1
/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2
/*
3
 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001,
4
 * 2003,2006,2007,2008,2009 by the Massachusetts Institute of Technology,
5
 * Cambridge, MA, USA.  All Rights Reserved.
6
 *
7
 * This software is being provided to you, the LICENSEE, by the
8
 * Massachusetts Institute of Technology (M.I.T.) under the following
9
 * license.  By obtaining, using and/or copying this software, you agree
10
 * that you have read, understood, and will comply with these terms and
11
 * conditions:
12
 *
13
 * Export of this software from the United States of America may
14
 * require a specific license from the United States Government.
15
 * It is the responsibility of any person or organization contemplating
16
 * export to obtain such a license before exporting.
17
 *
18
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
19
 * this software and its documentation for any purpose and without fee or
20
 * royalty is hereby granted, provided that you agree to comply with the
21
 * following copyright notice and statements, including the disclaimer, and
22
 * that the same appear on ALL copies of the software and documentation,
23
 * including modifications that you make for internal use or for
24
 * distribution:
25
 *
26
 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
27
 * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
28
 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
29
 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
30
 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
31
 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
32
 *
33
 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
34
 * be used in advertising or publicity pertaining to distribution of the
35
 * software.  Title to copyright in this software and any associated
36
 * documentation shall at all times remain with M.I.T., and USER agrees to
37
 * preserve same.
38
 *
39
 * Furthermore if you modify this software you must label
40
 * your software as modified software and not distribute it in such a
41
 * fashion that it might be confused with the original M.I.T. software.
42
 */
43
/*
44
 * Copyright (C) 1998 by the FundsXpress, INC.
45
 *
46
 * All rights reserved.
47
 *
48
 * Export of this software from the United States of America may require
49
 * a specific license from the United States Government.  It is the
50
 * responsibility of any person or organization contemplating export to
51
 * obtain such a license before exporting.
52
 *
53
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
54
 * distribute this software and its documentation for any purpose and
55
 * without fee is hereby granted, provided that the above copyright
56
 * notice appear in all copies and that both that copyright notice and
57
 * this permission notice appear in supporting documentation, and that
58
 * the name of FundsXpress. not be used in advertising or publicity pertaining
59
 * to distribution of the software without specific, written prior
60
 * permission.  FundsXpress makes no representations about the suitability of
61
 * this software for any purpose.  It is provided "as is" without express
62
 * or implied warranty.
63
 *
64
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
65
 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
66
 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
67
 */
68

69
/*
70
 * This prototype for k5-int.h (Krb5 internals include file)
71
 * includes the user-visible definitions from krb5.h and then
72
 * includes other definitions that are not user-visible but are
73
 * required for compiling Kerberos internal routines.
74
 *
75
 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
76
 */
77

78
#ifndef _KRB5_INT_H
79
#define _KRB5_INT_H
80

81
#ifdef KRB5_GENERAL__
82
#error krb5.h included before k5-int.h
83
#endif /* KRB5_GENERAL__ */
84

85
#include "osconf.h"
86

87
#if defined(__MACH__) && defined(__APPLE__)
88
#       include <TargetConditionals.h>
89
#    if TARGET_RT_MAC_CFM
90
#       error "Use KfM 4.0 SDK headers for CFM compilation."
91
#    endif
92
#endif
93

94
/*
95
 * Begin "k5-config.h"
96
 */
97
#ifndef KRB5_CONFIG__
98
#define KRB5_CONFIG__
99

100
/*
101
 * Machine-type definitions: PC Clone 386 running Microloss Windows
102
 */
103

104
#if defined(_MSDOS) || defined(_WIN32)
105
#include "win-mac.h"
106

107
/* Kerberos Windows initialization file */
108
#define KERBEROS_INI    "kerberos.ini"
109
#define INI_FILES       "Files"
110
#define INI_KRB_CCACHE  "krb5cc"        /* Location of the ccache */
111
#define INI_KRB5_CONF   "krb5.ini"      /* Location of krb5.conf file */
112
#endif
113

114
#include "autoconf.h"
115

116
#ifndef KRB5_SYSTYPES__
117
#define KRB5_SYSTYPES__
118

119
#ifdef HAVE_SYS_TYPES_H         /* From autoconf.h */
120
#include <sys/types.h>
121
#else /* HAVE_SYS_TYPES_H */
122
typedef unsigned long   u_long;
123
typedef unsigned int    u_int;
124
typedef unsigned short  u_short;
125
typedef unsigned char   u_char;
126
#endif /* HAVE_SYS_TYPES_H */
127
#endif /* KRB5_SYSTYPES__ */
128

129

130
#include "k5-platform.h"
131

132
#define KRB5_KDB_MAX_LIFE       (60*60*24) /* one day */
133
#define KRB5_KDB_MAX_RLIFE      (60*60*24*7) /* one week */
134
#define KRB5_KDB_EXPIRATION     2145830400 /* Thu Jan  1 00:00:00 2038 UTC */
135

136
/*
137
 * Windows requires a different api interface to each function. Here
138
 * just define it as NULL.
139
 */
140
#ifndef KRB5_CALLCONV
141
#define KRB5_CALLCONV
142
#define KRB5_CALLCONV_C
143
#endif
144
#ifndef O_BINARY
145
#define O_BINARY 0
146
#endif
147

148
/* #define KRB5_OLD_CRYPTO is done in krb5.h */
149

150
#endif /* KRB5_CONFIG__ */
151

152
/*
153
 * End "k5-config.h"
154
 */
155

156
/*
157
 * After loading the configuration definitions, load the Kerberos definitions.
158
 */
159
#include <errno.h>
160
#include "krb5.h"
161
#include <krb5/plugin.h>
162
#include "profile.h"
163

164
#include "port-sockets.h"
165
#include "socket-utils.h"
166

167
/* Get mutex support; currently used only for the replay cache.  */
168
#include "k5-thread.h"
169

170
/* Get error info support.  */
171
#include "k5-err.h"
172

173
/* Get string buffer support. */
174
#include "k5-buf.h"
175

176
/* Define tracing macros. */
177
#include "k5-trace.h"
178

179
/* Profile variables.  Constants are named KRB5_CONF_STRING, where STRING
180
 * matches the variable name.  Keep these alphabetized. */
181
#define KRB5_CONF_ACL_FILE                     "acl_file"
182
#define KRB5_CONF_ADMIN_SERVER                 "admin_server"
183
#define KRB5_CONF_ALLOW_DES3                   "allow_des3"
184
#define KRB5_CONF_ALLOW_RC4                    "allow_rc4"
185
#define KRB5_CONF_ALLOW_WEAK_CRYPTO            "allow_weak_crypto"
186
#define KRB5_CONF_AUTH_TO_LOCAL                "auth_to_local"
187
#define KRB5_CONF_AUTH_TO_LOCAL_NAMES          "auth_to_local_names"
188
#define KRB5_CONF_CANONICALIZE                 "canonicalize"
189
#define KRB5_CONF_CCACHE_TYPE                  "ccache_type"
190
#define KRB5_CONF_CLOCKSKEW                    "clockskew"
191
#define KRB5_CONF_DATABASE_NAME                "database_name"
192
#define KRB5_CONF_DB_MODULE_DIR                "db_module_dir"
193
#define KRB5_CONF_DEBUG                        "debug"
194
#define KRB5_CONF_DEFAULT                      "default"
195
#define KRB5_CONF_DEFAULT_CCACHE_NAME          "default_ccache_name"
196
#define KRB5_CONF_DEFAULT_CLIENT_KEYTAB_NAME   "default_client_keytab_name"
197
#define KRB5_CONF_DEFAULT_DOMAIN               "default_domain"
198
#define KRB5_CONF_DEFAULT_KEYTAB_NAME          "default_keytab_name"
199
#define KRB5_CONF_DEFAULT_PRINCIPAL_EXPIRATION "default_principal_expiration"
200
#define KRB5_CONF_DEFAULT_PRINCIPAL_FLAGS      "default_principal_flags"
201
#define KRB5_CONF_DEFAULT_RCACHE_NAME          "default_rcache_name"
202
#define KRB5_CONF_DEFAULT_REALM                "default_realm"
203
#define KRB5_CONF_DEFAULT_TGS_ENCTYPES         "default_tgs_enctypes"
204
#define KRB5_CONF_DEFAULT_TKT_ENCTYPES         "default_tkt_enctypes"
205
#define KRB5_CONF_DICT_FILE                    "dict_file"
206
#define KRB5_CONF_DISABLE                      "disable"
207
#define KRB5_CONF_DISABLE_ENCRYPTED_TIMESTAMP  "disable_encrypted_timestamp"
208
#define KRB5_CONF_DISABLE_LAST_SUCCESS         "disable_last_success"
209
#define KRB5_CONF_DISABLE_LOCKOUT              "disable_lockout"
210
#define KRB5_CONF_DISABLE_PAC                  "disable_pac"
211
#define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME    "dns_canonicalize_hostname"
212
#define KRB5_CONF_DNS_FALLBACK                 "dns_fallback"
213
#define KRB5_CONF_DNS_LOOKUP_KDC               "dns_lookup_kdc"
214
#define KRB5_CONF_DNS_LOOKUP_REALM             "dns_lookup_realm"
215
#define KRB5_CONF_DNS_URI_LOOKUP               "dns_uri_lookup"
216
#define KRB5_CONF_DOMAIN_REALM                 "domain_realm"
217
#define KRB5_CONF_ENABLE_ONLY                  "enable_only"
218
#define KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR "encrypted_challenge_indicator"
219
#define KRB5_CONF_ENFORCE_OK_AS_DELEGATE       "enforce_ok_as_delegate"
220
#define KRB5_CONF_ERR_FMT                      "err_fmt"
221
#define KRB5_CONF_EXTRA_ADDRESSES              "extra_addresses"
222
#define KRB5_CONF_FORWARDABLE                  "forwardable"
223
#define KRB5_CONF_HOST_BASED_SERVICES          "host_based_services"
224
#define KRB5_CONF_HTTP_ANCHORS                 "http_anchors"
225
#define KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME     "ignore_acceptor_hostname"
226
#define KRB5_CONF_IPROP_ENABLE                 "iprop_enable"
227
#define KRB5_CONF_IPROP_LISTEN                 "iprop_listen"
228
#define KRB5_CONF_IPROP_LOGFILE                "iprop_logfile"
229
#define KRB5_CONF_IPROP_MASTER_ULOGSIZE        "iprop_master_ulogsize"
230
#define KRB5_CONF_IPROP_PORT                   "iprop_port"
231
#define KRB5_CONF_IPROP_RESYNC_TIMEOUT         "iprop_resync_timeout"
232
#define KRB5_CONF_IPROP_REPLICA_POLL           "iprop_replica_poll"
233
#define KRB5_CONF_IPROP_SLAVE_POLL             "iprop_slave_poll"
234
#define KRB5_CONF_IPROP_ULOGSIZE               "iprop_ulogsize"
235
#define KRB5_CONF_K5LOGIN_AUTHORITATIVE        "k5login_authoritative"
236
#define KRB5_CONF_K5LOGIN_DIRECTORY            "k5login_directory"
237
#define KRB5_CONF_KADMIND_LISTEN               "kadmind_listen"
238
#define KRB5_CONF_KADMIND_PORT                 "kadmind_port"
239
#define KRB5_CONF_KCM_MACH_SERVICE             "kcm_mach_service"
240
#define KRB5_CONF_KCM_SOCKET                   "kcm_socket"
241
#define KRB5_CONF_KDC                          "kdc"
242
#define KRB5_CONF_KDCDEFAULTS                  "kdcdefaults"
243
#define KRB5_CONF_KDC_DEFAULT_OPTIONS          "kdc_default_options"
244
#define KRB5_CONF_KDC_LISTEN                   "kdc_listen"
245
#define KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE     "kdc_max_dgram_reply_size"
246
#define KRB5_CONF_KDC_PORTS                    "kdc_ports"
247
#define KRB5_CONF_KDC_TCP_PORTS                "kdc_tcp_ports"
248
#define KRB5_CONF_KDC_TCP_LISTEN               "kdc_tcp_listen"
249
#define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG       "kdc_tcp_listen_backlog"
250
#define KRB5_CONF_KDC_TIMESYNC                 "kdc_timesync"
251
#define KRB5_CONF_KDC_UNIXSOCK_LISTEN          "kdc_unixsock_listen"
252
#define KRB5_CONF_KEY_STASH_FILE               "key_stash_file"
253
#define KRB5_CONF_KPASSWD_LISTEN               "kpasswd_listen"
254
#define KRB5_CONF_KPASSWD_PORT                 "kpasswd_port"
255
#define KRB5_CONF_KPASSWD_SERVER               "kpasswd_server"
256
#define KRB5_CONF_KRB524_SERVER                "krb524_server"
257
#define KRB5_CONF_LDAP_CONNS_PER_SERVER        "ldap_conns_per_server"
258
#define KRB5_CONF_LDAP_KADMIND_DN              "ldap_kadmind_dn"
259
#define KRB5_CONF_LDAP_KADMIND_SASL_AUTHCID    "ldap_kadmind_sasl_authcid"
260
#define KRB5_CONF_LDAP_KADMIND_SASL_AUTHZID    "ldap_kadmind_sasl_authzid"
261
#define KRB5_CONF_LDAP_KADMIND_SASL_MECH       "ldap_kadmind_sasl_mech"
262
#define KRB5_CONF_LDAP_KADMIND_SASL_REALM      "ldap_kadmind_sasl_realm"
263
#define KRB5_CONF_LDAP_KDC_DN                  "ldap_kdc_dn"
264
#define KRB5_CONF_LDAP_KDC_SASL_AUTHCID        "ldap_kdc_sasl_authcid"
265
#define KRB5_CONF_LDAP_KDC_SASL_AUTHZID        "ldap_kdc_sasl_authzid"
266
#define KRB5_CONF_LDAP_KDC_SASL_MECH           "ldap_kdc_sasl_mech"
267
#define KRB5_CONF_LDAP_KDC_SASL_REALM          "ldap_kdc_sasl_realm"
268
#define KRB5_CONF_LDAP_KERBEROS_CONTAINER_DN   "ldap_kerberos_container_dn"
269
#define KRB5_CONF_LDAP_SERVERS                 "ldap_servers"
270
#define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE   "ldap_service_password_file"
271
#define KRB5_CONF_LIBDEFAULTS                  "libdefaults"
272
#define KRB5_CONF_LOGGING                      "logging"
273
#define KRB5_CONF_MAPSIZE                      "mapsize"
274
#define KRB5_CONF_MASTER_KDC                   "master_kdc"
275
#define KRB5_CONF_MASTER_KEY_NAME              "master_key_name"
276
#define KRB5_CONF_MASTER_KEY_TYPE              "master_key_type"
277
#define KRB5_CONF_MAX_LIFE                     "max_life"
278
#define KRB5_CONF_MAX_READERS                  "max_readers"
279
#define KRB5_CONF_MAX_RENEWABLE_LIFE           "max_renewable_life"
280
#define KRB5_CONF_MODULE                       "module"
281
#define KRB5_CONF_NOADDRESSES                  "noaddresses"
282
#define KRB5_CONF_NOSYNC                       "nosync"
283
#define KRB5_CONF_NO_HOST_REFERRAL             "no_host_referral"
284
#define KRB5_CONF_PERMITTED_ENCTYPES           "permitted_enctypes"
285
#define KRB5_CONF_PLUGINS                      "plugins"
286
#define KRB5_CONF_PLUGIN_BASE_DIR              "plugin_base_dir"
287
#define KRB5_CONF_PREFERRED_PREAUTH_TYPES      "preferred_preauth_types"
288
#define KRB5_CONF_PRIMARY_KDC                  "primary_kdc"
289
#define KRB5_CONF_PROXIABLE                    "proxiable"
290
#define KRB5_CONF_QUALIFY_SHORTNAME            "qualify_shortname"
291
#define KRB5_CONF_RDNS                         "rdns"
292
#define KRB5_CONF_REALMS                       "realms"
293
#define KRB5_CONF_REALM_TRY_DOMAINS            "realm_try_domains"
294
#define KRB5_CONF_REJECT_BAD_TRANSIT           "reject_bad_transit"
295
#define KRB5_CONF_RENEW_LIFETIME               "renew_lifetime"
296
#define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT    "restrict_anonymous_to_tgt"
297
#define KRB5_CONF_SITENAME                     "sitename"
298
#define KRB5_CONF_SUPPORTED_ENCTYPES           "supported_enctypes"
299
#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR      "spake_preauth_indicator"
300
#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE  "spake_preauth_kdc_challenge"
301
#define KRB5_CONF_SPAKE_PREAUTH_GROUPS         "spake_preauth_groups"
302
#define KRB5_CONF_REQUEST_TIMEOUT              "request_timeout"
303
#define KRB5_CONF_TICKET_LIFETIME              "ticket_lifetime"
304
#define KRB5_CONF_UDP_PREFERENCE_LIMIT         "udp_preference_limit"
305
#define KRB5_CONF_UNLOCKITER                   "unlockiter"
306
#define KRB5_CONF_V4_INSTANCE_CONVERT          "v4_instance_convert"
307
#define KRB5_CONF_V4_REALM                     "v4_realm"
308
#define KRB5_CONF_VERIFY_AP_REQ_NOFAIL         "verify_ap_req_nofail"
309
#define KRB5_CONF_CLIENT_AWARE_GSS_BINDINGS    "client_aware_channel_bindings"
310

311
/* Cache configuration variables */
312
#define KRB5_CC_CONF_FAST_AVAIL                "fast_avail"
313
#define KRB5_CC_CONF_PA_CONFIG_DATA            "pa_config_data"
314
#define KRB5_CC_CONF_PA_TYPE                   "pa_type"
315
#define KRB5_CC_CONF_PROXY_IMPERSONATOR        "proxy_impersonator"
316
#define KRB5_CC_CONF_REFRESH_TIME              "refresh_time"
317
#define KRB5_CC_CONF_START_REALM               "start_realm"
318

319
/* Error codes used in KRB_ERROR protocol messages.
320
   Return values of library routines are based on a different error table
321
   (which allows non-ambiguous error codes between subsystems) */
322

323
/* KDC errors */
324
#define KDC_ERR_NONE                    0 /* No error */
325
#define KDC_ERR_NAME_EXP                1 /* Client's entry in DB expired */
326
#define KDC_ERR_SERVICE_EXP             2 /* Server's entry in DB expired */
327
#define KDC_ERR_BAD_PVNO                3 /* Requested pvno not supported */
328
#define KDC_ERR_C_OLD_MAST_KVNO         4 /* C's key encrypted in old master */
329
#define KDC_ERR_S_OLD_MAST_KVNO         5 /* S's key encrypted in old master */
330
#define KDC_ERR_C_PRINCIPAL_UNKNOWN     6 /* Client not found in Kerberos DB */
331
#define KDC_ERR_S_PRINCIPAL_UNKNOWN     7 /* Server not found in Kerberos DB */
332
#define KDC_ERR_PRINCIPAL_NOT_UNIQUE    8 /* Multiple entries in Kerberos DB */
333
#define KDC_ERR_NULL_KEY                9 /* The C or S has a null key */
334
#define KDC_ERR_CANNOT_POSTDATE         10 /* Tkt ineligible for postdating */
335
#define KDC_ERR_NEVER_VALID             11 /* Requested starttime > endtime */
336
#define KDC_ERR_POLICY                  12 /* KDC policy rejects request */
337
#define KDC_ERR_BADOPTION               13 /* KDC can't do requested opt. */
338
#define KDC_ERR_ENCTYPE_NOSUPP          14 /* No support for encryption type */
339
#define KDC_ERR_SUMTYPE_NOSUPP          15 /* No support for checksum type */
340
#define KDC_ERR_PADATA_TYPE_NOSUPP      16 /* No support for padata type */
341
#define KDC_ERR_TRTYPE_NOSUPP           17 /* No support for transited type */
342
#define KDC_ERR_CLIENT_REVOKED          18 /* C's creds have been revoked */
343
#define KDC_ERR_SERVICE_REVOKED         19 /* S's creds have been revoked */
344
#define KDC_ERR_TGT_REVOKED             20 /* TGT has been revoked */
345
#define KDC_ERR_CLIENT_NOTYET           21 /* C not yet valid */
346
#define KDC_ERR_SERVICE_NOTYET          22 /* S not yet valid */
347
#define KDC_ERR_KEY_EXP                 23 /* Password has expired */
348
#define KDC_ERR_PREAUTH_FAILED          24 /* Preauthentication failed */
349
#define KDC_ERR_PREAUTH_REQUIRED        25 /* Additional preauthentication */
350
                                           /* required */
351
#define KDC_ERR_SERVER_NOMATCH          26 /* Requested server and */
352
                                           /* ticket don't match*/
353
#define KDC_ERR_MUST_USE_USER2USER      27 /* Server principal valid for */
354
                                           /*   user2user only */
355
#define KDC_ERR_PATH_NOT_ACCEPTED       28 /* KDC policy rejected transited */
356
                                           /*   path */
357
#define KDC_ERR_SVC_UNAVAILABLE         29 /* A service is not
358
                                            * available that is
359
                                            * required to process the
360
                                            * request */
361
/* Application errors */
362
#define KRB_AP_ERR_BAD_INTEGRITY 31     /* Decrypt integrity check failed */
363
#define KRB_AP_ERR_TKT_EXPIRED  32      /* Ticket expired */
364
#define KRB_AP_ERR_TKT_NYV      33      /* Ticket not yet valid */
365
#define KRB_AP_ERR_REPEAT       34      /* Request is a replay */
366
#define KRB_AP_ERR_NOT_US       35      /* The ticket isn't for us */
367
#define KRB_AP_ERR_BADMATCH     36      /* Ticket/authenticator don't match */
368
#define KRB_AP_ERR_SKEW         37      /* Clock skew too great */
369
#define KRB_AP_ERR_BADADDR      38      /* Incorrect net address */
370
#define KRB_AP_ERR_BADVERSION   39      /* Protocol version mismatch */
371
#define KRB_AP_ERR_MSG_TYPE     40      /* Invalid message type */
372
#define KRB_AP_ERR_MODIFIED     41      /* Message stream modified */
373
#define KRB_AP_ERR_BADORDER     42      /* Message out of order */
374
#define KRB_AP_ERR_BADKEYVER    44      /* Key version is not available */
375
#define KRB_AP_ERR_NOKEY        45      /* Service key not available */
376
#define KRB_AP_ERR_MUT_FAIL     46      /* Mutual authentication failed */
377
#define KRB_AP_ERR_BADDIRECTION 47      /* Incorrect message direction */
378
#define KRB_AP_ERR_METHOD       48      /* Alternative authentication */
379
                                        /* method required */
380
#define KRB_AP_ERR_BADSEQ       49      /* Incorrect sequence numnber */
381
                                        /* in message */
382
#define KRB_AP_ERR_INAPP_CKSUM  50      /* Inappropriate type of */
383
                                        /* checksum in message */
384
#define KRB_AP_PATH_NOT_ACCEPTED 51     /* Policy rejects transited path */
385
#define KRB_ERR_RESPONSE_TOO_BIG 52     /* Response too big for UDP, */
386
                                        /*   retry with TCP */
387

388
/* other errors */
389
#define KRB_ERR_GENERIC         60      /* Generic error (description */
390
                                        /* in e-text) */
391
#define KRB_ERR_FIELD_TOOLONG   61      /* Field is too long for impl. */
392

393
/* PKINIT server-reported errors */
394
#define KDC_ERR_CLIENT_NOT_TRUSTED              62 /* client cert not trusted */
395
#define KDC_ERR_KDC_NOT_TRUSTED                 63
396
#define KDC_ERR_INVALID_SIG                     64 /* client signature verify failed */
397
#define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED  65 /* invalid Diffie-Hellman parameters */
398
#define KDC_ERR_CERTIFICATE_MISMATCH            66
399
#define KRB_AP_ERR_NO_TGT                       67
400
#define KDC_ERR_WRONG_REALM                     68
401
#define KRB_AP_ERR_USER_TO_USER_REQUIRED        69
402
#define KDC_ERR_CANT_VERIFY_CERTIFICATE         70 /* client cert not verifiable to */
403
                                                   /* trusted root cert */
404
#define KDC_ERR_INVALID_CERTIFICATE             71 /* client cert had invalid signature */
405
#define KDC_ERR_REVOKED_CERTIFICATE             72 /* client cert was revoked */
406
#define KDC_ERR_REVOCATION_STATUS_UNKNOWN       73 /* client cert revoked, reason unknown */
407
#define KDC_ERR_REVOCATION_STATUS_UNAVAILABLE   74
408
#define KDC_ERR_CLIENT_NAME_MISMATCH            75 /* mismatch between client cert and */
409
                                                   /* principal name */
410
#define KDC_ERR_INCONSISTENT_KEY_PURPOSE        77 /* bad extended key use */
411
#define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED     78 /* bad digest algorithm in client cert */
412
#define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED    79 /* missing paChecksum in PA-PK-AS-REQ */
413
#define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
414
#define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
415
#define KRB_AP_ERR_IAKERB_KDC_NOT_FOUND         85 /* The IAKERB proxy could
416
                                                      not find a KDC */
417
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE       86 /* The KDC did not respond
418
                                                      to the IAKERB proxy */
419
#define KDC_ERR_PREAUTH_EXPIRED                 90 /* RFC 6113 */
420
#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED      91 /* RFC 6113 */
421
#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
422

423
/*
424
 * A null-terminated array of this structure is returned by the KDC as
425
 * the data part of the ETYPE_INFO preauth type.  It informs the
426
 * client which encryption types are supported.
427
 * The  same data structure is used by both etype-info and etype-info2
428
 * but s2kparams must be null when encoding etype-info.
429
 */
430
typedef struct _krb5_etype_info_entry {
431
    krb5_magic      magic;
432
    krb5_enctype    etype;
433
    unsigned int    length;
434
    krb5_octet      *salt;
435
    krb5_data s2kparams;
436
} krb5_etype_info_entry;
437

438
/*
439
 *  This is essentially -1 without sign extension which can screw up
440
 *  comparisons on 64 bit machines. If the length is this value, then
441
 *  the salt data is not present. This is to distinguish between not
442
 *  being set and being of 0 length.
443
 */
444
#define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
445

446
typedef krb5_etype_info_entry ** krb5_etype_info;
447

448
/* RFC 4537 */
449
typedef struct _krb5_etype_list {
450
    int             length;
451
    krb5_enctype    *etypes;
452
} krb5_etype_list;
453

454
/* sam_type values -- informational only */
455
#define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
456
#define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
457
#define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
458
#define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
459
#define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
460
#define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
461
#if 1 /* XXX need to figure out who has which numbers assigned */
462
#define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
463
#define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
464
#define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
465
#endif
466
#define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
467
#define PA_SAM_TYPE_GRAIL               (PA_SAM_TYPE_EXP_BASE+0) /* testing */
468
#define PA_SAM_TYPE_SECURID_PREDICT     (PA_SAM_TYPE_EXP_BASE+1) /* special */
469

470
typedef struct _krb5_sam_challenge_2 {
471
    krb5_data       sam_challenge_2_body;
472
    krb5_checksum   **sam_cksum;            /* Array of checksums */
473
} krb5_sam_challenge_2;
474

475
typedef struct _krb5_sam_challenge_2_body {
476
    krb5_magic      magic;
477
    krb5_int32      sam_type; /* information */
478
    krb5_flags      sam_flags; /* KRB5_SAM_* values */
479
    krb5_data       sam_type_name;
480
    krb5_data       sam_track_id;
481
    krb5_data       sam_challenge_label;
482
    krb5_data       sam_challenge;
483
    krb5_data       sam_response_prompt;
484
    krb5_data       sam_pk_for_sad;
485
    krb5_int32      sam_nonce;
486
    krb5_enctype    sam_etype;
487
} krb5_sam_challenge_2_body;
488

489
typedef struct _krb5_sam_response_2 {
490
    krb5_magic      magic;
491
    krb5_int32      sam_type; /* informational */
492
    krb5_flags      sam_flags; /* KRB5_SAM_* values */
493
    krb5_data       sam_track_id; /* copied */
494
    krb5_enc_data   sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
495
    krb5_int32      sam_nonce;
496
} krb5_sam_response_2;
497

498
typedef struct _krb5_enc_sam_response_enc_2 {
499
    krb5_magic      magic;
500
    krb5_int32      sam_nonce;
501
    krb5_data       sam_sad;
502
} krb5_enc_sam_response_enc_2;
503

504
/*
505
 * Keep the pkinit definitions in a separate file so that the plugin
506
 * only has to include k5-int-pkinit.h rather than k5-int.h
507
 */
508

509
#include "k5-int-pkinit.h"
510

511
#define KRB5_OTP_FLAG_NEXTOTP        0x40000000
512
#define KRB5_OTP_FLAG_COMBINE        0x20000000
513
#define KRB5_OTP_FLAG_COLLECT_PIN    0x10000000
514
#define KRB5_OTP_FLAG_NO_COLLECT_PIN 0x08000000
515
#define KRB5_OTP_FLAG_ENCRYPT_NONCE  0x04000000
516
#define KRB5_OTP_FLAG_SEPARATE_PIN   0x02000000
517
#define KRB5_OTP_FLAG_CHECK_DIGIT    0x01000000
518

519
#define KRB5_OTP_FORMAT_DECIMAL      0x00000000
520
#define KRB5_OTP_FORMAT_HEXADECIMAL  0x00000001
521
#define KRB5_OTP_FORMAT_ALPHANUMERIC 0x00000002
522
#define KRB5_OTP_FORMAT_BINARY       0x00000003
523
#define KRB5_OTP_FORMAT_BASE64       0x00000004
524

525
typedef struct _krb5_otp_tokeninfo {
526
    krb5_flags flags;
527
    krb5_data vendor;
528
    krb5_data challenge;
529
    krb5_int32 length;          /* -1 for unspecified */
530
    krb5_int32 format;          /* -1 for unspecified */
531
    krb5_data token_id;
532
    krb5_data alg_id;
533
    krb5_algorithm_identifier **supported_hash_alg;
534
    krb5_int32 iteration_count; /* -1 for unspecified */
535
} krb5_otp_tokeninfo;
536

537
typedef struct _krb5_pa_otp_challenge {
538
    krb5_data nonce;
539
    krb5_data service;
540
    krb5_otp_tokeninfo **tokeninfo;
541
    krb5_data salt;
542
    krb5_data s2kparams;
543
} krb5_pa_otp_challenge;
544

545
typedef struct _krb5_pa_otp_req {
546
    krb5_int32 flags;
547
    krb5_data nonce;
548
    krb5_enc_data enc_data;
549
    krb5_algorithm_identifier *hash_alg;
550
    krb5_int32 iteration_count; /* -1 for unspecified */
551
    krb5_data otp_value;
552
    krb5_data pin;
553
    krb5_data challenge;
554
    krb5_timestamp time;
555
    krb5_data counter;
556
    krb5_int32 format;          /* -1 for unspecified */
557
    krb5_data token_id;
558
    krb5_data alg_id;
559
    krb5_data vendor;
560
} krb5_pa_otp_req;
561

562
typedef struct _krb5_kkdcp_message {
563
    krb5_data kerb_message;
564
    krb5_data target_domain;
565
    krb5_int32 dclocator_hint;
566
} krb5_kkdcp_message;
567

568
/* Plain text of an encrypted PA-FX-COOKIE value produced by the KDC. */
569
typedef struct _krb5_secure_cookie {
570
    time_t time;
571
    krb5_pa_data **data;
572
} krb5_secure_cookie;
573

574
typedef struct _krb5_pa_pac_options {
575
    krb5_flags options;
576
} krb5_pa_pac_options;
577

578
/* In PAC options, indicates Resource-Based Constrained Delegation support. */
579
#define KRB5_PA_PAC_OPTIONS_RBCD 0x10000000
580

581
#include <stdlib.h>
582
#include <string.h>
583

584
#ifndef HAVE_STRDUP
585
extern char *strdup (const char *);
586
#endif
587

588
#ifdef HAVE_UNISTD_H
589
#include <unistd.h>
590
#endif
591

592
#ifdef HAVE_SYS_TIME_H
593
#include <sys/time.h>
594
#endif
595
#include <time.h>
596

597
#ifdef HAVE_SYS_STAT_H
598
#include <sys/stat.h>                   /* struct stat, stat() */
599
#endif
600

601
#ifdef HAVE_SYS_PARAM_H
602
#include <sys/param.h>                  /* MAXPATHLEN */
603
#endif
604

605
#ifdef HAVE_SYS_FILE_H
606
#include <sys/file.h>                   /* prototypes for file-related
607
                                           syscalls; flags for open &
608
                                           friends */
609
#endif
610

611
#ifdef HAVE_FCNTL_H
612
#include <fcntl.h>
613
#endif
614

615
#include <stdio.h>
616

617
#include "k5-gmt_mktime.h"
618

619
/* libos.spec */
620
krb5_error_code krb5_lock_file(krb5_context, int, int);
621
krb5_error_code krb5_unlock_file(krb5_context, int);
622
krb5_error_code krb5_sendto_kdc(krb5_context, const krb5_data *,
623
                                const krb5_data *, krb5_data *, int *, int);
624

625
krb5_error_code krb5int_init_context_kdc(krb5_context *);
626

627
struct derived_key {
628
    krb5_data constant;
629
    krb5_key dkey;
630
    struct derived_key *next;
631
};
632

633
/* Internal structure of an opaque key identifier */
634
struct krb5_key_st {
635
    krb5_keyblock keyblock;
636
    int refcount;
637
    struct derived_key *derived;
638
    /*
639
     * Cache of data private to the cipher implementation, which we
640
     * don't want to have to recompute for every operation.  This may
641
     * include key schedules, iteration counts, etc.
642
     *
643
     * The cipher implementation is responsible for setting this up
644
     * whenever needed, and the enc_provider key_cleanup method must
645
     * then be provided to dispose of it.
646
     */
647
    void *cache;
648
};
649

650
krb5_error_code
651
krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage,
652
                         const krb5_data *kd_data, krb5_crypto_iov *data,
653
                         size_t num_data);
654

655
#define K5_SHA256_HASHLEN (256 / 8)
656

657
/* Write the SHA-256 hash of in (containing n elements) to out. */
658
krb5_error_code
659
k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]);
660

661
/* Convenience function: zap and free ptr if it is non-NULL. */
662
static inline void
663
zapfree(void *ptr, size_t len)
664
{
665
    if (ptr != NULL) {
666
        zap(ptr, len);
667
        free(ptr);
668
    }
669
}
670

671
/* Convenience function: zap and free zero-terminated str if it is non-NULL. */
672
static inline void
673
zapfreestr(void *str)
674
{
675
    if (str != NULL) {
676
        zap(str, strlen((char *)str));
677
        free(str);
678
    }
679
}
680

681
/* Convenience function: zap and free krb5_data pointer if it is non-NULL. */
682
static inline void
683
zapfreedata(krb5_data *data)
684
{
685
    if (data != NULL) {
686
        zapfree(data->data, data->length);
687
        free(data);
688
    }
689
}
690

691
void krb5int_c_free_keyblock(krb5_context, krb5_keyblock *key);
692
void krb5int_c_free_keyblock_contents(krb5_context, krb5_keyblock *);
693
krb5_error_code krb5int_c_init_keyblock(krb5_context, krb5_enctype enctype,
694
                                        size_t length, krb5_keyblock **out);
695
krb5_error_code krb5int_c_copy_keyblock(krb5_context context,
696
                                        const krb5_keyblock *from,
697
                                        krb5_keyblock **to);
698
krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context,
699
                                                 const krb5_keyblock *from,
700
                                                 krb5_keyblock *to);
701

702
krb5_error_code k5_us_timeofday(krb5_timestamp *, krb5_int32 *);
703
krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *);
704

705
/*
706
 * End "los-proto.h"
707
 */
708

709
typedef struct _krb5_os_context {
710
    krb5_magic              magic;
711
    krb5_int32              time_offset;
712
    krb5_int32              usec_offset;
713
    krb5_int32              os_flags;
714
    char *                  default_ccname;
715
} *krb5_os_context;
716

717
/*
718
 * Flags for the os_flags field
719
 *
720
 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
721
 * The intention is that this facility to correct the system clocks so
722
 * that they reflect the "real" time, for systems where for some
723
 * reason we can't set the system clock.  Instead we calculate the
724
 * offset between the system time and real time, and store the offset
725
 * in the os context so that we can correct the system clock as necessary.
726
 *
727
 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
728
 * returned as the time by the krb5 time routines.  This should only
729
 * be used for testing purposes (obviously!)
730
 */
731
#define KRB5_OS_TOFFSET_VALID   1
732
#define KRB5_OS_TOFFSET_TIME    2
733

734
/* lock mode flags */
735
#define KRB5_LOCKMODE_SHARED    0x0001
736
#define KRB5_LOCKMODE_EXCLUSIVE 0x0002
737
#define KRB5_LOCKMODE_DONTBLOCK 0x0004
738
#define KRB5_LOCKMODE_UNLOCK    0x0008
739

740
/*
741
 * Begin "preauth.h"
742
 *
743
 * (Originally written by Glen Machin at Sandia Labs.)
744
 */
745
/*
746
 * Sandia National Laboratories also makes no representations about the
747
 * suitability of the modifications, or additions to this software for
748
 * any purpose.  It is provided "as is" without express or implied warranty.
749
 */
750
#ifndef KRB5_PREAUTH__
751
#define KRB5_PREAUTH__
752

753
typedef struct _krb5_pa_enc_ts {
754
    krb5_timestamp      patimestamp;
755
    krb5_int32          pausec;
756
} krb5_pa_enc_ts;
757

758
typedef struct _krb5_pa_for_user {
759
    krb5_principal      user;
760
    krb5_checksum       cksum;
761
    krb5_data           auth_package;
762
} krb5_pa_for_user;
763

764
typedef struct _krb5_s4u_userid {
765
    krb5_int32          nonce;
766
    krb5_principal      user;
767
    krb5_data           subject_cert;
768
    krb5_flags          options;
769
} krb5_s4u_userid;
770

771
#define KRB5_S4U_OPTS_CHECK_LOGON_HOURS         0x40000000 /* check logon hour restrictions */
772
#define KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE       0x20000000 /* sign with usage 27 instead of 26 */
773

774
typedef struct _krb5_pa_s4u_x509_user {
775
    krb5_s4u_userid     user_id;
776
    krb5_checksum       cksum;
777
} krb5_pa_s4u_x509_user;
778

779
enum {
780
    KRB5_FAST_ARMOR_AP_REQUEST = 0x1
781
};
782

783
typedef struct _krb5_fast_armor {
784
    krb5_int32 armor_type;
785
    krb5_data armor_value;
786
} krb5_fast_armor;
787
typedef struct _krb5_fast_armored_req {
788
    krb5_magic magic;
789
    krb5_fast_armor *armor;
790
    krb5_checksum req_checksum;
791
    krb5_enc_data enc_part;
792
} krb5_fast_armored_req;
793

794
typedef struct _krb5_fast_req {
795
    krb5_magic magic;
796
    krb5_flags fast_options;
797
    /* padata from req_body is used*/
798
    krb5_kdc_req *req_body;
799
} krb5_fast_req;
800

801
/* Bits 0-15 are critical in FAST options (RFC 6113 section 7.3). */
802
#define UNSUPPORTED_CRITICAL_FAST_OPTIONS   0xbfff0000
803
#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES  0x40000000
804

805
typedef struct _krb5_fast_finished {
806
    krb5_timestamp timestamp;
807
    krb5_int32 usec;
808
    krb5_principal client;
809
    krb5_checksum ticket_checksum;
810
} krb5_fast_finished;
811

812
typedef struct _krb5_fast_response {
813
    krb5_magic magic;
814
    krb5_pa_data **padata;
815
    krb5_keyblock *strengthen_key;
816
    krb5_fast_finished *finished;
817
    krb5_int32 nonce;
818
} krb5_fast_response;
819

820
typedef struct _krb5_ad_kdcissued {
821
    krb5_checksum ad_checksum;
822
    krb5_principal i_principal;
823
    krb5_authdata **elements;
824
} krb5_ad_kdcissued;
825

826
typedef struct _krb5_iakerb_header {
827
    krb5_data target_realm;
828
    krb5_data *cookie;
829
} krb5_iakerb_header;
830

831
typedef struct _krb5_iakerb_finished {
832
    krb5_checksum checksum;
833
} krb5_iakerb_finished;
834

835
typedef struct _krb5_verifier_mac {
836
    krb5_principal princ;
837
    krb5_kvno kvno;
838
    krb5_enctype enctype;
839
    krb5_checksum checksum;
840
} krb5_verifier_mac;
841

842
/*
843
 * AD-CAMMAC's other-verifiers field is a sequence of Verifier, which is an
844
 * extensible choice with only one selection, Verifier-MAC.  For the time being
845
 * we will represent this field directly as an array of krb5_verifier_mac.
846
 * That will have to change if other selections are added.
847
 */
848
typedef struct _krb5_cammac {
849
    krb5_authdata **elements;
850
    krb5_verifier_mac *kdc_verifier;
851
    krb5_verifier_mac *svc_verifier;
852
    krb5_verifier_mac **other_verifiers;
853
} krb5_cammac;
854

855
void krb5_free_etype_info(krb5_context, krb5_etype_info);
856

857
krb5_pa_data *
858
krb5int_find_pa_data(krb5_context, krb5_pa_data *const *, krb5_preauthtype);
859
/* Does not return a copy; original padata sequence responsible for freeing*/
860

861
/* Allocate a pa-data object with uninitialized contents of size len.  If len
862
 * is 0, set the contents field to NULL. */
863
krb5_error_code
864
k5_alloc_pa_data(krb5_preauthtype pa_type, size_t len, krb5_pa_data **out);
865

866
/* Free a single pa-data object. */
867
void
868
k5_free_pa_data_element(krb5_pa_data *pa);
869

870
/* Without copying, add single element *pa to *list, reallocating as necessary.
871
 * If *list is NULL, allocate a new list.  Set *pa to NULL on success. */
872
krb5_error_code
873
k5_add_pa_data_element(krb5_pa_data ***list, krb5_pa_data **pa);
874

875
/* Without copying, add a pa-data element of type pa_type to *list with the
876
 * contents in data.  Set *data to empty_data() on success. */
877
krb5_error_code
878
k5_add_pa_data_from_data(krb5_pa_data ***list, krb5_preauthtype pa_type,
879
                         krb5_data *data);
880

881
/* Add an empty pa-data element of type pa_type to *list. */
882
krb5_error_code
883
k5_add_empty_pa_data(krb5_pa_data ***list, krb5_preauthtype pa_type);
884

885
#endif /* KRB5_PREAUTH__ */
886
/*
887
 * End "preauth.h"
888
 */
889

890
krb5_error_code
891
krb5int_copy_data_contents(krb5_context, const krb5_data *, krb5_data *);
892

893
krb5_error_code
894
krb5int_copy_data_contents_add0(krb5_context, const krb5_data *, krb5_data *);
895

896
void KRB5_CALLCONV
897
krb5_free_sam_challenge_2(krb5_context, krb5_sam_challenge_2 *);
898

899
void KRB5_CALLCONV
900
krb5_free_sam_challenge_2_body(krb5_context, krb5_sam_challenge_2_body *);
901

902
void KRB5_CALLCONV
903
krb5_free_sam_response_2(krb5_context, krb5_sam_response_2 *);
904

905
void KRB5_CALLCONV
906
krb5_free_enc_sam_response_enc_2(krb5_context, krb5_enc_sam_response_enc_2 *);
907

908
void KRB5_CALLCONV
909
krb5_free_sam_challenge_2_contents(krb5_context, krb5_sam_challenge_2 *);
910

911
void KRB5_CALLCONV
912
krb5_free_sam_challenge_2_body_contents(krb5_context,
913
                                        krb5_sam_challenge_2_body *);
914

915
void KRB5_CALLCONV
916
krb5_free_sam_response_2_contents(krb5_context, krb5_sam_response_2 *);
917

918
void KRB5_CALLCONV
919
krb5_free_enc_sam_response_enc_2_contents(krb5_context,
920
                                          krb5_enc_sam_response_enc_2 * );
921

922
void KRB5_CALLCONV
923
krb5_free_pa_enc_ts(krb5_context, krb5_pa_enc_ts *);
924

925
void KRB5_CALLCONV
926
krb5_free_pa_for_user(krb5_context, krb5_pa_for_user *);
927

928
void KRB5_CALLCONV
929
krb5_free_s4u_userid_contents(krb5_context, krb5_s4u_userid *);
930

931
void KRB5_CALLCONV
932
krb5_free_pa_s4u_x509_user(krb5_context, krb5_pa_s4u_x509_user *);
933

934
void KRB5_CALLCONV
935
krb5_free_pa_pac_req(krb5_context, krb5_pa_pac_req * );
936

937
void KRB5_CALLCONV krb5_free_fast_armor(krb5_context, krb5_fast_armor *);
938
void KRB5_CALLCONV krb5_free_fast_armored_req(krb5_context,
939
                                              krb5_fast_armored_req *);
940
void KRB5_CALLCONV krb5_free_fast_req(krb5_context, krb5_fast_req *);
941
void KRB5_CALLCONV krb5_free_fast_finished(krb5_context, krb5_fast_finished *);
942
void KRB5_CALLCONV krb5_free_fast_response(krb5_context, krb5_fast_response *);
943
void KRB5_CALLCONV krb5_free_ad_kdcissued(krb5_context, krb5_ad_kdcissued *);
944
void KRB5_CALLCONV krb5_free_iakerb_header(krb5_context, krb5_iakerb_header *);
945
void KRB5_CALLCONV krb5_free_iakerb_finished(krb5_context,
946
                                             krb5_iakerb_finished *);
947
void k5_free_algorithm_identifier(krb5_context context,
948
                                  krb5_algorithm_identifier *val);
949
void k5_free_otp_tokeninfo(krb5_context context, krb5_otp_tokeninfo *val);
950
void k5_free_pa_otp_challenge(krb5_context context,
951
                              krb5_pa_otp_challenge *val);
952
void k5_free_pa_otp_req(krb5_context context, krb5_pa_otp_req *val);
953
void k5_free_kkdcp_message(krb5_context context, krb5_kkdcp_message *val);
954
void k5_free_cammac(krb5_context context, krb5_cammac *val);
955
void k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val);
956

957
krb5_error_code
958
k5_unwrap_cammac_svc(krb5_context context, const krb5_authdata *ad,
959
                     const krb5_keyblock *key, krb5_authdata ***adata_out);
960
krb5_error_code
961
k5_authind_decode(const krb5_authdata *ad, krb5_data ***indicators);
962

963
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
964
#include "com_err.h"
965
#include "k5-plugin.h"
966

967
#include <krb5/authdata_plugin.h>
968

969
struct _krb5_authdata_context {
970
    krb5_magic magic;
971
    int n_modules;
972
    struct _krb5_authdata_context_module {
973
        krb5_authdatatype ad_type;
974
        void *plugin_context;
975
        authdata_client_plugin_fini_proc client_fini;
976
        krb5_flags flags;
977
        krb5plugin_authdata_client_ftable_v0 *ftable;
978
        authdata_client_request_init_proc client_req_init;
979
        authdata_client_request_fini_proc client_req_fini;
980
        const char *name;
981
        void *request_context;
982
        void **request_context_pp;
983
    } *modules;
984
    struct plugin_dir_handle plugins;
985
};
986

987
typedef struct _krb5_authdata_context *krb5_authdata_context;
988

989
void
990
k5_free_data_ptr_list(krb5_data **list);
991

992
void
993
k5_zapfree_pa_data(krb5_pa_data **val);
994

995
void KRB5_CALLCONV
996
krb5int_free_data_list(krb5_context context, krb5_data *data);
997

998
krb5_error_code KRB5_CALLCONV
999
krb5_authdata_context_init(krb5_context kcontext,
1000
                           krb5_authdata_context *pcontext);
1001

1002
void KRB5_CALLCONV
1003
krb5_authdata_context_free(krb5_context kcontext,
1004
                           krb5_authdata_context context);
1005

1006
krb5_error_code KRB5_CALLCONV
1007
krb5_authdata_export_authdata(krb5_context kcontext,
1008
                              krb5_authdata_context context, krb5_flags usage,
1009
                              krb5_authdata ***pauthdata);
1010

1011
krb5_error_code KRB5_CALLCONV
1012
krb5_authdata_get_attribute_types(krb5_context kcontext,
1013
                                  krb5_authdata_context context,
1014
                                  krb5_data **attrs);
1015

1016
krb5_error_code KRB5_CALLCONV
1017
krb5_authdata_get_attribute(krb5_context kcontext,
1018
                            krb5_authdata_context context,
1019
                            const krb5_data *attribute,
1020
                            krb5_boolean *authenticated,
1021
                            krb5_boolean *complete, krb5_data *value,
1022
                            krb5_data *display_value, int *more);
1023

1024
krb5_error_code KRB5_CALLCONV
1025
krb5_authdata_set_attribute(krb5_context kcontext,
1026
                            krb5_authdata_context context,
1027
                            krb5_boolean complete, const krb5_data *attribute,
1028
                            const krb5_data *value);
1029

1030
krb5_error_code KRB5_CALLCONV
1031
krb5_authdata_delete_attribute(krb5_context kcontext,
1032
                               krb5_authdata_context context,
1033
                               const krb5_data *attribute);
1034

1035
krb5_error_code KRB5_CALLCONV
1036
krb5_authdata_import_attributes(krb5_context kcontext,
1037
                                krb5_authdata_context context,
1038
                                krb5_flags usage, const krb5_data *attributes);
1039

1040
krb5_error_code KRB5_CALLCONV
1041
krb5_authdata_export_attributes(krb5_context kcontext,
1042
                                krb5_authdata_context context,
1043
                                krb5_flags usage, krb5_data **pattributes);
1044

1045
krb5_error_code KRB5_CALLCONV
1046
krb5_authdata_export_internal(krb5_context kcontext,
1047
                              krb5_authdata_context context,
1048
                              krb5_boolean restrict_authenticated,
1049
                              const char *module, void **ptr);
1050

1051
krb5_error_code KRB5_CALLCONV
1052
krb5_authdata_context_copy(krb5_context kcontext, krb5_authdata_context src,
1053
                           krb5_authdata_context *dst);
1054

1055
krb5_error_code KRB5_CALLCONV
1056
krb5_authdata_free_internal(krb5_context kcontext,
1057
                            krb5_authdata_context context, const char *module,
1058
                            void *ptr);
1059

1060
/*** Plugin framework ***/
1061

1062
/*
1063
 * This framework can be used to create pluggable interfaces.  Not all existing
1064
 * pluggable interface use this framework, but new ones should.  A new
1065
 * pluggable interface entails:
1066
 *
1067
 * - An interface ID definition in the list of #defines below.
1068
 *
1069
 * - A name in the interface_names array in lib/krb5/krb/plugins.c.
1070
 *
1071
 * - An installed public header file in include/krb5.  The public header should
1072
 *   include <krb5/plugin.h> and should declare a vtable structure for each
1073
 *   supported major version of the interface.
1074
 *
1075
 * - A consumer API implementation, located within the code unit which makes
1076
 *   use of the pluggable interface.  The consumer API should consist of:
1077
 *
1078
 *   . An interface-specific handle type which contains a vtable structure for
1079
 *     the module (or a union of several such structures, if there are multiple
1080
 *     supported major versions) and, optionally, resource data bound to the
1081
 *     handle.
1082
 *
1083
 *   . An interface-specific loader function which creates a handle or list of
1084
 *     handles.  A list of handles would be created if the interface is a
1085
 *     one-to-many interface where the consumer wants to consult all available
1086
 *     modules; a single handle would be created for an interface where the
1087
 *     consumer wants to consult a specific module.  The loader function should
1088
 *     use k5_plugin_load or k5_plugin_load_all to produce one or a list of
1089
 *     vtable initializer functions, and should use those functions to fill in
1090
 *     the vtable structure for the module (if necessary, trying each supported
1091
 *     major version starting from the most recent).  The loader function can
1092
 *     also bind resource data into the handle based on caller arguments, if
1093
 *     appropriate.
1094
 *
1095
 *   . For each plugin method, a wrapper function which accepts a krb5_context,
1096
 *     a plugin handle, and the method arguments.  Wrapper functions should
1097
 *     invoke the method function contained in the handle's vtable.
1098
 *
1099
 * - Possibly, built-in implementations of the interface, also located within
1100
 *   the code unit which makes use of the interface.  Built-in implementations
1101
 *   must be registered with k5_plugin_register before the first call to
1102
 *   k5_plugin_load or k5_plugin_load_all.
1103
 *
1104
 * A pluggable interface should have one or more currently supported major
1105
 * versions, starting at 1.  Each major version should have a current minor
1106
 * version, also starting at 1.  If new methods are added to a vtable, the
1107
 * minor version should be incremented and the vtable structure should document
1108
 * where each minor vtable version ends.  If method signatures for a vtable are
1109
 * changed, the major version should be incremented.
1110
 *
1111
 * Plugin module implementations (either built-in or dynamically loaded) should
1112
 * define a function named <interfacename>_<modulename>_initvt, matching the
1113
 * signature of krb5_plugin_initvt_fn as declared in include/krb5/plugin.h.
1114
 * The initvt function should check the given maj_ver argument against its own
1115
 * supported major versions, cast the vtable pointer to the appropriate
1116
 * interface-specific vtable type, and fill in the vtable methods, stopping as
1117
 * appropriate for the given min_ver.  Memory for the vtable structure is
1118
 * allocated by the caller, not by the module.
1119
 *
1120
 * Dynamic plugin modules are registered with the framework through the
1121
 * [plugins] section of the profile, as described in the admin documentation
1122
 * and krb5.conf man page.
1123
 */
1124

1125
struct plugin_mapping;
1126

1127
/* Holds krb5_context information about each pluggable interface. */
1128
struct plugin_interface {
1129
    struct plugin_mapping **modules;
1130
    krb5_boolean configured;
1131
};
1132

1133
/* A list of plugin interface IDs.  Make sure to increment
1134
 * PLUGIN_NUM_INTERFACES when a new interface is added, and add an entry to the
1135
 * interface_names table in lib/krb5/krb/plugin.c. */
1136
#define PLUGIN_INTERFACE_PWQUAL      0
1137
#define PLUGIN_INTERFACE_KADM5_HOOK  1
1138
#define PLUGIN_INTERFACE_CLPREAUTH   2
1139
#define PLUGIN_INTERFACE_KDCPREAUTH  3
1140
#define PLUGIN_INTERFACE_CCSELECT    4
1141
#define PLUGIN_INTERFACE_LOCALAUTH   5
1142
#define PLUGIN_INTERFACE_HOSTREALM   6
1143
#define PLUGIN_INTERFACE_AUDIT       7
1144
#define PLUGIN_INTERFACE_TLS         8
1145
#define PLUGIN_INTERFACE_KDCAUTHDATA 9
1146
#define PLUGIN_INTERFACE_CERTAUTH    10
1147
#define PLUGIN_INTERFACE_KADM5_AUTH  11
1148
#define PLUGIN_INTERFACE_KDCPOLICY   12
1149
#define PLUGIN_NUM_INTERFACES        13
1150

1151
/* Retrieve the plugin module of type interface_id and name modname,
1152
 * storing the result into module. */
1153
krb5_error_code
1154
k5_plugin_load(krb5_context context, int interface_id, const char *modname,
1155
               krb5_plugin_initvt_fn *module);
1156

1157
/* Retrieve all plugin modules of type interface_id, storing the result
1158
 * into modules.  Free the result with k5_plugin_free_handles. */
1159
krb5_error_code
1160
k5_plugin_load_all(krb5_context context, int interface_id,
1161
                   krb5_plugin_initvt_fn **modules);
1162

1163
/* Release a module list allocated by k5_plugin_load_all. */
1164
void
1165
k5_plugin_free_modules(krb5_context context, krb5_plugin_initvt_fn *modules);
1166

1167
/* Register a plugin module of type interface_id and name modname. */
1168
krb5_error_code
1169
k5_plugin_register(krb5_context context, int interface_id, const char *modname,
1170
                   krb5_plugin_initvt_fn module);
1171

1172
/*
1173
 * Register a plugin module which is part of the krb5 tree but is built as a
1174
 * dynamic plugin.  Look for the module in modsubdir relative to the
1175
 * context->base_plugin_dir.
1176
 */
1177
krb5_error_code
1178
k5_plugin_register_dyn(krb5_context context, int interface_id,
1179
                       const char *modname, const char *modsubdir);
1180

1181
/* Destroy the module state within context; used by krb5_free_context. */
1182
void
1183
k5_plugin_free_context(krb5_context context);
1184

1185
enum dns_canonhost {
1186
    CANONHOST_FALSE = 0,
1187
    CANONHOST_TRUE = 1,
1188
    CANONHOST_FALLBACK = 2
1189
};
1190

1191
struct _kdb5_dal_handle;        /* private, in kdb5.h */
1192
typedef struct _kdb5_dal_handle kdb5_dal_handle;
1193
struct _kdb_log_context;
1194
typedef struct krb5_preauth_context_st *krb5_preauth_context;
1195
struct ccselect_module_handle;
1196
struct localauth_module_handle;
1197
struct hostrealm_module_handle;
1198
struct k5_tls_vtable_st;
1199
struct _krb5_context {
1200
    krb5_magic      magic;
1201
    krb5_enctype    *tgs_etypes;
1202
    struct _krb5_os_context os_context;
1203
    char            *default_realm;
1204
    profile_t       profile;
1205
    kdb5_dal_handle *dal_handle;
1206
    /* allowable clock skew */
1207
    krb5_deltat     clockskew;
1208
    krb5_deltat     req_timeout;
1209
    krb5_flags      kdc_default_options;
1210
    krb5_flags      library_options;
1211
    krb5_boolean    profile_secure;
1212
    int             fcc_default_format;
1213
    krb5_prompt_type *prompt_types;
1214
    /* Message size above which we'll try TCP first in send-to-kdc
1215
       type code.  Aside from the 2**16 size limit, we put no
1216
       absolute limit on the UDP packet size.  */
1217
    int             udp_pref_limit;
1218

1219
    /* Use the config-file ktypes instead of app-specified?  */
1220
    krb5_boolean    use_conf_ktypes;
1221

1222
    /* locate_kdc module stuff */
1223
    struct plugin_dir_handle libkrb5_plugins;
1224

1225
    /* preauth module stuff */
1226
    krb5_preauth_context preauth_context;
1227

1228
    /* cache module stuff */
1229
    struct ccselect_module_handle **ccselect_handles;
1230

1231
    /* localauth module stuff */
1232
    struct localauth_module_handle **localauth_handles;
1233

1234
    /* hostrealm module stuff */
1235
    struct hostrealm_module_handle **hostrealm_handles;
1236

1237
    /* TLS module vtable (if loaded) */
1238
    struct k5_tls_vtable_st *tls;
1239

1240
    /* error detail info */
1241
    struct errinfo err;
1242
    char *err_fmt;
1243

1244
    /* For Sun iprop code; does this really have to be here?  */
1245
    struct _kdb_log_context *kdblog_context;
1246

1247
    krb5_boolean allow_weak_crypto;
1248
    krb5_boolean allow_des3;
1249
    krb5_boolean allow_rc4;
1250
    krb5_boolean ignore_acceptor_hostname;
1251
    krb5_boolean enforce_ok_as_delegate;
1252
    enum dns_canonhost dns_canonicalize_hostname;
1253

1254
    krb5_trace_callback trace_callback;
1255
    void *trace_callback_data;
1256

1257
    krb5_pre_send_fn kdc_send_hook;
1258
    void *kdc_send_hook_data;
1259

1260
    krb5_post_recv_fn kdc_recv_hook;
1261
    void *kdc_recv_hook_data;
1262

1263
    struct plugin_interface plugins[PLUGIN_NUM_INTERFACES];
1264
    char *plugin_base_dir;
1265
};
1266

1267
/* could be used in a table to find an etype and initialize a block */
1268

1269

1270
#define KRB5_LIBOPT_SYNC_KDCTIME        0x0001
1271

1272
/* internal message representations */
1273

1274
typedef struct _krb5_safe {
1275
    krb5_magic magic;
1276
    krb5_data user_data;                /* user data */
1277
    krb5_timestamp timestamp;           /* client time, optional */
1278
    krb5_int32 usec;                    /* microsecond portion of time,
1279
                                           optional */
1280
    krb5_ui_4 seq_number;               /* sequence #, optional */
1281
    krb5_address *s_address;    /* sender address */
1282
    krb5_address *r_address;    /* recipient address, optional */
1283
    krb5_checksum *checksum;    /* data integrity checksum */
1284
} krb5_safe;
1285

1286
typedef struct _krb5_priv {
1287
    krb5_magic magic;
1288
    krb5_enc_data enc_part;             /* encrypted part */
1289
} krb5_priv;
1290

1291
typedef struct _krb5_priv_enc_part {
1292
    krb5_magic magic;
1293
    krb5_data user_data;                /* user data */
1294
    krb5_timestamp timestamp;           /* client time, optional */
1295
    krb5_int32 usec;                    /* microsecond portion of time, opt. */
1296
    krb5_ui_4 seq_number;               /* sequence #, optional */
1297
    krb5_address *s_address;    /* sender address */
1298
    krb5_address *r_address;    /* recipient address, optional */
1299
} krb5_priv_enc_part;
1300

1301
void KRB5_CALLCONV krb5_free_safe(krb5_context, krb5_safe *);
1302
void KRB5_CALLCONV krb5_free_priv(krb5_context, krb5_priv *);
1303
void KRB5_CALLCONV krb5_free_priv_enc_part(krb5_context, krb5_priv_enc_part *);
1304

1305
/*
1306
 * Begin "asn1.h"
1307
 */
1308
#ifndef KRB5_ASN1__
1309
#define KRB5_ASN1__
1310

1311
/* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1312
/* here we use some knowledge of ASN.1 encodings */
1313
/*
1314
  Ticket is APPLICATION 1.
1315
  Authenticator is APPLICATION 2.
1316
  AS_REQ is APPLICATION 10.
1317
  AS_REP is APPLICATION 11.
1318
  TGS_REQ is APPLICATION 12.
1319
  TGS_REP is APPLICATION 13.
1320
  AP_REQ is APPLICATION 14.
1321
  AP_REP is APPLICATION 15.
1322
  KRB_SAFE is APPLICATION 20.
1323
  KRB_PRIV is APPLICATION 21.
1324
  KRB_CRED is APPLICATION 22.
1325
  EncASRepPart is APPLICATION 25.
1326
  EncTGSRepPart is APPLICATION 26.
1327
  EncAPRepPart is APPLICATION 27.
1328
  EncKrbPrivPart is APPLICATION 28.
1329
  EncKrbCredPart is APPLICATION 29.
1330
  KRB_ERROR is APPLICATION 30.
1331
*/
1332
/* allow either constructed or primitive encoding, so check for bit 6
1333
   set or reset */
1334
#define krb5int_is_app_tag(dat,tag)                     \
1335
    ((dat != NULL) && (dat)->length &&                  \
1336
     ((((dat)->data[0] & ~0x20) == ((tag) | 0x40))))
1337
#define krb5_is_krb_ticket(dat)               krb5int_is_app_tag(dat, 1)
1338
#define krb5_is_krb_authenticator(dat)        krb5int_is_app_tag(dat, 2)
1339
#define krb5_is_as_req(dat)                   krb5int_is_app_tag(dat, 10)
1340
#define krb5_is_as_rep(dat)                   krb5int_is_app_tag(dat, 11)
1341
#define krb5_is_tgs_req(dat)                  krb5int_is_app_tag(dat, 12)
1342
#define krb5_is_tgs_rep(dat)                  krb5int_is_app_tag(dat, 13)
1343
#define krb5_is_ap_req(dat)                   krb5int_is_app_tag(dat, 14)
1344
#define krb5_is_ap_rep(dat)                   krb5int_is_app_tag(dat, 15)
1345
#define krb5_is_krb_safe(dat)                 krb5int_is_app_tag(dat, 20)
1346
#define krb5_is_krb_priv(dat)                 krb5int_is_app_tag(dat, 21)
1347
#define krb5_is_krb_cred(dat)                 krb5int_is_app_tag(dat, 22)
1348
#define krb5_is_krb_enc_as_rep_part(dat)      krb5int_is_app_tag(dat, 25)
1349
#define krb5_is_krb_enc_tgs_rep_part(dat)     krb5int_is_app_tag(dat, 26)
1350
#define krb5_is_krb_enc_ap_rep_part(dat)      krb5int_is_app_tag(dat, 27)
1351
#define krb5_is_krb_enc_krb_priv_part(dat)    krb5int_is_app_tag(dat, 28)
1352
#define krb5_is_krb_enc_krb_cred_part(dat)    krb5int_is_app_tag(dat, 29)
1353
#define krb5_is_krb_error(dat)                krb5int_is_app_tag(dat, 30)
1354

1355
/*************************************************************************
1356
 * Prototypes for krb5_encode.c
1357
 *************************************************************************/
1358

1359
/*
1360
  krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1361
  krb5_data **code);
1362
  modifies  *code
1363
  effects   Returns the ASN.1 encoding of *rep in **code.
1364
  Returns ASN1_MISSING_FIELD if a required field is empty in *rep.
1365
  Returns ENOMEM if memory runs out.
1366
*/
1367

1368
krb5_error_code
1369
encode_krb5_authenticator(const krb5_authenticator *rep, krb5_data **code);
1370

1371
krb5_error_code
1372
encode_krb5_ticket(const krb5_ticket *rep, krb5_data **code);
1373

1374
krb5_error_code
1375
encode_krb5_enc_tkt_part(const krb5_enc_tkt_part *rep, krb5_data **code);
1376

1377
krb5_error_code
1378
encode_krb5_enc_kdc_rep_part(const krb5_enc_kdc_rep_part *rep,
1379
                             krb5_data **code);
1380

1381
/* yes, the translation is identical to that used for KDC__REP */
1382
krb5_error_code
1383
encode_krb5_as_rep(const krb5_kdc_rep *rep, krb5_data **code);
1384

1385
/* yes, the translation is identical to that used for KDC__REP */
1386
krb5_error_code
1387
encode_krb5_tgs_rep(const krb5_kdc_rep *rep, krb5_data **code);
1388

1389
krb5_error_code
1390
encode_krb5_ap_req(const krb5_ap_req *rep, krb5_data **code);
1391

1392
krb5_error_code
1393
encode_krb5_ap_rep(const krb5_ap_rep *rep, krb5_data **code);
1394

1395
krb5_error_code
1396
encode_krb5_ap_rep_enc_part(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1397

1398
krb5_error_code
1399
encode_krb5_as_req(const krb5_kdc_req *rep, krb5_data **code);
1400

1401
krb5_error_code
1402
encode_krb5_tgs_req(const krb5_kdc_req *rep, krb5_data **code);
1403

1404
krb5_error_code
1405
encode_krb5_kdc_req_body(const krb5_kdc_req *rep, krb5_data **code);
1406

1407
krb5_error_code
1408
encode_krb5_safe(const krb5_safe *rep, krb5_data **code);
1409

1410
struct krb5_safe_with_body {
1411
    krb5_safe *safe;
1412
    krb5_data *body;
1413
};
1414
krb5_error_code
1415
encode_krb5_safe_with_body(const struct krb5_safe_with_body *rep,
1416
                           krb5_data **code);
1417

1418
krb5_error_code
1419
encode_krb5_priv(const krb5_priv *rep, krb5_data **code);
1420

1421
krb5_error_code
1422
encode_krb5_enc_priv_part(const krb5_priv_enc_part *rep, krb5_data **code);
1423

1424
krb5_error_code
1425
encode_krb5_cred(const krb5_cred *rep, krb5_data **code);
1426
krb5_error_code
1427
encode_krb5_checksum(const krb5_checksum *, krb5_data **);
1428

1429
krb5_error_code
1430
encode_krb5_enc_cred_part(const krb5_cred_enc_part *rep, krb5_data **code);
1431

1432
krb5_error_code
1433
encode_krb5_error(const krb5_error *rep, krb5_data **code);
1434

1435
krb5_error_code
1436
encode_krb5_authdata(krb5_authdata *const *rep, krb5_data **code);
1437

1438
krb5_error_code
1439
encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
1440

1441
krb5_error_code
1442
encode_krb5_typed_data(krb5_pa_data *const *rep, krb5_data **code);
1443

1444
krb5_error_code
1445
encode_krb5_etype_info(krb5_etype_info_entry *const *, krb5_data **code);
1446

1447
krb5_error_code
1448
encode_krb5_etype_info2(krb5_etype_info_entry *const *, krb5_data **code);
1449

1450
krb5_error_code
1451
encode_krb5_pa_enc_ts(const krb5_pa_enc_ts *, krb5_data **);
1452

1453
krb5_error_code
1454
encode_krb5_sam_challenge_2(const krb5_sam_challenge_2 * , krb5_data **);
1455

1456
krb5_error_code
1457
encode_krb5_sam_challenge_2_body(const krb5_sam_challenge_2_body *,
1458
                                 krb5_data **);
1459

1460
krb5_error_code
1461
encode_krb5_enc_sam_response_enc_2(const krb5_enc_sam_response_enc_2 *,
1462
                                   krb5_data **);
1463

1464
krb5_error_code
1465
encode_krb5_sam_response_2(const krb5_sam_response_2 * , krb5_data **);
1466

1467
struct krb5_setpw_req {
1468
    krb5_principal target;
1469
    krb5_data password;
1470
};
1471
krb5_error_code
1472
encode_krb5_setpw_req(const struct krb5_setpw_req *rep, krb5_data **code);
1473

1474
krb5_error_code
1475
encode_krb5_pa_for_user(const krb5_pa_for_user *, krb5_data **);
1476

1477
krb5_error_code
1478
encode_krb5_s4u_userid(const krb5_s4u_userid *, krb5_data **);
1479

1480
krb5_error_code
1481
encode_krb5_pa_s4u_x509_user(const krb5_pa_s4u_x509_user *, krb5_data **);
1482

1483
krb5_error_code
1484
encode_krb5_pa_pac_req(const krb5_pa_pac_req *, krb5_data **);
1485

1486
krb5_error_code
1487
encode_krb5_etype_list(const krb5_etype_list * , krb5_data **);
1488

1489
krb5_error_code
1490
encode_krb5_pa_fx_fast_request(const krb5_fast_armored_req *, krb5_data **);
1491

1492
krb5_error_code
1493
encode_krb5_fast_req(const krb5_fast_req *, krb5_data **);
1494

1495
krb5_error_code
1496
encode_krb5_pa_fx_fast_reply(const krb5_enc_data *, krb5_data **);
1497

1498
krb5_error_code
1499
encode_krb5_iakerb_header(const krb5_iakerb_header *, krb5_data **);
1500

1501
krb5_error_code
1502
encode_krb5_iakerb_finished(const krb5_iakerb_finished *, krb5_data **);
1503

1504
krb5_error_code
1505
encode_krb5_fast_response(const krb5_fast_response *, krb5_data **);
1506

1507
krb5_error_code
1508
encode_krb5_ad_kdcissued(const krb5_ad_kdcissued *, krb5_data **);
1509

1510
krb5_error_code
1511
encode_krb5_otp_tokeninfo(const krb5_otp_tokeninfo *, krb5_data **);
1512

1513
krb5_error_code
1514
encode_krb5_pa_otp_challenge(const krb5_pa_otp_challenge *, krb5_data **);
1515

1516
krb5_error_code
1517
encode_krb5_pa_otp_req(const krb5_pa_otp_req *, krb5_data **);
1518

1519
krb5_error_code
1520
encode_krb5_pa_otp_enc_req(const krb5_data *, krb5_data **);
1521

1522
krb5_error_code
1523
encode_krb5_kkdcp_message(const krb5_kkdcp_message *, krb5_data **);
1524

1525
krb5_error_code
1526
encode_krb5_cammac(const krb5_cammac *, krb5_data **);
1527

1528
krb5_error_code
1529
encode_utf8_strings(krb5_data *const *ut8fstrings, krb5_data **);
1530

1531
krb5_error_code
1532
encode_krb5_secure_cookie(const krb5_secure_cookie *, krb5_data **);
1533

1534
krb5_error_code
1535
encode_krb5_pa_pac_options(const krb5_pa_pac_options *, krb5_data **);
1536

1537
/*************************************************************************
1538
 * End of prototypes for krb5_encode.c
1539
 *************************************************************************/
1540

1541
krb5_error_code
1542
decode_krb5_sam_challenge_2(const krb5_data *, krb5_sam_challenge_2 **);
1543

1544
krb5_error_code
1545
decode_krb5_sam_challenge_2_body(const krb5_data *,
1546
                                 krb5_sam_challenge_2_body **);
1547

1548
krb5_error_code
1549
decode_krb5_enc_sam_response_enc_2(const krb5_data *,
1550
                                   krb5_enc_sam_response_enc_2 **);
1551

1552
krb5_error_code
1553
decode_krb5_sam_response_2(const krb5_data *, krb5_sam_response_2 **);
1554

1555

1556
/*************************************************************************
1557
 * Prototypes for krb5_decode.c
1558
 *************************************************************************/
1559
/*
1560
  krb5_error_code decode_krb5_structure(const krb5_data *code,
1561
  krb5_structure **rep);
1562

1563
  requires  Expects **rep to not have been allocated;
1564
  a new *rep is allocated regardless of the old value.
1565
  effects   Decodes *code into **rep.
1566
  Returns ENOMEM if memory is exhausted.
1567
  Returns asn1 and krb5 errors.
1568
*/
1569

1570
krb5_error_code
1571
decode_krb5_authenticator(const krb5_data *code, krb5_authenticator **rep);
1572

1573
krb5_error_code
1574
decode_krb5_ticket(const krb5_data *code, krb5_ticket **rep);
1575

1576
krb5_error_code
1577
decode_krb5_encryption_key(const krb5_data *output, krb5_keyblock **rep);
1578

1579
krb5_error_code
1580
decode_krb5_enc_tkt_part(const krb5_data *output, krb5_enc_tkt_part **rep);
1581

1582
krb5_error_code
1583
decode_krb5_enc_kdc_rep_part(const krb5_data *output,
1584
                             krb5_enc_kdc_rep_part **rep);
1585

1586
krb5_error_code
1587
decode_krb5_as_rep(const krb5_data *output, krb5_kdc_rep **rep);
1588

1589
krb5_error_code
1590
decode_krb5_tgs_rep(const krb5_data *output, krb5_kdc_rep **rep);
1591

1592
krb5_error_code
1593
decode_krb5_ap_req(const krb5_data *output, krb5_ap_req **rep);
1594

1595
krb5_error_code
1596
decode_krb5_ap_rep(const krb5_data *output, krb5_ap_rep **rep);
1597

1598
krb5_error_code
1599
decode_krb5_ap_rep_enc_part(const krb5_data *output,
1600
                            krb5_ap_rep_enc_part **rep);
1601

1602
krb5_error_code
1603
decode_krb5_as_req(const krb5_data *output, krb5_kdc_req **rep);
1604

1605
krb5_error_code
1606
decode_krb5_tgs_req(const krb5_data *output, krb5_kdc_req **rep);
1607

1608
krb5_error_code
1609
decode_krb5_kdc_req_body(const krb5_data *output, krb5_kdc_req **rep);
1610

1611
krb5_error_code
1612
decode_krb5_safe(const krb5_data *output, krb5_safe **rep);
1613

1614
krb5_error_code
1615
decode_krb5_safe_with_body(const krb5_data *output, krb5_safe **rep,
1616
                           krb5_data **body);
1617

1618
krb5_error_code
1619
decode_krb5_priv(const krb5_data *output, krb5_priv **rep);
1620

1621
krb5_error_code
1622
decode_krb5_enc_priv_part(const krb5_data *output, krb5_priv_enc_part **rep);
1623
krb5_error_code
1624
decode_krb5_checksum(const krb5_data *, krb5_checksum **);
1625

1626
krb5_error_code
1627
decode_krb5_cred(const krb5_data *output, krb5_cred **rep);
1628

1629
krb5_error_code
1630
decode_krb5_enc_cred_part(const krb5_data *output, krb5_cred_enc_part **rep);
1631

1632
krb5_error_code
1633
decode_krb5_error(const krb5_data *output, krb5_error **rep);
1634

1635
krb5_error_code
1636
decode_krb5_authdata(const krb5_data *output, krb5_authdata ***rep);
1637

1638
krb5_error_code
1639
decode_krb5_padata_sequence(const krb5_data *output, krb5_pa_data ***rep);
1640

1641
krb5_error_code
1642
decode_krb5_typed_data(const krb5_data *, krb5_pa_data ***);
1643

1644
krb5_error_code
1645
decode_krb5_etype_info(const krb5_data *output, krb5_etype_info_entry ***rep);
1646

1647
krb5_error_code
1648
decode_krb5_etype_info2(const krb5_data *output, krb5_etype_info_entry ***rep);
1649

1650
krb5_error_code
1651
decode_krb5_enc_data(const krb5_data *output, krb5_enc_data **rep);
1652

1653
krb5_error_code
1654
decode_krb5_pa_enc_ts(const krb5_data *output, krb5_pa_enc_ts **rep);
1655

1656
krb5_error_code
1657
decode_krb5_setpw_req(const krb5_data *, krb5_data **, krb5_principal *);
1658

1659
krb5_error_code
1660
decode_krb5_pa_for_user(const krb5_data *, krb5_pa_for_user **);
1661

1662
krb5_error_code
1663
decode_krb5_pa_s4u_x509_user(const krb5_data *, krb5_pa_s4u_x509_user **);
1664

1665
krb5_error_code
1666
decode_krb5_pa_pac_req(const krb5_data *, krb5_pa_pac_req **);
1667

1668
krb5_error_code
1669
decode_krb5_etype_list(const krb5_data *, krb5_etype_list **);
1670

1671
krb5_error_code
1672
decode_krb5_pa_fx_fast_request(const krb5_data *, krb5_fast_armored_req **);
1673

1674
krb5_error_code
1675
decode_krb5_fast_req(const krb5_data *, krb5_fast_req **);
1676

1677
krb5_error_code
1678
decode_krb5_pa_fx_fast_reply(const krb5_data *, krb5_enc_data **);
1679

1680
krb5_error_code
1681
decode_krb5_fast_response(const krb5_data *, krb5_fast_response **);
1682

1683
krb5_error_code
1684
decode_krb5_ad_kdcissued(const krb5_data *, krb5_ad_kdcissued **);
1685

1686
krb5_error_code
1687
decode_krb5_iakerb_header(const krb5_data *, krb5_iakerb_header **);
1688

1689
krb5_error_code
1690
decode_krb5_iakerb_finished(const krb5_data *, krb5_iakerb_finished **);
1691

1692
krb5_error_code
1693
decode_krb5_otp_tokeninfo(const krb5_data *, krb5_otp_tokeninfo **);
1694

1695
krb5_error_code
1696
decode_krb5_pa_otp_challenge(const krb5_data *, krb5_pa_otp_challenge **);
1697

1698
krb5_error_code
1699
decode_krb5_pa_otp_req(const krb5_data *, krb5_pa_otp_req **);
1700

1701
krb5_error_code
1702
decode_krb5_pa_otp_enc_req(const krb5_data *, krb5_data **);
1703

1704
krb5_error_code
1705
decode_krb5_kkdcp_message(const krb5_data *, krb5_kkdcp_message **);
1706

1707
krb5_error_code
1708
decode_krb5_cammac(const krb5_data *, krb5_cammac **);
1709

1710
krb5_error_code
1711
decode_utf8_strings(const krb5_data *, krb5_data ***);
1712

1713
krb5_error_code
1714
decode_krb5_secure_cookie(const krb5_data *, krb5_secure_cookie **);
1715

1716
krb5_error_code
1717
decode_krb5_pa_pac_options(const krb5_data *, krb5_pa_pac_options **);
1718

1719
struct _krb5_key_data;          /* kdb.h */
1720

1721
struct ldap_seqof_key_data {
1722
    krb5_int32 mkvno;           /* Master key version number */
1723
    krb5_ui_2 kvno;             /* kvno of key_data elements (all the same) */
1724
    struct _krb5_key_data *key_data;
1725
    krb5_int16 n_key_data;
1726
};
1727
typedef struct ldap_seqof_key_data ldap_seqof_key_data;
1728

1729
krb5_error_code
1730
krb5int_ldap_encode_sequence_of_keys(const ldap_seqof_key_data *val,
1731
                                     krb5_data **code);
1732

1733
krb5_error_code
1734
krb5int_ldap_decode_sequence_of_keys(const krb5_data *in,
1735
                                     ldap_seqof_key_data **rep);
1736

1737
/*************************************************************************
1738
 * End of prototypes for krb5_decode.c
1739
 *************************************************************************/
1740

1741
#endif /* KRB5_ASN1__ */
1742
/*
1743
 * End "asn1.h"
1744
 */
1745

1746

1747
/*
1748
 * Internal krb5 library routines
1749
 */
1750
krb5_error_code
1751
krb5_encrypt_tkt_part(krb5_context, const krb5_keyblock *, krb5_ticket *);
1752

1753
krb5_error_code
1754
krb5_encode_kdc_rep(krb5_context, krb5_msgtype, const krb5_enc_kdc_rep_part *,
1755
                    int using_subkey, const krb5_keyblock *, krb5_kdc_rep *,
1756
                    krb5_data ** );
1757

1758
/* Return true if s is non-empty and composed solely of digits. */
1759
krb5_boolean
1760
k5_is_string_numeric(const char *s);
1761

1762
krb5_error_code
1763
k5_parse_host_string(const char *address, int default_port, char **host_out,
1764
                     int *port_out);
1765

1766
krb5_error_code
1767
k5_size_authdata_context(krb5_context kcontext, krb5_authdata_context context,
1768
                         size_t *sizep);
1769

1770
krb5_error_code
1771
k5_externalize_authdata_context(krb5_context kcontext,
1772
                                krb5_authdata_context context,
1773
                                krb5_octet **buffer, size_t *lenremain);
1774

1775
krb5_error_code
1776
k5_internalize_authdata_context(krb5_context kcontext,
1777
                                krb5_authdata_context *ptr,
1778
                                krb5_octet **buffer, size_t *lenremain);
1779

1780
krb5_error_code
1781
k5_size_auth_context(krb5_auth_context auth_context, size_t *sizep);
1782

1783
krb5_error_code
1784
k5_externalize_auth_context(krb5_auth_context auth_context,
1785
                            krb5_octet **buffer, size_t *lenremain);
1786
krb5_error_code
1787
k5_internalize_auth_context(krb5_auth_context *argp,
1788
                            krb5_octet **buffer, size_t *lenremain);
1789

1790
krb5_error_code
1791
k5_size_authdata(krb5_authdata *authdata, size_t *sizep);
1792

1793
krb5_error_code
1794
k5_externalize_authdata(krb5_authdata *authdata,
1795
                        krb5_octet **buffer, size_t *lenremain);
1796

1797
krb5_error_code
1798
k5_internalize_authdata(krb5_authdata **authdata,
1799
                        krb5_octet **buffer, size_t *lenremain);
1800

1801
krb5_error_code
1802
k5_size_address(krb5_address *address, size_t *sizep);
1803

1804
krb5_error_code
1805
k5_externalize_address(krb5_address *address,
1806
                       krb5_octet **buffer, size_t *lenremain);
1807

1808
krb5_error_code
1809
k5_internalize_address(krb5_address **argp,
1810
                       krb5_octet **buffer, size_t *lenremain);
1811

1812
krb5_error_code
1813
k5_size_authenticator(krb5_authenticator *authenticator, size_t *sizep);
1814

1815
krb5_error_code
1816
k5_externalize_authenticator(krb5_authenticator *authenticator,
1817
                             krb5_octet **buffer, size_t *lenremain);
1818

1819
krb5_error_code
1820
k5_internalize_authenticator(krb5_authenticator **argp,
1821
                             krb5_octet **buffer, size_t *lenremain);
1822

1823
krb5_error_code
1824
k5_size_checksum(krb5_checksum *checksum, size_t *sizep);
1825

1826
krb5_error_code
1827
k5_externalize_checksum(krb5_checksum *checksum,
1828
                        krb5_octet **buffer, size_t *lenremain);
1829

1830
krb5_error_code
1831
k5_internalize_checksum(krb5_checksum **argp,
1832
                        krb5_octet **buffer, size_t *lenremain);
1833

1834
krb5_error_code
1835
k5_size_context(krb5_context context, size_t *sizep);
1836

1837
krb5_error_code
1838
k5_externalize_context(krb5_context context,
1839
                       krb5_octet **buffer, size_t *lenremain);
1840

1841
krb5_error_code
1842
k5_internalize_context(krb5_context *argp,
1843
                       krb5_octet **buffer, size_t *lenremain);
1844

1845
krb5_error_code
1846
k5_size_keyblock(krb5_keyblock *keyblock, size_t *sizep);
1847

1848
krb5_error_code
1849
k5_externalize_keyblock(krb5_keyblock *keyblock,
1850
                        krb5_octet **buffer, size_t *lenremain);
1851

1852
krb5_error_code
1853
k5_internalize_keyblock(krb5_keyblock **argp,
1854
                        krb5_octet **buffer, size_t *lenremain);
1855

1856
krb5_error_code
1857
k5_size_principal(krb5_principal principal, size_t *sizep);
1858

1859
krb5_error_code
1860
k5_externalize_principal(krb5_principal principal,
1861
                         krb5_octet **buffer, size_t *lenremain);
1862

1863
krb5_error_code
1864
k5_internalize_principal(krb5_principal *argp,
1865
                         krb5_octet **buffer, size_t *lenremain);
1866

1867
/*
1868
 * Initialization routines.
1869
 */
1870

1871
/* [De]serialize 4-byte integer */
1872
krb5_error_code KRB5_CALLCONV
1873
krb5_ser_pack_int32(krb5_int32, krb5_octet **, size_t *);
1874

1875
krb5_error_code KRB5_CALLCONV
1876
krb5_ser_unpack_int32(krb5_int32 *, krb5_octet **, size_t *);
1877

1878
/* [De]serialize 8-byte integer */
1879
krb5_error_code KRB5_CALLCONV
1880
krb5_ser_pack_int64(int64_t, krb5_octet **, size_t *);
1881

1882
krb5_error_code KRB5_CALLCONV
1883
krb5_ser_unpack_int64(int64_t *, krb5_octet **, size_t *);
1884

1885
/* [De]serialize byte string */
1886
krb5_error_code KRB5_CALLCONV
1887
krb5_ser_pack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
1888

1889
krb5_error_code KRB5_CALLCONV
1890
krb5_ser_unpack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *);
1891

1892
krb5_error_code KRB5_CALLCONV
1893
krb5int_cc_default(krb5_context, krb5_ccache *);
1894

1895
krb5_error_code
1896
k5_cc_store_primary_cred(krb5_context, krb5_ccache, krb5_creds *);
1897

1898
/* Fill in the buffer with random alphanumeric data. */
1899
krb5_error_code
1900
krb5int_random_string(krb5_context, char *string, unsigned int length);
1901

1902
/* value to use when requesting a keytab entry and KVNO doesn't matter */
1903
#define IGNORE_VNO 0
1904
/* value to use when requesting a keytab entry and enctype doesn't matter */
1905
#define IGNORE_ENCTYPE 0
1906

1907
/* To keep happy libraries which are (for now) accessing internal stuff */
1908

1909
/* Make sure to increment by one when changing the struct */
1910
#define KRB5INT_ACCESS_STRUCT_VERSION 23
1911

1912
typedef struct _krb5int_access {
1913
    krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context,
1914
                                                   krb5_auth_context,
1915
                                                   krb5_enctype *);
1916

1917
    krb5_error_code (*mandatory_cksumtype)(krb5_context, krb5_enctype,
1918
                                           krb5_cksumtype *);
1919
    krb5_error_code (KRB5_CALLCONV *ser_pack_int64)(int64_t, krb5_octet **,
1920
                                                    size_t *);
1921
    krb5_error_code (KRB5_CALLCONV *ser_unpack_int64)(int64_t *, krb5_octet **,
1922
                                                      size_t *);
1923

1924
    /* Used for KDB LDAP back end.  */
1925
    krb5_error_code
1926
    (*asn1_ldap_encode_sequence_of_keys)(const ldap_seqof_key_data *val,
1927
                                         krb5_data **code);
1928

1929
    krb5_error_code
1930
    (*asn1_ldap_decode_sequence_of_keys)(const krb5_data *in,
1931
                                         ldap_seqof_key_data **);
1932

1933
    /*
1934
     * pkinit asn.1 encode/decode functions
1935
     */
1936
    krb5_error_code
1937
    (*encode_krb5_auth_pack)(const krb5_auth_pack *rep, krb5_data **code);
1938

1939
    krb5_error_code
1940
    (*encode_krb5_kdc_dh_key_info)(const krb5_kdc_dh_key_info *rep,
1941
                                   krb5_data **code);
1942

1943
    krb5_error_code
1944
    (*encode_krb5_pa_pk_as_rep)(const krb5_pa_pk_as_rep *rep,
1945
                                krb5_data **code);
1946

1947
    krb5_error_code
1948
    (*encode_krb5_pa_pk_as_req)(const krb5_pa_pk_as_req *rep,
1949
                                krb5_data **code);
1950

1951
    krb5_error_code
1952
    (*encode_krb5_reply_key_pack)(const krb5_reply_key_pack *,
1953
                                  krb5_data **code);
1954

1955
    krb5_error_code
1956
    (*encode_krb5_td_dh_parameters)(krb5_algorithm_identifier *const *,
1957
                                    krb5_data **code);
1958

1959
    krb5_error_code
1960
    (*encode_krb5_td_trusted_certifiers)(krb5_external_principal_identifier *
1961
                                         const *, krb5_data **code);
1962

1963
    krb5_error_code
1964
    (*decode_krb5_auth_pack)(const krb5_data *, krb5_auth_pack **);
1965

1966
    krb5_error_code
1967
    (*decode_krb5_pa_pk_as_req)(const krb5_data *, krb5_pa_pk_as_req **);
1968

1969
    krb5_error_code
1970
    (*decode_krb5_pa_pk_as_rep)(const krb5_data *, krb5_pa_pk_as_rep **);
1971

1972
    krb5_error_code
1973
    (*decode_krb5_kdc_dh_key_info)(const krb5_data *, krb5_kdc_dh_key_info **);
1974

1975
    krb5_error_code
1976
    (*decode_krb5_principal_name)(const krb5_data *, krb5_principal_data **);
1977

1978
    krb5_error_code
1979
    (*decode_krb5_reply_key_pack)(const krb5_data *, krb5_reply_key_pack **);
1980

1981
    krb5_error_code
1982
    (*decode_krb5_td_dh_parameters)(const krb5_data *,
1983
                                    krb5_algorithm_identifier ***);
1984

1985
    krb5_error_code
1986
    (*decode_krb5_td_trusted_certifiers)(const krb5_data *,
1987
                                         krb5_external_principal_identifier
1988
                                         ***);
1989

1990
    krb5_error_code
1991
    (*encode_krb5_kdc_req_body)(const krb5_kdc_req *rep, krb5_data **code);
1992

1993
    void
1994
    (KRB5_CALLCONV *free_kdc_req)(krb5_context, krb5_kdc_req * );
1995
    void
1996
    (*set_prompt_types)(krb5_context, krb5_prompt_type *);
1997
} krb5int_access;
1998

1999
#define KRB5INT_ACCESS_VERSION                                          \
2000
    (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) |                  \
2001
                   (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2002

2003
krb5_error_code KRB5_CALLCONV
2004
krb5int_accessor(krb5int_access*, krb5_int32);
2005

2006
krb5_error_code KRB5_CALLCONV
2007
krb5int_cc_user_set_default_name(krb5_context context, const char *name);
2008

2009
krb5_error_code k5_rc_default(krb5_context context, krb5_rcache *rc_out);
2010
krb5_error_code k5_rc_resolve(krb5_context context, const char *name,
2011
                              krb5_rcache *rc_out);
2012
void k5_rc_close(krb5_context context, krb5_rcache rc);
2013
krb5_error_code k5_rc_store(krb5_context context, krb5_rcache rc,
2014
                            const krb5_enc_data *authenticator);
2015
const char *k5_rc_get_name(krb5_context context, krb5_rcache rc);
2016

2017
/* Set *tag_out to the integrity tag of *enc.  (Does not allocate memory;
2018
 * returned buffer is a subrange of *ctext.) */
2019
krb5_error_code
2020
k5_rc_tag_from_ciphertext(krb5_context context, const krb5_enc_data *enc,
2021
                          krb5_data *tag_out);
2022

2023
/*
2024
 * This structure was exposed and used in macros in krb5 1.2, so do not
2025
 * change its ABI.
2026
 */
2027
typedef struct _krb5_kt_ops {
2028
    krb5_magic magic;
2029
    char *prefix;
2030

2031
    /* routines always present */
2032
    krb5_error_code (KRB5_CALLCONV *resolve)(krb5_context, const char *,
2033
                                             krb5_keytab *);
2034
    krb5_error_code (KRB5_CALLCONV *get_name)(krb5_context, krb5_keytab,
2035
                                              char *, unsigned int);
2036
    krb5_error_code (KRB5_CALLCONV *close)(krb5_context, krb5_keytab);
2037
    krb5_error_code (KRB5_CALLCONV *get)(krb5_context, krb5_keytab,
2038
                                         krb5_const_principal, krb5_kvno,
2039
                                         krb5_enctype, krb5_keytab_entry *);
2040
    krb5_error_code (KRB5_CALLCONV *start_seq_get)(krb5_context, krb5_keytab,
2041
                                                   krb5_kt_cursor *);
2042
    krb5_error_code (KRB5_CALLCONV *get_next)(krb5_context, krb5_keytab,
2043
                                              krb5_keytab_entry *,
2044
                                              krb5_kt_cursor *);
2045
    krb5_error_code (KRB5_CALLCONV *end_get)(krb5_context, krb5_keytab,
2046
                                             krb5_kt_cursor *);
2047
    /* routines to be included on extended version (write routines) */
2048
    krb5_error_code (KRB5_CALLCONV *add)(krb5_context, krb5_keytab,
2049
                                         krb5_keytab_entry *);
2050
    krb5_error_code (KRB5_CALLCONV *remove)(krb5_context, krb5_keytab,
2051
                                            krb5_keytab_entry *);
2052
} krb5_kt_ops;
2053

2054
/* Not sure it's ready for exposure just yet.  */
2055
extern krb5_error_code
2056
krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
2057

2058
/*
2059
 * Referral definitions and subfunctions.
2060
 */
2061
#define        KRB5_REFERRAL_MAXHOPS    10
2062

2063
struct _krb5_kt {       /* should move into k5-int.h */
2064
    krb5_magic magic;
2065
    const struct _krb5_kt_ops *ops;
2066
    krb5_pointer data;
2067
};
2068

2069
krb5_error_code krb5_get_default_in_tkt_ktypes(krb5_context, krb5_enctype **);
2070

2071
krb5_error_code KRB5_CALLCONV
2072
krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **);
2073

2074
krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype);
2075

2076
krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype);
2077
krb5_boolean KRB5_CALLCONV krb5int_c_deprecated_enctype(krb5_enctype);
2078
krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out);
2079

2080
krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *,
2081
                                          krb5_const_pointer, krb5_kdc_rep *);
2082
krb5_error_code KRB5_CALLCONV krb5_decrypt_tkt_part(krb5_context,
2083
                                                    const krb5_keyblock *,
2084
                                                    krb5_ticket * );
2085

2086
krb5_error_code krb5_get_cred_via_tkt(krb5_context, krb5_creds *, krb5_flags,
2087
                                      krb5_address *const *, krb5_creds *,
2088
                                      krb5_creds **);
2089

2090
krb5_error_code KRB5_CALLCONV krb5_copy_addr(krb5_context,
2091
                                             const krb5_address *,
2092
                                             krb5_address **);
2093

2094
void krb5_init_ets(krb5_context);
2095
void krb5_free_ets(krb5_context);
2096
krb5_error_code krb5_generate_subkey(krb5_context, const krb5_keyblock *,
2097
                                     krb5_keyblock **);
2098
krb5_error_code krb5_generate_subkey_extended(krb5_context,
2099
                                              const krb5_keyblock *,
2100
                                              krb5_enctype, krb5_keyblock **);
2101
krb5_error_code krb5_generate_seq_number(krb5_context, const krb5_keyblock *,
2102
                                         krb5_ui_4 *);
2103

2104
krb5_error_code KRB5_CALLCONV krb5_kt_register(krb5_context,
2105
                                               const struct _krb5_kt_ops *);
2106

2107
krb5_error_code k5_kt_get_principal(krb5_context context, krb5_keytab keytab,
2108
                                    krb5_principal *princ_out);
2109

2110
krb5_error_code k5_kt_have_match(krb5_context context, krb5_keytab keytab,
2111
                                 krb5_principal mprinc);
2112

2113
krb5_error_code krb5_principal2salt_norealm(krb5_context, krb5_const_principal,
2114
                                            krb5_data *);
2115

2116
unsigned int KRB5_CALLCONV krb5_get_notification_message(void);
2117

2118
/* chk_trans.c */
2119
krb5_error_code krb5_check_transited_list(krb5_context, const krb5_data *trans,
2120
                                          const krb5_data *realm1,
2121
                                          const krb5_data *realm2);
2122

2123
/* free_rtree.c */
2124
void krb5_free_realm_tree(krb5_context, krb5_principal *);
2125

2126
void KRB5_CALLCONV krb5_free_authenticator_contents(krb5_context,
2127
                                                    krb5_authenticator *);
2128

2129
void KRB5_CALLCONV krb5_free_address(krb5_context, krb5_address *);
2130

2131
void KRB5_CALLCONV krb5_free_enc_tkt_part(krb5_context, krb5_enc_tkt_part *);
2132

2133
void KRB5_CALLCONV krb5_free_tickets(krb5_context, krb5_ticket **);
2134
void KRB5_CALLCONV krb5_free_kdc_req(krb5_context, krb5_kdc_req *);
2135
void KRB5_CALLCONV krb5_free_kdc_rep(krb5_context, krb5_kdc_rep *);
2136
void KRB5_CALLCONV krb5_free_last_req(krb5_context, krb5_last_req_entry **);
2137
void KRB5_CALLCONV krb5_free_enc_kdc_rep_part(krb5_context,
2138
                                              krb5_enc_kdc_rep_part *);
2139
void KRB5_CALLCONV krb5_free_ap_req(krb5_context, krb5_ap_req *);
2140
void KRB5_CALLCONV krb5_free_ap_rep(krb5_context, krb5_ap_rep *);
2141
void KRB5_CALLCONV krb5_free_cred(krb5_context, krb5_cred *);
2142
void KRB5_CALLCONV krb5_free_cred_enc_part(krb5_context, krb5_cred_enc_part *);
2143
void KRB5_CALLCONV krb5_free_pa_data(krb5_context, krb5_pa_data **);
2144
void KRB5_CALLCONV krb5_free_tkt_authent(krb5_context, krb5_tkt_authent *);
2145
void KRB5_CALLCONV krb5_free_enc_data(krb5_context, krb5_enc_data *);
2146
krb5_error_code krb5_set_config_files(krb5_context, const char **);
2147

2148
krb5_error_code krb5_rd_req_decoded(krb5_context, krb5_auth_context *,
2149
                                    const krb5_ap_req *, krb5_const_principal,
2150
                                    krb5_keytab, krb5_flags *, krb5_ticket **);
2151

2152
krb5_error_code krb5_rd_req_decoded_anyflag(krb5_context, krb5_auth_context *,
2153
                                            const krb5_ap_req *,
2154
                                            krb5_const_principal, krb5_keytab,
2155
                                            krb5_flags *, krb5_ticket **);
2156

2157
krb5_error_code KRB5_CALLCONV
2158
krb5_cc_register(krb5_context, const krb5_cc_ops *, krb5_boolean );
2159

2160
krb5_error_code krb5_walk_realm_tree(krb5_context, const krb5_data *,
2161
                                     const krb5_data *, krb5_principal **,
2162
                                     int);
2163

2164
krb5_error_code
2165
krb5_auth_con_set_safe_cksumtype(krb5_context, krb5_auth_context,
2166
                                 krb5_cksumtype);
2167

2168
krb5_error_code krb5_auth_con_setivector(krb5_context, krb5_auth_context,
2169
                                         krb5_pointer);
2170

2171
krb5_error_code krb5_auth_con_getivector(krb5_context, krb5_auth_context,
2172
                                         krb5_pointer *);
2173

2174
krb5_error_code krb5_auth_con_setpermetypes(krb5_context, krb5_auth_context,
2175
                                            const krb5_enctype *);
2176

2177
krb5_error_code krb5_auth_con_getpermetypes(krb5_context, krb5_auth_context,
2178
                                            krb5_enctype **);
2179

2180
krb5_error_code krb5_auth_con_get_subkey_enctype(krb5_context context,
2181
                                                 krb5_auth_context,
2182
                                                 krb5_enctype *);
2183

2184
krb5_error_code
2185
krb5_auth_con_get_authdata_context(krb5_context context,
2186
                                   krb5_auth_context auth_context,
2187
                                   krb5_authdata_context *ad_context);
2188

2189
krb5_error_code
2190
krb5_auth_con_set_authdata_context(krb5_context context,
2191
                                   krb5_auth_context auth_context,
2192
                                   krb5_authdata_context ad_context);
2193

2194
krb5_error_code krb5_read_message(krb5_context, krb5_pointer, krb5_data *);
2195
krb5_error_code krb5_write_message(krb5_context, krb5_pointer, krb5_data *);
2196
int krb5_net_read(krb5_context, int , char *, int);
2197
int krb5_net_write(krb5_context, int , const char *, int);
2198

2199
krb5_error_code KRB5_CALLCONV krb5_get_realm_domain(krb5_context,
2200
                                                    const char *, char ** );
2201

2202
krb5_error_code krb5_gen_portaddr(krb5_context, const krb5_address *,
2203
                                  krb5_const_pointer, krb5_address **);
2204

2205
krb5_error_code krb5_gen_replay_name(krb5_context, const krb5_address *,
2206
                                     const char *, char **);
2207
krb5_error_code krb5_make_fulladdr(krb5_context, krb5_address *,
2208
                                   krb5_address *, krb5_address *);
2209

2210
krb5_error_code krb5_set_debugging_time(krb5_context, krb5_timestamp,
2211
                                        krb5_int32);
2212
krb5_error_code krb5_use_natural_time(krb5_context);
2213
krb5_error_code krb5_set_time_offsets(krb5_context, krb5_timestamp,
2214
                                      krb5_int32);
2215

2216
/* Some data comparison and conversion functions.  */
2217
static inline int
2218
data_eq(krb5_data d1, krb5_data d2)
2219
{
2220
    return (d1.length == d2.length && (d1.length == 0 ||
2221
                                       !memcmp(d1.data, d2.data, d1.length)));
2222
}
2223

2224
static inline int
2225
data_eq_string (krb5_data d, const char *s)
2226
{
2227
    return (d.length == strlen(s) && (d.length == 0 ||
2228
                                      !memcmp(d.data, s, d.length)));
2229
}
2230

2231
static inline krb5_data
2232
make_data(void *data, unsigned int len)
2233
{
2234
    krb5_data d;
2235

2236
    d.magic = KV5M_DATA;
2237
    d.data = (char *) data;
2238
    d.length = len;
2239
    return d;
2240
}
2241

2242
static inline krb5_data
2243
empty_data(void)
2244
{
2245
    return make_data(NULL, 0);
2246
}
2247

2248
static inline krb5_data
2249
string2data(char *str)
2250
{
2251
    return make_data(str, strlen(str));
2252
}
2253

2254
static inline krb5_error_code
2255
alloc_data(krb5_data *data, unsigned int len)
2256
{
2257
    /* Allocate at least one byte since zero-byte allocs may return NULL. */
2258
    char *ptr = (char *) calloc((len > 0) ? len : 1, 1);
2259

2260
    if (ptr == NULL)
2261
        return ENOMEM;
2262
    data->magic = KV5M_DATA;
2263
    data->data = ptr;
2264
    data->length = len;
2265
    return 0;
2266
}
2267

2268
static inline int
2269
authdata_eq(krb5_authdata a1, krb5_authdata a2)
2270
{
2271
    return (a1.ad_type == a2.ad_type && a1.length == a2.length &&
2272
            (a1.length == 0 || !memcmp(a1.contents, a2.contents, a1.length)));
2273
}
2274

2275
/* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
2276
static inline void *
2277
k5calloc(size_t nmemb, size_t size, krb5_error_code *code)
2278
{
2279
    void *ptr;
2280

2281
    /* Allocate at least one byte since zero-byte allocs may return NULL. */
2282
    ptr = calloc(nmemb ? nmemb : 1, size ? size : 1);
2283
    *code = (ptr == NULL) ? ENOMEM : 0;
2284
    return ptr;
2285
}
2286

2287
/* Allocate zeroed memory; set *code to 0 on success or ENOMEM on failure. */
2288
static inline void *
2289
k5alloc(size_t size, krb5_error_code *code)
2290
{
2291
    return k5calloc(1, size, code);
2292
}
2293

2294
/* Return a copy of the len bytes of memory at in; set *code to 0 or ENOMEM. */
2295
static inline void *
2296
k5memdup(const void *in, size_t len, krb5_error_code *code)
2297
{
2298
    void *ptr = k5alloc(len, code);
2299

2300
    if (ptr != NULL && len > 0)
2301
        memcpy(ptr, in, len);
2302
    return ptr;
2303
}
2304

2305
/* Like k5memdup, but add a final null byte. */
2306
static inline void *
2307
k5memdup0(const void *in, size_t len, krb5_error_code *code)
2308
{
2309
    void *ptr = k5alloc(len + 1, code);
2310

2311
    if (ptr != NULL && len > 0)
2312
        memcpy(ptr, in, len);
2313
    return ptr;
2314
}
2315

2316
/* Convert a krb5_timestamp to a time_t value, treating the negative range of
2317
 * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */
2318
static inline time_t
2319
ts2tt(krb5_timestamp timestamp)
2320
{
2321
    return (time_t)(uint32_t)timestamp;
2322
}
2323

2324
/* Return the delta between two timestamps (a - b) as a signed 32-bit value,
2325
 * without relying on undefined behavior. */
2326
static inline krb5_deltat
2327
ts_delta(krb5_timestamp a, krb5_timestamp b)
2328
{
2329
    return (krb5_deltat)((uint32_t)a - (uint32_t)b);
2330
}
2331

2332
/* Return (end - start) as an unsigned 32-bit value, or 0 if start > end. */
2333
static inline uint32_t
2334
ts_interval(krb5_timestamp start, krb5_timestamp end)
2335
{
2336
    if ((uint32_t)start > (uint32_t)end)
2337
        return 0;
2338
    return (uint32_t)end - (uint32_t)start;
2339
}
2340

2341
/* Increment a timestamp by a signed 32-bit interval, without relying on
2342
 * undefined behavior. */
2343
static inline krb5_timestamp
2344
ts_incr(krb5_timestamp ts, krb5_deltat delta)
2345
{
2346
    return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta);
2347
}
2348

2349
/* Return true if a comes after b. */
2350
static inline krb5_boolean
2351
ts_after(krb5_timestamp a, krb5_timestamp b)
2352
{
2353
    return (uint32_t)a > (uint32_t)b;
2354
}
2355

2356
/* Return true if a and b are within d seconds. */
2357
static inline krb5_boolean
2358
ts_within(krb5_timestamp a, krb5_timestamp b, krb5_deltat d)
2359
{
2360
    return !ts_after(a, ts_incr(b, d)) && !ts_after(b, ts_incr(a, d));
2361
}
2362

2363
krb5_error_code KRB5_CALLCONV
2364
krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
2365
                              krb5_ccache ccache,
2366
                              krb5_creds *in_creds,
2367
                              krb5_data *cert,
2368
                              krb5_creds **out_creds);
2369

2370
krb5_error_code KRB5_CALLCONV
2371
krb5_get_credentials_for_proxy(krb5_context context,
2372
                               krb5_flags options,
2373
                               krb5_ccache ccache,
2374
                               krb5_creds *in_creds,
2375
                               krb5_ticket *evidence_tkt,
2376
                               krb5_creds **out_creds);
2377

2378
krb5_error_code KRB5_CALLCONV
2379
krb5int_get_authdata_containee_types(krb5_context context,
2380
                                     const krb5_authdata *container,
2381
                                     unsigned int *nad_types,
2382
                                     krb5_authdatatype **ad_types);
2383

2384
krb5_error_code krb5int_parse_enctype_list(krb5_context context,
2385
                                           const char *profkey, char *profstr,
2386
                                           krb5_enctype *default_list,
2387
                                           krb5_enctype **result);
2388

2389
krb5_boolean k5_etypes_contains(const krb5_enctype *list, krb5_enctype etype);
2390

2391
void k5_change_error_message_code(krb5_context ctx, krb5_error_code oldcode,
2392
                                  krb5_error_code newcode);
2393

2394
/* Define shorter internal names for setting error messages. */
2395
#define k5_setmsg krb5_set_error_message
2396
#define k5_prependmsg krb5_prepend_error_message
2397
#define k5_wrapmsg krb5_wrap_error_message
2398

2399
/*
2400
 * Like krb5_principal_compare(), but with canonicalization of sname if
2401
 * fallback is enabled.  This function should be avoided if multiple matches
2402
 * are required, since repeated canonicalization is inefficient.
2403
 */
2404
krb5_boolean
2405
k5_sname_compare(krb5_context context, krb5_const_principal sname,
2406
                 krb5_const_principal princ);
2407

2408
/* Generate an HMAC-MD5 keyed checksum as specified by RFC 2104. */
2409
krb5_error_code
2410
k5_hmac_md5(const krb5_data *key, const krb5_crypto_iov *data, size_t num_data,
2411
            krb5_data *output);
2412

2413
/* Address objects for initiator and acceptor directional addresses. */
2414
extern const krb5_address k5_addr_directional_init;
2415
extern const krb5_address k5_addr_directional_accept;
2416

2417
/*
2418
 * Translate sa to a krb5_address, putting the result in *out with contents
2419
 * aliased from *sa.  If local_use is true, translate UNIX domain socket names
2420
 * to ADDRTYPE_UNIXSOCK; otherwise do not handle them.  Return
2421
 * KRB5_PROG_ATYPE_NOSUPP if sa cannot be converted.
2422
 */
2423
krb5_error_code
2424
k5_sockaddr_to_address(const struct sockaddr *sa, krb5_boolean local_use,
2425
                       krb5_address *out);
2426

2427
/* Place a printable representation of sa (without port) into buf. */
2428
void
2429
k5_print_addr(const struct sockaddr *sa, char *buf, size_t len);
2430

2431
/* Place a printable representation of sa (with port) into buf. */
2432
void
2433
k5_print_addr_port(const struct sockaddr *sa, char *buf, size_t len);
2434

2435
#endif /* _KRB5_INT_H */
2436

2437