1 /*
2  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * Copyright (C) 1989-1995 by the Massachusetts Institute of Technology,
8  * Cambridge, MA, USA.  All Rights Reserved.
9  *
10  * This software is being provided to you, the LICENSEE, by the
11  * Massachusetts Institute of Technology (M.I.T.) under the following
12  * license.  By obtaining, using and/or copying this software, you agree
13  * that you have read, understood, and will comply with these terms and
14  * conditions:
15  *
16  * Export of this software from the United States of America may
17  * require a specific license from the United States Government.
18  * It is the responsibility of any person or organization contemplating
19  * export to obtain such a license before exporting.
20  *
21  * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
22  * this software and its documentation for any purpose and without fee or
23  * royalty is hereby granted, provided that you agree to comply with the
24  * following copyright notice and statements, including the disclaimer, and
25  * that the same appear on ALL copies of the software and documentation,
26  * including modifications that you make for internal use or for
27  * distribution:
28  *
29  * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
30  * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
31  * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
32  * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
33  * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
34  * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
35  *
36  * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
37  * be used in advertising or publicity pertaining to distribution of the
38  * software.  Title to copyright in this software and any associated
39  * documentation shall at all times remain with M.I.T., and USER agrees to
40  * preserve same.
41  */
42 /*
43  * Copyright (C) 1998 by the FundsXpress, INC.
44  *
45  * All rights reserved.
46  *
47  * Export of this software from the United States of America may require
48  * a specific license from the United States Government.  It is the
49  * responsibility of any person or organization contemplating export to
50  * obtain such a license before exporting.
51  *
52  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
53  * distribute this software and its documentation for any purpose and
54  * without fee is hereby granted, provided that the above copyright
55  * notice appear in all copies and that both that copyright notice and
56  * this permission notice appear in supporting documentation, and that
57  * the name of FundsXpress. not be used in advertising or publicity pertaining
58  * to distribution of the software without specific, written prior
59  * permission.  FundsXpress makes no representations about the suitability of
60  * this software for any purpose.  It is provided "as is" without express
61  * or implied warranty.
62  *
63  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
64  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
65  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
66  */
67 
68 /*
69  * This prototype for k5-int.h (Krb5 internals include file)
70  * includes the user-visible definitions from krb5.h and then
71  * includes other definitions that are not user-visible but are
72  * required for compiling Kerberos internal routines.
73  *
74  * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
75  */
76 
77 #ifndef _KRB5_INT_H
78 #define _KRB5_INT_H
79 
80 #pragma ident	"%Z%%M%	%I%	%E% SMI"
81 
82 #ifndef	_KERNEL
83 #include <osconf.h>
84 #include <security/cryptoki.h>
85 #else
86 #include <sys/crypto/common.h>
87 #include <sys/crypto/api.h>
88 #endif
89 
90 #ifdef  DEBUG
91 #if !defined(KRB5_DEBUG)
92 #define KRB5_DEBUG
93 #endif
94 #ifndef  KRB5_LOG_LVL
95 #define KRB5_LOG_LVL KRB5_ERR
96 #endif
97 #endif  /* DEBUG */
98 
99 #ifdef  _KERNEL
100 
101 #ifdef  DEBUG
102 #include        <sys/types.h>
103 #include        <sys/cmn_err.h>
104  extern  void prom_printf();
105 #endif  /* DEBUG */
106 
107 #else   /* !_KERNEL */
108 
109 #define prom_printf printf
110 
111 #endif /* !_KERNEL */
112 
113 #ifdef KRB5_LOG_LVL
114 
115 /* krb5_log is used to set the logging level to determine what class of messages
116  * are output by the mech.  Note, more than one logging level can be used by
117  * bit or'ing the log values together.
118  *
119  * All log messages are captured by syslog.
120  */
121 
122 extern unsigned int krb5_log;
123 
124 /* Note, these defines should be mutually exclusive bit fields */
125 #define KRB5_ERR  1   /* Use this debug log level for error path logging. */
126 #define KRB5_INFO 2   /* Use this debug log level for informational messages. */
127 
128 #ifdef  _KERNEL
129 
130 #define KRB5_LOG1(A, B, C, D) \
131      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
132 #define KRB5_LOG(A, B, C) \
133      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
134 #define KRB5_LOG0(A, B)   \
135      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))
136 
137 #else	/* !_KERNEL */
138 
139 #include <syslog.h>
140 
141 #define KRB5_LOG1(A, B, C, D) \
142         ((void)((krb5_log) && (krb5_log & (A)) && \
143 		(syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
144 #define KRB5_LOG(A, B, C) \
145         ((void)((krb5_log) && (krb5_log & (A)) && \
146 		(syslog(LOG_DEBUG, (B), (C)), TRUE)))
147 #define KRB5_LOG0(A, B)   \
148         ((void)((krb5_log) && (krb5_log & (A)) && \
149 	       	(syslog(LOG_DEBUG, B), TRUE)))
150 
151 #endif	/* _KERNEL */
152 
153 #else /* ! KRB5_LOG_LVL */
154 
155 #define KRB5_LOG1(A, B, C, D)
156 #define KRB5_LOG(A, B, C)
157 #define KRB5_LOG0(A, B)
158 
159 #endif /* KRB5_LOG_LVL */
160 
161 /* Compatibility switch for SAM preauth */
162 #define AS_REP_105_SAM_COMPAT
163 
164 #ifdef POSIX_TYPES
165 #define timetype time_t
166 #else
167 #define timetype long
168 #endif
169 
170 /*
171  * Begin "k5-config.h"
172  */
173 #ifndef KRB5_CONFIG__
174 #define KRB5_CONFIG__
175 
176 /*
177  * Machine-type definitions: PC Clone 386 running Microsoft Windows
178  */
179 
180 #if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
181 #include "win-mac.h"
182 #if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
183 #pragma import on
184 #endif
185 #endif
186 
187 #if defined(_MSDOS) || defined(_WIN32)
188 /* Kerberos Windows initialization file */
189 #define KERBEROS_INI    "kerberos.ini"
190 #define INI_FILES       "Files"
191 #define INI_KRB_CCACHE  "krb5cc"       /* Location of the ccache */
192 #define INI_KRB5_CONF   "krb5.ini"		/* Location of krb5.conf file */
193 #define HAVE_LABS
194 #define ANSI_STDIO
195 #endif
196 
197 
198 #ifndef macintosh
199 #if defined(__MWERKS__) || defined(applec) || defined(THINK_C)
200 #define macintosh
201 #define SIZEOF_INT 4
202 #define SIZEOF_SHORT 2
203 #define HAVE_SRAND
204 #define NO_PASSWORD
205 #define HAVE_LABS
206 /*#define ENOMEM -1*/
207 #define ANSI_STDIO
208 #ifndef _SIZET
209 typedef unsigned int size_t;
210 #define _SIZET
211 #endif
212 #include <unix.h>
213 #include <ctype.h>
214 #endif
215 #endif
216 
217 #ifndef _KERNEL
218 #ifndef KRB5_AUTOCONF__
219 #define KRB5_AUTOCONF__
220 #include <autoconf.h>
221 #endif
222 #endif 		/* !_KERNEL  */
223 
224 #ifndef KRB5_SYSTYPES__
225 #define KRB5_SYSTYPES__
226 
227 #ifdef HAVE_SYS_TYPES_H		/* From autoconf.h */
228 #include <sys/types.h>
229 #else /* HAVE_SYS_TYPES_H */
230 #endif /* HAVE_SYS_TYPES_H */
231 #endif /* KRB5_SYSTYPES__ */
232 
233 #ifdef SYSV
234 /* Change srandom and random to use rand and srand */
235 /* Taken from the Sandia changes.  XXX  We should really just include */
236 /* srandom and random into Kerberos release, since rand() is a really */
237 /* bad random number generator.... [tytso:19920616.2231EDT] */
238 #define random() rand()
239 #define srandom(a) srand(a)
240 #endif /* SYSV */
241 
242 typedef uint64_t krb5_ui_8;
243 typedef int64_t krb5_int64;
244 
245 #define DEFAULT_PWD_STRING1 "Enter password:"
246 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
247 
248 #define	KRB5_KDB_MAX_LIFE	(60*60*24) /* one day */
249 #define	KRB5_KDB_MAX_RLIFE	(60*60*24*365) /* one year */
250 #define	KRB5_KDB_EXPIRATION	2145830400 /* Thu Jan  1 00:00:00 2038 UTC */
251 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
252 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */
253 
254 /*
255  * Windows requires a different api interface to each function. Here
256  * just define it as NULL.
257  */
258 #ifndef KRB5_CALLCONV
259 #define KRB5_CALLCONV
260 #define KRB5_CALLCONV_C
261 #define KRB5_DLLIMP
262 #define GSS_DLLIMP
263 #define KRB5_EXPORTVAR
264 #define FAR
265 #define NEAR
266 #endif
267 #ifndef O_BINARY
268 #define O_BINARY 0
269 #endif
270 
271 #ifndef HAVE_LABS
272 #define labs(x) abs(x)
273 #endif
274 
275 #endif /* KRB5_CONFIG__ */
276 
277 /*
278  * End "k5-config.h"
279  */
280 
281 /*
282  * After loading the configuration definitions, load the Kerberos definitions.
283  */
284 #include <krb5.h>
285 
286 #ifndef _KERNEL
287 #ifdef NEED_SOCKETS
288 #include <port-sockets.h>
289 #include <socket-utils.h>
290 #else
291 #ifndef SOCK_DGRAM
292 struct sockaddr;
293 #endif
294 #endif
295 #endif
296 
297 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
298    The ones that it doesn't include, we include below.  */
299 
300 /*
301  * Begin "k5-errors.h"
302  */
303 #ifndef KRB5_ERRORS__
304 #define KRB5_ERRORS__
305 
306 
307 /* Error codes used in KRB_ERROR protocol messages.
308    Return values of library routines are based on a different error table
309    (which allows non-ambiguous error codes between subsystems) */
310 
311 /* KDC errors */
312 #define	KDC_ERR_NONE			0 /* No error */
313 #define	KDC_ERR_NAME_EXP		1 /* Client's entry in DB expired */
314 #define	KDC_ERR_SERVICE_EXP		2 /* Server's entry in DB expired */
315 #define	KDC_ERR_BAD_PVNO		3 /* Requested pvno not supported */
316 #define	KDC_ERR_C_OLD_MAST_KVNO		4 /* C's key encrypted in old master */
317 #define	KDC_ERR_S_OLD_MAST_KVNO		5 /* S's key encrypted in old master */
318 #define	KDC_ERR_C_PRINCIPAL_UNKNOWN	6 /* Client not found in Kerberos DB */
319 #define	KDC_ERR_S_PRINCIPAL_UNKNOWN	7 /* Server not found in Kerberos DB */
320 #define	KDC_ERR_PRINCIPAL_NOT_UNIQUE	8 /* Multiple entries in Kerberos DB */
321 #define	KDC_ERR_NULL_KEY		9 /* The C or S has a null key */
322 #define	KDC_ERR_CANNOT_POSTDATE		10 /* Tkt ineligible for postdating */
323 #define	KDC_ERR_NEVER_VALID		11 /* Requested starttime > endtime */
324 #define	KDC_ERR_POLICY			12 /* KDC policy rejects request */
325 #define	KDC_ERR_BADOPTION		13 /* KDC can't do requested opt. */
326 #define	KDC_ERR_ENCTYPE_NOSUPP		14 /* No support for encryption type */
327 #define KDC_ERR_SUMTYPE_NOSUPP		15 /* No support for checksum type */
328 #define KDC_ERR_PADATA_TYPE_NOSUPP	16 /* No support for padata type */
329 #define KDC_ERR_TRTYPE_NOSUPP		17 /* No support for transited type */
330 #define KDC_ERR_CLIENT_REVOKED		18 /* C's creds have been revoked */
331 #define KDC_ERR_SERVICE_REVOKED		19 /* S's creds have been revoked */
332 #define KDC_ERR_TGT_REVOKED		20 /* TGT has been revoked */
333 #define KDC_ERR_CLIENT_NOTYET		21 /* C not yet valid */
334 #define KDC_ERR_SERVICE_NOTYET		22 /* S not yet valid */
335 #define KDC_ERR_KEY_EXP			23 /* Password has expired */
336 #define KDC_ERR_PREAUTH_FAILED		24 /* Preauthentication failed */
337 #define KDC_ERR_PREAUTH_REQUIRED	25 /* Additional preauthentication */
338 					   /* required */
339 #define KDC_ERR_SERVER_NOMATCH		26 /* Requested server and */
340 					   /* ticket don't match*/
341 /* Application errors */
342 #define	KRB_AP_ERR_BAD_INTEGRITY 31	/* Decrypt integrity check failed */
343 #define	KRB_AP_ERR_TKT_EXPIRED	32	/* Ticket expired */
344 #define	KRB_AP_ERR_TKT_NYV	33	/* Ticket not yet valid */
345 #define	KRB_AP_ERR_REPEAT	34	/* Request is a replay */
346 #define	KRB_AP_ERR_NOT_US	35	/* The ticket isn't for us */
347 #define	KRB_AP_ERR_BADMATCH	36	/* Ticket/authenticator don't match */
348 #define	KRB_AP_ERR_SKEW		37	/* Clock skew too great */
349 #define	KRB_AP_ERR_BADADDR	38	/* Incorrect net address */
350 #define	KRB_AP_ERR_BADVERSION	39	/* Protocol version mismatch */
351 #define	KRB_AP_ERR_MSG_TYPE	40	/* Invalid message type */
352 #define	KRB_AP_ERR_MODIFIED	41	/* Message stream modified */
353 #define	KRB_AP_ERR_BADORDER	42	/* Message out of order */
354 #define	KRB_AP_ERR_BADKEYVER	44	/* Key version is not available */
355 #define	KRB_AP_ERR_NOKEY	45	/* Service key not available */
356 #define	KRB_AP_ERR_MUT_FAIL	46	/* Mutual authentication failed */
357 #define KRB_AP_ERR_BADDIRECTION	47 	/* Incorrect message direction */
358 #define KRB_AP_ERR_METHOD	48 	/* Alternative authentication */
359 					/* method required */
360 #define KRB_AP_ERR_BADSEQ	49 	/* Incorrect sequence numnber */
361 					/* in message */
362 #define KRB_AP_ERR_INAPP_CKSUM	50	/* Inappropriate type of */
363 					/* checksum in message */
364 #define	KRB_AP_PATH_NOT_ACCEPTED 51	/* Policy rejects transited path */
365 #define	KRB_ERR_RESPONSE_TOO_BIG 52	/* Response too big for UDP, */
366 					/*   retry with TCP */
367 
368 /* other errors */
369 #define KRB_ERR_GENERIC		60 	/* Generic error (description */
370 					/* in e-text) */
371 #define	KRB_ERR_FIELD_TOOLONG	61	/* Field is too long for impl. */
372 
373 #endif /* KRB5_ERRORS__ */
374 /*
375  * End "k5-errors.h"
376  */
377 
378 /*
379  * This structure is returned in the e-data field of the KRB-ERROR
380  * message when the error calling for an alternative form of
381  * authentication is returned, KRB_AP_METHOD.
382  */
383 typedef struct _krb5_alt_method {
384 	krb5_magic	magic;
385 	krb5_int32	method;
386 	unsigned int	length;
387 	krb5_octet	*data;
388 } krb5_alt_method;
389 
390 /*
391  * A null-terminated array of this structure is returned by the KDC as
392  * the data part of the ETYPE_INFO preauth type.  It informs the
393  * client which encryption types are supported.
394  * The	same data structure is used by both etype-info and etype-info2
395  * but s2kparams must be null when encoding etype-info.
396  */
397 typedef struct _krb5_etype_info_entry {
398 	krb5_magic	magic;
399 	krb5_enctype	etype;
400 	unsigned int	length;
401 	krb5_octet	*salt;
402 	krb5_data	s2kparams;
403 } krb5_etype_info_entry;
404 
405 /*
406  *  This is essentially -1 without sign extension which can screw up
407  *  comparisons on 64 bit machines. If the length is this value, then
408  *  the salt data is not present. This is to distinguish between not
409  *  being set and being of 0 length.
410  */
411 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
412 
413 typedef krb5_etype_info_entry ** krb5_etype_info;
414 
415 /*
416  * a sam_challenge is returned for alternate preauth
417  */
418 /*
419           SAMFlags ::= BIT STRING {
420               use-sad-as-key[0],
421               send-encrypted-sad[1],
422               must-pk-encrypt-sad[2]
423           }
424  */
425 /*
426           PA-SAM-CHALLENGE ::= SEQUENCE {
427               sam-type[0]                 INTEGER,
428               sam-flags[1]                SAMFlags,
429               sam-type-name[2]            GeneralString OPTIONAL,
430               sam-track-id[3]             GeneralString OPTIONAL,
431               sam-challenge-label[4]      GeneralString OPTIONAL,
432               sam-challenge[5]            GeneralString OPTIONAL,
433               sam-response-prompt[6]      GeneralString OPTIONAL,
434               sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
435               sam-nonce[8]                INTEGER OPTIONAL,
436               sam-cksum[9]                Checksum OPTIONAL
437           }
438 */
439 /* sam_type values -- informational only */
440 #define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
441 #define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
442 #define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
443 #define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
444 #define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
445 #define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
446 #if 1 /* XXX need to figure out who has which numbers assigned */
447 #define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
448 #define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
449 #define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
450 #endif
451 #define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
452 #define PA_SAM_TYPE_GRAIL		(PA_SAM_TYPE_EXP_BASE+0) /* testing */
453 #define PA_SAM_TYPE_SECURID_PREDICT	(PA_SAM_TYPE_EXP_BASE+1) /* special */
454 
455 typedef struct _krb5_predicted_sam_response {
456 	krb5_magic	magic;
457 	krb5_keyblock	sam_key;
458         krb5_flags      sam_flags; /* Makes key munging easier */
459         krb5_timestamp  stime;  /* time on server, for replay detection */
460         krb5_int32      susec;
461         krb5_principal  client;
462         krb5_data       msd;    /* mechanism specific data */
463 } krb5_predicted_sam_response;
464 
465 typedef struct _krb5_sam_challenge {
466 	krb5_magic	magic;
467 	krb5_int32	sam_type; /* information */
468 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
469 	krb5_data	sam_type_name;
470 	krb5_data	sam_track_id;
471 	krb5_data	sam_challenge_label;
472 	krb5_data	sam_challenge;
473 	krb5_data	sam_response_prompt;
474 	krb5_data	sam_pk_for_sad;
475 	krb5_int32	sam_nonce;
476 	krb5_checksum	sam_cksum;
477 } krb5_sam_challenge;
478 
479 typedef struct _krb5_sam_key {	/* reserved for future use */
480 	krb5_magic	magic;
481 	krb5_keyblock	sam_key;
482 } krb5_sam_key;
483 
484 typedef struct _krb5_enc_sam_response_enc {
485 	krb5_magic	magic;
486 	krb5_int32	sam_nonce;
487 	krb5_timestamp	sam_timestamp;
488 	krb5_int32	sam_usec;
489 	krb5_data	sam_sad;
490 } krb5_enc_sam_response_enc;
491 
492 typedef struct _krb5_sam_response {
493 	krb5_magic	magic;
494 	krb5_int32	sam_type; /* informational */
495 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
496 	krb5_data	sam_track_id; /* copied */
497 	krb5_enc_data	sam_enc_key; /* krb5_sam_key - future use */
498 	krb5_enc_data	sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
499 	krb5_int32	sam_nonce;
500 	krb5_timestamp	sam_patimestamp;
501 } krb5_sam_response;
502 
503 typedef struct _krb5_sam_challenge_2 {
504 	krb5_data	sam_challenge_2_body;
505 	krb5_checksum	**sam_cksum;		/* Array of checksums */
506 } krb5_sam_challenge_2;
507 
508 typedef struct _krb5_sam_challenge_2_body {
509 	krb5_magic	magic;
510 	krb5_int32	sam_type; /* information */
511 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
512 	krb5_data	sam_type_name;
513 	krb5_data	sam_track_id;
514 	krb5_data	sam_challenge_label;
515 	krb5_data	sam_challenge;
516 	krb5_data	sam_response_prompt;
517 	krb5_data	sam_pk_for_sad;
518 	krb5_int32	sam_nonce;
519 	krb5_enctype	sam_etype;
520 } krb5_sam_challenge_2_body;
521 
522 typedef struct _krb5_sam_response_2 {
523 	krb5_magic	magic;
524 	krb5_int32	sam_type; /* informational */
525 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
526 	krb5_data	sam_track_id; /* copied */
527 	krb5_enc_data	sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
528 	krb5_int32	sam_nonce;
529 } krb5_sam_response_2;
530 
531 typedef struct _krb5_enc_sam_response_enc_2 {
532 	krb5_magic	magic;
533 	krb5_int32	sam_nonce;
534 	krb5_data	sam_sad;
535 } krb5_enc_sam_response_enc_2;
536 
537 /*
538  * Begin "dbm.h"
539  */
540 #ifndef _KERNEL
541 
542 /*
543  * Since we are always using db, use the db-ndbm include header file.
544  */
545 
546 #include "db-ndbm.h"
547 
548 #endif /* !KERNEL */
549 /*
550  * End "dbm.h"
551  */
552 
553 /*
554  * Begin "ext-proto.h"
555  */
556 #ifndef KRB5_EXT_PROTO__
557 #define KRB5_EXT_PROTO__
558 
559 #ifndef _KERNEL
560 #include <stdlib.h>
561 
562 #ifdef HAVE_STRING_H
563 #include <string.h>
564 #else
565 #include <strings.h>
566 #endif
567 
568 #endif /* !_KERNEL */
569 
570 #ifndef HAVE_STRDUP
571 extern char *strdup (const char *);
572 #endif
573 
574 #ifndef _KERNEL
575 #ifdef HAVE_UNISTD_H
576 #include <unistd.h>
577 #endif
578 #endif /* !_KERNEL */
579 
580 #endif /* KRB5_EXT_PROTO__ */
581 /*
582  * End "ext-proto.h"
583  */
584 
585 /*
586  * Begin "sysincl.h"
587  */
588 #ifndef KRB5_SYSINCL__
589 #define KRB5_SYSINCL__
590 
591 #ifndef KRB5_SYSTYPES__
592 #define KRB5_SYSTYPES__
593 /* needed for much of the rest -- but already handled in krb5.h? */
594 /* #include <sys/types.h> */
595 #endif /* KRB5_SYSTYPES__ */
596 
597 #ifdef	_KERNEL
598 #include <sys/time.h>
599 #else
600 #ifdef HAVE_SYS_TIME_H
601 #include <sys/time.h>
602 #ifdef TIME_WITH_SYS_TIME
603 #include <time.h>
604 #endif
605 #else
606 #include <time.h>
607 #endif
608 #endif /* _KERNEL */
609 
610 #ifdef HAVE_SYS_STAT_H
611 #include <sys/stat.h>			/* struct stat, stat() */
612 #endif
613 
614 #ifdef HAVE_SYS_PARAM_H
615 #include <sys/param.h>			/* MAXPATHLEN */
616 #endif
617 
618 #ifdef HAVE_SYS_FILE_H
619 #include <sys/file.h>			/* prototypes for file-related
620 					   syscalls; flags for open &
621 					   friends */
622 #endif
623 
624 #ifdef _KERNEL
625 #include <sys/fcntl.h>
626 #else
627 #include <fcntl.h>
628 #endif
629 
630 #endif /* KRB5_SYSINCL__ */
631 /*
632  * End "sysincl.h"
633  */
634 
635 /*
636  * Begin "los-proto.h"
637  */
638 #ifndef KRB5_LIBOS_PROTO__
639 #define KRB5_LIBOS_PROTO__
640 
641 #ifndef	_KERNEL
642 #include <stdio.h>
643 
644 struct addrlist;
645 #endif
646 
647 /* libos.spec */
648 krb5_error_code krb5_lock_file
649 	(krb5_context, int, int);
650 
651 krb5_error_code krb5_unlock_file
652 	(krb5_context, int);
653 
654 int krb5_net_read
655 	(krb5_context, int , char *, int);
656 
657 int krb5_net_write
658 	(krb5_context, int , const char *, int);
659 
660 krb5_error_code krb5_sendto_kdc
661 	(krb5_context, const krb5_data *, const krb5_data *,
662 	   krb5_data *, int, int);
663 
664 krb5_error_code krb5_get_krbhst
665 	(krb5_context, const krb5_data *, char ***);
666 
667 krb5_error_code krb5_free_krbhst
668 	(krb5_context, char * const *);
669 
670 krb5_error_code krb5_gen_replay_name
671     (krb5_context, const krb5_address *, const char *, char **);
672 
673 krb5_error_code krb5_create_secure_file
674 	(krb5_context, const char * pathname);
675 
676 #ifndef	_KERNEL
677 krb5_error_code krb5_sync_disk_file
678 	(krb5_context, FILE *fp);
679 
680 krb5_error_code
681 krb5_open_pkcs11_session(CK_SESSION_HANDLE *);
682 #endif
683 
684 
685 krb5_error_code krb5_read_message
686 	(krb5_context, krb5_pointer, krb5_data *);
687 
688 krb5_error_code krb5_write_message
689 	(krb5_context, krb5_pointer, krb5_data *);
690 
691 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
692 
693 krb5_error_code krb5_os_init_context
694         (krb5_context);
695 
696 void krb5_os_free_context (krb5_context);
697 
698 krb5_error_code krb5_find_config_files(void);
699 
700 #ifndef _KERNEL
701 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
702  * going to use this structure.  */
703 struct addrlist {
704 	struct addrinfo **addrs;
705 	int naddrs;
706 	int space;
707 };
708 
709 #define	ADDRLIST_INIT { 0, 0, 0 }
710 extern void krb5int_free_addrlist (struct addrlist *);
711 extern int krb5int_grow_addrlist (struct addrlist *, int);
712 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
713 			int, int, int, int);
714 
715 krb5_error_code krb5_locate_srv_conf
716 	(krb5_context, const krb5_data *, const char *,
717 	struct sockaddr **, int*, int);
718 
719 #ifdef KRB5_DNS_LOOKUP
720 /* no context? */
721 krb5_error_code krb5_locate_srv_dns
722 	(const krb5_data *, const char *,
723 	const char *, struct sockaddr **, int *,
724 	char *, unsigned short *, boolean_t);
725 
726 int _krb5_conf_boolean(char *);
727 int _krb5_use_dns_kdc(krb5_context);
728 int _krb5_use_dns_realm(krb5_context);
729 
730 #endif /* KRB5_DNS_LOOKUP */
731 #endif /* _KERNEL */
732 
733 #endif /* KRB5_LIBOS_PROTO__ */
734 
735 /* new encryption provider api */
736 
737 struct krb5_enc_provider {
738     void (*block_size) (size_t *output);
739 
740     /* keybytes is the input size to make_key;
741        keylength is the output size */
742     void (*keysize) (size_t *keybytes, size_t *keylength);
743 
744     /* ivec == 0 is an all-zeros ivec */
745     krb5_error_code (*encrypt) (
746 	krb5_context context,
747 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
748 	krb5_const krb5_data *input, krb5_data *output);
749 
750     krb5_error_code (*decrypt) (
751 	krb5_context context,
752 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
753 	krb5_const krb5_data *input, krb5_data *output);
754 
755     krb5_error_code (*make_key)
756     (krb5_context, krb5_const krb5_data *, krb5_keyblock *);
757 
758     krb5_error_code (*init_state) (krb5_context,
759 			const krb5_keyblock *,
760 			krb5_keyusage, krb5_data *);
761     krb5_error_code (*free_state) (krb5_context, krb5_data *);
762 
763 };
764 
765 struct krb5_hash_provider {
766     void (*hash_size) (size_t *output);
767 
768     void (*block_size) (size_t *output);
769 
770     /* this takes multiple inputs to avoid lots of copying. */
771     krb5_error_code (*hash) (krb5_context context,
772 	unsigned int icount, krb5_const krb5_data *input,
773 	krb5_data *output);
774 };
775 
776 struct krb5_keyhash_provider {
777     void (*hash_size) (size_t *output);
778 
779     krb5_error_code (*hash) (
780 	krb5_context context,
781 	krb5_const krb5_keyblock *key,
782 	krb5_keyusage keyusage,
783 	krb5_const krb5_data *ivec,
784 	krb5_const krb5_data *input, krb5_data *output);
785 
786     krb5_error_code (*verify) (
787 	krb5_context context,
788 	krb5_const krb5_keyblock *key,
789 	krb5_keyusage keyusage,
790 	krb5_const krb5_data *ivec,
791 	krb5_const krb5_data *input,
792 	krb5_const krb5_data *hash,
793 	krb5_boolean *valid);
794 
795 };
796 
797 typedef void (*krb5_encrypt_length_func) (
798   krb5_const struct krb5_enc_provider *enc,
799   krb5_const struct krb5_hash_provider *hash,
800   size_t inputlen, size_t *length);
801 
802 typedef krb5_error_code (*krb5_crypt_func) (
803   krb5_context context,
804   krb5_const struct krb5_enc_provider *enc,
805   krb5_const struct krb5_hash_provider *hash,
806   krb5_const krb5_keyblock *key, krb5_keyusage usage,
807   krb5_const krb5_data *ivec,
808   krb5_const krb5_data *input, krb5_data *output);
809 
810 #ifndef	_KERNEL
811 typedef krb5_error_code (*krb5_str2key_func) (
812   krb5_context context,
813   krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
814   krb5_const krb5_data *salt, krb5_const krb5_data *params,
815   krb5_keyblock *key);
816 #endif	/* _KERNEL */
817 
818 struct krb5_keytypes {
819     krb5_enctype etype;
820     char *in_string;
821     char *out_string;
822     const struct krb5_enc_provider *enc;
823     const struct krb5_hash_provider *hash;
824     krb5_encrypt_length_func encrypt_len;
825     krb5_crypt_func encrypt;
826     krb5_crypt_func decrypt;
827     krb5_cksumtype required_ctype;
828 #ifndef	_KERNEL
829     /* Solaris Kerberos:  strings to key conversion not done in the kernel */
830     krb5_str2key_func str2key;
831 #else	/* _KERNEL */
832     char *mt_e_name;
833     char *mt_h_name;
834     crypto_mech_type_t kef_cipher_mt;
835     crypto_mech_type_t kef_hash_mt;
836 #endif	/* _KERNEL */
837 };
838 
839 
840 struct krb5_cksumtypes {
841     krb5_cksumtype ctype;
842     unsigned int flags;
843     char *in_string;
844     char *out_string;
845     /* if the hash is keyed, this is the etype it is keyed with.
846        Actually, it can be keyed by any etype which has the same
847        enc_provider as the specified etype.  DERIVE checksums can
848        be keyed with any valid etype. */
849     krb5_enctype keyed_etype;
850     /* I can't statically initialize a union, so I'm just going to use
851        two pointers here.  The keyhash is used if non-NULL.  If NULL,
852        then HMAC/hash with derived keys is used if the relevant flag
853        is set.  Otherwise, a non-keyed hash is computed.  This is all
854        kind of messy, but so is the krb5 api. */
855     const struct krb5_keyhash_provider *keyhash;
856     const struct krb5_hash_provider *hash;
857     /* This just gets uglier and uglier.  In the key derivation case,
858 	we produce an hmac.  To make the hmac code work, we can't hack
859 	the output size indicated by the hash provider, but we may want
860 	a truncated hmac.  If we want truncation, this is the number of
861 	bytes we truncate to; it should be 0 otherwise.	*/
862     unsigned int trunc_size;
863 #ifdef _KERNEL
864     char *mt_c_name;
865     crypto_mech_type_t kef_cksum_mt;
866 #endif /* _KERNEL */
867 };
868 
869 #define KRB5_CKSUMFLAG_DERIVE		0x0001
870 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF	0x0002
871 
872 krb5_error_code krb5int_des_init_state(
873 	krb5_context,
874 	const krb5_keyblock *,
875 	krb5_keyusage, krb5_data *);
876 
877 krb5_error_code krb5int_c_mandatory_cksumtype(
878 	krb5_context,
879 	krb5_enctype,
880 	krb5_cksumtype *);
881 
882 /*
883  * normally to free a cipher_state you can just memset the length to zero and
884  * free it.
885  */
886 krb5_error_code krb5int_default_free_state(krb5_context, krb5_data *);
887 
888 /*
889  * Combine two keys (normally used by the hardware preauth mechanism)
890  */
891 krb5_error_code krb5int_c_combine_keys
892 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
893 		krb5_keyblock *outkey);
894 /*
895  * in here to deal with stuff from lib/crypto
896  */
897 
898 void krb5_nfold (int inbits, krb5_const unsigned char *in,
899 		int outbits, unsigned char *out);
900 
901 #ifdef _KERNEL
902 
903 int k5_ef_crypto(
904 	const char *, char *,
905 	long, krb5_keyblock *,
906 	krb5_data *, int);
907 
908 krb5_error_code
909 krb5_hmac(krb5_context, const krb5_keyblock *,
910 	krb5_const krb5_data *, krb5_data *);
911 
912 #else
913 krb5_error_code krb5_hmac
914 	(krb5_context,
915 	krb5_const struct krb5_hash_provider *,
916 	krb5_const krb5_keyblock *, krb5_const unsigned int,
917 	krb5_const krb5_data *, krb5_data *);
918 
919 #endif /* _KERNEL */
920 
921 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
922 		const krb5_data *,
923 		unsigned long,
924 		krb5_enctype,
925 		const krb5_data *,
926 		const krb5_data *);
927 
928 krb5_error_code krb5_crypto_us_timeofday
929     (krb5_int32  *, krb5_int32  *);
930 
931 /* this helper fct is in libkrb5, but it makes sense declared here. */
932 
933 krb5_error_code krb5_encrypt_helper
934 	(krb5_context context, krb5_const krb5_keyblock *key,
935 	krb5_keyusage usage, krb5_const krb5_data *plain,
936 	krb5_enc_data *cipher);
937 
938 /*
939  * End "los-proto.h"
940  */
941 
942 /*
943  * Include the KDB definitions.
944  */
945 #ifndef _KERNEL
946 #include <krb5/kdb.h>
947 #endif /* !_KERNEL */
948 /*
949  * Begin "libos.h"
950  */
951 #ifndef KRB5_LIBOS__
952 #define KRB5_LIBOS__
953 
954 typedef struct _krb5_os_context {
955 	krb5_magic	magic;
956 	krb5_int32	time_offset;
957 	krb5_int32	usec_offset;
958 	krb5_int32	os_flags;
959 	char *		default_ccname;
960 	krb5_principal	default_ccprincipal;
961 } *krb5_os_context;
962 
963 /*
964  * Flags for the os_flags field
965  *
966  * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
967  * The intention is that this facility to correct the system clocks so
968  * that they reflect the "real" time, for systems where for some
969  * reason we can't set the system clock.  Instead we calculate the
970  * offset between the system time and real time, and store the offset
971  * in the os context so that we can correct the system clock as necessary.
972  *
973  * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
974  * returned as the time by the krb5 time routines.  This should only
975  * be used for testing purposes (obviously!)
976  */
977 #define KRB5_OS_TOFFSET_VALID	1
978 #define KRB5_OS_TOFFSET_TIME	2
979 
980 /* lock mode flags */
981 #define	KRB5_LOCKMODE_SHARED	0x0001
982 #define	KRB5_LOCKMODE_EXCLUSIVE	0x0002
983 #define	KRB5_LOCKMODE_DONTBLOCK	0x0004
984 #define	KRB5_LOCKMODE_UNLOCK	0x0008
985 
986 #endif /* KRB5_LIBOS__ */
987 /*
988  * End "libos.h"
989  */
990 
991 /*
992  * Define our view of the size of a DES key.
993  */
994 #define	KRB5_MIT_DES_KEYSIZE		8
995 
996 /*
997  * Define a couple of SHA1 constants
998  */
999 #define	SHS_DATASIZE	64
1000 #define	SHS_DIGESTSIZE	20
1001 
1002 /*
1003  * Check if des_int.h has been included before us.  If so, then check to see
1004  * that our view of the DES key size is the same as des_int.h's.
1005  */
1006 #ifdef	MIT_DES_KEYSIZE
1007 #if	MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
1008 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
1009 #endif	/* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
1010 #endif	/* MIT_DES_KEYSIZE */
1011 
1012 #ifndef _KERNEL
1013 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are
1014  * defined.
1015  */
1016 #define PROVIDE_DES3_CBC_SHA 1
1017 #define PROVIDE_NIST_SHA 1
1018 
1019 #endif /* !_KERNEL */
1020 
1021 /*
1022  * Begin "preauth.h"
1023  *
1024  * (Originally written by Glen Machin at Sandia Labs.)
1025  */
1026 /*
1027  * Sandia National Laboratories also makes no representations about the
1028  * suitability of the modifications, or additions to this software for
1029  * any purpose.  It is provided "as is" without express or implied warranty.
1030  *
1031  */
1032 #ifndef KRB5_PREAUTH__
1033 #define KRB5_PREAUTH__
1034 
1035 typedef struct _krb5_pa_enc_ts {
1036     krb5_timestamp	patimestamp;
1037     krb5_int32		pausec;
1038 } krb5_pa_enc_ts;
1039 
1040 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1041     (krb5_context,
1042 	    krb5_pa_data *,
1043 	    krb5_etype_info,
1044 	    krb5_keyblock *,
1045 	    krb5_error_code ( * )(krb5_context,
1046 				  krb5_const krb5_enctype,
1047 				  krb5_data *,
1048 				  krb5_const_pointer,
1049 				  krb5_keyblock **),
1050 	    krb5_const_pointer,
1051 	    krb5_creds *,
1052 	    krb5_kdc_req *,
1053 	    krb5_pa_data **);
1054 
1055 typedef krb5_error_code (*krb5_preauth_process_proc)
1056     (krb5_context,
1057 	    krb5_pa_data *,
1058 	    krb5_kdc_req *,
1059 	    krb5_kdc_rep *,
1060 	    krb5_error_code ( * )(krb5_context,
1061 				  krb5_const krb5_enctype,
1062 				  krb5_data *,
1063 				  krb5_const_pointer,
1064 				  krb5_keyblock **),
1065 	    krb5_const_pointer,
1066 	    krb5_error_code ( * )(krb5_context,
1067 				  krb5_const krb5_keyblock *,
1068 				  krb5_const_pointer,
1069 				  krb5_kdc_rep * ),
1070 	    krb5_keyblock **,
1071 	    krb5_creds *,
1072 	    krb5_int32 *,
1073 	    krb5_int32 *);
1074 
1075 typedef struct _krb5_preauth_ops {
1076     krb5_magic magic;
1077     int     type;
1078     int	flags;
1079     krb5_preauth_obtain_proc	obtain;
1080     krb5_preauth_process_proc	process;
1081 } krb5_preauth_ops;
1082 
1083 void krb5_free_etype_info (krb5_context, krb5_etype_info);
1084 
1085 /*
1086  * Preauthentication property flags
1087  */
1088 #define KRB5_PREAUTH_FLAGS_ENCRYPT	0x00000001
1089 #define KRB5_PREAUTH_FLAGS_HARDWARE	0x00000002
1090 
1091 #endif /* KRB5_PREAUTH__ */
1092 /*
1093  * End "preauth.h"
1094  */
1095 
1096 krb5_error_code
1097 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1098 
1099 #ifndef _KERNEL /* needed for lib/krb5/krb/ */
1100 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1101     (krb5_context,
1102      krb5_principal,
1103      krb5_enctype,
1104      krb5_prompter_fct,
1105      void *prompter_data,
1106      krb5_data *salt,
1107      krb5_data *s2kparams,
1108      krb5_keyblock *as_key,
1109      void *gak_data);
1110 
1111 krb5_error_code KRB5_CALLCONV
1112 krb5_get_init_creds
1113 (krb5_context context,
1114 	krb5_creds *creds,
1115 	krb5_principal client,
1116 	krb5_prompter_fct prompter,
1117 	void *prompter_data,
1118 	krb5_deltat start_time,
1119 	char *in_tkt_service,
1120 	krb5_get_init_creds_opt *options,
1121 	krb5_gic_get_as_key_fct gak,
1122 	void *gak_data,
1123 	int master,
1124 	krb5_kdc_rep **as_reply);
1125 
1126 krb5_error_code krb5_do_preauth
1127 	(krb5_context, krb5_kdc_req *,
1128 	krb5_pa_data **, krb5_pa_data ***,
1129 	krb5_data *, krb5_data *, krb5_enctype *,
1130 	krb5_keyblock *,
1131 	krb5_prompter_fct, void *,
1132 	krb5_gic_get_as_key_fct, void *);
1133 #endif /* _KERNEL */
1134 
1135 void KRB5_CALLCONV krb5_free_sam_challenge
1136 	(krb5_context, krb5_sam_challenge * );
1137 void KRB5_CALLCONV krb5_free_sam_challenge_2
1138 	(krb5_context, krb5_sam_challenge_2 * );
1139 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1140 	(krb5_context, krb5_sam_challenge_2_body *);
1141 void KRB5_CALLCONV krb5_free_sam_response
1142 	(krb5_context, krb5_sam_response * );
1143 void KRB5_CALLCONV krb5_free_sam_response_2
1144 	(krb5_context, krb5_sam_response_2 * );
1145 void KRB5_CALLCONV krb5_free_predicted_sam_response
1146 	(krb5_context, krb5_predicted_sam_response * );
1147 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1148 	(krb5_context, krb5_enc_sam_response_enc * );
1149 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1150 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1151 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1152 	(krb5_context, krb5_sam_challenge * );
1153 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1154 	(krb5_context, krb5_sam_challenge_2 * );
1155 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1156 	(krb5_context, krb5_sam_challenge_2_body * );
1157 void KRB5_CALLCONV krb5_free_sam_response_contents
1158 	(krb5_context, krb5_sam_response * );
1159 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1160 	(krb5_context, krb5_sam_response_2 *);
1161 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1162 	(krb5_context, krb5_predicted_sam_response * );
1163 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1164 	(krb5_context, krb5_enc_sam_response_enc * );
1165 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1166 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1167 
1168 void KRB5_CALLCONV krb5_free_pa_enc_ts
1169 	(krb5_context, krb5_pa_enc_ts *);
1170 
1171 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1172 /*
1173  * Solaris Kerberos: moved from sendto_kdc.c so other code can reference
1174  */
1175 #define	DEFAULT_UDP_PREF_LIMIT   1465
1176 
1177 #ifndef	_KERNEL
1178 #include "profile.h"
1179 #include <strings.h>
1180 #endif /* _KERNEL */
1181 
1182 #define KEY_CHANGED(k1, k2) \
1183 (k1 == NULL || \
1184  k1 != k2 || \
1185  k1->enctype != k2->enctype || \
1186  k1->length != k2->length || \
1187  bcmp(k1->contents, k2->contents, k1->length))
1188 
1189 #ifndef _KERNEL
1190 typedef struct _arcfour_ctx {
1191 	CK_SESSION_HANDLE eSession; /* encrypt session handle */
1192 	CK_SESSION_HANDLE dSession; /* decrypt session handle */
1193 	CK_OBJECT_HANDLE  eKey; /* encrypt key object */
1194 	CK_OBJECT_HANDLE  dKey; /* decrype key object */
1195 	uchar_t           initialized;
1196 }arcfour_ctx_rec;
1197 
1198 #endif /* !_KERNEL */
1199 
1200 struct _krb5_context {
1201 	krb5_magic	magic;
1202 	krb5_enctype	*in_tkt_ktypes;
1203 	int		in_tkt_ktype_count;
1204 	krb5_enctype	*tgs_ktypes;
1205 	int		tgs_ktype_count;
1206 	void		*os_context;
1207 	char		*default_realm;
1208 	int		ser_ctx_count;
1209 	krb5_boolean	profile_secure;
1210 	void	      	*ser_ctx;
1211 #ifndef _KERNEL
1212 	profile_t	profile;
1213 	void		*db_context;
1214 	void		*kdblog_context;
1215 	/* allowable clock skew */
1216 	krb5_deltat 	clockskew;
1217 	krb5_cksumtype	kdc_req_sumtype;
1218 	krb5_cksumtype	default_ap_req_sumtype;
1219 	krb5_cksumtype	default_safe_sumtype;
1220 	krb5_flags 	kdc_default_options;
1221 	krb5_flags	library_options;
1222 	int		fcc_default_format;
1223 	int		scc_default_format;
1224 	krb5_prompt_type *prompt_types;
1225 	/* Message size above which we'll try TCP first in send-to-kdc
1226 	   type code.  Aside from the 2**16 size limit, we put no
1227 	   absolute limit on the UDP packet size.  */
1228 	int		udp_pref_limit;
1229 
1230 	/* This is the tgs_ktypes list as read from the profile, or
1231 	   set to compiled-in defaults.	 The application code cannot
1232 	   override it.	 This is used for session keys for
1233 	   intermediate ticket-granting tickets used to acquire the
1234 	   requested ticket (the session key of which may be
1235 	   constrained by tgs_ktypes above).  */
1236 	krb5_enctype	*conf_tgs_ktypes;
1237 	int		conf_tgs_ktypes_count;
1238 
1239 	/* Use the _configured version?	 */
1240 	krb5_boolean	use_conf_ktypes;
1241 #ifdef KRB5_DNS_LOOKUP
1242 	krb5_boolean	profile_in_memory;
1243 #endif /* KRB5_DNS_LOOKUP */
1244 
1245 	pid_t pid;  /* fork safety: PID of process that did last PKCS11 init */
1246 
1247 	/* Solaris Kerberos: handles for PKCS#11 crypto */
1248 	/*
1249 	 * Warning, do not access hSession directly as this is not fork() safe.
1250 	 * Instead use the krb_ctx_hSession() macro below.
1251 	 */
1252 	CK_SESSION_HANDLE hSession;
1253 	int		cryptoki_initialized;
1254 
1255 	/* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */
1256 	arcfour_ctx_rec arcfour_ctx;
1257 #else /* ! KERNEL */
1258 	crypto_mech_type_t kef_cipher_mt;
1259 	crypto_mech_type_t kef_hash_mt;
1260 	crypto_mech_type_t kef_cksum_mt;
1261 #endif /* ! KERNEL */
1262 };
1263 
1264 #ifndef  _KERNEL
1265 extern pid_t __krb5_current_pid;
1266 
1267 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context);
1268 
1269 /*
1270  * fork safety: barring the ef_init code, every other function must use the
1271  * krb_ctx_hSession() macro to access the hSession field in a krb context.
1272  * Note, if the pid of the krb ctx == the current global pid then it is safe to
1273  * use the ctx hSession otherwise it needs to be re-inited before it is returned
1274  * to the caller.
1275  */
1276 #define krb_ctx_hSession(ctx) \
1277     ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx))
1278 #endif
1279 
1280 #define MD5_CKSUM_LENGTH 16
1281 #define RSA_MD5_CKSUM_LENGTH 16
1282 #define MD5_BLOCKSIZE 64
1283 
1284 
1285 /*
1286  * Solaris Kerberos:
1287  * This next section of prototypes and constants
1288  * are all unique to the Solaris Kerberos implementation.
1289  * Because Solaris uses the native encryption framework
1290  * to provide crypto support, the following routines
1291  * are needed to support this system.
1292  */
1293 
1294 /*
1295  * Begin Solaris Crypto Prototypes
1296  */
1297 
1298 /*
1299  * define constants that are used for creating the constant
1300  * which is used to make derived keys.
1301  */
1302 #define DK_ENCR_KEY_BYTE 0xAA
1303 #define DK_HASH_KEY_BYTE 0x55
1304 #define DK_CKSUM_KEY_BYTE 0x99
1305 
1306 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *,
1307 			krb5_keyblock *, krb5_keyusage,
1308 			krb5_keyblock **, krb5_keyblock **);
1309 
1310 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t,
1311 				krb5_keyblock *);
1312 
1313 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *);
1314 krb5_keyblock *krb5_create_derived_keyblock(int);
1315 
1316 #ifdef _KERNEL
1317 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *);
1318 
1319 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *,
1320         const krb5_data *, krb5_data *);
1321 
1322 void make_kef_key(krb5_keyblock *);
1323 int init_key_kef(crypto_mech_type_t, krb5_keyblock *);
1324 int update_key_template(krb5_keyblock *);
1325 void setup_kef_keytypes();
1326 void setup_kef_cksumtypes();
1327 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *);
1328 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *);
1329 
1330 #else
1331 /*
1332  * This structure is used to map Kerberos supported OID's,
1333  * to PKCS11 mechanisms
1334  */
1335 #define USE_ENCR	0x01
1336 #define	USE_HASH	0x02
1337 
1338 typedef struct krb5_mech_2_pkcs {
1339 	uchar_t		flags;
1340 	CK_MECHANISM_TYPE enc_algo;
1341 	CK_MECHANISM_TYPE hash_algo;
1342 	CK_MECHANISM_TYPE str2key_algo;
1343 } KRB5_MECH_TO_PKCS;
1344 
1345 #define ENC_DEFINED(x)	(((x).flags & USE_ENCR))
1346 #define HASH_DEFINED(x)	(((x).flags & USE_HASH))
1347 
1348 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos);
1349 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType);
1350 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid);
1351 
1352 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *);
1353 
1354 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *,
1355 	unsigned int, const krb5_data *, krb5_data *);
1356 
1357 krb5_error_code k5_ef_mac(krb5_context context,
1358 	krb5_keyblock *key, krb5_data *ivec,
1359 	krb5_const krb5_data *input, krb5_data *output);
1360 
1361 #endif	/* !_KERNEL */
1362 
1363 krb5_error_code
1364 derive_3des_keys(krb5_context, struct krb5_enc_provider *,
1365                 krb5_keyblock *, krb5_keyusage,
1366                 krb5_keyblock *, krb5_keyblock *);
1367 
1368 /*
1369  * End Solaris Crypto Prototypes
1370  */
1371 
1372 #define KRB5_LIBOPT_SYNC_KDCTIME	0x0001
1373 
1374 /*
1375  * Begin "asn1.h"
1376  */
1377 #ifndef KRB5_ASN1__
1378 #define KRB5_ASN1__
1379 
1380 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1381 /* here we use some knowledge of ASN.1 encodings */
1382 /*
1383   Ticket is APPLICATION 1.
1384   Authenticator is APPLICATION 2.
1385   AS_REQ is APPLICATION 10.
1386   AS_REP is APPLICATION 11.
1387   TGS_REQ is APPLICATION 12.
1388   TGS_REP is APPLICATION 13.
1389   AP_REQ is APPLICATION 14.
1390   AP_REP is APPLICATION 15.
1391   KRB_SAFE is APPLICATION 20.
1392   KRB_PRIV is APPLICATION 21.
1393   KRB_CRED is APPLICATION 22.
1394   EncASRepPart is APPLICATION 25.
1395   EncTGSRepPart is APPLICATION 26.
1396   EncAPRepPart is APPLICATION 27.
1397   EncKrbPrivPart is APPLICATION 28.
1398   EncKrbCredPart is APPLICATION 29.
1399   KRB_ERROR is APPLICATION 30.
1400  */
1401 /* allow either constructed or primitive encoding, so check for bit 6
1402    set or reset */
1403 #define krb5_is_krb_ticket(dat)\
1404 	((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1405 				    (dat)->data[0] == 0x41))
1406 #define krb5_is_krb_authenticator(dat)\
1407 	((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1408 				    (dat)->data[0] == 0x42))
1409 #define krb5_is_as_req(dat)\
1410 	((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1411 				    (dat)->data[0] == 0x4a))
1412 #define krb5_is_as_rep(dat)\
1413 	((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1414 				    (dat)->data[0] == 0x4b))
1415 #define krb5_is_tgs_req(dat)\
1416 	((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1417 				    (dat)->data[0] == 0x4c))
1418 #define krb5_is_tgs_rep(dat)\
1419 	((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1420 				    (dat)->data[0] == 0x4d))
1421 #define krb5_is_ap_req(dat)\
1422 	((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1423 				    (dat)->data[0] == 0x4e))
1424 #define krb5_is_ap_rep(dat)\
1425 	((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1426 				    (dat)->data[0] == 0x4f))
1427 #define krb5_is_krb_safe(dat)\
1428 	((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1429 				    (dat)->data[0] == 0x54))
1430 #define krb5_is_krb_priv(dat)\
1431 	((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1432 				    (dat)->data[0] == 0x55))
1433 #define krb5_is_krb_cred(dat)\
1434 	((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1435 				    (dat)->data[0] == 0x56))
1436 #define krb5_is_krb_enc_as_rep_part(dat)\
1437 	((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1438 				    (dat)->data[0] == 0x59))
1439 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1440 	((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1441 				    (dat)->data[0] == 0x5a))
1442 #define krb5_is_krb_enc_ap_rep_part(dat)\
1443 	((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1444 				    (dat)->data[0] == 0x5b))
1445 #define krb5_is_krb_enc_krb_priv_part(dat)\
1446 	((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1447 				    (dat)->data[0] == 0x5c))
1448 #define krb5_is_krb_enc_krb_cred_part(dat)\
1449 	((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1450 				    (dat)->data[0] == 0x5d))
1451 #define krb5_is_krb_error(dat)\
1452 	((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1453 				    (dat)->data[0] == 0x5e))
1454 
1455 /*************************************************************************
1456  * Prototypes for krb5_encode.c
1457  *************************************************************************/
1458 
1459 /*
1460    krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1461 					 krb5_data **code);
1462    modifies  *code
1463    effects   Returns the ASN.1 encoding of *rep in **code.
1464              Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1465              Returns ENOMEM if memory runs out.
1466 */
1467 
1468 krb5_error_code encode_krb5_authenticator
1469 	(const krb5_authenticator *rep, krb5_data **code);
1470 
1471 krb5_error_code encode_krb5_ticket
1472 	(const krb5_ticket *rep, krb5_data **code);
1473 
1474 krb5_error_code encode_krb5_encryption_key
1475 	(const krb5_keyblock *rep, krb5_data **code);
1476 
1477 krb5_error_code encode_krb5_enc_tkt_part
1478 	(const krb5_enc_tkt_part *rep, krb5_data **code);
1479 
1480 krb5_error_code encode_krb5_enc_kdc_rep_part
1481 	(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1482 
1483 /* yes, the translation is identical to that used for KDC__REP */
1484 krb5_error_code encode_krb5_as_rep
1485 	(const krb5_kdc_rep *rep, krb5_data **code);
1486 
1487 /* yes, the translation is identical to that used for KDC__REP */
1488 krb5_error_code encode_krb5_tgs_rep
1489 	(const krb5_kdc_rep *rep, krb5_data **code);
1490 
1491 krb5_error_code encode_krb5_ap_req
1492 	(const krb5_ap_req *rep, krb5_data **code);
1493 
1494 krb5_error_code encode_krb5_ap_rep
1495 	(const krb5_ap_rep *rep, krb5_data **code);
1496 
1497 krb5_error_code encode_krb5_ap_rep_enc_part
1498 	(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1499 
1500 krb5_error_code encode_krb5_as_req
1501 	(const krb5_kdc_req *rep, krb5_data **code);
1502 
1503 krb5_error_code encode_krb5_tgs_req
1504 	(const krb5_kdc_req *rep, krb5_data **code);
1505 
1506 krb5_error_code encode_krb5_kdc_req_body
1507 	(const krb5_kdc_req *rep, krb5_data **code);
1508 
1509 krb5_error_code encode_krb5_safe
1510 	(const krb5_safe *rep, krb5_data **code);
1511 
1512 krb5_error_code encode_krb5_safe_with_body
1513 	(const krb5_safe *rep, const krb5_data *body, krb5_data **code);
1514 
1515 krb5_error_code encode_krb5_priv
1516 	(const krb5_priv *rep, krb5_data **code);
1517 
1518 krb5_error_code encode_krb5_enc_priv_part
1519 	(const krb5_priv_enc_part *rep, krb5_data **code);
1520 
1521 krb5_error_code encode_krb5_cred
1522 	(const krb5_cred *rep, krb5_data **code);
1523 
1524 krb5_error_code encode_krb5_enc_cred_part
1525 	(const krb5_cred_enc_part *rep, krb5_data **code);
1526 
1527 krb5_error_code encode_krb5_error
1528 	(const krb5_error *rep, krb5_data **code);
1529 
1530 krb5_error_code encode_krb5_authdata
1531 	(const krb5_authdata **rep, krb5_data **code);
1532 
1533 krb5_error_code encode_krb5_pwd_sequence
1534 	(const passwd_phrase_element *rep, krb5_data **code);
1535 
1536 krb5_error_code encode_krb5_pwd_data
1537 	(const krb5_pwd_data *rep, krb5_data **code);
1538 
1539 krb5_error_code encode_krb5_padata_sequence
1540 	(const krb5_pa_data ** rep, krb5_data **code);
1541 
1542 krb5_error_code encode_krb5_alt_method
1543 	(const krb5_alt_method *, krb5_data **code);
1544 
1545 krb5_error_code encode_krb5_etype_info
1546 	(const krb5_etype_info_entry **, krb5_data **code);
1547 
1548 krb5_error_code encode_krb5_etype_info2
1549 	(const krb5_etype_info_entry **, krb5_data **code);
1550 
1551 krb5_error_code encode_krb5_enc_data
1552     	(const krb5_enc_data *, krb5_data **);
1553 
1554 krb5_error_code encode_krb5_pa_enc_ts
1555     	(const krb5_pa_enc_ts *, krb5_data **);
1556 
1557 krb5_error_code encode_krb5_sam_challenge
1558 	(const krb5_sam_challenge * , krb5_data **);
1559 
1560 krb5_error_code encode_krb5_sam_key
1561 	(const krb5_sam_key * , krb5_data **);
1562 
1563 krb5_error_code encode_krb5_enc_sam_response_enc
1564 	(const krb5_enc_sam_response_enc * , krb5_data **);
1565 
1566 krb5_error_code encode_krb5_sam_response
1567 	(const krb5_sam_response * , krb5_data **);
1568 
1569 krb5_error_code encode_krb5_predicted_sam_response
1570 	(const krb5_predicted_sam_response * , krb5_data **);
1571 
1572 krb5_error_code encode_krb5_sam_challenge_2
1573 	(const krb5_sam_challenge_2 * , krb5_data **);
1574 
1575 krb5_error_code encode_krb5_sam_challenge_2_body
1576 	(const krb5_sam_challenge_2_body * , krb5_data **);
1577 
1578 krb5_error_code encode_krb5_enc_sam_response_enc_2
1579 	(const krb5_enc_sam_response_enc_2 * , krb5_data **);
1580 
1581 krb5_error_code encode_krb5_sam_response_2
1582 	(const krb5_sam_response_2 * , krb5_data **);
1583 
1584 /*************************************************************************
1585  * End of prototypes for krb5_encode.c
1586  *************************************************************************/
1587 
1588 /*************************************************************************
1589  * Prototypes for krb5_decode.c
1590  *************************************************************************/
1591 
1592 /*
1593    krb5_error_code decode_krb5_structure(const krb5_data *code,
1594                                          krb5_structure **rep);
1595 
1596    requires  Expects **rep to not have been allocated;
1597               a new *rep is allocated regardless of the old value.
1598    effects   Decodes *code into **rep.
1599 	     Returns ENOMEM if memory is exhausted.
1600              Returns asn1 and krb5 errors.
1601 */
1602 
1603 krb5_error_code decode_krb5_authenticator
1604 	(const krb5_data *code, krb5_authenticator **rep);
1605 
1606 krb5_error_code decode_krb5_ticket
1607 	(const krb5_data *code, krb5_ticket **rep);
1608 
1609 krb5_error_code decode_krb5_encryption_key
1610 	(const krb5_data *output, krb5_keyblock **rep);
1611 
1612 krb5_error_code decode_krb5_enc_tkt_part
1613 	(const krb5_data *output, krb5_enc_tkt_part **rep);
1614 
1615 krb5_error_code decode_krb5_enc_kdc_rep_part
1616 	(const krb5_data *output, krb5_enc_kdc_rep_part **rep);
1617 
1618 krb5_error_code decode_krb5_as_rep
1619 	(const krb5_data *output, krb5_kdc_rep **rep);
1620 
1621 krb5_error_code decode_krb5_tgs_rep
1622 	(const krb5_data *output, krb5_kdc_rep **rep);
1623 
1624 krb5_error_code decode_krb5_ap_req
1625 	(const krb5_data *output, krb5_ap_req **rep);
1626 
1627 krb5_error_code decode_krb5_ap_rep
1628 	(const krb5_data *output, krb5_ap_rep **rep);
1629 
1630 krb5_error_code decode_krb5_ap_rep_enc_part
1631 	(const krb5_data *output, krb5_ap_rep_enc_part **rep);
1632 
1633 krb5_error_code decode_krb5_as_req
1634 	(const krb5_data *output, krb5_kdc_req **rep);
1635 
1636 krb5_error_code decode_krb5_tgs_req
1637 	(const krb5_data *output, krb5_kdc_req **rep);
1638 
1639 krb5_error_code decode_krb5_kdc_req_body
1640 	(const krb5_data *output, krb5_kdc_req **rep);
1641 
1642 krb5_error_code decode_krb5_safe
1643 	(const krb5_data *output, krb5_safe **rep);
1644 
1645 krb5_error_code decode_krb5_safe_with_body
1646 	(const krb5_data *output, krb5_safe **rep, krb5_data *body);
1647 
1648 krb5_error_code decode_krb5_priv
1649 	(const krb5_data *output, krb5_priv **rep);
1650 
1651 krb5_error_code decode_krb5_enc_priv_part
1652 	(const krb5_data *output, krb5_priv_enc_part **rep);
1653 
1654 krb5_error_code decode_krb5_cred
1655 	(const krb5_data *output, krb5_cred **rep);
1656 
1657 krb5_error_code decode_krb5_enc_cred_part
1658 	(const krb5_data *output, krb5_cred_enc_part **rep);
1659 
1660 krb5_error_code decode_krb5_error
1661 	(const krb5_data *output, krb5_error **rep);
1662 
1663 krb5_error_code decode_krb5_authdata
1664 	(const krb5_data *output, krb5_authdata ***rep);
1665 
1666 krb5_error_code decode_krb5_pwd_sequence
1667 	(const krb5_data *output, passwd_phrase_element **rep);
1668 
1669 krb5_error_code decode_krb5_pwd_data
1670 	(const krb5_data *output, krb5_pwd_data **rep);
1671 
1672 krb5_error_code decode_krb5_padata_sequence
1673 	(const krb5_data *output, krb5_pa_data ***rep);
1674 
1675 krb5_error_code decode_krb5_alt_method
1676 	(const krb5_data *output, krb5_alt_method **rep);
1677 
1678 krb5_error_code decode_krb5_etype_info
1679 	(const krb5_data *output, krb5_etype_info_entry ***rep);
1680 
1681 krb5_error_code decode_krb5_etype_info2
1682 	(const krb5_data *output, krb5_etype_info_entry ***rep);
1683 
1684 krb5_error_code decode_krb5_enc_data
1685 	(const krb5_data *output, krb5_enc_data **rep);
1686 
1687 krb5_error_code decode_krb5_pa_enc_ts
1688 	(const krb5_data *output, krb5_pa_enc_ts **rep);
1689 
1690 krb5_error_code decode_krb5_sam_challenge
1691 	(const krb5_data *, krb5_sam_challenge **);
1692 
1693 krb5_error_code decode_krb5_sam_key
1694 	(const krb5_data *, krb5_sam_key **);
1695 
1696 krb5_error_code decode_krb5_enc_sam_response_enc
1697 	(const krb5_data *, krb5_enc_sam_response_enc **);
1698 
1699 krb5_error_code decode_krb5_sam_response
1700 	(const krb5_data *, krb5_sam_response **);
1701 
1702 krb5_error_code decode_krb5_predicted_sam_response
1703 	(const krb5_data *, krb5_predicted_sam_response **);
1704 
1705 krb5_error_code decode_krb5_sam_challenge_2
1706 	(const krb5_data *, krb5_sam_challenge_2 **);
1707 
1708 krb5_error_code decode_krb5_sam_challenge_2_body
1709 	(const krb5_data *, krb5_sam_challenge_2_body **);
1710 
1711 krb5_error_code decode_krb5_enc_sam_response_enc_2
1712 	(const krb5_data *, krb5_enc_sam_response_enc_2 **);
1713 
1714 krb5_error_code decode_krb5_sam_response_2
1715 	(const krb5_data *, krb5_sam_response_2 **);
1716 
1717 
1718 /*************************************************************************
1719  * End of prototypes for krb5_decode.c
1720  *************************************************************************/
1721 
1722 #endif /* KRB5_ASN1__ */
1723 /*
1724  * End "asn1.h"
1725  */
1726 
1727 
1728 /*
1729  * Internal krb5 library routines
1730  */
1731 krb5_error_code krb5_encrypt_tkt_part
1732 	(krb5_context,
1733 	   krb5_const krb5_keyblock *,
1734 	   krb5_ticket *);
1735 
1736 
1737 krb5_error_code krb5_encode_kdc_rep
1738 	(krb5_context,
1739 	   krb5_const krb5_msgtype,
1740 	   krb5_const krb5_enc_kdc_rep_part *,
1741 	   int using_subkey,
1742 	   krb5_const krb5_keyblock *,
1743 	   krb5_kdc_rep *,
1744 	   krb5_data ** );
1745 
1746 krb5_error_code krb5_validate_times
1747 	(krb5_context, krb5_ticket_times *);
1748 
1749 /*
1750  * [De]Serialization Handle and operations.
1751  */
1752 struct __krb5_serializer {
1753     krb5_magic		odtype;
1754     krb5_error_code	(*sizer) (krb5_context,
1755 				  krb5_pointer,
1756 				  size_t *);
1757     krb5_error_code	(*externalizer) (krb5_context,
1758 					 krb5_pointer,
1759 					 krb5_octet **,
1760 					 size_t *);
1761     krb5_error_code	(*internalizer) (krb5_context,
1762 					 krb5_pointer *,
1763 					 krb5_octet **,
1764 					 size_t *);
1765 };
1766 typedef struct __krb5_serializer * krb5_ser_handle;
1767 typedef struct __krb5_serializer krb5_ser_entry;
1768 
1769 krb5_ser_handle krb5_find_serializer
1770 	(krb5_context, krb5_magic);
1771 
1772 krb5_error_code krb5_register_serializer
1773 	(krb5_context, const krb5_ser_entry *);
1774 
1775 /* Determine the external size of a particular opaque structure */
1776 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_size_opaque
1777 	(krb5_context, krb5_magic, krb5_pointer, size_t *);
1778 
1779 /* Serialize the structure into a buffer */
1780 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
1781 	(krb5_context,
1782 	krb5_magic,
1783 	krb5_pointer,
1784 	krb5_octet * *,
1785 	size_t *);
1786 
1787 /* Deserialize the structure from a buffer */
1788 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
1789 	(krb5_context, krb5_magic, krb5_pointer *,
1790 		krb5_octet * *, size_t *);
1791 
1792 /* Serialize data into a buffer */
1793 krb5_error_code krb5_externalize_data
1794 	(krb5_context, krb5_pointer, krb5_octet **, size_t *);
1795 /*
1796  * Initialization routines.
1797  */
1798 
1799 /* Initialize serialization for krb5_[os_]context */
1800 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_context_init
1801 	(krb5_context);
1802 
1803 /* Initialize serialization for krb5_auth_context */
1804 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
1805 	(krb5_context);
1806 
1807 /* Initialize serialization for krb5_keytab */
1808 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
1809 	(krb5_context);
1810 
1811 /* Initialize serialization for krb5_ccache */
1812 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
1813 	(krb5_context);
1814 
1815 /* Initialize serialization for krb5_rcache */
1816 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
1817 	(krb5_context);
1818 
1819 /* [De]serialize 4-byte integer */
1820 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
1821 	(krb5_int32, krb5_octet * *, size_t *);
1822 
1823 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
1824 	(krb5_int64, krb5_octet * *, size_t *);
1825 
1826 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
1827 	(krb5_int32 *, krb5_octet **, size_t *);
1828 
1829 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
1830 	(krb5_int64 *, krb5_octet **, size_t *);
1831 
1832 /* [De]serialize byte string */
1833 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
1834 	(krb5_octet *,
1835 	size_t, krb5_octet * *, size_t *);
1836 
1837 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
1838 	(krb5_octet *,
1839 	size_t, krb5_octet * *, size_t *);
1840 
1841 KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5int_cc_default
1842 	(krb5_context, krb5_ccache *);
1843 
1844 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
1845 	(krb5_context, krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *);
1846 
1847 void krb5int_set_prompt_types
1848 	(krb5_context, krb5_prompt_type *);
1849 
1850 krb5_error_code
1851 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
1852 		krb5_keyblock * /* Old keyblock, not new!  */);
1853 
1854 
1855 
1856 extern const struct krb5_hash_provider krb5int_hash_md5;
1857 extern const struct krb5_enc_provider krb5int_enc_arcfour;
1858 
1859 struct srv_dns_entry {
1860 	struct srv_dns_entry *next;
1861 	int priority;
1862 	int weight;
1863 	unsigned short port;
1864 	char *host;
1865 };
1866 
1867 krb5_error_code
1868 krb5int_make_srv_query_realm(const krb5_data *realm,
1869 	const char *service,
1870 	const char *protocol,
1871 	struct srv_dns_entry **answers);
1872 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
1873 
1874 /*
1875  * Convenience function for structure magic number
1876  */
1877 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
1878     if ((structure)->magic != (magic_number)) return (magic_number);
1879 
1880 int krb5_seteuid  (int);
1881 
1882 char * krb5_getenv(const char *);
1883 
1884 int krb5_setenv  (const char *, const char *, int);
1885 
1886 void krb5_unsetenv  (const char *);
1887 
1888 #endif /* _KRB5_INT_H */
1889