1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /*
3  * kdc/kdc_util.h
4  *
5  * Portions Copyright (C) 2007 Apple Inc.
6  * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
7  *
8  * Export of this software from the United States of America may
9  *   require a specific license from the United States Government.
10  *   It is the responsibility of any person or organization contemplating
11  *   export to obtain such a license before exporting.
12  *
13  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
14  * distribute this software and its documentation for any purpose and
15  * without fee is hereby granted, provided that the above copyright
16  * notice appear in all copies and that both that copyright notice and
17  * this permission notice appear in supporting documentation, and that
18  * the name of M.I.T. not be used in advertising or publicity pertaining
19  * to distribution of the software without specific, written prior
20  * permission.  Furthermore if you modify this software you must label
21  * your software as modified software and not distribute it in such a
22  * fashion that it might be confused with the original M.I.T. software.
23  * M.I.T. makes no representations about the suitability of
24  * this software for any purpose.  It is provided "as is" without express
25  * or implied warranty.
26  *
27  *
 * Declarations shared by the KDC sources (kdc_util.c, policy.c, do_as_req.c,
 * do_tgs_req.c, dispatch.c, main.c, network.c, replay.c, kdc_preauth.c and
 * kdc_authdata.c), plus the KDC-wide flag and address-family helper macros.
29  */
30
31 #ifndef __KRB5_KDC_UTIL__
32 #define __KRB5_KDC_UTIL__
33
34 #include "kdb.h"
35 #include "kdb_ext.h"
36
/* A peer endpoint as handed to the request handlers: a krb5 address plus a
 * port.  The port is stored as a krb5_ui_4, not a 16-bit type; its byte order
 * is not fixed here — check the code that fills it in (network.c, presumably).
 * Whether `address' is owned by this struct or borrowed is not visible here. */
typedef struct _krb5_fulladdr {
    krb5_address *      address;
    krb5_ui_4           port;
} krb5_fulladdr;
41
/* Ticket/principal helpers and transited-realm handling.  These are
 * declarations only; the notes give what the signatures show, and guesses
 * about semantics are marked as such. */

/* Returns 0 when the ticket passes the KDC's "hot list" check, otherwise an
 * error code.  What the list holds is not visible here — see the definition. */
krb5_error_code check_hot_list (krb5_ticket *);
/* Boolean comparison of the realms of two principals. */
krb5_boolean realm_compare (krb5_const_principal, krb5_const_principal);
/* Boolean: does princ1 belong to the realm this KDC serves (presumably the one
 * installed by setup_server_realm() below — confirm). */
krb5_boolean is_local_principal(krb5_const_principal princ1);
/* Boolean: is the principal a ticket-granting-service (krbtgt) principal. */
krb5_boolean krb5_is_tgs_principal (krb5_const_principal);
/* Extends a transited-realms encoding (first krb5_data in, result in the
 * second).  Which of the three principals contributes the added realm is not
 * visible from the prototype.  NOTE(review): the transited field of a TGT
 * presented on a TGS request is client-influenced input; the policy check on
 * it is kdc_check_transited_list(), declared further down — confirm the
 * callers that extend the list also apply that check. */
krb5_error_code add_to_transited (krb5_data *,
                                  krb5_data *,
                                  krb5_principal,
                                  krb5_principal,
                                  krb5_principal);
/* Produces a compressed transited encoding (third argument) from an
 * uncompressed one (first argument). */
krb5_error_code compress_transited (krb5_data *,
                                    krb5_principal,
                                    krb5_data *);
/* Concatenates two authdata lists into a newly built third list returned via
 * the out param.  Ownership of the result (presumably the caller frees it)
 * is not stated here — confirm in the definition. */
krb5_error_code concat_authorization_data (krb5_authdata **,
                                           krb5_authdata **,
                                           krb5_authdata ***);
/* Builds the last-request entry array for a DB entry (out param). */
krb5_error_code fetch_last_req_info (krb5_db_entry *,
                                     krb5_last_req_entry ***);
59
/* Converts one keyblock into another; the int selects the conversion (its
 * meaning is not decodable from the prototype — see kdc_convert_key()). */
krb5_error_code kdc_convert_key (krb5_keyblock *,
                                 krb5_keyblock *,
                                 int);
/* Processes the authentication header of a TGS-REQ (the PA-TGS-REQ padata),
 * yielding the presented ticket, the krbtgt DB entry (with *nprincs entries
 * filled in) and two keyblocks.  Which of the two keyblock outputs is the
 * authenticator subkey and which the ticket session key is not stated here —
 * confirm against the definition before relying on the order.  The raw packet
 * (krb5_data *) is presumably needed for checksum verification. */
krb5_error_code kdc_process_tgs_req
(krb5_kdc_req *,
 const krb5_fulladdr *,
 krb5_data *,
 krb5_ticket **,
 krb5_db_entry *krbtgt,
 int *nprincs,
 krb5_keyblock **, krb5_keyblock **,
 krb5_pa_data **pa_tgs_req);

/* Looks up the server key for a ticket.  The unsigned int is presumably the
 * requested kvno (the actual kvno used is returned through the krb5_kvno *);
 * match_enctype controls whether the key's enctype must match the ticket's.
 * NOTE(review): a kvno taken from a presented ticket is client-controlled —
 * confirm in the definition how an unknown kvno is handled. */
krb5_error_code kdc_get_server_key (krb5_ticket *, unsigned int,
                                    krb5_boolean match_enctype,
                                    krb5_db_entry *, int *,
                                    krb5_keyblock **, krb5_kvno *);
77
/* Request validators.  Each returns 0 when the request may proceed and nonzero
 * when it must be refused; the const char ** presumably receives a status
 * string for the log and the krb5_data * error data for the KRB-ERROR —
 * confirm in the definitions.  Note that the krb5_db_entry parameters are
 * passed by value (a struct copy), not by pointer, so the copies share
 * whatever pointers the entry holds. */
int validate_as_request (krb5_kdc_req *, krb5_db_entry,
                         krb5_db_entry, krb5_timestamp,
                         const char **, krb5_data *);

int validate_forwardable(krb5_kdc_req *, krb5_db_entry,
                         krb5_db_entry, krb5_timestamp,
                         const char **);

int validate_tgs_request (krb5_kdc_req *, krb5_db_entry,
                          krb5_ticket *, krb5_timestamp,
                          const char **, krb5_data *);

/* Pulls one field out of a raw DER buffer (pointer, then presumably the
 * buffer length and a field selector) into the krb5_data out param; returns
 * nonzero on failure.  NOTE(review): this walks attacker-supplied wire bytes —
 * every read must be bounded by the length argument; check the definition. */
int fetch_asn1_field (unsigned char *, unsigned int, unsigned int,
                      krb5_data *);
92
/* Nonzero when the DB entry has a stored key of the given enctype. */
int
dbentry_has_key_for_enctype (krb5_context context,
                             krb5_db_entry *client,
                             krb5_enctype enctype);

/* Nonzero when the entry can be served with this enctype.  How this differs
 * from having a stored key of that type is not visible here — confirm. */
int
dbentry_supports_enctype (krb5_context context,
                          krb5_db_entry *client,
                          krb5_enctype enctype);

/* Picks the session-key enctype for a ticket to `server' from the nktypes
 * enctypes in ktypes (the client's requested list).  NOTE(review): this is
 * the point where an enctype downgrade would be decided; the ordering rule
 * and any permitted-enctypes filter it applies live in the definition. */
krb5_enctype
select_session_keytype (krb5_context context,
                        krb5_db_entry *server,
                        int nktypes,
                        krb5_enctype *ktypes);

/* Extracts the salt belonging to a stored key into the krb5_data out param;
 * the principal is presumably used to derive the default salt when the key
 * carries none — confirm. */
krb5_error_code
get_salt_from_key (krb5_context, krb5_principal,
                   krb5_key_data *, krb5_data *);

/* Modifies the string in place.  There is no length parameter, so the bound
 * it applies (the name suggests truncation) is only visible in the definition. */
void limit_string (char *name);

/* Formats the nktypes enctypes in ktype into s, writing at most len bytes. */
void
ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);

/* Formats the enctypes used in a KDC-REP into s, writing at most len bytes. */
void
rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
120
/* do_as_req.c */
/* Handles one decoded AS-REQ.  Arguments: the request, the raw packet it
 * arrived in, the peer address; the encoded reply (KDC-REP or KRB-ERROR,
 * presumably) comes back through the krb5_data **.  Who frees that reply is
 * not visible here — confirm against dispatch()/network.c. */
krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *,
                                const krb5_fulladdr *,
                                krb5_data ** );
125
/* do_tgs_req.c */
/* Handles one TGS-REQ.  Unlike process_as_req() it takes only the raw packet
 * and the peer address, so it presumably decodes the request itself; the
 * encoded reply comes back through the krb5_data **. */
krb5_error_code process_tgs_req (krb5_data *,
                                 const krb5_fulladdr *,
                                 krb5_data ** );
/* dispatch.c */
/* Entry point for a received packet: takes the raw bytes and the peer
 * address and returns the reply to send through the krb5_data **.  It is
 * presumably what routes to process_as_req()/process_tgs_req() and consults
 * the lookaside cache (replay.c) — confirm in the definition. */
krb5_error_code dispatch (krb5_data *,
                          const krb5_fulladdr *,
                          krb5_data **);
134
/* main.c */
/* Sets up the KDC's replay cache; the char * is presumably its name/type
 * specifier.  The rcache is the ticket-level replay defence — distinct from
 * the request-bytes lookaside cache in replay.c. */
krb5_error_code kdc_initialize_rcache (krb5_context, char *);

/* Installs the realm the KDC serves (see is_local_principal()). */
krb5_error_code setup_server_realm (krb5_principal);
/* printf-style error logger: `code' is the error being reported and `fmt' is
 * a format string the trailing arguments must match.  `fmt' must be a string
 * literal — never pass caller- or client-influenced text (principal names,
 * padata contents) as fmt; route it through a "%s" conversion instead.
 * NOTE(review): a printf format attribute on this prototype (on compilers
 * that support one) would let -Wformat check every call site. */
void kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...);
140
/* network.c */
/* Socket setup, the receive/dispatch loop, and teardown.  listen_and_process()
 * presumably does not return until the KDC is asked to shut down; each returns
 * 0 on success or a krb5 error code. */
krb5_error_code listen_and_process (void);
krb5_error_code setup_network (void);
krb5_error_code closedown_network (void);
145
/* policy.c */
/* Site-local policy hooks, same convention as the validate_* functions:
 * 0 lets the request through, nonzero refuses it with the status string
 * (const char **) and error data (krb5_data *) filled in.  Note the asymmetry:
 * the TGS variant receives the presented ticket instead of a second DB entry
 * and takes no timestamp.  The krb5_db_entry parameters are by value. */
int against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
                             krb5_db_entry, krb5_timestamp,
                             const char **, krb5_data *);

int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
                              krb5_ticket *, const char **,
                              krb5_data *);
154
/* kdc_preauth.c */
/* TRUE when an enctype must be described to the client with ETYPE-INFO2
 * rather than the older ETYPE-INFO. */
krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype);

/* Returns a status string naming the preauth the client still owes, or NULL
 * (presumably) when none is required — confirm the NULL convention. */
const char * missing_required_preauth
(krb5_db_entry *client, krb5_db_entry *server,
 krb5_enc_tkt_part *enc_tkt_reply);
/* Builds the preauth hint list (the e_data of a PREAUTH_REQUIRED error) for
 * this client/server pair into e_data. */
void get_preauth_hint_list (krb5_kdc_req * request,
                            krb5_db_entry *client,
                            krb5_db_entry *server,
                            krb5_data *e_data);
/* Load/unload the preauth plugin modules. */
krb5_error_code load_preauth_plugins(krb5_context context);
krb5_error_code unload_preauth_plugins(krb5_context context);

/* Verifies the padata carried by an AS-REQ against the client entry.  The raw
 * packet req_pkt is presumably needed by mechanisms that checksum it;
 * *padata_context is per-request state shared with return_padata() and
 * released by free_padata_context().  NOTE(review): this is the gate for
 * client authentication — a 0 return must mean every required preauth was
 * actually verified, not merely present; check the definition. */
krb5_error_code check_padata
(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
 krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
 void **padata_context, krb5_data *e_data);

/* Adds the KDC's side of the preauth exchange to the reply.  client_key is
 * the stored key record and encrypting_key the key the reply is (or will be)
 * encrypted with — the two can differ once FAST replaces the reply key. */
krb5_error_code return_padata
(krb5_context context, krb5_db_entry *client,
 krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
 krb5_key_data *client_key, krb5_keyblock *encrypting_key,
 void **padata_context);

/* Releases the per-request preauth context set up by check_padata(). */
krb5_error_code free_padata_context
(krb5_context context, void **padata_context);

/* Returns the first element of pa_type in a padata list, or NULL. */
krb5_pa_data *find_pa_data
(krb5_pa_data **padata, krb5_preauthtype pa_type);

/* Appends padata to *out_padata.  With copy TRUE the element is duplicated;
 * with copy FALSE the list presumably takes ownership of `padata' — confirm
 * before freeing it at the call site. */
krb5_error_code add_pa_data_element
(krb5_context context,
 krb5_pa_data *padata,
 krb5_pa_data ***out_padata,
 krb5_boolean copy);
190
/* kdc_authdata.c */
/* Load/unload the authorization-data plugin modules. */
krb5_error_code load_authdata_plugins(krb5_context context);
krb5_error_code unload_authdata_plugins(krb5_context context);

/* Runs the authdata plugins to populate enc_tkt_reply's authorization data
 * from the request, the presented ticket (enc_tkt_request) and the three DB
 * entries/keys.  `flags' is an unsigned bit set whose values are not declared
 * in this header; for_user_princ is presumably the impersonated client in the
 * S4U case and NULL otherwise — confirm.  NOTE(review): authdata copied from
 * enc_tkt_request originates in a client-presented ticket; the plugins decide
 * what is trusted, so this call is part of the security boundary. */
krb5_error_code
handle_authdata (krb5_context context,
                 unsigned int flags,
                 krb5_db_entry *client,
                 krb5_db_entry *server,
                 krb5_db_entry *krbtgt,
                 krb5_keyblock *client_key,
                 krb5_keyblock *server_key,
                 krb5_keyblock *krbtgt_key,
                 krb5_data *req_pkt,
                 krb5_kdc_req *request,
                 krb5_const_principal for_user_princ,
                 krb5_enc_tkt_part *enc_tkt_request,
                 krb5_enc_tkt_part *enc_tkt_reply);
209
/* replay.c */
/* Lookaside cache of recent request packets and the replies sent for them.
 * kdc_check_lookaside() presumably returns TRUE and hands back the cached
 * reply when the same packet bytes were seen recently; kdc_insert_lookaside()
 * records a packet/reply pair; kdc_free_lookaside() drops the cache.
 * NOTE(review): this is a retransmit cache keyed on request bytes, not
 * replay protection for ticket contents — that is the rcache set up in
 * main.c.  Ownership of the reply returned by the check is not visible here;
 * confirm before freeing it at the call site. */
krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
void kdc_insert_lookaside (krb5_data *, krb5_data *);
void kdc_free_lookaside(krb5_context);
214
/* kdc_util.c */
/* DB lookups for a principal.  The caller supplies the entries array and
 * passes its capacity in *nentries; on return *nentries presumably holds the
 * number of entries filled in and *more whether further matches exist —
 * confirm against the KDB interface.  The _locked variant is for callers that
 * already hold the DB lock; get_principal() presumably takes it itself. */
krb5_error_code
get_principal_locked (krb5_context kcontext,
                      krb5_const_principal search_for,
                      krb5_db_entry *entries, int *nentries,
                      krb5_boolean *more);
krb5_error_code
get_principal (krb5_context kcontext,
               krb5_const_principal search_for,
               krb5_db_entry *entries, int *nentries, krb5_boolean *more);
225
/* TRUE when a PAC should be included in the reply to this request. */
krb5_boolean
include_pac_p(krb5_context context, krb5_kdc_req *request);

/* Adds server-referral data for `server' to the reply's encrypted part. */
krb5_error_code return_svr_referral_data
(krb5_context context,
 krb5_db_entry *server,
 krb5_enc_kdc_rep_part *reply_encpart);

/* Signs authorization data pulled from the DB for the client/server pair,
 * returning the signed list through ret_authdata.  tgs_authdata is presumably
 * the authdata carried by the TGS request and session_key the new ticket's
 * session key; `flags' uses the same undeclared bit set as handle_authdata().
 * Who owns *ret_authdata is not stated — confirm. */
krb5_error_code sign_db_authdata
(krb5_context context,
 unsigned int flags,
 krb5_const_principal client_princ,
 krb5_db_entry *client,
 krb5_db_entry *server,
 krb5_db_entry *krbtgt,
 krb5_keyblock *client_key,
 krb5_keyblock *server_key,
 krb5_keyblock *krbtgt_key,
 krb5_timestamp authtime,
 krb5_authdata **tgs_authdata,
 krb5_keyblock *session_key,
 krb5_authdata ***ret_authdata);
248
/* Constrained-delegation (S4U) processing.  These decide whether `server'
 * may obtain a ticket on behalf of another user, so both "process" functions
 * are authorization checks: a nonzero return (with *status set) must refuse
 * the request. */

/* Parses and checks the PA-S4U-X509-USER / PA-FOR-USER padata of a TGS
 * request.  On success *s4u2self_req holds the decoded padata and princ (with
 * *nprincs entries) the DB entry of the user being impersonated; tgs_subkey /
 * tgs_session are the keys that verify the padata checksum — confirm which
 * one is tried first in the definition.  NOTE(review): the impersonated
 * principal name arrives in client-supplied padata; nothing in this header
 * shows where the "is `server' allowed to impersonate" policy is applied. */
krb5_error_code kdc_process_s4u2self_req
(krb5_context context,
 krb5_kdc_req *request,
 krb5_const_principal client_princ,
 const krb5_db_entry *server,
 krb5_keyblock *tgs_subkey,
 krb5_keyblock *tgs_session,
 krb5_timestamp kdc_time,
 krb5_pa_s4u_x509_user **s4u2self_req,
 krb5_db_entry *princ,
 int *nprincs,
 const char **status);

/* Adds the KDC's S4U2Self response padata to reply/reply_encpart, keyed
 * with tgs_subkey or tgs_session (same pair as the request side). */
krb5_error_code kdc_make_s4u2self_rep
(krb5_context context,
 krb5_keyblock *tgs_subkey,
 krb5_keyblock *tgs_session,
 krb5_pa_s4u_x509_user *req_s4u_user,
 krb5_kdc_rep *reply,
 krb5_enc_kdc_rep_part *reply_encpart);

/* Checks an S4U2Proxy request: t2enc is the decrypted evidence ticket the
 * client presented (the second ticket), server the delegating service and
 * proxy_princ the target.  Returns nonzero with *status set when the
 * delegation is not permitted. */
krb5_error_code kdc_process_s4u2proxy_req
(krb5_context context,
 krb5_kdc_req *request,
 const krb5_enc_tkt_part *t2enc,
 const krb5_db_entry *server,
 krb5_const_principal server_princ,
 krb5_const_principal proxy_princ,
 const char **status);
278
/* Applies the transited-realm policy to an encoded transited list `trans'
 * for a path from realm1 to realm2; nonzero means the cross-realm path is not
 * acceptable.  This is the check that the add_to_transited() result (and the
 * transited field of a presented TGT) must pass — see the note there. */
krb5_error_code kdc_check_transited_list
(krb5_context context,
 const krb5_data *trans,
 const krb5_data *realm1,
 const krb5_data *realm2);

/* Audit hooks for a completed AS / TGS exchange; errcode is the outcome being
 * recorded (0 on success).  Their own return value is an error from the
 * audit path itself.  The TGS variant takes the client as a principal rather
 * than a DB entry. */
krb5_error_code audit_as_request
(krb5_kdc_req *request,
 krb5_db_entry *client,
 krb5_db_entry *server,
 krb5_timestamp authtime,
 krb5_error_code errcode);

krb5_error_code audit_tgs_request
(krb5_kdc_req *request,
 krb5_const_principal client,
 krb5_db_entry *server,
 krb5_timestamp authtime,
 krb5_error_code errcode);

/* Validates the cross-realm transit path for client -> server via the given
 * krbtgt entry; how it relates to kdc_check_transited_list() (which works on
 * the encoded list rather than DB entries) is only visible in the definition. */
krb5_error_code
validate_transit_path(krb5_context context,
                      krb5_const_principal client,
                      krb5_db_entry *server,
                      krb5_db_entry *krbtgt);
/* Computes the end time of a new ticket into *out_endtime from the current
 * time, the presented ticket's endtime, the requested `till', and the client
 * and server entries (presumably their max-life attributes — confirm). */
void
kdc_get_ticket_endtime(krb5_context context,
                       krb5_timestamp now,
                       krb5_timestamp endtime,
                       krb5_timestamp till,
                       krb5_db_entry *client,
                       krb5_db_entry *server,
                       krb5_timestamp *out_endtime);
312
/* Request logging.  cname/sname are pre-formatted principal strings; status
 * is the validator/policy status string and errcode/emsg the outcome.
 * NOTE(review): these take already-formatted strings, so the caller is where
 * client-supplied names get sanitised (see limit_string()) — none of these
 * prototypes suggests they do it themselves. */
void
log_as_req(const krb5_fulladdr *from,
           krb5_kdc_req *request, krb5_kdc_rep *reply,
           krb5_db_entry *client, const char *cname,
           krb5_db_entry *server, const char *sname,
           krb5_timestamp authtime,
           const char *status, krb5_error_code errcode, const char *emsg);
/* TGS variant: altcname and s4u_name are the alternate/impersonated client
 * names (presumably NULL when not applicable); c_flags is an unsigned bit set
 * not declared in this header. */
void
log_tgs_req(const krb5_fulladdr *from,
            krb5_kdc_req *request, krb5_kdc_rep *reply,
            const char *cname, const char *sname, const char *altcname,
            krb5_timestamp authtime,
            unsigned int c_flags, const char *s4u_name,
            const char *status, krb5_error_code errcode, const char *emsg);
/* Logs the alternate TGT principal used for a TGS request. */
void log_tgs_alt_tgt(krb5_principal p);
328
329 /*Request state*/
330
/* Per-request state threaded through the AS/TGS paths.  Holds the FAST armor
 * and strengthen keys, the preauth cookie and two flag words.  The enum
 * krb5_fast_kdc_flags below is presumably what goes into
 * fast_internal_flags; what fast_options carries is not visible here. */
struct kdc_request_state {
    krb5_keyblock *armor_key;
    krb5_keyblock *strengthen_key;
    krb5_pa_data *cookie;
    krb5_int32 fast_options;
    krb5_int32 fast_internal_flags;
};

/* Allocates a request state into *out; kdc_free_rstate() releases it and
 * whatever it holds.  NOTE(review): both keyblocks are key material —
 * confirm the free path clears the key bytes rather than only freeing. */
krb5_error_code kdc_make_rstate(struct kdc_request_state **out);
void kdc_free_rstate
(struct kdc_request_state *s);
342
343 /* FAST*/
/* Bit flags describing what happened to the reply key during FAST handling.
 * Distinct bits, so they can be OR'ed into one krb5_int32 flag word; the
 * code that sets them lives in the FAST routines, not in this header. */
enum krb5_fast_kdc_flags {
    KRB5_FAST_REPLY_KEY_USED     = 1 << 0,
    KRB5_FAST_REPLY_KEY_REPLACED = 1 << 1
};
348
/* Unwraps a FAST-armored request.  On success *requestptr presumably points
 * at the inner request (what happens to the outer one — freed or left for
 * the caller — is not visible here; confirm before the caller frees it).
 * tgs_subkey/tgs_session are the TGS-side armor candidates; checksummed_data
 * is the bytes the FAST checksum covers.  Fills in state->armor_key etc. */
krb5_error_code  kdc_find_fast
(krb5_kdc_req **requestptr,  krb5_data *checksummed_data,
 krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session,
 struct kdc_request_state *state);

/* Wraps the reply's padata in a FAST response when the request was armored;
 * enctype is presumably the reply enctype — confirm. */
krb5_error_code kdc_fast_response_handle_padata
(struct kdc_request_state *state,
 krb5_kdc_req *request,
 krb5_kdc_rep *rep,
 krb5_enctype enctype);
/* FAST-wraps an error reply (`err') for an armored request; in_padata is the
 * padata the error would otherwise carry. */
krb5_error_code kdc_fast_handle_error
(krb5_context context, struct kdc_request_state *state,
 krb5_kdc_req *request,
 krb5_pa_data  **in_padata, krb5_error *err);

/* Produces the key the reply is encrypted with: existing_key combined with
 * state->strengthen_key when FAST is in use (presumably recording
 * KRB5_FAST_REPLY_KEY_* in state->fast_internal_flags), else existing_key.
 * Whether *out_key aliases existing_key or is a fresh allocation is not
 * visible here — confirm before freeing. */
krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
                                          krb5_keyblock *existing_key,
                                          krb5_keyblock **out_key);


/* Returns the preauth cookie stored in the request state through *cookie. */
krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
                                       krb5_pa_data **cookie);
371
372
373
374
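/* Bit-flag helpers on an integer flag word.  `flagfield' must be an lvalue
 * for setflag() and clear(); all three evaluate each argument exactly once.
 * Both arguments are parenthesized so an expression argument such as
 * isflagset(a | b, F) groups as ((a | b) & F) rather than (a | (b & F)),
 * which the unparenthesized form would silently produce.
 * Beware that clear() is a very generic macro name: any other `clear'
 * identifier in a file that includes this header is rewritten by the
 * preprocessor. */
#define isflagset(flagfield, flag) ((flagfield) & (flag))
#define setflag(flagfield, flag) ((flagfield) |= (flag))
#define clear(flagfield, flag) ((flagfield) &= ~(flag))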
378
#ifndef min
/* Smaller / larger of two values.  Plain expression macros: each operand
 * appears twice in the expansion, so never pass an expression with side
 * effects (min(i++, n) increments twice).  Only defined when no other header
 * already provides a `min'. */
#define min(a, b)       ((b) > (a) ? (a) : (b))
#define max(a, b)       ((b) < (a) ? (a) : (b))
#endif
383
/* Map a krb5 ADDRTYPE_* constant to the matching socket address family, or
 * -1 for an address type this build does not serve.  IPv6 is only recognised
 * when KRB5_USE_INET6 is defined.  X may be evaluated more than once. */
#ifdef KRB5_USE_INET6
#define ADDRTYPE2FAMILY(X)                                              \
    (((X) == ADDRTYPE_INET6) ? AF_INET6                                 \
     : ((X) == ADDRTYPE_INET) ? AF_INET                                 \
     : -1)
#else
#define ADDRTYPE2FAMILY(X)                                              \
    (((X) == ADDRTYPE_INET) ? AF_INET : -1)
#endif
391
/* RFC 4120 names the error for a rejected weak key KDC_ERR_KEY_TOO_WEAK;
 * RFC 4556 (PKINIT) names the DH-parameter rejection
 * KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED.  This header aliases the first
 * name to the second, so a "key too weak" condition is reported with
 * whatever numeric code the krb5 error table assigns to the PKINIT name.
 * NOTE(review): the two RFCs appear to list these as distinct codes —
 * confirm against krb5_err.et which value the KDC is meant to put on the
 * wire, and that no caller needs to tell the two conditions apart. */
#define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
395
396 #endif /* __KRB5_KDC_UTIL__ */