1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
5 * Portions Copyright (C) 2007 Apple Inc.
6 * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
8 * Export of this software from the United States of America may
9 * require a specific license from the United States Government.
10 * It is the responsibility of any person or organization contemplating
11 * export to obtain such a license before exporting.
13 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
14 * distribute this software and its documentation for any purpose and
15 * without fee is hereby granted, provided that the above copyright
16 * notice appear in all copies and that both that copyright notice and
17 * this permission notice appear in supporting documentation, and that
18 * the name of M.I.T. not be used in advertising or publicity pertaining
19 * to distribution of the software without specific, written prior
20 * permission. Furthermore if you modify this software you must label
21 * your software as modified software and not distribute it in such a
22 * fashion that it might be confused with the original M.I.T. software.
23 * M.I.T. makes no representations about the suitability of
24 * this software for any purpose. It is provided "as is" without express
25 * or implied warranty.
28 * Declarations for policy.c
31 #ifndef __KRB5_KDC_UTIL__
32 #define __KRB5_KDC_UTIL__
37 typedef struct _krb5_fulladdr {
38 krb5_address * address;
42 krb5_error_code check_hot_list (krb5_ticket *);
43 krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
44 krb5_boolean is_local_principal(krb5_const_principal princ1);
45 krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
46 krb5_error_code add_to_transited (krb5_data *,
51 krb5_error_code compress_transited (krb5_data *,
54 krb5_error_code concat_authorization_data (krb5_authdata **,
57 krb5_error_code fetch_last_req_info (krb5_db_entry *,
58 krb5_last_req_entry ***);
60 krb5_error_code kdc_convert_key (krb5_keyblock *,
63 krb5_error_code kdc_process_tgs_req
65 const krb5_fulladdr *,
68 krb5_db_entry *krbtgt,
70 krb5_keyblock **, krb5_keyblock **,
71 krb5_pa_data **pa_tgs_req);
73 krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
74 krb5_boolean match_enctype,
75 krb5_db_entry *, int *,
76 krb5_keyblock **, krb5_kvno *);
78 int validate_as_request (krb5_kdc_req *, krb5_db_entry,
79 krb5_db_entry, krb5_timestamp,
80 const char **, krb5_data *);
82 int validate_forwardable(krb5_kdc_req *, krb5_db_entry,
83 krb5_db_entry, krb5_timestamp,
86 int validate_tgs_request (krb5_kdc_req *, krb5_db_entry,
87 krb5_ticket *, krb5_timestamp,
88 const char **, krb5_data *);
90 int fetch_asn1_field (unsigned char *, unsigned int, unsigned int,
94 dbentry_has_key_for_enctype (krb5_context context,
95 krb5_db_entry *client,
96 krb5_enctype enctype);
99 dbentry_supports_enctype (krb5_context context,
100 krb5_db_entry *client,
101 krb5_enctype enctype);
104 select_session_keytype (krb5_context context,
105 krb5_db_entry *server,
107 krb5_enctype *ktypes);
110 get_salt_from_key (krb5_context, krb5_principal,
111 krb5_key_data *, krb5_data *);
113 void limit_string (char *name);
116 ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
119 rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
122 krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *,
123 const krb5_fulladdr *,
127 krb5_error_code process_tgs_req (krb5_data *,
128 const krb5_fulladdr *,
131 krb5_error_code dispatch (krb5_data *,
132 const krb5_fulladdr *,
136 krb5_error_code kdc_initialize_rcache (krb5_context, char *);
138 krb5_error_code setup_server_realm (krb5_principal);
139 void kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...);
142 krb5_error_code listen_and_process (void);
143 krb5_error_code setup_network (void);
144 krb5_error_code closedown_network (void);
147 int against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
148 krb5_db_entry, krb5_timestamp,
149 const char **, krb5_data *);
151 int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
152 krb5_ticket *, const char **,
156 krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype);
158 const char * missing_required_preauth
159 (krb5_db_entry *client, krb5_db_entry *server,
160 krb5_enc_tkt_part *enc_tkt_reply);
161 void get_preauth_hint_list (krb5_kdc_req * request,
162 krb5_db_entry *client,
163 krb5_db_entry *server,
165 krb5_error_code load_preauth_plugins(krb5_context context);
166 krb5_error_code unload_preauth_plugins(krb5_context context);
168 krb5_error_code check_padata
169 (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
170 krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
171 void **padata_context, krb5_data *e_data);
173 krb5_error_code return_padata
174 (krb5_context context, krb5_db_entry *client,
175 krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
176 krb5_key_data *client_key, krb5_keyblock *encrypting_key,
177 void **padata_context);
179 krb5_error_code free_padata_context
180 (krb5_context context, void **padata_context);
182 krb5_pa_data *find_pa_data
183 (krb5_pa_data **padata, krb5_preauthtype pa_type);
185 krb5_error_code add_pa_data_element
186 (krb5_context context,
187 krb5_pa_data *padata,
188 krb5_pa_data ***out_padata,
192 krb5_error_code load_authdata_plugins(krb5_context context);
193 krb5_error_code unload_authdata_plugins(krb5_context context);
196 handle_authdata (krb5_context context,
198 krb5_db_entry *client,
199 krb5_db_entry *server,
200 krb5_db_entry *krbtgt,
201 krb5_keyblock *client_key,
202 krb5_keyblock *server_key,
203 krb5_keyblock *krbtgt_key,
205 krb5_kdc_req *request,
206 krb5_const_principal for_user_princ,
207 krb5_enc_tkt_part *enc_tkt_request,
208 krb5_enc_tkt_part *enc_tkt_reply);
211 krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
212 void kdc_insert_lookaside (krb5_data *, krb5_data *);
213 void kdc_free_lookaside(krb5_context);
217 get_principal_locked (krb5_context kcontext,
218 krb5_const_principal search_for,
219 krb5_db_entry *entries, int *nentries,
222 get_principal (krb5_context kcontext,
223 krb5_const_principal search_for,
224 krb5_db_entry *entries, int *nentries, krb5_boolean *more);
227 include_pac_p(krb5_context context, krb5_kdc_req *request);
229 krb5_error_code return_svr_referral_data
230 (krb5_context context,
231 krb5_db_entry *server,
232 krb5_enc_kdc_rep_part *reply_encpart);
234 krb5_error_code sign_db_authdata
235 (krb5_context context,
237 krb5_const_principal client_princ,
238 krb5_db_entry *client,
239 krb5_db_entry *server,
240 krb5_db_entry *krbtgt,
241 krb5_keyblock *client_key,
242 krb5_keyblock *server_key,
243 krb5_keyblock *krbtgt_key,
244 krb5_timestamp authtime,
245 krb5_authdata **tgs_authdata,
246 krb5_keyblock *session_key,
247 krb5_authdata ***ret_authdata);
249 krb5_error_code kdc_process_s4u2self_req
250 (krb5_context context,
251 krb5_kdc_req *request,
252 krb5_const_principal client_princ,
253 const krb5_db_entry *server,
254 krb5_keyblock *tgs_subkey,
255 krb5_keyblock *tgs_session,
256 krb5_timestamp kdc_time,
257 krb5_pa_s4u_x509_user **s4u2self_req,
258 krb5_db_entry *princ,
260 const char **status);
262 krb5_error_code kdc_make_s4u2self_rep
263 (krb5_context context,
264 krb5_keyblock *tgs_subkey,
265 krb5_keyblock *tgs_session,
266 krb5_pa_s4u_x509_user *req_s4u_user,
268 krb5_enc_kdc_rep_part *reply_encpart);
270 krb5_error_code kdc_process_s4u2proxy_req
271 (krb5_context context,
272 krb5_kdc_req *request,
273 const krb5_enc_tkt_part *t2enc,
274 const krb5_db_entry *server,
275 krb5_const_principal server_princ,
276 krb5_const_principal proxy_princ,
277 const char **status);
279 krb5_error_code kdc_check_transited_list
280 (krb5_context context,
281 const krb5_data *trans,
282 const krb5_data *realm1,
283 const krb5_data *realm2);
285 krb5_error_code audit_as_request
286 (krb5_kdc_req *request,
287 krb5_db_entry *client,
288 krb5_db_entry *server,
289 krb5_timestamp authtime,
290 krb5_error_code errcode);
292 krb5_error_code audit_tgs_request
293 (krb5_kdc_req *request,
294 krb5_const_principal client,
295 krb5_db_entry *server,
296 krb5_timestamp authtime,
297 krb5_error_code errcode);
300 validate_transit_path(krb5_context context,
301 krb5_const_principal client,
302 krb5_db_entry *server,
303 krb5_db_entry *krbtgt);
305 kdc_get_ticket_endtime(krb5_context context,
307 krb5_timestamp endtime,
309 krb5_db_entry *client,
310 krb5_db_entry *server,
311 krb5_timestamp *out_endtime);
314 log_as_req(const krb5_fulladdr *from,
315 krb5_kdc_req *request, krb5_kdc_rep *reply,
316 krb5_db_entry *client, const char *cname,
317 krb5_db_entry *server, const char *sname,
318 krb5_timestamp authtime,
319 const char *status, krb5_error_code errcode, const char *emsg);
321 log_tgs_req(const krb5_fulladdr *from,
322 krb5_kdc_req *request, krb5_kdc_rep *reply,
323 const char *cname, const char *sname, const char *altcname,
324 krb5_timestamp authtime,
325 unsigned int c_flags, const char *s4u_name,
326 const char *status, krb5_error_code errcode, const char *emsg);
327 void log_tgs_alt_tgt(krb5_principal p);
331 struct kdc_request_state {
332 krb5_keyblock *armor_key;
333 krb5_keyblock *strengthen_key;
334 krb5_pa_data *cookie;
335 krb5_int32 fast_options;
336 krb5_int32 fast_internal_flags;
339 krb5_error_code kdc_make_rstate(struct kdc_request_state **out);
341 (struct kdc_request_state *s);
344 enum krb5_fast_kdc_flags {
345 KRB5_FAST_REPLY_KEY_USED = 0x1,
346 KRB5_FAST_REPLY_KEY_REPLACED = 0x02,
349 krb5_error_code kdc_find_fast
350 (krb5_kdc_req **requestptr, krb5_data *checksummed_data,
351 krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
352 struct kdc_request_state *state);
354 krb5_error_code kdc_fast_response_handle_padata
355 (struct kdc_request_state *state,
356 krb5_kdc_req *request,
358 krb5_enctype enctype);
359 krb5_error_code kdc_fast_handle_error
360 (krb5_context context, struct kdc_request_state *state,
361 krb5_kdc_req *request,
362 krb5_pa_data **in_padata, krb5_error *err);
364 krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
365 krb5_keyblock *existing_key,
366 krb5_keyblock **out_key);
369 krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
370 krb5_pa_data **cookie);
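/*
 * Bit-flag helpers for the KDC's flag words (ticket flags, KDC options,
 * FAST flags).
 *
 * Every macro parameter is now parenthesized: the previous definitions left
 * flagfield bare, so a compound first argument such as
 * isflagset(a | b, F) expanded to (a | (b & F)) instead of ((a | b) & F),
 * which is a true result whenever a is non-zero regardless of F.  Since
 * these tests gate authorization decisions in the validators declared
 * above, a mis-bound check is a policy bypass, not a cosmetic bug.
 *
 * isflagset() yields zero/non-zero, not 0/1 -- test it in a boolean
 * context or compare against 0, never against TRUE.  setflag() and
 * clear() assign through flagfield, which must therefore be a modifiable
 * lvalue.  NOTE(review): `clear' is a very generic name for a header
 * macro; any identifier spelled clear in a translation unit that includes
 * this header will be rewritten by it.
 */
#define isflagset(flagfield, flag) ((flagfield) & (flag))
#define setflag(flagfield, flag)   ((flagfield) |= (flag))
#define clear(flagfield, flag)     ((flagfield) &= ~(flag))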
/*
 * Classic ternary min/max.  Each argument is evaluated twice, so never pass
 * an expression with side effects (min(i++, n) increments i twice) or an
 * expensive call.  The comparison is subject to the usual arithmetic
 * conversions: mixing a signed and an unsigned operand promotes to
 * unsigned, so min(-1, 1u) is 1u -- compare like-signed values only.
 * NOTE(review): lowercase min/max are also defined by some system and
 * third-party headers; check for a conflicting definition before adding
 * includes ahead of this point.
 */
#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))
384 #ifdef KRB5_USE_INET6
385 #define ADDRTYPE2FAMILY(X) \
386 ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
388 #define ADDRTYPE2FAMILY(X) \
389 ((X) == ADDRTYPE_INET ? AF_INET : -1)
/*
 * RFC 4120 refers to this error code as KRB5KDC_ERR_KEY_TOO_WEAK, while
 * RFC 4556 (PKINIT) gives the same code the name
 * KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.  The RFC 4120 spelling is
 * aliased to the RFC 4556 one -- presumably because only the latter is
 * defined in the error table -- so both names yield a single wire value
 * and callers may use whichever matches the context they are in.
 */
#define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
396 #endif /* __KRB5_KDC_UTIL__ */