4 * Copyright 1989,1990,1995 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. M.I.T. makes no representations about the suitability of
20 * this software for any purpose. It is provided "as is" without express
21 * or implied warranty.
24 * General definitions for Kerberos version 5.
27 #ifndef KRB5_GENERAL__
28 #define KRB5_GENERAL__
30 #include "k5-config.h"
32 #include "base-defs.h"
35 typedef struct _krb5_context {
37 krb5_enctype * etypes;
/* Opaque per-exchange authentication state.  Only the forward declaration
 * is visible here, so code that includes this header can hold a pointer to
 * it but cannot inspect its members or take sizeof; the definition lives
 * elsewhere in the library. */
42 struct _krb5_auth_context;
43 typedef struct _krb5_auth_context krb5_auth_context;
45 #include "encryption.h"
46 #include "fieldbits.h"
47 #include "k5-errors.h"
50 #include "error_def.h"
53 typedef struct _krb5_ticket_times {
54 krb5_timestamp authtime; /* XXX ? should ktime in KDC_REP == authtime
55 in ticket? otherwise client can't get this */
56 krb5_timestamp starttime; /* optional in ticket, if not present,
58 krb5_timestamp endtime;
59 krb5_timestamp renew_till;
62 /* structure for auth data */
63 typedef struct _krb5_authdata {
65 krb5_authdatatype ad_type;
70 /* structure for transited encoding */
71 typedef struct _krb5_transited {
74 krb5_data tr_contents;
77 typedef struct _krb5_enc_tkt_part {
79 /* to-be-encrypted portion */
80 krb5_flags flags; /* flags */
81 krb5_keyblock *session; /* session key: includes keytype */
82 krb5_principal client; /* client name/realm */
83 krb5_transited transited; /* list of transited realms */
84 krb5_ticket_times times; /* auth, start, end, renew_till */
85 krb5_address **caddrs; /* array of ptrs to addresses */
86 krb5_authdata **authorization_data; /* auth data */
89 typedef struct _krb5_ticket {
91 /* cleartext portion */
92 krb5_principal server; /* server name/realm */
93 krb5_enc_data enc_part; /* encryption type, kvno, encrypted
95 krb5_enc_tkt_part *enc_part2; /* ptr to decrypted version, if
99 /* the unencrypted version */
/* Decrypted body of the AP-REQ authenticator (the encrypted form travels as
 * krb5_ap_req.authenticator).  This listing omits the member on header line
 * 101, so the field list below is not complete. */
100 typedef struct _krb5_authenticator {
102 krb5_principal client; /* client name/realm */
103 krb5_checksum *checksum; /* checksum, includes type, optional */
104 krb5_int32 cusec; /* client usec portion */
105 krb5_timestamp ctime; /* client sec portion.
                            (ctime, cusec) is the client's clock reading;
                            presumably (client, ctime, cusec) is what the
                            acceptor's replay detection keys on -- TODO confirm
                            against the recvauth path */
106 krb5_keyblock *subkey; /* true session key, optional */
107 krb5_int32 seq_number; /* sequence #, optional */
108 krb5_authdata **authorization_data; /* authorization data (array of ptrs,
                                          as for the other **authdata fields) */
109 } krb5_authenticator;
111 typedef struct _krb5_tkt_authent {
114 krb5_authenticator *authenticator;
115 krb5_flags ap_options;
118 /* credentials: Ticket, session key, etc. */
119 typedef struct _krb5_creds {
121 krb5_principal client; /* client's principal identifier */
122 krb5_principal server; /* server's principal identifier */
123 krb5_keyblock keyblock; /* session encryption key info */
124 krb5_ticket_times times; /* lifetime info */
125 krb5_boolean is_skey; /* true if ticket is encrypted in
126 another ticket's skey */
127 krb5_flags ticket_flags; /* flags in ticket */
128 krb5_address **addresses; /* addrs in ticket */
129 krb5_data ticket; /* ticket string itself */
130 krb5_data second_ticket; /* second ticket, if related to
131 ticket (via DUPLICATE-SKEY or
133 krb5_authdata **authdata; /* authorization data */
136 /* Last request fields */
/* One entry of the KDC reply's last-request array
 * (krb5_enc_kdc_rep_part.last_req).  The members on header lines 138-139
 * are not shown in this listing; only the timestamp is visible. */
137 typedef struct _krb5_last_req_entry {
140 krb5_timestamp value; /* timestamp of the reported event */
141 } krb5_last_req_entry;
143 /* pre-authentication data */
144 typedef struct _krb5_pa_data {
148 krb5_octet *contents;
151 typedef struct _krb5_kdc_req {
153 krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */
154 krb5_pa_data **padata; /* e.g. encoded AP_REQ */
156 krb5_flags kdc_options; /* requested options */
157 krb5_principal client; /* includes realm; optional */
158 krb5_principal server; /* includes realm (only used if no
160 krb5_timestamp from; /* requested starttime */
161 krb5_timestamp till; /* requested endtime */
162 krb5_timestamp rtime; /* (optional) requested renew_till */
163 krb5_int32 nonce; /* nonce to match request/response */
164 int netypes; /* # of etypes, must be positive */
165 krb5_enctype *etype; /* requested encryption type(s) */
166 krb5_address **addresses; /* requested addresses, optional */
167 krb5_enc_data authorization_data; /* encrypted auth data; OPTIONAL */
168 krb5_authdata **unenc_authdata; /* unencrypted auth data,
170 krb5_ticket **second_ticket; /* second ticket array; OPTIONAL */
/* Decrypted part of a KDC reply (krb5_kdc_rep.enc_part2 points here once
 * krb5_kdc_rep.enc_part has been decrypted).  The member on header line 174
 * is not shown in this listing. */
173 typedef struct _krb5_enc_kdc_rep_part {
175 /* encrypted part: */
176 krb5_msgtype msg_type; /* krb5 message type */
177 krb5_keyblock *session; /* session key */
178 krb5_last_req_entry **last_req; /* array of ptrs to entries */
179 krb5_int32 nonce; /* nonce from request.  krb5_kdc_req.nonce is documented
                        as "nonce to match request/response": a reply whose
                        nonce differs from the one the client sent does not
                        belong to this exchange and should not be accepted */
180 krb5_timestamp key_exp; /* expiration date */
181 krb5_flags flags; /* ticket flags */
182 krb5_ticket_times times; /* lifetime info */
183 krb5_principal server; /* server's principal identifier */
184 krb5_address **caddrs; /* array of ptrs to addresses,
                             (rest of this comment is on header line 185,
                             not shown in this listing) */
186 } krb5_enc_kdc_rep_part;
188 typedef struct _krb5_kdc_rep {
190 /* cleartext part: */
191 krb5_msgtype msg_type; /* AS_REP or KDC_REP? */
192 krb5_pa_data **padata; /* preauthentication data from KDC */
193 krb5_principal client; /* client's principal identifier */
194 krb5_ticket *ticket; /* ticket */
195 krb5_enc_data enc_part; /* encryption type, kvno, encrypted
197 krb5_enc_kdc_rep_part *enc_part2; /* unencrypted version, if available */
200 /* error message structure */
201 typedef struct _krb5_error {
203 /* some of these may be meaningless in certain contexts */
204 krb5_timestamp ctime; /* client sec portion; optional */
205 krb5_int32 cusec; /* client usec portion; optional */
206 krb5_int32 susec; /* server usec portion */
207 krb5_timestamp stime; /* server sec portion */
208 krb5_ui_4 error; /* error code (protocol error #'s) */
209 krb5_principal client; /* client's principal identifier;
211 krb5_principal server; /* server's principal identifier */
212 krb5_data text; /* descriptive text */
213 krb5_data e_data; /* additional error-describing data */
216 typedef struct _krb5_ap_req {
218 krb5_flags ap_options; /* requested options */
219 krb5_ticket *ticket; /* ticket */
220 krb5_enc_data authenticator; /* authenticator (already encrypted) */
223 typedef struct _krb5_ap_rep {
225 krb5_enc_data enc_part;
/* Decrypted body of an AP-REP (the encrypted form is krb5_ap_rep.enc_part).
 * The member on header line 229 is not shown in this listing.
 * ctime/cusec have the same names and meaning as krb5_authenticator.ctime/
 * cusec; presumably the client compares the echoed values with what it sent
 * as the mutual-authentication proof -- TODO confirm in the AP-REP check. */
228 typedef struct _krb5_ap_rep_enc_part {
230 krb5_timestamp ctime; /* client time, seconds portion */
231 krb5_int32 cusec; /* client time, microseconds portion */
232 krb5_keyblock *subkey; /* true session key, optional */
233 krb5_int32 seq_number; /* sequence #, optional */
234 } krb5_ap_rep_enc_part;
236 typedef struct _krb5_response {
238 krb5_octet message_type;
242 typedef struct _krb5_safe {
244 krb5_data user_data; /* user data */
245 krb5_timestamp timestamp; /* client time, optional */
246 krb5_int32 usec; /* microsecond portion of time,
248 krb5_int32 seq_number; /* sequence #, optional */
249 krb5_address *s_address; /* sender address */
250 krb5_address *r_address; /* recipient address, optional */
251 krb5_checksum *checksum; /* data integrity checksum */
254 typedef struct _krb5_priv {
256 krb5_enc_data enc_part; /* encrypted part */
/* Decrypted body of a KRB-PRIV message (carried as krb5_priv.enc_part).
 * Unlike krb5_safe, which carries user_data in the clear and protects it
 * with a checksum member, this whole structure is encrypted, so no checksum
 * field appears here.  The member on header line 260 is not shown in this
 * listing. */
259 typedef struct _krb5_priv_enc_part {
261 krb5_data user_data; /* user data */
262 krb5_timestamp timestamp; /* client time, optional */
263 krb5_int32 usec; /* microsecond portion of time, opt. */
264 krb5_int32 seq_number; /* sequence #, optional */
265 krb5_address *s_address; /* sender address; presumably the receiver
                                checks it against the peer -- TODO confirm */
266 krb5_address *r_address; /* recipient address, optional */
267 } krb5_priv_enc_part;
269 typedef struct _krb5_cred_info {
271 krb5_keyblock* session; /* session key used to encrypt */
273 krb5_principal client; /* client name/realm, optional */
274 krb5_principal server; /* server name/realm, optional */
275 krb5_flags flags; /* ticket flags, optional */
276 krb5_ticket_times times; /* auth, start, end, renew_till, */
278 krb5_address **caddrs; /* array of ptrs to addresses */
/* Decrypted body of a KRB-CRED message (carried as krb5_cred.enc_part, and
 * pointed to by krb5_cred.enc_part2 after decryption).  This is the
 * sensitive half of the message: each ticket_info entry is a krb5_cred_info
 * whose `session` member is the session key for the matching ticket in
 * krb5_cred.tickets.  The member on header line 282 is not shown here. */
281 typedef struct _krb5_cred_enc_part {
283 krb5_int32 nonce; /* nonce, optional */
284 krb5_timestamp timestamp; /* client time */
285 krb5_int32 usec; /* microsecond portion of time */
286 krb5_address *s_address; /* sender address, optional */
287 krb5_address *r_address; /* recipient address, optional */
288 krb5_cred_info **ticket_info; /* array of ptrs, one per ticket
                                    (parallel to krb5_cred.tickets,
                                    presumably -- TODO confirm) */
289 } krb5_cred_enc_part;
291 typedef struct _krb5_cred {
293 krb5_ticket **tickets; /* tickets */
294 krb5_enc_data enc_part; /* encrypted part */
295 krb5_cred_enc_part *enc_part2; /* unencrypted version, if available*/
298 /* Sandia password generation structures */
/* One element of a Sandia password phrase (referenced from
 * krb5_pwd_data.element).  Its members are on header lines 300-302, which
 * this listing does not show. */
299 typedef struct _passwd_phrase_element {
303 } passwd_phrase_element;
305 typedef struct _krb5_pwd_data {
308 passwd_phrase_element **element;
311 /* these need to be here so the typedefs are available for the prototypes */
312 #include "safepriv.h"
316 #include "func-proto.h"
/*
 * Name of the Kerberos ticket-granting service, and its length in
 * characters excluding the terminating NUL.  The two must stay in step:
 * KRB5_TGS_NAME_SIZE == strlen(KRB5_TGS_NAME).
 */
#define KRB5_TGS_NAME "krbtgt"
#define KRB5_TGS_NAME_SIZE 6 /* strlen("krbtgt") */
/*
 * Option bits for recvauth.  Each flag occupies its own bit so the two can
 * be combined with bitwise OR.
 */
#define KRB5_RECVAUTH_SKIP_VERSION (1 << 0) /* 0x0001 */
#define KRB5_RECVAUTH_BADAUTHVERS (1 << 1)  /* 0x0002 */
327 #include "adm_defs.h"
329 #endif /* KRB5_GENERAL__ */