/*
- * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007 by the Massachusetts Institute of Technology,
+ * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology,
* Cambridge, MA, USA. All Rights Reserved.
- *
- * This software is being provided to you, the LICENSEE, by the
- * Massachusetts Institute of Technology (M.I.T.) under the following
- * license. By obtaining, using and/or copying this software, you agree
- * that you have read, understood, and will comply with these terms and
- * conditions:
- *
+ *
+ * This software is being provided to you, the LICENSEE, by the
+ * Massachusetts Institute of Technology (M.I.T.) under the following
+ * license. By obtaining, using and/or copying this software, you agree
+ * that you have read, understood, and will comply with these terms and
+ * conditions:
+ *
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
- * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
- * this software and its documentation for any purpose and without fee or
- * royalty is hereby granted, provided that you agree to comply with the
- * following copyright notice and statements, including the disclaimer, and
- * that the same appear on ALL copies of the software and documentation,
- * including modifications that you make for internal use or for
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
+ * this software and its documentation for any purpose and without fee or
+ * royalty is hereby granted, provided that you agree to comply with the
+ * following copyright notice and statements, including the disclaimer, and
+ * that the same appear on ALL copies of the software and documentation,
+ * including modifications that you make for internal use or for
* distribution:
- *
- * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
- * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
- * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
- * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
- * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
- * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
- *
- * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
- * be used in advertising or publicity pertaining to distribution of the
- * software. Title to copyright in this software and any associated
- * documentation shall at all times remain with M.I.T., and USER agrees to
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
+ * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
+ * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
+ * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
+ * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
+ *
+ * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
+ * be used in advertising or publicity pertaining to distribution of the
+ * software. Title to copyright in this software and any associated
+ * documentation shall at all times remain with M.I.T., and USER agrees to
* preserve same.
*
* Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
- * fashion that it might be confused with the original M.I.T. software.
+ * fashion that it might be confused with the original M.I.T. software.
*/
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#include "osconf.h"
+#if defined(__MACH__) && defined(__APPLE__)
+# include <TargetConditionals.h>
+# if TARGET_RT_MAC_CFM
+# error "Use KfM 4.0 SDK headers for CFM compilation."
+# endif
+#endif
+
/*
* Begin "k5-config.h"
*/
#ifndef KRB5_CONFIG__
#define KRB5_CONFIG__
-/*
+/*
* Machine-type definitions: PC Clone 386 running Microloss Windows
*/
#define ANSI_STDIO
#endif
-#ifndef KRB5_AUTOCONF__
-#define KRB5_AUTOCONF__
#include "autoconf.h"
-#endif
#ifndef KRB5_SYSTYPES__
#define KRB5_SYSTYPES__
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
#define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
-/*
+/*
* Windows requires a different api interface to each function. Here
* just define it as NULL.
*/
/* Get error info support. */
#include "k5-err.h"
-/* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
- The ones that it doesn't include, we include below. */
-
-/*
- * Begin "k5-errors.h"
- */
-#ifndef KRB5_ERRORS__
-#define KRB5_ERRORS__
-
+/* Get string buffer support. */
+#include "k5-buf.h"
+
+/* cofiguration variables */
+#define KRB5_CONF_ACL_FILE "acl_file"
+#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
+#define KRB5_CONF_ADMIN_SERVER "admin_server"
+#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
+#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
+#define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
+#define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
+#define KRB5_CONF_CANONICALIZE "canonicalize"
+#define KRB5_CONF_CCACHE_TYPE "ccache_type"
+#define KRB5_CONF_CLOCKSKEW "clockskew"
+#define KRB5_CONF_DATABASE_NAME "database_name"
+#define KRB5_CONF_DB_MODULE_DIR "db_module_dir"
+#define KRB5_CONF_DB_MODULES "db_modules"
+#define KRB5_CONF_DOMAIN_REALM "domain_realm"
+#define KRB5_CONF_DEFAULT_REALM "default_realm"
+#define KRB5_CONF_DEFAULT_DOMAIN "default_domain"
+#define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
+#define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes"
+#define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name"
+#define KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION "default_principal_expiration"
+#define KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS "default_principal_flags"
+#define KRB5_CONF_DICT_FILE "dict_file"
+#define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
+#define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
+#define KRB5_CONF_DNS_FALLBACK "dns_fallback"
+#define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
+#define KRB5_CONF_FORWARDABLE "forwardable"
+#define KRB5_CONF_HOST_BASED_SERVICES "host_based_services"
+#define KRB5_CONF_IPROP_ENABLE "iprop_enable"
+#define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
+#define KRB5_CONF_IPROP_PORT "iprop_port"
+#define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll"
+#define KRB5_CONF_IPROP_LOGFILE "iprop_logfile"
+#define KRB5_CONF_KADMIND_PORT "kadmind_port"
+#define KRB5_CONF_KRB524_SERVER "krb524_server"
+#define KRB5_CONF_KDC "kdc"
+#define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
+#define KRB5_CONF_KDC_PORTS "kdc_ports"
+#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
+#define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
+#define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
+#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
+#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
+#define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
+#define KRB5_CONF_KPASSWD_PORT "kpasswd_port"
+#define KRB5_CONF_KPASSWD_SERVER "kpasswd_server"
+#define KRB5_CONF_LIBDEFAULTS "libdefaults"
+#define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn"
+#define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn"
+#define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file"
+#define KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE "ldap_root_certificate_file"
+#define KRB5_CONF_LDAP_SERVERS "ldap_servers"
+#define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server"
+#define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral"
+#define KRB5_CONF_MASTER_KEY_NAME "master_key_name"
+#define KRB5_CONF_MASTER_KEY_TYPE "master_key_type"
+#define KRB5_CONF_MASTER_KDC "master_kdc"
+#define KRB5_CONF_MAX_LIFE "max_life"
+#define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
+#define KRB5_CONF_NOADDRESSES "noaddresses"
+#define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
+#define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
+#define KRB5_CONF_PROXIABLE "proxiable"
+#define KRB5_CONF_RDNS "rdns"
+#define KRB5_CONF_REALMS "realms"
+#define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
+#define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
+#define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
+#define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
+#define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
+#define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
+#define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
+#define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
+#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
+#define KRB5_CONF_V4_REALM "v4_realm"
+#define KRB5_CONF_ASTERISK "*"
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
/* required */
#define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
/* ticket don't match*/
+#define KDC_ERR_MUST_USE_USER2USER 27 /* Server principal valid for */
+ /* user2user only */
+#define KDC_ERR_PATH_NOT_ACCEPTED 28 /* KDC policy rejected transited */
+ /* path */
#define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
* available that is
* required to process the
/* PKINIT server-reported errors */
#define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
+#define KDC_ERR_KDC_NOT_TRUSTED 63
#define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
#define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
+#define KDC_ERR_CERTIFICATE_MISMATCH 66
+#define KRB_AP_ERR_NO_TGT 67
+#define KDC_ERR_WRONG_REALM 68
+#define KRB_AP_ERR_USER_TO_USER_REQUIRED 69
#define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */
/* trusted root cert */
#define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
#define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
#define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
+#define KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
#define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
/* principal name */
#define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
#define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
#define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
-#endif /* KRB5_ERRORS__ */
-/*
- * End "k5-errors.h"
- */
-
/*
* This structure is returned in the e-data field of the KRB-ERROR
* message when the error calling for an alternative form of
krb5_data s2kparams;
} krb5_etype_info_entry;
-/*
+/*
* This is essentially -1 without sign extension which can screw up
* comparisons on 64 bit machines. If the length is this value, then
* the salt data is not present. This is to distinguish between not
- * being set and being of 0 length.
+ * being set and being of 0 length.
*/
#define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
typedef krb5_etype_info_entry ** krb5_etype_info;
+/* RFC 4537 */
+typedef struct _krb5_etype_list {
+ int length;
+ krb5_enctype *etypes;
+} krb5_etype_list;
+
/*
- * a sam_challenge is returned for alternate preauth
+ * a sam_challenge is returned for alternate preauth
*/
/*
SAMFlags ::= BIT STRING {
#include "k5-int-pkinit.h"
-/*
- * Begin "ext-proto.h"
- */
-#ifndef KRB5_EXT_PROTO__
-#define KRB5_EXT_PROTO__
-
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#endif
-#endif /* KRB5_EXT_PROTO__ */
-/*
- * End "ext-proto.h"
- */
-
-/*
- * Begin "sysincl.h"
- */
-#ifndef KRB5_SYSINCL__
-#define KRB5_SYSINCL__
-
-#ifndef KRB5_SYSTYPES__
-#define KRB5_SYSTYPES__
-/* needed for much of the rest -- but already handled in krb5.h? */
-/* #include <sys/types.h> */
-#endif /* KRB5_SYSTYPES__ */
-
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#ifdef TIME_WITH_SYS_TIME
#include <fcntl.h>
#endif
-#endif /* KRB5_SYSINCL__ */
-/*
- * End "sysincl.h"
- */
-
-/*
- * Begin "los-proto.h"
- */
-#ifndef KRB5_LIBOS_PROTO__
-#define KRB5_LIBOS_PROTO__
-
#include <stdio.h>
+#include "k5-gmt_mktime.h"
+
struct addrlist;
struct sendto_callback_info;
void krb5_os_free_context (krb5_context);
-/* This function is needed by KfM's KerberosPreferences API
+/* This function is needed by KfM's KerberosPreferences API
* because it needs to be able to specify "secure" */
-krb5_error_code os_get_default_config_files
+krb5_error_code os_get_default_config_files
(profile_filespec_t **pfiles, krb5_boolean secure);
krb5_error_code krb5_os_hostaddr
(krb5_context, const char *, krb5_address ***);
+krb5_error_code krb5int_get_domain_realm_mapping
+ (krb5_context , const char *, char ***);
+
/* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
going to use this structure. */
struct addrlist {
void (*freefn)(void *);
void *data;
} *addrs;
- int naddrs;
- int space;
+ size_t naddrs;
+ size_t space;
};
#define ADDRLIST_INIT { 0, 0, 0 }
extern void krb5int_free_addrlist (struct addrlist *);
struct addrlist *, enum locate_service_type svc,
int sockettype, int family);
-#endif /* KRB5_LIBOS_PROTO__ */
+struct derived_key {
+ krb5_data constant;
+ krb5_key dkey;
+ struct derived_key *next;
+};
+
+/* Internal structure of an opaque key identifier */
+struct krb5_key_st {
+ krb5_keyblock keyblock;
+ int refcount;
+ struct derived_key *derived;
+};
/* new encryption provider api */
struct krb5_enc_provider {
- /* keybytes is the input size to make_key;
+ /* keybytes is the input size to make_key;
keylength is the output size */
size_t block_size, keybytes, keylength;
/* cipher-state == 0 fresh state thrown away at end */
- krb5_error_code (*encrypt) (const krb5_keyblock *key,
+ krb5_error_code (*encrypt) (krb5_key key,
const krb5_data *cipher_state,
const krb5_data *input,
krb5_data *output);
- krb5_error_code (*decrypt) (const krb5_keyblock *key,
+ krb5_error_code (*decrypt) (krb5_key key,
const krb5_data *ivec,
const krb5_data *input,
krb5_data *output);
krb5_error_code (*init_state) (const krb5_keyblock *key,
krb5_keyusage keyusage, krb5_data *out_state);
krb5_error_code (*free_state) (krb5_data *state);
-
+
+ /* In-place encryption/decryption of multiple buffers */
+ krb5_error_code (*encrypt_iov) (krb5_key key,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data);
+
+
+ krb5_error_code (*decrypt_iov) (krb5_key key,
+ const krb5_data *cipher_state,
+ krb5_crypto_iov *data,
+ size_t num_data);
+
};
struct krb5_hash_provider {
+ char hash_name[8];
size_t hashsize, blocksize;
/* this takes multiple inputs to avoid lots of copying. */
struct krb5_keyhash_provider {
size_t hashsize;
- krb5_error_code (*hash) (const krb5_keyblock *key,
+ krb5_error_code (*hash) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_data *input,
krb5_data *output);
- krb5_error_code (*verify) (const krb5_keyblock *key,
+ krb5_error_code (*verify) (krb5_key key,
krb5_keyusage keyusage,
const krb5_data *ivec,
const krb5_data *input,
const krb5_data *hash,
krb5_boolean *valid);
-};
-typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- size_t inputlen, size_t *length);
-
-typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key, krb5_keyusage keyusage,
- const krb5_data *ivec,
- const krb5_data *input, krb5_data *output);
-
-typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string,
- const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key);
-
-typedef krb5_error_code (*krb5_prf_func)(
- const struct krb5_enc_provider *enc,
- const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- const krb5_data *in, krb5_data *out);
-
-struct krb5_keytypes {
- krb5_enctype etype;
- char *in_string;
- char *out_string;
- const struct krb5_enc_provider *enc;
- const struct krb5_hash_provider *hash;
- size_t prf_length;
- krb5_encrypt_length_func encrypt_len;
- krb5_crypt_func encrypt;
- krb5_crypt_func decrypt;
- krb5_str2key_func str2key;
- krb5_prf_func prf;
- krb5_cksumtype required_ctype;
+ krb5_error_code (*hash_iov) (krb5_key key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ krb5_data *output);
+
+ krb5_error_code (*verify_iov) (krb5_key key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ const krb5_crypto_iov *data,
+ size_t num_data,
+ const krb5_data *hash,
+ krb5_boolean *valid);
};
-struct krb5_cksumtypes {
- krb5_cksumtype ctype;
- unsigned int flags;
- char *in_string;
- char *out_string;
- /* if the hash is keyed, this is the etype it is keyed with.
- Actually, it can be keyed by any etype which has the same
- enc_provider as the specified etype. DERIVE checksums can
- be keyed with any valid etype. */
- krb5_enctype keyed_etype;
- /* I can't statically initialize a union, so I'm just going to use
- two pointers here. The keyhash is used if non-NULL. If NULL,
- then HMAC/hash with derived keys is used if the relevant flag
- is set. Otherwise, a non-keyed hash is computed. This is all
- kind of messy, but so is the krb5 api. */
- const struct krb5_keyhash_provider *keyhash;
- const struct krb5_hash_provider *hash;
- /* This just gets uglier and uglier. In the key derivation case,
- we produce an hmac. To make the hmac code work, we can't hack
- the output size indicated by the hash provider, but we may want
- a truncated hmac. If we want truncation, this is the number of
- bytes we truncate to; it should be 0 otherwise. */
- unsigned int trunc_size;
+struct krb5_aead_provider {
+ krb5_error_code (*crypto_length) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_cryptotype type,
+ unsigned int *length);
+ krb5_error_code (*encrypt_iov) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_key key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data);
+ krb5_error_code (*decrypt_iov) (const struct krb5_aead_provider *aead,
+ const struct krb5_enc_provider *enc,
+ const struct krb5_hash_provider *hash,
+ krb5_key key,
+ krb5_keyusage keyusage,
+ const krb5_data *ivec,
+ krb5_crypto_iov *data,
+ size_t num_data);
};
-#define KRB5_CKSUMFLAG_DERIVE 0x0001
-#define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002
-
/*
* in here to deal with stuff from lib/crypto
*/
-void krb5_nfold
+void krb5int_nfold
(unsigned int inbits, const unsigned char *in,
unsigned int outbits, unsigned char *out);
-krb5_error_code krb5_hmac
+krb5_error_code krb5int_hmac
+(const struct krb5_hash_provider *hash,
+ krb5_key key, unsigned int icount,
+ const krb5_data *input, krb5_data *output);
+
+krb5_error_code krb5int_hmac_iov
+(const struct krb5_hash_provider *hash,
+ krb5_key key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
+krb5_error_code krb5int_hmac_keyblock
(const struct krb5_hash_provider *hash,
const krb5_keyblock *key, unsigned int icount,
const krb5_data *input, krb5_data *output);
+krb5_error_code krb5int_hmac_iov_keyblock
+(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ const krb5_crypto_iov *data, size_t num_data,
+ krb5_data *output);
+
krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
const krb5_data *,
const krb5_data *);
#endif /* WIN32 */
#define zap(p,l) krb5int_zap_data(p,l)
+/* Convenience function: zap and free ptr if it is non-NULL. */
+static inline void
+zapfree(void *ptr, size_t len)
+{
+ if (ptr != NULL) {
+ zap(ptr, len);
+ free(ptr);
+ }
+}
+
/* A definition of init_state for DES based encryption systems.
* sets up an 8-byte IV of all zeros
*/
krb5_error_code krb5int_des_init_state
(const krb5_keyblock *key, krb5_keyusage keyusage, krb5_data *new_state);
-/*
+/*
* normally to free a cipher_state you can just memset the length to zero and
* free it.
*/
(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
krb5_keyblock *outkey);
+
void krb5int_c_free_keyblock
(krb5_context, krb5_keyblock *key);
void krb5int_c_free_keyblock_contents
(krb5_context, krb5_keyblock *);
-krb5_error_code krb5int_c_init_keyblock
+krb5_error_code krb5int_c_init_keyblock
(krb5_context, krb5_enctype enctype,
- size_t length, krb5_keyblock **out);
+ size_t length, krb5_keyblock **out);
+krb5_error_code krb5int_c_copy_keyblock
+(krb5_context context, const krb5_keyblock *from, krb5_keyblock **to);
+krb5_error_code krb5int_c_copy_keyblock_contents
+(krb5_context context, const krb5_keyblock *from, krb5_keyblock *to);
/*
* Internal - for cleanup.
extern void krb5int_prng_cleanup (void);
-/*
+/*
* These declarations are here, so both krb5 and k5crypto
* can get to them.
* krb5 needs to get to them so it can make them available to libgssapi.
(krb5_int32 *,
krb5_int32 *);
-time_t krb5int_gmt_mktime (struct tm *);
-
#endif /* KRB5_OLD_CRYPTO */
/* this helper fct is in libkrb5, but it makes sense declared here. */
krb5_keyusage keyusage, const krb5_data *plain,
krb5_enc_data *cipher);
-/*
- * End "los-proto.h"
- */
+krb5_error_code krb5_encrypt_keyhelper
+(krb5_context context, krb5_key key,
+ krb5_keyusage keyusage, const krb5_data *plain,
+ krb5_enc_data *cipher);
/*
- * Begin "libos.h"
+ * End "los-proto.h"
*/
-#ifndef KRB5_LIBOS__
-#define KRB5_LIBOS__
typedef struct _krb5_os_context {
krb5_magic magic;
#define KRB5_LOCKMODE_DONTBLOCK 0x0004
#define KRB5_LOCKMODE_UNLOCK 0x0008
-#endif /* KRB5_LIBOS__ */
-/*
- * End "libos.h"
- */
-
/*
* Define our view of the size of a DES key.
*/
#define KRB5_MIT_DES_KEYSIZE 8
+#define KRB5_MIT_DES3_KEYSIZE 24
+#define KRB5_MIT_DES3_KEY_BYTES 21
+
/*
* Check if des_int.h has been included before us. If so, then check to see
* that our view of the DES key size is the same as des_int.h's.
* (Originally written by Glen Machin at Sandia Labs.)
*/
/*
- * Sandia National Laboratories also makes no representations about the
- * suitability of the modifications, or additions to this software for
+ * Sandia National Laboratories also makes no representations about the
+ * suitability of the modifications, or additions to this software for
* any purpose. It is provided "as is" without express or implied warranty.
- *
+ *
*/
#ifndef KRB5_PREAUTH__
#define KRB5_PREAUTH__
* requested information. It is opaque to the plugin code and can be
* expanded in the future as new types of requests are defined which
* may require other things to be passed through. */
+ struct krb5int_fast_request_state;
typedef struct _krb5_preauth_client_rock {
krb5_magic magic;
- krb5_kdc_rep *as_reply;
+ krb5_enctype *etype;
+ struct krb5int_fast_request_state *fast_state;
} krb5_preauth_client_rock;
/* This structure lets us keep track of all of the modules which are loaded,
preauth_client_plugin_fini_proc client_fini;
/* The module's table, and some of its members, copied here for
* convenience when we populated the list. */
- struct krb5plugin_preauth_client_ftable_v0 *ftable;
+ struct krb5plugin_preauth_client_ftable_v1 *ftable;
const char *name;
int flags, use_count;
preauth_client_process_proc client_process;
krb5_int32 pausec;
} krb5_pa_enc_ts;
+typedef struct _krb5_pa_for_user {
+ krb5_principal user;
+ krb5_checksum cksum;
+ krb5_data auth_package;
+} krb5_pa_for_user;
+
+typedef struct _krb5_s4u_userid {
+ krb5_int32 nonce;
+ krb5_principal user;
+ krb5_data subject_cert;
+ krb5_flags options;
+} krb5_s4u_userid;
+
+#define KRB5_S4U_OPTS_CHECK_LOGON_HOURS 0x40000000 /* check logon hour restrictions */
+#define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE 0x20000000 /* sign with usage 27 instead of 26 */
+
+typedef struct _krb5_pa_s4u_x509_user {
+ krb5_s4u_userid user_id;
+ krb5_checksum cksum;
+} krb5_pa_s4u_x509_user;
+
+enum {
+ KRB5_FAST_ARMOR_AP_REQUEST = 0x1
+};
+
+typedef struct _krb5_fast_armor {
+ krb5_int32 armor_type;
+ krb5_data armor_value;
+} krb5_fast_armor;
+typedef struct _krb5_fast_armored_req {
+ krb5_magic magic;
+ krb5_fast_armor *armor;
+ krb5_checksum req_checksum;
+ krb5_enc_data enc_part;
+} krb5_fast_armored_req;
+
+typedef struct _krb5_fast_req {
+ krb5_magic magic;
+ krb5_flags fast_options;
+ /* padata from req_body is used*/
+ krb5_kdc_req *req_body;
+} krb5_fast_req;
+
+/* Bits 0-15 are critical in fast options.*/
+#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
+#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
+
+typedef struct _krb5_fast_finished {
+ krb5_timestamp timestamp;
+ krb5_int32 usec;
+ krb5_principal client;
+ krb5_checksum ticket_checksum;
+} krb5_fast_finished;
+
+typedef struct _krb5_fast_response {
+ krb5_magic magic;
+ krb5_pa_data **padata;
+ krb5_keyblock *strengthen_key;
+ krb5_fast_finished *finished;
+ krb5_int32 nonce;
+} krb5_fast_response;
+
+typedef struct _krb5_ad_kdcissued {
+ krb5_checksum ad_checksum;
+ krb5_principal i_principal;
+ krb5_authdata **elements;
+} krb5_ad_kdcissued;
+
typedef krb5_error_code (*krb5_preauth_obtain_proc)
(krb5_context,
krb5_pa_data *,
krb5_etype_info,
- krb5_keyblock *,
+ krb5_keyblock *,
krb5_error_code ( * )(krb5_context,
const krb5_enctype,
krb5_data *,
krb5_const_pointer,
krb5_kdc_rep * ),
krb5_keyblock **,
- krb5_creds *,
+ krb5_creds *,
krb5_int32 *,
krb5_int32 *);
krb5_data *,
krb5_const_pointer,
krb5_keyblock **),
- krb5_const_pointer,
+ krb5_const_pointer,
krb5_creds *,
krb5_kdc_req *);
const krb5_keyblock *,
krb5_const_pointer,
krb5_kdc_rep * ),
- krb5_keyblock **,
- krb5_creds *,
- krb5_int32 *);
+ krb5_keyblock **,
+ krb5_creds *,
+ krb5_int32 *);
+
+krb5_pa_data * krb5int_find_pa_data
+(krb5_context, krb5_pa_data * const *, krb5_preauthtype);
+/* Does not return a copy; original padata sequence responsible for freeing*/
void krb5_free_etype_info
(krb5_context, krb5_etype_info);
* with the new krb5_get_init_creds_opt_alloc() function.
* KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
* structure is a shadow copy of an original krb5_get_init_creds_opt
- * structure.
+ * structure.
* If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
* krb5int_gic_opt_to_opte(), the resulting extended structure should be
* freed (using krb5_get_init_creds_free). Otherwise, the original
typedef struct _krb5_gic_opt_private {
int num_preauth_data;
krb5_gic_opt_pa_data *preauth_data;
+ char * fast_ccache_name;
} krb5_gic_opt_private;
+/*
+ * On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
+ * of krb5_get_init_creds_opt.
+ */
+#if TARGET_OS_MAC
+# pragma pack(push,2)
+#endif
+
typedef struct _krb5_gic_opt_ext {
krb5_flags flags;
krb5_deltat tkt_life;
krb5_gic_opt_private *opt_private;
} krb5_gic_opt_ext;
+#if TARGET_OS_MAC
+# pragma pack(pop)
+#endif
+
krb5_error_code
krb5int_gic_opt_to_opte(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_error_code
krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
+krb5_error_code
+krb5int_copy_data_contents_add0 (krb5_context, const krb5_data *, krb5_data *);
+
krb5_error_code
krb5int_copy_creds_contents (krb5_context, const krb5_creds *, krb5_creds *);
(krb5_context, krb5_enc_sam_response_enc * );
void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
(krb5_context, krb5_enc_sam_response_enc_2 * );
-
+
void KRB5_CALLCONV krb5_free_pa_enc_ts
(krb5_context, krb5_pa_enc_ts *);
+void KRB5_CALLCONV krb5_free_pa_for_user
+ (krb5_context, krb5_pa_for_user * );
+void KRB5_CALLCONV krb5_free_s4u_userid_contents
+ (krb5_context, krb5_s4u_userid * );
+void KRB5_CALLCONV krb5_free_pa_s4u_x509_user
+ (krb5_context, krb5_pa_s4u_x509_user * );
+void KRB5_CALLCONV krb5_free_pa_svr_referral_data
+ (krb5_context, krb5_pa_svr_referral_data * );
+void KRB5_CALLCONV krb5_free_pa_server_referral_data
+ (krb5_context, krb5_pa_server_referral_data * );
+void KRB5_CALLCONV krb5_free_pa_pac_req
+ (krb5_context, krb5_pa_pac_req * );
+void KRB5_CALLCONV krb5_free_etype_list
+ (krb5_context, krb5_etype_list * );
+
+void KRB5_CALLCONV krb5_free_fast_armor
+(krb5_context, krb5_fast_armor *);
+void KRB5_CALLCONV krb5_free_fast_armored_req
+(krb5_context, krb5_fast_armored_req *);
+void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *);
+void KRB5_CALLCONV krb5_free_fast_finished
+(krb5_context, krb5_fast_finished *);
+void KRB5_CALLCONV krb5_free_fast_response
+(krb5_context, krb5_fast_response *);
+void KRB5_CALLCONV krb5_free_ad_kdcissued
+(krb5_context, krb5_ad_kdcissued *);
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
#include "com_err.h"
#include "k5-plugin.h"
+#include <krb5/authdata_plugin.h>
+
+struct _krb5_authdata_context {
+ krb5_magic magic;
+ int n_modules;
+ struct _krb5_authdata_context_module {
+ krb5_authdatatype ad_type;
+ void *plugin_context;
+ authdata_client_plugin_fini_proc client_fini;
+ krb5_flags flags;
+ krb5plugin_authdata_client_ftable_v0 *ftable;
+ authdata_client_request_init_proc client_req_init;
+ authdata_client_request_fini_proc client_req_fini;
+ const char *name;
+ void *request_context;
+ void **request_context_pp;
+ } *modules;
+ struct plugin_dir_handle plugins;
+};
+
+typedef struct _krb5_authdata_context *krb5_authdata_context;
+
+void KRB5_CALLCONV krb5int_free_data_list
+(krb5_context context, krb5_data *data);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_init
+(krb5_context kcontext, krb5_authdata_context *pcontext);
+
+void KRB5_CALLCONV
+krb5_authdata_context_free
+(krb5_context kcontext, krb5_authdata_context context);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_authdata
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_authdata ***pauthdata);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_get_attribute_types
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_data **attrs);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_get_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_set_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value);
+
+krb5_error_code KRB5_CALLCONV
+krb5_authdata_delete_attribute
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const krb5_data *attribute);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_import_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ const krb5_data *attributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_attributes
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_flags usage,
+ krb5_data **pattributes);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_export_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ krb5_boolean restrict_authenticated,
+ const char *module,
+ void **ptr);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_context_copy
+(krb5_context kcontext,
+ krb5_authdata_context src,
+ krb5_authdata_context *dst);
+
+krb5_error_code KRB5_CALLCONV krb5_authdata_free_internal
+(krb5_context kcontext,
+ krb5_authdata_context context,
+ const char *module,
+ void *ptr);
+
+
+struct _kdb5_dal_handle; /* private, in kdb5.h */
+typedef struct _kdb5_dal_handle kdb5_dal_handle;
+struct _kdb_log_context;
struct _krb5_context {
krb5_magic magic;
- krb5_enctype *in_tkt_ktypes;
- unsigned int in_tkt_ktype_count;
- krb5_enctype *tgs_ktypes;
- unsigned int tgs_ktype_count;
+ krb5_enctype *in_tkt_etypes;
+ krb5_enctype *tgs_etypes;
struct _krb5_os_context os_context;
char *default_realm;
profile_t profile;
- void *db_context;
+ kdb5_dal_handle *dal_handle;
int ser_ctx_count;
void *ser_ctx;
/* allowable clock skew */
/* error detail info */
struct errinfo err;
+
+ /* For Sun iprop code; does this really have to be here? */
+ struct _kdb_log_context *kdblog_context;
+
+ krb5_boolean allow_weak_crypto;
};
/* could be used in a table to find an etype and initialize a block */
/* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
/* here we use some knowledge of ASN.1 encodings */
-/*
+/*
Ticket is APPLICATION 1.
Authenticator is APPLICATION 2.
AS_REQ is APPLICATION 10.
*/
/* allow either constructed or primitive encoding, so check for bit 6
set or reset */
-#define krb5_is_krb_ticket(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
- (dat)->data[0] == 0x41))
-#define krb5_is_krb_authenticator(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
- (dat)->data[0] == 0x42))
-#define krb5_is_as_req(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
- (dat)->data[0] == 0x4a))
-#define krb5_is_as_rep(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
- (dat)->data[0] == 0x4b))
-#define krb5_is_tgs_req(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
- (dat)->data[0] == 0x4c))
-#define krb5_is_tgs_rep(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
- (dat)->data[0] == 0x4d))
-#define krb5_is_ap_req(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
- (dat)->data[0] == 0x4e))
-#define krb5_is_ap_rep(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
- (dat)->data[0] == 0x4f))
-#define krb5_is_krb_safe(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
- (dat)->data[0] == 0x54))
-#define krb5_is_krb_priv(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
- (dat)->data[0] == 0x55))
-#define krb5_is_krb_cred(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
- (dat)->data[0] == 0x56))
-#define krb5_is_krb_enc_as_rep_part(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
- (dat)->data[0] == 0x59))
-#define krb5_is_krb_enc_tgs_rep_part(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
- (dat)->data[0] == 0x5a))
-#define krb5_is_krb_enc_ap_rep_part(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
- (dat)->data[0] == 0x5b))
-#define krb5_is_krb_enc_krb_priv_part(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
- (dat)->data[0] == 0x5c))
-#define krb5_is_krb_enc_krb_cred_part(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
- (dat)->data[0] == 0x5d))
-#define krb5_is_krb_error(dat)\
- ((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
- (dat)->data[0] == 0x5e))
+#define krb5int_is_app_tag(dat,tag)\
+ ((dat) && (dat)->length && \
+ ((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
+#define krb5_is_krb_ticket(dat) krb5int_is_app_tag(dat, 1)
+#define krb5_is_krb_authenticator(dat) krb5int_is_app_tag(dat, 2)
+#define krb5_is_as_req(dat) krb5int_is_app_tag(dat, 10)
+#define krb5_is_as_rep(dat) krb5int_is_app_tag(dat, 11)
+#define krb5_is_tgs_req(dat) krb5int_is_app_tag(dat, 12)
+#define krb5_is_tgs_rep(dat) krb5int_is_app_tag(dat, 13)
+#define krb5_is_ap_req(dat) krb5int_is_app_tag(dat, 14)
+#define krb5_is_ap_rep(dat) krb5int_is_app_tag(dat, 15)
+#define krb5_is_krb_safe(dat) krb5int_is_app_tag(dat, 20)
+#define krb5_is_krb_priv(dat) krb5int_is_app_tag(dat, 21)
+#define krb5_is_krb_cred(dat) krb5int_is_app_tag(dat, 22)
+#define krb5_is_krb_enc_as_rep_part(dat) krb5int_is_app_tag(dat, 25)
+#define krb5_is_krb_enc_tgs_rep_part(dat) krb5int_is_app_tag(dat, 26)
+#define krb5_is_krb_enc_ap_rep_part(dat) krb5int_is_app_tag(dat, 27)
+#define krb5_is_krb_enc_krb_priv_part(dat) krb5int_is_app_tag(dat, 28)
+#define krb5_is_krb_enc_krb_cred_part(dat) krb5int_is_app_tag(dat, 29)
+#define krb5_is_krb_error(dat) krb5int_is_app_tag(dat, 30)
/*************************************************************************
* Prototypes for krb5_encode.c
krb5_error_code encode_krb5_enc_kdc_rep_part
(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
-/* yes, the translation is identical to that used for KDC__REP */
+/* yes, the translation is identical to that used for KDC__REP */
krb5_error_code encode_krb5_as_rep
(const krb5_kdc_rep *rep, krb5_data **code);
-/* yes, the translation is identical to that used for KDC__REP */
+/* yes, the translation is identical to that used for KDC__REP */
krb5_error_code encode_krb5_tgs_rep
(const krb5_kdc_rep *rep, krb5_data **code);
krb5_error_code encode_krb5_safe
(const krb5_safe *rep, krb5_data **code);
+struct krb5_safe_with_body {
+ krb5_safe *safe;
+ krb5_data *body;
+};
krb5_error_code encode_krb5_safe_with_body
- (const krb5_safe *rep, const krb5_data *body, krb5_data **code);
+ (const struct krb5_safe_with_body *rep, krb5_data **code);
krb5_error_code encode_krb5_priv
(const krb5_priv *rep, krb5_data **code);
(const krb5_error *rep, krb5_data **code);
krb5_error_code encode_krb5_authdata
- (const krb5_authdata **rep, krb5_data **code);
+ (krb5_authdata *const *rep, krb5_data **code);
krb5_error_code encode_krb5_authdata_elt
(const krb5_authdata *rep, krb5_data **code);
(const krb5_pwd_data *rep, krb5_data **code);
krb5_error_code encode_krb5_padata_sequence
- (const krb5_pa_data ** rep, krb5_data **code);
+ (krb5_pa_data *const *rep, krb5_data **code);
krb5_error_code encode_krb5_alt_method
(const krb5_alt_method *, krb5_data **code);
krb5_error_code encode_krb5_etype_info
- (const krb5_etype_info_entry **, krb5_data **code);
+ (krb5_etype_info_entry *const *, krb5_data **code);
krb5_error_code encode_krb5_etype_info2
- (const krb5_etype_info_entry **, krb5_data **code);
+ (krb5_etype_info_entry *const *, krb5_data **code);
krb5_error_code encode_krb5_enc_data
(const krb5_enc_data *, krb5_data **);
krb5_error_code encode_krb5_sam_response
(const krb5_sam_response * , krb5_data **);
+#if 0 /* currently not compiled because we never use them */
krb5_error_code encode_krb5_sam_challenge_2
(const krb5_sam_challenge_2 * , krb5_data **);
krb5_error_code encode_krb5_sam_challenge_2_body
(const krb5_sam_challenge_2_body * , krb5_data **);
+#endif
krb5_error_code encode_krb5_enc_sam_response_enc_2
(const krb5_enc_sam_response_enc_2 * , krb5_data **);
krb5_error_code encode_krb5_predicted_sam_response
(const krb5_predicted_sam_response * , krb5_data **);
+struct krb5_setpw_req {
+ krb5_principal target;
+ krb5_data password;
+};
krb5_error_code encode_krb5_setpw_req
-(const krb5_principal target, char *password, krb5_data **code);
+ (const struct krb5_setpw_req *rep, krb5_data **code);
+
+krb5_error_code encode_krb5_pa_for_user
+ (const krb5_pa_for_user * , krb5_data **);
+
+krb5_error_code encode_krb5_s4u_userid
+ (const krb5_s4u_userid * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_s4u_x509_user
+ (const krb5_pa_s4u_x509_user * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_svr_referral_data
+ (const krb5_pa_svr_referral_data * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_server_referral_data
+ (const krb5_pa_server_referral_data * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_pac_req
+ (const krb5_pa_pac_req * , krb5_data **);
+
+krb5_error_code encode_krb5_etype_list
+ (const krb5_etype_list * , krb5_data **);
+
+krb5_error_code encode_krb5_pa_fx_fast_request
+(const krb5_fast_armored_req *, krb5_data **);
+krb5_error_code encode_krb5_fast_req
+(const krb5_fast_req *, krb5_data **);
+krb5_error_code encode_krb5_pa_fx_fast_reply
+(const krb5_enc_data *, krb5_data **);
+
+krb5_error_code encode_krb5_fast_response
+(const krb5_fast_response *, krb5_data **);
+
+krb5_error_code encode_krb5_ad_kdcissued
+(const krb5_ad_kdcissued *, krb5_data **);
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
krb5_error_code krb5_validate_times
- (krb5_context,
+ (krb5_context,
krb5_ticket_times *);
/*
krb5_error_code decode_krb5_structure(const krb5_data *code,
krb5_structure **rep);
-
+
requires Expects **rep to not have been allocated;
a new *rep is allocated regardless of the old value.
effects Decodes *code into **rep.
krb5_error_code decode_krb5_sam_key
(const krb5_data *, krb5_sam_key **);
+krb5_error_code decode_krb5_setpw_req
+ (const krb5_data *, krb5_data **, krb5_principal *);
+
+krb5_error_code decode_krb5_pa_for_user
+ (const krb5_data *, krb5_pa_for_user **);
+
+krb5_error_code decode_krb5_pa_s4u_x509_user
+ (const krb5_data *, krb5_pa_s4u_x509_user **);
+
+krb5_error_code decode_krb5_pa_svr_referral_data
+ (const krb5_data *, krb5_pa_svr_referral_data **);
+
+krb5_error_code decode_krb5_pa_server_referral_data
+ (const krb5_data *, krb5_pa_server_referral_data **);
+
+krb5_error_code decode_krb5_pa_pac_req
+ (const krb5_data *, krb5_pa_pac_req **);
+
+krb5_error_code decode_krb5_etype_list
+ (const krb5_data *, krb5_etype_list **);
+
+krb5_error_code decode_krb5_pa_fx_fast_request
+(const krb5_data *, krb5_fast_armored_req **);
+
+krb5_error_code decode_krb5_fast_req
+(const krb5_data *, krb5_fast_req **);
+
+
+krb5_error_code decode_krb5_pa_fx_fast_reply
+(const krb5_data *, krb5_enc_data **);
+
+krb5_error_code decode_krb5_fast_response
+(const krb5_data *, krb5_fast_response **);
+
+krb5_error_code decode_krb5_ad_kdcissued
+(const krb5_data *, krb5_ad_kdcissued **);
+
struct _krb5_key_data; /* kdb.h */
+
+struct ldap_seqof_key_data {
+ krb5_int32 mkvno; /* Master key version number */
+ struct _krb5_key_data *key_data;
+ krb5_int16 n_key_data;
+};
+typedef struct ldap_seqof_key_data ldap_seqof_key_data;
+
krb5_error_code
-krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data,
- krb5_int16 n_key_data,
- krb5_int32 mkvno,
+krb5int_ldap_encode_sequence_of_keys (const ldap_seqof_key_data *val,
krb5_data **code);
krb5_error_code
krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
- struct _krb5_key_data **out,
- krb5_int16 *n_key_data,
- int *mkvno);
+ ldap_seqof_key_data **rep);
/*************************************************************************
* End of prototypes for krb5_decode.c
krb5_error_code
krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
- krb5_keyblock * /* Old keyblock, not new! */);
+ krb5_keyblock * /* Old keyblock, not new! */,
+ krb5_enctype);
/* set and change password helpers */
krb5_error_code krb5int_mk_chpw_req
- (krb5_context context, krb5_auth_context auth_context,
+ (krb5_context context, krb5_auth_context auth_context,
krb5_data *ap_req, char *passwd, krb5_data *packet);
krb5_error_code krb5int_rd_chpw_rep
(krb5_context context, krb5_auth_context auth_context,
void krb5int_free_srv_dns_data(struct srv_dns_entry *);
#endif
+/* value to use when requesting a keytab entry and KVNO doesn't matter */
+#define IGNORE_VNO 0
+/* value to use when requesting a keytab entry and enctype doesn't matter */
+#define IGNORE_ENCTYPE 0
+
/*
* Convenience function for structure magic number
*/
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 11
+#define KRB5INT_ACCESS_STRUCT_VERSION 15
#ifndef ANAME_SZ
struct ktext; /* from krb.h, for krb524 support */
/* crypto stuff */
const struct krb5_hash_provider *md5_hash_provider;
const struct krb5_enc_provider *arcfour_enc_provider;
- krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
- const krb5_keyblock *key,
- unsigned int icount, const krb5_data *input,
- krb5_data *output);
+ krb5_error_code (*hmac)(const struct krb5_hash_provider *hash,
+ const krb5_keyblock *key,
+ unsigned int icount, const krb5_data *input,
+ krb5_data *output);
+ krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
+ krb5_auth_context,
+ krb5_enctype *);
/* service location and communication */
krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
struct srv_dns_entry **answers);
void (*free_srv_dns_data)(struct srv_dns_entry *);
int (*use_dns_kdc)(krb5_context);
+ krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t);
- /* krb4 compatibility stuff -- may be null if not enabled */
- krb5_int32 (*krb_life_to_time)(krb5_int32, int);
- int (*krb_time_to_life)(krb5_int32, krb5_int32);
- int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
- krb5_error_code (*krb5int_c_mandatory_cksumtype)
- (krb5_context, krb5_enctype, krb5_cksumtype *);
- krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
- (krb5_int64, krb5_octet **, size_t *);
- krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
- (krb5_int64 *, krb5_octet **, size_t *);
+ krb5_error_code (*mandatory_cksumtype)(krb5_context, krb5_enctype,
+ krb5_cksumtype *);
+ krb5_error_code (KRB5_CALLCONV *ser_pack_int64)(krb5_int64, krb5_octet **,
+ size_t *);
+ krb5_error_code (KRB5_CALLCONV *ser_unpack_int64)(krb5_int64 *,
+ krb5_octet **, size_t *);
/* Used for KDB LDAP back end. */
krb5_error_code
- (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data,
- krb5_int16 n_key_data,
- krb5_int32 mkvno,
+ (*asn1_ldap_encode_sequence_of_keys) (const ldap_seqof_key_data *val,
krb5_data **code);
krb5_error_code
(*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
- struct _krb5_key_data **out,
- krb5_int16 *n_key_data,
- int *mkvno);
+ ldap_seqof_key_data **);
+ /* Used for encrypted challenge fast factor*/
+ krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **);
+ krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **);
+ void (*free_enc_data)(krb5_context, krb5_enc_data *);
+ krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **);
+ krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **);
+ void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *);
+ krb5_error_code (*encrypt_helper)
+ (krb5_context, const krb5_keyblock *, krb5_keyusage, const krb5_data *,
+ krb5_enc_data *);
/*
* pkinit asn.1 encode/decode functions
(const krb5_data *output, krb5_kdc_req **rep);
krb5_error_code (*encode_krb5_kdc_req_body)
(const krb5_kdc_req *rep, krb5_data **code);
- void KRB5_CALLCONV (*krb5_free_kdc_req)
+ void (KRB5_CALLCONV *free_kdc_req)
(krb5_context, krb5_kdc_req * );
- void (*krb5int_set_prompt_types)
+ void (*set_prompt_types)
(krb5_context, krb5_prompt_type *);
krb5_error_code (*encode_krb5_authdata_elt)
(const krb5_authdata *rep, krb5_data **code);
+ /* Exported for testing only! */
+ krb5_error_code (*encode_krb5_sam_response_2)
+ (const krb5_sam_response_2 *rep, krb5_data **code);
+ krb5_error_code (*encode_krb5_enc_sam_response_enc_2)
+ (const krb5_enc_sam_response_enc_2 *rep, krb5_data **code);
+
} krb5int_access;
#define KRB5INT_ACCESS_VERSION \
#define KRB524_SERVICE "krb524"
#define KRB524_PORT 4444
-/* v4lifetime.c */
-extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
-extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
-
-/* conv_creds.c */
-int krb5int_encode_v4tkt
- (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
-
-/* send524.c */
-int krb5int_524_sendto_kdc
- (krb5_context context, const krb5_data * message,
- const krb5_data * realm, krb5_data * reply,
- struct sockaddr *, socklen_t *);
-
/* temporary -- this should be under lib/krb5/ccache somewhere */
struct _krb5_ccache {
/*
* Per-type ccache cursor.
*/
-struct krb5_cc_ptcursor {
+struct krb5_cc_ptcursor_s {
const struct _krb5_cc_ops *ops;
krb5_pointer data;
};
-typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor;
+typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
struct _krb5_cc_ops {
krb5_magic magic;
krb5_ccache *);
krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
krb5_cc_ptcursor *);
- krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
+ krb5_ccache);
krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
krb5_ccache, krb5_timestamp *);
krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
krb5_timestamp *);
+ krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
};
extern const krb5_cc_ops *krb5_cc_dfl_ops;
krb5_error_code
krb5int_cc_os_default_name(krb5_context context, char **name);
-/*
- * Cursor for iterating over ccache types
- */
-struct krb5_cc_typecursor;
-typedef struct krb5_cc_typecursor *krb5_cc_typecursor;
-
-krb5_error_code
-krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *cursor);
-
-krb5_error_code
-krb5int_cc_typecursor_next(
- krb5_context context,
- krb5_cc_typecursor cursor,
- const struct _krb5_cc_ops **ops);
-
-krb5_error_code
-krb5int_cc_typecursor_free(
- krb5_context context,
- krb5_cc_typecursor *cursor);
-
typedef struct _krb5_donot_replay {
krb5_magic magic;
krb5_ui_4 hash;
char *server; /* null-terminated */
char *client; /* null-terminated */
+ char *msghash; /* null-terminated */
krb5_int32 cusec;
krb5_timestamp ctime;
} krb5_donot_replay;
-krb5_error_code krb5_rc_default
+krb5_error_code krb5_rc_default
(krb5_context,
krb5_rcache *);
-krb5_error_code krb5_rc_resolve_type
+krb5_error_code krb5_rc_resolve_type
(krb5_context,
krb5_rcache *,char *);
-krb5_error_code krb5_rc_resolve_full
+krb5_error_code krb5_rc_resolve_full
(krb5_context,
krb5_rcache *,char *);
-char * krb5_rc_get_type
+char * krb5_rc_get_type
(krb5_context,
krb5_rcache);
-char * krb5_rc_default_type
+char * krb5_rc_default_type
(krb5_context);
-char * krb5_rc_default_name
+char * krb5_rc_default_name
(krb5_context);
-krb5_error_code krb5_auth_to_rep
+krb5_error_code krb5_auth_to_rep
(krb5_context,
krb5_tkt_authent *,
krb5_donot_replay *);
+krb5_error_code krb5_rc_hash_message
+ (krb5_context context,
+ const krb5_data *message, char **out);
krb5_error_code KRB5_CALLCONV krb5_rc_initialize
krb5_magic magic;
char *prefix;
/* routines always present */
- krb5_error_code (KRB5_CALLCONV *resolve)
+ krb5_error_code (KRB5_CALLCONV *resolve)
(krb5_context,
const char *,
krb5_keytab *);
- krb5_error_code (KRB5_CALLCONV *get_name)
+ krb5_error_code (KRB5_CALLCONV *get_name)
(krb5_context,
krb5_keytab,
char *,
unsigned int);
- krb5_error_code (KRB5_CALLCONV *close)
+ krb5_error_code (KRB5_CALLCONV *close)
(krb5_context,
krb5_keytab);
- krb5_error_code (KRB5_CALLCONV *get)
+ krb5_error_code (KRB5_CALLCONV *get)
(krb5_context,
krb5_keytab,
krb5_const_principal,
krb5_kvno,
krb5_enctype,
krb5_keytab_entry *);
- krb5_error_code (KRB5_CALLCONV *start_seq_get)
+ krb5_error_code (KRB5_CALLCONV *start_seq_get)
(krb5_context,
krb5_keytab,
- krb5_kt_cursor *);
- krb5_error_code (KRB5_CALLCONV *get_next)
+ krb5_kt_cursor *);
+ krb5_error_code (KRB5_CALLCONV *get_next)
(krb5_context,
krb5_keytab,
krb5_keytab_entry *,
krb5_kt_cursor *);
- krb5_error_code (KRB5_CALLCONV *end_get)
+ krb5_error_code (KRB5_CALLCONV *end_get)
(krb5_context,
krb5_keytab,
krb5_kt_cursor *);
/* routines to be included on extended version (write routines) */
- krb5_error_code (KRB5_CALLCONV *add)
+ krb5_error_code (KRB5_CALLCONV *add)
(krb5_context,
krb5_keytab,
krb5_keytab_entry *);
- krb5_error_code (KRB5_CALLCONV *remove)
+ krb5_error_code (KRB5_CALLCONV *remove)
(krb5_context,
krb5_keytab,
krb5_keytab_entry *);
extern int krb5int_crypto_init (void);
extern int krb5int_prng_init(void);
-#define krb5_copy_error_state(CTX, OCTX) \
- krb5int_set_error(&(CTX)->errinfo, (OCTX)->errinfo.code, "%s", (OCTX)->errinfo.msg)
-
/*
* Referral definitions, debugging hooks, and subfunctions.
*/
-#define KRB5_REFERRAL_MAXHOPS 5
+#define KRB5_REFERRAL_MAXHOPS 10
/* #define DEBUG_REFERRALS */
#ifdef DEBUG_REFERRALS
char *,
size_t);
-/* Use the above four instead. */
-krb5_boolean KRB5_CALLCONV valid_enctype
- (krb5_enctype ktype);
-krb5_boolean KRB5_CALLCONV valid_cksumtype
- (krb5_cksumtype ctype);
-krb5_boolean KRB5_CALLCONV is_coll_proof_cksum
- (krb5_cksumtype ctype);
-krb5_boolean KRB5_CALLCONV is_keyed_cksum
- (krb5_cksumtype ctype);
-
-krb5_error_code KRB5_CALLCONV krb5_random_confounder
- (size_t, krb5_pointer);
-
-krb5_error_code krb5_encrypt_data
- (krb5_context context, krb5_keyblock *key,
- krb5_pointer ivec, krb5_data *data,
- krb5_enc_data *enc_data);
-
-krb5_error_code krb5_decrypt_data
- (krb5_context context, krb5_keyblock *key,
- krb5_pointer ivec, krb5_enc_data *data,
- krb5_data *enc_data);
-
-struct _krb5_kt_ops;
+krb5_error_code
+krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+krb5_error_code
+krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
+ const krb5_data *input, krb5_data *output);
+
struct _krb5_kt { /* should move into k5-int.h */
krb5_magic magic;
const struct _krb5_kt_ops *ops;
krb5_boolean krb5_is_permitted_enctype
(krb5_context, krb5_enctype);
+typedef struct
+{
+ krb5_enctype *etype;
+ krb5_boolean *etype_ok;
+ krb5_int32 etype_count;
+} krb5_etypes_permitted;
+
+krb5_boolean krb5_is_permitted_enctype_ext
+ ( krb5_context, krb5_etypes_permitted *);
+
+krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
+
krb5_error_code krb5_kdc_rep_decrypt_proc
(krb5_context,
const krb5_keyblock *,
krb5_error_code krb5_generate_subkey
(krb5_context,
const krb5_keyblock *, krb5_keyblock **);
+krb5_error_code krb5_generate_subkey_extended
+ (krb5_context,
+ const krb5_keyblock *,
+ krb5_enctype,
+ krb5_keyblock **);
krb5_error_code krb5_generate_seq_number
(krb5_context,
const krb5_keyblock *, krb5_ui_4 *);
(krb5_context, krb5_pwd_data *);
void KRB5_CALLCONV krb5_free_pwd_sequences
(krb5_context, passwd_phrase_element **);
+void KRB5_CALLCONV krb5_free_passwd_phrase_element
+ (krb5_context, passwd_phrase_element *);
+void KRB5_CALLCONV krb5_free_alt_method
+ (krb5_context, krb5_alt_method *);
+void KRB5_CALLCONV krb5_free_enc_data
+ (krb5_context, krb5_enc_data *);
krb5_error_code krb5_set_config_files
(krb5_context, const char **);
void KRB5_CALLCONV krb5_free_config_files
(char **filenames);
-krb5_error_code krb5_send_tgs
+krb5_error_code krb5int_send_tgs
(krb5_context,
krb5_flags,
const krb5_ticket_times *,
krb5_pa_data * const *,
const krb5_data *,
krb5_creds *,
- krb5_response * );
-krb5_error_code krb5_decode_kdc_rep
+ krb5_error_code (*gcvt_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *gcvt_data,
+ krb5_response * , krb5_keyblock **subkey);
+ /* The subkey field is an output parameter; if a
+ * tgs-rep is received then the subkey will be filled
+ * in with the subkey needed to decrypt the TGS
+ * response. Otherwise it will be set to null.
+ */
+krb5_error_code krb5int_decode_tgs_rep
(krb5_context,
krb5_data *,
- const krb5_keyblock *,
+ const krb5_keyblock *, krb5_keyusage,
krb5_kdc_rep ** );
+krb5_error_code krb5int_find_authdata
+(krb5_context context, krb5_authdata *const * ticket_authdata,
+ krb5_authdata * const *ap_req_authdata,
+ krb5_authdatatype ad_type,
+ krb5_authdata ***results);
krb5_error_code krb5_rd_req_decoded
(krb5_context,
krb5_keytab,
krb5_flags *,
krb5_ticket **);
+
krb5_error_code KRB5_CALLCONV krb5_cc_register
(krb5_context,
const krb5_cc_ops *,
krb5_auth_context,
krb5_enctype **);
+krb5_error_code krb5_auth_con_get_subkey_enctype
+ (krb5_context context,
+ krb5_auth_context,
+ krb5_enctype *);
+
+krb5_error_code
+krb5_auth_con_get_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context);
+
+krb5_error_code
+krb5_auth_con_set_authdata_context
+ (krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context);
+
krb5_error_code KRB5_CALLCONV
krb5int_server_decrypt_ticket_keyblock
(krb5_context context,
krb5_error_code krb5_read_message (krb5_context, krb5_pointer, krb5_data *);
krb5_error_code krb5_write_message (krb5_context, krb5_pointer, krb5_data *);
+krb5_error_code krb5int_write_messages (krb5_context, krb5_pointer, krb5_data *, int);
int krb5_net_read (krb5_context, int , char *, int);
int krb5_net_write (krb5_context, int , const char *, int);
void KRB5_CALLCONV krb5_free_realm_string
(krb5_context context, char *str);
+/* Internal principal function used by KIM to avoid code duplication */
+krb5_error_code KRB5_CALLCONV
+krb5int_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
+ const char *first,
+ va_list ap);
+
/* Some data comparison and conversion functions. */
-#if 0
-static inline int data_cmp(krb5_data d1, krb5_data d2)
-{
- if (d1.length < d2.length) return -1;
- if (d1.length > d2.length) return 1;
- return memcmp(d1.data, d2.data, d1.length);
-}
-static inline int data_eq (krb5_data d1, krb5_data d2)
-{
- return data_cmp(d1, d2) == 0;
-}
-#else
-static inline int data_eq (krb5_data d1, krb5_data d2)
+static inline int
+data_eq(krb5_data d1, krb5_data d2)
{
return (d1.length == d2.length
&& !memcmp(d1.data, d2.data, d1.length));
}
-#endif
-static inline krb5_data string2data (char *str)
+
+static inline krb5_data
+make_data(void *data, unsigned int len)
{
krb5_data d;
+
d.magic = KV5M_DATA;
- d.length = strlen(str);
- d.data = str;
+ d.data = (char *) data;
+ d.length = len;
return d;
}
-static inline int data_eq_string (krb5_data d, char *s)
+
+static inline krb5_data
+empty_data()
+{
+ return make_data(NULL, 0);
+}
+
+static inline krb5_data
+string2data(char *str)
+{
+ return make_data(str, strlen(str));
+}
+
+static inline int
+data_eq_string (krb5_data d, char *s)
{
return data_eq(d, string2data(s));
}
-static inline int authdata_eq (krb5_authdata a1, krb5_authdata a2)
+
+static inline int
+authdata_eq(krb5_authdata a1, krb5_authdata a2)
{
return (a1.ad_type == a2.ad_type
&& a1.length == a2.length
&& !memcmp(a1.contents, a2.contents, a1.length));
}
+
+/* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
+static inline void *
+k5alloc(size_t size, krb5_error_code *code)
+{
+ void *ptr;
+
+ ptr = calloc(size, 1);
+ *code = (ptr == NULL) ? ENOMEM : 0;
+ return ptr;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5int_pac_sign(krb5_context context,
+ krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ const krb5_keyblock *server_key,
+ const krb5_keyblock *privsvr_key,
+ krb5_data *data);
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_data *cert,
+ krb5_creds **out_creds);
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_credentials_for_proxy(krb5_context context,
+ krb5_flags options,
+ krb5_ccache ccache,
+ krb5_creds *in_creds,
+ krb5_ticket *evidence_tkt,
+ krb5_creds **out_creds);
+
+krb5_error_code krb5int_parse_enctype_list(krb5_context context, char *profstr,
+ krb5_enctype *default_list,
+ krb5_enctype **result);
+
+#ifdef DEBUG_ERROR_LOCATIONS
+#define krb5_set_error_message(ctx, code, ...) \
+ krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__)
+#endif
+
#endif /* _KRB5_INT_H */