Machine-type definitions: PC Clone 386 running Microloss Windows
103 #if defined(_MSDOS) || defined(_WIN32)
106 /* Kerberos Windows initialization file */
107 #define KERBEROS_INI "kerberos.ini"
108 #define INI_FILES "Files"
109 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */
110 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */
114 #include "autoconf.h"
116 #ifndef KRB5_SYSTYPES__
117 #define KRB5_SYSTYPES__
119 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */
120 #include <sys/types.h>
121 #else /* HAVE_SYS_TYPES_H */
122 typedef unsigned long u_long;
123 typedef unsigned int u_int;
124 typedef unsigned short u_short;
125 typedef unsigned char u_char;
126 #endif /* HAVE_SYS_TYPES_H */
127 #endif /* KRB5_SYSTYPES__ */
130 #include "k5-platform.h"
131 /* not used in krb5.h (yet) */
132 typedef UINT64_TYPE krb5_ui_8;
133 typedef INT64_TYPE krb5_int64;
136 #define DEFAULT_PWD_STRING1 "Enter password"
137 #define DEFAULT_PWD_STRING2 "Re-enter password for verification"
139 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
140 #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
141 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
144 * Windows requires a different api interface to each function. Here
145 * just define it as NULL.
147 #ifndef KRB5_CALLCONV
148 #define KRB5_CALLCONV
149 #define KRB5_CALLCONV_C
155 /* #define KRB5_OLD_CRYPTO is done in krb5.h */
157 #endif /* KRB5_CONFIG__ */
164 * After loading the configuration definitions, load the Kerberos definitions.
170 #include "port-sockets.h"
171 #include "socket-utils.h"
173 /* Get mutex support; currently used only for the replay cache. */
174 #include "k5-thread.h"
176 /* Get error info support. */
179 /* Get string buffer support. */
182 /* configuration variables */
183 #define KRB5_CONF_ACL_FILE "acl_file"
184 #define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
185 #define KRB5_CONF_ADMIN_SERVER "admin_server"
186 #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
187 #define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
188 #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
189 #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
190 #define KRB5_CONF_CANONICALIZE "canonicalize"
191 #define KRB5_CONF_CCACHE_TYPE "ccache_type"
192 #define KRB5_CONF_CLOCKSKEW "clockskew"
193 #define KRB5_CONF_DATABASE_NAME "database_name"
194 #define KRB5_CONF_DB_MODULE_DIR "db_module_dir"
195 #define KRB5_CONF_DB_MODULES "db_modules"
196 #define KRB5_CONF_DOMAIN_REALM "domain_realm"
197 #define KRB5_CONF_DEFAULT_REALM "default_realm"
198 #define KRB5_CONF_DEFAULT_DOMAIN "default_domain"
199 #define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
200 #define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes"
201 #define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name"
202 #define KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION "default_principal_expiration"
203 #define KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS "default_principal_flags"
204 #define KRB5_CONF_DICT_FILE "dict_file"
205 #define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
206 #define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
207 #define KRB5_CONF_DNS_FALLBACK "dns_fallback"
208 #define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
209 #define KRB5_CONF_FORWARDABLE "forwardable"
210 #define KRB5_CONF_HOST_BASED_SERVICES "host_based_services"
211 #define KRB5_CONF_IPROP_ENABLE "iprop_enable"
212 #define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
213 #define KRB5_CONF_IPROP_PORT "iprop_port"
214 #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll"
215 #define KRB5_CONF_IPROP_LOGFILE "iprop_logfile"
216 #define KRB5_CONF_KADMIND_PORT "kadmind_port"
217 #define KRB5_CONF_KRB524_SERVER "krb524_server"
218 #define KRB5_CONF_KDC "kdc"
219 #define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
220 #define KRB5_CONF_KDC_PORTS "kdc_ports"
221 #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
222 #define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
223 #define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
224 #define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
225 #define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
226 #define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
227 #define KRB5_CONF_KPASSWD_PORT "kpasswd_port"
228 #define KRB5_CONF_KPASSWD_SERVER "kpasswd_server"
229 #define KRB5_CONF_LIBDEFAULTS "libdefaults"
230 #define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn"
231 #define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn"
232 #define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file"
233 #define KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE "ldap_root_certificate_file"
234 #define KRB5_CONF_LDAP_SERVERS "ldap_servers"
235 #define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server"
236 #define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral"
237 #define KRB5_CONF_MASTER_KEY_NAME "master_key_name"
238 #define KRB5_CONF_MASTER_KEY_TYPE "master_key_type"
239 #define KRB5_CONF_MASTER_KDC "master_kdc"
240 #define KRB5_CONF_MAX_LIFE "max_life"
241 #define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
242 #define KRB5_CONF_NOADDRESSES "noaddresses"
243 #define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
244 #define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
245 #define KRB5_CONF_PROXIABLE "proxiable"
246 #define KRB5_CONF_RDNS "rdns"
247 #define KRB5_CONF_REALMS "realms"
248 #define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
249 #define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
250 #define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
251 #define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
252 #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
253 #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
254 #define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
255 #define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
256 #define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
257 #define KRB5_CONF_V4_REALM "v4_realm"
258 #define KRB5_CONF_ASTERISK "*"
260 /* Error codes used in KRB_ERROR protocol messages.
261 Return values of library routines are based on a different error table
262 (which allows non-ambiguous error codes between subsystems) */
265 #define KDC_ERR_NONE 0 /* No error */
266 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
267 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */
268 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */
269 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */
270 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */
271 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */
272 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */
273 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */
274 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */
275 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */
276 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */
277 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */
278 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */
279 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */
280 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */
281 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */
282 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */
283 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */
284 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */
285 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */
286 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */
287 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */
288 #define KDC_ERR_KEY_EXP 23 /* Password has expired */
289 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */
290 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */
292 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
293 /* ticket don't match*/
294 #define KDC_ERR_MUST_USE_USER2USER 27 /* Server principal valid for */
296 #define KDC_ERR_PATH_NOT_ACCEPTED 28 /* KDC policy rejected transited */
298 #define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
300 * required to process the
302 /* Application errors */
303 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */
304 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */
305 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */
306 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */
307 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */
308 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */
309 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */
310 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */
311 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */
312 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */
313 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */
314 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */
315 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */
316 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */
317 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */
318 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */
319 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */
320 /* method required */
321 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */
323 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */
324 /* checksum in message */
325 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */
326 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */
330 #define KRB_ERR_GENERIC 60 /* Generic error (description */
332 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */
334 /* PKINIT server-reported errors */
335 #define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
336 #define KDC_ERR_KDC_NOT_TRUSTED 63
337 #define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
338 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
339 #define KDC_ERR_CERTIFICATE_MISMATCH 66
340 #define KRB_AP_ERR_NO_TGT 67
341 #define KDC_ERR_WRONG_REALM 68
342 #define KRB_AP_ERR_USER_TO_USER_REQUIRED 69
343 #define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */
344 /* trusted root cert */
345 #define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
346 #define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
347 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
348 #define KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
349 #define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
351 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
352 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */
353 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */
354 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
355 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
358 * This structure is returned in the e-data field of the KRB-ERROR
359 * message when the error calling for an alternative form of
360 * authentication is returned, KRB_AP_ERR_METHOD.
362 typedef struct _krb5_alt_method {
370 * A null-terminated array of this structure is returned by the KDC as
371 * the data part of the ETYPE_INFO preauth type. It informs the
372 * client which encryption types are supported.
373 * The same data structure is used by both etype-info and etype-info2
374 * but s2kparams must be null when encoding etype-info.
376 typedef struct _krb5_etype_info_entry {
382 } krb5_etype_info_entry;
385 * This is essentially -1 without sign extension, which can break
386 * comparisons on 64-bit machines. If the length is this value, then
387 * the salt data is not present. This is to distinguish between not
388 * being set and being of 0 length.
390 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
392 typedef krb5_etype_info_entry ** krb5_etype_info;
395 typedef struct _krb5_etype_list {
397 krb5_enctype *etypes;
401 * a sam_challenge is returned for alternate preauth
404 SAMFlags ::= BIT STRING {
406 send-encrypted-sad[1],
407 must-pk-encrypt-sad[2]
411 PA-SAM-CHALLENGE ::= SEQUENCE {
413 sam-flags[1] SAMFlags,
414 sam-type-name[2] GeneralString OPTIONAL,
415 sam-track-id[3] GeneralString OPTIONAL,
416 sam-challenge-label[4] GeneralString OPTIONAL,
417 sam-challenge[5] GeneralString OPTIONAL,
418 sam-response-prompt[6] GeneralString OPTIONAL,
419 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
420 sam-nonce[8] INTEGER OPTIONAL,
421 sam-cksum[9] Checksum OPTIONAL
424 /* sam_type values -- informational only */
425 #define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */
426 #define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */
427 #define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */
428 #define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */
429 #define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */
430 #define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */
431 #if 1 /* XXX need to figure out who has which numbers assigned */
432 #define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */
433 #define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */
434 #define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */
436 #define PA_SAM_TYPE_EXP_BASE 128 /* experimental */
437 #define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */
438 #define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */
440 typedef struct _krb5_predicted_sam_response {
442 krb5_keyblock sam_key;
443 krb5_flags sam_flags; /* Makes key munging easier */
444 krb5_timestamp stime; /* time on server, for replay detection */
446 krb5_principal client;
447 krb5_data msd; /* mechanism specific data */
448 } krb5_predicted_sam_response;
450 typedef struct _krb5_sam_challenge {
452 krb5_int32 sam_type; /* information */
453 krb5_flags sam_flags; /* KRB5_SAM_* values */
454 krb5_data sam_type_name;
455 krb5_data sam_track_id;
456 krb5_data sam_challenge_label;
457 krb5_data sam_challenge;
458 krb5_data sam_response_prompt;
459 krb5_data sam_pk_for_sad;
460 krb5_int32 sam_nonce;
461 krb5_checksum sam_cksum;
462 } krb5_sam_challenge;
464 typedef struct _krb5_sam_key { /* reserved for future use */
466 krb5_keyblock sam_key;
469 typedef struct _krb5_enc_sam_response_enc {
471 krb5_int32 sam_nonce;
472 krb5_timestamp sam_timestamp;
475 } krb5_enc_sam_response_enc;
477 typedef struct _krb5_sam_response {
479 krb5_int32 sam_type; /* informational */
480 krb5_flags sam_flags; /* KRB5_SAM_* values */
481 krb5_data sam_track_id; /* copied */
482 krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */
483 krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
484 krb5_int32 sam_nonce;
485 krb5_timestamp sam_patimestamp;
488 typedef struct _krb5_sam_challenge_2 {
    /* Opaque challenge body; presumably the encoded form of
     * krb5_sam_challenge_2_body (declared below) -- confirm against the
     * ASN.1 encoder/decoder. */
489 krb5_data sam_challenge_2_body;
    /* Checksums over the challenge body, one per key the KDC may have used.
     * NOTE(review): the array termination convention is not visible here;
     * verify with the decoder before iterating over it. */
490 krb5_checksum **sam_cksum; /* Array of checksums */
491 } krb5_sam_challenge_2;
493 typedef struct _krb5_sam_challenge_2_body {
495 krb5_int32 sam_type; /* information */
496 krb5_flags sam_flags; /* KRB5_SAM_* values */
497 krb5_data sam_type_name;
498 krb5_data sam_track_id;
499 krb5_data sam_challenge_label;
500 krb5_data sam_challenge;
501 krb5_data sam_response_prompt;
502 krb5_data sam_pk_for_sad;
503 krb5_int32 sam_nonce;
504 krb5_enctype sam_etype;
505 } krb5_sam_challenge_2_body;
507 typedef struct _krb5_sam_response_2 {
509 krb5_int32 sam_type; /* informational */
510 krb5_flags sam_flags; /* KRB5_SAM_* values */
511 krb5_data sam_track_id; /* copied */
512 krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
513 krb5_int32 sam_nonce;
514 } krb5_sam_response_2;
516 typedef struct _krb5_enc_sam_response_enc_2 {
518 krb5_int32 sam_nonce;
520 } krb5_enc_sam_response_enc_2;
523 * Keep the pkinit definitions in a separate file so that the plugin
524 * only has to include k5-int-pkinit.h rather than k5-int.h
527 #include "k5-int-pkinit.h"
533 extern char *strdup (const char *);
540 #ifdef HAVE_SYS_TIME_H
541 #include <sys/time.h>
542 #ifdef TIME_WITH_SYS_TIME
549 #ifdef HAVE_SYS_STAT_H
550 #include <sys/stat.h> /* struct stat, stat() */
553 #ifdef HAVE_SYS_PARAM_H
554 #include <sys/param.h> /* MAXPATHLEN */
557 #ifdef HAVE_SYS_FILE_H
558 #include <sys/file.h> /* prototypes for file-related
559 syscalls; flags for open &
569 #include "k5-gmt_mktime.h"
572 struct sendto_callback_info;
575 krb5_error_code krb5_lock_file (krb5_context, int, int);
576 krb5_error_code krb5_unlock_file (krb5_context, int);
577 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *,
578 const krb5_data *, krb5_data *, int *, int);
580 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
581 const struct addrlist *addrs, struct sendto_callback_info* callback_info,
582 krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
583 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
584 int (*msg_handler)(krb5_context, const krb5_data *, void *),
585 void *msg_handler_data);
587 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
588 krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
589 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname);
590 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp);
592 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
594 krb5_error_code krb5int_init_context_kdc(krb5_context *);
596 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean);
598 void krb5_os_free_context (krb5_context);
600 /* This function is needed by KfM's KerberosPreferences API
601 * because it needs to be able to specify "secure" */
602 krb5_error_code os_get_default_config_files
603 (profile_filespec_t **pfiles, krb5_boolean secure);
605 krb5_error_code krb5_os_hostaddr
606 (krb5_context, const char *, krb5_address ***);
608 krb5_error_code krb5int_get_domain_realm_mapping
609 (krb5_context , const char *, char ***);
611 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
612 going to use this structure. */
618 struct undefined_addrinfo *ai;
620 void (*freefn)(void *);
626 #define ADDRLIST_INIT { 0, 0, 0 }
627 extern void krb5int_free_addrlist (struct addrlist *);
628 extern int krb5int_grow_addrlist (struct addrlist *, int);
629 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
632 #include <krb5/locate_plugin.h>
634 krb5int_locate_server (krb5_context, const krb5_data *realm,
635 struct addrlist *, enum locate_service_type svc,
636 int sockettype, int family);
638 /* new encryption provider api */
640 struct krb5_enc_provider {
641 /* keybytes is the input size to make_key;
642 keylength is the output size */
643 size_t block_size, keybytes, keylength;
645 /* cipher-state == 0 fresh state thrown away at end */
646 krb5_error_code (*encrypt) (const krb5_keyblock *key,
647 const krb5_data *cipher_state,
648 const krb5_data *input,
651 krb5_error_code (*decrypt) (const krb5_keyblock *key,
652 const krb5_data *ivec,
653 const krb5_data *input,
656 krb5_error_code (*make_key) (const krb5_data *randombits,
659 krb5_error_code (*init_state) (const krb5_keyblock *key,
660 krb5_keyusage keyusage, krb5_data *out_state);
661 krb5_error_code (*free_state) (krb5_data *state);
663 /* In-place encryption/decryption of multiple buffers */
664 krb5_error_code (*encrypt_iov) (const krb5_keyblock *key,
665 const krb5_data *cipher_state,
666 krb5_crypto_iov *data,
670 krb5_error_code (*decrypt_iov) (const krb5_keyblock *key,
671 const krb5_data *cipher_state,
672 krb5_crypto_iov *data,
677 struct krb5_hash_provider {
678 size_t hashsize, blocksize;
680 /* this takes multiple inputs to avoid lots of copying. */
681 krb5_error_code (*hash) (unsigned int icount, const krb5_data *input,
685 struct krb5_keyhash_provider {
688 krb5_error_code (*hash) (const krb5_keyblock *key,
689 krb5_keyusage keyusage,
690 const krb5_data *ivec,
691 const krb5_data *input,
694 krb5_error_code (*verify) (const krb5_keyblock *key,
695 krb5_keyusage keyusage,
696 const krb5_data *ivec,
697 const krb5_data *input,
698 const krb5_data *hash,
699 krb5_boolean *valid);
701 krb5_error_code (*hash_iov) (const krb5_keyblock *key,
702 krb5_keyusage keyusage,
703 const krb5_data *ivec,
704 const krb5_crypto_iov *data,
708 krb5_error_code (*verify_iov) (const krb5_keyblock *key,
709 krb5_keyusage keyusage,
710 const krb5_data *ivec,
711 const krb5_crypto_iov *data,
713 const krb5_data *hash,
714 krb5_boolean *valid);
717 struct krb5_aead_provider {
718 krb5_error_code (*crypto_length) (const struct krb5_aead_provider *aead,
719 const struct krb5_enc_provider *enc,
720 const struct krb5_hash_provider *hash,
721 krb5_cryptotype type,
722 unsigned int *length);
723 krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead,
724 const struct krb5_enc_provider *enc,
725 const struct krb5_hash_provider *hash,
726 const krb5_keyblock *key,
727 krb5_keyusage keyusage,
728 const krb5_data *ivec,
729 krb5_crypto_iov *data,
731 krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead,
732 const struct krb5_enc_provider *enc,
733 const struct krb5_hash_provider *hash,
734 const krb5_keyblock *key,
735 krb5_keyusage keyusage,
736 const krb5_data *ivec,
737 krb5_crypto_iov *data,
742 * in here to deal with stuff from lib/crypto
746 (unsigned int inbits, const unsigned char *in,
747 unsigned int outbits, unsigned char *out);
749 krb5_error_code krb5_hmac
750 (const struct krb5_hash_provider *hash,
751 const krb5_keyblock *key, unsigned int icount,
752 const krb5_data *input, krb5_data *output);
754 krb5_error_code krb5int_hmac_iov
755 (const struct krb5_hash_provider *hash,
756 const krb5_keyblock *key,
757 const krb5_crypto_iov *data, size_t num_data,
760 krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
764 /* Make this a function eventually? */
766 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
767 #elif defined(__GNUC__)
768 static inline void krb5int_zap_data(void *ptr, size_t len)
771 asm volatile ("" : : "g" (ptr), "g" (len));
774 # define krb5int_zap_data(ptr, len) memset((volatile void *)ptr, 0, len)
776 #define zap(p,l) krb5int_zap_data(p,l)
778 /* A definition of init_state for DES based encryption systems.
779 * sets up an 8-byte IV of all zeros
782 krb5_error_code krb5int_des_init_state
783 (const krb5_keyblock *key, krb5_keyusage keyusage, krb5_data *new_state);
786 * normally to free a cipher_state you can just memset the length to zero and
789 krb5_error_code krb5int_default_free_state
794 * Combine two keys (normally used by the hardware preauth mechanism)
796 krb5_error_code krb5int_c_combine_keys
797 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
798 krb5_keyblock *outkey);
800 void krb5int_c_free_keyblock
801 (krb5_context, krb5_keyblock *key);
802 void krb5int_c_free_keyblock_contents
803 (krb5_context, krb5_keyblock *);
804 krb5_error_code krb5int_c_init_keyblock
805 (krb5_context, krb5_enctype enctype,
806 size_t length, krb5_keyblock **out);
809 * Internal - for cleanup.
811 extern void krb5int_prng_cleanup (void);
815 * These declarations are here, so both krb5 and k5crypto
817 * krb5 needs to get to them so it can make them available to libgssapi.
819 extern const struct krb5_enc_provider krb5int_enc_arcfour;
820 extern const struct krb5_hash_provider krb5int_hash_md5;
823 #ifdef KRB5_OLD_CRYPTO
824 /* old provider api */
826 krb5_error_code krb5_crypto_os_localaddr
829 krb5_error_code krb5_crypto_us_timeofday
833 #endif /* KRB5_OLD_CRYPTO */
835 /* this helper function lives in libkrb5, but it makes sense to declare it here. */
837 krb5_error_code krb5_encrypt_helper
838 (krb5_context context, const krb5_keyblock *key,
839 krb5_keyusage keyusage, const krb5_data *plain,
840 krb5_enc_data *cipher);
846 typedef struct _krb5_os_context {
848 krb5_int32 time_offset;
849 krb5_int32 usec_offset;
851 char * default_ccname;
855 * Flags for the os_flags field
857 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
858 * The intention is that this facility is used to correct the system clocks so
859 * that they reflect the "real" time, for systems where for some
860 * reason we can't set the system clock. Instead we calculate the
861 * offset between the system time and real time, and store the offset
862 * in the os context so that we can correct the system clock as necessary.
864 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
865 * returned as the time by the krb5 time routines. This should only
866 * be used for testing purposes (obviously!)
868 #define KRB5_OS_TOFFSET_VALID 1
869 #define KRB5_OS_TOFFSET_TIME 2
871 /* lock mode flags */
872 #define KRB5_LOCKMODE_SHARED 0x0001
873 #define KRB5_LOCKMODE_EXCLUSIVE 0x0002
874 #define KRB5_LOCKMODE_DONTBLOCK 0x0004
875 #define KRB5_LOCKMODE_UNLOCK 0x0008
878 * Define our view of the size of a DES key.
880 #define KRB5_MIT_DES_KEYSIZE 8
882 * Check if des_int.h has been included before us. If so, then check to see
883 * that our view of the DES key size is the same as des_int.h's.
885 #ifdef MIT_DES_KEYSIZE
886 #if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
887 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
888 #endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
889 #endif /* MIT_DES_KEYSIZE */
894 * (Originally written by Glen Machin at Sandia Labs.)
897 * Sandia National Laboratories also makes no representations about the
898 * suitability of the modifications, or additions to this software for
899 * any purpose. It is provided "as is" without express or implied warranty.
902 #ifndef KRB5_PREAUTH__
903 #define KRB5_PREAUTH__
905 #include <krb5/preauth_plugin.h>
907 #define CLIENT_ROCK_MAGIC 0x4352434b
908 /* This structure is passed into the client preauth functions and passed
909 * back to the "get_data_proc" function so that it can locate the
910 * requested information. It is opaque to the plugin code and can be
911 * expanded in the future as new types of requests are defined which
912 * may require other things to be passed through. */
913 struct krb5int_fast_request_state;
914 typedef struct _krb5_preauth_client_rock {
917 struct krb5int_fast_request_state *fast_state;
918 } krb5_preauth_client_rock;
920 /* This structure lets us keep track of all of the modules which are loaded,
921 * turning the list of modules and their lists of implemented preauth types
922 * into a single list which we can walk easily. */
923 typedef struct _krb5_preauth_context {
925 struct _krb5_preauth_context_module {
926 /* Which of the possibly more than one preauth types which the
927 * module supports we're using at this point in the list. */
928 krb5_preauthtype pa_type;
929 /* Encryption types which the client claims to support -- we
930 * copy them directly into the krb5_kdc_req structure during
931 * krb5_preauth_prepare_request(). */
932 krb5_enctype *enctypes;
933 /* The plugin's per-plugin context and a function to clear it. */
934 void *plugin_context;
935 preauth_client_plugin_fini_proc client_fini;
936 /* The module's table, and some of its members, copied here for
937 * convenience when we populated the list. */
938 struct krb5plugin_preauth_client_ftable_v1 *ftable;
940 int flags, use_count;
941 preauth_client_process_proc client_process;
942 preauth_client_tryagain_proc client_tryagain;
943 preauth_client_supply_gic_opts_proc client_supply_gic_opts;
944 preauth_client_request_init_proc client_req_init;
945 preauth_client_request_fini_proc client_req_fini;
946 /* The per-request context which the client_req_init() function
947 * might allocate, which we'll need to clean up later by
948 * calling the client_req_fini() function. */
949 void *request_context;
950 /* A pointer to the request_context pointer. All modules within
951 * a plugin will point at the request_context of the first
952 * module within the plugin. */
953 void **request_context_pp;
955 } krb5_preauth_context;
957 typedef struct _krb5_pa_enc_ts {
958 krb5_timestamp patimestamp;
962 typedef struct _krb5_pa_for_user {
965 krb5_data auth_package;
969 KRB5_FAST_ARMOR_AP_REQUEST = 0x1
972 typedef struct _krb5_fast_armor {
973 krb5_int32 armor_type;
974 krb5_data armor_value;
976 typedef struct _krb5_fast_armored_req {
978 krb5_fast_armor *armor;
979 krb5_checksum req_checksum;
980 krb5_enc_data enc_part;
981 } krb5_fast_armored_req;
983 typedef struct _krb5_fast_req {
985 krb5_flags fast_options;
986 /* padata from req_body is used*/
987 krb5_kdc_req *req_body;
/* Bits 0-15 of fast_options are the critical range: a KDC that does not
 * understand a set critical bit must reject the request rather than ignore
 * it.  NOTE(review): the UNSUPPORTED_CRITICAL_FAST_OPTIONS mask below is
 * 0x00ff, i.e. only eight bit positions, and KRB5_FAST_OPTION_HIDE_CLIENT_NAMES
 * is 0x01 -- confirm that both agree with the bit numbering the flags decoder
 * actually produces before relying on this mask to reject unknown critical
 * options. */
991 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
992 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
994 typedef struct _krb5_fast_finished {
995 krb5_timestamp timestamp;
997 krb5_principal client;
998 krb5_checksum ticket_checksum;
999 } krb5_fast_finished;
1001 typedef struct _krb5_fast_response {
1003 krb5_pa_data **padata;
1004 krb5_keyblock *strengthen_key;
1005 krb5_fast_finished *finished;
1007 } krb5_fast_response;
1010 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1015 krb5_error_code ( * )(krb5_context,
1025 typedef krb5_error_code (*krb5_preauth_process_proc)
1030 krb5_error_code ( * )(krb5_context,
1036 krb5_error_code ( * )(krb5_context,
1037 const krb5_keyblock *,
1045 typedef struct _krb5_preauth_ops {
1049 krb5_preauth_obtain_proc obtain;
1050 krb5_preauth_process_proc process;
1053 krb5_error_code krb5_obtain_padata
1056 krb5_error_code ( * )(krb5_context,
1065 krb5_error_code krb5_process_padata
1069 krb5_error_code ( * )(krb5_context,
1075 krb5_error_code ( * )(krb5_context,
1076 const krb5_keyblock *,
1083 krb5_pa_data * krb5int_find_pa_data
1084 (krb5_context, krb5_pa_data * const *, krb5_preauthtype);
/* Returns a pointer into the supplied padata sequence, not a copy: the caller
 * must not free the result, and it is valid only as long as the original
 * sequence is.  Presumably NULL when no element of the requested type is
 * present -- confirm against the definition. */
1087 void krb5_free_etype_info
1088 (krb5_context, krb5_etype_info);
1091 * Preauthentication property flags
1093 #define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001
1094 #define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002
1096 #endif /* KRB5_PREAUTH__ */
1102 * Extending the krb5_get_init_creds_opt structure. The original
1103 * krb5_get_init_creds_opt structure is defined publicly. The
1104 * new extended version is private. The original interface
1105 * assumed a pre-allocated structure which was passed to
1106 * krb5_get_init_creds_init(). The new interface assumes that
1107 * the caller will call krb5_get_init_creds_alloc() and
1108 * krb5_get_init_creds_free().
1110 * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
1111 * opts structure using krb5_get_init_creds_alloc(). To do so will
1112 * introduce memory leaks. Unfortunately, there is no way to enforce
1115 * Two private flags are added for backward compatibility.
1116 * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1117 * with the new krb5_get_init_creds_opt_alloc() function.
1118 * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1119 * structure is a shadow copy of an original krb5_get_init_creds_opt
1121 * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1122 * krb5int_gic_opt_to_opte(), the resulting extended structure should be
1123 * freed (using krb5_get_init_creds_free). Otherwise, the original
1124 * structure was already extended and there is no need to free it.
/* Private flag bits kept in the flags member of krb5_get_init_creds_opt
 * (see the comment above).  EXTENDED marks a structure allocated by
 * krb5_get_init_creds_opt_alloc(); SHADOWED marks an extended structure that
 * is only a shadow copy of a caller-supplied legacy structure and therefore
 * has to be freed after use. */
#define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
#define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000

/* Both predicates tolerate a NULL (s) and yield exactly 0 or 1.  (s) is
 * evaluated more than once, so pass a side-effect-free expression. */
#define krb5_gic_opt_is_extended(s) \
    ((s) == 0 ? 0 : (((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) != 0))
#define krb5_gic_opt_is_shadowed(s) \
    ((s) == 0 ? 0 : (((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) != 0))
1136 typedef struct _krb5_gic_opt_private {
1137 int num_preauth_data;
1138 krb5_gic_opt_pa_data *preauth_data;
1139 char * fast_ccache_name;
1140 } krb5_gic_opt_private;
1143 * On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
1144 * of krb5_get_init_creds_opt.
1147 # pragma pack(push,2)
1150 typedef struct _krb5_gic_opt_ext {
1152 krb5_deltat tkt_life;
1153 krb5_deltat renew_life;
1156 krb5_enctype *etype_list;
1157 int etype_list_length;
1158 krb5_address **address_list;
1159 krb5_preauthtype *preauth_list;
1160 int preauth_list_length;
1163 * Do not change anything above this point in this structure.
1164 * It is identical to the public krb5_get_init_creds_opt structure.
1165 * New members must be added below.
1167 krb5_gic_opt_private *opt_private;
1175 krb5int_gic_opt_to_opte(krb5_context context,
1176 krb5_get_init_creds_opt *opt,
1177 krb5_gic_opt_ext **opte,
1182 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1185 krb5int_copy_data_contents_add0 (krb5_context, const krb5_data *, krb5_data *);
1188 krb5int_copy_creds_contents (krb5_context, const krb5_creds *, krb5_creds *);
1190 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1195 void *prompter_data,
1197 krb5_data *s2kparams,
1198 krb5_keyblock *as_key,
1201 krb5_error_code KRB5_CALLCONV
1203 (krb5_context context,
1205 krb5_principal client,
1206 krb5_prompter_fct prompter,
1207 void *prompter_data,
1208 krb5_deltat start_time,
1209 char *in_tkt_service,
1210 krb5_gic_opt_ext *gic_options,
1211 krb5_gic_get_as_key_fct gak,
1214 krb5_kdc_rep **as_reply);
1216 krb5_error_code krb5int_populate_gic_opt (
1217 krb5_context, krb5_gic_opt_ext **,
1218 krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1219 krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1222 krb5_error_code KRB5_CALLCONV krb5_do_preauth
1223 (krb5_context context,
1224 krb5_kdc_req *request,
1225 krb5_data *encoded_request_body,
1226 krb5_data *encoded_previous_request,
1227 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1228 krb5_data *salt, krb5_data *s2kparams,
1229 krb5_enctype *etype, krb5_keyblock *as_key,
1230 krb5_prompter_fct prompter, void *prompter_data,
1231 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1232 krb5_preauth_client_rock *get_data_rock,
1233 krb5_gic_opt_ext *opte);
1234 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain
1235 (krb5_context context,
1236 krb5_kdc_req *request,
1237 krb5_data *encoded_request_body,
1238 krb5_data *encoded_previous_request,
1239 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1240 krb5_error *err_reply,
1241 krb5_data *salt, krb5_data *s2kparams,
1242 krb5_enctype *etype, krb5_keyblock *as_key,
1243 krb5_prompter_fct prompter, void *prompter_data,
1244 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1245 krb5_preauth_client_rock *get_data_rock,
1246 krb5_gic_opt_ext *opte);
1247 void KRB5_CALLCONV krb5_init_preauth_context
1249 void KRB5_CALLCONV krb5_free_preauth_context
1251 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts
1253 void KRB5_CALLCONV krb5_preauth_prepare_request
1254 (krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *);
1255 void KRB5_CALLCONV krb5_preauth_request_context_init
1257 void KRB5_CALLCONV krb5_preauth_request_context_fini
1260 void KRB5_CALLCONV krb5_free_sam_challenge
1261 (krb5_context, krb5_sam_challenge * );
1262 void KRB5_CALLCONV krb5_free_sam_challenge_2
1263 (krb5_context, krb5_sam_challenge_2 * );
1264 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1265 (krb5_context, krb5_sam_challenge_2_body *);
1266 void KRB5_CALLCONV krb5_free_sam_response
1267 (krb5_context, krb5_sam_response * );
1268 void KRB5_CALLCONV krb5_free_sam_response_2
1269 (krb5_context, krb5_sam_response_2 * );
1270 void KRB5_CALLCONV krb5_free_predicted_sam_response
1271 (krb5_context, krb5_predicted_sam_response * );
1272 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1273 (krb5_context, krb5_enc_sam_response_enc * );
1274 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1275 (krb5_context, krb5_enc_sam_response_enc_2 * );
1276 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1277 (krb5_context, krb5_sam_challenge * );
1278 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1279 (krb5_context, krb5_sam_challenge_2 * );
1280 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1281 (krb5_context, krb5_sam_challenge_2_body * );
1282 void KRB5_CALLCONV krb5_free_sam_response_contents
1283 (krb5_context, krb5_sam_response * );
1284 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1285 (krb5_context, krb5_sam_response_2 *);
1286 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1287 (krb5_context, krb5_predicted_sam_response * );
1288 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1289 (krb5_context, krb5_enc_sam_response_enc * );
1290 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1291 (krb5_context, krb5_enc_sam_response_enc_2 * );
1293 void KRB5_CALLCONV krb5_free_pa_enc_ts
1294 (krb5_context, krb5_pa_enc_ts *);
1295 void KRB5_CALLCONV krb5_free_pa_for_user
1296 (krb5_context, krb5_pa_for_user * );
1297 void KRB5_CALLCONV krb5_free_pa_svr_referral_data
1298 (krb5_context, krb5_pa_svr_referral_data * );
1299 void KRB5_CALLCONV krb5_free_pa_server_referral_data
1300 (krb5_context, krb5_pa_server_referral_data * );
1301 void KRB5_CALLCONV krb5_free_pa_pac_req
1302 (krb5_context, krb5_pa_pac_req * );
1303 void KRB5_CALLCONV krb5_free_etype_list
1304 (krb5_context, krb5_etype_list * );
1306 void KRB5_CALLCONV krb5_free_fast_armor
1307 (krb5_context, krb5_fast_armor *);
1308 void KRB5_CALLCONV krb5_free_fast_armored_req
1309 (krb5_context, krb5_fast_armored_req *);
1310 void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *);
1311 void KRB5_CALLCONV krb5_free_fast_finished
1312 (krb5_context, krb5_fast_finished *);
1313 void KRB5_CALLCONV krb5_free_fast_response
1314 (krb5_context, krb5_fast_response *);
1316 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1317 #include "com_err.h"
1318 #include "k5-plugin.h"
1320 struct _kdb5_dal_handle; /* private, in kdb5.h */
1321 typedef struct _kdb5_dal_handle kdb5_dal_handle;
1322 struct _kdb_log_context;
1323 struct _krb5_context {
1325 krb5_enctype *in_tkt_etypes;
1326 krb5_enctype *tgs_etypes;
1327 struct _krb5_os_context os_context;
1328 char *default_realm;
1330 kdb5_dal_handle *dal_handle;
1333 /* allowable clock skew */
1334 krb5_deltat clockskew;
1335 krb5_cksumtype kdc_req_sumtype;
1336 krb5_cksumtype default_ap_req_sumtype;
1337 krb5_cksumtype default_safe_sumtype;
1338 krb5_flags kdc_default_options;
1339 krb5_flags library_options;
1340 krb5_boolean profile_secure;
1341 int fcc_default_format;
1342 krb5_prompt_type *prompt_types;
1343 /* Message size above which we'll try TCP first in send-to-kdc
1344 type code. Aside from the 2**16 size limit, we put no
1345 absolute limit on the UDP packet size. */
1348 /* Use the config-file ktypes instead of app-specified? */
1349 krb5_boolean use_conf_ktypes;
1351 #ifdef KRB5_DNS_LOOKUP
1352 krb5_boolean profile_in_memory;
1353 #endif /* KRB5_DNS_LOOKUP */
1355 /* locate_kdc module stuff */
1356 struct plugin_dir_handle libkrb5_plugins;
1357 struct krb5plugin_service_locate_ftable *vtbl;
1358 void (**locate_fptrs)(void);
1360 /* preauth module stuff */
1361 struct plugin_dir_handle preauth_plugins;
1362 krb5_preauth_context *preauth_context;
1364 /* error detail info */
1367 /* For Sun iprop code; does this really have to be here? */
1368 struct _kdb_log_context *kdblog_context;
1370 krb5_boolean allow_weak_crypto;
1373 /* could be used in a table to find an etype and initialize a block */
1376 #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
1378 /* internal message representations */
1380 typedef struct _krb5_safe {
1382 krb5_data user_data; /* user data */
1383 krb5_timestamp timestamp; /* client time, optional */
1384 krb5_int32 usec; /* microsecond portion of time,
1386 krb5_ui_4 seq_number; /* sequence #, optional */
1387 krb5_address *s_address; /* sender address */
1388 krb5_address *r_address; /* recipient address, optional */
1389 krb5_checksum *checksum; /* data integrity checksum */
1392 typedef struct _krb5_priv {
1394 krb5_enc_data enc_part; /* encrypted part */
1397 typedef struct _krb5_priv_enc_part {
1399 krb5_data user_data; /* user data */
1400 krb5_timestamp timestamp; /* client time, optional */
1401 krb5_int32 usec; /* microsecond portion of time, opt. */
1402 krb5_ui_4 seq_number; /* sequence #, optional */
1403 krb5_address *s_address; /* sender address */
1404 krb5_address *r_address; /* recipient address, optional */
1405 } krb5_priv_enc_part;
1407 void KRB5_CALLCONV krb5_free_safe
1408 (krb5_context, krb5_safe * );
1409 void KRB5_CALLCONV krb5_free_priv
1410 (krb5_context, krb5_priv * );
1411 void KRB5_CALLCONV krb5_free_priv_enc_part
1412 (krb5_context, krb5_priv_enc_part * );
1420 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1421 /* here we use some knowledge of ASN.1 encodings */
1423 Ticket is APPLICATION 1.
1424 Authenticator is APPLICATION 2.
1425 AS_REQ is APPLICATION 10.
1426 AS_REP is APPLICATION 11.
1427 TGS_REQ is APPLICATION 12.
1428 TGS_REP is APPLICATION 13.
1429 AP_REQ is APPLICATION 14.
1430 AP_REP is APPLICATION 15.
1431 KRB_SAFE is APPLICATION 20.
1432 KRB_PRIV is APPLICATION 21.
1433 KRB_CRED is APPLICATION 22.
1434 EncASRepPart is APPLICATION 25.
1435 EncTGSRepPart is APPLICATION 26.
1436 EncAPRepPart is APPLICATION 27.
1437 EncKrbPrivPart is APPLICATION 28.
1438 EncKrbCredPart is APPLICATION 29.
1439 KRB_ERROR is APPLICATION 30.
1441 /* allow either constructed or primitive encoding, so check for bit 6
/* Cheap first-octet discriminator for an encoded Kerberos message, used by
 * the krb5_is_* wrappers below: true when (dat) is non-NULL, non-empty, and
 * its leading identifier octet is APPLICATION class (0x40) with tag number
 * (tag), ignoring the constructed bit (0x20).  All tag numbers used here are
 * below 31, so the single-octet identifier form is sufficient.
 *
 * Only the first octet is examined: neither the length octets nor the
 * contents are validated, so a positive result says nothing about whether
 * the message is well-formed -- callers must still run the full ASN.1
 * decoder on it.  If data[0] is a plain (possibly signed) char, an octet
 * with the high bit set compares as a negative value and simply fails to
 * match, which is the correct outcome.  (dat) is evaluated more than once,
 * so pass only side-effect-free expressions. */
#define krb5int_is_app_tag(dat,tag)\
    ((dat) && (dat)->length && \
     ((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
1446 #define krb5_is_krb_ticket(dat) krb5int_is_app_tag(dat, 1)
1447 #define krb5_is_krb_authenticator(dat) krb5int_is_app_tag(dat, 2)
1448 #define krb5_is_as_req(dat) krb5int_is_app_tag(dat, 10)
1449 #define krb5_is_as_rep(dat) krb5int_is_app_tag(dat, 11)
1450 #define krb5_is_tgs_req(dat) krb5int_is_app_tag(dat, 12)
1451 #define krb5_is_tgs_rep(dat) krb5int_is_app_tag(dat, 13)
1452 #define krb5_is_ap_req(dat) krb5int_is_app_tag(dat, 14)
1453 #define krb5_is_ap_rep(dat) krb5int_is_app_tag(dat, 15)
1454 #define krb5_is_krb_safe(dat) krb5int_is_app_tag(dat, 20)
1455 #define krb5_is_krb_priv(dat) krb5int_is_app_tag(dat, 21)
1456 #define krb5_is_krb_cred(dat) krb5int_is_app_tag(dat, 22)
1457 #define krb5_is_krb_enc_as_rep_part(dat) krb5int_is_app_tag(dat, 25)
1458 #define krb5_is_krb_enc_tgs_rep_part(dat) krb5int_is_app_tag(dat, 26)
1459 #define krb5_is_krb_enc_ap_rep_part(dat) krb5int_is_app_tag(dat, 27)
1460 #define krb5_is_krb_enc_krb_priv_part(dat) krb5int_is_app_tag(dat, 28)
1461 #define krb5_is_krb_enc_krb_cred_part(dat) krb5int_is_app_tag(dat, 29)
1462 #define krb5_is_krb_error(dat) krb5int_is_app_tag(dat, 30)
1464 /*************************************************************************
1465 * Prototypes for krb5_encode.c
1466 *************************************************************************/
1469 krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1472 effects Returns the ASN.1 encoding of *rep in **code.
Returns ASN1_MISSING_FIELD if a required field is empty in *rep.
1474 Returns ENOMEM if memory runs out.
1477 krb5_error_code encode_krb5_authenticator
1478 (const krb5_authenticator *rep, krb5_data **code);
1480 krb5_error_code encode_krb5_ticket
1481 (const krb5_ticket *rep, krb5_data **code);
1483 krb5_error_code encode_krb5_encryption_key
1484 (const krb5_keyblock *rep, krb5_data **code);
1486 krb5_error_code encode_krb5_enc_tkt_part
1487 (const krb5_enc_tkt_part *rep, krb5_data **code);
1489 krb5_error_code encode_krb5_enc_kdc_rep_part
1490 (const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1492 /* yes, the translation is identical to that used for KDC__REP */
1493 krb5_error_code encode_krb5_as_rep
1494 (const krb5_kdc_rep *rep, krb5_data **code);
1496 /* yes, the translation is identical to that used for KDC__REP */
1497 krb5_error_code encode_krb5_tgs_rep
1498 (const krb5_kdc_rep *rep, krb5_data **code);
1500 krb5_error_code encode_krb5_ap_req
1501 (const krb5_ap_req *rep, krb5_data **code);
1503 krb5_error_code encode_krb5_ap_rep
1504 (const krb5_ap_rep *rep, krb5_data **code);
1506 krb5_error_code encode_krb5_ap_rep_enc_part
1507 (const krb5_ap_rep_enc_part *rep, krb5_data **code);
1509 krb5_error_code encode_krb5_as_req
1510 (const krb5_kdc_req *rep, krb5_data **code);
1512 krb5_error_code encode_krb5_tgs_req
1513 (const krb5_kdc_req *rep, krb5_data **code);
1515 krb5_error_code encode_krb5_kdc_req_body
1516 (const krb5_kdc_req *rep, krb5_data **code);
1518 krb5_error_code encode_krb5_safe
1519 (const krb5_safe *rep, krb5_data **code);
1521 struct krb5_safe_with_body {
1525 krb5_error_code encode_krb5_safe_with_body
1526 (const struct krb5_safe_with_body *rep, krb5_data **code);
1528 krb5_error_code encode_krb5_priv
1529 (const krb5_priv *rep, krb5_data **code);
1531 krb5_error_code encode_krb5_enc_priv_part
1532 (const krb5_priv_enc_part *rep, krb5_data **code);
1534 krb5_error_code encode_krb5_cred
1535 (const krb5_cred *rep, krb5_data **code);
1537 krb5_error_code encode_krb5_enc_cred_part
1538 (const krb5_cred_enc_part *rep, krb5_data **code);
1540 krb5_error_code encode_krb5_error
1541 (const krb5_error *rep, krb5_data **code);
1543 krb5_error_code encode_krb5_authdata
1544 (krb5_authdata *const *rep, krb5_data **code);
1546 krb5_error_code encode_krb5_authdata_elt
1547 (const krb5_authdata *rep, krb5_data **code);
1549 krb5_error_code encode_krb5_pwd_sequence
1550 (const passwd_phrase_element *rep, krb5_data **code);
1552 krb5_error_code encode_krb5_pwd_data
1553 (const krb5_pwd_data *rep, krb5_data **code);
1555 krb5_error_code encode_krb5_padata_sequence
1556 (krb5_pa_data *const *rep, krb5_data **code);
1558 krb5_error_code encode_krb5_alt_method
1559 (const krb5_alt_method *, krb5_data **code);
1561 krb5_error_code encode_krb5_etype_info
1562 (krb5_etype_info_entry *const *, krb5_data **code);
1563 krb5_error_code encode_krb5_etype_info2
1564 (krb5_etype_info_entry *const *, krb5_data **code);
1566 krb5_error_code encode_krb5_enc_data
1567 (const krb5_enc_data *, krb5_data **);
1569 krb5_error_code encode_krb5_pa_enc_ts
1570 (const krb5_pa_enc_ts *, krb5_data **);
1572 krb5_error_code encode_krb5_sam_challenge
1573 (const krb5_sam_challenge * , krb5_data **);
1575 krb5_error_code encode_krb5_sam_key
1576 (const krb5_sam_key * , krb5_data **);
1578 krb5_error_code encode_krb5_enc_sam_response_enc
1579 (const krb5_enc_sam_response_enc * , krb5_data **);
1581 krb5_error_code encode_krb5_sam_response
1582 (const krb5_sam_response * , krb5_data **);
1584 #if 0 /* currently not compiled because we never use them */
1585 krb5_error_code encode_krb5_sam_challenge_2
1586 (const krb5_sam_challenge_2 * , krb5_data **);
1588 krb5_error_code encode_krb5_sam_challenge_2_body
1589 (const krb5_sam_challenge_2_body * , krb5_data **);
1592 krb5_error_code encode_krb5_enc_sam_response_enc_2
1593 (const krb5_enc_sam_response_enc_2 * , krb5_data **);
1595 krb5_error_code encode_krb5_sam_response_2
1596 (const krb5_sam_response_2 * , krb5_data **);
1598 krb5_error_code encode_krb5_predicted_sam_response
1599 (const krb5_predicted_sam_response * , krb5_data **);
1601 struct krb5_setpw_req {
1602 krb5_principal target;
1605 krb5_error_code encode_krb5_setpw_req
1606 (const struct krb5_setpw_req *rep, krb5_data **code);
1608 krb5_error_code encode_krb5_pa_for_user
1609 (const krb5_pa_for_user * , krb5_data **);
1611 krb5_error_code encode_krb5_pa_svr_referral_data
1612 (const krb5_pa_svr_referral_data * , krb5_data **);
1614 krb5_error_code encode_krb5_pa_server_referral_data
1615 (const krb5_pa_server_referral_data * , krb5_data **);
1617 krb5_error_code encode_krb5_pa_pac_req
1618 (const krb5_pa_pac_req * , krb5_data **);
1620 krb5_error_code encode_krb5_etype_list
1621 (const krb5_etype_list * , krb5_data **);
1623 krb5_error_code encode_krb5_pa_fx_fast_request
1624 (const krb5_fast_armored_req *, krb5_data **);
1625 krb5_error_code encode_krb5_fast_req
1626 (const krb5_fast_req *, krb5_data **);
1627 krb5_error_code encode_krb5_pa_fx_fast_reply
1628 (const krb5_enc_data *, krb5_data **);
1630 krb5_error_code encode_krb5_fast_response
1631 (const krb5_fast_response *, krb5_data **);
1633 /*************************************************************************
1634 * End of prototypes for krb5_encode.c
1635 *************************************************************************/
1637 krb5_error_code decode_krb5_sam_challenge
1638 (const krb5_data *, krb5_sam_challenge **);
1640 krb5_error_code decode_krb5_enc_sam_key
1641 (const krb5_data *, krb5_sam_key **);
1643 krb5_error_code decode_krb5_enc_sam_response_enc
1644 (const krb5_data *, krb5_enc_sam_response_enc **);
1646 krb5_error_code decode_krb5_sam_response
1647 (const krb5_data *, krb5_sam_response **);
1649 krb5_error_code decode_krb5_predicted_sam_response
1650 (const krb5_data *, krb5_predicted_sam_response **);
1652 krb5_error_code decode_krb5_sam_challenge_2
1653 (const krb5_data *, krb5_sam_challenge_2 **);
1655 krb5_error_code decode_krb5_sam_challenge_2_body
1656 (const krb5_data *, krb5_sam_challenge_2_body **);
1658 krb5_error_code decode_krb5_enc_sam_response_enc_2
1659 (const krb5_data *, krb5_enc_sam_response_enc_2 **);
1661 krb5_error_code decode_krb5_sam_response_2
1662 (const krb5_data *, krb5_sam_response_2 **);
1665 /*************************************************************************
1666 * Prototypes for krb5_decode.c
1667 *************************************************************************/
1669 krb5_error_code krb5_validate_times
1671 krb5_ticket_times *);
1674 krb5_error_code decode_krb5_structure(const krb5_data *code,
1675 krb5_structure **rep);
1677 requires Expects **rep to not have been allocated;
1678 a new *rep is allocated regardless of the old value.
1679 effects Decodes *code into **rep.
1680 Returns ENOMEM if memory is exhausted.
1681 Returns asn1 and krb5 errors.
1684 krb5_error_code decode_krb5_authenticator
1685 (const krb5_data *code, krb5_authenticator **rep);
1687 krb5_error_code decode_krb5_ticket
1688 (const krb5_data *code, krb5_ticket **rep);
1690 krb5_error_code decode_krb5_encryption_key
1691 (const krb5_data *output, krb5_keyblock **rep);
1693 krb5_error_code decode_krb5_enc_tkt_part
1694 (const krb5_data *output, krb5_enc_tkt_part **rep);
1696 krb5_error_code decode_krb5_enc_kdc_rep_part
1697 (const krb5_data *output, krb5_enc_kdc_rep_part **rep);
1699 krb5_error_code decode_krb5_as_rep
1700 (const krb5_data *output, krb5_kdc_rep **rep);
1702 krb5_error_code decode_krb5_tgs_rep
1703 (const krb5_data *output, krb5_kdc_rep **rep);
1705 krb5_error_code decode_krb5_ap_req
1706 (const krb5_data *output, krb5_ap_req **rep);
1708 krb5_error_code decode_krb5_ap_rep
1709 (const krb5_data *output, krb5_ap_rep **rep);
1711 krb5_error_code decode_krb5_ap_rep_enc_part
1712 (const krb5_data *output, krb5_ap_rep_enc_part **rep);
1714 krb5_error_code decode_krb5_as_req
1715 (const krb5_data *output, krb5_kdc_req **rep);
1717 krb5_error_code decode_krb5_tgs_req
1718 (const krb5_data *output, krb5_kdc_req **rep);
1720 krb5_error_code decode_krb5_kdc_req_body
1721 (const krb5_data *output, krb5_kdc_req **rep);
1723 krb5_error_code decode_krb5_safe
1724 (const krb5_data *output, krb5_safe **rep);
1726 krb5_error_code decode_krb5_safe_with_body
1727 (const krb5_data *output, krb5_safe **rep, krb5_data *body);
1729 krb5_error_code decode_krb5_priv
1730 (const krb5_data *output, krb5_priv **rep);
1732 krb5_error_code decode_krb5_enc_priv_part
1733 (const krb5_data *output, krb5_priv_enc_part **rep);
1735 krb5_error_code decode_krb5_cred
1736 (const krb5_data *output, krb5_cred **rep);
1738 krb5_error_code decode_krb5_enc_cred_part
1739 (const krb5_data *output, krb5_cred_enc_part **rep);
1741 krb5_error_code decode_krb5_error
1742 (const krb5_data *output, krb5_error **rep);
1744 krb5_error_code decode_krb5_authdata
1745 (const krb5_data *output, krb5_authdata ***rep);
1747 krb5_error_code decode_krb5_pwd_sequence
1748 (const krb5_data *output, passwd_phrase_element **rep);
1750 krb5_error_code decode_krb5_pwd_data
1751 (const krb5_data *output, krb5_pwd_data **rep);
1753 krb5_error_code decode_krb5_padata_sequence
1754 (const krb5_data *output, krb5_pa_data ***rep);
1756 krb5_error_code decode_krb5_alt_method
1757 (const krb5_data *output, krb5_alt_method **rep);
1759 krb5_error_code decode_krb5_etype_info
1760 (const krb5_data *output, krb5_etype_info_entry ***rep);
1762 krb5_error_code decode_krb5_etype_info2
1763 (const krb5_data *output, krb5_etype_info_entry ***rep);
1765 krb5_error_code decode_krb5_enc_data
1766 (const krb5_data *output, krb5_enc_data **rep);
1768 krb5_error_code decode_krb5_pa_enc_ts
1769 (const krb5_data *output, krb5_pa_enc_ts **rep);
1771 krb5_error_code decode_krb5_sam_key
1772 (const krb5_data *, krb5_sam_key **);
1774 krb5_error_code decode_krb5_setpw_req
1775 (const krb5_data *, krb5_data **, krb5_principal *);
1777 krb5_error_code decode_krb5_pa_for_user
1778 (const krb5_data *, krb5_pa_for_user **);
1780 krb5_error_code decode_krb5_pa_svr_referral_data
1781 (const krb5_data *, krb5_pa_svr_referral_data **);
1783 krb5_error_code decode_krb5_pa_server_referral_data
1784 (const krb5_data *, krb5_pa_server_referral_data **);
1786 krb5_error_code decode_krb5_pa_pac_req
1787 (const krb5_data *, krb5_pa_pac_req **);
1789 krb5_error_code decode_krb5_etype_list
1790 (const krb5_data *, krb5_etype_list **);
1792 krb5_error_code decode_krb5_pa_fx_fast_request
1793 (const krb5_data *, krb5_fast_armored_req **);
1795 krb5_error_code decode_krb5_fast_req
1796 (const krb5_data *, krb5_fast_req **);
1799 krb5_error_code decode_krb5_pa_fx_fast_reply
1800 (const krb5_data *, krb5_enc_data **);
1802 krb5_error_code decode_krb5_fast_response
1803 (const krb5_data *, krb5_fast_response **);
1805 struct _krb5_key_data; /* kdb.h */
1807 struct ldap_seqof_key_data {
1808 krb5_int32 mkvno; /* Master key version number */
1809 struct _krb5_key_data *key_data;
1810 krb5_int16 n_key_data;
1812 typedef struct ldap_seqof_key_data ldap_seqof_key_data;
1815 krb5int_ldap_encode_sequence_of_keys (const ldap_seqof_key_data *val,
1819 krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
1820 ldap_seqof_key_data **rep);
1822 /*************************************************************************
1823 * End of prototypes for krb5_decode.c
1824 *************************************************************************/
1826 #endif /* KRB5_ASN1__ */
1833 * Internal krb5 library routines
1835 krb5_error_code krb5_encrypt_tkt_part
1837 const krb5_keyblock *,
1841 krb5_error_code krb5_encode_kdc_rep
1844 const krb5_enc_kdc_rep_part *,
1846 const krb5_keyblock *,
/* Check whether the received sequence number in_seq is acceptable for the
 * auth context ac.  NOTE(review): the exact acceptance window (strict
 * next-expected value versus a tolerance range) is defined elsewhere;
 * confirm it before relying on this for replay protection of KRB_SAFE /
 * KRB_PRIV traffic. */
krb5_boolean krb5int_auth_con_chkseqnum
(krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
1853 * [De]Serialization Handle and operations.
1855 struct __krb5_serializer {
1857 krb5_error_code (*sizer) (krb5_context,
1860 krb5_error_code (*externalizer) (krb5_context,
1864 krb5_error_code (*internalizer) (krb5_context,
1869 typedef const struct __krb5_serializer * krb5_ser_handle;
1870 typedef struct __krb5_serializer krb5_ser_entry;
1872 krb5_ser_handle krb5_find_serializer
1875 krb5_error_code krb5_register_serializer
1877 const krb5_ser_entry *);
1879 /* Determine the external size of a particular opaque structure */
1880 krb5_error_code KRB5_CALLCONV krb5_size_opaque
1886 /* Serialize the structure into a buffer */
1887 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
1894 /* Deserialize the structure from a buffer */
1895 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
1902 /* Serialize data into a buffer */
1903 krb5_error_code krb5_externalize_data
1909 * Initialization routines.
1912 /* Initialize serialization for krb5_[os_]context */
1913 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
1916 /* Initialize serialization for krb5_auth_context */
1917 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
1920 /* Initialize serialization for krb5_keytab */
1921 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
1924 /* Initialize serialization for krb5_ccache */
1925 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
1928 /* Initialize serialization for krb5_rcache */
1929 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
1932 /* [De]serialize 4-byte integer */
1933 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
1937 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
1941 /* [De]serialize 8-byte integer */
1942 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
1943 (krb5_int64, krb5_octet **, size_t *);
1944 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
1945 (krb5_int64 *, krb5_octet **, size_t *);
1946 /* [De]serialize byte string */
1947 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
1952 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
1958 krb5_error_code KRB5_CALLCONV krb5int_cc_default
1959 (krb5_context, krb5_ccache *);
1961 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
1962 (krb5_context, krb5_ccache, krb5_flags,
1963 krb5_creds *, krb5_creds *);
1965 krb5_boolean KRB5_CALLCONV
1966 krb5_creds_compare (krb5_context in_context,
1967 krb5_creds *in_creds,
1968 krb5_creds *in_compare_creds);
1970 void krb5int_set_prompt_types
1971 (krb5_context, krb5_prompt_type *);
1974 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
1975 krb5_keyblock * /* Old keyblock, not new! */,
1978 /* set and change password helpers */
/* Build a change-password request into *packet from the AP-REQ in *ap_req
 * and the new cleartext password passwd (a NUL-terminated string).
 * NOTE(review): passwd is handled in the clear here and is presumably copied
 * into the protected part of *packet; callers should zeroize their own copy
 * once the request has been sent -- confirm against the definition. */
krb5_error_code krb5int_mk_chpw_req
(krb5_context context, krb5_auth_context auth_context,
krb5_data *ap_req, char *passwd, krb5_data *packet);
/* Parse a change-password reply from *packet.  On success *result_code
 * holds the server's numeric result and *result_data any accompanying data.
 * NOTE(review): confirm whether *result_data aliases *packet or is freshly
 * allocated before freeing it. */
krb5_error_code krb5int_rd_chpw_rep
(krb5_context context, krb5_auth_context auth_context,
krb5_data *packet, int *result_code,
krb5_data *result_data);
/* Map a change-password result code to a human-readable string.  Note the
 * non-const char ** here versus the const char ** returned by
 * krb5int_setpw_result_code_string below: check whether the caller is
 * expected to free *result_codestr in this case. */
krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
(krb5_context context, int result_code,
char **result_codestr);
/* Build a set-password request for the principal targetprinc (i.e. setting
 * another principal's password, a privileged operation) into *packet; the
 * same cleartext-handling caveat as for krb5int_mk_chpw_req applies to
 * passwd. */
krb5_error_code krb5int_mk_setpw_req
(krb5_context context, krb5_auth_context auth_context,
krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
/* Parse a set-password reply from *packet; the result_code / result_data
 * contract mirrors krb5int_rd_chpw_rep above. */
krb5_error_code krb5int_rd_setpw_rep
(krb5_context context, krb5_auth_context auth_context,
krb5_data *packet, int *result_code,
krb5_data *result_data);
/* Map a set-password result code to a constant, human-readable string. */
krb5_error_code krb5int_setpw_result_code_string
(krb5_context context, int result_code,
const char **result_codestr);
2001 struct srv_dns_entry {
2002 struct srv_dns_entry *next;
2005 unsigned short port;
2008 #ifdef KRB5_DNS_LOOKUP
2010 krb5int_make_srv_query_realm(const krb5_data *realm,
2011 const char *service,
2012 const char *protocol,
2013 struct srv_dns_entry **answers);
2014 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2017 /* value to use when requesting a keytab entry and KVNO doesn't matter */
2018 #define IGNORE_VNO 0
2019 /* value to use when requesting a keytab entry and enctype doesn't matter */
2020 #define IGNORE_ENCTYPE 0
 * Convenience macro for checking a structure's magic number
/* Leave the enclosing function, returning (magic_number), when
 * (structure)->magic does not hold the expected value.  Usage caveats:
 *  - it expands to a bare `if (...) return ...;`, so it must not be used as
 *    the body of an if/else (the dangling else will not compile);
 *    wrapping it in do { } while (0) would fix that but break any caller
 *    that omits the trailing semicolon, so it is left as is;
 *  - (structure) is dereferenced unconditionally, so a NULL pointer has to
 *    be rejected before this is called;
 *  - (magic_number) is evaluated twice, so pass a constant. */
#define KRB5_VERIFY_MAGIC(structure,magic_number) \
if ((structure)->magic != (magic_number)) return (magic_number);
2028 /* to keep lint happy */
2029 #define krb5_xfree(val) free((char *)(val))
/* Private accessor table for libraries that (for now) reach into libkrb5
 * internals.  This is not a public API: its layout is unstable and is
 * versioned only by KRB5INT_ACCESS_STRUCT_VERSION below. */

/* Increment by one whenever struct _krb5int_access changes in any way
 * (member added, removed, reordered or retyped); consumers of this table
 * have no other way to detect a layout mismatch. */
2034 #define KRB5INT_ACCESS_STRUCT_VERSION 14
2037 struct ktext; /* from krb.h, for krb524 support */
2039 typedef struct _krb5int_access {
2041 const struct krb5_hash_provider *md5_hash_provider;
2042 const struct krb5_enc_provider *arcfour_enc_provider;
2043 krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
2044 const krb5_keyblock *key,
2045 unsigned int icount, const krb5_data *input,
2047 krb5_error_code (* krb5_auth_con_get_subkey_enctype)(krb5_context, krb5_auth_context, krb5_enctype *);
2048 /* service location and communication */
2049 krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
2050 const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
2051 struct sockaddr *, socklen_t *,struct sockaddr *,
2053 int (*msg_handler)(krb5_context, const krb5_data *, void *),
2054 void *msg_handler_data);
2055 krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2056 const char *hostname,
2057 int port, int secport,
2058 int socktype, int family);
2059 void (*free_addrlist) (struct addrlist *);
2061 krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2062 const char *service,
2063 const char *protocol,
2064 struct srv_dns_entry **answers);
2065 void (*free_srv_dns_data)(struct srv_dns_entry *);
2066 int (*use_dns_kdc)(krb5_context);
2067 krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t);
2069 /* krb4 compatibility stuff -- may be null if not enabled */
2070 krb5_int32 (*krb_life_to_time)(krb5_int32, int);
2071 int (*krb_time_to_life)(krb5_int32, krb5_int32);
2072 int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
2073 krb5_error_code (*krb5int_c_mandatory_cksumtype)
2074 (krb5_context, krb5_enctype, krb5_cksumtype *);
2075 krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
2076 (krb5_int64, krb5_octet **, size_t *);
2077 krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
2078 (krb5_int64 *, krb5_octet **, size_t *);
2080 /* Used for KDB LDAP back end. */
2082 (*asn1_ldap_encode_sequence_of_keys) (const ldap_seqof_key_data *val,
2086 (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
2087 ldap_seqof_key_data **);
/* Used for the encrypted-challenge FAST factor. */
2089 krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **);
2090 krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **);
2091 void (*free_enc_data)(krb5_context, krb5_enc_data *);
2092 krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **);
2093 krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **);
2094 void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *);
2095 krb5_error_code (*encrypt_helper)
2096 (krb5_context, const krb5_keyblock *, krb5_keyusage, const krb5_data *,
2100 * pkinit asn.1 encode/decode functions
2102 krb5_error_code (*encode_krb5_auth_pack)
2103 (const krb5_auth_pack *rep, krb5_data **code);
2104 krb5_error_code (*encode_krb5_auth_pack_draft9)
2105 (const krb5_auth_pack_draft9 *rep, krb5_data **code);
2106 krb5_error_code (*encode_krb5_kdc_dh_key_info)
2107 (const krb5_kdc_dh_key_info *rep, krb5_data **code);
2108 krb5_error_code (*encode_krb5_pa_pk_as_rep)
2109 (const krb5_pa_pk_as_rep *rep, krb5_data **code);
2110 krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9)
2111 (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code);
2112 krb5_error_code (*encode_krb5_pa_pk_as_req)
2113 (const krb5_pa_pk_as_req *rep, krb5_data **code);
2114 krb5_error_code (*encode_krb5_pa_pk_as_req_draft9)
2115 (const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code);
2116 krb5_error_code (*encode_krb5_reply_key_pack)
2117 (const krb5_reply_key_pack *, krb5_data **code);
2118 krb5_error_code (*encode_krb5_reply_key_pack_draft9)
2119 (const krb5_reply_key_pack_draft9 *, krb5_data **code);
2120 krb5_error_code (*encode_krb5_td_dh_parameters)
2121 (const krb5_algorithm_identifier **, krb5_data **code);
2122 krb5_error_code (*encode_krb5_td_trusted_certifiers)
2123 (const krb5_external_principal_identifier **, krb5_data **code);
2124 krb5_error_code (*encode_krb5_typed_data)
2125 (const krb5_typed_data **, krb5_data **code);
2127 krb5_error_code (*decode_krb5_auth_pack)
2128 (const krb5_data *, krb5_auth_pack **);
2129 krb5_error_code (*decode_krb5_auth_pack_draft9)
2130 (const krb5_data *, krb5_auth_pack_draft9 **);
2131 krb5_error_code (*decode_krb5_pa_pk_as_req)
2132 (const krb5_data *, krb5_pa_pk_as_req **);
2133 krb5_error_code (*decode_krb5_pa_pk_as_req_draft9)
2134 (const krb5_data *, krb5_pa_pk_as_req_draft9 **);
2135 krb5_error_code (*decode_krb5_pa_pk_as_rep)
2136 (const krb5_data *, krb5_pa_pk_as_rep **);
2137 krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9)
2138 (const krb5_data *, krb5_pa_pk_as_rep_draft9 **);
2139 krb5_error_code (*decode_krb5_kdc_dh_key_info)
2140 (const krb5_data *, krb5_kdc_dh_key_info **);
2141 krb5_error_code (*decode_krb5_principal_name)
2142 (const krb5_data *, krb5_principal_data **);
2143 krb5_error_code (*decode_krb5_reply_key_pack)
2144 (const krb5_data *, krb5_reply_key_pack **);
2145 krb5_error_code (*decode_krb5_reply_key_pack_draft9)
2146 (const krb5_data *, krb5_reply_key_pack_draft9 **);
2147 krb5_error_code (*decode_krb5_td_dh_parameters)
2148 (const krb5_data *, krb5_algorithm_identifier ***);
2149 krb5_error_code (*decode_krb5_td_trusted_certifiers)
2150 (const krb5_data *, krb5_external_principal_identifier ***);
2151 krb5_error_code (*decode_krb5_typed_data)
2152 (const krb5_data *, krb5_typed_data ***);
2154 krb5_error_code (*decode_krb5_as_req)
2155 (const krb5_data *output, krb5_kdc_req **rep);
2156 krb5_error_code (*encode_krb5_kdc_req_body)
2157 (const krb5_kdc_req *rep, krb5_data **code);
2158 void (KRB5_CALLCONV *krb5_free_kdc_req)
2159 (krb5_context, krb5_kdc_req * );
2160 void (*krb5int_set_prompt_types)
2161 (krb5_context, krb5_prompt_type *);
2162 krb5_error_code (*encode_krb5_authdata_elt)
2163 (const krb5_authdata *rep, krb5_data **code);
2165 /* Exported for testing only! */
2166 krb5_error_code (*encode_krb5_sam_response_2)
2167 (const krb5_sam_response_2 *rep, krb5_data **code);
2168 krb5_error_code (*encode_krb5_enc_sam_response_enc_2)
2169 (const krb5_enc_sam_response_enc_2 *rep, krb5_data **code);
/*
 * Version word handed to krb5int_accessor: the high 16 bits carry
 * KRB5INT_ACCESS_STRUCT_VERSION, the low 16 bits sizeof(krb5int_access)
 * truncated to 16 bits.  Both halves must agree between the caller's
 * header and the library for the function-pointer table to be filled in
 * safely; a mismatch is presumably refused by krb5int_accessor rather
 * than yielding a partially initialized table.
 * NOTE(review): the final `& 0xFFFFFFFF` is a no-op on a 32-bit value
 * and, where that constant is unsigned, merely makes the expression
 * unsigned; harmless for the values in use but not needed.
 */
#define KRB5INT_ACCESS_VERSION \
    (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
    (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
/*
 * Fills the caller's krb5int_access table with pointers to internal
 * library entry points.  The second argument must be
 * KRB5INT_ACCESS_VERSION as computed from the header the table was
 * declared with.
 */
krb5_error_code KRB5_CALLCONV krb5int_accessor
    (krb5int_access*, krb5_int32);
2180 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2181 because AFS (and potentially other applications?) use the krb4
2182 object as an opaque token, which (in some implementations) is not
2183 in fact a krb4 ticket, so we don't want to drag in the krb4 support
2184 just to enable this. */
/* Service name and port presumably used to reach a krb524 (v5-to-v4 ticket conversion) daemon. */
#define KRB524_SERVICE "krb524"
#define KRB524_PORT 4444
2189 /* temporary -- this should be under lib/krb5/ccache somewhere */
2191 struct _krb5_ccache {
2193 const struct _krb5_cc_ops *ops;
2198 * Per-type ccache cursor.
2200 struct krb5_cc_ptcursor_s {
2201 const struct _krb5_cc_ops *ops;
2204 typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
2206 struct _krb5_cc_ops {
2209 const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
2210 krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
2212 krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2213 krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2215 krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2216 krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2217 krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2219 krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2220 krb5_flags, krb5_creds *,
2222 krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2224 krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2226 krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2227 krb5_cc_cursor *, krb5_creds *);
2228 krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2230 krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2231 krb5_flags, krb5_creds *);
2232 krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2234 krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache,
2236 krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2237 krb5_cc_ptcursor *);
2238 krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2241 krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2242 krb5_cc_ptcursor *);
2243 krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
2245 krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2246 krb5_ccache, krb5_timestamp *);
2247 krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2249 krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
2250 krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
2253 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2256 krb5int_cc_os_default_name(krb5_context context, char **name);
2258 typedef struct _krb5_donot_replay {
2261 char *server; /* null-terminated */
2262 char *client; /* null-terminated */
2263 char *msghash; /* null-terminated */
2265 krb5_timestamp ctime;
2266 } krb5_donot_replay;
2268 krb5_error_code krb5_rc_default
2271 krb5_error_code krb5_rc_resolve_type
2273 krb5_rcache *,char *);
2274 krb5_error_code krb5_rc_resolve_full
2276 krb5_rcache *,char *);
2277 char * krb5_rc_get_type
2280 char * krb5_rc_default_type
2282 char * krb5_rc_default_name
2284 krb5_error_code krb5_auth_to_rep
2287 krb5_donot_replay *);
/*
 * Replay-cache (rcache) interface.  krb5_donot_replay records (server,
 * client, msghash, ctime, ...) are stored so that a repeated
 * authenticator can be recognised while its record is still in the
 * cache.
 *
 * NOTE(review): the cache lifespan must not be shorter than the clock
 * skew the server accepts; otherwise an authenticator could be replayed
 * after its record was expunged but while its timestamp is still inside
 * the skew window.  Confirm the rc implementation enforces this.
 */

/* Produces a printable hash of message in *out, the value stored in the
 * msghash member of krb5_donot_replay so two distinct messages with the
 * same client/server/time still compare unequal.  Ownership of *out is
 * not visible here — presumably heap-allocated and freed by the caller. */
krb5_error_code krb5_rc_hash_message
    (krb5_context context,
    const krb5_data *message, char **out);

/* Creates (or clears) the cache with the given lifespan. */
krb5_error_code KRB5_CALLCONV krb5_rc_initialize
    (krb5_context, krb5_rcache,krb5_deltat);
/* Loads existing cache state, or initializes with the lifespan if none. */
krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
    (krb5_context, krb5_rcache,krb5_deltat);
/* Loads existing cache state; presumably fails if there is none. */
krb5_error_code KRB5_CALLCONV krb5_rc_recover
    (krb5_context, krb5_rcache);
/* Removes the backing store and releases the handle. */
krb5_error_code KRB5_CALLCONV krb5_rc_destroy
    (krb5_context, krb5_rcache);
/* Releases the handle, leaving the backing store in place. */
krb5_error_code KRB5_CALLCONV krb5_rc_close
    (krb5_context, krb5_rcache);
/* Records one authenticator; a duplicate is reported through the error
 * return (exact code not visible here — see the implementation). */
krb5_error_code KRB5_CALLCONV krb5_rc_store
    (krb5_context, krb5_rcache,krb5_donot_replay *);
/* Drops entries older than the cache lifespan. */
krb5_error_code KRB5_CALLCONV krb5_rc_expunge
    (krb5_context, krb5_rcache);
/* Returns the configured lifespan in the last argument. */
krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
    (krb5_context, krb5_rcache,krb5_deltat *);
/* Returns the cache's name string; ownership not visible here. */
char *KRB5_CALLCONV krb5_rc_get_name
    (krb5_context, krb5_rcache);
/* Binds an rcache handle to the named cache (name is not const). */
krb5_error_code KRB5_CALLCONV krb5_rc_resolve
    (krb5_context, krb5_rcache, char *);
2314 typedef struct _krb5_kt_ops {
2317 /* routines always present */
2318 krb5_error_code (KRB5_CALLCONV *resolve)
2322 krb5_error_code (KRB5_CALLCONV *get_name)
2327 krb5_error_code (KRB5_CALLCONV *close)
2330 krb5_error_code (KRB5_CALLCONV *get)
2333 krb5_const_principal,
2336 krb5_keytab_entry *);
2337 krb5_error_code (KRB5_CALLCONV *start_seq_get)
2341 krb5_error_code (KRB5_CALLCONV *get_next)
2344 krb5_keytab_entry *,
2346 krb5_error_code (KRB5_CALLCONV *end_get)
2350 /* routines to be included on extended version (write routines) */
2351 krb5_error_code (KRB5_CALLCONV *add)
2354 krb5_keytab_entry *);
2355 krb5_error_code (KRB5_CALLCONV *remove)
2358 krb5_keytab_entry *);
2360 /* Handle for serializer */
2361 const krb5_ser_entry *serializer;
/* Default keytab operations table (the type used when none is named). */
extern const krb5_kt_ops krb5_kt_dfl_ops;
/* Maps a getaddrinfo()-style (gai) error code to a krb5_error_code. */
extern krb5_error_code krb5int_translate_gai_error (int);
/* Not sure it's ready for exposure just yet. */
/* Returns in the last argument the mandatory checksum type for the enctype. */
extern krb5_error_code
krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
/* One-time crypto and PRNG initialization.  These return a plain int
 * status, not a krb5_error_code.  NOTE(review): no key or confounder
 * generation should run before krb5int_prng_init has succeeded — confirm
 * where the library enforces that ordering. */
extern int krb5int_crypto_init (void);
extern int krb5int_prng_init(void);
2376 * Referral definitions, debugging hooks, and subfunctions.
/* Presumably the maximum number of KDC referrals (realm hops) one
 * credential lookup will follow; bounds the work a misbehaving or
 * malicious KDC can cause by referring endlessly. */
#define KRB5_REFERRAL_MAXHOPS 10
/* #define DEBUG_REFERRALS */
2381 #ifdef DEBUG_REFERRALS
2382 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2385 /* Common hostname-parsing code. */
2386 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
/* Legacy enctype/cksumtype predicates; new code should use the four
 * equivalents declared immediately above instead. */
krb5_boolean KRB5_CALLCONV valid_enctype
    (krb5_enctype ktype);
krb5_boolean KRB5_CALLCONV valid_cksumtype
    (krb5_cksumtype ctype);
krb5_boolean KRB5_CALLCONV is_coll_proof_cksum
    (krb5_cksumtype ctype);
krb5_boolean KRB5_CALLCONV is_keyed_cksum
    (krb5_cksumtype ctype);

/* Fills the size_t bytes at the krb5_pointer with random data for use as
 * a confounder.  NOTE(review): whether this draws from the library PRNG
 * initialized by krb5int_prng_init is not visible here — confirm. */
krb5_error_code KRB5_CALLCONV krb5_random_confounder
    (size_t, krb5_pointer);

/* Encrypts *data under key, with an optional initial vector (ivec is an
 * untyped krb5_pointer; presumably NULL means none), writing the
 * ciphertext into *enc_data. */
krb5_error_code krb5_encrypt_data
    (krb5_context context, krb5_keyblock *key,
    krb5_pointer ivec, krb5_data *data,
    krb5_enc_data *enc_data);

/* Inverse of krb5_encrypt_data: decrypts *data into the krb5_data named
 * enc_data.  Despite its name, that last argument receives the
 * plaintext. */
krb5_error_code krb5_decrypt_data
    (krb5_context context, krb5_keyblock *key,
    krb5_pointer ivec, krb5_enc_data *data,
    krb5_data *enc_data);
2416 krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
2417 const krb5_data *input, krb5_data *output);
2419 krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
2420 const krb5_data *input, krb5_data *output);
2422 struct _krb5_kt { /* should move into k5-int.h */
2424 const struct _krb5_kt_ops *ops;
2428 krb5_error_code krb5_set_default_in_tkt_ktypes
2430 const krb5_enctype *);
2431 krb5_error_code krb5_get_default_in_tkt_ktypes
2435 krb5_error_code krb5_set_default_tgs_ktypes
2437 const krb5_enctype *);
2439 krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes
2441 krb5_const_principal,
/* Releases an enctype list returned by the *_ktypes getters above. */
void KRB5_CALLCONV krb5_free_ktypes
    (krb5_context, krb5_enctype *);

/* True if the enctype is allowed by the context's permitted-enctype
 * policy (presumably the permitted_enctypes profile setting). */
krb5_boolean krb5_is_permitted_enctype
    (krb5_context, krb5_enctype);
2452 krb5_enctype *etype;
2453 krb5_boolean *etype_ok;
2454 krb5_int32 etype_count;
2455 } krb5_etypes_permitted;
/* Batch form of krb5_is_permitted_enctype: presumably sets etype_ok[i]
 * for each of the etype_count entries in the krb5_etypes_permitted. */
krb5_boolean krb5_is_permitted_enctype_ext
    ( krb5_context, krb5_etypes_permitted *);

/* True for enctypes the library classifies as weak (presumably the
 * single-DES family).  NOTE(review): code negotiating a session or
 * subkey enctype should refuse weak ones unless policy explicitly allows
 * them. */
krb5_boolean KRB5_CALLCONV krb5_c_weak_enctype(krb5_enctype);
2462 krb5_error_code krb5_kdc_rep_decrypt_proc
2464 const krb5_keyblock *,
2467 krb5_error_code KRB5_CALLCONV krb5_decrypt_tkt_part
2469 const krb5_keyblock *,
2471 krb5_error_code krb5_get_cred_from_kdc
2473 krb5_ccache, /* not const, as reading may save
2478 krb5_error_code krb5_get_cred_from_kdc_validate
2480 krb5_ccache, /* not const, as reading may save
2485 krb5_error_code krb5_get_cred_from_kdc_renew
2487 krb5_ccache, /* not const, as reading may save
2493 krb5_error_code krb5_get_cred_via_tkt
2497 krb5_address * const *,
2501 krb5_error_code KRB5_CALLCONV krb5_copy_addr
2503 const krb5_address *,
2510 krb5_error_code krb5_generate_subkey
2512 const krb5_keyblock *, krb5_keyblock **);
2513 krb5_error_code krb5_generate_subkey_extended
2515 const krb5_keyblock *,
2518 krb5_error_code krb5_generate_seq_number
2520 const krb5_keyblock *, krb5_ui_4 *);
2522 krb5_error_code KRB5_CALLCONV krb5_kt_register
2524 const struct _krb5_kt_ops * );
2526 /* use krb5_free_keytab_entry_contents instead */
2527 krb5_error_code KRB5_CALLCONV krb5_kt_free_entry
2529 krb5_keytab_entry * );
2531 krb5_error_code krb5_principal2salt_norealm
2533 krb5_const_principal, krb5_data *);
2535 unsigned int KRB5_CALLCONV krb5_get_notification_message
/*
 * Validates a ticket's transited-realms encoding (trans) for a path from
 * realm1 to realm2.  Presumably returns an error when trans names realms
 * that are not on the expected path between the two, which is what keeps
 * an untrusted intermediate realm from laundering a cross-realm ticket.
 * NOTE(review): trans comes straight from the ticket and is therefore
 * attacker-influenced; confirm the parser is robust to malformed or
 * oversized encodings.
 */
krb5_error_code krb5_check_transited_list
    (krb5_context, const krb5_data *trans,
    const krb5_data *realm1, const krb5_data *realm2);
2544 void krb5_free_realm_tree
/*
 * Destructors for decoded protocol structures.  By the naming visible
 * here, a *_contents variant releases only what the structure points to
 * (the caller keeps the container), while the others presumably free the
 * container as well.  krb5_free_tickets, krb5_free_last_req,
 * krb5_free_pa_data and krb5_free_pwd_sequences take a pointer array
 * (presumably NULL-terminated).
 *
 * NOTE(review): krb5_free_pwd_data, krb5_free_pwd_sequences and
 * krb5_free_passwd_phrase_element release password material; whether
 * they scrub it before free() is not visible in this header — confirm.
 */
void KRB5_CALLCONV krb5_free_authenticator_contents
    (krb5_context, krb5_authenticator * );
void KRB5_CALLCONV krb5_free_address
    (krb5_context, krb5_address * );
void KRB5_CALLCONV krb5_free_enc_tkt_part
    (krb5_context, krb5_enc_tkt_part * );
void KRB5_CALLCONV krb5_free_tickets
    (krb5_context, krb5_ticket ** );
void KRB5_CALLCONV krb5_free_kdc_req
    (krb5_context, krb5_kdc_req * );
void KRB5_CALLCONV krb5_free_kdc_rep
    (krb5_context, krb5_kdc_rep * );
void KRB5_CALLCONV krb5_free_last_req
    (krb5_context, krb5_last_req_entry ** );
void KRB5_CALLCONV krb5_free_enc_kdc_rep_part
    (krb5_context, krb5_enc_kdc_rep_part * );
void KRB5_CALLCONV krb5_free_ap_req
    (krb5_context, krb5_ap_req * );
void KRB5_CALLCONV krb5_free_ap_rep
    (krb5_context, krb5_ap_rep * );
void KRB5_CALLCONV krb5_free_cred
    (krb5_context, krb5_cred *);
void KRB5_CALLCONV krb5_free_cred_enc_part
    (krb5_context, krb5_cred_enc_part *);
void KRB5_CALLCONV krb5_free_pa_data
    (krb5_context, krb5_pa_data **);
void KRB5_CALLCONV krb5_free_tkt_authent
    (krb5_context, krb5_tkt_authent *);
void KRB5_CALLCONV krb5_free_pwd_data
    (krb5_context, krb5_pwd_data *);
void KRB5_CALLCONV krb5_free_pwd_sequences
    (krb5_context, passwd_phrase_element **);
void KRB5_CALLCONV krb5_free_passwd_phrase_element
    (krb5_context, passwd_phrase_element *);
void KRB5_CALLCONV krb5_free_alt_method
    (krb5_context, krb5_alt_method *);
void KRB5_CALLCONV krb5_free_enc_data
    (krb5_context, krb5_enc_data *);

/* Overrides the list of profile (config) files the context reads.
 * NOTE(review): this is a trust boundary — the list must never be built
 * from untrusted input, since the profile controls KDC addresses,
 * permitted enctypes and similar policy. */
krb5_error_code krb5_set_config_files
    (krb5_context, const char **);

/* Returns the default profile file list in *filenames; release it with
 * krb5_free_config_files. */
krb5_error_code KRB5_CALLCONV krb5_get_default_config_files
    (char ***filenames);
2595 void KRB5_CALLCONV krb5_free_config_files
2597 krb5_error_code krb5int_send_tgs
2600 const krb5_ticket_times *,
2601 const krb5_enctype *,
2602 krb5_const_principal,
2603 krb5_address * const *,
2604 krb5_authdata * const *,
2605 krb5_pa_data * const *,
2608 krb5_response * , krb5_keyblock **subkey);
2609 /* The subkey field is an output parameter; if a
2610 * tgs-rep is received then the subkey will be filled
2611 * in with the subkey needed to decrypt the TGS
2612 * response. Otherwise it will be set to null.
2614 krb5_error_code krb5int_decode_tgs_rep
2617 const krb5_keyblock *, krb5_keyusage,
/*
 * Collects into *results every authorization-data element of type
 * ad_type found in either the ticket's authdata (ticket_authdata) or the
 * AP-REQ authenticator's authdata (ap_req_authdata).
 *
 * NOTE(review): the two sources are not equally trustworthy — the ticket
 * authdata was issued under the KDC's key, whereas the authenticator
 * authdata is supplied by the client.  Nothing in this signature lets a
 * caller tell which source a result came from; confirm that callers do
 * not make authorization decisions on ap_req_authdata-derived elements
 * as if they were KDC-issued.
 */
krb5_error_code krb5int_find_authdata
    (krb5_context context, krb5_authdata *const * ticket_authdata,
    krb5_authdata * const *ap_req_authdata,
    krb5_authdatatype ad_type,
    krb5_authdata ***results);
2625 krb5_error_code krb5_rd_req_decoded
2627 krb5_auth_context *,
2628 const krb5_ap_req *,
2629 krb5_const_principal,
2634 krb5_error_code krb5_rd_req_decoded_anyflag
2636 krb5_auth_context *,
2637 const krb5_ap_req *,
2638 krb5_const_principal,
2642 krb5_error_code KRB5_CALLCONV krb5_cc_register
2644 const krb5_cc_ops *,
2646 krb5_error_code krb5_walk_realm_tree
2652 krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype
2657 krb5_error_code krb5_auth_con_set_safe_cksumtype
2661 krb5_error_code krb5_auth_con_setivector
2666 krb5_error_code krb5_auth_con_getivector
2671 krb5_error_code krb5_auth_con_setpermetypes
2674 const krb5_enctype *);
2676 krb5_error_code krb5_auth_con_getpermetypes
2681 krb5_error_code krb5_auth_con_get_subkey_enctype
2682 (krb5_context context,
/* Decrypts the ticket's encrypted part with the server key given as a
 * keyblock, filling in the decrypted part on success. */
krb5_error_code KRB5_CALLCONV
krb5int_server_decrypt_ticket_keyblock
    (krb5_context context,
    const krb5_keyblock *key,
    krb5_ticket *ticket);

/*
 * Message I/O over a descriptor passed as krb5_pointer.  krb5_read_message
 * reads one (presumably length-prefixed) message into the krb5_data,
 * krb5_write_message writes one, and krb5int_write_messages writes the
 * given number of messages from an array.  krb5_net_read/krb5_net_write
 * are the raw read/write loops on an fd with int lengths.
 * NOTE(review): any length prefix consumed by krb5_read_message is
 * peer-controlled; confirm the implementation caps it before allocating.
 * NOTE(review): lengths are plain int here, so callers must not pass a
 * size that is negative or exceeds INT_MAX.
 */
krb5_error_code krb5_read_message (krb5_context, krb5_pointer, krb5_data *);
krb5_error_code krb5_write_message (krb5_context, krb5_pointer, krb5_data *);
krb5_error_code krb5int_write_messages (krb5_context, krb5_pointer, krb5_data *, int);
int krb5_net_read (krb5_context, int , char *, int);
int krb5_net_write (krb5_context, int , const char *, int);
2698 krb5_error_code KRB5_CALLCONV krb5_get_realm_domain
2703 krb5_error_code krb5_gen_portaddr
2705 const krb5_address *,
2708 krb5_error_code krb5_gen_replay_name
2710 const krb5_address *,
2713 krb5_error_code krb5_make_fulladdr
/* Test hook that pins the context's notion of "now" (a timestamp plus a
 * krb5_int32 that is presumably microseconds).  NOTE(review): this must
 * not be reachable from production code paths — it defeats ticket
 * lifetime and clock-skew checks. */
krb5_error_code krb5_set_debugging_time
    (krb5_context, krb5_timestamp, krb5_int32);
2721 krb5_error_code krb5_use_natural_time
/* Records a (seconds, presumably microseconds) offset between local time
 * and the KDC's that later time lookups on this context apply. */
krb5_error_code krb5_set_time_offsets
    (krb5_context, krb5_timestamp, krb5_int32);
/* Returns an error (presumably a skew error) when the given timestamp
 * differs from the context's current time by more than the configured
 * clock skew. */
krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
2727 * The realm iterator functions
/*
 * Iteration over the realms known to the context.  Create an opaque
 * iterator in *iter_p, call krb5_realm_iterator repeatedly to obtain each
 * realm name in *ret_realm (release each with krb5_free_realm_string),
 * then free the iterator.  How the end of iteration is signalled is not
 * visible here — presumably *ret_realm becomes NULL.
 */
krb5_error_code KRB5_CALLCONV krb5_realm_iterator_create
    (krb5_context context, void **iter_p);
krb5_error_code KRB5_CALLCONV krb5_realm_iterator
    (krb5_context context, void **iter_p, char **ret_realm);
void KRB5_CALLCONV krb5_realm_iterator_free
    (krb5_context context, void **iter_p);
void KRB5_CALLCONV krb5_free_realm_string
    (krb5_context context, char *str);
2742 /* Internal principal function used by KIM to avoid code duplication */
2743 krb5_error_code KRB5_CALLCONV
2744 krb5int_build_principal_alloc_va(krb5_context context,
2745 krb5_principal *princ,
2751 /* Some data comparison and conversion functions. */
2753 static inline int data_cmp(krb5_data d1, krb5_data d2)
2755 if (d1.length < d2.length) return -1;
2756 if (d1.length > d2.length) return 1;
2757 return memcmp(d1.data, d2.data, d1.length);
2759 static inline int data_eq (krb5_data d1, krb5_data d2)
2761 return data_cmp(d1, d2) == 0;
2764 static inline int data_eq (krb5_data d1, krb5_data d2)
2766 return (d1.length == d2.length
2767 && !memcmp(d1.data, d2.data, d1.length));
2770 static inline krb5_data string2data (char *str)
2773 d.magic = KV5M_DATA;
2774 d.length = strlen(str);
2778 static inline int data_eq_string (krb5_data d, char *s)
2780 return data_eq(d, string2data(s));
2782 static inline int authdata_eq (krb5_authdata a1, krb5_authdata a2)
2784 return (a1.ad_type == a2.ad_type
2785 && a1.length == a2.length
2786 && !memcmp(a1.contents, a2.contents, a1.length));
2789 krb5_error_code KRB5_CALLCONV
2790 krb5int_pac_sign(krb5_context context,
2792 krb5_timestamp authtime,
2793 krb5_const_principal principal,
2794 const krb5_keyblock *server_key,
2795 const krb5_keyblock *privsvr_key,
2798 #ifdef DEBUG_ERROR_LOCATIONS
/* Debug build only: route krb5_set_error_message through the _fl variant
 * so the recorded error carries the __FILE__/__LINE__ of the call site.
 * NOTE(review): that location text ends up in error strings that may be
 * shown to users; keep this off in release builds. */
#define krb5_set_error_message(ctx, code, ...) \
    krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__)
2803 #endif /* _KRB5_INT_H */