1 /*
2  * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
3  */
4 /*
5  * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology,
6  * Cambridge, MA, USA.  All Rights Reserved.
7  *
8  * This software is being provided to you, the LICENSEE, by the
9  * Massachusetts Institute of Technology (M.I.T.) under the following
10  * license.  By obtaining, using and/or copying this software, you agree
11  * that you have read, understood, and will comply with these terms and
12  * conditions:
13  *
14  * Export of this software from the United States of America may
15  * require a specific license from the United States Government.
16  * It is the responsibility of any person or organization contemplating
17  * export to obtain such a license before exporting.
18  *
19  * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
20  * this software and its documentation for any purpose and without fee or
21  * royalty is hereby granted, provided that you agree to comply with the
22  * following copyright notice and statements, including the disclaimer, and
23  * that the same appear on ALL copies of the software and documentation,
24  * including modifications that you make for internal use or for
25  * distribution:
26  *
27  * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
28  * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
29  * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
30  * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
31  * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
32  * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
33  *
34  * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
35  * be used in advertising or publicity pertaining to distribution of the
36  * software.  Title to copyright in this software and any associated
37  * documentation shall at all times remain with M.I.T., and USER agrees to
38  * preserve same.
39  *
40  * Furthermore if you modify this software you must label
41  * your software as modified software and not distribute it in such a
42  * fashion that it might be confused with the original M.I.T. software.
43  */
44 
45 /*
46  * Copyright (C) 1998 by the FundsXpress, INC.
47  *
48  * All rights reserved.
49  *
50  * Export of this software from the United States of America may require
51  * a specific license from the United States Government.  It is the
52  * responsibility of any person or organization contemplating export to
53  * obtain such a license before exporting.
54  *
55  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
56  * distribute this software and its documentation for any purpose and
57  * without fee is hereby granted, provided that the above copyright
58  * notice appear in all copies and that both that copyright notice and
59  * this permission notice appear in supporting documentation, and that
60  * the name of FundsXpress. not be used in advertising or publicity pertaining
61  * to distribution of the software without specific, written prior
62  * permission.  FundsXpress makes no representations about the suitability of
63  * this software for any purpose.  It is provided "as is" without express
64  * or implied warranty.
65  *
66  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
67  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
68  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
69  */
70 
71 /*
72  * This prototype for k5-int.h (Krb5 internals include file)
73  * includes the user-visible definitions from krb5.h and then
74  * includes other definitions that are not user-visible but are
75  * required for compiling Kerberos internal routines.
76  *
77  * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
78  */
79 
80 #ifndef _KRB5_INT_H
81 #define _KRB5_INT_H
82 
83 #ifdef KRB5_GENERAL__
84 #error krb5.h included before k5-int.h
85 #endif /* KRB5_GENERAL__ */
86 
87 #ifndef	_KERNEL
88 #include <osconf.h>
89 #include <security/cryptoki.h>
90 #else
91 #include <sys/crypto/common.h>
92 #include <sys/crypto/api.h>
93 #endif
94 
95 #ifdef  DEBUG
96 #if !defined(KRB5_DEBUG)
97 #define KRB5_DEBUG
98 #endif
99 #ifndef  KRB5_LOG_LVL
100 #define KRB5_LOG_LVL KRB5_ERR
101 #endif
102 #endif  /* DEBUG */
103 
104 #ifdef  _KERNEL
105 
106 #ifdef  DEBUG
107 #include        <sys/types.h>
108 #include        <sys/cmn_err.h>
109  extern  void prom_printf();
110 #endif  /* DEBUG */
111 
112 #else   /* !_KERNEL */
113 
114 #define prom_printf printf
115 
116 #endif /* !_KERNEL */
117 
118 #ifdef KRB5_LOG_LVL
119 
120 /* krb5_log is used to set the logging level to determine what class of messages
121  * are output by the mech.  Note, more than one logging level can be used by
122  * bit or'ing the log values together.
123  *
124  * All log messages are captured by syslog.
125  */
126 
127 extern unsigned int krb5_log;
128 
129 /* Note, these defines should be mutually exclusive bit fields */
130 #define KRB5_ERR  1   /* Use this debug log level for error path logging. */
131 #define KRB5_INFO 2   /* Use this debug log level for informational messages. */
132 
133 #ifdef  _KERNEL
134 
135 #define KRB5_LOG1(A, B, C, D) \
136      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
137 #define KRB5_LOG(A, B, C) \
138      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
139 #define KRB5_LOG0(A, B)   \
140      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))
141 
142 #else	/* !_KERNEL */
143 
144 #include <syslog.h>
145 
146 #define KRB5_LOG1(A, B, C, D) \
147         ((void)((krb5_log) && (krb5_log & (A)) && \
148 		(syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
149 #define KRB5_LOG(A, B, C) \
150         ((void)((krb5_log) && (krb5_log & (A)) && \
151 		(syslog(LOG_DEBUG, (B), (C)), TRUE)))
152 #define KRB5_LOG0(A, B)   \
153         ((void)((krb5_log) && (krb5_log & (A)) && \
154 	       	(syslog(LOG_DEBUG, B), TRUE)))
155 
156 #endif	/* _KERNEL */
157 
158 #else /* ! KRB5_LOG_LVL */
159 
160 #define KRB5_LOG1(A, B, C, D)
161 #define KRB5_LOG(A, B, C)
162 #define KRB5_LOG0(A, B)
163 
164 #endif /* KRB5_LOG_LVL */
165 
166 #ifdef POSIX_TYPES
167 #define timetype time_t
168 #else
169 #define timetype long
170 #endif
171 
172 /*
173  * Begin "k5-config.h"
174  */
175 #ifndef KRB5_CONFIG__
176 #define KRB5_CONFIG__
177 
178 /*
179  * Machine-type definitions: PC Clone 386 running Microloss Windows
180  */
181 
182 #if defined(_MSDOS) || defined(_WIN32)
183 #include "win-mac.h"
184 
185 /* Kerberos Windows initialization file */
186 #define KERBEROS_INI	"kerberos.ini"
187 #define INI_FILES	"Files"
188 #define INI_KRB_CCACHE	"krb5cc"	/* Location of the ccache */
189 #define INI_KRB5_CONF	"krb5.ini"	/* Location of krb5.conf file */
190 #define ANSI_STDIO
191 #endif
192 
193 #ifndef _KERNEL
194 #ifndef KRB5_AUTOCONF__
195 #define KRB5_AUTOCONF__
196 #include "autoconf.h"
197 #endif
198 #endif 		/* !_KERNEL  */
199 
200 #ifndef KRB5_SYSTYPES__
201 #define KRB5_SYSTYPES__
202 
203 #ifndef _KERNEL
204 #ifdef HAVE_SYS_TYPES_H		/* From autoconf.h */
205 #include <sys/types.h>
206 #else /* HAVE_SYS_TYPES_H */
207 typedef unsigned long 	u_long;
208 typedef unsigned int	u_int;
209 typedef unsigned short	u_short;
210 typedef unsigned char	u_char;
211 #endif /* HAVE_SYS_TYPES_H */
212 #endif /* KRB5_SYSTYPES__ */
213 #endif 		/* !_KERNEL  */
214 
215 
216 /* #include "k5-platform.h" SUNW XXX */
217 /* not used in krb5.h (yet) */
218 typedef uint64_t krb5_ui_8;
219 typedef int64_t krb5_int64;
220 
221 
222 
223 #define DEFAULT_PWD_STRING1 "Enter password:"
224 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
225 #define	KRB5_KDB_MAX_LIFE	(60*60*24) /* one day */
226 #define	KRB5_KDB_MAX_RLIFE	(60*60*24*365) /* one year */
227 #define	KRB5_KDB_EXPIRATION	2145830400 /* Thu Jan  1 00:00:00 2038 UTC */
228 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
229 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */
230 
231 /*
232  * Windows requires a different api interface to each function. Here
233  * just define it as NULL.
234  */
235 #ifndef KRB5_CALLCONV
236 #define KRB5_CALLCONV
237 #define KRB5_CALLCONV_C
238 #endif
239 #ifndef O_BINARY
240 #define O_BINARY 0
241 #endif
242 
243 #endif /* KRB5_CONFIG__ */
244 
245 /*
246  * End "k5-config.h"
247  */
248 
249 /*
250  * After loading the configuration definitions, load the Kerberos definitions.
251  */
252 #ifndef _KERNEL
253 #include <errno.h>
254 #include "profile.h"
255 #endif
256 
257 #include <krb5.h>
258 
259 #ifndef _KERNEL
260 #if 1 /* def NEED_SOCKETS */
261 #include <port-sockets.h>
262 #include <socket-utils.h>
263 #else
264 #ifndef SOCK_DGRAM
265 struct sockaddr;
266 #endif
267 #endif
268 #endif
269 
270 /* Get mutex support; currently used only for the replay cache.  */
271 #include "k5-thread.h"
272 
273 
274 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
275    The ones that it doesn't include, we include below.  */
276 
277 /*
278  * Begin "k5-errors.h"
279  */
280 #ifndef KRB5_ERRORS__
281 #define KRB5_ERRORS__
282 
283 
284 /* Error codes used in KRB_ERROR protocol messages.
285    Return values of library routines are based on a different error table
286    (which allows non-ambiguous error codes between subsystems) */
287 
288 /* KDC errors */
289 #define	KDC_ERR_NONE			0 /* No error */
290 #define	KDC_ERR_NAME_EXP		1 /* Client's entry in DB expired */
291 #define	KDC_ERR_SERVICE_EXP		2 /* Server's entry in DB expired */
292 #define	KDC_ERR_BAD_PVNO		3 /* Requested pvno not supported */
293 #define	KDC_ERR_C_OLD_MAST_KVNO		4 /* C's key encrypted in old master */
294 #define	KDC_ERR_S_OLD_MAST_KVNO		5 /* S's key encrypted in old master */
295 #define	KDC_ERR_C_PRINCIPAL_UNKNOWN	6 /* Client not found in Kerberos DB */
296 #define	KDC_ERR_S_PRINCIPAL_UNKNOWN	7 /* Server not found in Kerberos DB */
297 #define	KDC_ERR_PRINCIPAL_NOT_UNIQUE	8 /* Multiple entries in Kerberos DB */
298 #define	KDC_ERR_NULL_KEY		9 /* The C or S has a null key */
299 #define	KDC_ERR_CANNOT_POSTDATE		10 /* Tkt ineligible for postdating */
300 #define	KDC_ERR_NEVER_VALID		11 /* Requested starttime > endtime */
301 #define	KDC_ERR_POLICY			12 /* KDC policy rejects request */
302 #define	KDC_ERR_BADOPTION		13 /* KDC can't do requested opt. */
303 #define	KDC_ERR_ENCTYPE_NOSUPP		14 /* No support for encryption type */
304 #define KDC_ERR_SUMTYPE_NOSUPP		15 /* No support for checksum type */
305 #define KDC_ERR_PADATA_TYPE_NOSUPP	16 /* No support for padata type */
306 #define KDC_ERR_TRTYPE_NOSUPP		17 /* No support for transited type */
307 #define KDC_ERR_CLIENT_REVOKED		18 /* C's creds have been revoked */
308 #define KDC_ERR_SERVICE_REVOKED		19 /* S's creds have been revoked */
309 #define KDC_ERR_TGT_REVOKED		20 /* TGT has been revoked */
310 #define KDC_ERR_CLIENT_NOTYET		21 /* C not yet valid */
311 #define KDC_ERR_SERVICE_NOTYET		22 /* S not yet valid */
312 #define KDC_ERR_KEY_EXP			23 /* Password has expired */
313 #define KDC_ERR_PREAUTH_FAILED		24 /* Preauthentication failed */
314 #define KDC_ERR_PREAUTH_REQUIRED	25 /* Additional preauthentication */
315 					   /* required */
316 #define KDC_ERR_SERVER_NOMATCH		26 /* Requested server and */
317 					   /* ticket don't match*/
318 #define KDC_ERR_MUST_USE_USER2USER      27 /* Server principal valid for */
319 					   /*   user2user only */
320 #define KDC_ERR_PATH_NOT_ACCEPTED       28 /* KDC policy rejected transited */
321 					   /*   path */
322 #define KDC_ERR_SVC_UNAVAILABLE		29 /* A service is not
323 					    * available that is
324 					    * required to process the
325 					    * request */
326 /* Application errors */
327 #define	KRB_AP_ERR_BAD_INTEGRITY 31	/* Decrypt integrity check failed */
328 #define	KRB_AP_ERR_TKT_EXPIRED	32	/* Ticket expired */
329 #define	KRB_AP_ERR_TKT_NYV	33	/* Ticket not yet valid */
330 #define	KRB_AP_ERR_REPEAT	34	/* Request is a replay */
331 #define	KRB_AP_ERR_NOT_US	35	/* The ticket isn't for us */
332 #define	KRB_AP_ERR_BADMATCH	36	/* Ticket/authenticator don't match */
333 #define	KRB_AP_ERR_SKEW		37	/* Clock skew too great */
334 #define	KRB_AP_ERR_BADADDR	38	/* Incorrect net address */
335 #define	KRB_AP_ERR_BADVERSION	39	/* Protocol version mismatch */
336 #define	KRB_AP_ERR_MSG_TYPE	40	/* Invalid message type */
337 #define	KRB_AP_ERR_MODIFIED	41	/* Message stream modified */
338 #define	KRB_AP_ERR_BADORDER	42	/* Message out of order */
339 #define	KRB_AP_ERR_BADKEYVER	44	/* Key version is not available */
340 #define	KRB_AP_ERR_NOKEY	45	/* Service key not available */
341 #define	KRB_AP_ERR_MUT_FAIL	46	/* Mutual authentication failed */
342 #define KRB_AP_ERR_BADDIRECTION	47 	/* Incorrect message direction */
343 #define KRB_AP_ERR_METHOD	48 	/* Alternative authentication */
344 					/* method required */
345 #define KRB_AP_ERR_BADSEQ	49 	/* Incorrect sequence numnber */
346 					/* in message */
347 #define KRB_AP_ERR_INAPP_CKSUM	50	/* Inappropriate type of */
348 					/* checksum in message */
349 #define KRB_AP_PATH_NOT_ACCEPTED 51	/* Policy rejects transited path */
350 #define KRB_ERR_RESPONSE_TOO_BIG 52	/* Response too big for UDP, */
351 					/*   retry with TCP */
352 
353 /* other errors */
354 #define KRB_ERR_GENERIC		60 	/* Generic error (description */
355 					/* in e-text) */
356 #define	KRB_ERR_FIELD_TOOLONG	61	/* Field is too long for impl. */
357 
358 /* PKINIT server-reported errors */
359 #define KDC_ERR_CLIENT_NOT_TRUSTED		62 /* client cert not trusted */
360 #define KDC_ERR_INVALID_SIG			64 /* client signature verify failed */
361 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED	65 /* invalid Diffie-Hellman parameters */
362 #define KDC_ERR_CERTIFICATE_MISMATCH            66
363 #define KRB_AP_ERR_NO_TGT                       67
364 #define KDC_ERR_WRONG_REALM                     68
365 #define KRB_AP_ERR_USER_TO_USER_REQUIRED        69
366 #define KDC_ERR_CANT_VERIFY_CERTIFICATE         70 /* client cert not verifiable
367  to */
368 						   /* trusted root cert */
369 #define KDC_ERR_INVALID_CERTIFICATE		71 /* client cert had invalid signature */
370 #define KDC_ERR_REVOKED_CERTIFICATE		72 /* client cert was revoked */
371 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN	73 /* client cert revoked, reason unknown */
372 #define KDC_ERR_CLIENT_NAME_MISMATCH		75 /* mismatch between client cert and */
373 						   /* principal name */
374 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE	77 /* bad extended key use */
375 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED	78 /* bad digest algorithm in client cert */
376 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED	79 /* missing paChecksum in PA-PK-AS-REQ */
377 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
378 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
379 
380 #endif /* KRB5_ERRORS__ */
381 /*
382  * End "k5-errors.h"
383  */
384 
385 /*
386  * This structure is returned in the e-data field of the KRB-ERROR
387  * message when the error calling for an alternative form of
388  * authentication is returned, KRB_AP_METHOD.
389  */
390 typedef struct _krb5_alt_method {
391 	krb5_magic	magic;
392 	krb5_int32	method;
393 	unsigned int	length;
394 	krb5_octet	*data;
395 } krb5_alt_method;
396 
397 /*
398  * A null-terminated array of this structure is returned by the KDC as
399  * the data part of the ETYPE_INFO preauth type.  It informs the
400  * client which encryption types are supported.
401  * The  same data structure is used by both etype-info and etype-info2
402  * but s2kparams must be null when encoding etype-info.
403  */
404 typedef struct _krb5_etype_info_entry {
405 	krb5_magic	magic;
406 	krb5_enctype	etype;
407 	unsigned int	length;
408 	krb5_octet	*salt;
409     krb5_data s2kparams;
410 } krb5_etype_info_entry;
411 
412 /*
413  *  This is essentially -1 without sign extension which can screw up
414  *  comparisons on 64 bit machines. If the length is this value, then
415  *  the salt data is not present. This is to distinguish between not
416  *  being set and being of 0 length.
417  */
418 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
419 
420 typedef krb5_etype_info_entry ** krb5_etype_info;
421 
422 /* RFC 4537 */
423 typedef struct _krb5_etype_list {
424         int             length;
425         krb5_enctype    *etypes;
426 } krb5_etype_list;
427 
428 /*
429  * a sam_challenge is returned for alternate preauth
430  */
431 /*
432           SAMFlags ::= BIT STRING {
433               use-sad-as-key[0],
434               send-encrypted-sad[1],
435               must-pk-encrypt-sad[2]
436           }
437  */
438 /*
439           PA-SAM-CHALLENGE ::= SEQUENCE {
440               sam-type[0]                 INTEGER,
441               sam-flags[1]                SAMFlags,
442               sam-type-name[2]            GeneralString OPTIONAL,
443               sam-track-id[3]             GeneralString OPTIONAL,
444               sam-challenge-label[4]      GeneralString OPTIONAL,
445               sam-challenge[5]            GeneralString OPTIONAL,
446               sam-response-prompt[6]      GeneralString OPTIONAL,
447               sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
448               sam-nonce[8]                INTEGER OPTIONAL,
449               sam-cksum[9]                Checksum OPTIONAL
450           }
451 */
452 /* sam_type values -- informational only */
453 #define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
454 #define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
455 #define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
456 #define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
457 #define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
458 #define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
459 #if 1 /* XXX need to figure out who has which numbers assigned */
460 #define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
461 #define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
462 #define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
463 #endif
464 #define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
465 #define PA_SAM_TYPE_GRAIL		(PA_SAM_TYPE_EXP_BASE+0) /* testing */
466 #define PA_SAM_TYPE_SECURID_PREDICT	(PA_SAM_TYPE_EXP_BASE+1) /* special */
467 
468 typedef struct _krb5_predicted_sam_response {
469 	krb5_magic	magic;
470 	krb5_keyblock	sam_key;
471 	krb5_flags	sam_flags; /* Makes key munging easier */
472 	krb5_timestamp  stime;	/* time on server, for replay detection */
473 	krb5_int32      susec;
474 	krb5_principal  client;
475 	krb5_data       msd;	/* mechanism specific data */
476 } krb5_predicted_sam_response;
477 
478 typedef struct _krb5_sam_challenge {
479 	krb5_magic	magic;
480 	krb5_int32	sam_type; /* information */
481 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
482 	krb5_data	sam_type_name;
483 	krb5_data	sam_track_id;
484 	krb5_data	sam_challenge_label;
485 	krb5_data	sam_challenge;
486 	krb5_data	sam_response_prompt;
487 	krb5_data	sam_pk_for_sad;
488 	krb5_int32	sam_nonce;
489 	krb5_checksum	sam_cksum;
490 } krb5_sam_challenge;
491 
492 typedef struct _krb5_sam_key {	/* reserved for future use */
493 	krb5_magic	magic;
494 	krb5_keyblock	sam_key;
495 } krb5_sam_key;
496 
497 typedef struct _krb5_enc_sam_response_enc {
498 	krb5_magic	magic;
499 	krb5_int32	sam_nonce;
500 	krb5_timestamp	sam_timestamp;
501 	krb5_int32	sam_usec;
502 	krb5_data	sam_sad;
503 } krb5_enc_sam_response_enc;
504 
505 typedef struct _krb5_sam_response {
506 	krb5_magic	magic;
507 	krb5_int32	sam_type; /* informational */
508 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
509 	krb5_data	sam_track_id; /* copied */
510 	krb5_enc_data	sam_enc_key; /* krb5_sam_key - future use */
511 	krb5_enc_data	sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
512 	krb5_int32	sam_nonce;
513 	krb5_timestamp	sam_patimestamp;
514 } krb5_sam_response;
515 
516 typedef struct _krb5_sam_challenge_2 {
517 	krb5_data	sam_challenge_2_body;
518 	krb5_checksum	**sam_cksum;		/* Array of checksums */
519 } krb5_sam_challenge_2;
520 
521 typedef struct _krb5_sam_challenge_2_body {
522 	krb5_magic	magic;
523 	krb5_int32	sam_type; /* information */
524 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
525 	krb5_data	sam_type_name;
526 	krb5_data	sam_track_id;
527 	krb5_data	sam_challenge_label;
528 	krb5_data	sam_challenge;
529 	krb5_data	sam_response_prompt;
530 	krb5_data	sam_pk_for_sad;
531 	krb5_int32	sam_nonce;
532 	krb5_enctype	sam_etype;
533 } krb5_sam_challenge_2_body;
534 
535 typedef struct _krb5_sam_response_2 {
536 	krb5_magic	magic;
537 	krb5_int32	sam_type; /* informational */
538 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
539 	krb5_data	sam_track_id; /* copied */
540 	krb5_enc_data	sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
541 	krb5_int32	sam_nonce;
542 } krb5_sam_response_2;
543 
544 typedef struct _krb5_enc_sam_response_enc_2 {
545 	krb5_magic	magic;
546 	krb5_int32	sam_nonce;
547 	krb5_data	sam_sad;
548 } krb5_enc_sam_response_enc_2;
549 
550 /*
551  * Keep the pkinit definitions in a separate file so that the plugin
552  * only has to include k5-int-pkinit.h rather than k5-int.h
553  */
554 
555 #include "k5-int-pkinit.h"
556 
557 /*
558  * Begin "dbm.h"
559  */
560 #ifndef _KERNEL
561 
562 /*
563  * Since we are always using db, use the db-ndbm include header file.
564  */
565 
566 #include "db-ndbm.h"
567 
568 #endif /* !KERNEL */
569 /*
570  * End "dbm.h"
571  */
572 
573 /*
574  * Begin "ext-proto.h"
575  */
576 #ifndef KRB5_EXT_PROTO__
577 #define KRB5_EXT_PROTO__
578 
579 #ifndef _KERNEL
580 #include <stdlib.h>
581 #include <string.h>
582 #endif /* !_KERNEL */
583 
584 #ifndef HAVE_STRDUP
585 extern char *strdup (const char *);
586 #endif
587 
588 #ifndef _KERNEL
589 #ifdef HAVE_UNISTD_H
590 #include <unistd.h>
591 #endif
592 #endif /* !_KERNEL */
593 
594 #endif /* KRB5_EXT_PROTO__ */
595 /*
596  * End "ext-proto.h"
597  */
598 
599 /*
600  * Begin "sysincl.h"
601  */
602 #ifndef KRB5_SYSINCL__
603 #define KRB5_SYSINCL__
604 
605 #ifndef KRB5_SYSTYPES__
606 #define KRB5_SYSTYPES__
607 /* needed for much of the rest -- but already handled in krb5.h? */
608 /* #include <sys/types.h> */
609 #endif /* KRB5_SYSTYPES__ */
610 
611 #ifdef	_KERNEL
612 #include <sys/time.h>
613 #else
614 #ifdef HAVE_SYS_TIME_H
615 #include <sys/time.h>
616 #ifdef TIME_WITH_SYS_TIME
617 #include <time.h>
618 #endif
619 #else
620 #include <time.h>
621 #endif
622 #endif /* _KERNEL */
623 
624 #ifdef HAVE_SYS_STAT_H
625 #include <sys/stat.h>			/* struct stat, stat() */
626 #endif
627 
628 #ifdef HAVE_SYS_PARAM_H
629 #include <sys/param.h>			/* MAXPATHLEN */
630 #endif
631 
632 #ifdef HAVE_SYS_FILE_H
633 #include <sys/file.h>			/* prototypes for file-related
634 					   syscalls; flags for open &
635 					   friends */
636 #endif
637 
638 #ifdef _KERNEL
639 #include <sys/fcntl.h>
640 #else
641 #include <fcntl.h>
642 #endif
643 
644 #endif /* KRB5_SYSINCL__ */
645 /*
646  * End "sysincl.h"
647  */
648 
649 /*
650  * Begin "los-proto.h"
651  */
652 #ifndef KRB5_LIBOS_PROTO__
653 #define KRB5_LIBOS_PROTO__
654 #endif
655 
656 #ifndef	_KERNEL
657 #include <stdio.h>
658 
659 struct addrlist;
660 struct sendto_callback_info;
661 #endif
662 
663 /* libos.spec */
664 krb5_error_code krb5_lock_file (krb5_context, int, int);
665 krb5_error_code krb5_unlock_file (krb5_context, int);
666 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *,
667 				 const krb5_data *, krb5_data *, int *, int);
668 /* Solaris Kerberos */
669 krb5_error_code krb5_sendto_kdc2 (krb5_context, const krb5_data *,
670 				const krb5_data *, krb5_data *, int *, int,
671 				char **);
672 
673 
674 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
675 krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
676 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname);
677 
678 int krb5_net_read (krb5_context, int , char *, int);
679 
680 int krb5_net_write
681 	(krb5_context, int , const char *, int);
682 
683 
684 krb5_error_code krb5_gen_replay_name
685     (krb5_context, const krb5_address *, const char *, char **);
686 
687 
688 #ifndef	_KERNEL
689 
690 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp);
691 
692 krb5_error_code
693 krb5_open_pkcs11_session(CK_SESSION_HANDLE *);
694 
695 
696 krb5_error_code krb5_read_message
697 	(krb5_context, krb5_pointer, krb5_data *);
698 
699 krb5_error_code krb5_write_message
700 	(krb5_context, krb5_pointer, krb5_data *);
701 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
702                 const struct addrlist *addrs, struct sendto_callback_info* callback_info,
703 				krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
704                 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
705 		int (*msg_handler)(krb5_context, const krb5_data *, void *),
706 		void *msg_handler_data);
707 
708 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
709 
710 krb5_error_code krb5_set_debugging_time
711         (krb5_context, krb5_timestamp, krb5_int32);
712 krb5_error_code krb5_use_natural_time
713         (krb5_context);
714 krb5_error_code krb5_set_time_offsets
715         (krb5_context, krb5_timestamp, krb5_int32);
716 krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
717 #endif
718 
719 /*
720  * Solaris Kerberos
721  * The following two functions are needed for better realm
722  * determination based on the DNS domain name.
723  */
724 krb5_error_code krb5int_lookup_host(int , const char *, char **);
725 
726 krb5_error_code krb5int_domain_get_realm(krb5_context, const char *,
727     char **);
728 krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *,
729     char **);
730 
731 krb5_error_code krb5int_init_context_kdc(krb5_context *);
732 
733 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean);
734 
735 void krb5_os_free_context (krb5_context);
736 
737 /* This function is needed by KfM's KerberosPreferences API
738  * because it needs to be able to specify "secure" */
739 #ifndef _KERNEL
740 krb5_error_code os_get_default_config_files
741     (profile_filespec_t **pfiles, krb5_boolean secure);
742 #endif
743 
744 krb5_error_code krb5_os_hostaddr
745 	(krb5_context, const char *, krb5_address ***);
746 
747 #ifndef _KERNEL
748 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
749    going to use this structure.  */
750 struct addrlist {
751     struct {
752 #ifdef FAI_DEFINED
753 	struct addrinfo *ai;
754 #else
755 	struct undefined_addrinfo *ai;
756 #endif
757 	void (*freefn)(void *);
758 	void *data;
759     } *addrs;
760     int naddrs;
761     int space;
762 };
763 #define ADDRLIST_INIT { 0, 0, 0 }
764 extern void krb5int_free_addrlist (struct addrlist *);
765 extern int krb5int_grow_addrlist (struct addrlist *, int);
766 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
767 				     int, int, int, int);
768 
769 #include <locate_plugin.h>
770 krb5_error_code
771 krb5int_locate_server (krb5_context, const krb5_data *realm,
772 		       struct addrlist *, enum locate_service_type svc,
773 		       int sockettype, int family);
774 
775 #endif /* _KERNEL */
776 
777 /* new encryption provider api */
778 
779 struct krb5_enc_provider {
780     /* keybytes is the input size to make_key;
781        keylength is the output size */
782     size_t block_size, keybytes, keylength;
783 
784     /* cipher-state == 0 fresh state thrown away at end */
785     krb5_error_code (*encrypt) (
786 	krb5_context context,
787 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
788 	krb5_const krb5_data *input, krb5_data *output);
789 
790     krb5_error_code (*decrypt) (
791 	krb5_context context,
792 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
793 	krb5_const krb5_data *input, krb5_data *output);
794 
795     krb5_error_code (*make_key)
796     (krb5_context, krb5_const krb5_data *, krb5_keyblock *);
797 
798     krb5_error_code (*init_state) (krb5_context,
799 			const krb5_keyblock *,
800 			krb5_keyusage, krb5_data *);
801     krb5_error_code (*free_state) (krb5_context, krb5_data *);
802 
803 };
804 
805 struct krb5_hash_provider {
806     size_t hashsize, blocksize;
807 
808     /* this takes multiple inputs to avoid lots of copying. */
809     krb5_error_code (*hash) (krb5_context context,
810 	unsigned int icount, krb5_const krb5_data *input,
811 	krb5_data *output);
812 };
813 
814 struct krb5_keyhash_provider {
815     size_t hashsize;
816 
817     krb5_error_code (*hash) (
818 	krb5_context context,
819 	krb5_const krb5_keyblock *key,
820 	krb5_keyusage keyusage,
821 	krb5_const krb5_data *ivec,
822 	krb5_const krb5_data *input, krb5_data *output);
823 
824     krb5_error_code (*verify) (
825 	krb5_context context,
826 	krb5_const krb5_keyblock *key,
827 	krb5_keyusage keyusage,
828 	krb5_const krb5_data *ivec,
829 	krb5_const krb5_data *input,
830 	krb5_const krb5_data *hash,
831 	krb5_boolean *valid);
832 
833 };
834 
835 typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
836   const struct krb5_hash_provider *hash,
837   size_t inputlen, size_t *length);
838 
839 typedef krb5_error_code (*krb5_crypt_func) (
840   krb5_context context,
841   krb5_const struct krb5_enc_provider *enc,
842   krb5_const struct krb5_hash_provider *hash,
843   krb5_const krb5_keyblock *key, krb5_keyusage usage,
844   krb5_const krb5_data *ivec,
845   krb5_const krb5_data *input, krb5_data *output);
846 
847 #ifndef	_KERNEL
848 typedef krb5_error_code (*krb5_str2key_func) (
849   krb5_context context,
850   krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
851   krb5_const krb5_data *salt, krb5_const krb5_data *params,
852   krb5_keyblock *key);
853 #endif	/* _KERNEL */
854 
855 typedef krb5_error_code (*krb5_prf_func)(
856 					 const struct krb5_enc_provider *enc,
857 					 const struct krb5_hash_provider *hash,
858 					 const krb5_keyblock *key,
859 					 const krb5_data *in, krb5_data *out);
860 
861 struct krb5_keytypes {
862     krb5_enctype etype;
863     char *in_string;
864     char *out_string;
865     const struct krb5_enc_provider *enc;
866     const struct krb5_hash_provider *hash;
867     krb5_encrypt_length_func encrypt_len;
868     krb5_crypt_func encrypt;
869     krb5_crypt_func decrypt;
870     krb5_cksumtype required_ctype;
871 #ifndef	_KERNEL
872     /* Solaris Kerberos:  strings to key conversion not done in the kernel */
873     krb5_str2key_func str2key;
874 #else	/* _KERNEL */
875     char *mt_e_name;
876     char *mt_h_name;
877     crypto_mech_type_t kef_cipher_mt;
878     crypto_mech_type_t kef_hash_mt;
879 #endif	/* _KERNEL */
880 };
881 
882 struct krb5_cksumtypes {
883     krb5_cksumtype ctype;
884     unsigned int flags;
885     char *in_string;
886     char *out_string;
887     /* if the hash is keyed, this is the etype it is keyed with.
888        Actually, it can be keyed by any etype which has the same
889        enc_provider as the specified etype.  DERIVE checksums can
890        be keyed with any valid etype. */
891     krb5_enctype keyed_etype;
892     /* I can't statically initialize a union, so I'm just going to use
893        two pointers here.  The keyhash is used if non-NULL.  If NULL,
894        then HMAC/hash with derived keys is used if the relevant flag
895        is set.  Otherwise, a non-keyed hash is computed.  This is all
896        kind of messy, but so is the krb5 api. */
897     const struct krb5_keyhash_provider *keyhash;
898     const struct krb5_hash_provider *hash;
899     /* This just gets uglier and uglier.  In the key derivation case,
900        we produce an hmac.  To make the hmac code work, we can't hack
901        the output size indicated by the hash provider, but we may want
902        a truncated hmac.  If we want truncation, this is the number of
903        bytes we truncate to; it should be 0 otherwise.  */
904     unsigned int trunc_size;
905 #ifdef _KERNEL
906     char *mt_c_name;
907     crypto_mech_type_t kef_cksum_mt;
908 #endif /* _KERNEL */
909 };
910 
911 #define KRB5_CKSUMFLAG_DERIVE		0x0001
912 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF	0x0002
913 
914 /*
915  * in here to deal with stuff from lib/crypto
916  */
917 
918 void krb5_nfold
919 (unsigned int inbits, const unsigned char *in,
920 		unsigned int outbits, unsigned char *out);
921 
922 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
923 					   const krb5_data *,
924 					   unsigned long,
925 					   krb5_enctype,
926 					   const krb5_data *,
927 					   const krb5_data *);
928 
929 /* Make this a function eventually?  */
930 #ifdef _WIN32
931 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
932 #elif defined(__palmos__) && !defined(__GNUC__)
933 /* CodeWarrior 8.3 complains about passing a pointer to volatile in to
934    memset.  On the other hand, we probably want it for gcc.  */
935 # define krb5int_zap_data(ptr, len) memset(ptr, 0, len)
936 #else
937 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len)
938 # if defined(__GNUC__) && defined(__GLIBC__)
939 /* GNU libc generates multiple bogus initialization warnings if we
940    pass memset a volatile pointer.  The compiler should do well enough
941    with memset even without GNU libc's attempt at optimization.  */
942 # undef memset
943 # endif
944 #endif /* WIN32 */
945 #define zap(p,l) krb5int_zap_data(p,l)
946 
947 
948 krb5_error_code krb5int_des_init_state
949 ( krb5_context,
950 	const krb5_keyblock *,
951 	krb5_keyusage, krb5_data *);
952 
953 krb5_error_code krb5int_c_mandatory_cksumtype(
954 	krb5_context,
955 	krb5_enctype,
956 	krb5_cksumtype *);
957 
958 /*
959  * normally to free a cipher_state you can just memset the length to zero and
960  * free it.
961  */
962 krb5_error_code krb5int_default_free_state
963 (krb5_context, krb5_data *);
964 
965 
966 /*
967  * Combine two keys (normally used by the hardware preauth mechanism)
968  */
969 krb5_error_code krb5int_c_combine_keys
970 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
971 		krb5_keyblock *outkey);
972 
973 
974 #ifdef _KERNEL
975 
976 int k5_ef_crypto(
977 	const char *, char *,
978 	long, krb5_keyblock *,
979 	const krb5_data *, int);
980 
981 krb5_error_code
982 krb5_hmac(krb5_context, const krb5_keyblock *,
983 	krb5_const krb5_data *, krb5_data *);
984 
985 #else
986 krb5_error_code krb5_hmac
987 	(krb5_context,
988 	krb5_const struct krb5_hash_provider *,
989 	krb5_const krb5_keyblock *, krb5_const unsigned int,
990 	krb5_const krb5_data *, krb5_data *);
991 
992 #endif /* _KERNEL */
993 
994 
995 /*
996  * These declarations are here, so both krb5 and k5crypto
997  * can get to them.
998  * krb5 needs to get to them so it can  make them available to libgssapi.
999  */
1000 extern const struct krb5_enc_provider krb5int_enc_arcfour;
1001 extern const struct krb5_hash_provider krb5int_hash_md5;
1002 
1003 
1004 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */
1005 
1006 krb5_error_code krb5_crypto_us_timeofday
1007 	(krb5_int32 *,
1008 		krb5_int32 *);
1009 
1010 #ifndef _KERNEL
1011 /* Solaris kerberos: for convenience */
1012 time_t krb5int_gmt_mktime (struct tm *);
1013 #endif /* ! _KERNEL */
1014 
1015 /* #endif KRB5_OLD_CRYPTO */
1016 
1017 /* this helper fct is in libkrb5, but it makes sense declared here. */
1018 
1019 krb5_error_code krb5_encrypt_helper
1020 (krb5_context context, const krb5_keyblock *key,
1021 		krb5_keyusage keyusage, const krb5_data *plain,
1022 		krb5_enc_data *cipher);
1023 
1024 /*
1025  * End "los-proto.h"
1026  */
1027 
1028 /*
1029  * Begin "libos.h"
1030  */
1031 #ifndef KRB5_LIBOS__
1032 #define KRB5_LIBOS__
1033 
1034 typedef struct _krb5_os_context {
1035 	krb5_magic		magic;
1036 	krb5_int32		time_offset;
1037 	krb5_int32		usec_offset;
1038 	krb5_int32		os_flags;
1039 	char *			default_ccname;
1040 } *krb5_os_context;
1041 
1042 /*
1043  * Flags for the os_flags field
1044  *
1045  * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
1046  * The intention is that this facility to correct the system clocks so
1047  * that they reflect the "real" time, for systems where for some
1048  * reason we can't set the system clock.  Instead we calculate the
1049  * offset between the system time and real time, and store the offset
1050  * in the os context so that we can correct the system clock as necessary.
1051  *
1052  * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
1053  * returned as the time by the krb5 time routines.  This should only
1054  * be used for testing purposes (obviously!)
1055  */
1056 #define KRB5_OS_TOFFSET_VALID	1
1057 #define KRB5_OS_TOFFSET_TIME	2
1058 
1059 /* lock mode flags */
1060 #define	KRB5_LOCKMODE_SHARED	0x0001
1061 #define	KRB5_LOCKMODE_EXCLUSIVE	0x0002
1062 #define	KRB5_LOCKMODE_DONTBLOCK	0x0004
1063 #define	KRB5_LOCKMODE_UNLOCK	0x0008
1064 
1065 #endif /* KRB5_LIBOS__ */
1066 /*
1067  * End "libos.h"
1068  */
1069 
1070 /*
1071  * Define our view of the size of a DES key.
1072  */
1073 #define	KRB5_MIT_DES_KEYSIZE		8
1074 /*
1075  * Define a couple of SHA1 constants
1076  */
1077 #define	SHS_DATASIZE	64
1078 #define	SHS_DIGESTSIZE	20
1079 
1080 /*
1081  * Check if des_int.h has been included before us.  If so, then check to see
1082  * that our view of the DES key size is the same as des_int.h's.
1083  */
1084 #ifdef	MIT_DES_KEYSIZE
1085 #if	MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
1086 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
1087 #endif	/* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
1088 #endif	/* MIT_DES_KEYSIZE */
1089 
1090 #ifndef _KERNEL
1091 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are
1092  * defined.
1093  */
1094 #define PROVIDE_DES3_CBC_SHA 1
1095 #define PROVIDE_NIST_SHA 1
1096 
1097 #endif /* !_KERNEL */
1098 
1099 /*
1100  * Begin "preauth.h"
1101  *
1102  * (Originally written by Glen Machin at Sandia Labs.)
1103  */
1104 /*
1105  * Sandia National Laboratories also makes no representations about the
1106  * suitability of the modifications, or additions to this software for
1107  * any purpose.  It is provided "as is" without express or implied warranty.
1108  *
1109  */
1110 #ifndef KRB5_PREAUTH__
1111 #define KRB5_PREAUTH__
1112 
1113 #include <preauth_plugin.h>
1114 
1115 #define CLIENT_ROCK_MAGIC 0x4352434b
1116 /* This structure is passed into the client preauth functions and passed
1117  * back to the "get_data_proc" function so that it can locate the
1118  * requested information.  It is opaque to the plugin code and can be
1119  * expanded in the future as new types of requests are defined which
1120  * may require other things to be passed through. */
1121 typedef struct _krb5_preauth_client_rock {
1122 	krb5_magic	magic;
1123 	krb5_kdc_rep	*as_reply;
1124 } krb5_preauth_client_rock;
1125 
1126 /* This structure lets us keep track of all of the modules which are loaded,
1127  * turning the list of modules and their lists of implemented preauth types
1128  * into a single list which we can walk easily. */
1129 typedef struct _krb5_preauth_context {
1130     int n_modules;
1131     struct _krb5_preauth_context_module {
1132 	/* Which of the possibly more than one preauth types which the
1133 	 * module supports we're using at this point in the list. */
1134 	krb5_preauthtype pa_type;
1135 	/* Encryption types which the client claims to support -- we
1136 	 * copy them directly into the krb5_kdc_req structure during
1137 	 * krb5_preauth_prepare_request(). */
1138 	krb5_enctype *enctypes;
1139 	/* The plugin's per-plugin context and a function to clear it. */
1140 	void *plugin_context;
1141 	preauth_client_plugin_fini_proc client_fini;
1142 	/* The module's table, and some of its members, copied here for
1143 	 * convenience when we populated the list. */
1144 	struct krb5plugin_preauth_client_ftable_v1 *ftable;
1145 	const char *name;
1146 	int flags, use_count;
1147 	preauth_client_process_proc client_process;
1148 	preauth_client_tryagain_proc client_tryagain;
1149 	preauth_client_supply_gic_opts_proc client_supply_gic_opts;
1150 	preauth_client_request_init_proc client_req_init;
1151 	preauth_client_request_fini_proc client_req_fini;
1152 	/* The per-request context which the client_req_init() function
1153 	 * might allocate, which we'll need to clean up later by
1154 	 * calling the client_req_fini() function. */
1155 	void *request_context;
1156 	/* A pointer to the request_context pointer.  All modules within
1157 	 * a plugin will point at the request_context of the first
1158 	 * module within the plugin. */
1159 	void **request_context_pp;
1160     } *modules;
1161 } krb5_preauth_context;
1162 
1163 typedef struct _krb5_pa_enc_ts {
1164     krb5_timestamp	patimestamp;
1165     krb5_int32		pausec;
1166 } krb5_pa_enc_ts;
1167 
1168 typedef struct _krb5_pa_for_user {
1169     krb5_principal      user;
1170     krb5_checksum       cksum;
1171     krb5_data           auth_package;
1172 } krb5_pa_for_user;
1173 
1174 enum {
1175   KRB5_FAST_ARMOR_AP_REQUEST = 0x1
1176 };
1177 
1178 typedef struct _krb5_fast_armor {
1179     krb5_int32 armor_type;
1180     krb5_data armor_value;
1181 } krb5_fast_armor;
1182 typedef struct _krb5_fast_armored_req {
1183     krb5_magic magic;
1184     krb5_fast_armor *armor;
1185     krb5_checksum req_checksum;
1186     krb5_enc_data enc_part;
1187 } krb5_fast_armored_req;
1188 
1189 typedef struct _krb5_fast_req {
1190     krb5_magic magic;
1191     krb5_flags fast_options;
1192     /* padata from req_body is used*/
1193    krb5_kdc_req *req_body;
1194 } krb5_fast_req;
1195 
1196 
1197 /* Bits 0-15 are critical in fast options.*/
1198 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
1199 #define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
1200 
1201 typedef struct _krb5_fast_finished {
1202     krb5_timestamp timestamp;
1203     krb5_int32 usec;
1204     krb5_principal client;
1205     krb5_checksum ticket_checksum;
1206 } krb5_fast_finished;
1207 
1208 typedef struct _krb5_fast_response {
1209     krb5_magic magic;
1210     krb5_pa_data **padata;
1211     krb5_keyblock *strengthen_key;
1212     krb5_fast_finished *finished;
1213     krb5_int32 nonce;
1214 } krb5_fast_response;
1215 
1216 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1217     (krb5_context,
1218 		    krb5_pa_data *,
1219 		    krb5_etype_info,
1220 		    krb5_keyblock *,
1221 		    krb5_error_code ( * )(krb5_context,
1222 					  const krb5_enctype,
1223 					  krb5_data *,
1224 					  krb5_const_pointer,
1225 					  krb5_keyblock **),
1226 		    krb5_const_pointer,
1227 		    krb5_creds *,
1228 		    krb5_kdc_req *,
1229 		    krb5_pa_data **);
1230 
1231 typedef krb5_error_code (*krb5_preauth_process_proc)
1232     (krb5_context,
1233 		    krb5_pa_data *,
1234 		    krb5_kdc_req *,
1235 		    krb5_kdc_rep *,
1236 		    krb5_error_code ( * )(krb5_context,
1237 					  const krb5_enctype,
1238 					  krb5_data *,
1239 					  krb5_const_pointer,
1240 					  krb5_keyblock **),
1241 		    krb5_const_pointer,
1242 		    krb5_error_code ( * )(krb5_context,
1243 					  const krb5_keyblock *,
1244 					  krb5_const_pointer,
1245 					  krb5_kdc_rep * ),
1246 		    krb5_keyblock **,
1247 		    krb5_creds *,
1248 		    krb5_int32 *,
1249 		    krb5_int32 *);
1250 
1251 typedef struct _krb5_preauth_ops {
1252     krb5_magic magic;
1253     int     type;
1254     int	flags;
1255     krb5_preauth_obtain_proc	obtain;
1256     krb5_preauth_process_proc	process;
1257 } krb5_preauth_ops;
1258 
1259 
1260 krb5_error_code krb5_obtain_padata
1261     	(krb5_context,
1262 		krb5_pa_data **,
1263 		krb5_error_code ( * )(krb5_context,
1264 						      const krb5_enctype,
1265 						      krb5_data *,
1266 						      krb5_const_pointer,
1267 						      krb5_keyblock **),
1268 		krb5_const_pointer,
1269 		krb5_creds *,
1270 		krb5_kdc_req *);
1271 
1272 krb5_error_code krb5_process_padata
1273 	(krb5_context,
1274 		krb5_kdc_req *,
1275 		krb5_kdc_rep *,
1276 		krb5_error_code ( * )(krb5_context,
1277 						      const krb5_enctype,
1278 						      krb5_data *,
1279 						      krb5_const_pointer,
1280 						      krb5_keyblock **),
1281 		krb5_const_pointer,
1282 		krb5_error_code ( * )(krb5_context,
1283 						      const krb5_keyblock *,
1284 						      krb5_const_pointer,
1285 						      krb5_kdc_rep * ),
1286 		krb5_keyblock **,
1287 		krb5_creds *,
1288 		krb5_int32 *);
1289 
1290 void krb5_free_etype_info (krb5_context, krb5_etype_info);
1291 
1292 /*
1293  * Preauthentication property flags
1294  */
1295 #define KRB5_PREAUTH_FLAGS_ENCRYPT	0x00000001
1296 #define KRB5_PREAUTH_FLAGS_HARDWARE	0x00000002
1297 
1298 #endif /* KRB5_PREAUTH__ */
1299 /*
1300  * End "preauth.h"
1301  */
1302 
1303 /*
1304  * Extending the krb5_get_init_creds_opt structure.  The original
1305  * krb5_get_init_creds_opt structure is defined publicly.  The
1306  * new extended version is private.  The original interface
1307  * assumed a pre-allocated structure which was passed to
1308  * krb5_get_init_creds_init().  The new interface assumes that
1309  * the caller will call krb5_get_init_creds_alloc() and
1310  * krb5_get_init_creds_free().
1311  *
1312  * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
1313  * opts structure using krb5_get_init_creds_alloc().  To do so will
1314  * introduce memory leaks.  Unfortunately, there is no way to enforce
1315  * this behavior.
1316  *
1317  * Two private flags are added for backward compatibility.
1318  * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
1319  * with the new krb5_get_init_creds_opt_alloc() function.
1320  * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
1321  * structure is a shadow copy of an original krb5_get_init_creds_opt
1322  * structure.
1323  * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
1324  * krb5int_gic_opt_to_opte(), the resulting extended structure should be
1325  * freed (using krb5_get_init_creds_free).  Otherwise, the original
1326  * structure was already extended and there is no need to free it.
1327  */
1328 
1329 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
1330 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
1331 
1332 #define krb5_gic_opt_is_extended(s) \
1333     ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
1334 #define krb5_gic_opt_is_shadowed(s) \
1335     ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
1336 
1337 
1338 typedef struct _krb5_gic_opt_private {
1339     int num_preauth_data;
1340     krb5_gic_opt_pa_data *preauth_data;
1341 } krb5_gic_opt_private;
1342 
1343 typedef struct _krb5_gic_opt_ext {
1344     krb5_flags flags;
1345     krb5_deltat tkt_life;
1346     krb5_deltat renew_life;
1347     int forwardable;
1348     int proxiable;
1349     krb5_enctype *etype_list;
1350     int etype_list_length;
1351     krb5_address **address_list;
1352     krb5_preauthtype *preauth_list;
1353     int preauth_list_length;
1354     krb5_data *salt;
1355     /*
1356      * Do not change anything above this point in this structure.
1357      * It is identical to the public krb5_get_init_creds_opt structure.
1358      * New members must be added below.
1359      */
1360     krb5_gic_opt_private *opt_private;
1361 } krb5_gic_opt_ext;
1362 
1363 krb5_error_code
1364 krb5int_gic_opt_to_opte(krb5_context context,
1365                         krb5_get_init_creds_opt *opt,
1366                         krb5_gic_opt_ext **opte,
1367                         unsigned int force,
1368                         const char *where);
1369 
1370 krb5_error_code
1371 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1372 
1373 #ifndef _KERNEL /* needed for lib/krb5/krb/ */
1374 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1375     (krb5_context,
1376 		     krb5_principal,
1377 		     krb5_enctype,
1378 		     krb5_prompter_fct,
1379 		     void *prompter_data,
1380 		     krb5_data *salt,
1381      krb5_data *s2kparams,
1382 		     krb5_keyblock *as_key,
1383 		     void *gak_data);
1384 
1385 krb5_error_code KRB5_CALLCONV
1386 krb5_get_init_creds
1387 (krb5_context context,
1388 		krb5_creds *creds,
1389 		krb5_principal client,
1390 		krb5_prompter_fct prompter,
1391 		void *prompter_data,
1392 		krb5_deltat start_time,
1393 		char *in_tkt_service,
1394 		krb5_gic_opt_ext *gic_options,
1395 		krb5_gic_get_as_key_fct gak,
1396 		void *gak_data,
1397 		int *master,
1398 		krb5_kdc_rep **as_reply);
1399 
1400 krb5_error_code krb5int_populate_gic_opt (
1401     krb5_context, krb5_gic_opt_ext **,
1402     krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1403     krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1404 
1405 
1406 krb5_error_code KRB5_CALLCONV krb5_do_preauth
1407 	(krb5_context context,
1408 	 krb5_kdc_req *request,
1409 	 krb5_data *encoded_request_body,
1410 	 krb5_data *encoded_previous_request,
1411 	 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1412 	 krb5_data *salt, krb5_data *s2kparams,
1413 	 krb5_enctype *etype, krb5_keyblock *as_key,
1414 	 krb5_prompter_fct prompter, void *prompter_data,
1415 	 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1416 	 krb5_preauth_client_rock *get_data_rock,
1417 	 krb5_gic_opt_ext *opte);
1418 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain
1419 	(krb5_context context,
1420 	 krb5_kdc_req *request,
1421 	 krb5_data *encoded_request_body,
1422 	 krb5_data *encoded_previous_request,
1423 	 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1424 	 krb5_error *err_reply,
1425 	 krb5_data *salt, krb5_data *s2kparams,
1426 	 krb5_enctype *etype, krb5_keyblock *as_key,
1427 	 krb5_prompter_fct prompter, void *prompter_data,
1428 	 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1429 	 krb5_preauth_client_rock *get_data_rock,
1430 	 krb5_gic_opt_ext *opte);
1431 void KRB5_CALLCONV krb5_init_preauth_context
1432 	(krb5_context);
1433 void KRB5_CALLCONV krb5_free_preauth_context
1434 	(krb5_context);
1435 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts
1436 	(krb5_context);
1437 void KRB5_CALLCONV krb5_preauth_prepare_request
1438 	(krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *);
1439 void KRB5_CALLCONV krb5_preauth_request_context_init
1440 	(krb5_context);
1441 void KRB5_CALLCONV krb5_preauth_request_context_fini
1442 	(krb5_context);
1443 
1444 #endif /* _KERNEL */
1445 void KRB5_CALLCONV krb5_free_sam_challenge
1446 	(krb5_context, krb5_sam_challenge * );
1447 void KRB5_CALLCONV krb5_free_sam_challenge_2
1448 	(krb5_context, krb5_sam_challenge_2 * );
1449 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1450 	(krb5_context, krb5_sam_challenge_2_body *);
1451 void KRB5_CALLCONV krb5_free_sam_response
1452 	(krb5_context, krb5_sam_response * );
1453 void KRB5_CALLCONV krb5_free_sam_response_2
1454 	(krb5_context, krb5_sam_response_2 * );
1455 void KRB5_CALLCONV krb5_free_predicted_sam_response
1456 	(krb5_context, krb5_predicted_sam_response * );
1457 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1458 	(krb5_context, krb5_enc_sam_response_enc * );
1459 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1460 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1461 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1462 	(krb5_context, krb5_sam_challenge * );
1463 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1464 	(krb5_context, krb5_sam_challenge_2 * );
1465 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1466 	(krb5_context, krb5_sam_challenge_2_body * );
1467 void KRB5_CALLCONV krb5_free_sam_response_contents
1468 	(krb5_context, krb5_sam_response * );
1469 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1470 	(krb5_context, krb5_sam_response_2 *);
1471 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1472 	(krb5_context, krb5_predicted_sam_response * );
1473 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1474 	(krb5_context, krb5_enc_sam_response_enc * );
1475 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1476 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1477 
1478 void KRB5_CALLCONV krb5_free_pa_enc_ts
1479 	(krb5_context, krb5_pa_enc_ts *);
1480 
1481 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1482 #ifndef	_KERNEL
1483 #include "com_err.h"
1484 #include <krb5/k5-plugin.h>
1485 #endif /* _KERNEL */
1486 
1487 /*
1488  * Solaris Kerberos: moved from sendto_kdc.c so other code can reference
1489  */
1490 #define	DEFAULT_UDP_PREF_LIMIT   1465
1491 
1492 #ifndef	_KERNEL
1493 #include "profile.h"
1494 #include <strings.h>
1495 #endif /* _KERNEL */
1496 
1497 #define KEY_CHANGED(k1, k2) \
1498 (k1 == NULL || \
1499  k1 != k2 || \
1500  k1->enctype != k2->enctype || \
1501  k1->length != k2->length || \
1502  bcmp(k1->contents, k2->contents, k1->length))
1503 
1504 #ifndef _KERNEL
1505 typedef struct _arcfour_ctx {
1506 	CK_SESSION_HANDLE eSession; /* encrypt session handle */
1507 	CK_SESSION_HANDLE dSession; /* decrypt session handle */
1508 	CK_OBJECT_HANDLE  eKey; /* encrypt key object */
1509 	CK_OBJECT_HANDLE  dKey; /* decrype key object */
1510 	uchar_t           initialized;
1511 }arcfour_ctx_rec;
1512 
1513 #endif /* !_KERNEL */
1514 
1515 struct _krb5_context {
1516 	krb5_magic	magic;
1517 	krb5_enctype	*in_tkt_ktypes;
1518 	unsigned int	in_tkt_ktype_count;
1519 	krb5_enctype	*tgs_ktypes;
1520 	unsigned int	tgs_ktype_count;
1521 	/* This used to be a void*, but since we always allocate them
1522 	   together (though in different source files), and the types
1523 	   are declared in the same header, might as well just combine
1524 	   them.
1525 
1526 	   The array[1] is so the existing code treating the field as
1527 	   a pointer will still work.  For cleanliness, it should
1528 	   eventually get changed to a single element instead of an
1529 	   array.  */
1530 	struct _krb5_os_context	os_context[1];
1531 	char		*default_realm;
1532 	int		ser_ctx_count;
1533 	krb5_boolean	profile_secure;
1534 	void	      	*ser_ctx;
1535 #ifndef _KERNEL
1536 	profile_t	profile;
1537 	void		*db_context;
1538 	void		*kdblog_context;
1539 	/* allowable clock skew */
1540 	krb5_deltat 	clockskew;
1541 	krb5_cksumtype	kdc_req_sumtype;
1542 	krb5_cksumtype	default_ap_req_sumtype;
1543 	krb5_cksumtype	default_safe_sumtype;
1544 	krb5_flags 	kdc_default_options;
1545 	krb5_flags	library_options;
1546 	int		fcc_default_format;
1547 	int		scc_default_format;
1548 	krb5_prompt_type *prompt_types;
1549 	/* Message size above which we'll try TCP first in send-to-kdc
1550 	   type code.  Aside from the 2**16 size limit, we put no
1551 	   absolute limit on the UDP packet size.  */
1552 	int		udp_pref_limit;
1553 
1554 	/* This is the tgs_ktypes list as read from the profile, or
1555 	   set to compiled-in defaults.	 The application code cannot
1556 	   override it.	 This is used for session keys for
1557 	   intermediate ticket-granting tickets used to acquire the
1558 	   requested ticket (the session key of which may be
1559 	   constrained by tgs_ktypes above).  */
1560 	krb5_enctype	*conf_tgs_ktypes;
1561 	int		conf_tgs_ktypes_count;
1562 
1563 	/* Use the _configured version?	 */
1564 	krb5_boolean	use_conf_ktypes;
1565 
1566 #ifdef KRB5_DNS_LOOKUP
1567         krb5_boolean    profile_in_memory;
1568 #endif /* KRB5_DNS_LOOKUP */
1569 
1570     /* locate_kdc module stuff */
1571     struct plugin_dir_handle libkrb5_plugins;
1572     struct krb5plugin_service_locate_ftable *vtbl;
1573     void (**locate_fptrs)(void);
1574 
1575 	pid_t pid;  /* fork safety: PID of process that did last PKCS11 init */
1576 
1577 	/* Solaris Kerberos: handles for PKCS#11 crypto */
1578 	/*
1579 	 * Warning, do not access hSession directly as this is not fork() safe.
1580 	 * Instead use the krb_ctx_hSession() macro below.
1581 	 */
1582 	CK_SESSION_HANDLE hSession;
1583 	int		cryptoki_initialized;
1584 
1585 	/* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */
1586 	arcfour_ctx_rec arcfour_ctx;
1587 
1588 	/* preauth module stuff */
1589 	struct plugin_dir_handle preauth_plugins;
1590 	krb5_preauth_context *preauth_context;
1591 
1592 	/* error detail info */
1593 	struct errinfo err;
1594 #else /* ! KERNEL */
1595 	crypto_mech_type_t kef_cipher_mt;
1596 	crypto_mech_type_t kef_hash_mt;
1597 	crypto_mech_type_t kef_cksum_mt;
1598 #endif /* ! KERNEL */
1599 };
1600 
1601 #ifndef  _KERNEL
1602 extern pid_t __krb5_current_pid;
1603 
1604 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context);
1605 
1606 /*
1607  * fork safety: barring the ef_init code, every other function must use the
1608  * krb_ctx_hSession() macro to access the hSession field in a krb context.
1609  * Note, if the pid of the krb ctx == the current global pid then it is safe to
1610  * use the ctx hSession otherwise it needs to be re-inited before it is returned
1611  * to the caller.
1612  */
1613 #define krb_ctx_hSession(ctx) \
1614     ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx))
1615 #endif
1616 
1617 #define MD5_CKSUM_LENGTH 16
1618 #define RSA_MD5_CKSUM_LENGTH 16
1619 #define MD5_BLOCKSIZE 64
1620 
1621 
1622 /*
1623  * Solaris Kerberos:
1624  * This next section of prototypes and constants
1625  * are all unique to the Solaris Kerberos implementation.
1626  * Because Solaris uses the native encryption framework
1627  * to provide crypto support, the following routines
1628  * are needed to support this system.
1629  */
1630 
1631 /*
1632  * Begin Solaris Crypto Prototypes
1633  */
1634 
1635 /*
1636  * define constants that are used for creating the constant
1637  * which is used to make derived keys.
1638  */
1639 #define DK_ENCR_KEY_BYTE 0xAA
1640 #define DK_HASH_KEY_BYTE 0x55
1641 #define DK_CKSUM_KEY_BYTE 0x99
1642 
1643 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *,
1644 			krb5_keyblock *, krb5_keyusage,
1645 			krb5_keyblock **, krb5_keyblock **);
1646 
1647 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t,
1648 				krb5_keyblock *);
1649 
1650 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *);
1651 krb5_keyblock *krb5_create_derived_keyblock(int);
1652 
1653 #ifdef _KERNEL
1654 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *);
1655 
1656 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *,
1657         const krb5_data *, krb5_data *);
1658 
1659 void make_kef_key(krb5_keyblock *);
1660 int init_key_kef(crypto_mech_type_t, krb5_keyblock *);
1661 int update_key_template(krb5_keyblock *);
1662 void setup_kef_keytypes();
1663 void setup_kef_cksumtypes();
1664 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *);
1665 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *);
1666 
1667 #else
1668 /*
1669  * This structure is used to map Kerberos supported OID's,
1670  * to PKCS11 mechanisms
1671  */
1672 #define USE_ENCR	0x01
1673 #define	USE_HASH	0x02
1674 
1675 typedef struct krb5_mech_2_pkcs {
1676 	uchar_t		flags;
1677 	CK_MECHANISM_TYPE enc_algo;
1678 	CK_MECHANISM_TYPE hash_algo;
1679 	CK_MECHANISM_TYPE str2key_algo;
1680 } KRB5_MECH_TO_PKCS;
1681 
1682 #define ENC_DEFINED(x)	(((x).flags & USE_ENCR))
1683 #define HASH_DEFINED(x)	(((x).flags & USE_HASH))
1684 
1685 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos);
1686 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType);
1687 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid);
1688 
1689 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *);
1690 
1691 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *,
1692 	unsigned int, const krb5_data *, krb5_data *);
1693 
1694 krb5_error_code k5_ef_mac(krb5_context context,
1695 	krb5_keyblock *key, krb5_data *ivec,
1696 	krb5_const krb5_data *input, krb5_data *output);
1697 
1698 #endif	/* !_KERNEL */
1699 
1700 krb5_error_code
1701 derive_3des_keys(krb5_context, struct krb5_enc_provider *,
1702                 krb5_keyblock *, krb5_keyusage,
1703                 krb5_keyblock *, krb5_keyblock *);
1704 
1705 /*
1706  * End Solaris Crypto Prototypes
1707  */
1708 
1709 #define KRB5_LIBOPT_SYNC_KDCTIME	0x0001
1710 
1711 /* internal message representations */
1712 
1713 typedef struct _krb5_safe {
1714     krb5_magic magic;
1715     krb5_data user_data;		/* user data */
1716     krb5_timestamp timestamp;		/* client time, optional */
1717     krb5_int32 usec;			/* microsecond portion of time,
1718 					   optional */
1719     krb5_ui_4 seq_number;		/* sequence #, optional */
1720     krb5_address *s_address;	/* sender address */
1721     krb5_address *r_address;	/* recipient address, optional */
1722     krb5_checksum *checksum;	/* data integrity checksum */
1723 } krb5_safe;
1724 
1725 typedef struct _krb5_priv {
1726     krb5_magic magic;
1727     krb5_enc_data enc_part;		/* encrypted part */
1728 } krb5_priv;
1729 
1730 typedef struct _krb5_priv_enc_part {
1731     krb5_magic magic;
1732     krb5_data user_data;		/* user data */
1733     krb5_timestamp timestamp;		/* client time, optional */
1734     krb5_int32 usec;			/* microsecond portion of time, opt. */
1735     krb5_ui_4 seq_number;		/* sequence #, optional */
1736     krb5_address *s_address;	/* sender address */
1737     krb5_address *r_address;	/* recipient address, optional */
1738 } krb5_priv_enc_part;
1739 
1740 void KRB5_CALLCONV krb5_free_safe
1741 	(krb5_context, krb5_safe * );
1742 void KRB5_CALLCONV krb5_free_priv
1743 	(krb5_context, krb5_priv * );
1744 void KRB5_CALLCONV krb5_free_priv_enc_part
1745 	(krb5_context, krb5_priv_enc_part * );
1746 
1747 /*
1748  * Begin "asn1.h"
1749  */
1750 #ifndef KRB5_ASN1__
1751 #define KRB5_ASN1__
1752 
1753 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1754 /* here we use some knowledge of ASN.1 encodings */
1755 /*
1756   Ticket is APPLICATION 1.
1757   Authenticator is APPLICATION 2.
1758   AS_REQ is APPLICATION 10.
1759   AS_REP is APPLICATION 11.
1760   TGS_REQ is APPLICATION 12.
1761   TGS_REP is APPLICATION 13.
1762   AP_REQ is APPLICATION 14.
1763   AP_REP is APPLICATION 15.
1764   KRB_SAFE is APPLICATION 20.
1765   KRB_PRIV is APPLICATION 21.
1766   KRB_CRED is APPLICATION 22.
1767   EncASRepPart is APPLICATION 25.
1768   EncTGSRepPart is APPLICATION 26.
1769   EncAPRepPart is APPLICATION 27.
1770   EncKrbPrivPart is APPLICATION 28.
1771   EncKrbCredPart is APPLICATION 29.
1772   KRB_ERROR is APPLICATION 30.
1773  */
1774 /* allow either constructed or primitive encoding, so check for bit 6
1775    set or reset */
1776 #define krb5_is_krb_ticket(dat)\
1777 	((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1778 				    (dat)->data[0] == 0x41))
1779 #define krb5_is_krb_authenticator(dat)\
1780 	((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1781 				    (dat)->data[0] == 0x42))
1782 #define krb5_is_as_req(dat)\
1783 	((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1784 				    (dat)->data[0] == 0x4a))
1785 #define krb5_is_as_rep(dat)\
1786 	((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1787 				    (dat)->data[0] == 0x4b))
1788 #define krb5_is_tgs_req(dat)\
1789 	((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1790 				    (dat)->data[0] == 0x4c))
1791 #define krb5_is_tgs_rep(dat)\
1792 	((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1793 				    (dat)->data[0] == 0x4d))
1794 #define krb5_is_ap_req(dat)\
1795 	((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1796 				    (dat)->data[0] == 0x4e))
1797 #define krb5_is_ap_rep(dat)\
1798 	((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1799 				    (dat)->data[0] == 0x4f))
1800 #define krb5_is_krb_safe(dat)\
1801 	((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1802 				    (dat)->data[0] == 0x54))
1803 #define krb5_is_krb_priv(dat)\
1804 	((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1805 				    (dat)->data[0] == 0x55))
1806 #define krb5_is_krb_cred(dat)\
1807 	((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1808 				    (dat)->data[0] == 0x56))
1809 #define krb5_is_krb_enc_as_rep_part(dat)\
1810 	((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1811 				    (dat)->data[0] == 0x59))
1812 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1813 	((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1814 				    (dat)->data[0] == 0x5a))
1815 #define krb5_is_krb_enc_ap_rep_part(dat)\
1816 	((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1817 				    (dat)->data[0] == 0x5b))
1818 #define krb5_is_krb_enc_krb_priv_part(dat)\
1819 	((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1820 				    (dat)->data[0] == 0x5c))
1821 #define krb5_is_krb_enc_krb_cred_part(dat)\
1822 	((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1823 				    (dat)->data[0] == 0x5d))
1824 #define krb5_is_krb_error(dat)\
1825 	((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1826 				    (dat)->data[0] == 0x5e))
1827 
1828 /*************************************************************************
1829  * Prototypes for krb5_encode.c
1830  *************************************************************************/
1831 
1832 /*
1833    krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1834 					 krb5_data **code);
1835    modifies  *code
1836    effects   Returns the ASN.1 encoding of *rep in **code.
1837              Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1838              Returns ENOMEM if memory runs out.
1839 */
1840 
1841 krb5_error_code encode_krb5_authenticator
1842 	(const krb5_authenticator *rep, krb5_data **code);
1843 
1844 krb5_error_code encode_krb5_ticket
1845 	(const krb5_ticket *rep, krb5_data **code);
1846 
1847 krb5_error_code encode_krb5_encryption_key
1848 	(const krb5_keyblock *rep, krb5_data **code);
1849 
1850 krb5_error_code encode_krb5_enc_tkt_part
1851 	(const krb5_enc_tkt_part *rep, krb5_data **code);
1852 
1853 krb5_error_code encode_krb5_enc_kdc_rep_part
1854 	(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1855 
1856 /* yes, the translation is identical to that used for KDC__REP */
1857 krb5_error_code encode_krb5_as_rep
1858 	(const krb5_kdc_rep *rep, krb5_data **code);
1859 
1860 /* yes, the translation is identical to that used for KDC__REP */
1861 krb5_error_code encode_krb5_tgs_rep
1862 	(const krb5_kdc_rep *rep, krb5_data **code);
1863 
1864 krb5_error_code encode_krb5_ap_req
1865 	(const krb5_ap_req *rep, krb5_data **code);
1866 
1867 krb5_error_code encode_krb5_ap_rep
1868 	(const krb5_ap_rep *rep, krb5_data **code);
1869 
1870 krb5_error_code encode_krb5_ap_rep_enc_part
1871 	(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1872 
1873 krb5_error_code encode_krb5_as_req
1874 	(const krb5_kdc_req *rep, krb5_data **code);
1875 
1876 krb5_error_code encode_krb5_tgs_req
1877 	(const krb5_kdc_req *rep, krb5_data **code);
1878 
1879 krb5_error_code encode_krb5_kdc_req_body
1880 	(const krb5_kdc_req *rep, krb5_data **code);
1881 
1882 krb5_error_code encode_krb5_safe
1883 	(const krb5_safe *rep, krb5_data **code);
1884 
1885 struct krb5_safe_with_body {
1886 	krb5_safe *safe;
1887 	krb5_data *body;
1888 };
1889 
1890 krb5_error_code encode_krb5_safe_with_body
1891 	(const struct krb5_safe_with_body *rep, krb5_data **code);
1892 
1893 krb5_error_code encode_krb5_priv
1894 	(const krb5_priv *rep, krb5_data **code);
1895 
1896 krb5_error_code encode_krb5_enc_priv_part
1897 	(const krb5_priv_enc_part *rep, krb5_data **code);
1898 
1899 krb5_error_code encode_krb5_cred
1900 	(const krb5_cred *rep, krb5_data **code);
1901 
1902 krb5_error_code encode_krb5_enc_cred_part
1903 	(const krb5_cred_enc_part *rep, krb5_data **code);
1904 
1905 krb5_error_code encode_krb5_error
1906 	(const krb5_error *rep, krb5_data **code);
1907 
1908 krb5_error_code encode_krb5_authdata
1909 	(krb5_authdata *const *rep, krb5_data **code);
1910 
1911 krb5_error_code encode_krb5_authdata_elt
1912 	(const krb5_authdata *rep, krb5_data **code);
1913 
1914 krb5_error_code encode_krb5_pwd_sequence
1915 	(const passwd_phrase_element *rep, krb5_data **code);
1916 
1917 krb5_error_code encode_krb5_pwd_data
1918 	(const krb5_pwd_data *rep, krb5_data **code);
1919 
1920 krb5_error_code encode_krb5_padata_sequence
1921         (krb5_pa_data *const *rep, krb5_data **code);
1922 
1923 krb5_error_code encode_krb5_alt_method
1924 	(const krb5_alt_method *, krb5_data **code);
1925 
1926 krb5_error_code encode_krb5_etype_info
1927         (krb5_etype_info_entry *const *, krb5_data **code);
1928 krb5_error_code encode_krb5_etype_info2
1929         (krb5_etype_info_entry *const *, krb5_data **code);
1930 
1931 krb5_error_code encode_krb5_enc_data
1932     	(const krb5_enc_data *, krb5_data **);
1933 
1934 krb5_error_code encode_krb5_pa_enc_ts
1935     	(const krb5_pa_enc_ts *, krb5_data **);
1936 
1937 krb5_error_code encode_krb5_sam_challenge
1938 	(const krb5_sam_challenge * , krb5_data **);
1939 
1940 krb5_error_code encode_krb5_sam_key
1941 	(const krb5_sam_key * , krb5_data **);
1942 
1943 krb5_error_code encode_krb5_enc_sam_response_enc
1944 	(const krb5_enc_sam_response_enc * , krb5_data **);
1945 
1946 krb5_error_code encode_krb5_sam_response
1947 	(const krb5_sam_response * , krb5_data **);
1948 
1949 krb5_error_code encode_krb5_sam_challenge_2
1950 	(const krb5_sam_challenge_2 * , krb5_data **);
1951 
1952 krb5_error_code encode_krb5_sam_challenge_2_body
1953 	(const krb5_sam_challenge_2_body * , krb5_data **);
1954 
1955 krb5_error_code encode_krb5_enc_sam_response_enc_2
1956 	(const krb5_enc_sam_response_enc_2 * , krb5_data **);
1957 
1958 krb5_error_code encode_krb5_sam_response_2
1959 	(const krb5_sam_response_2 * , krb5_data **);
1960 
1961 krb5_error_code encode_krb5_predicted_sam_response
1962 	(const krb5_predicted_sam_response * , krb5_data **);
1963 
1964 struct krb5_setpw_req {
1965     krb5_principal target;
1966     krb5_data password;
1967 };
1968 krb5_error_code encode_krb5_setpw_req
1969         (const struct krb5_setpw_req *rep, krb5_data **code);
1970 
1971 /*************************************************************************
1972  * End of prototypes for krb5_encode.c
1973  *************************************************************************/
1974 
1975 krb5_error_code decode_krb5_sam_challenge
1976        (const krb5_data *, krb5_sam_challenge **);
1977 
1978 krb5_error_code decode_krb5_enc_sam_key
1979        (const krb5_data *, krb5_sam_key **);
1980 
1981 krb5_error_code decode_krb5_enc_sam_response_enc
1982        (const krb5_data *, krb5_enc_sam_response_enc **);
1983 
1984 krb5_error_code decode_krb5_sam_response
1985        (const krb5_data *, krb5_sam_response **);
1986 
1987 krb5_error_code decode_krb5_predicted_sam_response
1988        (const krb5_data *, krb5_predicted_sam_response **);
1989 
1990 krb5_error_code decode_krb5_sam_challenge_2
1991 	(const krb5_data *, krb5_sam_challenge_2 **);
1992 
1993 krb5_error_code decode_krb5_sam_challenge_2_body
1994 	(const krb5_data *, krb5_sam_challenge_2_body **);
1995 
1996 krb5_error_code decode_krb5_enc_sam_response_enc_2
1997 	(const krb5_data *, krb5_enc_sam_response_enc_2 **);
1998 
1999 krb5_error_code decode_krb5_sam_response_2
2000 	(const krb5_data *, krb5_sam_response_2 **);
2001 
2002 
2003 /*************************************************************************
2004  * Prototypes for krb5_decode.c
2005  *************************************************************************/
2006 
2007 krb5_error_code krb5_validate_times
2008        (krb5_context,
2009 		       krb5_ticket_times *);
2010 
2011 /*
2012    krb5_error_code decode_krb5_structure(const krb5_data *code,
2013                                          krb5_structure **rep);
2014 
2015    requires  Expects **rep to not have been allocated;
2016               a new *rep is allocated regardless of the old value.
2017    effects   Decodes *code into **rep.
2018 	     Returns ENOMEM if memory is exhausted.
2019              Returns asn1 and krb5 errors.
2020 */
2021 
2022 krb5_error_code decode_krb5_authenticator
2023 	(const krb5_data *code, krb5_authenticator **rep);
2024 
2025 krb5_error_code decode_krb5_ticket
2026 	(const krb5_data *code, krb5_ticket **rep);
2027 
2028 krb5_error_code decode_krb5_encryption_key
2029 	(const krb5_data *output, krb5_keyblock **rep);
2030 
2031 krb5_error_code decode_krb5_enc_tkt_part
2032 	(const krb5_data *output, krb5_enc_tkt_part **rep);
2033 
2034 krb5_error_code decode_krb5_enc_kdc_rep_part
2035 	(const krb5_data *output, krb5_enc_kdc_rep_part **rep);
2036 
2037 krb5_error_code decode_krb5_as_rep
2038 	(const krb5_data *output, krb5_kdc_rep **rep);
2039 
2040 krb5_error_code decode_krb5_tgs_rep
2041 	(const krb5_data *output, krb5_kdc_rep **rep);
2042 
2043 krb5_error_code decode_krb5_ap_req
2044 	(const krb5_data *output, krb5_ap_req **rep);
2045 
2046 krb5_error_code decode_krb5_ap_rep
2047 	(const krb5_data *output, krb5_ap_rep **rep);
2048 
2049 krb5_error_code decode_krb5_ap_rep_enc_part
2050 	(const krb5_data *output, krb5_ap_rep_enc_part **rep);
2051 
2052 krb5_error_code decode_krb5_as_req
2053 	(const krb5_data *output, krb5_kdc_req **rep);
2054 
2055 krb5_error_code decode_krb5_tgs_req
2056 	(const krb5_data *output, krb5_kdc_req **rep);
2057 
2058 krb5_error_code decode_krb5_kdc_req_body
2059 	(const krb5_data *output, krb5_kdc_req **rep);
2060 
2061 krb5_error_code decode_krb5_safe
2062 	(const krb5_data *output, krb5_safe **rep);
2063 
2064 krb5_error_code decode_krb5_safe_with_body
2065 	(const krb5_data *output, krb5_safe **rep, krb5_data *body);
2066 
2067 krb5_error_code decode_krb5_priv
2068 	(const krb5_data *output, krb5_priv **rep);
2069 
2070 krb5_error_code decode_krb5_enc_priv_part
2071 	(const krb5_data *output, krb5_priv_enc_part **rep);
2072 
2073 krb5_error_code decode_krb5_cred
2074 	(const krb5_data *output, krb5_cred **rep);
2075 
2076 krb5_error_code decode_krb5_enc_cred_part
2077 	(const krb5_data *output, krb5_cred_enc_part **rep);
2078 
2079 krb5_error_code decode_krb5_error
2080 	(const krb5_data *output, krb5_error **rep);
2081 
2082 krb5_error_code decode_krb5_authdata
2083 	(const krb5_data *output, krb5_authdata ***rep);
2084 
2085 krb5_error_code decode_krb5_pwd_sequence
2086 	(const krb5_data *output, passwd_phrase_element **rep);
2087 
2088 krb5_error_code decode_krb5_pwd_data
2089 	(const krb5_data *output, krb5_pwd_data **rep);
2090 
2091 krb5_error_code decode_krb5_padata_sequence
2092 	(const krb5_data *output, krb5_pa_data ***rep);
2093 
2094 krb5_error_code decode_krb5_alt_method
2095 	(const krb5_data *output, krb5_alt_method **rep);
2096 
2097 krb5_error_code decode_krb5_etype_info
2098 	(const krb5_data *output, krb5_etype_info_entry ***rep);
2099 
2100 krb5_error_code decode_krb5_etype_info2
2101 	(const krb5_data *output, krb5_etype_info_entry ***rep);
2102 
2103 krb5_error_code decode_krb5_enc_data
2104 	(const krb5_data *output, krb5_enc_data **rep);
2105 
2106 krb5_error_code decode_krb5_pa_enc_ts
2107 	(const krb5_data *output, krb5_pa_enc_ts **rep);
2108 
2109 krb5_error_code decode_krb5_sam_key
2110 	(const krb5_data *, krb5_sam_key **);
2111 
2112 struct _krb5_key_data;		/* kdb.h */
2113 krb5_error_code
2114 krb5int_ldap_encode_sequence_of_keys (struct _krb5_key_data *key_data,
2115 				      krb5_int16 n_key_data,
2116 				      krb5_int32 mkvno,
2117 				      krb5_data **code);
2118 
2119 krb5_error_code
2120 krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
2121 				      struct _krb5_key_data **out,
2122 				      krb5_int16 *n_key_data,
2123 				      int *mkvno);
2124 
2125 /*************************************************************************
2126  * End of prototypes for krb5_decode.c
2127  *************************************************************************/
2128 
2129 #endif /* KRB5_ASN1__ */
2130 /*
2131  * End "asn1.h"
2132  */
2133 
2134 
2135 /*
2136  * Internal krb5 library routines
2137  */
2138 krb5_error_code krb5_encrypt_tkt_part
2139 	(krb5_context,
2140 		const krb5_keyblock *,
2141 		krb5_ticket * );
2142 
2143 
2144 krb5_error_code krb5_encode_kdc_rep
2145 	(krb5_context,
2146 		const krb5_msgtype,
2147 		const krb5_enc_kdc_rep_part *,
2148 		int using_subkey,
2149 		const krb5_keyblock *,
2150 		krb5_kdc_rep *,
2151 		krb5_data ** );
2152 
2153 krb5_boolean krb5int_auth_con_chkseqnum
2154 	(krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
2155 /*
2156  * [De]Serialization Handle and operations.
2157  */
2158 struct __krb5_serializer {
2159     krb5_magic		odtype;
2160     krb5_error_code	(*sizer) (krb5_context,
2161 						  krb5_pointer,
2162 						  size_t *);
2163     krb5_error_code	(*externalizer) (krb5_context,
2164 							 krb5_pointer,
2165 							 krb5_octet **,
2166 							 size_t *);
2167     krb5_error_code	(*internalizer) (krb5_context,
2168 							 krb5_pointer *,
2169 							 krb5_octet **,
2170 							 size_t *);
2171 };
2172 typedef const struct __krb5_serializer * krb5_ser_handle;
2173 typedef struct __krb5_serializer krb5_ser_entry;
2174 
2175 krb5_ser_handle krb5_find_serializer
2176 	(krb5_context,
2177 		krb5_magic);
2178 krb5_error_code krb5_register_serializer
2179 	(krb5_context,
2180 			const krb5_ser_entry *);
2181 
2182 /* Determine the external size of a particular opaque structure */
2183 krb5_error_code KRB5_CALLCONV krb5_size_opaque
2184 	(krb5_context,
2185 		krb5_magic,
2186 		krb5_pointer,
2187 		size_t *);
2188 
2189 /* Serialize the structure into a buffer */
2190 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
2191 	(krb5_context,
2192 		krb5_magic,
2193 		krb5_pointer,
2194 		krb5_octet **,
2195 		size_t *);
2196 
2197 /* Deserialize the structure from a buffer */
2198 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
2199 	(krb5_context,
2200 		krb5_magic,
2201 		krb5_pointer *,
2202 		krb5_octet **,
2203 		size_t *);
2204 
2205 /* Serialize data into a buffer */
2206 krb5_error_code krb5_externalize_data
2207 	(krb5_context,
2208 		krb5_pointer,
2209 		krb5_octet **,
2210 		size_t *);
2211 /*
2212  * Initialization routines.
2213  */
2214 
2215 /* Initialize serialization for krb5_[os_]context */
2216 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
2217 	(krb5_context);
2218 
2219 /* Initialize serialization for krb5_auth_context */
2220 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
2221 	(krb5_context);
2222 
2223 /* Initialize serialization for krb5_keytab */
2224 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
2225 	(krb5_context);
2226 
2227 /* Initialize serialization for krb5_ccache */
2228 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
2229 	(krb5_context);
2230 
2231 /* Initialize serialization for krb5_rcache */
2232 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
2233 	(krb5_context);
2234 
2235 /* [De]serialize 4-byte integer */
2236 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
2237 	(krb5_int32,
2238 		krb5_octet **,
2239 		size_t *);
2240 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
2241 	(krb5_int32 *,
2242 		krb5_octet **,
2243 		size_t *);
2244 /* [De]serialize 8-byte integer */
2245 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
2246 	(krb5_int64, krb5_octet **, size_t *);
2247 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
2248 	(krb5_int64 *, krb5_octet **, size_t *);
2249 /* [De]serialize byte string */
2250 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
2251 	(krb5_octet *,
2252 		size_t,
2253 		krb5_octet **,
2254 		size_t *);
2255 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
2256 	(krb5_octet *,
2257 		size_t,
2258 		krb5_octet **,
2259 		size_t *);
2260 
2261 krb5_error_code KRB5_CALLCONV krb5int_cc_default
2262 	(krb5_context, krb5_ccache *);
2263 
2264 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
2265 	(krb5_context, krb5_ccache, krb5_flags,
2266 			krb5_creds *, krb5_creds *);
2267 
2268 krb5_boolean KRB5_CALLCONV
2269 krb5_creds_compare (krb5_context in_context,
2270                     krb5_creds *in_creds,
2271                     krb5_creds *in_compare_creds);
2272 
2273 void krb5int_set_prompt_types
2274 	(krb5_context, krb5_prompt_type *);
2275 
2276 krb5_error_code
2277 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
2278 				  krb5_keyblock * /* Old keyblock, not new!  */);
2279 
2280 /* set and change password helpers */
2281 
2282 krb5_error_code krb5int_mk_chpw_req
2283 	(krb5_context context, krb5_auth_context auth_context,
2284  			krb5_data *ap_req, char *passwd, krb5_data *packet);
2285 krb5_error_code krb5int_rd_chpw_rep
2286 	(krb5_context context, krb5_auth_context auth_context,
2287 		       krb5_data *packet, int *result_code,
2288 		       krb5_data *result_data);
2289 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
2290 	(krb5_context context, int result_code,
2291 			char **result_codestr);
2292 krb5_error_code  krb5int_mk_setpw_req
2293 	(krb5_context context, krb5_auth_context auth_context,
2294  			krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
2295 krb5_error_code krb5int_rd_setpw_rep
2296 	(krb5_context context, krb5_auth_context auth_context,
2297 		       krb5_data *packet, int *result_code,
2298 		       krb5_data *result_data);
2299 krb5_error_code krb5int_setpw_result_code_string
2300 	(krb5_context context, int result_code,
2301 			const char **result_codestr);
2302 
2303 struct srv_dns_entry {
2304     struct srv_dns_entry *next;
2305     int priority;
2306     int weight;
2307     unsigned short port;
2308     char *host;
2309 };
2310 #ifdef KRB5_DNS_LOOKUP
2311 krb5_error_code
2312 krb5int_make_srv_query_realm(const krb5_data *realm,
2313 			     const char *service,
2314 			     const char *protocol,
2315 			     struct srv_dns_entry **answers);
2316 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
2317 #endif
2318 
2319 /*
2320  * Convenience function for structure magic number
2321  */
2322 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
2323     if ((structure)->magic != (magic_number)) return (magic_number);
2324 
2325 
2326 /* SUNW14resync XXX - see k5-util.h */
2327 #if 0
2328 int krb5_seteuid  (int);
2329 #endif
2330 
2331 char * krb5_getenv(const char *);
2332 int krb5_setenv  (const char *, const char *, int);
2333 void krb5_unsetenv  (const char *);
2334 
2335 
2336 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it
2337    for future resync sake */
2338 
2339 /* To keep happy libraries which are (for now) accessing internal stuff */
2340 
2341 /* Make sure to increment by one when changing the struct */
2342 #define KRB5INT_ACCESS_STRUCT_VERSION 12
2343 
2344 #ifndef ANAME_SZ
2345 struct ktext;			/* from krb.h, for krb524 support */
2346 #endif
2347 typedef struct _krb5int_access {
2348     /* crypto stuff */
2349     const struct krb5_hash_provider *md5_hash_provider;
2350     const struct krb5_enc_provider *arcfour_enc_provider;
2351     krb5_error_code (* krb5_hmac) (krb5_context, const struct krb5_hash_provider *hash,
2352 				   const krb5_keyblock *key,
2353 				   unsigned int icount, const krb5_data *input,
2354 				   krb5_data *output);
2355     /* service location and communication */
2356 #ifndef _KERNEL
2357     krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
2358 				   const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
2359 				   struct sockaddr *, socklen_t *,struct sockaddr *,
2360 				   socklen_t *, int *,
2361 				   int (*msg_handler)(krb5_context, const krb5_data *, void *),
2362 				   void *msg_handler_data);
2363     krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2364 					const char *hostname,
2365 					int port, int secport,
2366 					int socktype, int family);
2367     void (*free_addrlist) (struct addrlist *);
2368 #endif /* _KERNEL */
2369 
2370     krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2371 					    const char *service,
2372 					    const char *protocol,
2373 					    struct srv_dns_entry **answers);
2374     void (*free_srv_dns_data)(struct srv_dns_entry *);
2375     int (*use_dns_kdc)(krb5_context);
2376     krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, size_t);
2377 
2378     /* krb4 compatibility stuff -- may be null if not enabled */
2379     krb5_int32 (*krb_life_to_time)(krb5_int32, int);
2380     int (*krb_time_to_life)(krb5_int32, krb5_int32);
2381     int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
2382     krb5_error_code (*krb5int_c_mandatory_cksumtype)
2383         (krb5_context, krb5_enctype, krb5_cksumtype *);
2384     krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
2385         (krb5_int64, krb5_octet **, size_t *);
2386     krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
2387         (krb5_int64 *, krb5_octet **, size_t *);
2388 
2389     /* Used for KDB LDAP back end.  */
2390     krb5_error_code
2391     (*asn1_ldap_encode_sequence_of_keys) (struct _krb5_key_data *key_data,
2392 					  krb5_int16 n_key_data,
2393 					  krb5_int32 mkvno,
2394 					  krb5_data **code);
2395 
2396     krb5_error_code
2397     (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
2398 					  struct _krb5_key_data **out,
2399 					  krb5_int16 *n_key_data,
2400 					  int *mkvno);
2401 
2402     /*
2403      * pkinit asn.1 encode/decode functions
2404      */
2405     krb5_error_code (*encode_krb5_auth_pack)
2406         (const krb5_auth_pack *rep, krb5_data **code);
2407     krb5_error_code (*encode_krb5_auth_pack_draft9)
2408         (const krb5_auth_pack_draft9 *rep, krb5_data **code);
2409     krb5_error_code (*encode_krb5_kdc_dh_key_info)
2410         (const krb5_kdc_dh_key_info *rep, krb5_data **code);
2411     krb5_error_code (*encode_krb5_pa_pk_as_rep)
2412         (const krb5_pa_pk_as_rep *rep, krb5_data **code);
2413     krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9)
2414         (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code);
2415     krb5_error_code (*encode_krb5_pa_pk_as_req)
2416 	(const krb5_pa_pk_as_req *rep, krb5_data **code);
2417     krb5_error_code (*encode_krb5_pa_pk_as_req_draft9)
2418 	(const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code);
2419     krb5_error_code (*encode_krb5_reply_key_pack)
2420         (const krb5_reply_key_pack *, krb5_data **code);
2421     krb5_error_code (*encode_krb5_reply_key_pack_draft9)
2422         (const krb5_reply_key_pack_draft9 *, krb5_data **code);
2423     krb5_error_code (*encode_krb5_td_dh_parameters)
2424         (const krb5_algorithm_identifier **, krb5_data **code);
2425     krb5_error_code (*encode_krb5_td_trusted_certifiers)
2426         (const krb5_external_principal_identifier **, krb5_data **code);
2427     krb5_error_code (*encode_krb5_typed_data)
2428         (const krb5_typed_data **, krb5_data **code);
2429 
2430     krb5_error_code (*decode_krb5_auth_pack)
2431         (const krb5_data *, krb5_auth_pack **);
2432     krb5_error_code (*decode_krb5_auth_pack_draft9)
2433         (const krb5_data *, krb5_auth_pack_draft9 **);
2434     krb5_error_code (*decode_krb5_pa_pk_as_req)
2435         (const krb5_data *, krb5_pa_pk_as_req **);
2436     krb5_error_code (*decode_krb5_pa_pk_as_req_draft9)
2437         (const krb5_data *, krb5_pa_pk_as_req_draft9 **);
2438     krb5_error_code (*decode_krb5_pa_pk_as_rep)
2439         (const krb5_data *, krb5_pa_pk_as_rep **);
2440     krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9)
2441         (const krb5_data *, krb5_pa_pk_as_rep_draft9 **);
2442     krb5_error_code (*decode_krb5_kdc_dh_key_info)
2443         (const krb5_data *, krb5_kdc_dh_key_info **);
2444     krb5_error_code (*decode_krb5_principal_name)
2445         (const krb5_data *, krb5_principal_data **);
2446     krb5_error_code (*decode_krb5_reply_key_pack)
2447         (const krb5_data *, krb5_reply_key_pack **);
2448     krb5_error_code (*decode_krb5_reply_key_pack_draft9)
2449         (const krb5_data *, krb5_reply_key_pack_draft9 **);
2450     krb5_error_code (*decode_krb5_td_dh_parameters)
2451         (const krb5_data *, krb5_algorithm_identifier ***);
2452     krb5_error_code (*decode_krb5_td_trusted_certifiers)
2453         (const krb5_data *, krb5_external_principal_identifier ***);
2454     krb5_error_code (*decode_krb5_typed_data)
2455         (const krb5_data *, krb5_typed_data ***);
2456 
2457     krb5_error_code (*decode_krb5_as_req)
2458 	(const krb5_data *output, krb5_kdc_req **rep);
2459     krb5_error_code (*encode_krb5_kdc_req_body)
2460 	(const krb5_kdc_req *rep, krb5_data **code);
2461     void (KRB5_CALLCONV *krb5_free_kdc_req)
2462 	(krb5_context, krb5_kdc_req * );
2463     void (*krb5int_set_prompt_types)
2464 	(krb5_context, krb5_prompt_type *);
2465     krb5_error_code (*encode_krb5_authdata_elt)
2466 	(const krb5_authdata *rep, krb5_data **code);
2467 
2468 } krb5int_access;
2469 
2470 #define KRB5INT_ACCESS_VERSION \
2471     (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2472 		   (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2473 
2474 krb5_error_code KRB5_CALLCONV krb5int_accessor
2475 	(krb5int_access*, krb5_int32);
2476 
2477 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2478    because AFS (and potentially other applications?) use the krb4
2479    object as an opaque token, which (in some implementations) is not
2480    in fact a krb4 ticket, so we don't want to drag in the krb4 support
2481    just to enable this.  */
2482 
2483 #define KRB524_SERVICE "krb524"
2484 #define KRB524_PORT 4444
2485 
2486 /* v4lifetime.c */
2487 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
2488 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
2489 
2490 /* conv_creds.c */
2491 int krb5int_encode_v4tkt
2492 	(struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
2493 
2494 /* send524.c */
2495 int krb5int_524_sendto_kdc
2496         (krb5_context context, const krb5_data * message,
2497 	 const krb5_data * realm, krb5_data * reply,
2498 	 struct sockaddr *, socklen_t *);
2499 
2500 /* temporary -- this should be under lib/krb5/ccache somewhere */
2501 
2502 struct _krb5_ccache {
2503     krb5_magic magic;
2504     const struct _krb5_cc_ops *ops;
2505     krb5_pointer data;
2506 };
2507 
2508 /*
2509  * Per-type ccache cursor.
2510  */
2511 struct krb5_cc_ptcursor {
2512     const struct _krb5_cc_ops *ops;
2513     krb5_pointer data;
2514 };
2515 typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor;
2516 
2517 struct _krb5_cc_ops {
2518     krb5_magic magic;
2519     char *prefix;
2520     const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
2521     krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
2522 					    const char *);
2523     krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2524     krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2525 					    krb5_principal);
2526     krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2527     krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2528     krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2529 					    krb5_creds *);
2530     krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2531 					    krb5_flags, krb5_creds *,
2532 					    krb5_creds *);
2533     krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2534 					    krb5_principal *);
2535     krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2536 					    krb5_cc_cursor *);
2537     krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2538 					    krb5_cc_cursor *, krb5_creds *);
2539     krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2540 					    krb5_cc_cursor *);
2541     krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2542 					    krb5_flags, krb5_creds *);
2543     krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2544 					    krb5_flags);
2545     krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache,
2546 						krb5_flags *);
2547     krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2548 						  krb5_cc_ptcursor *);
2549     krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2550 						   krb5_cc_ptcursor,
2551 						   krb5_ccache *);
2552     krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2553 						   krb5_cc_ptcursor *);
2554     krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache);
2555     krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2556 						krb5_ccache, krb5_timestamp *);
2557     krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2558 						krb5_timestamp *);
2559 };
2560 
2561 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2562 
2563 krb5_error_code
2564 krb5int_cc_os_default_name(krb5_context context, char **name);
2565 
2566 /*
2567  * Cursor for iterating over ccache types
2568  */
2569 struct krb5_cc_typecursor;
2570 typedef struct krb5_cc_typecursor *krb5_cc_typecursor;
2571 
2572 krb5_error_code
2573 krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *cursor);
2574 
2575 krb5_error_code
2576 krb5int_cc_typecursor_next(
2577     krb5_context context,
2578     krb5_cc_typecursor cursor,
2579     const struct _krb5_cc_ops **ops);
2580 
2581 krb5_error_code
2582 krb5int_cc_typecursor_free(
2583     krb5_context context,
2584     krb5_cc_typecursor *cursor);
2585 
2586 typedef struct _krb5_donot_replay {
2587     krb5_magic magic;
2588     krb5_ui_4 hash;
2589     char *server;			/* null-terminated */
2590     char *client;			/* null-terminated */
2591     char *msghash;                      /* null-terminated */
2592     krb5_int32 cusec;
2593     krb5_timestamp ctime;
2594 } krb5_donot_replay;
2595 
2596 krb5_error_code krb5_rc_default
2597 	(krb5_context,
2598 		krb5_rcache *);
2599 krb5_error_code krb5_rc_resolve_type
2600 	(krb5_context,
2601 		krb5_rcache *,char *);
2602 krb5_error_code krb5_rc_resolve_full
2603 	(krb5_context,
2604 		krb5_rcache *,char *);
2605 char * krb5_rc_get_type
2606 	(krb5_context,
2607 		krb5_rcache);
2608 char * krb5_rc_default_type
2609 	(krb5_context);
2610 char * krb5_rc_default_name
2611 	(krb5_context);
2612 krb5_error_code krb5_auth_to_rep
2613 	(krb5_context,
2614 		krb5_tkt_authent *,
2615 		krb5_donot_replay *);
2616 
2617 
2618 krb5_error_code KRB5_CALLCONV krb5_rc_initialize
2619 	(krb5_context, krb5_rcache,krb5_deltat);
2620 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
2621 	(krb5_context, krb5_rcache,krb5_deltat);
2622 krb5_error_code KRB5_CALLCONV krb5_rc_recover
2623 	(krb5_context, krb5_rcache);
2624 krb5_error_code KRB5_CALLCONV krb5_rc_destroy
2625 	(krb5_context, krb5_rcache);
2626 krb5_error_code KRB5_CALLCONV krb5_rc_close
2627 	(krb5_context, krb5_rcache);
2628 krb5_error_code KRB5_CALLCONV krb5_rc_store
2629 	(krb5_context, krb5_rcache,krb5_donot_replay *);
2630 krb5_error_code KRB5_CALLCONV krb5_rc_expunge
2631 	(krb5_context, krb5_rcache);
2632 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
2633 	(krb5_context, krb5_rcache,krb5_deltat *);
2634 char *KRB5_CALLCONV krb5_rc_get_name
2635 	(krb5_context, krb5_rcache);
2636 krb5_error_code KRB5_CALLCONV krb5_rc_resolve
2637 	(krb5_context, krb5_rcache, char *);
2638 
2639 typedef struct _krb5_kt_ops {
2640     krb5_magic magic;
2641     char *prefix;
2642     /* routines always present */
2643     krb5_error_code (KRB5_CALLCONV *resolve)
2644 	(krb5_context,
2645 		 const char *,
2646 		 krb5_keytab *);
2647     krb5_error_code (KRB5_CALLCONV *get_name)
2648 	(krb5_context,
2649 		 krb5_keytab,
2650 		 char *,
2651 		 unsigned int);
2652     krb5_error_code (KRB5_CALLCONV *close)
2653 	(krb5_context,
2654 		 krb5_keytab);
2655     krb5_error_code (KRB5_CALLCONV *get)
2656 	(krb5_context,
2657 		 krb5_keytab,
2658 		 krb5_const_principal,
2659 		 krb5_kvno,
2660 		 krb5_enctype,
2661 		 krb5_keytab_entry *);
2662     krb5_error_code (KRB5_CALLCONV *start_seq_get)
2663 	(krb5_context,
2664 		 krb5_keytab,
2665 		 krb5_kt_cursor *);
2666     krb5_error_code (KRB5_CALLCONV *get_next)
2667 	(krb5_context,
2668 		 krb5_keytab,
2669 		 krb5_keytab_entry *,
2670 		 krb5_kt_cursor *);
2671     krb5_error_code (KRB5_CALLCONV *end_get)
2672 	(krb5_context,
2673 		 krb5_keytab,
2674 		 krb5_kt_cursor *);
2675     /* routines to be included on extended version (write routines) */
2676     krb5_error_code (KRB5_CALLCONV *add)
2677 	(krb5_context,
2678 		 krb5_keytab,
2679 		 krb5_keytab_entry *);
2680     krb5_error_code (KRB5_CALLCONV *remove)
2681 	(krb5_context,
2682 		 krb5_keytab,
2683 		  krb5_keytab_entry *);
2684 
2685     /* Handle for serializer */
2686     const krb5_ser_entry *serializer;
2687 } krb5_kt_ops;
2688 
2689 extern const krb5_kt_ops krb5_kt_dfl_ops;
2690 
2691 extern krb5_error_code krb5int_translate_gai_error (int);
2692 
2693 /* Not sure it's ready for exposure just yet.  */
2694 extern krb5_error_code
2695 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
2696 
2697 extern int krb5int_crypto_init (void);
2698 extern int krb5int_prng_init(void);
2699 
2700 
2701 /*
2702  * SUNW14resync
2703  * Hack (?) to neuter C99 "inline" which causes warnings w/our build.
2704  */
2705 #define inline
2706 
2707 /* Some data comparison and conversion functions.  */
2708 #if 0
2709 static inline int data_cmp(krb5_data d1, krb5_data d2)
2710 {
2711     if (d1.length < d2.length) return -1;
2712     if (d1.length > d2.length) return 1;
2713     return memcmp(d1.data, d2.data, d1.length);
2714 }
2715 static inline int data_eq (krb5_data d1, krb5_data d2)
2716 {
2717     return data_cmp(d1, d2) == 0;
2718 }
2719 #else
data_eq(krb5_data d1,krb5_data d2)2720 static inline int data_eq (krb5_data d1, krb5_data d2)
2721 {
2722     return (d1.length == d2.length
2723             && !memcmp(d1.data, d2.data, d1.length));
2724 }
2725 #endif
string2data(char * str)2726 static inline krb5_data string2data (char *str)
2727 {
2728     krb5_data d;
2729     d.magic = KV5M_DATA;
2730     d.length = strlen(str);
2731     d.data = str;
2732     return d;
2733 }
2734 /*LINTED*/
data_eq_string(krb5_data d,char * s)2735 static inline int data_eq_string (krb5_data d, char *s)
2736 {
2737     return data_eq(d, string2data(s));
2738 }
2739 /*LINTED*/
authdata_eq(krb5_authdata a1,krb5_authdata a2)2740 static inline int authdata_eq (krb5_authdata a1, krb5_authdata a2)
2741 {
2742     return (a1.ad_type == a2.ad_type
2743             && a1.length == a2.length
2744             && !memcmp(a1.contents, a2.contents, a1.length));
2745 }
2746 
2747 
2748 /* Solaris kerberos */
2749 krb5_boolean KRB5_CALLCONV is_in_keytype
2750 	(krb5_const krb5_enctype *keytype,
2751 	int numkeytypes, krb5_enctype enctype);
2752 
2753 /*
2754  * Solaris Kerberos
2755  * Use krb5_getuid() to select the mechanism to obtain the uid.
2756  */
2757 extern uid_t	krb5_getuid();
2758 
2759 /*
2760  * Referral definitions, debugging hooks, and subfunctions.
2761  */
2762 #define        KRB5_REFERRAL_MAXHOPS	5
2763 /* #define DEBUG_REFERRALS */
2764 
2765 #ifdef DEBUG_REFERRALS
2766 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2767 #endif
2768 
2769 /* Common hostname-parsing code. */
2770 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
2771 	(krb5_context,
2772 		const char *,
2773 		char *,
2774 		size_t);
2775 
2776 /*
2777  * Solaris Kerberos
2778  * Kernel & user space realloc.
2779  */
2780 void *krb5int_realloc
2781 	(void *oldp,
2782 	 size_t new_size,
2783 	 size_t old_size);
2784 #endif /* _KRB5_INT_H */
2785