/* cofiguration variables */
#define KRB5_CONF_ACL_FILE "acl_file"
-#define KRB5_CONF_ADMIN_KEYTAB "admin_keytab"
#define KRB5_CONF_ADMIN_SERVER "admin_server"
#define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto"
#define KRB5_CONF_AP_REQ_CHECKSUM_TYPE "ap_req_checksum_type"
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
+
+/* Cache configuration variables */
#define KRB5_CONF_FAST_AVAIL "fast_avail"
+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
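Review bot: The heading that introduces this list still reads `/* cofiguration variables */` on the first context line of the hunk; since the hunk already edits the list, correcting it to `/* configuration variables */` would be cheap to do here. The new `/* Cache configuration variables */` heading is helpful, but it does not say what distinguishes KRB5_CONF_FAST_AVAIL and KRB5_CONF_PROXY_IMPERSONATOR from the keys above them; presumably these are names of credential-cache config entries rather than profile (krb5.conf) keys, and a short note to that effect, e.g. `/* Names of config entries stored in a credential cache, not profile keys. */`, would make the split self-explanatory. Confirm the distinction against the code that reads these names before wording it.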
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
to the IAKERB proxy */
-/*
- * This structure is returned in the e-data field of the KRB-ERROR
- * message when the error calling for an alternative form of
- * authentication is returned, KRB_AP_METHOD.
- */
-typedef struct _krb5_alt_method {
- krb5_magic magic;
- krb5_int32 method;
- unsigned int length;
- krb5_octet *data;
-} krb5_alt_method;
-
/*
* A null-terminated array of this structure is returned by the KDC as
* the data part of the ETYPE_INFO preauth type. It informs the
krb5_enctype *etypes;
} krb5_etype_list;
-/*
- * a sam_challenge is returned for alternate preauth
- */
-/*
- SAMFlags ::= BIT STRING {
- use-sad-as-key[0],
- send-encrypted-sad[1],
- must-pk-encrypt-sad[2]
- }
-*/
-/*
- PA-SAM-CHALLENGE ::= SEQUENCE {
- sam-type[0] INTEGER,
- sam-flags[1] SAMFlags,
- sam-type-name[2] GeneralString OPTIONAL,
- sam-track-id[3] GeneralString OPTIONAL,
- sam-challenge-label[4] GeneralString OPTIONAL,
- sam-challenge[5] GeneralString OPTIONAL,
- sam-response-prompt[6] GeneralString OPTIONAL,
- sam-pk-for-sad[7] EncryptionKey OPTIONAL,
- sam-nonce[8] INTEGER OPTIONAL,
- sam-cksum[9] Checksum OPTIONAL
- }
-*/
/* sam_type values -- informational only */
#define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */
#define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */
#define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */
#define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */
-typedef struct _krb5_predicted_sam_response {
- krb5_magic magic;
- krb5_keyblock sam_key;
- krb5_flags sam_flags; /* Makes key munging easier */
- krb5_timestamp stime; /* time on server, for replay detection */
- krb5_int32 susec;
- krb5_principal client;
- krb5_data msd; /* mechanism specific data */
-} krb5_predicted_sam_response;
-
-typedef struct _krb5_sam_challenge {
- krb5_magic magic;
- krb5_int32 sam_type; /* information */
- krb5_flags sam_flags; /* KRB5_SAM_* values */
- krb5_data sam_type_name;
- krb5_data sam_track_id;
- krb5_data sam_challenge_label;
- krb5_data sam_challenge;
- krb5_data sam_response_prompt;
- krb5_data sam_pk_for_sad;
- krb5_int32 sam_nonce;
- krb5_checksum sam_cksum;
-} krb5_sam_challenge;
-
-typedef struct _krb5_sam_key { /* reserved for future use */
- krb5_magic magic;
- krb5_keyblock sam_key;
-} krb5_sam_key;
-
-typedef struct _krb5_enc_sam_response_enc {
- krb5_magic magic;
- krb5_int32 sam_nonce;
- krb5_timestamp sam_timestamp;
- krb5_int32 sam_usec;
- krb5_data sam_sad;
-} krb5_enc_sam_response_enc;
-
-typedef struct _krb5_sam_response {
- krb5_magic magic;
- krb5_int32 sam_type; /* informational */
- krb5_flags sam_flags; /* KRB5_SAM_* values */
- krb5_data sam_track_id; /* copied */
- krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */
- krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
- krb5_int32 sam_nonce;
- krb5_timestamp sam_patimestamp;
-} krb5_sam_response;
-
typedef struct _krb5_sam_challenge_2 {
krb5_data sam_challenge_2_body;
krb5_checksum **sam_cksum; /* Array of checksums */
char * default_ccname;
} *krb5_os_context;
+/* Get the current time of day plus a specified offset. */
+krb5_error_code k5_time_with_offset(krb5_timestamp offset,
+ krb5_int32 offset_usec,
+ krb5_timestamp *time_out,
+ krb5_int32 *usec_out);
+
/*
* Flags for the os_flags field
*
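Review bot: The comment on the new k5_time_with_offset prototype does not say which clock the offset is applied to or how offset_usec is normalized, which matters because this header also declares krb5_set_time_offsets and krb5_use_natural_time for context-level clock correction. Presumably the result is the context-adjusted current time plus the given offset, with the microsecond sum carried into the seconds field; confirm and say so, e.g. `/* Get the current time of day (as adjusted by the context's time offset) plus a specified offset; offset_usec is normalized into *time_out and *usec_out. */`. Also state whether time_out and usec_out may be NULL, since callers of a time helper often want only one of the two values.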
#include <krb5/preauth_plugin.h>
+typedef krb5_error_code
+(*krb5_gic_get_as_key_fct)(krb5_context, krb5_principal, krb5_enctype,
+ krb5_prompter_fct, void *prompter_data,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_keyblock *as_key, void *gak_data);
+
#define CLIENT_ROCK_MAGIC 0x4352434b
-/* This structure is passed into the client preauth functions and passed
- * back to the "get_data_proc" function so that it can locate the
- * requested information. It is opaque to the plugin code and can be
- * expanded in the future as new types of requests are defined which
- * may require other things to be passed through. */
+/*
+ * This structure is passed into the clpreauth methods and passed back to
+ * clpreauth callbacks so that they can locate the requested information. It
+ * is opaque to the plugin code and can be expanded in the future as new types
+ * of requests are defined which may require other things to be passed through.
+ * All pointer fields are aliases and should not be freed.
+ */
struct krb5int_fast_request_state;
struct krb5_clpreauth_rock_st {
krb5_magic magic;
krb5_enctype *etype;
struct krb5int_fast_request_state *fast_state;
+
+ /*
+ * These fields allow gak_fct to be called via the rock. The
+ * gak_fct and gak_data fields have an extra level of indirection
+ * since they can change in the init_creds context.
+ */
+ krb5_keyblock *as_key;
+ krb5_gic_get_as_key_fct *gak_fct;
+ void **gak_data;
+ krb5_boolean *default_salt;
+ krb5_data *salt;
+ krb5_data *s2kparams;
+ krb5_principal client;
+ krb5_prompter_fct prompter;
+ void *prompter_data;
+
+ /* Discovered offset of server time during preauth */
+ krb5_timestamp pa_offset;
+ krb5_int32 pa_offset_usec;
+ enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state;
};
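Review bot: The new three-state `pa_offset_state` field is the security-relevant part of this addition and its states are undocumented: the names suggest UNAUTH_OFFSET is a server-time offset learned from a message the client could not verify (a KRB-ERROR carries no integrity protection) and AUTH_OFFSET one learned from a verified reply, so consumers need to know that only the latter should feed anything trusted. Confirm this against the code that sets the field and record it, e.g. `/* pa_offset_state: UNAUTH_OFFSET if the offset came from an unverified reply (use only to retry preauth), AUTH_OFFSET if from a verified one. */`. As a point of style, the anonymous enum inside the struct body places the unprefixed constants NO_OFFSET, UNAUTH_OFFSET and AUTH_OFFSET in the ordinary identifier namespace of every translation unit that includes this header; a named enum declared before the struct, with constants prefixed like the other k5_/krb5int_ names in this file, would avoid collisions. The added sentence "All pointer fields are aliases and should not be freed" in the structure comment does cover the new as_key/salt/s2kparams pointers, which is good.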
typedef struct _krb5_pa_enc_ts {
krb5_error_code
krb5int_copy_creds_contents(krb5_context, const krb5_creds *, krb5_creds *);
-typedef krb5_error_code
-(*krb5_gic_get_as_key_fct)(krb5_context, krb5_principal, krb5_enctype,
- krb5_prompter_fct, void *prompter_data,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_keyblock *as_key, void *gak_data);
-
krb5_error_code KRB5_CALLCONV
krb5int_get_init_creds(krb5_context context, krb5_creds *creds,
krb5_principal client, krb5_prompter_fct prompter,
krb5_do_preauth(krb5_context context, krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request, krb5_pa_data **in_padata,
- krb5_pa_data ***out_padata, krb5_data *salt,
- krb5_data *s2kparams, krb5_enctype *etype,
- krb5_keyblock *as_key, krb5_prompter_fct prompter,
- void *prompter_data, krb5_gic_get_as_key_fct gak_fct,
- void *gak_data, krb5_clpreauth_rock preauth_rock,
- krb5_gic_opt_ext *opte);
+ krb5_pa_data ***out_padata, krb5_prompter_fct prompter,
+ void *prompter_data, krb5_clpreauth_rock preauth_rock,
+ krb5_gic_opt_ext *opte, krb5_boolean *got_real_out);
krb5_error_code KRB5_CALLCONV
krb5_do_preauth_tryagain(krb5_context context, krb5_kdc_req *request,
krb5_data *encoded_request_body,
krb5_data *encoded_previous_request,
krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_error *err_reply,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype, krb5_keyblock *as_key,
+ krb5_error *err_reply, krb5_pa_data **err_padata,
krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data,
krb5_clpreauth_rock preauth_rock,
krb5_gic_opt_ext *opte);
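Review bot: The new `got_real_out` out-parameter on krb5_do_preauth and the new `err_padata` parameter on krb5_do_preauth_tryagain are undocumented, and neither prototype carries a leading comment. Presumably got_real_out reports whether a "real" (key-affecting, as opposed to informational) preauth mechanism produced output, which a caller would use to decide whether the AS exchange may proceed; confirm and add something like `/* *got_real_out is set to TRUE if a real (non-informational) preauth mechanism produced padata. */` above the prototype. For err_padata, state whether it is the already-decoded e-data of err_reply and who owns it. The removal of the salt/s2kparams/etype/as_key/gak_fct/gak_data arguments implies they are now reached through preauth_rock; a sentence pointing readers to the rock fields would make the new calling convention self-explanatory.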
void KRB5_CALLCONV krb5_preauth_request_context_init(krb5_context);
void KRB5_CALLCONV krb5_preauth_request_context_fini(krb5_context);
-void KRB5_CALLCONV
-krb5_free_sam_challenge(krb5_context, krb5_sam_challenge *);
-
void KRB5_CALLCONV
krb5_free_sam_challenge_2(krb5_context, krb5_sam_challenge_2 *);
void KRB5_CALLCONV
krb5_free_sam_challenge_2_body(krb5_context, krb5_sam_challenge_2_body *);
-void KRB5_CALLCONV
-krb5_free_sam_response(krb5_context, krb5_sam_response *);
-
void KRB5_CALLCONV
krb5_free_sam_response_2(krb5_context, krb5_sam_response_2 *);
-void KRB5_CALLCONV
-krb5_free_predicted_sam_response(krb5_context, krb5_predicted_sam_response *);
-
-void KRB5_CALLCONV
-krb5_free_enc_sam_response_enc(krb5_context, krb5_enc_sam_response_enc *);
-
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_2(krb5_context, krb5_enc_sam_response_enc_2 *);
-void KRB5_CALLCONV
-krb5_free_sam_challenge_contents(krb5_context, krb5_sam_challenge *);
-
void KRB5_CALLCONV
krb5_free_sam_challenge_2_contents(krb5_context, krb5_sam_challenge_2 *);
krb5_free_sam_challenge_2_body_contents(krb5_context,
krb5_sam_challenge_2_body *);
-void KRB5_CALLCONV
-krb5_free_sam_response_contents(krb5_context, krb5_sam_response *);
-
void KRB5_CALLCONV
krb5_free_sam_response_2_contents(krb5_context, krb5_sam_response_2 *);
-void KRB5_CALLCONV
-krb5_free_predicted_sam_response_contents(krb5_context,
- krb5_predicted_sam_response * );
-
-void KRB5_CALLCONV
-krb5_free_enc_sam_response_enc_contents(krb5_context,
- krb5_enc_sam_response_enc * );
-
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_2_contents(krb5_context,
krb5_enc_sam_response_enc_2 * );
void KRB5_CALLCONV
krb5_free_pa_s4u_x509_user(krb5_context, krb5_pa_s4u_x509_user *);
-void KRB5_CALLCONV
-krb5_free_pa_svr_referral_data(krb5_context, krb5_pa_svr_referral_data *);
-
-void KRB5_CALLCONV
-krb5_free_pa_server_referral_data(krb5_context,
- krb5_pa_server_referral_data * );
-
void KRB5_CALLCONV
krb5_free_pa_pac_req(krb5_context, krb5_pa_pac_req * );
};
/* A list of plugin interface IDs. Make sure to increment
- * PLUGIN_NUM_INTERFACES when a new interface is added. */
+ * PLUGIN_NUM_INTERFACES when a new interface is added, and add an entry to the
+ * interface_names table in lib/krb5/krb/plugin.c. */
#define PLUGIN_INTERFACE_PWQUAL 0
#define PLUGIN_INTERFACE_KADM5_HOOK 1
#define PLUGIN_INTERFACE_CLPREAUTH 2
krb5_error_code
encode_krb5_authdata(krb5_authdata *const *rep, krb5_data **code);
-krb5_error_code
-encode_krb5_authdata_elt(const krb5_authdata *rep, krb5_data **code);
-
-krb5_error_code
-encode_krb5_pwd_sequence(const passwd_phrase_element *rep, krb5_data **code);
-
-krb5_error_code
-encode_krb5_pwd_data(const krb5_pwd_data *rep, krb5_data **code);
-
krb5_error_code
encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
krb5_error_code
-encode_krb5_alt_method(const krb5_alt_method *, krb5_data **code);
+encode_krb5_typed_data(krb5_pa_data *const *rep, krb5_data **code);
krb5_error_code
encode_krb5_etype_info(krb5_etype_info_entry *const *, krb5_data **code);
krb5_error_code
encode_krb5_pa_enc_ts(const krb5_pa_enc_ts *, krb5_data **);
-krb5_error_code
-encode_krb5_sam_challenge(const krb5_sam_challenge * , krb5_data **);
-
-krb5_error_code
-encode_krb5_sam_key(const krb5_sam_key * , krb5_data **);
-
-krb5_error_code
-encode_krb5_enc_sam_response_enc(const krb5_enc_sam_response_enc *,
- krb5_data **);
-
-krb5_error_code
-encode_krb5_sam_response(const krb5_sam_response *, krb5_data **);
-
krb5_error_code
encode_krb5_sam_challenge_2(const krb5_sam_challenge_2 * , krb5_data **);
krb5_error_code
encode_krb5_sam_response_2(const krb5_sam_response_2 * , krb5_data **);
-krb5_error_code
-encode_krb5_predicted_sam_response(const krb5_predicted_sam_response *,
- krb5_data **);
-
struct krb5_setpw_req {
krb5_principal target;
krb5_data password;
krb5_error_code
encode_krb5_pa_s4u_x509_user(const krb5_pa_s4u_x509_user *, krb5_data **);
-krb5_error_code
-encode_krb5_pa_svr_referral_data(const krb5_pa_svr_referral_data *,
- krb5_data **);
-
-krb5_error_code
-encode_krb5_pa_server_referral_data(const krb5_pa_server_referral_data *,
- krb5_data **);
-
krb5_error_code
encode_krb5_pa_pac_req(const krb5_pa_pac_req *, krb5_data **);
* End of prototypes for krb5_encode.c
*************************************************************************/
-krb5_error_code
-decode_krb5_sam_challenge(const krb5_data *, krb5_sam_challenge **);
-
-krb5_error_code
-decode_krb5_enc_sam_key(const krb5_data *, krb5_sam_key **);
-
-krb5_error_code
-decode_krb5_enc_sam_response_enc(const krb5_data *,
- krb5_enc_sam_response_enc **);
-
-krb5_error_code
-decode_krb5_sam_response(const krb5_data *, krb5_sam_response **);
-
-krb5_error_code
-decode_krb5_predicted_sam_response(const krb5_data *,
- krb5_predicted_sam_response **);
-
krb5_error_code
decode_krb5_sam_challenge_2(const krb5_data *, krb5_sam_challenge_2 **);
krb5_error_code
decode_krb5_safe_with_body(const krb5_data *output, krb5_safe **rep,
- krb5_data *body);
+ krb5_data **body);
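Review bot: Changing `body` from `krb5_data *` to `krb5_data **` on decode_krb5_safe_with_body changes ownership — the decoder now presumably allocates the body object instead of filling a caller-provided one — but nothing says so, nor whether `*body` aliases memory inside `*rep` or must be freed separately. After confirming against the implementation, add e.g. `/* On success *body is allocated by the decoder and must be freed by the caller (independently of *rep). */`, and state whether body may be NULL when the caller does not need it. Any existing caller still passing the address of a stack krb5_data will now compile only with an incompatible-pointer warning, so this is worth a grep across callers.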
krb5_error_code
decode_krb5_priv(const krb5_data *output, krb5_priv **rep);
krb5_error_code
decode_krb5_authdata(const krb5_data *output, krb5_authdata ***rep);
-krb5_error_code
-decode_krb5_pwd_sequence(const krb5_data *output, passwd_phrase_element **rep);
-
-krb5_error_code
-decode_krb5_pwd_data(const krb5_data *output, krb5_pwd_data **rep);
-
krb5_error_code
decode_krb5_padata_sequence(const krb5_data *output, krb5_pa_data ***rep);
krb5_error_code
-decode_krb5_alt_method(const krb5_data *output, krb5_alt_method **rep);
+decode_krb5_typed_data(const krb5_data *, krb5_pa_data ***);
krb5_error_code
decode_krb5_etype_info(const krb5_data *output, krb5_etype_info_entry ***rep);
krb5_error_code
decode_krb5_pa_enc_ts(const krb5_data *output, krb5_pa_enc_ts **rep);
-krb5_error_code
-decode_krb5_sam_key(const krb5_data *, krb5_sam_key **);
-
krb5_error_code
decode_krb5_setpw_req(const krb5_data *, krb5_data **, krb5_principal *);
krb5_error_code
decode_krb5_pa_s4u_x509_user(const krb5_data *, krb5_pa_s4u_x509_user **);
-krb5_error_code
-decode_krb5_pa_svr_referral_data(const krb5_data *,
- krb5_pa_svr_referral_data **);
-
-krb5_error_code
-decode_krb5_pa_server_referral_data(const krb5_data *,
- krb5_pa_server_referral_data **);
-
krb5_error_code
decode_krb5_pa_pac_req(const krb5_data *, krb5_pa_pac_req **);
struct ldap_seqof_key_data {
krb5_int32 mkvno; /* Master key version number */
+ krb5_int16 kvno; /* kvno of key_data elements (all the same) */
struct _krb5_key_data *key_data;
krb5_int16 n_key_data;
};
krb5_data **code);
krb5_error_code
-krb5int_ldap_decode_sequence_of_keys(krb5_data *in,
+krb5int_ldap_decode_sequence_of_keys(const krb5_data *in,
ldap_seqof_key_data **rep);
/*************************************************************************
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 18
+#define KRB5INT_ACCESS_STRUCT_VERSION 21
-#ifndef ANAME_SZ
-struct ktext; /* from krb.h, for krb524 support */
-#endif
typedef struct _krb5int_access {
- /* crypto stuff */
- krb5_error_code (*arcfour_gsscrypt)(const krb5_keyblock *keyblock,
- krb5_keyusage usage,
- const krb5_data *kd_data,
- krb5_crypto_iov *data,
- size_t num_data);
-
krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
krb5_auth_context,
krb5_enctype *);
krb5_external_principal_identifier **,
krb5_data **code);
- krb5_error_code
- (*encode_krb5_typed_data)(const krb5_typed_data **, krb5_data **code);
-
krb5_error_code
(*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
krb5_error_code
(*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
- krb5_error_code
- (*decode_krb5_pa_pk_as_rep_draft9)(const krb5_data *,
- krb5_pa_pk_as_rep_draft9 **);
-
krb5_error_code
(*decode_krb5_kdc_dh_key_info)(const krb5_data *, krb5_kdc_dh_key_info **);
krb5_external_principal_identifier
***);
- krb5_error_code
- (*decode_krb5_typed_data)(const krb5_data *, krb5_typed_data ***);
-
- krb5_error_code
- (*decode_krb5_as_req)(const krb5_data *output, krb5_kdc_req **rep);
-
krb5_error_code
(*encode_krb5_kdc_req_body)(const krb5_kdc_req *rep, krb5_data **code);
(KRB5_CALLCONV *free_kdc_req)(krb5_context, krb5_kdc_req * );
void
(*set_prompt_types)(krb5_context, krb5_prompt_type *);
-
- krb5_error_code
- (*encode_krb5_authdata_elt)(const krb5_authdata *rep, krb5_data **code);
-
- /* Exported for testing only! */
- krb5_error_code
- (*encode_krb5_sam_response_2)(const krb5_sam_response_2 *rep,
- krb5_data **code);
- krb5_error_code
- (*encode_krb5_enc_sam_response_enc_2)(const
- krb5_enc_sam_response_enc_2 *rep,
- krb5_data **code);
} krb5int_access;
#define KRB5INT_ACCESS_VERSION \
void KRB5_CALLCONV krb5_free_cred_enc_part(krb5_context, krb5_cred_enc_part *);
void KRB5_CALLCONV krb5_free_pa_data(krb5_context, krb5_pa_data **);
void KRB5_CALLCONV krb5_free_tkt_authent(krb5_context, krb5_tkt_authent *);
-void KRB5_CALLCONV krb5_free_pwd_data(krb5_context, krb5_pwd_data *);
-void KRB5_CALLCONV krb5_free_pwd_sequences(krb5_context,
- passwd_phrase_element **);
-void KRB5_CALLCONV krb5_free_passwd_phrase_element(krb5_context,
- passwd_phrase_element *);
-void KRB5_CALLCONV krb5_free_alt_method(krb5_context, krb5_alt_method *);
void KRB5_CALLCONV krb5_free_enc_data(krb5_context, krb5_enc_data *);
krb5_error_code krb5_set_config_files(krb5_context, const char **);
void KRB5_CALLCONV krb5_free_config_files(char **filenames);
-krb5_error_code krb5int_find_authdata(krb5_context context,
- krb5_authdata *const *ticket_authdata,
- krb5_authdata *const *ap_req_authdata,
- krb5_authdatatype ad_type,
- krb5_authdata ***results);
-
krb5_error_code krb5_rd_req_decoded(krb5_context, krb5_auth_context *,
const krb5_ap_req *, krb5_const_principal,
krb5_keytab, krb5_flags *, krb5_ticket **);
const krb5_data *, krb5_principal **,
int);
+krb5_error_code
+k5_client_realm_path(krb5_context context, const krb5_data *client,
+ const krb5_data *server, krb5_data **rpath_out);
+
krb5_error_code
krb5_auth_con_set_safe_cksumtype(krb5_context, krb5_auth_context,
krb5_cksumtype);
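Review bot: `k5_client_realm_path` is added without a comment; the name and parameters suggest it computes the realm path between a client realm and a server realm and returns it through rpath_out, but neither the shape of the result (null-terminated array, whether the endpoints are included) nor its ownership is stated. Add a comment such as `/* Compute the realm path from client to server, storing a null-terminated array in *rpath_out; the caller frees it. */` once confirmed against the implementation. Since a realm path like this is presumably consumed by transited-realm checks, spelling out whether the endpoints are included prevents off-by-one mistakes in those consumers.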
krb5_error_code krb5_use_natural_time(krb5_context);
krb5_error_code krb5_set_time_offsets(krb5_context, krb5_timestamp,
krb5_int32);
-krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
-/*
- * The realm iterator functions
- */
-
-krb5_error_code KRB5_CALLCONV
-krb5_realm_iterator_create(krb5_context context, void **iter_p);
-
-krb5_error_code KRB5_CALLCONV
-krb5_realm_iterator(krb5_context context, void **iter_p, char **ret_realm);
-
-void KRB5_CALLCONV
-krb5_realm_iterator_free(krb5_context context, void **iter_p);
-
-void KRB5_CALLCONV krb5_free_realm_string(krb5_context context, char *str);
/* Internal principal function used by KIM to avoid code duplication */
krb5_error_code KRB5_CALLCONV
return ptr;
}
-krb5_error_code KRB5_CALLCONV
-krb5int_pac_sign(krb5_context context,
- krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- const krb5_keyblock *server_key,
- const krb5_keyblock *privsvr_key,
- krb5_data *data);
-
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
krb5_ccache ccache,