17c478bdstevel@tonic-gate/*
25e01956Glenn Barry * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
37c478bdstevel@tonic-gate */
47c478bdstevel@tonic-gate/*
5fe598cdmp * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology,
67c478bdstevel@tonic-gate * Cambridge, MA, USA.  All Rights Reserved.
7159d09aMark Phalan *
8159d09aMark Phalan * This software is being provided to you, the LICENSEE, by the
9159d09aMark Phalan * Massachusetts Institute of Technology (M.I.T.) under the following
10159d09aMark Phalan * license.  By obtaining, using and/or copying this software, you agree
11159d09aMark Phalan * that you have read, understood, and will comply with these terms and
12159d09aMark Phalan * conditions:
13159d09aMark Phalan *
147c478bdstevel@tonic-gate * Export of this software from the United States of America may
157c478bdstevel@tonic-gate * require a specific license from the United States Government.
167c478bdstevel@tonic-gate * It is the responsibility of any person or organization contemplating
177c478bdstevel@tonic-gate * export to obtain such a license before exporting.
18159d09aMark Phalan *
19159d09aMark Phalan * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
20159d09aMark Phalan * this software and its documentation for any purpose and without fee or
21159d09aMark Phalan * royalty is hereby granted, provided that you agree to comply with the
22159d09aMark Phalan * following copyright notice and statements, including the disclaimer, and
23159d09aMark Phalan * that the same appear on ALL copies of the software and documentation,
24159d09aMark Phalan * including modifications that you make for internal use or for
257c478bdstevel@tonic-gate * distribution:
26159d09aMark Phalan *
27159d09aMark Phalan * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
28159d09aMark Phalan * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
29159d09aMark Phalan * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
30159d09aMark Phalan * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
31159d09aMark Phalan * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
32159d09aMark Phalan * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
33159d09aMark Phalan *
34159d09aMark Phalan * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
35159d09aMark Phalan * be used in advertising or publicity pertaining to distribution of the
36159d09aMark Phalan * software.  Title to copyright in this software and any associated
37159d09aMark Phalan * documentation shall at all times remain with M.I.T., and USER agrees to
387c478bdstevel@tonic-gate * preserve same.
39fe598cdmp *
40fe598cdmp * Furthermore if you modify this software you must label
41fe598cdmp * your software as modified software and not distribute it in such a
42fe598cdmp * fashion that it might be confused with the original M.I.T. software.
43ab9b2e1gtb */
44159d09aMark Phalan
457c478bdstevel@tonic-gate/*
467c478bdstevel@tonic-gate * Copyright (C) 1998 by the FundsXpress, INC.
47159d09aMark Phalan *
487c478bdstevel@tonic-gate * All rights reserved.
49159d09aMark Phalan *
507c478bdstevel@tonic-gate * Export of this software from the United States of America may require
517c478bdstevel@tonic-gate * a specific license from the United States Government.  It is the
527c478bdstevel@tonic-gate * responsibility of any person or organization contemplating export to
537c478bdstevel@tonic-gate * obtain such a license before exporting.
54159d09aMark Phalan *
557c478bdstevel@tonic-gate * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
567c478bdstevel@tonic-gate * distribute this software and its documentation for any purpose and
577c478bdstevel@tonic-gate * without fee is hereby granted, provided that the above copyright
587c478bdstevel@tonic-gate * notice appear in all copies and that both that copyright notice and
597c478bdstevel@tonic-gate * this permission notice appear in supporting documentation, and that
607c478bdstevel@tonic-gate * the name of FundsXpress. not be used in advertising or publicity pertaining
617c478bdstevel@tonic-gate * to distribution of the software without specific, written prior
627c478bdstevel@tonic-gate * permission.  FundsXpress makes no representations about the suitability of
637c478bdstevel@tonic-gate * this software for any purpose.  It is provided "as is" without express
647c478bdstevel@tonic-gate * or implied warranty.
65159d09aMark Phalan *
667c478bdstevel@tonic-gate * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
677c478bdstevel@tonic-gate * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
687c478bdstevel@tonic-gate * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
697c478bdstevel@tonic-gate */
707c478bdstevel@tonic-gate
717c478bdstevel@tonic-gate/*
727c478bdstevel@tonic-gate * This prototype for k5-int.h (Krb5 internals include file)
737c478bdstevel@tonic-gate * includes the user-visible definitions from krb5.h and then
747c478bdstevel@tonic-gate * includes other definitions that are not user-visible but are
757c478bdstevel@tonic-gate * required for compiling Kerberos internal routines.
767c478bdstevel@tonic-gate *
777c478bdstevel@tonic-gate * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
787c478bdstevel@tonic-gate */
797c478bdstevel@tonic-gate
807c478bdstevel@tonic-gate#ifndef _KRB5_INT_H
817c478bdstevel@tonic-gate#define _KRB5_INT_H
827c478bdstevel@tonic-gate
83159d09aMark Phalan#ifdef KRB5_GENERAL__
84159d09aMark Phalan#error krb5.h included before k5-int.h
85159d09aMark Phalan#endif /* KRB5_GENERAL__ */
867c478bdstevel@tonic-gate
877c478bdstevel@tonic-gate#ifndef	_KERNEL
887c478bdstevel@tonic-gate#include <osconf.h>
897c478bdstevel@tonic-gate#include <security/cryptoki.h>
907c478bdstevel@tonic-gate#else
917c478bdstevel@tonic-gate#include <sys/crypto/common.h>
927c478bdstevel@tonic-gate#include <sys/crypto/api.h>
937c478bdstevel@tonic-gate#endif
947c478bdstevel@tonic-gate
957c478bdstevel@tonic-gate#ifdef  DEBUG
967c478bdstevel@tonic-gate#if !defined(KRB5_DEBUG)
977c478bdstevel@tonic-gate#define KRB5_DEBUG
987c478bdstevel@tonic-gate#endif
997c478bdstevel@tonic-gate#ifndef  KRB5_LOG_LVL
1007c478bdstevel@tonic-gate#define KRB5_LOG_LVL KRB5_ERR
1017c478bdstevel@tonic-gate#endif
1027c478bdstevel@tonic-gate#endif  /* DEBUG */
1037c478bdstevel@tonic-gate
1047c478bdstevel@tonic-gate#ifdef  _KERNEL
1057c478bdstevel@tonic-gate
1067c478bdstevel@tonic-gate#ifdef  DEBUG
1077c478bdstevel@tonic-gate#include        <sys/types.h>
1087c478bdstevel@tonic-gate#include        <sys/cmn_err.h>
1097c478bdstevel@tonic-gate extern  void prom_printf();
1107c478bdstevel@tonic-gate#endif  /* DEBUG */
1117c478bdstevel@tonic-gate
1127c478bdstevel@tonic-gate#else   /* !_KERNEL */
1137c478bdstevel@tonic-gate
1147c478bdstevel@tonic-gate#define prom_printf printf
1157c478bdstevel@tonic-gate
1167c478bdstevel@tonic-gate#endif /* !_KERNEL */
1177c478bdstevel@tonic-gate
#ifdef KRB5_LOG_LVL

/*
 * krb5_log selects which classes of messages the mech emits.  It is a
 * bit mask of the KRB5_* level values below, so more than one class can
 * be enabled by OR-ing the values together.
 *
 * Where a message goes depends on the build: in userland every message
 * is sent to syslog(3) at priority LOG_DEBUG; in the kernel it is
 * printed with printf().
 */

extern unsigned int krb5_log;

/* Note, these defines should be mutually exclusive bit fields */
#define KRB5_ERR  1   /* Use this debug log level for error path logging. */
#define KRB5_INFO 2   /* Use this debug log level for informational messages. */

/*
 * KRB5_LOG1 / KRB5_LOG / KRB5_LOG0 take a level mask A, a format string B
 * and two, one or zero format arguments.  The message is emitted only
 * when logging is enabled at all and A overlaps krb5_log; the trailing
 * ", TRUE" merely gives the && chain a value to discard.  TRUE is
 * expected from an earlier include -- it is not defined here.
 *
 * B is placed in the printf()/syslog() format position, so it must be
 * a string literal.  Never route caller-supplied or on-the-wire text
 * through B; use a "%s" format and pass the text as C instead.
 */
#ifdef  _KERNEL

#define KRB5_LOG1(A, B, C, D) \
     ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
#define KRB5_LOG(A, B, C) \
     ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
#define KRB5_LOG0(A, B)   \
     ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))

#else	/* !_KERNEL */

#include <syslog.h>

#define KRB5_LOG1(A, B, C, D) \
        ((void)((krb5_log) && (krb5_log & (A)) && \
		(syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
#define KRB5_LOG(A, B, C) \
        ((void)((krb5_log) && (krb5_log & (A)) && \
		(syslog(LOG_DEBUG, (B), (C)), TRUE)))
#define KRB5_LOG0(A, B)   \
        ((void)((krb5_log) && (krb5_log & (A)) && \
	       	(syslog(LOG_DEBUG, B), TRUE)))

#endif	/* _KERNEL */

#else /* ! KRB5_LOG_LVL */

/*
 * Logging compiled out: the macros expand to nothing, so their
 * arguments are never evaluated.  Keep log arguments free of side
 * effects, or behaviour will differ between debug and non-debug builds.
 */
#define KRB5_LOG1(A, B, C, D)
#define KRB5_LOG(A, B, C)
#define KRB5_LOG0(A, B)

#endif /* KRB5_LOG_LVL */
1657c478bdstevel@tonic-gate
1667c478bdstevel@tonic-gate#ifdef POSIX_TYPES
1677c478bdstevel@tonic-gate#define timetype time_t
1687c478bdstevel@tonic-gate#else
1697c478bdstevel@tonic-gate#define timetype long
1707c478bdstevel@tonic-gate#endif
1717c478bdstevel@tonic-gate
1727c478bdstevel@tonic-gate/*
1737c478bdstevel@tonic-gate * Begin "k5-config.h"
1747c478bdstevel@tonic-gate */
1757c478bdstevel@tonic-gate#ifndef KRB5_CONFIG__
1767c478bdstevel@tonic-gate#define KRB5_CONFIG__
1777c478bdstevel@tonic-gate
178159d09aMark Phalan/*
179159d09aMark Phalan * Machine-type definitions: PC Clone 386 running Microloss Windows
1807c478bdstevel@tonic-gate */
1817c478bdstevel@tonic-gate
182159d09aMark Phalan#if defined(_MSDOS) || defined(_WIN32)
1837c478bdstevel@tonic-gate#include "win-mac.h"
1847c478bdstevel@tonic-gate
1857c478bdstevel@tonic-gate/* Kerberos Windows initialization file */
186159d09aMark Phalan#define KERBEROS_INI	"kerberos.ini"
187159d09aMark Phalan#define INI_FILES	"Files"
188159d09aMark Phalan#define INI_KRB_CCACHE	"krb5cc"	/* Location of the ccache */
189159d09aMark Phalan#define INI_KRB5_CONF	"krb5.ini"	/* Location of krb5.conf file */
1907c478bdstevel@tonic-gate#define ANSI_STDIO
1917c478bdstevel@tonic-gate#endif
1927c478bdstevel@tonic-gate
1937c478bdstevel@tonic-gate#ifndef _KERNEL
1947c478bdstevel@tonic-gate#ifndef KRB5_AUTOCONF__
1957c478bdstevel@tonic-gate#define KRB5_AUTOCONF__
196159d09aMark Phalan#include "autoconf.h"
1977c478bdstevel@tonic-gate#endif
1987c478bdstevel@tonic-gate#endif 		/* !_KERNEL  */
1997c478bdstevel@tonic-gate
2007c478bdstevel@tonic-gate#ifndef KRB5_SYSTYPES__
2017c478bdstevel@tonic-gate#define KRB5_SYSTYPES__
2027c478bdstevel@tonic-gate
203159d09aMark Phalan#ifndef _KERNEL
2047c478bdstevel@tonic-gate#ifdef HAVE_SYS_TYPES_H		/* From autoconf.h */
2057c478bdstevel@tonic-gate#include <sys/types.h>
2067c478bdstevel@tonic-gate#else /* HAVE_SYS_TYPES_H */
207159d09aMark Phalantypedef unsigned long 	u_long;
208159d09aMark Phalantypedef unsigned int	u_int;
209159d09aMark Phalantypedef unsigned short	u_short;
210159d09aMark Phalantypedef unsigned char	u_char;
2117c478bdstevel@tonic-gate#endif /* HAVE_SYS_TYPES_H */
2127c478bdstevel@tonic-gate#endif /* KRB5_SYSTYPES__ */
213159d09aMark Phalan#endif 		/* !_KERNEL  */
214159d09aMark Phalan
2157c478bdstevel@tonic-gate
216505d05cgtb/* #include "k5-platform.h" SUNW XXX */
217505d05cgtb/* not used in krb5.h (yet) */
2187c478bdstevel@tonic-gatetypedef uint64_t krb5_ui_8;
2197c478bdstevel@tonic-gatetypedef int64_t krb5_int64;
2207c478bdstevel@tonic-gate
221159d09aMark Phalan
222159d09aMark Phalan
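/*
 * Password prompts and default ticket lifetimes (in seconds).
 *
 * Every arithmetic macro is fully parenthesized so that it can be used
 * inside any expression -- as a divisor, modulus operand, etc. -- without
 * the expansion regrouping around the surrounding operators.
 */
#define DEFAULT_PWD_STRING1 "Enter password:"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
#define	KRB5_KDB_MAX_LIFE	(60*60*24) /* one day */
#define	KRB5_KDB_MAX_RLIFE	(60*60*24*365) /* one year */
/*
 * 24836 whole days after the epoch: Thu Dec 31 00:00:00 2037 UTC, safely
 * below the 32-bit time_t limit (2147483647 == 2038-01-19T03:14:07Z).
 */
#define	KRB5_KDB_EXPIRATION	2145830400
#define KRB5_DEFAULT_LIFE (60*60*10) /* 10 hours */
#define KRB5_DEFAULT_RENEW_LIFE (7*24*60*60) /* 7 days */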
2307c478bdstevel@tonic-gate
231159d09aMark Phalan/*
2327c478bdstevel@tonic-gate * Windows requires a different api interface to each function. Here
2337c478bdstevel@tonic-gate * just define it as NULL.
2347c478bdstevel@tonic-gate */
2357c478bdstevel@tonic-gate#ifndef KRB5_CALLCONV
2367c478bdstevel@tonic-gate#define KRB5_CALLCONV
2377c478bdstevel@tonic-gate#define KRB5_CALLCONV_C
2387c478bdstevel@tonic-gate#endif
2397c478bdstevel@tonic-gate#ifndef O_BINARY
2407c478bdstevel@tonic-gate#define O_BINARY 0
2417c478bdstevel@tonic-gate#endif
2427c478bdstevel@tonic-gate
2437c478bdstevel@tonic-gate#endif /* KRB5_CONFIG__ */
2447c478bdstevel@tonic-gate
2457c478bdstevel@tonic-gate/*
2467c478bdstevel@tonic-gate * End "k5-config.h"
2477c478bdstevel@tonic-gate */
2487c478bdstevel@tonic-gate
2497c478bdstevel@tonic-gate/*
2507c478bdstevel@tonic-gate * After loading the configuration definitions, load the Kerberos definitions.
2517c478bdstevel@tonic-gate */
252505d05cgtb#ifndef _KERNEL
253505d05cgtb#include <errno.h>
254505d05cgtb#include "profile.h"
255505d05cgtb#endif
256505d05cgtb
2577c478bdstevel@tonic-gate#include <krb5.h>
2587c478bdstevel@tonic-gate
2597c478bdstevel@tonic-gate#ifndef _KERNEL
260505d05cgtb#if 1 /* def NEED_SOCKETS */
2617c478bdstevel@tonic-gate#include <port-sockets.h>
2627c478bdstevel@tonic-gate#include <socket-utils.h>
2637c478bdstevel@tonic-gate#else
2647c478bdstevel@tonic-gate#ifndef SOCK_DGRAM
2657c478bdstevel@tonic-gatestruct sockaddr;
2667c478bdstevel@tonic-gate#endif
2677c478bdstevel@tonic-gate#endif
2687c478bdstevel@tonic-gate#endif
2697c478bdstevel@tonic-gate
270505d05cgtb/* Get mutex support; currently used only for the replay cache.  */
271505d05cgtb#include "k5-thread.h"
272505d05cgtb
273505d05cgtb
2747c478bdstevel@tonic-gate/* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
2757c478bdstevel@tonic-gate   The ones that it doesn't include, we include below.  */
2767c478bdstevel@tonic-gate
2777c478bdstevel@tonic-gate/*
2787c478bdstevel@tonic-gate * Begin "k5-errors.h"
2797c478bdstevel@tonic-gate */
2807c478bdstevel@tonic-gate#ifndef KRB5_ERRORS__
2817c478bdstevel@tonic-gate#define KRB5_ERRORS__
2827c478bdstevel@tonic-gate
2837c478bdstevel@tonic-gate
2847c478bdstevel@tonic-gate/* Error codes used in KRB_ERROR protocol messages.
2857c478bdstevel@tonic-gate   Return values of library routines are based on a different error table
2867c478bdstevel@tonic-gate   (which allows non-ambiguous error codes between subsystems) */
2877c478bdstevel@tonic-gate
2887c478bdstevel@tonic-gate/* KDC errors */
2897c478bdstevel@tonic-gate#define	KDC_ERR_NONE			0 /* No error */
2907c478bdstevel@tonic-gate#define	KDC_ERR_NAME_EXP		1 /* Client's entry in DB expired */
2917c478bdstevel@tonic-gate#define	KDC_ERR_SERVICE_EXP		2 /* Server's entry in DB expired */
2927c478bdstevel@tonic-gate#define	KDC_ERR_BAD_PVNO		3 /* Requested pvno not supported */
2937c478bdstevel@tonic-gate#define	KDC_ERR_C_OLD_MAST_KVNO		4 /* C's key encrypted in old master */
2947c478bdstevel@tonic-gate#define	KDC_ERR_S_OLD_MAST_KVNO		5 /* S's key encrypted in old master */
2957c478bdstevel@tonic-gate#define	KDC_ERR_C_PRINCIPAL_UNKNOWN	6 /* Client not found in Kerberos DB */
2967c478bdstevel@tonic-gate#define	KDC_ERR_S_PRINCIPAL_UNKNOWN	7 /* Server not found in Kerberos DB */
2977c478bdstevel@tonic-gate#define	KDC_ERR_PRINCIPAL_NOT_UNIQUE	8 /* Multiple entries in Kerberos DB */
2987c478bdstevel@tonic-gate#define	KDC_ERR_NULL_KEY		9 /* The C or S has a null key */
2997c478bdstevel@tonic-gate#define	KDC_ERR_CANNOT_POSTDATE		10 /* Tkt ineligible for postdating */
3007c478bdstevel@tonic-gate#define	KDC_ERR_NEVER_VALID		11 /* Requested starttime > endtime */
3017c478bdstevel@tonic-gate#define	KDC_ERR_POLICY			12 /* KDC policy rejects request */
3027c478bdstevel@tonic-gate#define	KDC_ERR_BADOPTION		13 /* KDC can't do requested opt. */
3037c478bdstevel@tonic-gate#define	KDC_ERR_ENCTYPE_NOSUPP		14 /* No support for encryption type */
3047c478bdstevel@tonic-gate#define KDC_ERR_SUMTYPE_NOSUPP		15 /* No support for checksum type */
3057c478bdstevel@tonic-gate#define KDC_ERR_PADATA_TYPE_NOSUPP	16 /* No support for padata type */
3067c478bdstevel@tonic-gate#define KDC_ERR_TRTYPE_NOSUPP		17 /* No support for transited type */
3077c478bdstevel@tonic-gate#define KDC_ERR_CLIENT_REVOKED		18 /* C's creds have been revoked */
3087c478bdstevel@tonic-gate#define KDC_ERR_SERVICE_REVOKED		19 /* S's creds have been revoked */
3097c478bdstevel@tonic-gate#define KDC_ERR_TGT_REVOKED		20 /* TGT has been revoked */
3107c478bdstevel@tonic-gate#define KDC_ERR_CLIENT_NOTYET		21 /* C not yet valid */
3117c478bdstevel@tonic-gate#define KDC_ERR_SERVICE_NOTYET		22 /* S not yet valid */
3127c478bdstevel@tonic-gate#define KDC_ERR_KEY_EXP			23 /* Password has expired */
3137c478bdstevel@tonic-gate#define KDC_ERR_PREAUTH_FAILED		24 /* Preauthentication failed */
3147c478bdstevel@tonic-gate#define KDC_ERR_PREAUTH_REQUIRED	25 /* Additional preauthentication */
3157c478bdstevel@tonic-gate					   /* required */
3167c478bdstevel@tonic-gate#define KDC_ERR_SERVER_NOMATCH		26 /* Requested server and */
3177c478bdstevel@tonic-gate					   /* ticket don't match*/
3185e01956Glenn Barry#define KDC_ERR_MUST_USE_USER2USER      27 /* Server principal valid for */
3195e01956Glenn Barry					   /*   user2user only */
3205e01956Glenn Barry#define KDC_ERR_PATH_NOT_ACCEPTED       28 /* KDC policy rejected transited */
3215e01956Glenn Barry					   /*   path */
322159d09aMark Phalan#define KDC_ERR_SVC_UNAVAILABLE		29 /* A service is not
323159d09aMark Phalan					    * available that is
324159d09aMark Phalan					    * required to process the
325159d09aMark Phalan					    * request */
3267c478bdstevel@tonic-gate/* Application errors */
3277c478bdstevel@tonic-gate#define	KRB_AP_ERR_BAD_INTEGRITY 31	/* Decrypt integrity check failed */
3287c478bdstevel@tonic-gate#define	KRB_AP_ERR_TKT_EXPIRED	32	/* Ticket expired */
3297c478bdstevel@tonic-gate#define	KRB_AP_ERR_TKT_NYV	33	/* Ticket not yet valid */
3307c478bdstevel@tonic-gate#define	KRB_AP_ERR_REPEAT	34	/* Request is a replay */
3317c478bdstevel@tonic-gate#define	KRB_AP_ERR_NOT_US	35	/* The ticket isn't for us */
3327c478bdstevel@tonic-gate#define	KRB_AP_ERR_BADMATCH	36	/* Ticket/authenticator don't match */
3337c478bdstevel@tonic-gate#define	KRB_AP_ERR_SKEW		37	/* Clock skew too great */
3347c478bdstevel@tonic-gate#define	KRB_AP_ERR_BADADDR	38	/* Incorrect net address */
3357c478bdstevel@tonic-gate#define	KRB_AP_ERR_BADVERSION	39	/* Protocol version mismatch */
3367c478bdstevel@tonic-gate#define	KRB_AP_ERR_MSG_TYPE	40	/* Invalid message type */
3377c478bdstevel@tonic-gate#define	KRB_AP_ERR_MODIFIED	41	/* Message stream modified */
3387c478bdstevel@tonic-gate#define	KRB_AP_ERR_BADORDER	42	/* Message out of order */
3397c478bdstevel@tonic-gate#define	KRB_AP_ERR_BADKEYVER	44	/* Key version is not available */
3407c478bdstevel@tonic-gate#define	KRB_AP_ERR_NOKEY	45	/* Service key not available */
3417c478bdstevel@tonic-gate#define	KRB_AP_ERR_MUT_FAIL	46	/* Mutual authentication failed */
3427c478bdstevel@tonic-gate#define KRB_AP_ERR_BADDIRECTION	47 	/* Incorrect message direction */
3437c478bdstevel@tonic-gate#define KRB_AP_ERR_METHOD	48 	/* Alternative authentication */
3447c478bdstevel@tonic-gate					/* method required */
#define KRB_AP_ERR_BADSEQ	49 	/* Incorrect sequence number */
3467c478bdstevel@tonic-gate					/* in message */
3477c478bdstevel@tonic-gate#define KRB_AP_ERR_INAPP_CKSUM	50	/* Inappropriate type of */
3487c478bdstevel@tonic-gate					/* checksum in message */
349159d09aMark Phalan#define KRB_AP_PATH_NOT_ACCEPTED 51	/* Policy rejects transited path */
350159d09aMark Phalan#define KRB_ERR_RESPONSE_TOO_BIG 52	/* Response too big for UDP, */
351159d09aMark Phalan					/*   retry with TCP */
3527c478bdstevel@tonic-gate
3537c478bdstevel@tonic-gate/* other errors */
3547c478bdstevel@tonic-gate#define KRB_ERR_GENERIC		60 	/* Generic error (description */
3557c478bdstevel@tonic-gate					/* in e-text) */
3567c478bdstevel@tonic-gate#define	KRB_ERR_FIELD_TOOLONG	61	/* Field is too long for impl. */
3577c478bdstevel@tonic-gate
358159d09aMark Phalan/* PKINIT server-reported errors */
359159d09aMark Phalan#define KDC_ERR_CLIENT_NOT_TRUSTED		62 /* client cert not trusted */
360159d09aMark Phalan#define KDC_ERR_INVALID_SIG			64 /* client signature verify failed */
361159d09aMark Phalan#define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED	65 /* invalid Diffie-Hellman parameters */
3625e01956Glenn Barry#define KDC_ERR_CERTIFICATE_MISMATCH            66
3635e01956Glenn Barry#define KRB_AP_ERR_NO_TGT                       67
3645e01956Glenn Barry#define KDC_ERR_WRONG_REALM                     68
3655e01956Glenn Barry#define KRB_AP_ERR_USER_TO_USER_REQUIRED        69
#define KDC_ERR_CANT_VERIFY_CERTIFICATE         70 /* client cert not verifiable to */
						   /* trusted root cert */
369159d09aMark Phalan#define KDC_ERR_INVALID_CERTIFICATE		71 /* client cert had invalid signature */
370159d09aMark Phalan#define KDC_ERR_REVOKED_CERTIFICATE		72 /* client cert was revoked */
371159d09aMark Phalan#define KDC_ERR_REVOCATION_STATUS_UNKNOWN	73 /* client cert revoked, reason unknown */
372159d09aMark Phalan#define KDC_ERR_CLIENT_NAME_MISMATCH		75 /* mismatch between client cert and */
373159d09aMark Phalan						   /* principal name */
374159d09aMark Phalan#define KDC_ERR_INCONSISTENT_KEY_PURPOSE	77 /* bad extended key use */
375159d09aMark Phalan#define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED	78 /* bad digest algorithm in client cert */
376159d09aMark Phalan#define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED	79 /* missing paChecksum in PA-PK-AS-REQ */
377159d09aMark Phalan#define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
378159d09aMark Phalan#define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
379159d09aMark Phalan
3807c478bdstevel@tonic-gate#endif /* KRB5_ERRORS__ */
3817c478bdstevel@tonic-gate/*
3827c478bdstevel@tonic-gate * End "k5-errors.h"
3837c478bdstevel@tonic-gate */
3847c478bdstevel@tonic-gate
3857c478bdstevel@tonic-gate/*
3867c478bdstevel@tonic-gate * This structure is returned in the e-data field of the KRB-ERROR
3877c478bdstevel@tonic-gate * message when the error calling for an alternative form of
3887c478bdstevel@tonic-gate * authentication is returned, KRB_AP_METHOD.
3897c478bdstevel@tonic-gate */
typedef struct _krb5_alt_method {
	krb5_magic	magic;		/* structure magic value */
	krb5_int32	method;		/* alternative authentication method id */
	unsigned int	length;		/* byte count at data (assumed from the field
					 * names; confirm against the encoder) */
	krb5_octet	*data;		/* method-specific payload */
} krb5_alt_method;
3967c478bdstevel@tonic-gate
3977c478bdstevel@tonic-gate/*
3987c478bdstevel@tonic-gate * A null-terminated array of this structure is returned by the KDC as
3997c478bdstevel@tonic-gate * the data part of the ETYPE_INFO preauth type.  It informs the
4007c478bdstevel@tonic-gate * client which encryption types are supported.
401159d09aMark Phalan * The  same data structure is used by both etype-info and etype-info2
4027c478bdstevel@tonic-gate * but s2kparams must be null when encoding etype-info.
4037c478bdstevel@tonic-gate */
typedef struct _krb5_etype_info_entry {
	krb5_magic	magic;		/* structure magic value */
	krb5_enctype	etype;		/* encryption type this entry advertises */
	unsigned int	length;		/* salt length; KRB5_ETYPE_NO_SALT (defined
					 * below) means the salt was not sent at all,
					 * as opposed to a zero-length salt */
	krb5_octet	*salt;		/* salt octets, meaningful only when
					 * length != KRB5_ETYPE_NO_SALT */
	krb5_data	s2kparams;	/* string-to-key params (etype-info2 only;
					 * left null for etype-info, see note above) */
} krb5_etype_info_entry;
4117c478bdstevel@tonic-gate
/*
 *  This is effectively -1 stored without sign extension, which would
 *  otherwise break comparisons on 64-bit machines.  If the length has
 *  this value the salt data is absent; this distinguishes a salt that
 *  was never set from one of length 0.
 */
4187c478bdstevel@tonic-gate#define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
4197c478bdstevel@tonic-gate
4207c478bdstevel@tonic-gatetypedef krb5_etype_info_entry ** krb5_etype_info;
4217c478bdstevel@tonic-gate
422ba7b222Glenn Barry/* RFC 4537 */
typedef struct _krb5_etype_list {
        int             length;		/* entry count at etypes (assumed from the field
					 * names; confirm in the encoder).  Signed, so a
					 * decoder must reject negative values before
					 * using it as a count. */
        krb5_enctype    *etypes;	/* array of encryption types */
} krb5_etype_list;
427ba7b222Glenn Barry
4287c478bdstevel@tonic-gate/*
429159d09aMark Phalan * a sam_challenge is returned for alternate preauth
4307c478bdstevel@tonic-gate */
4317c478bdstevel@tonic-gate/*
4327c478bdstevel@tonic-gate          SAMFlags ::= BIT STRING {
4337c478bdstevel@tonic-gate              use-sad-as-key[0],
4347c478bdstevel@tonic-gate              send-encrypted-sad[1],
4357c478bdstevel@tonic-gate              must-pk-encrypt-sad[2]
4367c478bdstevel@tonic-gate          }
4377c478bdstevel@tonic-gate */
4387c478bdstevel@tonic-gate/*
4397c478bdstevel@tonic-gate          PA-SAM-CHALLENGE ::= SEQUENCE {
4407c478bdstevel@tonic-gate              sam-type[0]                 INTEGER,
4417c478bdstevel@tonic-gate              sam-flags[1]                SAMFlags,
4427c478bdstevel@tonic-gate              sam-type-name[2]            GeneralString OPTIONAL,
4437c478bdstevel@tonic-gate              sam-track-id[3]             GeneralString OPTIONAL,
4447c478bdstevel@tonic-gate              sam-challenge-label[4]      GeneralString OPTIONAL,
4457c478bdstevel@tonic-gate              sam-challenge[5]            GeneralString OPTIONAL,
4467c478bdstevel@tonic-gate              sam-response-prompt[6]      GeneralString OPTIONAL,
4477c478bdstevel@tonic-gate              sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
4487c478bdstevel@tonic-gate              sam-nonce[8]                INTEGER OPTIONAL,
4497c478bdstevel@tonic-gate              sam-cksum[9]                Checksum OPTIONAL
4507c478bdstevel@tonic-gate          }
4517c478bdstevel@tonic-gate*/
4527c478bdstevel@tonic-gate/* sam_type values -- informational only */
4537c478bdstevel@tonic-gate#define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
4547c478bdstevel@tonic-gate#define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
4557c478bdstevel@tonic-gate#define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
4567c478bdstevel@tonic-gate#define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
4577c478bdstevel@tonic-gate#define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
4587c478bdstevel@tonic-gate#define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
4597c478bdstevel@tonic-gate#if 1 /* XXX need to figure out who has which numbers assigned */
4607c478bdstevel@tonic-gate#define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
4617c478bdstevel@tonic-gate#define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
4627c478bdstevel@tonic-gate#define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
4637c478bdstevel@tonic-gate#endif
4647c478bdstevel@tonic-gate#define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
4657c478bdstevel@tonic-gate#define PA_SAM_TYPE_GRAIL		(PA_SAM_TYPE_EXP_BASE+0) /* testing */
4667c478bdstevel@tonic-gate#define PA_SAM_TYPE_SECURID_PREDICT	(PA_SAM_TYPE_EXP_BASE+1) /* special */
4677c478bdstevel@tonic-gate
/*
 * Server-side record of the SAM response the KDC expects (the purpose
 * is inferred from the name; confirm against the SAM preauth code).
 */
typedef struct _krb5_predicted_sam_response {
	krb5_magic	magic;		/* structure magic value */
	krb5_keyblock	sam_key;	/* key associated with the expected response */
	krb5_flags	sam_flags; /* Makes key munging easier */
	krb5_timestamp  stime;	/* time on server, for replay detection */
	krb5_int32      susec;		/* presumably the microsecond part of stime */
	krb5_principal  client;		/* client principal the prediction is for */
	krb5_data       msd;	/* mechanism specific data */
} krb5_predicted_sam_response;
4777c478bdstevel@tonic-gate
/*
 * In-memory form of PA-SAM-CHALLENGE; the bracketed numbers are the
 * ASN.1 context tags from the definition above.
 */
typedef struct _krb5_sam_challenge {
	krb5_magic	magic;
	krb5_int32	sam_type; /* [0] information; see PA_SAM_TYPE_* */
	krb5_flags	sam_flags; /* [1] KRB5_SAM_* values */
	krb5_data	sam_type_name;		/* [2] optional */
	krb5_data	sam_track_id;		/* [3] optional, echoed back in the response */
	krb5_data	sam_challenge_label;	/* [4] optional */
	krb5_data	sam_challenge;		/* [5] optional */
	krb5_data	sam_response_prompt;	/* [6] optional */
	krb5_data	sam_pk_for_sad;		/* [7] optional; the ASN.1 says EncryptionKey
						 * but it is held here as raw data */
	krb5_int32	sam_nonce;		/* [8] optional */
	krb5_checksum	sam_cksum;		/* [9] optional */
} krb5_sam_challenge;
4917c478bdstevel@tonic-gate
typedef struct _krb5_sam_key {	/* reserved for future use; see krb5_sam_response.sam_enc_key */
	krb5_magic	magic;		/* structure magic value */
	krb5_keyblock	sam_key;
} krb5_sam_key;
4967c478bdstevel@tonic-gate
/*
 * Plaintext carried, encrypted, in krb5_sam_response.sam_enc_nonce_or_ts.
 */
typedef struct _krb5_enc_sam_response_enc {
	krb5_magic	magic;		/* structure magic value */
	krb5_int32	sam_nonce;	/* nonce from the challenge */
	krb5_timestamp	sam_timestamp;	/* client time */
	krb5_int32	sam_usec;	/* microsecond part of sam_timestamp */
	krb5_data	sam_sad;	/* the SAD (see the SAMFlags definition above) */
} krb5_enc_sam_response_enc;
5047c478bdstevel@tonic-gate
/* Client's reply to a krb5_sam_challenge. */
typedef struct _krb5_sam_response {
	krb5_magic	magic;		/* structure magic value */
	krb5_int32	sam_type; /* informational */
	krb5_flags	sam_flags; /* KRB5_SAM_* values */
	krb5_data	sam_track_id; /* copied from the challenge */
	krb5_enc_data	sam_enc_key; /* krb5_sam_key - future use */
	krb5_enc_data	sam_enc_nonce_or_ts; /* encrypted krb5_enc_sam_response_enc */
	krb5_int32	sam_nonce;
	krb5_timestamp	sam_patimestamp;
} krb5_sam_response;
5157c478bdstevel@tonic-gate
typedef struct _krb5_sam_challenge_2 {
	krb5_data	sam_challenge_2_body;	/* encoded krb5_sam_challenge_2_body; kept
						 * as bytes presumably so the checksums can
						 * be verified over the exact encoding --
						 * confirm against the decoder */
	krb5_checksum	**sam_cksum;		/* Array of checksums (termination
						 * convention not visible here) */
} krb5_sam_challenge_2;
5207c478bdstevel@tonic-gate
/*
 * Decoded body of a krb5_sam_challenge_2.  Mirrors krb5_sam_challenge
 * except that the checksum moves to the outer structure and an
 * encryption type is added.
 */
typedef struct _krb5_sam_challenge_2_body {
	krb5_magic	magic;		/* structure magic value */
	krb5_int32	sam_type; /* information; see PA_SAM_TYPE_* */
	krb5_flags	sam_flags; /* KRB5_SAM_* values */
	krb5_data	sam_type_name;
	krb5_data	sam_track_id;		/* echoed back in the response */
	krb5_data	sam_challenge_label;
	krb5_data	sam_challenge;
	krb5_data	sam_response_prompt;
	krb5_data	sam_pk_for_sad;
	krb5_int32	sam_nonce;
	krb5_enctype	sam_etype;	/* not present in the PA-SAM-CHALLENGE
					 * definition above */
} krb5_sam_challenge_2_body;
5347c478bdstevel@tonic-gate
/*
 * Cleartext SAM response (version 2).  As with version 1, only the
 * sam_enc_nonce_or_sad part is protected; the cleartext sam_nonce is
 * informational.
 */
typedef struct _krb5_sam_response_2 {
	krb5_magic	magic;
	krb5_int32	sam_type; /* informational */
	krb5_flags	sam_flags; /* KRB5_SAM_* values */
	krb5_data	sam_track_id; /* copied */
	krb5_enc_data	sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
					      /* NOTE(review): the enc type comment says _enc, but the
					         v2 enc part below is krb5_enc_sam_response_enc_2 — confirm */
	krb5_int32	sam_nonce;	/* cleartext copy; not integrity-protected */
} krb5_sam_response_2;
5437c478bdstevel@tonic-gate
/*
 * Encrypted part of a version-2 SAM response: the nonce binding the
 * response to the challenge plus the single-use authentication data.
 */
typedef struct _krb5_enc_sam_response_enc_2 {
	krb5_magic	magic;
	krb5_int32	sam_nonce;	/* should match krb5_sam_challenge_2_body.sam_nonce, presumably */
	krb5_data	sam_sad;	/* single-use authentication data (the protected secret) */
} krb5_enc_sam_response_enc_2;
5497c478bdstevel@tonic-gate
5507c478bdstevel@tonic-gate/*
551159d09aMark Phalan * Keep the pkinit definitions in a separate file so that the plugin
552159d09aMark Phalan * only has to include k5-int-pkinit.h rather than k5-int.h
553159d09aMark Phalan */
554159d09aMark Phalan
555159d09aMark Phalan#include "k5-int-pkinit.h"
556159d09aMark Phalan
557159d09aMark Phalan/*
5587c478bdstevel@tonic-gate * Begin "dbm.h"
5597c478bdstevel@tonic-gate */
5607c478bdstevel@tonic-gate#ifndef _KERNEL
5617c478bdstevel@tonic-gate
5627c478bdstevel@tonic-gate/*
5637c478bdstevel@tonic-gate * Since we are always using db, use the db-ndbm include header file.
5647c478bdstevel@tonic-gate */
5657c478bdstevel@tonic-gate
5667c478bdstevel@tonic-gate#include "db-ndbm.h"
5677c478bdstevel@tonic-gate
#endif /* !_KERNEL */
5697c478bdstevel@tonic-gate/*
5707c478bdstevel@tonic-gate * End "dbm.h"
5717c478bdstevel@tonic-gate */
5727c478bdstevel@tonic-gate
5737c478bdstevel@tonic-gate/*
5747c478bdstevel@tonic-gate * Begin "ext-proto.h"
5757c478bdstevel@tonic-gate */
5767c478bdstevel@tonic-gate#ifndef KRB5_EXT_PROTO__
5777c478bdstevel@tonic-gate#define KRB5_EXT_PROTO__
5787c478bdstevel@tonic-gate
5797c478bdstevel@tonic-gate#ifndef _KERNEL
5807c478bdstevel@tonic-gate#include <stdlib.h>
5817c478bdstevel@tonic-gate#include <string.h>
5827c478bdstevel@tonic-gate#endif /* !_KERNEL */
5837c478bdstevel@tonic-gate
5847c478bdstevel@tonic-gate#ifndef HAVE_STRDUP
5857c478bdstevel@tonic-gateextern char *strdup (const char *);
5867c478bdstevel@tonic-gate#endif
5877c478bdstevel@tonic-gate
5887c478bdstevel@tonic-gate#ifndef _KERNEL
5897c478bdstevel@tonic-gate#ifdef HAVE_UNISTD_H
5907c478bdstevel@tonic-gate#include <unistd.h>
5917c478bdstevel@tonic-gate#endif
5927c478bdstevel@tonic-gate#endif /* !_KERNEL */
5937c478bdstevel@tonic-gate
5947c478bdstevel@tonic-gate#endif /* KRB5_EXT_PROTO__ */
5957c478bdstevel@tonic-gate/*
5967c478bdstevel@tonic-gate * End "ext-proto.h"
5977c478bdstevel@tonic-gate */
5987c478bdstevel@tonic-gate
5997c478bdstevel@tonic-gate/*
6007c478bdstevel@tonic-gate * Begin "sysincl.h"
6017c478bdstevel@tonic-gate */
6027c478bdstevel@tonic-gate#ifndef KRB5_SYSINCL__
6037c478bdstevel@tonic-gate#define KRB5_SYSINCL__
6047c478bdstevel@tonic-gate
6057c478bdstevel@tonic-gate#ifndef KRB5_SYSTYPES__
6067c478bdstevel@tonic-gate#define KRB5_SYSTYPES__
6077c478bdstevel@tonic-gate/* needed for much of the rest -- but already handled in krb5.h? */
6087c478bdstevel@tonic-gate/* #include <sys/types.h> */
6097c478bdstevel@tonic-gate#endif /* KRB5_SYSTYPES__ */
6107c478bdstevel@tonic-gate
6117c478bdstevel@tonic-gate#ifdef	_KERNEL
6127c478bdstevel@tonic-gate#include <sys/time.h>
6137c478bdstevel@tonic-gate#else
6147c478bdstevel@tonic-gate#ifdef HAVE_SYS_TIME_H
6157c478bdstevel@tonic-gate#include <sys/time.h>
6167c478bdstevel@tonic-gate#ifdef TIME_WITH_SYS_TIME
6177c478bdstevel@tonic-gate#include <time.h>
6187c478bdstevel@tonic-gate#endif
6197c478bdstevel@tonic-gate#else
6207c478bdstevel@tonic-gate#include <time.h>
6217c478bdstevel@tonic-gate#endif
6227c478bdstevel@tonic-gate#endif /* _KERNEL */
6237c478bdstevel@tonic-gate
6247c478bdstevel@tonic-gate#ifdef HAVE_SYS_STAT_H
6257c478bdstevel@tonic-gate#include <sys/stat.h>			/* struct stat, stat() */
6267c478bdstevel@tonic-gate#endif
6277c478bdstevel@tonic-gate
6287c478bdstevel@tonic-gate#ifdef HAVE_SYS_PARAM_H
6297c478bdstevel@tonic-gate#include <sys/param.h>			/* MAXPATHLEN */
6307c478bdstevel@tonic-gate#endif
6317c478bdstevel@tonic-gate
6327c478bdstevel@tonic-gate#ifdef HAVE_SYS_FILE_H
6337c478bdstevel@tonic-gate#include <sys/file.h>			/* prototypes for file-related
6347c478bdstevel@tonic-gate					   syscalls; flags for open &
6357c478bdstevel@tonic-gate					   friends */
6367c478bdstevel@tonic-gate#endif
6377c478bdstevel@tonic-gate
6387c478bdstevel@tonic-gate#ifdef _KERNEL
6397c478bdstevel@tonic-gate#include <sys/fcntl.h>
6407c478bdstevel@tonic-gate#else
6417c478bdstevel@tonic-gate#include <fcntl.h>
6427c478bdstevel@tonic-gate#endif
6437c478bdstevel@tonic-gate
6447c478bdstevel@tonic-gate#endif /* KRB5_SYSINCL__ */
6457c478bdstevel@tonic-gate/*
6467c478bdstevel@tonic-gate * End "sysincl.h"
6477c478bdstevel@tonic-gate */
6487c478bdstevel@tonic-gate
6497c478bdstevel@tonic-gate/*
6507c478bdstevel@tonic-gate * Begin "los-proto.h"
6517c478bdstevel@tonic-gate */
6527c478bdstevel@tonic-gate#ifndef KRB5_LIBOS_PROTO__
6537c478bdstevel@tonic-gate#define KRB5_LIBOS_PROTO__
654159d09aMark Phalan#endif
6557c478bdstevel@tonic-gate
6567c478bdstevel@tonic-gate#ifndef	_KERNEL
6577c478bdstevel@tonic-gate#include <stdio.h>
6587c478bdstevel@tonic-gate
6597c478bdstevel@tonic-gatestruct addrlist;
660159d09aMark Phalanstruct sendto_callback_info;
6617c478bdstevel@tonic-gate#endif
6627c478bdstevel@tonic-gate
/* libos.spec */
/*
 * OS-dependent helpers shared by the library (historically "libos").
 *
 * krb5_lock_file / krb5_unlock_file: advisory locking on an open descriptor.
 * The two ints are the fd and the lock mode; the mode values are not
 * visible here (presumably KRB5_LOCKMODE_*) — confirm against the
 * implementation before adding callers.
 */
krb5_error_code krb5_lock_file (krb5_context, int, int);
krb5_error_code krb5_unlock_file (krb5_context, int);
/*
 * krb5_sendto_kdc: send a message to a KDC of the given realm and return
 * the reply.  Parameter roles are not named here; from the types they
 * are presumably (context, message, realm, reply, use_master in/out,
 * tcp_only) — confirm.  The reply is allocated for the caller.
 */
krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *,
				 const krb5_data *, krb5_data *, int *, int);
/* Solaris Kerberos */
/*
 * krb5_sendto_kdc2: Solaris variant with one extra char ** output
 * (presumably the KDC host actually used) — confirm, including who
 * frees it.
 */
krb5_error_code krb5_sendto_kdc2 (krb5_context, const krb5_data *,
				const krb5_data *, krb5_data *, int *, int,
				char **);


/*
 * krb5_get_krbhst: look up the KDC host list for a realm; the result is
 * released with krb5_free_krbhst.  krb5_create_secure_file creates the
 * named file with restrictive permissions (what "secure" means exactly is
 * defined by the implementation, not here).
 */
krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname);

/*
 * krb5_net_read / krb5_net_write: (context, fd, buffer, length).  Lengths
 * and return values are plain int, so callers must pass a non-negative
 * length and check for a short or failed transfer; the exact return
 * convention is not visible here.
 */
int krb5_net_read (krb5_context, int , char *, int);

int krb5_net_write
	(krb5_context, int , const char *, int);


/*
 * krb5_gen_replay_name: build the replay-cache name for an address and a
 * unique string; the result is allocated for the caller (char ** out).
 */
krb5_error_code krb5_gen_replay_name
    (krb5_context, const krb5_address *, const char *, char **);
6867c478bdstevel@tonic-gate
6877c478bdstevel@tonic-gate
6887c478bdstevel@tonic-gate#ifndef	_KERNEL
689159d09aMark Phalan
/* Flush and sync an open stdio stream to stable storage. */
krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp);

/*
 * Solaris-specific: open a PKCS#11 session for the crypto provider and
 * hand back the session handle.  Ownership/closing of the session is not
 * visible here — confirm before use.
 */
krb5_error_code
krb5_open_pkcs11_session(CK_SESSION_HANDLE *);


/*
 * Length-prefixed message I/O over an opaque handle (krb5_pointer).
 * krb5_read_message allocates the received data for the caller.  Any
 * length read from the peer is untrusted; the bound applied to it lives
 * in the implementation, not here.
 */
krb5_error_code krb5_read_message
	(krb5_context, krb5_pointer, krb5_data *);

krb5_error_code krb5_write_message
	(krb5_context, krb5_pointer, krb5_data *);
/*
 * krb5int_sendto: low-level send of `message' to the servers in `addrs',
 * returning the reply plus (optionally) the local/remote socket addresses
 * and the index of the address that answered (addr_used).  callback_info
 * lets the caller rewrite the message per address.  msg_handler, if
 * non-NULL, is consulted on each received message with msg_handler_data;
 * its return convention is not visible here.
 */
krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
                const struct addrlist *addrs, struct sendto_callback_info* callback_info,
				krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
                struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
		int (*msg_handler)(krb5_context, const krb5_data *, void *),
		void *msg_handler_data);

/* Fully-qualified local hostname into a caller buffer of the given size. */
krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);

/*
 * Time-source control.  These alter the clock the library uses for
 * timestamp and lifetime checks (set_debugging_time pins it, set_time_offsets
 * applies a seconds/usec offset, use_natural_time restores the real clock).
 * Overriding time weakens replay and expiry checks, so these should only be
 * reached from test/debug paths — the call sites are not visible here.
 */
krb5_error_code krb5_set_debugging_time
        (krb5_context, krb5_timestamp, krb5_int32);
krb5_error_code krb5_use_natural_time
        (krb5_context);
krb5_error_code krb5_set_time_offsets
        (krb5_context, krb5_timestamp, krb5_int32);
/* Compare a timestamp against the context's permitted clock skew. */
krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
71754925bfwillf#endif
7187c478bdstevel@tonic-gate
/*
 * Solaris Kerberos
 * The following two functions are needed for better realm
 * determination based on the DNS domain name.
 *
 * NOTE(review): a realm derived from a DNS name rests on the DNS answer,
 * which is unauthenticated unless the resolver validates it; callers that
 * use the result to pick a KDC should treat it as a hint, as they would
 * any dns_lookup_realm-style mapping.
 */
/* (flags?, hostname, out) — the int's meaning is not visible here; confirm. */
krb5_error_code krb5int_lookup_host(int , const char *, char **);

/* Map a DNS domain (or a host's FQDN) to a realm name, allocated for the caller. */
krb5_error_code krb5int_domain_get_realm(krb5_context, const char *,
    char **);
krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *,
    char **);

/* KDC-flavoured context initialisation (presumably reads the kdc profile section). */
krb5_error_code krb5int_init_context_kdc(krb5_context *);

/*
 * OS-layer part of context setup/teardown.  The krb5_boolean is the
 * "secure" flag: when set, environment-derived configuration sources are
 * presumably ignored (cf. os_get_default_config_files below) — confirm.
 */
krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean);

void krb5_os_free_context (krb5_context);
7367c478bdstevel@tonic-gate
737159d09aMark Phalan/* This function is needed by KfM's KerberosPreferences API
738159d09aMark Phalan * because it needs to be able to specify "secure" */
739505d05cgtb#ifndef _KERNEL
/*
 * Returns the list of profile files to load; `secure' selects the
 * restricted search (intended for privileged processes that must not honour
 * user-controlled configuration paths).  pfiles is allocated for the caller.
 */
krb5_error_code os_get_default_config_files
    (profile_filespec_t **pfiles, krb5_boolean secure);
742505d05cgtb#endif
743505d05cgtb
/*
 * Resolve a hostname to a NULL-terminated krb5_address array (presumably
 * freed with krb5_free_addresses) — confirm the termination convention.
 */
krb5_error_code krb5_os_hostaddr
	(krb5_context, const char *, krb5_address ***);
746505d05cgtb
7477c478bdstevel@tonic-gate#ifndef _KERNEL
/* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
   going to use this structure.  */
/*
 * Growable list of resolved server addresses used by the sendto code.
 * Each entry owns its addrinfo via freefn/data; when FAI_DEFINED is not
 * set the ai member is an incomplete type so that the struct layout stays
 * the same without the real addrinfo declaration.
 */
struct addrlist {
    struct {
#ifdef FAI_DEFINED
	struct addrinfo *ai;
#else
	struct undefined_addrinfo *ai;
#endif
	void (*freefn)(void *);	/* called with data to release this entry, presumably */
	void *data;
    } *addrs;		/* heap array; released by krb5int_free_addrlist */
    int naddrs;		/* entries in use */
    int space;		/* entries allocated (capacity), presumably — confirm */
};
/* Static initialiser for an empty struct addrlist (addrs, naddrs, space). */
#define ADDRLIST_INIT { 0, 0, 0 }
/* Release every entry and the array itself. */
extern void krb5int_free_addrlist (struct addrlist *);
/* Ensure room for `int' more entries; returns a non-zero errno-style code on failure, presumably. */
extern int krb5int_grow_addrlist (struct addrlist *, int);
/*
 * Resolve a host and append its addresses.  The four trailing ints are
 * not named here; presumably (port, secport, socktype, family) — confirm
 * before relying on the order.
 */
extern int krb5int_add_host_to_list (struct addrlist *, const char *,
				     int, int, int, int);
7687c478bdstevel@tonic-gate
769159d09aMark Phalan#include <locate_plugin.h>
/*
 * Fill an addrlist with servers of type `svc' for `realm', restricted to
 * the given socket type and address family.  Resolution may involve
 * locate plugins (locate_plugin.h) and DNS; the list order is whatever
 * the locator produced.
 */
krb5_error_code
krb5int_locate_server (krb5_context, const krb5_data *realm,
		       struct addrlist *, enum locate_service_type svc,
		       int sockettype, int family);
77410db137gtb
7757c478bdstevel@tonic-gate#endif /* _KERNEL */
7767c478bdstevel@tonic-gate
7777c478bdstevel@tonic-gate/* new encryption provider api */
7787c478bdstevel@tonic-gate
/*
 * Raw cipher provider.  encrypt/decrypt operate on whole input buffers with
 * an optional ivec/cipher state; no integrity protection is implied at this
 * layer — that is added by the krb5_crypt_func wrappers.
 */
struct krb5_enc_provider {
    /* keybytes is the input size to make_key;
       keylength is the output size */
    size_t block_size, keybytes, keylength;	/* block_size: cipher block/IV length */

    /* cipher-state == 0 fresh state thrown away at end */
    /* ivec, when non-NULL, is the chaining state and may be updated in place. */
    krb5_error_code (*encrypt) (
	krb5_context context,
	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
	krb5_const krb5_data *input, krb5_data *output);

    krb5_error_code (*decrypt) (
	krb5_context context,
	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
	krb5_const krb5_data *input, krb5_data *output);

    /* Turn keybytes bytes of random input into a keylength-byte keyblock. */
    krb5_error_code (*make_key)
    (krb5_context, krb5_const krb5_data *, krb5_keyblock *);

    /* init_state allocates a cipher state for the key/usage; free_state
       releases it (see krb5int_default_free_state). */
    krb5_error_code (*init_state) (krb5_context,
			const krb5_keyblock *,
			krb5_keyusage, krb5_data *);
    krb5_error_code (*free_state) (krb5_context, krb5_data *);

};
8047c478bdstevel@tonic-gate
/*
 * Unkeyed hash provider.  hashsize is the digest length; blocksize is the
 * compression-function block size (needed by HMAC construction, presumably).
 */
struct krb5_hash_provider {
    size_t hashsize, blocksize;

    /* this takes multiple inputs to avoid lots of copying. */
    /* input points to icount krb5_data items hashed in sequence. */
    krb5_error_code (*hash) (krb5_context context,
	unsigned int icount, krb5_const krb5_data *input,
	krb5_data *output);
};
8137c478bdstevel@tonic-gate
/*
 * Keyed hash provider (used for checksum types that are not
 * HMAC-with-derived-key; see krb5_cksumtypes.keyhash below).
 */
struct krb5_keyhash_provider {
    size_t hashsize;	/* output length of hash() */

    krb5_error_code (*hash) (
	krb5_context context,
	krb5_const krb5_keyblock *key,
	krb5_keyusage keyusage,
	krb5_const krb5_data *ivec,
	krb5_const krb5_data *input, krb5_data *output);

    /* verify: result is reported through *valid, separately from the
       return code.  A caller must check both — a zero return code alone
       does not mean the checksum matched. */
    krb5_error_code (*verify) (
	krb5_context context,
	krb5_const krb5_keyblock *key,
	krb5_keyusage keyusage,
	krb5_const krb5_data *ivec,
	krb5_const krb5_data *input,
	krb5_const krb5_data *hash,
	krb5_boolean *valid);

};
8347c478bdstevel@tonic-gate
/* Compute the ciphertext size (*length) for inputlen bytes under enc/hash. */
typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
  const struct krb5_hash_provider *hash,
  size_t inputlen, size_t *length);
8387c478bdstevel@tonic-gate
/*
 * Enctype-level encrypt/decrypt: combines the raw cipher and hash providers
 * with a key usage (for key derivation) to produce or consume the
 * integrity-protected ciphertext of an enctype.
 */
typedef krb5_error_code (*krb5_crypt_func) (
  krb5_context context,
  krb5_const struct krb5_enc_provider *enc,
  krb5_const struct krb5_hash_provider *hash,
  krb5_const krb5_keyblock *key, krb5_keyusage usage,
  krb5_const krb5_data *ivec,
  krb5_const krb5_data *input, krb5_data *output);
8467c478bdstevel@tonic-gate
8477c478bdstevel@tonic-gate#ifndef	_KERNEL
/*
 * Password/string-to-key conversion for an enctype (userland only; see
 * the note in krb5_keytypes).  params carries enctype-specific s2k
 * parameters (e.g. an iteration count) and may be NULL, presumably.
 */
typedef krb5_error_code (*krb5_str2key_func) (
  krb5_context context,
  krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
  krb5_const krb5_data *salt, krb5_const krb5_data *params,
  krb5_keyblock *key);
8537c478bdstevel@tonic-gate#endif	/* _KERNEL */
8547c478bdstevel@tonic-gate
/* Enctype pseudo-random function: derive `out' from key and `in'. */
typedef krb5_error_code (*krb5_prf_func)(
					 const struct krb5_enc_provider *enc,
					 const struct krb5_hash_provider *hash,
					 const krb5_keyblock *key,
					 const krb5_data *in, krb5_data *out);
860159d09aMark Phalan
/*
 * One row of the enctype table: ties an enctype number to its providers
 * and the functions that implement it.  In the kernel build the
 * string-to-key hook is replaced by the names/ids of the kernel crypto
 * framework mechanisms used for the cipher and hash.
 */
struct krb5_keytypes {
    krb5_enctype etype;
    char *in_string;		/* name accepted when parsing this enctype, presumably */
    char *out_string;		/* name printed for this enctype, presumably */
    const struct krb5_enc_provider *enc;
    const struct krb5_hash_provider *hash;
    krb5_encrypt_length_func encrypt_len;
    krb5_crypt_func encrypt;
    krb5_crypt_func decrypt;
    krb5_cksumtype required_ctype;	/* mandatory checksum type for this enctype */
#ifndef	_KERNEL
    /* Solaris Kerberos:  strings to key conversion not done in the kernel */
    krb5_str2key_func str2key;
#else	/* _KERNEL */
    char *mt_e_name;		/* kernel crypto framework mechanism name, cipher */
    char *mt_h_name;		/* kernel crypto framework mechanism name, hash */
    crypto_mech_type_t kef_cipher_mt;	/* resolved mechanism ids for the above */
    crypto_mech_type_t kef_hash_mt;
#endif	/* _KERNEL */
};
8817c478bdstevel@tonic-gate
/*
 * One row of the checksum-type table.  Which of keyhash / hash+DERIVE /
 * plain hash applies is decided by the rules in the comments below;
 * `flags' holds KRB5_CKSUMFLAG_* bits.
 */
struct krb5_cksumtypes {
    krb5_cksumtype ctype;
    unsigned int flags;		/* KRB5_CKSUMFLAG_* */
    char *in_string;
    char *out_string;
    /* if the hash is keyed, this is the etype it is keyed with.
       Actually, it can be keyed by any etype which has the same
       enc_provider as the specified etype.  DERIVE checksums can
       be keyed with any valid etype. */
    krb5_enctype keyed_etype;
    /* I can't statically initialize a union, so I'm just going to use
       two pointers here.  The keyhash is used if non-NULL.  If NULL,
       then HMAC/hash with derived keys is used if the relevant flag
       is set.  Otherwise, a non-keyed hash is computed.  This is all
       kind of messy, but so is the krb5 api. */
    const struct krb5_keyhash_provider *keyhash;
    const struct krb5_hash_provider *hash;
    /* This just gets uglier and uglier.  In the key derivation case,
       we produce an hmac.  To make the hmac code work, we can't hack
       the output size indicated by the hash provider, but we may want
       a truncated hmac.  If we want truncation, this is the number of
       bytes we truncate to; it should be 0 otherwise.  */
    unsigned int trunc_size;
#ifdef _KERNEL
    char *mt_c_name;		/* kernel crypto framework mechanism name for this checksum */
    crypto_mech_type_t kef_cksum_mt;
#endif /* _KERNEL */
};
9107c478bdstevel@tonic-gate
/* krb5_cksumtypes.flags bits. */
/* DERIVE: key the checksum with a usage-derived key (HMAC) when keyhash is NULL. */
#define KRB5_CKSUMFLAG_DERIVE		0x0001
/* NOT_COLL_PROOF: the name indicates a checksum that is not collision
   resistant; such a type should not be chosen where integrity against an
   active attacker matters — the enforcement point is not visible here. */
#define KRB5_CKSUMFLAG_NOT_COLL_PROOF	0x0002
9137c478bdstevel@tonic-gate
914159d09aMark Phalan/*
915159d09aMark Phalan * in here to deal with stuff from lib/crypto
916159d09aMark Phalan */
917159d09aMark Phalan
/*
 * RFC 3961 n-fold: stretch/compress `inbits' bits of `in' into `outbits'
 * bits at `out'.  Both sizes are in bits; `out' must be large enough for
 * outbits/8 bytes.
 */
void krb5_nfold
(unsigned int inbits, const unsigned char *in,
		unsigned int outbits, unsigned char *out);

/*
 * PBKDF2-HMAC-SHA1.  Parameters are unnamed here; presumably (context,
 * output, iteration count, enctype, passphrase, salt) — confirm the order
 * against the definition before calling.  The iteration count comes from
 * the KDC's s2kparams in the preauth path, so the caller is expected to
 * bound it.
 */
krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
					   const krb5_data *,
					   unsigned long,
					   krb5_enctype,
					   const krb5_data *,
					   const krb5_data *);
928159d09aMark Phalan
/* Make this a function eventually?  */
/*
 * krb5int_zap_data(ptr, len): overwrite len bytes at ptr with zeros before
 * the memory is freed or reused, so key material does not linger.
 * SecureZeroMemory is used on Windows because a plain memset whose
 * result is never read again may be dropped by the optimizer as a dead
 * store; the memset-based fallbacks below carry no such guarantee, so
 * they are best-effort rather than a hard zeroization barrier.
 */
#ifdef _WIN32
# define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
#elif defined(__palmos__) && !defined(__GNUC__)
/* CodeWarrior 8.3 complains about passing a pointer to volatile in to
   memset.  On the other hand, we probably want it for gcc.  */
# define krb5int_zap_data(ptr, len) memset(ptr, 0, len)
#else
# define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len)
# if defined(__GNUC__) && defined(__GLIBC__)
/* GNU libc generates multiple bogus initialization warnings if we
   pass memset a volatile pointer.  The compiler should do well enough
   with memset even without GNU libc's attempt at optimization.  */
# undef memset
# endif
#endif /* _WIN32 */
/* Short alias used throughout lib/crypto. */
#define zap(p,l) krb5int_zap_data(p,l)
946159d09aMark Phalan
947159d09aMark Phalan
/* init_state implementation shared by the DES-family enc providers. */
krb5_error_code krb5int_des_init_state
( krb5_context,
	const krb5_keyblock *,
	krb5_keyusage, krb5_data *);

/* Return the mandatory checksum type for an enctype (cf. required_ctype). */
krb5_error_code krb5int_c_mandatory_cksumtype(
	krb5_context,
	krb5_enctype,
	krb5_cksumtype *);
9577c478bdstevel@tonic-gate
/*
 * normally to free a cipher_state you can just memset the length to zero and
 * free it.
 */
/* Default free_state hook for providers whose state holds no extra resources. */
krb5_error_code krb5int_default_free_state
(krb5_context, krb5_data *);
964159d09aMark Phalan
9657c478bdstevel@tonic-gate
/*
 * Combine two keys (normally used by the hardware preauth mechanism)
 *
 * key1 and key2 must be of the same enctype, presumably; the contents of
 * outkey are allocated for the caller — confirm against the definition.
 */
krb5_error_code krb5int_c_combine_keys
(krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
		krb5_keyblock *outkey);
9727c478bdstevel@tonic-gate
9737c478bdstevel@tonic-gate
9747c478bdstevel@tonic-gate#ifdef _KERNEL
9757c478bdstevel@tonic-gate
/*
 * Kernel-only cipher entry point over the kernel crypto framework:
 * (input, output, length, key, ivec, encrypt/decrypt flag) — the order is
 * inferred from the types; confirm before adding callers.
 */
int k5_ef_crypto(
	const char *, char *,
	long, krb5_keyblock *,
	const krb5_data *, int);

/* Kernel HMAC: keyed directly from the keyblock; the hash is implied by the key's enctype. */
krb5_error_code
krb5_hmac(krb5_context, const krb5_keyblock *,
	krb5_const krb5_data *, krb5_data *);
9847c478bdstevel@tonic-gate
9857c478bdstevel@tonic-gate#else
/*
 * Userland HMAC over an explicit hash provider.  The unsigned int is the
 * number of input krb5_data items (mirroring krb5_hash_provider.hash's
 * icount), presumably; output must have room for hash->hashsize bytes.
 */
krb5_error_code krb5_hmac
	(krb5_context,
	krb5_const struct krb5_hash_provider *,
	krb5_const krb5_keyblock *, krb5_const unsigned int,
	krb5_const krb5_data *, krb5_data *);
9917c478bdstevel@tonic-gate
9927c478bdstevel@tonic-gate#endif /* _KERNEL */
9937c478bdstevel@tonic-gate
994505d05cgtb
/*
 * These declarations are here, so both krb5 and k5crypto
 * can get to them.
 * krb5 needs to get to them so it can  make them available to libgssapi.
 *
 * NOTE(review): these are the RC4/MD5 providers used by the arcfour-hmac
 * enctypes; they are exported for compatibility rather than as a
 * recommended choice.
 */
extern const struct krb5_enc_provider krb5int_enc_arcfour;
extern const struct krb5_hash_provider krb5int_hash_md5;
1002505d05cgtb
1003