1 /*
2  * kdc/kdc_util.h
3  *
4  * Portions Copyright (C) 2007 Apple Inc.
5  * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
6  *
7  * Export of this software from the United States of America may
8  *   require a specific license from the United States Government.
9  *   It is the responsibility of any person or organization contemplating
10  *   export to obtain such a license before exporting.
11  * 
12  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13  * distribute this software and its documentation for any purpose and
14  * without fee is hereby granted, provided that the above copyright
15  * notice appear in all copies and that both that copyright notice and
16  * this permission notice appear in supporting documentation, and that
17  * the name of M.I.T. not be used in advertising or publicity pertaining
18  * to distribution of the software without specific, written prior
19  * permission.  Furthermore if you modify this software you must label
20  * your software as modified software and not distribute it in such a
21  * fashion that it might be confused with the original M.I.T. software.
22  * M.I.T. makes no representations about the suitability of
23  * this software for any purpose.  It is provided "as is" without express
24  * or implied warranty.
25  * 
26  *
27  * Declarations for policy.c
28  */
29
/*
 * NOTE(review): identifiers beginning with a double underscore are
 * reserved for the implementation (C11 7.1.3), so this guard name is
 * technically off-limits.  A rename (e.g. KRB5_KDC_UTIL_H) would have
 * to update the matching #endif at the bottom of this file and any
 * other file that tests this macro.
 */
#ifndef __KRB5_KDC_UTIL__
#define __KRB5_KDC_UTIL__
32
33 #include "kdb.h"
34 #include "kdb_ext.h"
35
/*
 * A transport address plus port.  Passed (as a const pointer) to the
 * request entry points declared below -- process_as_req, process_tgs_req,
 * dispatch -- and as the "from" argument of log_as_req / log_tgs_req.
 * Whether the struct owns the krb5_address it points to is not visible
 * here; confirm against the code that fills it in before freeing either.
 */
typedef struct _krb5_fulladdr {
    krb5_address *      address;    /* peer address; lifetime managed by the caller -- confirm */
    krb5_ui_4           port;       /* port number; byte order not shown here -- confirm at the use sites */
} krb5_fulladdr;
40
41 krb5_error_code check_hot_list (krb5_ticket *);
42 krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
43 krb5_boolean is_local_principal(krb5_const_principal princ1);
44 krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
45 krb5_error_code add_to_transited (krb5_data *,
46                                             krb5_data *,
47                                             krb5_principal,
48                                             krb5_principal,
49                                             krb5_principal);
50 krb5_error_code compress_transited (krb5_data *,
51                                               krb5_principal,
52                                               krb5_data *);
53 krb5_error_code concat_authorization_data (krb5_authdata **,
54                                                      krb5_authdata **,
55                                                      krb5_authdata ***);
56 krb5_error_code fetch_last_req_info (krb5_db_entry *,
57                                                krb5_last_req_entry ***);
58
59 krb5_error_code kdc_convert_key (krb5_keyblock *,
60                                            krb5_keyblock *,
61                                            int);
62 krb5_error_code kdc_process_tgs_req 
63         (krb5_kdc_req *,
64                    const krb5_fulladdr *,
65                    krb5_data *,
66                    krb5_ticket **,
67                    krb5_db_entry *krbtgt,
68                    int *nprincs,
69                    krb5_keyblock **);
70
71 krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
72                                     krb5_boolean match_enctype,
73                                     krb5_db_entry *, int *,
74                                     krb5_keyblock **, krb5_kvno *);
75
76 int validate_as_request (krb5_kdc_req *, krb5_db_entry, 
77                                           krb5_db_entry, krb5_timestamp,
78                                           const char **);
79
80 int validate_forwardable(krb5_kdc_req *, krb5_db_entry, 
81                          krb5_db_entry, krb5_timestamp,
82                          const char **);
83
84 int validate_tgs_request (krb5_kdc_req *, krb5_db_entry, 
85                                           krb5_ticket *, krb5_timestamp,
86                                           const char **);
87
/*
 * Appears (from name and signature only) to pull one ASN.1 field out of
 * a raw, externally supplied byte buffer.  The declaration does not say
 * which of the two unsigned int arguments is the buffer length and which
 * selects the field; check the definition and every call site before
 * relying on the bound, and note the length is unsigned int, not size_t.
 */
int fetch_asn1_field (unsigned char *, unsigned int, unsigned int,
                                 krb5_data *);
90
91 int
92 dbentry_has_key_for_enctype (krb5_context context,
93                                        krb5_db_entry *client,
94                                        krb5_enctype enctype);
95     
96 int
97 dbentry_supports_enctype (krb5_context context,
98                                     krb5_db_entry *client,
99                                     krb5_enctype enctype);
100
101 krb5_enctype
102 select_session_keytype (krb5_context context,
103                                   krb5_db_entry *server,
104                                   int nktypes,
105                                   krb5_enctype *ktypes);
106
107 krb5_error_code
108 get_salt_from_key (krb5_context, krb5_principal,
109                              krb5_key_data *, krb5_data *);
110
void limit_string (char *name);

/*
 * Both formatters write into s, a caller-supplied buffer; len is
 * presumably its size in bytes and the bound the implementation is
 * expected to honour.  Whether the output is NUL-terminated on
 * truncation is not visible from the declaration -- confirm in the
 * definition before passing the result to string functions.
 */
void
ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);

void
rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
118
119 /* do_as_req.c */
120 krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *,
121                                           const krb5_fulladdr *,
122                                           krb5_data ** );
123
124 /* do_tgs_req.c */
125 krb5_error_code process_tgs_req (krb5_data *,
126                                            const krb5_fulladdr *,
127                                            krb5_data ** );
128 /* dispatch.c */
129 krb5_error_code dispatch (krb5_data *,
130                                     const krb5_fulladdr *,
131                                     krb5_data **);
132
133 /* main.c */
krb5_error_code kdc_initialize_rcache (krb5_context, char *);

krb5_error_code setup_server_realm (krb5_principal);
/*
 * Diagnostic wrapper; fmt appears to be a printf-style format string
 * with the variadic tail supplying its arguments.  Call sites should
 * pass a string literal for fmt, never text derived from a request.
 * Nothing on this declaration lets the compiler check argument types
 * against fmt; a printf-format attribute (via whatever portability
 * macro this tree provides, if any) would -- worth confirming.
 */
void kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...);
138
139 /* network.c */
140 krb5_error_code listen_and_process (void);
141 krb5_error_code setup_network (void);
142 krb5_error_code closedown_network (void);
143
144 /* policy.c */
145 int against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
146                                         krb5_db_entry, krb5_timestamp,
147                                         const char **);
148
149 int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
150                                         krb5_ticket *, const char **);
151
152 /* kdc_preauth.c */
153 const char * missing_required_preauth
154     (krb5_db_entry *client, krb5_db_entry *server,
155                krb5_enc_tkt_part *enc_tkt_reply);
156 void get_preauth_hint_list (krb5_kdc_req * request,
157                                       krb5_db_entry *client,
158                                       krb5_db_entry *server,
159                                       krb5_data *e_data);
160 krb5_error_code load_preauth_plugins(krb5_context context);
161 krb5_error_code unload_preauth_plugins(krb5_context context);
162
163 krb5_error_code check_padata
164     (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
165                krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
166                void **padata_context, krb5_data *e_data);
167     
168 krb5_error_code return_padata
169     (krb5_context context, krb5_db_entry *client,
170                krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
171                krb5_key_data *client_key, krb5_keyblock *encrypting_key,
172                void **padata_context);
173     
174 krb5_error_code free_padata_context
175     (krb5_context context, void **padata_context);
176
177 krb5_pa_data *find_pa_data
178     (krb5_pa_data **padata, krb5_preauthtype pa_type);
179
180 /* kdc_authdata.c */
181 krb5_error_code load_authdata_plugins(krb5_context context);
182 krb5_error_code unload_authdata_plugins(krb5_context context);
183
184 krb5_error_code
185 handle_authdata (krb5_context context,
186                  unsigned int flags,
187                  krb5_db_entry *client,
188                  krb5_db_entry *server,
189                  krb5_db_entry *krbtgt,
190                  krb5_keyblock *client_key,
191                  krb5_keyblock *server_key,
192                  krb5_data *req_pkt,
193                  krb5_kdc_req *request,
194                  krb5_const_principal for_user_princ,
195                  krb5_enc_tkt_part *enc_tkt_request,
196                  krb5_enc_tkt_part *enc_tkt_reply);
197
198 /* replay.c */
199 krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
200 void kdc_insert_lookaside (krb5_data *, krb5_data *);
201 void kdc_free_lookaside(krb5_context);
202
203 /* kdc_util.c */
204 krb5_error_code
205 get_principal_locked (krb5_context kcontext,
206                       krb5_const_principal search_for,
207                       krb5_db_entry *entries, int *nentries,
208                       krb5_boolean *more);
209 krb5_error_code
210 get_principal (krb5_context kcontext,
211                krb5_const_principal search_for,
212                krb5_db_entry *entries, int *nentries, krb5_boolean *more);
213
214 krb5_boolean
215 include_pac_p(krb5_context context, krb5_kdc_req *request);
216
217 krb5_error_code return_svr_referral_data
218    (krb5_context context,
219                 krb5_db_entry *server,
220                 krb5_enc_kdc_rep_part *reply_encpart);
221
222 krb5_error_code sign_db_authdata
223     (krb5_context context,
224                 unsigned int flags,
225                 krb5_const_principal client_princ,
226                 krb5_db_entry *client,
227                 krb5_db_entry *server,
228                 krb5_db_entry *krbtgt,
229                 krb5_keyblock *client_key,
230                 krb5_keyblock *server_key,
231                 krb5_timestamp authtime,
232                 krb5_authdata **tgs_authdata,
233                 krb5_authdata ***ret_authdata,
234                 krb5_db_entry *ad_entry,
235                 int *ad_nprincs);
236
237 krb5_error_code kdc_process_s4u2self_req
238         (krb5_context context,
239                 krb5_kdc_req *request,
240                 krb5_const_principal client_princ,
241                 const krb5_db_entry *server,
242                 krb5_keyblock *subkey,
243                 krb5_timestamp kdc_time,
244                 krb5_pa_for_user **s4u2_req,
245                 krb5_db_entry *princ,
246                 int *nprincs,
247                 const char **status);
248
249 krb5_error_code kdc_process_s4u2proxy_req
250         (krb5_context context,
251                 krb5_kdc_req *request,
252                 const krb5_enc_tkt_part *t2enc,
253                 const krb5_db_entry *server,
254                 krb5_const_principal server_princ,
255                 krb5_const_principal proxy_princ,
256                 const char **status);
257
258 krb5_error_code kdc_check_transited_list
259         (krb5_context context,
260                 const krb5_data *trans,
261                 const krb5_data *realm1,
262                 const krb5_data *realm2);
263
264 krb5_error_code audit_as_request
265         (krb5_kdc_req *request,
266                 krb5_db_entry *client,
267                 krb5_db_entry *server,
268                 krb5_timestamp authtime,
269                 krb5_error_code errcode);
270
271 krb5_error_code audit_tgs_request
272         (krb5_kdc_req *request,
273                 krb5_const_principal client,
274                 krb5_db_entry *server,
275                 krb5_timestamp authtime,
276                 krb5_error_code errcode);
277
278 krb5_error_code
279 validate_transit_path(krb5_context context,
280         krb5_const_principal client,
281                 krb5_db_entry *server,
282                       krb5_db_entry *krbtgt);
283
284
285 void
286 log_as_req(const krb5_fulladdr *from,
287            krb5_kdc_req *request, krb5_kdc_rep *reply,
288            krb5_db_entry *client, const char *cname,
289            krb5_db_entry *server, const char *sname,
290            krb5_timestamp authtime,
291            const char *status, krb5_error_code errcode, const char *emsg);
292 void
293 log_tgs_req(const krb5_fulladdr *from,
294             krb5_kdc_req *request, krb5_kdc_rep *reply,
295             const char *cname, const char *sname, const char *altcname,
296             krb5_timestamp authtime,
297             unsigned int c_flags, const char *s4u_name,
298             const char *status, krb5_error_code errcode, const char *emsg);
299 void log_tgs_alt_tgt(krb5_principal p);
300
301
302
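/*
 * Bit-flag helpers.  flagfield is parenthesised so that callers passing
 * an expression (a member access, a bitwise-or of two fields, ...) get
 * the intended precedence: without the parentheses isflagset(a | b, f)
 * expanded to a | (b & f), which is non-zero whenever a is.  flagfield
 * must be an lvalue for setflag and clear.  The generic name "clear"
 * collides easily; keep its use local to the KDC sources.
 */
#define isflagset(flagfield, flag) ((flagfield) & (flag))
#define setflag(flagfield, flag) ((flagfield) |= (flag))
#define clear(flagfield, flag) ((flagfield) &= ~(flag))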
306
#ifndef min
/* Both arguments are evaluated twice; do not pass expressions with side effects. */
#define min(a, b)       ((a) < (b) ? (a) : (b))
#define max(a, b)       ((a) > (b) ? (a) : (b))
#endif
311
/*
 * Map a krb5 address type to a socket address family.  Only ADDRTYPE_INET
 * (and ADDRTYPE_INET6 when KRB5_USE_INET6 is defined) are recognised;
 * anything else yields -1, which callers must check before handing the
 * value to the sockets API.  X is evaluated up to twice.
 */
#ifdef KRB5_USE_INET6
#define ADDRTYPE2FAMILY(X) \
  ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
#else
#define ADDRTYPE2FAMILY(X) \
  ((X) == ADDRTYPE_INET ? AF_INET : -1)
#endif
319
320 /* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK
321  * RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED */
322 #define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
323
324 #endif /* __KRB5_KDC_UTIL__ */