1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
3 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology,
4 * Cambridge, MA, USA. All Rights Reserved.
6 * This software is being provided to you, the LICENSEE, by the
7 * Massachusetts Institute of Technology (M.I.T.) under the following
8 * license. By obtaining, using and/or copying this software, you agree
9 * that you have read, understood, and will comply with these terms and
12 * Export of this software from the United States of America may
13 * require a specific license from the United States Government.
14 * It is the responsibility of any person or organization contemplating
15 * export to obtain such a license before exporting.
17 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
18 * this software and its documentation for any purpose and without fee or
19 * royalty is hereby granted, provided that you agree to comply with the
20 * following copyright notice and statements, including the disclaimer, and
21 * that the same appear on ALL copies of the software and documentation,
22 * including modifications that you make for internal use or for
25 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
26 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
27 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
28 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
29 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
30 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
32 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
33 * be used in advertising or publicity pertaining to distribution of the
34 * software. Title to copyright in this software and any associated
35 * documentation shall at all times remain with M.I.T., and USER agrees to
38 * Furthermore if you modify this software you must label
39 * your software as modified software and not distribute it in such a
40 * fashion that it might be confused with the original M.I.T. software.
44 * Copyright (C) 1998 by the FundsXpress, INC.
46 * All rights reserved.
48 * Export of this software from the United States of America may require
49 * a specific license from the United States Government. It is the
50 * responsibility of any person or organization contemplating export to
51 * obtain such a license before exporting.
53 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
54 * distribute this software and its documentation for any purpose and
55 * without fee is hereby granted, provided that the above copyright
56 * notice appear in all copies and that both that copyright notice and
57 * this permission notice appear in supporting documentation, and that
58 * the name of FundsXpress. not be used in advertising or publicity pertaining
59 * to distribution of the software without specific, written prior
60 * permission. FundsXpress makes no representations about the suitability of
61 * this software for any purpose. It is provided "as is" without express
62 * or implied warranty.
64 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
65 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
66 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
70 * This prototype for k5-int.h (Krb5 internals include file)
71 * includes the user-visible definitions from krb5.h and then
72 * includes other definitions that are not user-visible but are
73 * required for compiling Kerberos internal routines.
75 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
82 #error krb5.h included before k5-int.h
83 #endif /* KRB5_GENERAL__ */
87 #if defined(__MACH__) && defined(__APPLE__)
88 # include <TargetConditionals.h>
89 # if TARGET_RT_MAC_CFM
90 # error "Use KfM 4.0 SDK headers for CFM compilation."
101 * Machine-type definitions: PC Clone 386 running Microloss Windows
104 #if defined(_MSDOS) || defined(_WIN32)
107 /* Kerberos Windows initialization file */
108 #define KERBEROS_INI "kerberos.ini"
109 #define INI_FILES "Files"
110 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */
111 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */
115 #include "autoconf.h"
117 #ifndef KRB5_SYSTYPES__
118 #define KRB5_SYSTYPES__
120 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */
121 #include <sys/types.h>
122 #else /* HAVE_SYS_TYPES_H */
123 typedef unsigned long u_long;
124 typedef unsigned int u_int;
125 typedef unsigned short u_short;
126 typedef unsigned char u_char;
127 #endif /* HAVE_SYS_TYPES_H */
128 #endif /* KRB5_SYSTYPES__ */
131 #include "k5-platform.h"
132 /* not used in krb5.h (yet) */
133 typedef UINT64_TYPE krb5_ui_8;
134 typedef INT64_TYPE krb5_int64;
137 #define DEFAULT_PWD_STRING1 "Enter password"
138 #define DEFAULT_PWD_STRING2 "Re-enter password for verification"
140 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
141 #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
142 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
145 * Windows requires a different api interface to each function. Here
146 * just define it as NULL.
148 #ifndef KRB5_CALLCONV
149 #define KRB5_CALLCONV
150 #define KRB5_CALLCONV_C
156 /* #define KRB5_OLD_CRYPTO is done in krb5.h */
158 #endif /* KRB5_CONFIG__ */
165 * After loading the configuration definitions, load the Kerberos definitions.
171 #include "port-sockets.h"
172 #include "socket-utils.h"
174 /* Get mutex support; currently used only for the replay cache. */
175 #include "k5-thread.h"
177 /* Get error info support. */
180 /* Get string buffer support. */
183 /* cofiguration variables */
184 #define KRB5_CONF_ACL_FILE "acl_file"
185 #define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
186 #define KRB5_CONF_ADMIN_SERVER "admin_server"
187 #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
188 #define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
189 #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local"
190 #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names"
191 #define KRB5_CONF_CANONICALIZE "canonicalize"
192 #define KRB5_CONF_CCACHE_TYPE "ccache_type"
193 #define KRB5_CONF_CLOCKSKEW "clockskew"
194 #define KRB5_CONF_DATABASE_NAME "database_name"
195 #define KRB5_CONF_DB_MODULE_DIR "db_module_dir"
196 #define KRB5_CONF_DB_MODULES "db_modules"
197 #define KRB5_CONF_DOMAIN_REALM "domain_realm"
198 #define KRB5_CONF_DEFAULT_REALM "default_realm"
199 #define KRB5_CONF_DEFAULT_DOMAIN "default_domain"
200 #define KRB5_CONF_DEFAULT_TKT_ENCTYPES "default_tkt_enctypes"
201 #define KRB5_CONF_DEFAULT_TGS_ENCTYPES "default_tgs_enctypes"
202 #define KRB5_CONF_DEFAULT_KEYTAB_NAME "default_keytab_name"
203 #define KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION "default_principal_expiration"
204 #define KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS "default_principal_flags"
205 #define KRB5_CONF_DICT_FILE "dict_file"
206 #define KRB5_CONF_DNS_LOOKUP_KDC "dns_lookup_kdc"
207 #define KRB5_CONF_DNS_LOOKUP_REALM "dns_lookup_realm"
208 #define KRB5_CONF_DNS_FALLBACK "dns_fallback"
209 #define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses"
210 #define KRB5_CONF_FORWARDABLE "forwardable"
211 #define KRB5_CONF_HOST_BASED_SERVICES "host_based_services"
212 #define KRB5_CONF_IPROP_ENABLE "iprop_enable"
213 #define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize"
214 #define KRB5_CONF_IPROP_PORT "iprop_port"
215 #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll"
216 #define KRB5_CONF_IPROP_LOGFILE "iprop_logfile"
217 #define KRB5_CONF_KADMIND_PORT "kadmind_port"
218 #define KRB5_CONF_KRB524_SERVER "krb524_server"
219 #define KRB5_CONF_KDC "kdc"
220 #define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
221 #define KRB5_CONF_KDC_PORTS "kdc_ports"
222 #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
223 #define KRB5_CONF_MAX_DGRAM_REPLY_SIZE "kdc_max_dgram_reply_size"
224 #define KRB5_CONF_KDC_DEFAULT_OPTIONS "kdc_default_options"
225 #define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
226 #define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
227 #define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
228 #define KRB5_CONF_KPASSWD_PORT "kpasswd_port"
229 #define KRB5_CONF_KPASSWD_SERVER "kpasswd_server"
230 #define KRB5_CONF_LIBDEFAULTS "libdefaults"
231 #define KRB5_CONF_LDAP_KDC_DN "ldap_kdc_dn"
232 #define KRB5_CONF_LDAP_KADMIN_DN "ldap_kadmind_dn"
233 #define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file"
234 #define KRB5_CONF_LDAP_ROOT_CERTIFICATE_FILE "ldap_root_certificate_file"
235 #define KRB5_CONF_LDAP_SERVERS "ldap_servers"
236 #define KRB5_CONF_LDAP_CONNS_PER_SERVER "ldap_conns_per_server"
237 #define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral"
238 #define KRB5_CONF_MASTER_KEY_NAME "master_key_name"
239 #define KRB5_CONF_MASTER_KEY_TYPE "master_key_type"
240 #define KRB5_CONF_MASTER_KDC "master_kdc"
241 #define KRB5_CONF_MAX_LIFE "max_life"
242 #define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life"
243 #define KRB5_CONF_NOADDRESSES "noaddresses"
244 #define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes"
245 #define KRB5_CONF_PREFERRED_PREAUTH_TYPES "preferred_preauth_types"
246 #define KRB5_CONF_PROXIABLE "proxiable"
247 #define KRB5_CONF_RDNS "rdns"
248 #define KRB5_CONF_REALMS "realms"
249 #define KRB5_CONF_REALM_TRY_DOMAINS "realm_try_domains"
250 #define KRB5_CONF_REJECT_BAD_TRANSIT "reject_bad_transit"
251 #define KRB5_CONF_RENEW_LIFETIME "renew_lifetime"
252 #define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type"
253 #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes"
254 #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime"
255 #define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit"
256 #define KRB5_CONF_VERIFY_AP_REQ_NOFAIL "verify_ap_req_nofail"
257 #define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
258 #define KRB5_CONF_V4_REALM "v4_realm"
259 #define KRB5_CONF_ASTERISK "*"
261 /* Error codes used in KRB_ERROR protocol messages.
262 Return values of library routines are based on a different error table
263 (which allows non-ambiguous error codes between subsystems) */
266 #define KDC_ERR_NONE 0 /* No error */
267 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
268 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */
269 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */
270 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */
271 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */
272 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */
273 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */
274 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */
275 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */
276 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */
277 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */
278 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */
279 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */
280 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */
281 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */
282 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */
283 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */
284 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */
285 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */
286 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */
287 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */
288 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */
289 #define KDC_ERR_KEY_EXP 23 /* Password has expired */
290 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */
291 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */
293 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
294 /* ticket don't match*/
295 #define KDC_ERR_MUST_USE_USER2USER 27 /* Server principal valid for */
297 #define KDC_ERR_PATH_NOT_ACCEPTED 28 /* KDC policy rejected transited */
299 #define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
301 * required to process the
303 /* Application errors */
304 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */
305 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */
306 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */
307 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */
308 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */
309 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */
310 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */
311 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */
312 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */
313 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */
314 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */
315 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */
316 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */
317 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */
318 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */
319 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */
320 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */
321 /* method required */
322 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */
324 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */
325 /* checksum in message */
326 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */
327 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */
331 #define KRB_ERR_GENERIC 60 /* Generic error (description */
333 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */
335 /* PKINIT server-reported errors */
336 #define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
337 #define KDC_ERR_KDC_NOT_TRUSTED 63
338 #define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
339 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
340 #define KDC_ERR_CERTIFICATE_MISMATCH 66
341 #define KRB_AP_ERR_NO_TGT 67
342 #define KDC_ERR_WRONG_REALM 68
343 #define KRB_AP_ERR_USER_TO_USER_REQUIRED 69
344 #define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */
345 /* trusted root cert */
346 #define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
347 #define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
348 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
349 #define KDC_ERR_REVOCATION_STATUS_UNAVAILABLE 74
350 #define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
352 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
353 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */
354 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */
355 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
356 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
359 * This structure is returned in the e-data field of the KRB-ERROR
360 * message when the error calling for an alternative form of
361 * authentication is returned, KRB_AP_METHOD.
363 typedef struct _krb5_alt_method {
371 * A null-terminated array of this structure is returned by the KDC as
372 * the data part of the ETYPE_INFO preauth type. It informs the
373 * client which encryption types are supported.
374 * The same data structure is used by both etype-info and etype-info2
375 * but s2kparams must be null when encoding etype-info.
377 typedef struct _krb5_etype_info_entry {
383 } krb5_etype_info_entry;
386 * This is essentially -1 without sign extension which can screw up
387 * comparisons on 64 bit machines. If the length is this value, then
388 * the salt data is not present. This is to distinguish between not
389 * being set and being of 0 length.
391 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
393 typedef krb5_etype_info_entry ** krb5_etype_info;
396 typedef struct _krb5_etype_list {
398 krb5_enctype *etypes;
402 * a sam_challenge is returned for alternate preauth
405 SAMFlags ::= BIT STRING {
407 send-encrypted-sad[1],
408 must-pk-encrypt-sad[2]
412 PA-SAM-CHALLENGE ::= SEQUENCE {
414 sam-flags[1] SAMFlags,
415 sam-type-name[2] GeneralString OPTIONAL,
416 sam-track-id[3] GeneralString OPTIONAL,
417 sam-challenge-label[4] GeneralString OPTIONAL,
418 sam-challenge[5] GeneralString OPTIONAL,
419 sam-response-prompt[6] GeneralString OPTIONAL,
420 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
421 sam-nonce[8] INTEGER OPTIONAL,
422 sam-cksum[9] Checksum OPTIONAL
425 /* sam_type values -- informational only */
426 #define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */
427 #define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */
428 #define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */
429 #define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */
430 #define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */
431 #define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */
432 #if 1 /* XXX need to figure out who has which numbers assigned */
433 #define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */
434 #define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */
435 #define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */
437 #define PA_SAM_TYPE_EXP_BASE 128 /* experimental */
438 #define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */
439 #define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */
441 typedef struct _krb5_predicted_sam_response {
443 krb5_keyblock sam_key;
444 krb5_flags sam_flags; /* Makes key munging easier */
445 krb5_timestamp stime; /* time on server, for replay detection */
447 krb5_principal client;
448 krb5_data msd; /* mechanism specific data */
449 } krb5_predicted_sam_response;
451 typedef struct _krb5_sam_challenge {
453 krb5_int32 sam_type; /* information */
454 krb5_flags sam_flags; /* KRB5_SAM_* values */
455 krb5_data sam_type_name;
456 krb5_data sam_track_id;
457 krb5_data sam_challenge_label;
458 krb5_data sam_challenge;
459 krb5_data sam_response_prompt;
460 krb5_data sam_pk_for_sad;
461 krb5_int32 sam_nonce;
462 krb5_checksum sam_cksum;
463 } krb5_sam_challenge;
465 typedef struct _krb5_sam_key { /* reserved for future use */
467 krb5_keyblock sam_key;
470 typedef struct _krb5_enc_sam_response_enc {
472 krb5_int32 sam_nonce;
473 krb5_timestamp sam_timestamp;
476 } krb5_enc_sam_response_enc;
478 typedef struct _krb5_sam_response {
480 krb5_int32 sam_type; /* informational */
481 krb5_flags sam_flags; /* KRB5_SAM_* values */
482 krb5_data sam_track_id; /* copied */
483 krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */
484 krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
485 krb5_int32 sam_nonce;
486 krb5_timestamp sam_patimestamp;
489 typedef struct _krb5_sam_challenge_2 {
490 krb5_data sam_challenge_2_body;
491 krb5_checksum **sam_cksum; /* Array of checksums */
492 } krb5_sam_challenge_2;
494 typedef struct _krb5_sam_challenge_2_body {
496 krb5_int32 sam_type; /* information */
497 krb5_flags sam_flags; /* KRB5_SAM_* values */
498 krb5_data sam_type_name;
499 krb5_data sam_track_id;
500 krb5_data sam_challenge_label;
501 krb5_data sam_challenge;
502 krb5_data sam_response_prompt;
503 krb5_data sam_pk_for_sad;
504 krb5_int32 sam_nonce;
505 krb5_enctype sam_etype;
506 } krb5_sam_challenge_2_body;
508 typedef struct _krb5_sam_response_2 {
510 krb5_int32 sam_type; /* informational */
511 krb5_flags sam_flags; /* KRB5_SAM_* values */
512 krb5_data sam_track_id; /* copied */
513 krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
514 krb5_int32 sam_nonce;
515 } krb5_sam_response_2;
517 typedef struct _krb5_enc_sam_response_enc_2 {
519 krb5_int32 sam_nonce;
521 } krb5_enc_sam_response_enc_2;
524 * Keep the pkinit definitions in a separate file so that the plugin
525 * only has to include k5-int-pkinit.h rather than k5-int.h
528 #include "k5-int-pkinit.h"
534 extern char *strdup (const char *);
541 #ifdef HAVE_SYS_TIME_H
542 #include <sys/time.h>
543 #ifdef TIME_WITH_SYS_TIME
550 #ifdef HAVE_SYS_STAT_H
551 #include <sys/stat.h> /* struct stat, stat() */
554 #ifdef HAVE_SYS_PARAM_H
555 #include <sys/param.h> /* MAXPATHLEN */
558 #ifdef HAVE_SYS_FILE_H
559 #include <sys/file.h> /* prototypes for file-related
560 syscalls; flags for open &
570 #include "k5-gmt_mktime.h"
573 struct sendto_callback_info;
576 krb5_error_code krb5_lock_file(krb5_context, int, int);
577 krb5_error_code krb5_unlock_file(krb5_context, int);
578 krb5_error_code krb5_sendto_kdc(krb5_context, const krb5_data *,
579 const krb5_data *, krb5_data *, int *, int);
581 krb5_error_code krb5_get_krbhst(krb5_context, const krb5_data *, char *** );
582 krb5_error_code krb5_free_krbhst(krb5_context, char * const * );
583 krb5_error_code krb5_create_secure_file(krb5_context, const char * pathname);
584 krb5_error_code krb5_sync_disk_file(krb5_context, FILE *fp);
586 krb5_error_code krb5int_init_context_kdc(krb5_context *);
588 krb5_error_code krb5_os_init_context(krb5_context, krb5_boolean);
590 void krb5_os_free_context(krb5_context);
592 /* This function is needed by KfM's KerberosPreferences API
593 * because it needs to be able to specify "secure" */
595 os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure);
598 krb5_os_hostaddr(krb5_context, const char *, krb5_address ***);
601 krb5int_get_domain_realm_mapping(krb5_context , const char *, char ***);
603 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
604 going to use this structure. */
610 struct undefined_addrinfo *ai;
612 void (*freefn)(void *);
618 #define ADDRLIST_INIT { 0, 0, 0 }
619 extern void krb5int_free_addrlist(struct addrlist *);
620 extern int krb5int_grow_addrlist(struct addrlist *, int);
621 extern int krb5int_add_host_to_list(struct addrlist *, const char *,
624 #include <krb5/locate_plugin.h>
626 krb5int_locate_server(krb5_context, const krb5_data *realm,
627 struct addrlist *, enum locate_service_type svc,
628 int sockettype, int family);
633 struct derived_key *next;
636 /* Internal structure of an opaque key identifier */
638 krb5_keyblock keyblock;
640 struct derived_key *derived;
643 /* new encryption provider api */
645 struct krb5_enc_provider {
646 /* keybytes is the input size to make_key;
647 keylength is the output size */
648 size_t block_size, keybytes, keylength;
650 /* cipher-state == 0 fresh state thrown away at end */
651 krb5_error_code (*encrypt)(krb5_key key, const krb5_data *cipher_state,
652 const krb5_data *input, krb5_data *output);
654 krb5_error_code (*decrypt)(krb5_key key, const krb5_data *ivec,
655 const krb5_data *input, krb5_data *output);
657 krb5_error_code (*make_key)(const krb5_data *randombits,
660 krb5_error_code (*init_state)(const krb5_keyblock *key,
661 krb5_keyusage keyusage,
662 krb5_data *out_state);
663 krb5_error_code (*free_state)(krb5_data *state);
665 /* In-place encryption/decryption of multiple buffers */
666 krb5_error_code (*encrypt_iov)(krb5_key key, const krb5_data *cipher_state,
667 krb5_crypto_iov *data, size_t num_data);
669 krb5_error_code (*decrypt_iov)(krb5_key key, const krb5_data *cipher_state,
670 krb5_crypto_iov *data, size_t num_data);
674 struct krb5_hash_provider {
676 size_t hashsize, blocksize;
678 /* this takes multiple inputs to avoid lots of copying. */
679 krb5_error_code (*hash)(unsigned int icount, const krb5_data *input,
683 struct krb5_keyhash_provider {
686 krb5_error_code (*hash)(krb5_key key, krb5_keyusage keyusage,
687 const krb5_data *ivec, const krb5_data *input,
690 krb5_error_code (*verify)(krb5_key key, krb5_keyusage keyusage,
691 const krb5_data *ivec, const krb5_data *input,
692 const krb5_data *hash, krb5_boolean *valid);
694 krb5_error_code (*hash_iov)(krb5_key key, krb5_keyusage keyusage,
695 const krb5_data *ivec,
696 const krb5_crypto_iov *data, size_t num_data,
699 krb5_error_code (*verify_iov)(krb5_key key, krb5_keyusage keyusage,
700 const krb5_data *ivec,
701 const krb5_crypto_iov *data,
702 size_t num_data, const krb5_data *hash,
703 krb5_boolean *valid);
706 struct krb5_aead_provider {
707 krb5_error_code (*crypto_length)(const struct krb5_aead_provider *aead,
708 const struct krb5_enc_provider *enc,
709 const struct krb5_hash_provider *hash,
710 krb5_cryptotype type,
711 unsigned int *length);
712 krb5_error_code (*encrypt_iov)(const struct krb5_aead_provider *aead,
713 const struct krb5_enc_provider *enc,
714 const struct krb5_hash_provider *hash,
715 krb5_key key, krb5_keyusage keyusage,
716 const krb5_data *ivec,
717 krb5_crypto_iov *data, size_t num_data);
718 krb5_error_code (*decrypt_iov)(const struct krb5_aead_provider *aead,
719 const struct krb5_enc_provider *enc,
720 const struct krb5_hash_provider *hash,
721 krb5_key key, krb5_keyusage keyusage,
722 const krb5_data *ivec,
723 krb5_crypto_iov *data, size_t num_data);
727 * in here to deal with stuff from lib/crypto
730 void krb5int_nfold(unsigned int inbits, const unsigned char *in,
731 unsigned int outbits, unsigned char *out);
733 krb5_error_code krb5int_hmac(const struct krb5_hash_provider *hash,
734 krb5_key key, unsigned int icount,
735 const krb5_data *input, krb5_data *output);
737 krb5_error_code krb5int_hmac_iov(const struct krb5_hash_provider *hash,
738 krb5_key key, const krb5_crypto_iov *data,
739 size_t num_data, krb5_data *output);
742 krb5int_hmac_keyblock(const struct krb5_hash_provider *hash,
743 const krb5_keyblock *key, unsigned int icount,
744 const krb5_data *input, krb5_data *output);
747 krb5int_hmac_iov_keyblock(const struct krb5_hash_provider *hash,
748 const krb5_keyblock *key,
749 const krb5_crypto_iov *data, size_t num_data,
752 krb5_error_code krb5int_pbkdf2_hmac_sha1(const krb5_data *, unsigned long,
753 const krb5_data *, const krb5_data *);
755 /* These crypto functions are used by GSSAPI via the accessor. */
758 krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
759 const krb5_data *kd_data, krb5_crypto_iov *data,
763 * Attempt to zero memory in a way that compilers won't optimize out.
765 * This mechanism should work even for heap storage about to be freed,
766 * or automatic storage right before we return from a function.
768 * Then, even if we leak uninitialized memory someplace, or UNIX
769 * "core" files get created with world-read access, some of the most
770 * sensitive data in the process memory will already be safely wiped.
772 * We're not going so far -- yet -- as to try to protect key data that
773 * may have been written into swap space....
776 # define zap(ptr, len) SecureZeroMemory(ptr, len)
777 #elif defined(__GNUC__)
778 static inline void zap(void *ptr, size_t len)
782 * Some versions of gcc have gotten clever enough to eliminate a
783 * memset call right before the block in question is released.
784 * This (empty) asm requires it to assume that we're doing
785 * something interesting with the stored (zero) value, so the
786 * memset can't be eliminated.
788 * An optimizer that looks at assembly or object code may not be
789 * fooled, and may still cause the memset to go away. Address
790 * that problem if and when we encounter it.
792 * This also may not be enough if free() does something
793 * interesting like purge memory locations from a write-back cache
794 * that hasn't written back the zero bytes yet. A memory barrier
795 * instruction would help in that case.
797 asm volatile ("" : : "g" (ptr), "g" (len));
800 /* Use a function from libkrb5support to defeat inlining. */
801 # define zap(ptr, len) krb5int_zap(ptr, len)
804 /* Convenience function: zap and free ptr if it is non-NULL. */
806 zapfree(void *ptr, size_t len)
814 /* A definition of init_state for DES based encryption systems.
815 * sets up an 8-byte IV of all zeros
819 krb5int_des_init_state(const krb5_keyblock *key, krb5_keyusage keyusage,
820 krb5_data *new_state);
823 * normally to free a cipher_state you can just memset the length to zero and
826 krb5_error_code krb5int_default_free_state(krb5_data *state);
830 * Combine two keys (normally used by the hardware preauth mechanism)
833 krb5int_c_combine_keys(krb5_context context, krb5_keyblock *key1,
834 krb5_keyblock *key2, krb5_keyblock *outkey);
836 void krb5int_c_free_keyblock(krb5_context, krb5_keyblock *key);
837 void krb5int_c_free_keyblock_contents(krb5_context, krb5_keyblock *);
838 krb5_error_code krb5int_c_init_keyblock(krb5_context, krb5_enctype enctype,
839 size_t length, krb5_keyblock **out);
840 krb5_error_code krb5int_c_copy_keyblock(krb5_context context,
841 const krb5_keyblock *from,
843 krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
844 const krb5_keyblock *from,
848 * Internal - for cleanup.
850 extern void krb5int_prng_cleanup(void);
853 #ifdef KRB5_OLD_CRYPTO
854 /* old provider api */
856 krb5_error_code krb5_crypto_os_localaddr(krb5_address ***);
858 krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *);
860 #endif /* KRB5_OLD_CRYPTO */
862 /* this helper fct is in libkrb5, but it makes sense declared here. */
865 krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key,
866 krb5_keyusage keyusage, const krb5_data *plain,
867 krb5_enc_data *cipher);
870 krb5_encrypt_keyhelper(krb5_context context, krb5_key key,
871 krb5_keyusage keyusage, const krb5_data *plain,
872 krb5_enc_data *cipher);
878 typedef struct _krb5_os_context {
880 krb5_int32 time_offset;
881 krb5_int32 usec_offset;
883 char * default_ccname;
887 * Flags for the os_flags field
889 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
890 * The intention is that this facility to correct the system clocks so
891 * that they reflect the "real" time, for systems where for some
892 * reason we can't set the system clock. Instead we calculate the
893 * offset between the system time and real time, and store the offset
894 * in the os context so that we can correct the system clock as necessary.
896 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
897 * returned as the time by the krb5 time routines. This should only
898 * be used for testing purposes (obviously!)
900 #define KRB5_OS_TOFFSET_VALID 1
901 #define KRB5_OS_TOFFSET_TIME 2
903 /* lock mode flags */
904 #define KRB5_LOCKMODE_SHARED 0x0001
905 #define KRB5_LOCKMODE_EXCLUSIVE 0x0002
906 #define KRB5_LOCKMODE_DONTBLOCK 0x0004
907 #define KRB5_LOCKMODE_UNLOCK 0x0008
910 * Define our view of the size of a DES key.
912 #define KRB5_MIT_DES_KEYSIZE 8
913 #define KRB5_MIT_DES3_KEYSIZE 24
914 #define KRB5_MIT_DES3_KEY_BYTES 21
917 * Check if des_int.h has been included before us. If so, then check to see
918 * that our view of the DES key size is the same as des_int.h's.
920 #ifdef MIT_DES_KEYSIZE
921 #if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
922 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
923 #endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
924 #endif /* MIT_DES_KEYSIZE */
929 * (Originally written by Glen Machin at Sandia Labs.)
932 * Sandia National Laboratories also makes no representations about the
933 * suitability of the modifications, or additions to this software for
934 * any purpose. It is provided "as is" without express or implied warranty.
937 #ifndef KRB5_PREAUTH__
938 #define KRB5_PREAUTH__
940 #include <krb5/preauth_plugin.h>
942 #define CLIENT_ROCK_MAGIC 0x4352434b
943 /* This structure is passed into the client preauth functions and passed
944 * back to the "get_data_proc" function so that it can locate the
945 * requested information. It is opaque to the plugin code and can be
946 * expanded in the future as new types of requests are defined which
947 * may require other things to be passed through. */
948 struct krb5int_fast_request_state;
949 typedef struct _krb5_preauth_client_rock {
952 struct krb5int_fast_request_state *fast_state;
953 } krb5_preauth_client_rock;
955 /* This structure lets us keep track of all of the modules which are loaded,
956 * turning the list of modules and their lists of implemented preauth types
957 * into a single list which we can walk easily. */
958 typedef struct _krb5_preauth_context {
960 struct _krb5_preauth_context_module {
961 /* Which of the possibly more than one preauth types which the
962 * module supports we're using at this point in the list. */
963 krb5_preauthtype pa_type;
964 /* Encryption types which the client claims to support -- we
965 * copy them directly into the krb5_kdc_req structure during
966 * krb5_preauth_prepare_request(). */
967 krb5_enctype *enctypes;
968 /* The plugin's per-plugin context and a function to clear it. */
969 void *plugin_context;
970 preauth_client_plugin_fini_proc client_fini;
971 /* The module's table, and some of its members, copied here for
972 * convenience when we populated the list. */
973 struct krb5plugin_preauth_client_ftable_v1 *ftable;
975 int flags, use_count;
976 preauth_client_process_proc client_process;
977 preauth_client_tryagain_proc client_tryagain;
978 preauth_client_supply_gic_opts_proc client_supply_gic_opts;
979 preauth_client_request_init_proc client_req_init;
980 preauth_client_request_fini_proc client_req_fini;
981 /* The per-request context which the client_req_init() function
982 * might allocate, which we'll need to clean up later by
983 * calling the client_req_fini() function. */
984 void *request_context;
985 /* A pointer to the request_context pointer. All modules within
986 * a plugin will point at the request_context of the first
987 * module within the plugin. */
988 void **request_context_pp;
990 } krb5_preauth_context;
992 typedef struct _krb5_pa_enc_ts {
993 krb5_timestamp patimestamp;
997 typedef struct _krb5_pa_for_user {
1000 krb5_data auth_package;
1003 typedef struct _krb5_s4u_userid {
1005 krb5_principal user;
1006 krb5_data subject_cert;
1010 #define KRB5_S4U_OPTS_CHECK_LOGON_HOURS 0x40000000 /* check logon hour restrictions */
1011 #define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE 0x20000000 /* sign with usage 27 instead of 26 */
1013 typedef struct _krb5_pa_s4u_x509_user {
1014 krb5_s4u_userid user_id;
1015 krb5_checksum cksum;
1016 } krb5_pa_s4u_x509_user;
1019 KRB5_FAST_ARMOR_AP_REQUEST = 0x1
1022 typedef struct _krb5_fast_armor {
1023 krb5_int32 armor_type;
1024 krb5_data armor_value;
1026 typedef struct _krb5_fast_armored_req {
1028 krb5_fast_armor *armor;
1029 krb5_checksum req_checksum;
1030 krb5_enc_data enc_part;
1031 } krb5_fast_armored_req;
1033 typedef struct _krb5_fast_req {
1035 krb5_flags fast_options;
1036 /* padata from req_body is used*/
1037 krb5_kdc_req *req_body;
1040 /* Bits 0-15 are critical in fast options.*/
1041 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
1042 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
1044 typedef struct _krb5_fast_finished {
1045 krb5_timestamp timestamp;
1047 krb5_principal client;
1048 krb5_checksum ticket_checksum;
1049 } krb5_fast_finished;
1051 typedef struct _krb5_fast_response {
1053 krb5_pa_data **padata;
1054 krb5_keyblock *strengthen_key;
1055 krb5_fast_finished *finished;
1057 } krb5_fast_response;
1059 typedef struct _krb5_ad_kdcissued {
1060 krb5_checksum ad_checksum;
1061 krb5_principal i_principal;
1062 krb5_authdata **elements;
1063 } krb5_ad_kdcissued;
1065 typedef struct _krb5_ad_signedpath_data {
1066 krb5_principal client;
1067 krb5_timestamp authtime;
1068 krb5_principal *delegated;
1069 krb5_pa_data **method_data;
1070 krb5_authdata **authorization_data;
1071 } krb5_ad_signedpath_data;
1073 typedef struct _krb5_ad_signedpath {
1074 krb5_enctype enctype;
1075 krb5_checksum checksum;
1076 krb5_principal *delegated;
1077 krb5_pa_data **method_data;
1078 } krb5_ad_signedpath;
1080 typedef krb5_error_code
1081 (*krb5_preauth_obtain_proc)(krb5_context, krb5_pa_data *,
1082 krb5_etype_info, krb5_keyblock *,
1083 krb5_error_code (*)(krb5_context,
1088 krb5_const_pointer, krb5_creds *,
1089 krb5_kdc_req *, krb5_pa_data **);
1091 typedef krb5_error_code
1092 (*krb5_preauth_process_proc)(krb5_context, krb5_pa_data *, krb5_kdc_req *,
1094 krb5_error_code (*)(krb5_context,
1100 krb5_error_code (*)(krb5_context,
1101 const krb5_keyblock *,
1104 krb5_keyblock **, krb5_creds *, krb5_int32 *,
1107 typedef struct _krb5_preauth_ops {
1111 krb5_preauth_obtain_proc obtain;
1112 krb5_preauth_process_proc process;
1116 krb5_obtain_padata(krb5_context, krb5_pa_data **,
1117 krb5_error_code (*)(krb5_context, const krb5_enctype,
1118 krb5_data *, krb5_const_pointer,
1120 krb5_const_pointer, krb5_creds *, krb5_kdc_req *);
1123 krb5_process_padata(krb5_context, krb5_kdc_req *, krb5_kdc_rep *,
1124 krb5_error_code (*)(krb5_context, const krb5_enctype,
1125 krb5_data *, krb5_const_pointer,
1128 krb5_error_code (*)(krb5_context, const krb5_keyblock *,
1129 krb5_const_pointer, krb5_kdc_rep *),
1130 krb5_keyblock **, krb5_creds *, krb5_int32 *);
1133 krb5int_find_pa_data(krb5_context, krb5_pa_data *const *, krb5_preauthtype);
1134 /* Does not return a copy; original padata sequence responsible for freeing*/
1136 void krb5_free_etype_info(krb5_context, krb5_etype_info);
1139 * Preauthentication property flags
1141 #define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001
1142 #define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002
1144 #endif /* KRB5_PREAUTH__ */
1150 * Extending the krb5_get_init_creds_opt structure. The original
1151 * krb5_get_init_creds_opt structure is defined publicly. The
1152 * new extended version is private. The original interface
1153 * assumed a pre-allocated structure which was passed to
1154 * krb5_get_init_creds_init(). The new interface assumes that
1155 * the caller will call krb5_get_init_creds_alloc() and
1156 * krb5_get_init_creds_free().
1158 * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
1159 * opts structure using krb5_get_init_creds_alloc(). To do so will
1160 * introduce memory leaks. Unfortunately, there is no way to enforce
1163 * Two private flags are added for backward compatibility.
1164 * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1165 * with the new krb5_get_init_creds_opt_alloc() function.
1166 * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1167 * structure is a shadow copy of an original krb5_get_init_creds_opt
1169 * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1170 * krb5int_gic_opt_to_opte(), the resulting extended structure should be
1171 * freed (using krb5_get_init_creds_free). Otherwise, the original
1172 * structure was already extended and there is no need to free it.
1175 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
1176 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
1178 #define krb5_gic_opt_is_extended(s) \
1179 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
1180 #define krb5_gic_opt_is_shadowed(s) \
1181 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
1184 typedef struct _krb5_gic_opt_private {
1185 int num_preauth_data;
1186 krb5_gic_opt_pa_data *preauth_data;
1187 char * fast_ccache_name;
1188 } krb5_gic_opt_private;
1191 * On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
1192 * of krb5_get_init_creds_opt.
1195 # pragma pack(push,2)
1198 typedef struct _krb5_gic_opt_ext {
1200 krb5_deltat tkt_life;
1201 krb5_deltat renew_life;
1204 krb5_enctype *etype_list;
1205 int etype_list_length;
1206 krb5_address **address_list;
1207 krb5_preauthtype *preauth_list;
1208 int preauth_list_length;
1211 * Do not change anything above this point in this structure.
1212 * It is identical to the public krb5_get_init_creds_opt structure.
1213 * New members must be added below.
1215 krb5_gic_opt_private *opt_private;
1223 krb5int_gic_opt_to_opte(krb5_context context, krb5_get_init_creds_opt *opt,
1224 krb5_gic_opt_ext **opte, unsigned int force,
1228 krb5int_copy_data_contents(krb5_context, const krb5_data *, krb5_data *);
1231 krb5int_copy_data_contents_add0(krb5_context, const krb5_data *, krb5_data *);
1234 krb5int_copy_creds_contents(krb5_context, const krb5_creds *, krb5_creds *);
1236 typedef krb5_error_code
1237 (*krb5_gic_get_as_key_fct)(krb5_context, krb5_principal, krb5_enctype,
1238 krb5_prompter_fct, void *prompter_data,
1239 krb5_data *salt, krb5_data *s2kparams,
1240 krb5_keyblock *as_key, void *gak_data);
1242 krb5_error_code KRB5_CALLCONV
1243 krb5int_get_init_creds(krb5_context context, krb5_creds *creds,
1244 krb5_principal client, krb5_prompter_fct prompter,
1245 void *prompter_data, krb5_deltat start_time,
1246 char *in_tkt_service, krb5_get_init_creds_opt *options,
1247 krb5_gic_get_as_key_fct gak, void *gak_data,
1248 int *master, krb5_kdc_rep **as_reply);
1251 krb5int_populate_gic_opt (krb5_context, krb5_get_init_creds_opt **,
1252 krb5_flags options, krb5_address *const *addrs,
1253 krb5_enctype *ktypes,
1254 krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1257 krb5_error_code KRB5_CALLCONV
1258 krb5_do_preauth(krb5_context context, krb5_kdc_req *request,
1259 krb5_data *encoded_request_body,
1260 krb5_data *encoded_previous_request, krb5_pa_data **in_padata,
1261 krb5_pa_data ***out_padata, krb5_data *salt,
1262 krb5_data *s2kparams, krb5_enctype *etype,
1263 krb5_keyblock *as_key, krb5_prompter_fct prompter,
1264 void *prompter_data, krb5_gic_get_as_key_fct gak_fct,
1265 void *gak_data, krb5_preauth_client_rock *get_data_rock,
1266 krb5_gic_opt_ext *opte);
1268 krb5_error_code KRB5_CALLCONV
1269 krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *request,
1270 krb5_data *encoded_request_body,
1271 krb5_data *encoded_previous_request,
1272 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1273 krb5_error *err_reply,
1274 krb5_data *salt, krb5_data *s2kparams,
1275 krb5_enctype *etype, krb5_keyblock *as_key,
1276 krb5_prompter_fct prompter, void *prompter_data,
1277 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1278 krb5_preauth_client_rock *get_data_rock,
1279 krb5_gic_opt_ext *opte);
1281 void KRB5_CALLCONV krb5_init_preauth_context(krb5_context);
1282 void KRB5_CALLCONV krb5_free_preauth_context(krb5_context);
1283 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts(krb5_context);
1284 void KRB5_CALLCONV krb5_preauth_prepare_request(krb5_context,
1287 void KRB5_CALLCONV krb5_preauth_request_context_init(krb5_context);
1288 void KRB5_CALLCONV krb5_preauth_request_context_fini(krb5_context);
1291 krb5_free_sam_challenge(krb5_context, krb5_sam_challenge *);
1294 krb5_free_sam_challenge_2(krb5_context, krb5_sam_challenge_2 *);
1297 krb5_free_sam_challenge_2_body(krb5_context, krb5_sam_challenge_2_body *);
1300 krb5_free_sam_response(krb5_context, krb5_sam_response *);
1303 krb5_free_sam_response_2(krb5_context, krb5_sam_response_2 *);
1306 krb5_free_predicted_sam_response(krb5_context, krb5_predicted_sam_response *);
1309 krb5_free_enc_sam_response_enc(krb5_context, krb5_enc_sam_response_enc *);
1312 krb5_free_enc_sam_response_enc_2(krb5_context, krb5_enc_sam_response_enc_2 *);
1315 krb5_free_sam_challenge_contents(krb5_context, krb5_sam_challenge *);
1318 krb5_free_sam_challenge_2_contents(krb5_context, krb5_sam_challenge_2 *);
1321 krb5_free_sam_challenge_2_body_contents(krb5_context,
1322 krb5_sam_challenge_2_body *);
1325 krb5_free_sam_response_contents(krb5_context, krb5_sam_response *);
1328 krb5_free_sam_response_2_contents(krb5_context, krb5_sam_response_2 *);
1331 krb5_free_predicted_sam_response_contents(krb5_context,
1332 krb5_predicted_sam_response * );
1335 krb5_free_enc_sam_response_enc_contents(krb5_context,
1336 krb5_enc_sam_response_enc * );
1339 krb5_free_enc_sam_response_enc_2_contents(krb5_context,
1340 krb5_enc_sam_response_enc_2 * );
1343 krb5_free_pa_enc_ts(krb5_context, krb5_pa_enc_ts *);
1346 krb5_free_pa_for_user(krb5_context, krb5_pa_for_user *);
1349 krb5_free_s4u_userid_contents(krb5_context, krb5_s4u_userid *);
1352 krb5_free_pa_s4u_x509_user(krb5_context, krb5_pa_s4u_x509_user *);
1355 krb5_free_pa_svr_referral_data(krb5_context, krb5_pa_svr_referral_data *);
1358 krb5_free_pa_server_referral_data(krb5_context,
1359 krb5_pa_server_referral_data * );
1362 krb5_free_pa_pac_req(krb5_context, krb5_pa_pac_req * );
1365 krb5_free_etype_list(krb5_context, krb5_etype_list * );
1367 void KRB5_CALLCONV krb5_free_fast_armor(krb5_context, krb5_fast_armor *);
1368 void KRB5_CALLCONV krb5_free_fast_armored_req(krb5_context,
1369 krb5_fast_armored_req *);
1370 void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *);
1371 void KRB5_CALLCONV krb5_free_fast_finished(krb5_context, krb5_fast_finished *);
1372 void KRB5_CALLCONV krb5_free_fast_response(krb5_context, krb5_fast_response *);
1373 void KRB5_CALLCONV krb5_free_ad_kdcissued(krb5_context, krb5_ad_kdcissued *);
1374 void KRB5_CALLCONV krb5_free_ad_signedpath(krb5_context, krb5_ad_signedpath *);
1376 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1377 #include "com_err.h"
1378 #include "k5-plugin.h"
1380 #include <krb5/authdata_plugin.h>
1382 struct _krb5_authdata_context {
1385 struct _krb5_authdata_context_module {
1386 krb5_authdatatype ad_type;
1387 void *plugin_context;
1388 authdata_client_plugin_fini_proc client_fini;
1390 krb5plugin_authdata_client_ftable_v0 *ftable;
1391 authdata_client_request_init_proc client_req_init;
1392 authdata_client_request_fini_proc client_req_fini;
1394 void *request_context;
1395 void **request_context_pp;
1397 struct plugin_dir_handle plugins;
1400 typedef struct _krb5_authdata_context *krb5_authdata_context;
1403 krb5int_free_data_list(krb5_context context, krb5_data *data);
1405 krb5_error_code KRB5_CALLCONV
1406 krb5_authdata_context_init(krb5_context kcontext,
1407 krb5_authdata_context *pcontext);
1410 krb5_authdata_context_free(krb5_context kcontext,
1411 krb5_authdata_context context);
1413 krb5_error_code KRB5_CALLCONV
1414 krb5_authdata_export_authdata(krb5_context kcontext,
1415 krb5_authdata_context context, krb5_flags usage,
1416 krb5_authdata ***pauthdata);
1418 krb5_error_code KRB5_CALLCONV
1419 krb5_authdata_get_attribute_types(krb5_context kcontext,
1420 krb5_authdata_context context,
1423 krb5_error_code KRB5_CALLCONV
1424 krb5_authdata_get_attribute(krb5_context kcontext,
1425 krb5_authdata_context context,
1426 const krb5_data *attribute,
1427 krb5_boolean *authenticated,
1428 krb5_boolean *complete, krb5_data *value,
1429 krb5_data *display_value, int *more);
1431 krb5_error_code KRB5_CALLCONV
1432 krb5_authdata_set_attribute(krb5_context kcontext,
1433 krb5_authdata_context context,
1434 krb5_boolean complete, const krb5_data *attribute,
1435 const krb5_data *value);
1437 krb5_error_code KRB5_CALLCONV
1438 krb5_authdata_delete_attribute(krb5_context kcontext,
1439 krb5_authdata_context context,
1440 const krb5_data *attribute);
1442 krb5_error_code KRB5_CALLCONV
1443 krb5_authdata_import_attributes(krb5_context kcontext,
1444 krb5_authdata_context context,
1445 krb5_flags usage, const krb5_data *attributes);
1447 krb5_error_code KRB5_CALLCONV
1448 krb5_authdata_export_attributes(krb5_context kcontext,
1449 krb5_authdata_context context,
1450 krb5_flags usage, krb5_data **pattributes);
1452 krb5_error_code KRB5_CALLCONV
1453 krb5_authdata_export_internal(krb5_context kcontext,
1454 krb5_authdata_context context,
1455 krb5_boolean restrict_authenticated,
1456 const char *module, void **ptr);
1458 krb5_error_code KRB5_CALLCONV
1459 krb5_authdata_context_copy(krb5_context kcontext, krb5_authdata_context src,
1460 krb5_authdata_context *dst);
1462 krb5_error_code KRB5_CALLCONV
1463 krb5_authdata_free_internal(krb5_context kcontext,
1464 krb5_authdata_context context, const char *module,
1467 struct _kdb5_dal_handle; /* private, in kdb5.h */
1468 typedef struct _kdb5_dal_handle kdb5_dal_handle;
1469 struct _kdb_log_context;
1470 struct _krb5_context {
1472 krb5_enctype *in_tkt_etypes;
1473 krb5_enctype *tgs_etypes;
1474 struct _krb5_os_context os_context;
1475 char *default_realm;
1477 kdb5_dal_handle *dal_handle;
1480 /* allowable clock skew */
1481 krb5_deltat clockskew;
1482 krb5_cksumtype kdc_req_sumtype;
1483 krb5_cksumtype default_ap_req_sumtype;
1484 krb5_cksumtype default_safe_sumtype;
1485 krb5_flags kdc_default_options;
1486 krb5_flags library_options;
1487 krb5_boolean profile_secure;
1488 int fcc_default_format;
1489 krb5_prompt_type *prompt_types;
1490 /* Message size above which we'll try TCP first in send-to-kdc
1491 type code. Aside from the 2**16 size limit, we put no
1492 absolute limit on the UDP packet size. */
1495 /* Use the config-file ktypes instead of app-specified? */
1496 krb5_boolean use_conf_ktypes;
1498 #ifdef KRB5_DNS_LOOKUP
1499 krb5_boolean profile_in_memory;
1500 #endif /* KRB5_DNS_LOOKUP */
1502 /* locate_kdc module stuff */
1503 struct plugin_dir_handle libkrb5_plugins;
1504 struct krb5plugin_service_locate_ftable *vtbl;
1505 void (**locate_fptrs)(void);
1507 /* preauth module stuff */
1508 struct plugin_dir_handle preauth_plugins;
1509 krb5_preauth_context *preauth_context;
1511 /* error detail info */
1514 /* For Sun iprop code; does this really have to be here? */
1515 struct _kdb_log_context *kdblog_context;
1517 krb5_boolean allow_weak_crypto;
1520 /* could be used in a table to find an etype and initialize a block */
1523 #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
1525 /* internal message representations */
1527 typedef struct _krb5_safe {
1529 krb5_data user_data; /* user data */
1530 krb5_timestamp timestamp; /* client time, optional */
1531 krb5_int32 usec; /* microsecond portion of time,
1533 krb5_ui_4 seq_number; /* sequence #, optional */
1534 krb5_address *s_address; /* sender address */
1535 krb5_address *r_address; /* recipient address, optional */
1536 krb5_checksum *checksum; /* data integrity checksum */
1539 typedef struct _krb5_priv {
1541 krb5_enc_data enc_part; /* encrypted part */
1544 typedef struct _krb5_priv_enc_part {
1546 krb5_data user_data; /* user data */
1547 krb5_timestamp timestamp; /* client time, optional */
1548 krb5_int32 usec; /* microsecond portion of time, opt. */
1549 krb5_ui_4 seq_number; /* sequence #, optional */
1550 krb5_address *s_address; /* sender address */
1551 krb5_address *r_address; /* recipient address, optional */
1552 } krb5_priv_enc_part;
1554 void KRB5_CALLCONV krb5_free_safe(krb5_context, krb5_safe *);
1555 void KRB5_CALLCONV krb5_free_priv(krb5_context, krb5_priv *);
1556 void KRB5_CALLCONV krb5_free_priv_enc_part(krb5_context, krb5_priv_enc_part *);
1564 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1565 /* here we use some knowledge of ASN.1 encodings */
1567 Ticket is APPLICATION 1.
1568 Authenticator is APPLICATION 2.
1569 AS_REQ is APPLICATION 10.
1570 AS_REP is APPLICATION 11.
1571 TGS_REQ is APPLICATION 12.
1572 TGS_REP is APPLICATION 13.
1573 AP_REQ is APPLICATION 14.
1574 AP_REP is APPLICATION 15.
1575 KRB_SAFE is APPLICATION 20.
1576 KRB_PRIV is APPLICATION 21.
1577 KRB_CRED is APPLICATION 22.
1578 EncASRepPart is APPLICATION 25.
1579 EncTGSRepPart is APPLICATION 26.
1580 EncAPRepPart is APPLICATION 27.
1581 EncKrbPrivPart is APPLICATION 28.
1582 EncKrbCredPart is APPLICATION 29.
1583 KRB_ERROR is APPLICATION 30.
1585 /* allow either constructed or primitive encoding, so check for bit 6
1587 #define krb5int_is_app_tag(dat,tag) \
1588 ((dat) && (dat)->length && \
1589 ((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
1590 #define krb5_is_krb_ticket(dat) krb5int_is_app_tag(dat, 1)
1591 #define krb5_is_krb_authenticator(dat) krb5int_is_app_tag(dat, 2)
1592 #define krb5_is_as_req(dat) krb5int_is_app_tag(dat, 10)
1593 #define krb5_is_as_rep(dat) krb5int_is_app_tag(dat, 11)
1594 #define krb5_is_tgs_req(dat) krb5int_is_app_tag(dat, 12)
1595 #define krb5_is_tgs_rep(dat) krb5int_is_app_tag(dat, 13)
1596 #define krb5_is_ap_req(dat) krb5int_is_app_tag(dat, 14)
1597 #define krb5_is_ap_rep(dat) krb5int_is_app_tag(dat, 15)
1598 #define krb5_is_krb_safe(dat) krb5int_is_app_tag(dat, 20)
1599 #define krb5_is_krb_priv(dat) krb5int_is_app_tag(dat, 21)
1600 #define krb5_is_krb_cred(dat) krb5int_is_app_tag(dat, 22)
1601 #define krb5_is_krb_enc_as_rep_part(dat) krb5int_is_app_tag(dat, 25)
1602 #define krb5_is_krb_enc_tgs_rep_part(dat) krb5int_is_app_tag(dat, 26)
1603 #define krb5_is_krb_enc_ap_rep_part(dat) krb5int_is_app_tag(dat, 27)
1604 #define krb5_is_krb_enc_krb_priv_part(dat) krb5int_is_app_tag(dat, 28)
1605 #define krb5_is_krb_enc_krb_cred_part(dat) krb5int_is_app_tag(dat, 29)
1606 #define krb5_is_krb_error(dat) krb5int_is_app_tag(dat, 30)
1608 /*************************************************************************
1609 * Prototypes for krb5_encode.c
1610 *************************************************************************/
1613 krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1616 effects Returns the ASN.1 encoding of *rep in **code.
1617 Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1618 Returns ENOMEM if memory runs out.
1622 encode_krb5_authenticator(const krb5_authenticator *rep, krb5_data **code);
1625 encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
1628 encode_krb5_encryption_key(const krb5_keyblock *rep, krb5_data **code);
1631 encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code);
1634 encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep,
1637 /* yes, the translation is identical to that used for KDC__REP */
1639 encode_krb5_as_rep(const krb5_kdc_rep *rep, krb5_data **code);
1641 /* yes, the translation is identical to that used for KDC__REP */
1643 encode_krb5_tgs_rep(const krb5_kdc_rep *rep, krb5_data **code);
1646 encode_krb5_ap_req(const krb5_ap_req *rep, krb5_data **code);
1649 encode_krb5_ap_rep(const krb5_ap_rep *rep, krb5_data **code);
1652 encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1655 encode_krb5_as_req(const krb5_kdc_req *rep, krb5_data **code);
1658 encode_krb5_tgs_req(const krb5_kdc_req *rep, krb5_data **code);
1661 encode_krb5_kdc_req_body(const krb5_kdc_req *rep, krb5_data **code);
1664 encode_krb5_safe(const krb5_safe *rep, krb5_data **code);
1666 struct krb5_safe_with_body {
1671 encode_krb5_safe_with_body(const struct krb5_safe_with_body *rep,
1675 encode_krb5_priv(const krb5_priv *rep, krb5_data **code);
1678 encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_data **code);
1681 encode_krb5_cred(const krb5_cred *rep, krb5_data **code);
1684 encode_krb5_enc_cred_part(const krb5_cred_enc_part *rep, krb5_data **code);
1687 encode_krb5_error(const krb5_error *rep, krb5_data **code);
1690 encode_krb5_authdata(krb5_authdata *const *rep, krb5_data **code);
1693 encode_krb5_authdata_elt(const krb5_authdata *rep, krb5_data **code);
1696 encode_krb5_pwd_sequence(const passwd_phrase_element *rep, krb5_data **code);
1699 encode_krb5_pwd_data(const krb5_pwd_data *rep, krb5_data **code);
1702 encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
1705 encode_krb5_alt_method(const krb5_alt_method *, krb5_data **code);
1708 encode_krb5_etype_info(krb5_etype_info_entry *const *, krb5_data **code);
1711 encode_krb5_etype_info2(krb5_etype_info_entry *const *, krb5_data **code);
1714 encode_krb5_enc_data(const krb5_enc_data *, krb5_data **);
1717 encode_krb5_pa_enc_ts(const krb5_pa_enc_ts *, krb5_data **);
1720 encode_krb5_sam_challenge(const krb5_sam_challenge * , krb5_data **);
1723 encode_krb5_sam_key(const krb5_sam_key * , krb5_data **);
1726 encode_krb5_enc_sam_response_enc(const krb5_enc_sam_response_enc *,
1730 encode_krb5_sam_response(const krb5_sam_response *, krb5_data **);
1732 #if 0 /* currently not compiled because we never use them */
1734 encode_krb5_sam_challenge_2(const krb5_sam_challenge_2 * , krb5_data **);
1737 encode_krb5_sam_challenge_2_body(const krb5_sam_challenge_2_body *,
1742 encode_krb5_enc_sam_response_enc_2(const krb5_enc_sam_response_enc_2 *,
1746 encode_krb5_sam_response_2(const krb5_sam_response_2 * , krb5_data **);
1749 encode_krb5_predicted_sam_response(const krb5_predicted_sam_response *,
1752 struct krb5_setpw_req {
1753 krb5_principal target;
1757 encode_krb5_setpw_req(const struct krb5_setpw_req *rep, krb5_data **code);
1760 encode_krb5_pa_for_user(const krb5_pa_for_user *, krb5_data **);
1763 encode_krb5_s4u_userid(const krb5_s4u_userid *, krb5_data **);
1766 encode_krb5_pa_s4u_x509_user(const krb5_pa_s4u_x509_user *, krb5_data **);
1769 encode_krb5_pa_svr_referral_data(const krb5_pa_svr_referral_data *,
1773 encode_krb5_pa_server_referral_data(const krb5_pa_server_referral_data *,
1777 encode_krb5_pa_pac_req(const krb5_pa_pac_req *, krb5_data **);
1780 encode_krb5_etype_list(const krb5_etype_list * , krb5_data **);
1783 encode_krb5_pa_fx_fast_request(const krb5_fast_armored_req *, krb5_data **);
1786 encode_krb5_fast_req(const krb5_fast_req *, krb5_data **);
1789 encode_krb5_pa_fx_fast_reply(const krb5_enc_data *, krb5_data **);
1792 encode_krb5_fast_response(const krb5_fast_response *, krb5_data **);
1795 encode_krb5_ad_kdcissued(const krb5_ad_kdcissued *, krb5_data **);
1798 encode_krb5_ad_signedpath(const krb5_ad_signedpath *, krb5_data **);
1801 encode_krb5_ad_signedpath_data(const krb5_ad_signedpath_data *, krb5_data **);
1803 /*************************************************************************
1804 * End of prototypes for krb5_encode.c
1805 *************************************************************************/
1808 decode_krb5_sam_challenge(const krb5_data *, krb5_sam_challenge **);
1811 decode_krb5_enc_sam_key(const krb5_data *, krb5_sam_key **);
1814 decode_krb5_enc_sam_response_enc(const krb5_data *,
1815 krb5_enc_sam_response_enc **);
1818 decode_krb5_sam_response(const krb5_data *, krb5_sam_response **);
1821 decode_krb5_predicted_sam_response(const krb5_data *,
1822 krb5_predicted_sam_response **);
1825 decode_krb5_sam_challenge_2(const krb5_data *, krb5_sam_challenge_2 **);
1828 decode_krb5_sam_challenge_2_body(const krb5_data *,
1829 krb5_sam_challenge_2_body **);
1832 decode_krb5_enc_sam_response_enc_2(const krb5_data *,
1833 krb5_enc_sam_response_enc_2 **);
1836 decode_krb5_sam_response_2(const krb5_data *, krb5_sam_response_2 **);
1839 /*************************************************************************
1840 * Prototypes for krb5_decode.c
1841 *************************************************************************/
1844 krb5_validate_times(krb5_context, krb5_ticket_times *);
1847 krb5_error_code decode_krb5_structure(const krb5_data *code,
1848 krb5_structure **rep);
1850 requires Expects **rep to not have been allocated;
1851 a new *rep is allocated regardless of the old value.
1852 effects Decodes *code into **rep.
1853 Returns ENOMEM if memory is exhausted.
1854 Returns asn1 and krb5 errors.
1858 decode_krb5_authenticator(const krb5_data *code, krb5_authenticator **rep);
1861 decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep);
1864 decode_krb5_encryption_key(const krb5_data *output, krb5_keyblock **rep);
1867 decode_krb5_enc_tkt_part(const krb5_data *output, krb5_enc_tkt_part **rep);
1870 decode_krb5_enc_kdc_rep_part(const krb5_data *output,
1871 krb5_enc_kdc_rep_part **rep);
1874 decode_krb5_as_rep(const krb5_data *output, krb5_kdc_rep **rep);
1877 decode_krb5_tgs_rep(const krb5_data *output, krb5_kdc_rep **rep);
1880 decode_krb5_ap_req(const krb5_data *output, krb5_ap_req **rep);
1883 decode_krb5_ap_rep(const krb5_data *output, krb5_ap_rep **rep);
1886 decode_krb5_ap_rep_enc_part(const krb5_data *output,
1887 krb5_ap_rep_enc_part **rep);
1890 decode_krb5_as_req(const krb5_data *output, krb5_kdc_req **rep);
1893 decode_krb5_tgs_req(const krb5_data *output, krb5_kdc_req **rep);
1896 decode_krb5_kdc_req_body(const krb5_data *output, krb5_kdc_req **rep);
1899 decode_krb5_safe(const krb5_data *output, krb5_safe **rep);
1902 decode_krb5_safe_with_body(const krb5_data *output, krb5_safe **rep,
1906 decode_krb5_priv(const krb5_data *output, krb5_priv **rep);
1909 decode_krb5_enc_priv_part(const krb5_data *output, krb5_priv_enc_part **rep);
1912 decode_krb5_cred(const krb5_data *output, krb5_cred **rep);
1915 decode_krb5_enc_cred_part(const krb5_data *output, krb5_cred_enc_part **rep);
1918 decode_krb5_error(const krb5_data *output, krb5_error **rep);
1921 decode_krb5_authdata(const krb5_data *output, krb5_authdata ***rep);
1924 decode_krb5_pwd_sequence(const krb5_data *output, passwd_phrase_element **rep);
1927 decode_krb5_pwd_data(const krb5_data *output, krb5_pwd_data **rep);
1930 decode_krb5_padata_sequence(const krb5_data *output, krb5_pa_data ***rep);
1933 decode_krb5_alt_method(const krb5_data *output, krb5_alt_method **rep);
1936 decode_krb5_etype_info(const krb5_data *output, krb5_etype_info_entry ***rep);
1939 decode_krb5_etype_info2(const krb5_data *output, krb5_etype_info_entry ***rep);
1942 decode_krb5_enc_data(const krb5_data *output, krb5_enc_data **rep);
1945 decode_krb5_pa_enc_ts(const krb5_data *output, krb5_pa_enc_ts **rep);
1948 decode_krb5_sam_key(const krb5_data *, krb5_sam_key **);
1951 decode_krb5_setpw_req(const krb5_data *, krb5_data **, krb5_principal *);
1954 decode_krb5_pa_for_user(const krb5_data *, krb5_pa_for_user **);
1957 decode_krb5_pa_s4u_x509_user(const krb5_data *, krb5_pa_s4u_x509_user **);
1960 decode_krb5_pa_svr_referral_data(const krb5_data *,
1961 krb5_pa_svr_referral_data **);
1964 decode_krb5_pa_server_referral_data(const krb5_data *,
1965 krb5_pa_server_referral_data **);
1968 decode_krb5_pa_pac_req(const krb5_data *, krb5_pa_pac_req **);
1971 decode_krb5_etype_list(const krb5_data *, krb5_etype_list **);
1974 decode_krb5_pa_fx_fast_request(const krb5_data *, krb5_fast_armored_req **);
1977 decode_krb5_fast_req(const krb5_data *, krb5_fast_req **);
1980 decode_krb5_pa_fx_fast_reply(const krb5_data *, krb5_enc_data **);
1983 decode_krb5_fast_response(const krb5_data *, krb5_fast_response **);
1986 decode_krb5_ad_kdcissued(const krb5_data *, krb5_ad_kdcissued **);
1989 decode_krb5_ad_signedpath(const krb5_data *, krb5_ad_signedpath **);
1991 struct _krb5_key_data; /* kdb.h */
1993 struct ldap_seqof_key_data {
1994 krb5_int32 mkvno; /* Master key version number */
1995 struct _krb5_key_data *key_data;
1996 krb5_int16 n_key_data;
1998 typedef struct ldap_seqof_key_data ldap_seqof_key_data;
2001 krb5int_ldap_encode_sequence_of_keys(const ldap_seqof_key_data *val,
2005 krb5int_ldap_decode_sequence_of_keys(krb5_data *in,
2006 ldap_seqof_key_data **rep);
2008 /*************************************************************************
2009 * End of prototypes for krb5_decode.c
2010 *************************************************************************/
2012 #endif /* KRB5_ASN1__ */
2019 * Internal krb5 library routines
2022 krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
2025 krb5_encode_kdc_rep(krb5_context, krb5_msgtype, const krb5_enc_kdc_rep_part *,
2026 int using_subkey, const krb5_keyblock *, krb5_kdc_rep *,
2030 krb5int_auth_con_chkseqnum(krb5_context ctx, krb5_auth_context ac,
2033 * [De]Serialization Handle and operations.
2035 struct __krb5_serializer {
2037 krb5_error_code (*sizer) (krb5_context,
2040 krb5_error_code (*externalizer) (krb5_context,
2044 krb5_error_code (*internalizer) (krb5_context,
2049 typedef const struct __krb5_serializer * krb5_ser_handle;
2050 typedef struct __krb5_serializer krb5_ser_entry;
2052 krb5_ser_handle krb5_find_serializer(krb5_context, krb5_magic);
2053 krb5_error_code krb5_register_serializer(krb5_context, const krb5_ser_entry *);
2055 /* Determine the external size of a particular opaque structure */
2056 krb5_error_code KRB5_CALLCONV
2057 krb5_size_opaque(krb5_context, krb5_magic, krb5_pointer, size_t *);
2059 /* Serialize the structure into a buffer */
2060 krb5_error_code KRB5_CALLCONV
2061 krb5_externalize_opaque(krb5_context, krb5_magic, krb5_pointer, krb5_octet **,
2064 /* Deserialize the structure from a buffer */
2065 krb5_error_code KRB5_CALLCONV
2066 krb5_internalize_opaque(krb5_context, krb5_magic, krb5_pointer *,
2067 krb5_octet **, size_t *);
2069 /* Serialize data into a buffer */
2071 krb5_externalize_data(krb5_context, krb5_pointer, krb5_octet **, size_t *);
2073 * Initialization routines.
2076 /* Initialize serialization for krb5_[os_]context */
2077 krb5_error_code KRB5_CALLCONV krb5_ser_context_init(krb5_context);
2079 /* Initialize serialization for krb5_auth_context */
2080 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init(krb5_context);
2082 /* Initialize serialization for krb5_keytab */
2083 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init(krb5_context);
2085 /* Initialize serialization for krb5_ccache */
2086 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init(krb5_context);
2088 /* Initialize serialization for krb5_rcache */
2089 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init(krb5_context);
2091 /* [De]serialize 4-byte integer */
2092 krb5_error_code KRB5_CALLCONV
2093 krb5_ser_pack_int32(krb5_int32, krb5_octet **, size_t *);
2095 krb5_error_code KRB5_CALLCONV
2096 krb5_ser_unpack_int32(krb5_int32 *, krb5_octet **, size_t *);
2098 /* [De]serialize 8-byte integer */
2099 krb5_error_code KRB5_CALLCONV
2100 krb5_ser_pack_int64(krb5_int64, krb5_octet **, size_t *);
2102 krb5_error_code KRB5_CALLCONV
2103 krb5_ser_unpack_int64(krb5_int64 *, krb5_octet **, size_t *);
2105 /* [De]serialize byte string */
2106 krb5_error_code KRB5_CALLCONV
2107 krb5_ser_pack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
2109 krb5_error_code KRB5_CALLCONV
2110 krb5_ser_unpack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
2112 krb5_error_code KRB5_CALLCONV
2113 krb5int_cc_default(krb5_context, krb5_ccache *);
2115 krb5_error_code KRB5_CALLCONV
2116 krb5_cc_retrieve_cred_default(krb5_context, krb5_ccache, krb5_flags,
2117 krb5_creds *, krb5_creds *);
2119 krb5_boolean KRB5_CALLCONV
2120 krb5_creds_compare(krb5_context in_context, krb5_creds *in_creds,
2121 krb5_creds *in_compare_creds);
2124 krb5int_set_prompt_types(krb5_context, krb5_prompt_type *);
2127 krb5int_generate_and_save_subkey(krb5_context, krb5_auth_context,
2128 krb5_keyblock * /* Old keyblock, not new! */,
2131 /* set and change password helpers */
2134 krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context,
2135 krb5_data *ap_req, char *passwd, krb5_data *packet);
2138 krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
2139 krb5_data *packet, int *result_code,
2140 krb5_data *result_data);
2142 krb5_error_code KRB5_CALLCONV
2143 krb5_chpw_result_code_string(krb5_context context, int result_code,
2144 char **result_codestr);
2147 krb5int_mk_setpw_req(krb5_context context, krb5_auth_context auth_context,
2148 krb5_data *ap_req, krb5_principal targetprinc,
2149 char *passwd, krb5_data *packet);
2152 krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
2153 krb5_data *packet, int *result_code,
2154 krb5_data *result_data);
2157 krb5int_setpw_result_code_string(krb5_context context, int result_code,
2158 const char **result_codestr);
2160 struct srv_dns_entry {
2161 struct srv_dns_entry *next;
2164 unsigned short port;
2167 #ifdef KRB5_DNS_LOOKUP
2169 krb5int_make_srv_query_realm(const krb5_data *realm,
2170 const char *service,
2171 const char *protocol,
2172 struct srv_dns_entry **answers);
2173 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2176 /* value to use when requesting a keytab entry and KVNO doesn't matter */
2177 #define IGNORE_VNO 0
2178 /* value to use when requesting a keytab entry and enctype doesn't matter */
2179 #define IGNORE_ENCTYPE 0
2182 * Convenience function for structure magic number
2184 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
2185 if ((structure)->magic != (magic_number)) return (magic_number);
2187 /* to keep lint happy */
2188 #define krb5_xfree(val) free((char *)(val))
2190 /* To keep happy libraries which are (for now) accessing internal stuff */
2192 /* Make sure to increment by one when changing the struct */
2193 #define KRB5INT_ACCESS_STRUCT_VERSION 16
2196 struct ktext; /* from krb.h, for krb524 support */
2198 typedef struct _krb5int_access {
2200 krb5_error_code (*arcfour_gsscrypt)(const krb5_keyblock *keyblock,
2201 krb5_keyusage usage,
2202 const krb5_data *kd_data,
2203 krb5_crypto_iov *data,
2206 krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
2209 /* service location and communication */
2210 krb5_error_code (*sendto_udp)(krb5_context, const krb5_data *msg,
2211 const struct addrlist *,
2212 struct sendto_callback_info *,
2213 krb5_data *reply, struct sockaddr *,
2214 socklen_t *, struct sockaddr *,
2216 int (*msg_handler)(krb5_context,
2219 void *msg_handler_data);
2220 krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2221 const char *hostname,
2222 int port, int secport,
2223 int socktype, int family);
2224 void (*free_addrlist)(struct addrlist *);
2226 krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2227 const char *service,
2228 const char *protocol,
2229 struct srv_dns_entry **answers);
2230 void (*free_srv_dns_data)(struct srv_dns_entry *);
2231 int (*use_dns_kdc)(krb5_context);
2232 krb5_error_code (*clean_hostname)(krb5_context, const char *, char *,
2235 krb5_error_code (*mandatory_cksumtype)(krb5_context, krb5_enctype,
2237 krb5_error_code (KRB5_CALLCONV *ser_pack_int64)(krb5_int64, krb5_octet **,
2239 krb5_error_code (KRB5_CALLCONV *ser_unpack_int64)(krb5_int64 *,
2240 krb5_octet **, size_t *);
2242 /* Used for KDB LDAP back end. */
2244 (*asn1_ldap_encode_sequence_of_keys)(const ldap_seqof_key_data *val,
2248 (*asn1_ldap_decode_sequence_of_keys)(krb5_data *in,
2249 ldap_seqof_key_data **);
2251 /* Used for encrypted challenge fast factor*/
2252 krb5_error_code (*encode_enc_data)(const krb5_enc_data *, krb5_data **);
2253 krb5_error_code (*decode_enc_data)(const krb5_data *, krb5_enc_data **);
2254 void (*free_enc_data)(krb5_context, krb5_enc_data *);
2255 krb5_error_code (*encode_enc_ts)(const krb5_pa_enc_ts *, krb5_data **);
2256 krb5_error_code (*decode_enc_ts)(const krb5_data *, krb5_pa_enc_ts **);
2257 void (*free_enc_ts)(krb5_context, krb5_pa_enc_ts *);
2259 (*encrypt_helper)(krb5_context, const krb5_keyblock *, krb5_keyusage,
2260 const krb5_data *, krb5_enc_data *);
2263 * pkinit asn.1 encode/decode functions
2266 (*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code);
2269 (*encode_krb5_auth_pack_draft9)(const krb5_auth_pack_draft9 *rep,
2273 (*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep,
2277 (*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep,
2281 (*encode_krb5_pa_pk_as_rep_draft9)(const krb5_pa_pk_as_rep_draft9 *rep,
2285 (*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep,
2289 (*encode_krb5_pa_pk_as_req_draft9)(const krb5_pa_pk_as_req_draft9 *rep,
2293 (*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *,
2297 (*encode_krb5_reply_key_pack_draft9)(const krb5_reply_key_pack_draft9 *,
2301 (*encode_krb5_td_dh_parameters)(const krb5_algorithm_identifier **,
2305 (*encode_krb5_td_trusted_certifiers)(const
2306 krb5_external_principal_identifier **,
2310 (*encode_krb5_typed_data)(const krb5_typed_data **, krb5_data **code);
2313 (*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
2316 (*decode_krb5_auth_pack_draft9)(const krb5_data *,
2317 krb5_auth_pack_draft9 **);
2320 (*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **);
2323 (*decode_krb5_pa_pk_as_req_draft9)(const krb5_data *,
2324 krb5_pa_pk_as_req_draft9 **);
2327 (*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
2330 (*decode_krb5_pa_pk_as_rep_draft9)(const krb5_data *,
2331 krb5_pa_pk_as_rep_draft9 **);
2334 (*decode_krb5_kdc_dh_key_info)(const krb5_data *, krb5_kdc_dh_key_info **);
2337 (*decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **);
2340 (*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **);
2343 (*decode_krb5_reply_key_pack_draft9)(const krb5_data *,
2344 krb5_reply_key_pack_draft9 **);
2347 (*decode_krb5_td_dh_parameters)(const krb5_data *,
2348 krb5_algorithm_identifier ***);
2351 (*decode_krb5_td_trusted_certifiers)(const krb5_data *,
2352 krb5_external_principal_identifier
2356 (*decode_krb5_typed_data)(const krb5_data *, krb5_typed_data ***);
2359 (*decode_krb5_as_req)(const krb5_data *output, krb5_kdc_req **rep);
2362 (*encode_krb5_kdc_req_body)(const krb5_kdc_req *rep, krb5_data **code);
2365 (KRB5_CALLCONV *free_kdc_req)(krb5_context, krb5_kdc_req * );
2367 (*set_prompt_types)(krb5_context, krb5_prompt_type *);
2370 (*encode_krb5_authdata_elt)(const krb5_authdata *rep, krb5_data **code);
2372 /* Exported for testing only! */
2374 (*encode_krb5_sam_response_2)(const krb5_sam_response_2 *rep,
2377 (*encode_krb5_enc_sam_response_enc_2)(const
2378 krb5_enc_sam_response_enc_2 *rep,
2382 #define KRB5INT_ACCESS_VERSION \
2383 (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2384 (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2386 krb5_error_code KRB5_CALLCONV
2387 krb5int_accessor(krb5int_access*, krb5_int32);
2389 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2390 because AFS (and potentially other applications?) use the krb4
2391 object as an opaque token, which (in some implementations) is not
2392 in fact a krb4 ticket, so we don't want to drag in the krb4 support
2393 just to enable this. */
2395 #define KRB524_SERVICE "krb524"
2396 #define KRB524_PORT 4444
2398 /* temporary -- this should be under lib/krb5/ccache somewhere */
2400 struct _krb5_ccache {
2402 const struct _krb5_cc_ops *ops;
2407 * Per-type ccache cursor.
2409 struct krb5_cc_ptcursor_s {
2410 const struct _krb5_cc_ops *ops;
2413 typedef struct krb5_cc_ptcursor_s *krb5_cc_ptcursor;
2415 struct _krb5_cc_ops {
2418 const char * (KRB5_CALLCONV *get_name)(krb5_context, krb5_ccache);
2419 krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, krb5_ccache *,
2421 krb5_error_code (KRB5_CALLCONV *gen_new)(krb5_context, krb5_ccache *);
2422 krb5_error_code (KRB5_CALLCONV *init)(krb5_context, krb5_ccache,
2424 krb5_error_code (KRB5_CALLCONV *destroy)(krb5_context, krb5_ccache);
2425 krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_ccache);
2426 krb5_error_code (KRB5_CALLCONV *store)(krb5_context, krb5_ccache,
2428 krb5_error_code (KRB5_CALLCONV *retrieve)(krb5_context, krb5_ccache,
2429 krb5_flags, krb5_creds *,
2431 krb5_error_code (KRB5_CALLCONV *get_princ)(krb5_context, krb5_ccache,
2433 krb5_error_code (KRB5_CALLCONV *get_first)(krb5_context, krb5_ccache,
2435 krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_ccache,
2436 krb5_cc_cursor *, krb5_creds *);
2437 krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_ccache,
2439 krb5_error_code (KRB5_CALLCONV *remove_cred)(krb5_context, krb5_ccache,
2440 krb5_flags, krb5_creds *);
2441 krb5_error_code (KRB5_CALLCONV *set_flags)(krb5_context, krb5_ccache,
2443 krb5_error_code (KRB5_CALLCONV *get_flags)(krb5_context, krb5_ccache,
2445 krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2446 krb5_cc_ptcursor *);
2447 krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2450 krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2451 krb5_cc_ptcursor *);
2452 krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
2454 krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2455 krb5_ccache, krb5_timestamp *);
2456 krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2458 krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
2459 krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
2462 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2465 krb5int_cc_os_default_name(krb5_context context, char **name);
2467 typedef struct _krb5_donot_replay {
2470 char *server; /* null-terminated */
2471 char *client; /* null-terminated */
2472 char *msghash; /* null-terminated */
2474 krb5_timestamp ctime;
2475 } krb5_donot_replay;
2477 krb5_error_code krb5_rc_default(krb5_context, krb5_rcache *);
2478 krb5_error_code krb5_rc_resolve_type(krb5_context, krb5_rcache *,char *);
2479 krb5_error_code krb5_rc_resolve_full(krb5_context, krb5_rcache *,char *);
2480 char *krb5_rc_get_type(krb5_context, krb5_rcache);
2481 char *krb5_rc_default_type(krb5_context);
2482 char *krb5_rc_default_name(krb5_context);
2483 krb5_error_code krb5_auth_to_rep(krb5_context, krb5_tkt_authent *,
2484 krb5_donot_replay *);
2485 krb5_error_code krb5_rc_hash_message(krb5_context context,
2486 const krb5_data *message, char **out);
2488 krb5_error_code KRB5_CALLCONV
2489 krb5_rc_initialize(krb5_context, krb5_rcache, krb5_deltat);
2491 krb5_error_code KRB5_CALLCONV
2492 krb5_rc_recover_or_initialize(krb5_context, krb5_rcache,krb5_deltat);
2494 krb5_error_code KRB5_CALLCONV
2495 krb5_rc_recover(krb5_context, krb5_rcache);
2497 krb5_error_code KRB5_CALLCONV
2498 krb5_rc_destroy(krb5_context, krb5_rcache);
2500 krb5_error_code KRB5_CALLCONV
2501 krb5_rc_close(krb5_context, krb5_rcache);
2503 krb5_error_code KRB5_CALLCONV
2504 krb5_rc_store(krb5_context, krb5_rcache, krb5_donot_replay *);
2506 krb5_error_code KRB5_CALLCONV
2507 krb5_rc_expunge(krb5_context, krb5_rcache);
2509 krb5_error_code KRB5_CALLCONV
2510 krb5_rc_get_lifespan(krb5_context, krb5_rcache,krb5_deltat *);
2513 krb5_rc_get_name(krb5_context, krb5_rcache);
2515 krb5_error_code KRB5_CALLCONV
2516 krb5_rc_resolve(krb5_context, krb5_rcache, char *);
2519 * This structure was exposed and used in macros in krb5 1.2, so do not
2522 typedef struct _krb5_kt_ops {
2526 /* routines always present */
2527 krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, const char *,
2529 krb5_error_code (KRB5_CALLCONV *get_name)(krb5_context, krb5_keytab,
2530 char *, unsigned int);
2531 krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_keytab);
2532 krb5_error_code (KRB5_CALLCONV *get)(krb5_context, krb5_keytab,
2533 krb5_const_principal, krb5_kvno,
2534 krb5_enctype, krb5_keytab_entry *);
2535 krb5_error_code (KRB5_CALLCONV *start_seq_get)(krb5_context, krb5_keytab,
2537 krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_keytab,
2538 krb5_keytab_entry *,
2540 krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_keytab,
2542 /* routines to be included on extended version (write routines) */
2543 krb5_error_code (KRB5_CALLCONV *add)(krb5_context, krb5_keytab,
2544 krb5_keytab_entry *);
2545 krb5_error_code (KRB5_CALLCONV *remove)(krb5_context, krb5_keytab,
2546 krb5_keytab_entry *);
2548 /* Handle for serializer */
2549 const krb5_ser_entry *serializer;
2552 extern const krb5_kt_ops krb5_kt_dfl_ops;
2554 extern krb5_error_code krb5int_translate_gai_error(int);
2556 /* Not sure it's ready for exposure just yet. */
2557 extern krb5_error_code
2558 krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
2560 extern int krb5int_crypto_init (void);
2561 extern int krb5int_prng_init(void);
2564 * Referral definitions, debugging hooks, and subfunctions.
2566 #define KRB5_REFERRAL_MAXHOPS 10
2567 /* #define DEBUG_REFERRALS */
2569 #ifdef DEBUG_REFERRALS
2570 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2573 /* Common hostname-parsing code. */
2574 krb5_error_code KRB5_CALLCONV
2575 krb5int_clean_hostname(krb5_context, const char *, char *, size_t);
2578 krb5int_aes_encrypt(krb5_key key, const krb5_data *ivec,
2579 const krb5_data *input, krb5_data *output);
2581 krb5int_aes_decrypt(krb5_key key, const krb5_data *ivec,
2582 const krb5_data *input, krb5_data *output);
2584 struct _krb5_kt { /* should move into k5-int.h */
2586 const struct _krb5_kt_ops *ops;
2590 krb5_error_code krb5_set_default_in_tkt_ktypes(krb5_context,
2591 const krb5_enctype *);
2593 krb5_error_code krb5_get_default_in_tkt_ktypes(krb5_context, krb5_enctype **);
2595 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context,
2596 const krb5_enctype *);
2598 krb5_error_code KRB5_CALLCONV
2599 krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
2601 void KRB5_CALLCONV krb5_free_ktypes(krb5_context, krb5_enctype *);
2603 krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
2607 krb5_enctype *etype;
2608 krb5_boolean *etype_ok;
2609 krb5_int32 etype_count;
2610 } krb5_etypes_permitted;
2612 krb5_boolean krb5_is_permitted_enctype_ext(krb5_context,
2613 krb5_etypes_permitted *);
2615 krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
2617 krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
2618 krb5_const_pointer, krb5_kdc_rep *);
2619 krb5_error_code KRB5_CALLCONV krb5_decrypt_tkt_part(krb5_context,
2620 const krb5_keyblock *,
2622 krb5_error_code krb5_get_cred_from_kdc(krb5_context, krb5_ccache,
2623 krb5_creds *, krb5_creds **,
2625 krb5_error_code krb5_get_cred_from_kdc_validate(krb5_context, krb5_ccache,
2626 krb5_creds *, krb5_creds **,
2628 krb5_error_code krb5_get_cred_from_kdc_renew(krb5_context, krb5_ccache,
2629 krb5_creds *, krb5_creds **,
2632 krb5_error_code krb5_get_cred_via_tkt(krb5_context, krb5_creds *, krb5_flags,
2633 krb5_address *const *, krb5_creds *,
2636 krb5_error_code KRB5_CALLCONV krb5_copy_addr(krb5_context,
2637 const krb5_address *,
2640 void krb5_init_ets(krb5_context);
2641 void krb5_free_ets(krb5_context);
2642 krb5_error_code krb5_generate_subkey(krb5_context, const krb5_keyblock *,
2644 krb5_error_code krb5_generate_subkey_extended(krb5_context,
2645 const krb5_keyblock *,
2646 krb5_enctype, krb5_keyblock **);
2647 krb5_error_code krb5_generate_seq_number(krb5_context, const krb5_keyblock *,
2650 krb5_error_code KRB5_CALLCONV krb5_kt_register(krb5_context,
2651 const struct _krb5_kt_ops *);
2653 /* use krb5_free_keytab_entry_contents instead */
2654 krb5_error_code KRB5_CALLCONV krb5_kt_free_entry(krb5_context,
2655 krb5_keytab_entry * );
2657 krb5_error_code krb5_principal2salt_norealm(krb5_context, krb5_const_principal,
2660 unsigned int KRB5_CALLCONV krb5_get_notification_message(void);
2663 krb5_error_code krb5_check_transited_list(krb5_context, const krb5_data *trans,
2664 const krb5_data *realm1,
2665 const krb5_data *realm2);
2668 void krb5_free_realm_tree(krb5_context, krb5_principal *);
2670 void KRB5_CALLCONV krb5_free_authenticator_contents(krb5_context,
2671 krb5_authenticator *);
2673 void KRB5_CALLCONV krb5_free_address(krb5_context, krb5_address *);
2675 void KRB5_CALLCONV krb5_free_enc_tkt_part(krb5_context, krb5_enc_tkt_part *);
2677 void KRB5_CALLCONV krb5_free_tickets(krb5_context, krb5_ticket **);
2678 void KRB5_CALLCONV krb5_free_kdc_req(krb5_context, krb5_kdc_req *);
2679 void KRB5_CALLCONV krb5_free_kdc_rep(krb5_context, krb5_kdc_rep *);
2680 void KRB5_CALLCONV krb5_free_last_req(krb5_context, krb5_last_req_entry **);
2681 void KRB5_CALLCONV krb5_free_enc_kdc_rep_part(krb5_context,
2682 krb5_enc_kdc_rep_part *);
2683 void KRB5_CALLCONV krb5_free_ap_req(krb5_context, krb5_ap_req *);
2684 void KRB5_CALLCONV krb5_free_ap_rep(krb5_context, krb5_ap_rep *);
2685 void KRB5_CALLCONV krb5_free_cred(krb5_context, krb5_cred *);
2686 void KRB5_CALLCONV krb5_free_cred_enc_part(krb5_context, krb5_cred_enc_part *);
2687 void KRB5_CALLCONV krb5_free_pa_data(krb5_context, krb5_pa_data **);
2688 void KRB5_CALLCONV krb5_free_tkt_authent(krb5_context, krb5_tkt_authent *);
2689 void KRB5_CALLCONV krb5_free_pwd_data(krb5_context, krb5_pwd_data *);
2690 void KRB5_CALLCONV krb5_free_pwd_sequences(krb5_context,
2691 passwd_phrase_element **);
2692 void KRB5_CALLCONV krb5_free_passwd_phrase_element(krb5_context,
2693 passwd_phrase_element *);
2694 void KRB5_CALLCONV krb5_free_alt_method(krb5_context, krb5_alt_method *);
2695 void KRB5_CALLCONV krb5_free_enc_data(krb5_context, krb5_enc_data *);
2696 krb5_error_code krb5_set_config_files(krb5_context, const char **);
2698 krb5_error_code KRB5_CALLCONV krb5_get_default_config_files(char ***filenames);
2700 void KRB5_CALLCONV krb5_free_config_files(char **filenames);
2702 krb5_error_code krb5int_find_authdata(krb5_context context,
2703 krb5_authdata *const *ticket_authdata,
2704 krb5_authdata *const *ap_req_authdata,
2705 krb5_authdatatype ad_type,
2706 krb5_authdata ***results);
2708 krb5_error_code krb5_rd_req_decoded(krb5_context, krb5_auth_context *,
2709 const krb5_ap_req *, krb5_const_principal,
2710 krb5_keytab, krb5_flags *, krb5_ticket **);
2712 krb5_error_code krb5_rd_req_decoded_anyflag(krb5_context, krb5_auth_context *,
2713 const krb5_ap_req *,
2714 krb5_const_principal, krb5_keytab,
2715 krb5_flags *, krb5_ticket **);
2717 krb5_error_code KRB5_CALLCONV
2718 krb5_cc_register(krb5_context, const krb5_cc_ops *, krb5_boolean );
2720 krb5_error_code krb5_walk_realm_tree(krb5_context, const krb5_data *,
2721 const krb5_data *, krb5_principal **,
2725 krb5_auth_con_set_safe_cksumtype(krb5_context, krb5_auth_context,
2728 krb5_error_code krb5_auth_con_setivector(krb5_context, krb5_auth_context,
2731 krb5_error_code krb5_auth_con_getivector(krb5_context, krb5_auth_context,
2734 krb5_error_code krb5_auth_con_setpermetypes(krb5_context, krb5_auth_context,
2735 const krb5_enctype *);
2737 krb5_error_code krb5_auth_con_getpermetypes(krb5_context, krb5_auth_context,
2740 krb5_error_code krb5_auth_con_get_subkey_enctype(krb5_context context,
2745 krb5_auth_con_get_authdata_context(krb5_context context,
2746 krb5_auth_context auth_context,
2747 krb5_authdata_context *ad_context);
2750 krb5_auth_con_set_authdata_context(krb5_context context,
2751 krb5_auth_context auth_context,
2752 krb5_authdata_context ad_context);
2754 krb5_error_code KRB5_CALLCONV
2755 krb5int_server_decrypt_ticket_keyblock(krb5_context context,
2756 const krb5_keyblock *key,
2757 krb5_ticket *ticket);
2759 krb5_error_code krb5_read_message(krb5_context, krb5_pointer, krb5_data *);
2760 krb5_error_code krb5_write_message(krb5_context, krb5_pointer, krb5_data *);
2761 krb5_error_code krb5int_write_messages(krb5_context, krb5_pointer, krb5_data *,
2763 int krb5_net_read(krb5_context, int , char *, int);
2764 int krb5_net_write(krb5_context, int , const char *, int);
2766 krb5_error_code KRB5_CALLCONV krb5_get_realm_domain(krb5_context,
2767 const char *, char ** );
2769 krb5_error_code krb5_gen_portaddr(krb5_context, const krb5_address *,
2770 krb5_const_pointer, krb5_address **);
2772 krb5_error_code krb5_gen_replay_name(krb5_context, const krb5_address *,
2773 const char *, char **);
2774 krb5_error_code krb5_make_fulladdr(krb5_context, krb5_address *,
2775 krb5_address *, krb5_address *);
2777 krb5_error_code krb5_set_debugging_time(krb5_context, krb5_timestamp,
2779 krb5_error_code krb5_use_natural_time(krb5_context);
2780 krb5_error_code krb5_set_time_offsets(krb5_context, krb5_timestamp,
2782 krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
2784 * The realm iterator functions
2787 krb5_error_code KRB5_CALLCONV
2788 krb5_realm_iterator_create(krb5_context context, void **iter_p);
2790 krb5_error_code KRB5_CALLCONV
2791 krb5_realm_iterator(krb5_context context, void **iter_p, char **ret_realm);
2794 krb5_realm_iterator_free(krb5_context context, void **iter_p);
2796 void KRB5_CALLCONV krb5_free_realm_string(krb5_context context, char *str);
2798 /* Internal principal function used by KIM to avoid code duplication */
2799 krb5_error_code KRB5_CALLCONV
2800 krb5int_build_principal_alloc_va(krb5_context context,
2801 krb5_principal *princ,
2807 /* Some data comparison and conversion functions. */
2809 data_eq(krb5_data d1, krb5_data d2)
2811 return (d1.length == d2.length
2812 && !memcmp(d1.data, d2.data, d1.length));
2815 static inline krb5_data
2816 make_data(void *data, unsigned int len)
2820 d.magic = KV5M_DATA;
2821 d.data = (char *) data;
2826 static inline krb5_data
2829 return make_data(NULL, 0);
2832 static inline krb5_data
2833 string2data(char *str)
2835 return make_data(str, strlen(str));
2838 static inline krb5_error_code
2839 alloc_data(krb5_data *data, unsigned int len)
2841 char *ptr = (char *) calloc(len, 1);
2845 data->magic = KV5M_DATA;
2852 data_eq_string (krb5_data d, char *s)
2854 return data_eq(d, string2data(s));
2858 authdata_eq(krb5_authdata a1, krb5_authdata a2)
2860 return (a1.ad_type == a2.ad_type
2861 && a1.length == a2.length
2862 && !memcmp(a1.contents, a2.contents, a1.length));
2865 /* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
2866 static inline void *
2867 k5alloc(size_t size, krb5_error_code *code)
2871 ptr = calloc(size, 1);
2872 *code = (ptr == NULL) ? ENOMEM : 0;
2876 krb5_error_code KRB5_CALLCONV
2877 krb5int_pac_sign(krb5_context context,
2879 krb5_timestamp authtime,
2880 krb5_const_principal principal,
2881 const krb5_keyblock *server_key,
2882 const krb5_keyblock *privsvr_key,
2885 krb5_error_code KRB5_CALLCONV
2886 krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
2888 krb5_creds *in_creds,
2890 krb5_creds **out_creds);
2892 krb5_error_code KRB5_CALLCONV
2893 krb5_get_credentials_for_proxy(krb5_context context,
2896 krb5_creds *in_creds,
2897 krb5_ticket *evidence_tkt,
2898 krb5_creds **out_creds);
2900 krb5_error_code KRB5_CALLCONV
2901 krb5int_get_authdata_containee_types(krb5_context context,
2902 const krb5_authdata *container,
2903 unsigned int *nad_types,
2904 krb5_authdatatype **ad_types);
2906 krb5_error_code krb5int_parse_enctype_list(krb5_context context, char *profstr,
2907 krb5_enctype *default_list,
2908 krb5_enctype **result);
2910 #ifdef DEBUG_ERROR_LOCATIONS
2911 #define krb5_set_error_message(ctx, code, ...) \
2912 krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__)
2915 #endif /* _KRB5_INT_H */