4 * Portions Copyright (C) 2007 Apple Inc.
5 * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. Furthermore if you modify this software you must label
20 * your software as modified software and not distribute it in such a
21 * fashion that it might be confused with the original M.I.T. software.
22 * M.I.T. makes no representations about the suitability of
23 * this software for any purpose. It is provided "as is" without express
24 * or implied warranty.
27 * Declarations for policy.c
30 #ifndef __KRB5_KDC_UTIL__
31 #define __KRB5_KDC_UTIL__
36 typedef struct _krb5_fulladdr {
37 krb5_address * address;
41 krb5_error_code check_hot_list (krb5_ticket *);
42 krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
43 krb5_boolean is_local_principal(krb5_const_principal princ1);
44 krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
45 krb5_error_code add_to_transited (krb5_data *,
50 krb5_error_code compress_transited (krb5_data *,
53 krb5_error_code concat_authorization_data (krb5_authdata **,
56 krb5_error_code fetch_last_req_info (krb5_db_entry *,
57 krb5_last_req_entry ***);
59 krb5_error_code kdc_convert_key (krb5_keyblock *,
62 krb5_error_code kdc_process_tgs_req
64 const krb5_fulladdr *,
67 krb5_db_entry *krbtgt,
71 krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
72 krb5_boolean match_enctype,
73 krb5_db_entry *, int *,
74 krb5_keyblock **, krb5_kvno *);
76 int validate_as_request (krb5_kdc_req *, krb5_db_entry,
77 krb5_db_entry, krb5_timestamp,
80 int validate_forwardable(krb5_kdc_req *, krb5_db_entry,
81 krb5_db_entry, krb5_timestamp,
84 int validate_tgs_request (krb5_kdc_req *, krb5_db_entry,
85 krb5_ticket *, krb5_timestamp,
88 int fetch_asn1_field (unsigned char *, unsigned int, unsigned int,
92 dbentry_has_key_for_enctype (krb5_context context,
93 krb5_db_entry *client,
94 krb5_enctype enctype);
97 dbentry_supports_enctype (krb5_context context,
98 krb5_db_entry *client,
99 krb5_enctype enctype);
102 select_session_keytype (krb5_context context,
103 krb5_db_entry *server,
105 krb5_enctype *ktypes);
108 get_salt_from_key (krb5_context, krb5_principal,
109 krb5_key_data *, krb5_data *);
111 void limit_string (char *name);
114 ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
117 rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
120 krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *,
121 const krb5_fulladdr *,
125 krb5_error_code process_tgs_req (krb5_data *,
126 const krb5_fulladdr *,
129 krb5_error_code dispatch (krb5_data *,
130 const krb5_fulladdr *,
134 krb5_error_code kdc_initialize_rcache (krb5_context, char *);
136 krb5_error_code setup_server_realm (krb5_principal);
137 void kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...);
140 krb5_error_code listen_and_process (void);
141 krb5_error_code setup_network (void);
142 krb5_error_code closedown_network (void);
145 int against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
146 krb5_db_entry, krb5_timestamp,
149 int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
150 krb5_ticket *, const char **);
153 const char * missing_required_preauth
154 (krb5_db_entry *client, krb5_db_entry *server,
155 krb5_enc_tkt_part *enc_tkt_reply);
156 void get_preauth_hint_list (krb5_kdc_req * request,
157 krb5_db_entry *client,
158 krb5_db_entry *server,
160 krb5_error_code load_preauth_plugins(krb5_context context);
161 krb5_error_code unload_preauth_plugins(krb5_context context);
163 krb5_error_code check_padata
164 (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
165 krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
166 void **padata_context, krb5_data *e_data);
168 krb5_error_code return_padata
169 (krb5_context context, krb5_db_entry *client,
170 krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
171 krb5_key_data *client_key, krb5_keyblock *encrypting_key,
172 void **padata_context);
174 krb5_error_code free_padata_context
175 (krb5_context context, void **padata_context);
177 krb5_pa_data *find_pa_data
178 (krb5_pa_data **padata, krb5_preauthtype pa_type);
181 krb5_error_code load_authdata_plugins(krb5_context context);
182 krb5_error_code unload_authdata_plugins(krb5_context context);
185 handle_authdata (krb5_context context,
187 krb5_db_entry *client,
188 krb5_db_entry *server,
189 krb5_db_entry *krbtgt,
190 krb5_keyblock *client_key,
191 krb5_keyblock *server_key,
193 krb5_kdc_req *request,
194 krb5_const_principal for_user_princ,
195 krb5_enc_tkt_part *enc_tkt_request,
196 krb5_enc_tkt_part *enc_tkt_reply);
199 krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
200 void kdc_insert_lookaside (krb5_data *, krb5_data *);
201 void kdc_free_lookaside(krb5_context);
205 get_principal_locked (krb5_context kcontext,
206 krb5_const_principal search_for,
207 krb5_db_entry *entries, int *nentries,
210 get_principal (krb5_context kcontext,
211 krb5_const_principal search_for,
212 krb5_db_entry *entries, int *nentries, krb5_boolean *more);
215 include_pac_p(krb5_context context, krb5_kdc_req *request);
217 krb5_error_code return_svr_referral_data
218 (krb5_context context,
219 krb5_db_entry *server,
220 krb5_enc_kdc_rep_part *reply_encpart);
222 krb5_error_code sign_db_authdata
223 (krb5_context context,
225 krb5_const_principal client_princ,
226 krb5_db_entry *client,
227 krb5_db_entry *server,
228 krb5_db_entry *krbtgt,
229 krb5_keyblock *client_key,
230 krb5_keyblock *server_key,
231 krb5_timestamp authtime,
232 krb5_authdata **tgs_authdata,
233 krb5_authdata ***ret_authdata,
234 krb5_db_entry *ad_entry,
237 krb5_error_code kdc_process_s4u2self_req
238 (krb5_context context,
239 krb5_kdc_req *request,
240 krb5_const_principal client_princ,
241 const krb5_db_entry *server,
242 krb5_keyblock *subkey,
243 krb5_timestamp kdc_time,
244 krb5_pa_for_user **s4u2_req,
245 krb5_db_entry *princ,
247 const char **status);
249 krb5_error_code kdc_process_s4u2proxy_req
250 (krb5_context context,
251 krb5_kdc_req *request,
252 const krb5_enc_tkt_part *t2enc,
253 const krb5_db_entry *server,
254 krb5_const_principal server_princ,
255 krb5_const_principal proxy_princ,
256 const char **status);
258 krb5_error_code kdc_check_transited_list
259 (krb5_context context,
260 const krb5_data *trans,
261 const krb5_data *realm1,
262 const krb5_data *realm2);
264 krb5_error_code audit_as_request
265 (krb5_kdc_req *request,
266 krb5_db_entry *client,
267 krb5_db_entry *server,
268 krb5_timestamp authtime,
269 krb5_error_code errcode);
271 krb5_error_code audit_tgs_request
272 (krb5_kdc_req *request,
273 krb5_const_principal client,
274 krb5_db_entry *server,
275 krb5_timestamp authtime,
276 krb5_error_code errcode);
279 validate_transit_path(krb5_context context,
280 krb5_const_principal client,
281 krb5_db_entry *server,
282 krb5_db_entry *krbtgt);
286 log_as_req(const krb5_fulladdr *from,
287 krb5_kdc_req *request, krb5_kdc_rep *reply,
288 krb5_db_entry *client, const char *cname,
289 krb5_db_entry *server, const char *sname,
290 krb5_timestamp authtime,
291 const char *status, krb5_error_code errcode, const char *emsg);
293 log_tgs_req(const krb5_fulladdr *from,
294 krb5_kdc_req *request, krb5_kdc_rep *reply,
295 const char *cname, const char *sname, const char *altcname,
296 krb5_timestamp authtime,
297 unsigned int c_flags, const char *s4u_name,
298 const char *status, krb5_error_code errcode, const char *emsg);
299 void log_tgs_alt_tgt(krb5_principal p);
303 #define isflagset(flagfield, flag) (flagfield & (flag))
304 #define setflag(flagfield, flag) (flagfield |= (flag))
305 #define clear(flagfield, flag) (flagfield &= ~(flag))
308 #define min(a, b) ((a) < (b) ? (a) : (b))
309 #define max(a, b) ((a) > (b) ? (a) : (b))
312 #ifdef KRB5_USE_INET6
313 #define ADDRTYPE2FAMILY(X) \
314 ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
316 #define ADDRTYPE2FAMILY(X) \
317 ((X) == ADDRTYPE_INET ? AF_INET : -1)
320 /* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK
321 * RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED */
322 #define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
324 #endif /* __KRB5_KDC_UTIL__ */