1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3  * kdc/kdc_util.h
4  *
5  * Portions Copyright (C) 2007 Apple Inc.
6  * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
7  *
8  * Export of this software from the United States of America may
9  *   require a specific license from the United States Government.
10  *   It is the responsibility of any person or organization contemplating
11  *   export to obtain such a license before exporting.
12  *
13  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
14  * distribute this software and its documentation for any purpose and
15  * without fee is hereby granted, provided that the above copyright
16  * notice appear in all copies and that both that copyright notice and
17  * this permission notice appear in supporting documentation, and that
18  * the name of M.I.T. not be used in advertising or publicity pertaining
19  * to distribution of the software without specific, written prior
20  * permission.  Furthermore if you modify this software you must label
21  * your software as modified software and not distribute it in such a
22  * fashion that it might be confused with the original M.I.T. software.
23  * M.I.T. makes no representations about the suitability of
24  * this software for any purpose.  It is provided "as is" without express
25  * or implied warranty.
26  *
27  *
28  * Declarations for policy.c
29  */
30
31 #ifndef __KRB5_KDC_UTIL__
32 #define __KRB5_KDC_UTIL__
33
34 #include "kdb.h"
35
/*
 * Peer address plus port, as handed to the request-processing entry
 * points below (process_as_req, process_tgs_req, dispatch, log_*).
 * NOTE(review): the struct only holds a pointer to the krb5_address; who
 * owns that memory is not stated in this header -- confirm in network.c.
 */
typedef struct _krb5_fulladdr {
    krb5_address *      address;    /* peer address; not owned as far as this header shows */
    krb5_ui_4           port;       /* port; byte order not established here -- confirm */
} krb5_fulladdr;
40
/*
 * Declarations shared across the KDC sources.  No implementing file is
 * named for this first group (the "Declarations for policy.c" line in the
 * file banner predates most of what is here); later groups are labelled
 * with the .c file that defines them.
 */
krb5_error_code check_hot_list (krb5_ticket *);
krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
krb5_boolean is_local_principal(krb5_const_principal princ1);
krb5_boolean krb5_is_tgs_principal (krb5_const_principal);

/*
 * Transited-realm helpers.  Both operate on krb5_data encodings; the
 * policy check on the resulting list is kdc_check_transited_list(),
 * declared in the kdc_util.c group further down.
 */
krb5_error_code
add_to_transited (krb5_data *,
                  krb5_data *,
                  krb5_principal,
                  krb5_principal,
                  krb5_principal);
krb5_error_code
compress_transited (krb5_data *,
                    krb5_principal,
                    krb5_data *);

/* Result is returned through the krb5_authdata *** out-parameter. */
krb5_error_code
concat_authorization_data (krb5_authdata **,
                           krb5_authdata **,
                           krb5_authdata ***);
krb5_error_code
fetch_last_req_info (krb5_db_entry *, krb5_last_req_entry ***);

krb5_error_code
kdc_convert_key (krb5_keyblock *, krb5_keyblock *, int);
/*
 * TGS-REQ header processing.  The two krb5_keyblock ** and the
 * krb5_ticket ** are out-parameters; nprincs is an in/out count in the
 * style of get_principal() below.  NOTE(review): which of the two
 * keyblocks is the subkey and which the session key is not stated here --
 * confirm against the definition before relying on the order.
 */
krb5_error_code
kdc_process_tgs_req (krb5_kdc_req *,
                     const krb5_fulladdr *,
                     krb5_data *,
                     krb5_ticket **,
                     krb5_db_entry *krbtgt,
                     int *nprincs,
                     krb5_keyblock **, krb5_keyblock **,
                     krb5_pa_data **pa_tgs_req);

/* Returns the selected key and its kvno through the last two out-params. */
krb5_error_code
kdc_get_server_key (krb5_ticket *, unsigned int,
                    krb5_boolean match_enctype,
                    krb5_db_entry *, int *,
                    krb5_keyblock **, krb5_kvno *);

/*
 * Request validation.  Note that krb5_db_entry is passed BY VALUE here
 * (and in against_local_policy_* in policy.c), so each call copies the
 * entry.  The const char ** looks like a status-string out-parameter --
 * presumably used for the audit/log_* functions; confirm in the
 * implementation.  The return is a plain int, not krb5_error_code.
 */
int
validate_as_request (krb5_kdc_req *, krb5_db_entry,
                     krb5_db_entry, krb5_timestamp,
                     const char **, krb5_data *);

int
validate_forwardable(krb5_kdc_req *, krb5_db_entry,
                     krb5_db_entry, krb5_timestamp,
                     const char **);

int
validate_tgs_request (krb5_kdc_req *, krb5_db_entry,
                      krb5_ticket *, krb5_timestamp,
                      const char **, krb5_data *);

/*
 * Raw-buffer ASN.1 field extraction.  The buffer comes with two unsigned
 * ints (presumably its length and the field number to fetch -- confirm);
 * since the buffer is typically request data off the wire, every read in
 * the implementation must be bounded by the supplied length.
 */
int
fetch_asn1_field (unsigned char *, unsigned int, unsigned int, krb5_data *);

/* Enctype queries against a DB entry; both return a plain int (boolean-like). */
int
dbentry_has_key_for_enctype (krb5_context context,
                             krb5_db_entry *client,
                             krb5_enctype enctype);

int
dbentry_supports_enctype (krb5_context context,
                          krb5_db_entry *client,
                          krb5_enctype enctype);

/*
 * Chooses a session-key enctype from the nktypes entries of ktypes.
 * NOTE(review): what is returned when none is acceptable (0 / ENCTYPE_NULL?)
 * is not stated here -- callers must check rather than assume.
 */
krb5_enctype
select_session_keytype (krb5_context context,
                        krb5_db_entry *server,
                        int nktypes,
                        krb5_enctype *ktypes);

krb5_error_code
get_salt_from_key (krb5_context, krb5_principal,
                   krb5_key_data *, krb5_data *);

/* Non-const argument: presumably rewrites name in place -- confirm. */
void limit_string (char *name);

/*
 * Formatting helpers that write into s, bounded by len.  NOTE(review):
 * confirm the implementations always NUL-terminate s when len > 0, since
 * the results end up in log lines.
 */
void
ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);

void
rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
125
/*
 * Request entry points.  All three take the peer address and end with a
 * krb5_data ** out-parameter (presumably the encoded response -- confirm
 * ownership: who frees it?).  dispatch() receives the raw packet as a
 * krb5_data and is therefore the first consumer of untrusted input.
 */

/* do_as_req.c */
krb5_error_code
process_as_req (krb5_kdc_req *, krb5_data *,
                const krb5_fulladdr *,
                krb5_data ** );

/* do_tgs_req.c */
krb5_error_code
process_tgs_req (krb5_data *,
                 const krb5_fulladdr *,
                 krb5_data ** );
/* dispatch.c */
krb5_error_code
dispatch (krb5_data *,
          const krb5_fulladdr *,
          krb5_data **);
142
/* main.c */
/* NOTE(review): the name argument is a non-const char *; confirm whether it is modified. */
krb5_error_code kdc_initialize_rcache (krb5_context, char *);

krb5_error_code
setup_server_realm (krb5_principal);
/*
 * printf-style error reporting.  Under GCC the format attribute checks
 * the variadic arguments against fmt (argument 3, varargs from 4), so a
 * mismatch is a compile-time warning.  Never pass externally supplied
 * text as fmt; route it through "%s".
 */
void
kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...)
#if !defined(__cplusplus) && (__GNUC__ > 2)
    __attribute__((__format__(__printf__, 3, 4)))
#endif
;

/* network.c */
/* Lifecycle of the listening sockets; all three take no arguments and use file-scope state in network.c. */
krb5_error_code listen_and_process (void);
krb5_error_code setup_network (void);
krb5_error_code closedown_network (void);
159
/* policy.c */
/*
 * Local-policy hooks.  The parameter lists mirror validate_as_request()
 * and validate_tgs_request() above (krb5_db_entry by value, const char **
 * status out-parameter, plain int return); presumably the validate_*
 * functions call these -- confirm.
 */
int
against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
                         krb5_db_entry, krb5_timestamp,
                         const char **, krb5_data *);

int
against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
                          krb5_ticket *, const char **,
                          krb5_data *);
170
/* kdc_preauth.c */
krb5_boolean
enctype_requires_etype_info_2(krb5_enctype enctype);

/*
 * Returns a string naming what is missing (presumably NULL when nothing
 * is -- confirm).  Storage of the returned const char * is not stated
 * here; do not free it without checking the implementation.
 */
const char *
missing_required_preauth (krb5_db_entry *client,
                          krb5_db_entry *server,
                          krb5_enc_tkt_part *enc_tkt_reply);
/* Fills e_data; caller owns the result as far as this header shows -- confirm. */
void
get_preauth_hint_list (krb5_kdc_req * request,
                       krb5_db_entry *client,
                       krb5_db_entry *server,
                       krb5_data *e_data);
krb5_error_code
load_preauth_plugins(krb5_context context);
krb5_error_code
unload_preauth_plugins(krb5_context context);

/*
 * Pre-authentication processing.  padata_context is an opaque per-request
 * handle threaded through check_padata() and return_padata() and released
 * by free_padata_context(); callers must not skip the free on error paths.
 */
krb5_error_code
check_padata (krb5_context context,
              krb5_db_entry *client, krb5_data *req_pkt,
              krb5_kdc_req *request,
              krb5_enc_tkt_part *enc_tkt_reply,
              void **padata_context, krb5_data *e_data);

krb5_error_code
return_padata (krb5_context context, krb5_db_entry *client,
               krb5_data *req_pkt, krb5_kdc_req *request,
               krb5_kdc_rep *reply,
               krb5_key_data *client_key, krb5_keyblock *encrypting_key,
               void **padata_context);

krb5_error_code
free_padata_context (krb5_context context, void **padata_context);

/* Returns a pointer into padata (presumably not a copy -- confirm); NULL if absent. */
krb5_pa_data *
find_pa_data (krb5_pa_data **padata, krb5_preauthtype pa_type);

/*
 * Appends padata to *out_padata.  NOTE(review): with copy == FALSE the
 * pointer itself is presumably stored, so ownership transfers to the
 * array -- confirm before freeing padata in the caller.
 */
krb5_error_code
add_pa_data_element (krb5_context context,
                     krb5_pa_data *padata,
                     krb5_pa_data ***out_padata,
                     krb5_boolean copy);
214
/* kdc_authdata.c */
krb5_error_code
load_authdata_plugins(krb5_context context);
krb5_error_code
unload_authdata_plugins(krb5_context context);

/*
 * Authorization-data handling for a reply.  Thirteen parameters is more
 * than a reviewer would normally accept; a request/context struct would
 * be tidier, but changing the signature touches every caller.  The three
 * keyblocks are passed alongside the matching krb5_db_entry pointers;
 * for_user_princ is a separate principal (presumably the S4U target --
 * confirm).
 */
krb5_error_code
handle_authdata (krb5_context context,
                 unsigned int flags,
                 krb5_db_entry *client,
                 krb5_db_entry *server,
                 krb5_db_entry *krbtgt,
                 krb5_keyblock *client_key,
                 krb5_keyblock *server_key,
                 krb5_keyblock *krbtgt_key,
                 krb5_data *req_pkt,
                 krb5_kdc_req *request,
                 krb5_const_principal for_user_princ,
                 krb5_enc_tkt_part *enc_tkt_request,
                 krb5_enc_tkt_part *enc_tkt_reply);

/* replay.c */
/*
 * Lookaside cache keyed on request packets (replay.c).  kdc_check_lookaside
 * returns TRUE and hands back a krb5_data * through the out-parameter on a
 * hit; kdc_insert_lookaside records a request/response pair.  Ownership of
 * the stored krb5_data is not stated here -- confirm.
 */
krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
void kdc_insert_lookaside (krb5_data *, krb5_data *);
void kdc_free_lookaside(krb5_context);
240
/* kdc_util.c */
/*
 * DB lookup wrappers.  entries/nentries look like an in/out buffer and
 * count (caller passes capacity, implementation writes the number found)
 * with *more set when the result was truncated -- confirm.  The _locked
 * variant presumably expects the caller to already hold the DB lock.
 */
krb5_error_code
get_principal_locked (krb5_context kcontext,
                      krb5_const_principal search_for,
                      krb5_db_entry *entries, int *nentries,
                      krb5_boolean *more);
krb5_error_code
get_principal (krb5_context kcontext,
               krb5_const_principal search_for,
               krb5_db_entry *entries, int *nentries, krb5_boolean *more);

krb5_boolean
include_pac_p(krb5_context context, krb5_kdc_req *request);

krb5_error_code
return_enc_padata(krb5_context context,
                  krb5_data *req_pkt, krb5_kdc_req *request,
                  krb5_keyblock *reply_key,
                  krb5_db_entry *server,
                  krb5_enc_kdc_rep_part *reply_encpart);

/*
 * Signs authorization data with the supplied keys; result comes back via
 * ret_authdata.  Same parameter-count remark as handle_authdata().
 */
krb5_error_code
sign_db_authdata (krb5_context context,
                  unsigned int flags,
                  krb5_const_principal client_princ,
                  krb5_db_entry *client,
                  krb5_db_entry *server,
                  krb5_db_entry *krbtgt,
                  krb5_keyblock *client_key,
                  krb5_keyblock *server_key,
                  krb5_keyblock *krbtgt_key,
                  krb5_timestamp authtime,
                  krb5_authdata **tgs_authdata,
                  krb5_keyblock *session_key,
                  krb5_authdata ***ret_authdata);

/*
 * S4U2Self / S4U2Proxy (constrained delegation) request handling.  Both
 * report a status string through the const char ** out-parameter, like
 * the validate_* functions.  kdc_process_s4u2self_req also returns the
 * parsed PA-S4U-X509-USER element and fills princ/nprincs in the
 * get_principal() style.  NOTE(review): these paths decide whether one
 * principal may obtain a ticket on behalf of another; any change here
 * should be reviewed against the status values the callers log.
 */
krb5_error_code
kdc_process_s4u2self_req (krb5_context context,
                          krb5_kdc_req *request,
                          krb5_const_principal client_princ,
                          const krb5_db_entry *server,
                          krb5_keyblock *tgs_subkey,
                          krb5_keyblock *tgs_session,
                          krb5_timestamp kdc_time,
                          krb5_pa_s4u_x509_user **s4u2self_req,
                          krb5_db_entry *princ,
                          int *nprincs,
                          const char **status);

krb5_error_code
kdc_make_s4u2self_rep (krb5_context context,
                       krb5_keyblock *tgs_subkey,
                       krb5_keyblock *tgs_session,
                       krb5_pa_s4u_x509_user *req_s4u_user,
                       krb5_kdc_rep *reply,
                       krb5_enc_kdc_rep_part *reply_encpart);

krb5_error_code
kdc_process_s4u2proxy_req (krb5_context context,
                           krb5_kdc_req *request,
                           const krb5_enc_tkt_part *t2enc,
                           const krb5_db_entry *server,
                           krb5_const_principal server_princ,
                           krb5_const_principal proxy_princ,
                           const char **status);

/* Cross-realm transit check on the encoded transited list between realm1 and realm2. */
krb5_error_code
kdc_check_transited_list (krb5_context context,
                          const krb5_data *trans,
                          const krb5_data *realm1,
                          const krb5_data *realm2);

/* Audit hooks; errcode is the outcome being recorded. */
krb5_error_code
audit_as_request (krb5_kdc_req *request,
                  krb5_db_entry *client,
                  krb5_db_entry *server,
                  krb5_timestamp authtime,
                  krb5_error_code errcode);

krb5_error_code
audit_tgs_request (krb5_kdc_req *request,
                   krb5_const_principal client,
                   krb5_db_entry *server,
                   krb5_timestamp authtime,
                   krb5_error_code errcode);

krb5_error_code
validate_transit_path(krb5_context context,
                      krb5_const_principal client,
                      krb5_db_entry *server,
                      krb5_db_entry *krbtgt);
/*
 * Writes the chosen ticket end time to *out_endtime, given the current
 * time, an existing endtime, the requested till, and both DB entries
 * (presumably to apply their lifetime limits -- confirm).
 */
void
kdc_get_ticket_endtime(krb5_context context,
                       krb5_timestamp now,
                       krb5_timestamp endtime,
                       krb5_timestamp till,
                       krb5_db_entry *client,
                       krb5_db_entry *server,
                       krb5_timestamp *out_endtime);

/*
 * Request logging.  The name strings (cname, sname, altcname, s4u_name)
 * and status/emsg are const char * and are not format strings; the
 * implementation must not pass them as fmt to kdc_err() or similar.
 */
void
log_as_req(const krb5_fulladdr *from,
           krb5_kdc_req *request, krb5_kdc_rep *reply,
           krb5_db_entry *client, const char *cname,
           krb5_db_entry *server, const char *sname,
           krb5_timestamp authtime,
           const char *status, krb5_error_code errcode, const char *emsg);
void
log_tgs_req(const krb5_fulladdr *from,
            krb5_kdc_req *request, krb5_kdc_rep *reply,
            const char *cname, const char *sname, const char *altcname,
            krb5_timestamp authtime,
            unsigned int c_flags, const char *s4u_name,
            const char *status, krb5_error_code errcode, const char *emsg);
void
log_tgs_alt_tgt(krb5_principal p);
357
/* Request state */
359
/*
 * Per-request state carried through the KDC request handlers.  Created by
 * kdc_make_rstate() and released by kdc_free_rstate() (declared below).
 * The field names point at FAST (RFC 6113) armoring; which of the two
 * krb5_int32 fields holds the krb5_fast_kdc_flags values is not stated
 * here -- confirm in the implementation.  NOTE(review): the keyblock and
 * cookie pointers are key material; confirm kdc_free_rstate() releases
 * them so they are not left behind after the request completes.
 */
struct kdc_request_state {
    krb5_keyblock *armor_key;           /* presumably the FAST armor key -- confirm */
    krb5_keyblock *strengthen_key;
    krb5_pa_data *cookie;               /* see kdc_preauth_get_cookie() */
    krb5_int32 fast_options;
    krb5_int32 fast_internal_flags;
};
367
/*
 * Allocate / release a kdc_request_state.  The ** out-parameter indicates
 * kdc_make_rstate allocates the struct; whether kdc_free_rstate also frees
 * the keyblocks and cookie it points to is not stated here -- confirm, so
 * callers neither leak nor double-free them.
 */
krb5_error_code kdc_make_rstate(struct kdc_request_state **out);
void kdc_free_rstate (struct kdc_request_state *s);
370
/* FAST */
/*
 * Bit flags describing how the reply key was handled for a FAST request.
 * Values are distinct bits so they can be combined with the isflagset /
 * setflag macros below.
 */
enum krb5_fast_kdc_flags {
    KRB5_FAST_REPLY_KEY_USED = 0x1,
    KRB5_FAST_REPLY_KEY_REPLACED = 0x02
};
376
/*
 * FAST unwrapping.  requestptr is a pointer-to-pointer, so the
 * implementation may replace *requestptr (presumably with the inner,
 * armored request -- confirm, and confirm who frees the outer one).
 */
krb5_error_code
kdc_find_fast (krb5_kdc_req **requestptr,  krb5_data *checksummed_data,
               krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
               struct kdc_request_state *state);

krb5_error_code
kdc_fast_response_handle_padata (struct kdc_request_state *state,
                                 krb5_kdc_req *request,
                                 krb5_kdc_rep *rep,
                                 krb5_enctype enctype);
/* Wraps an error reply for a FAST request; err is the error being returned. */
krb5_error_code
kdc_fast_handle_error (krb5_context context,
                       struct kdc_request_state *state,
                       krb5_kdc_req *request,
                       krb5_pa_data  **in_padata, krb5_error *err);

/*
 * Produces the reply key to use (out_key) given existing_key and the
 * request state; presumably where KRB5_FAST_REPLY_KEY_USED / _REPLACED
 * get set -- confirm.
 */
krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
                                          krb5_keyblock *existing_key,
                                          krb5_keyblock **out_key);


/* Hands back the cookie stored in state (see struct kdc_request_state). */
krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
                                       krb5_pa_data **cookie);
krb5_error_code
kdc_handle_protected_negotiation( krb5_data *req_pkt, krb5_kdc_req *request,
                                  const krb5_keyblock *reply_key,
                                  krb5_pa_data **out_enc_padata, int *idx);
/*
 * Host-to-realm mapping.  realmsp receives a list of strings; the header
 * does not say how it is terminated or freed -- confirm before use.
 */
krb5_error_code
krb5int_get_domain_realm_mapping(krb5_context context,
                                 const char *host, char ***realmsp);
407
408
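/*
 * Bit-flag helpers.  The flag-field argument is parenthesized so that a
 * caller passing an expression (e.g. "a | b") gets the intended
 * precedence: "&" binds tighter than "|", so the unparenthesized form
 * "a | b & (flag)" tested only b.  These expand to expressions, not
 * statements, and each argument is evaluated exactly once.
 *
 * Note that "clear" is a very generic identifier; because it is a macro,
 * any use of the name "clear" in a file that includes this header is
 * rewritten.
 */
#define isflagset(flagfield, flag) ((flagfield) & (flag))
#define setflag(flagfield, flag) ((flagfield) |= (flag))
#define clear(flagfield, flag) ((flagfield) &= ~(flag))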
412
/*
 * Classic min/max macros, defined only when the platform has not already
 * provided min.  Both arguments are evaluated twice, so never pass an
 * expression with side effects (e.g. "min(i++, n)").  Note that only min
 * is tested by the guard; max is defined alongside it without its own
 * check, so a platform that defines max but not min gets a redefinition.
 */
#ifndef min
#define min(a, b)       ((a) < (b) ? (a) : (b))
#define max(a, b)       ((a) > (b) ? (a) : (b))
#endif
417
/*
 * Map a krb5 address type to a socket address family.  Unrecognized types
 * map to -1, so callers must check the result before handing it to a
 * socket API.  AF_INET6 is only recognized when built with
 * KRB5_USE_INET6.  X is evaluated up to twice.
 */
#ifdef KRB5_USE_INET6
#define ADDRTYPE2FAMILY(X)                                              \
    ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
#else
#define ADDRTYPE2FAMILY(X)                      \
    ((X) == ADDRTYPE_INET ? AF_INET : -1)
#endif
425
/* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK
 * RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
 * The RFC 4120 name is an alias for the RFC 4556 code, so both names
 * produce the same error value on the wire. */
#define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
429
430 #endif /* __KRB5_KDC_UTIL__ */