1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006 by the Massachusetts Institute of Technology,
8  * Cambridge, MA, USA.  All Rights Reserved.
9  *
10  * This software is being provided to you, the LICENSEE, by the
11  * Massachusetts Institute of Technology (M.I.T.) under the following
12  * license.  By obtaining, using and/or copying this software, you agree
13  * that you have read, understood, and will comply with these terms and
14  * conditions:
15  *
16  * Export of this software from the United States of America may
17  * require a specific license from the United States Government.
18  * It is the responsibility of any person or organization contemplating
19  * export to obtain such a license before exporting.
20  *
21  * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
22  * this software and its documentation for any purpose and without fee or
23  * royalty is hereby granted, provided that you agree to comply with the
24  * following copyright notice and statements, including the disclaimer, and
25  * that the same appear on ALL copies of the software and documentation,
26  * including modifications that you make for internal use or for
27  * distribution:
28  *
29  * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
30  * OR WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
31  * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
32  * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
33  * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
34  * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
35  *
36  * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
37  * be used in advertising or publicity pertaining to distribution of the
38  * software.  Title to copyright in this software and any associated
39  * documentation shall at all times remain with M.I.T., and USER agrees to
40  * preserve same.
41  *
42  * Furthermore if you modify this software you must label
43  * your software as modified software and not distribute it in such a
44  * fashion that it might be confused with the original M.I.T. software.
45  */
46 
47 /*
48  * Copyright (C) 1998 by the FundsXpress, INC.
49  *
50  * All rights reserved.
51  *
52  * Export of this software from the United States of America may require
53  * a specific license from the United States Government.  It is the
54  * responsibility of any person or organization contemplating export to
55  * obtain such a license before exporting.
56  *
57  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
58  * distribute this software and its documentation for any purpose and
59  * without fee is hereby granted, provided that the above copyright
60  * notice appear in all copies and that both that copyright notice and
61  * this permission notice appear in supporting documentation, and that
62  * the name of FundsXpress. not be used in advertising or publicity pertaining
63  * to distribution of the software without specific, written prior
64  * permission.  FundsXpress makes no representations about the suitability of
65  * this software for any purpose.  It is provided "as is" without express
66  * or implied warranty.
67  *
68  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
69  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
70  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
71  */
72 
73 /*
74  * This prototype for k5-int.h (Krb5 internals include file)
75  * includes the user-visible definitions from krb5.h and then
76  * includes other definitions that are not user-visible but are
77  * required for compiling Kerberos internal routines.
78  *
79  * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
80  */
81 
82 #ifndef _KRB5_INT_H
83 #define _KRB5_INT_H
84 
85 #pragma ident	"%Z%%M%	%I%	%E% SMI"
86 
87 #ifndef	_KERNEL
88 #include <osconf.h>
89 #include <security/cryptoki.h>
90 #else
91 #include <sys/crypto/common.h>
92 #include <sys/crypto/api.h>
93 #endif
94 
95 #ifdef  DEBUG
96 #if !defined(KRB5_DEBUG)
97 #define KRB5_DEBUG
98 #endif
99 #ifndef  KRB5_LOG_LVL
100 #define KRB5_LOG_LVL KRB5_ERR
101 #endif
102 #endif  /* DEBUG */
103 
104 #ifdef  _KERNEL
105 
106 #ifdef  DEBUG
107 #include        <sys/types.h>
108 #include        <sys/cmn_err.h>
109  extern  void prom_printf();
110 #endif  /* DEBUG */
111 
112 #else   /* !_KERNEL */
113 
114 #define prom_printf printf
115 
116 #endif /* !_KERNEL */
117 
118 #ifdef KRB5_LOG_LVL
119 
120 /* krb5_log is used to set the logging level to determine what class of messages
121  * are output by the mech.  Note, more than one logging level can be used by
122  * bit or'ing the log values together.
123  *
124  * All log messages are captured by syslog.
125  */
126 
127 extern unsigned int krb5_log;
128 
129 /* Note, these defines should be mutually exclusive bit fields */
130 #define KRB5_ERR  1   /* Use this debug log level for error path logging. */
131 #define KRB5_INFO 2   /* Use this debug log level for informational messages. */
132 
133 #ifdef  _KERNEL
134 
135 #define KRB5_LOG1(A, B, C, D) \
136      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE)))
137 #define KRB5_LOG(A, B, C) \
138      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE)))
139 #define KRB5_LOG0(A, B)   \
140      ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE)))
141 
142 #else	/* !_KERNEL */
143 
144 #include <syslog.h>
145 
146 #define KRB5_LOG1(A, B, C, D) \
147         ((void)((krb5_log) && (krb5_log & (A)) && \
148 		(syslog(LOG_DEBUG, (B), (C), (D)), TRUE)))
149 #define KRB5_LOG(A, B, C) \
150         ((void)((krb5_log) && (krb5_log & (A)) && \
151 		(syslog(LOG_DEBUG, (B), (C)), TRUE)))
152 #define KRB5_LOG0(A, B)   \
153         ((void)((krb5_log) && (krb5_log & (A)) && \
154 	       	(syslog(LOG_DEBUG, B), TRUE)))
155 
156 #endif	/* _KERNEL */
157 
158 #else /* ! KRB5_LOG_LVL */
159 
160 #define KRB5_LOG1(A, B, C, D)
161 #define KRB5_LOG(A, B, C)
162 #define KRB5_LOG0(A, B)
163 
164 #endif /* KRB5_LOG_LVL */
165 
166 #ifdef POSIX_TYPES
167 #define timetype time_t
168 #else
169 #define timetype long
170 #endif
171 
172 /*
173  * Begin "k5-config.h"
174  */
175 #ifndef KRB5_CONFIG__
176 #define KRB5_CONFIG__
177 
178 /*
179  * Machine-type definitions: PC Clone 386 running Microsoft Windows
180  */
181 
182 #if defined(_MSDOS) || defined(_WIN32)
183 #include "win-mac.h"
184 
185 /* Kerberos Windows initialization file */
186 #define KERBEROS_INI    "kerberos.ini"
187 #define INI_FILES       "Files"
188 #define INI_KRB_CCACHE  "krb5cc"       /* Location of the ccache */
189 #define INI_KRB5_CONF   "krb5.ini"		/* Location of krb5.conf file */
190 #define ANSI_STDIO
191 #endif
192 
193 #ifndef _KERNEL
194 #ifndef KRB5_AUTOCONF__
195 #define KRB5_AUTOCONF__
196 #include <autoconf.h>
197 #endif
198 #endif 		/* !_KERNEL  */
199 
200 #ifndef KRB5_SYSTYPES__
201 #define KRB5_SYSTYPES__
202 
203 #ifdef HAVE_SYS_TYPES_H		/* From autoconf.h */
204 #include <sys/types.h>
205 #else /* HAVE_SYS_TYPES_H */
206 #endif /* HAVE_SYS_TYPES_H */
207 #endif /* KRB5_SYSTYPES__ */
208 
209 /* #include "k5-platform.h" SUNW XXX */
210 /* not used in krb5.h (yet) */
211 typedef uint64_t krb5_ui_8;
212 typedef int64_t krb5_int64;
213 
214 #define DEFAULT_PWD_STRING1 "Enter password:"
215 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:"
216 
217 #define	KRB5_KDB_MAX_LIFE	(60*60*24) /* one day */
218 #define	KRB5_KDB_MAX_RLIFE	(60*60*24*365) /* one year */
219 #define	KRB5_KDB_EXPIRATION	2145830400 /* Thu Jan  1 00:00:00 2038 UTC */
220 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
221 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */
222 
223 /*
224  * Windows requires a different api interface to each function. Here
225  * just define it as NULL.
226  */
227 #ifndef KRB5_CALLCONV
228 #define KRB5_CALLCONV
229 #define KRB5_CALLCONV_C
230 #endif
231 #ifndef O_BINARY
232 #define O_BINARY 0
233 #endif
234 
235 #endif /* KRB5_CONFIG__ */
236 
237 /*
238  * End "k5-config.h"
239  */
240 
241 /*
242  * After loading the configuration definitions, load the Kerberos definitions.
243  */
244 #ifndef _KERNEL
245 #include <errno.h>
246 #include "profile.h"
247 #endif
248 
249 #include <krb5.h>
250 
251 #ifndef _KERNEL
252 #if 1 /* def NEED_SOCKETS */
253 #include <port-sockets.h>
254 #include <socket-utils.h>
255 #else
256 #ifndef SOCK_DGRAM
257 struct sockaddr;
258 #endif
259 #endif
260 #endif
261 
262 /* Get mutex support; currently used only for the replay cache.  */
263 #include "k5-thread.h"
264 
265 /*
266  * Solaris Kerberos:
267  * Define whether or not to do a reverse lookup when looking up a host in DNS.
268  */
269 #define REV_LOOKUP 1
270 #define NO_REV_LOOKUP 0
271 
272 
273 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
274    The ones that it doesn't include, we include below.  */
275 
276 /*
277  * Begin "k5-errors.h"
278  */
279 #ifndef KRB5_ERRORS__
280 #define KRB5_ERRORS__
281 
282 
283 /* Error codes used in KRB_ERROR protocol messages.
284    Return values of library routines are based on a different error table
285    (which allows non-ambiguous error codes between subsystems) */
286 
287 /* KDC errors */
288 #define	KDC_ERR_NONE			0 /* No error */
289 #define	KDC_ERR_NAME_EXP		1 /* Client's entry in DB expired */
290 #define	KDC_ERR_SERVICE_EXP		2 /* Server's entry in DB expired */
291 #define	KDC_ERR_BAD_PVNO		3 /* Requested pvno not supported */
292 #define	KDC_ERR_C_OLD_MAST_KVNO		4 /* C's key encrypted in old master */
293 #define	KDC_ERR_S_OLD_MAST_KVNO		5 /* S's key encrypted in old master */
294 #define	KDC_ERR_C_PRINCIPAL_UNKNOWN	6 /* Client not found in Kerberos DB */
295 #define	KDC_ERR_S_PRINCIPAL_UNKNOWN	7 /* Server not found in Kerberos DB */
296 #define	KDC_ERR_PRINCIPAL_NOT_UNIQUE	8 /* Multiple entries in Kerberos DB */
297 #define	KDC_ERR_NULL_KEY		9 /* The C or S has a null key */
298 #define	KDC_ERR_CANNOT_POSTDATE		10 /* Tkt ineligible for postdating */
299 #define	KDC_ERR_NEVER_VALID		11 /* Requested starttime > endtime */
300 #define	KDC_ERR_POLICY			12 /* KDC policy rejects request */
301 #define	KDC_ERR_BADOPTION		13 /* KDC can't do requested opt. */
302 #define	KDC_ERR_ENCTYPE_NOSUPP		14 /* No support for encryption type */
303 #define KDC_ERR_SUMTYPE_NOSUPP		15 /* No support for checksum type */
304 #define KDC_ERR_PADATA_TYPE_NOSUPP	16 /* No support for padata type */
305 #define KDC_ERR_TRTYPE_NOSUPP		17 /* No support for transited type */
306 #define KDC_ERR_CLIENT_REVOKED		18 /* C's creds have been revoked */
307 #define KDC_ERR_SERVICE_REVOKED		19 /* S's creds have been revoked */
308 #define KDC_ERR_TGT_REVOKED		20 /* TGT has been revoked */
309 #define KDC_ERR_CLIENT_NOTYET		21 /* C not yet valid */
310 #define KDC_ERR_SERVICE_NOTYET		22 /* S not yet valid */
311 #define KDC_ERR_KEY_EXP			23 /* Password has expired */
312 #define KDC_ERR_PREAUTH_FAILED		24 /* Preauthentication failed */
313 #define KDC_ERR_PREAUTH_REQUIRED	25 /* Additional preauthentication */
314 					   /* required */
315 #define KDC_ERR_SERVER_NOMATCH		26 /* Requested server and */
316 					   /* ticket don't match*/
317 /* Application errors */
318 #define	KRB_AP_ERR_BAD_INTEGRITY 31	/* Decrypt integrity check failed */
319 #define	KRB_AP_ERR_TKT_EXPIRED	32	/* Ticket expired */
320 #define	KRB_AP_ERR_TKT_NYV	33	/* Ticket not yet valid */
321 #define	KRB_AP_ERR_REPEAT	34	/* Request is a replay */
322 #define	KRB_AP_ERR_NOT_US	35	/* The ticket isn't for us */
323 #define	KRB_AP_ERR_BADMATCH	36	/* Ticket/authenticator don't match */
324 #define	KRB_AP_ERR_SKEW		37	/* Clock skew too great */
325 #define	KRB_AP_ERR_BADADDR	38	/* Incorrect net address */
326 #define	KRB_AP_ERR_BADVERSION	39	/* Protocol version mismatch */
327 #define	KRB_AP_ERR_MSG_TYPE	40	/* Invalid message type */
328 #define	KRB_AP_ERR_MODIFIED	41	/* Message stream modified */
329 #define	KRB_AP_ERR_BADORDER	42	/* Message out of order */
330 #define	KRB_AP_ERR_BADKEYVER	44	/* Key version is not available */
331 #define	KRB_AP_ERR_NOKEY	45	/* Service key not available */
332 #define	KRB_AP_ERR_MUT_FAIL	46	/* Mutual authentication failed */
333 #define KRB_AP_ERR_BADDIRECTION	47 	/* Incorrect message direction */
334 #define KRB_AP_ERR_METHOD	48 	/* Alternative authentication */
335 					/* method required */
336 #define KRB_AP_ERR_BADSEQ	49 	/* Incorrect sequence numnber */
337 					/* in message */
338 #define KRB_AP_ERR_INAPP_CKSUM	50	/* Inappropriate type of */
339 					/* checksum in message */
340 #define	KRB_AP_PATH_NOT_ACCEPTED 51	/* Policy rejects transited path */
341 #define	KRB_ERR_RESPONSE_TOO_BIG 52	/* Response too big for UDP, */
342 					/*   retry with TCP */
343 
344 /* other errors */
345 #define KRB_ERR_GENERIC		60 	/* Generic error (description */
346 					/* in e-text) */
347 #define	KRB_ERR_FIELD_TOOLONG	61	/* Field is too long for impl. */
348 
349 #endif /* KRB5_ERRORS__ */
350 /*
351  * End "k5-errors.h"
352  */
353 
354 /*
355  * This structure is returned in the e-data field of the KRB-ERROR
356  * message when the error calling for an alternative form of
357  * authentication is returned, KRB_AP_METHOD.
358  */
359 typedef struct _krb5_alt_method {
360 	krb5_magic	magic;
361 	krb5_int32	method;
362 	unsigned int	length;
363 	krb5_octet	*data;
364 } krb5_alt_method;
365 
366 /*
367  * A null-terminated array of this structure is returned by the KDC as
368  * the data part of the ETYPE_INFO preauth type.  It informs the
369  * client which encryption types are supported.
370  * The	same data structure is used by both etype-info and etype-info2
371  * but s2kparams must be null when encoding etype-info.
372  */
373 typedef struct _krb5_etype_info_entry {
374 	krb5_magic	magic;
375 	krb5_enctype	etype;
376 	unsigned int	length;
377 	krb5_octet	*salt;
378 	krb5_data	s2kparams;
379 } krb5_etype_info_entry;
380 
381 /*
382  *  This is essentially -1 without sign extension which can screw up
383  *  comparisons on 64 bit machines. If the length is this value, then
384  *  the salt data is not present. This is to distinguish between not
385  *  being set and being of 0 length.
386  */
387 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
388 
389 typedef krb5_etype_info_entry ** krb5_etype_info;
390 
391 /*
392  * a sam_challenge is returned for alternate preauth
393  */
394 /*
395           SAMFlags ::= BIT STRING {
396               use-sad-as-key[0],
397               send-encrypted-sad[1],
398               must-pk-encrypt-sad[2]
399           }
400  */
401 /*
402           PA-SAM-CHALLENGE ::= SEQUENCE {
403               sam-type[0]                 INTEGER,
404               sam-flags[1]                SAMFlags,
405               sam-type-name[2]            GeneralString OPTIONAL,
406               sam-track-id[3]             GeneralString OPTIONAL,
407               sam-challenge-label[4]      GeneralString OPTIONAL,
408               sam-challenge[5]            GeneralString OPTIONAL,
409               sam-response-prompt[6]      GeneralString OPTIONAL,
410               sam-pk-for-sad[7]           EncryptionKey OPTIONAL,
411               sam-nonce[8]                INTEGER OPTIONAL,
412               sam-cksum[9]                Checksum OPTIONAL
413           }
414 */
415 /* sam_type values -- informational only */
416 #define PA_SAM_TYPE_ENIGMA     1   /*  Enigma Logic */
417 #define PA_SAM_TYPE_DIGI_PATH  2   /*  Digital Pathways */
418 #define PA_SAM_TYPE_SKEY_K0    3   /*  S/key where  KDC has key 0 */
419 #define PA_SAM_TYPE_SKEY       4   /*  Traditional S/Key */
420 #define PA_SAM_TYPE_SECURID    5   /*  Security Dynamics */
421 #define PA_SAM_TYPE_CRYPTOCARD 6   /*  CRYPTOCard */
422 #if 1 /* XXX need to figure out who has which numbers assigned */
423 #define PA_SAM_TYPE_ACTIVCARD_DEC  6   /*  ActivCard decimal mode */
424 #define PA_SAM_TYPE_ACTIVCARD_HEX  7   /*  ActivCard hex mode */
425 #define PA_SAM_TYPE_DIGI_PATH_HEX  8   /*  Digital Pathways hex mode */
426 #endif
427 #define PA_SAM_TYPE_EXP_BASE    128 /* experimental */
428 #define PA_SAM_TYPE_GRAIL		(PA_SAM_TYPE_EXP_BASE+0) /* testing */
429 #define PA_SAM_TYPE_SECURID_PREDICT	(PA_SAM_TYPE_EXP_BASE+1) /* special */
430 
431 typedef struct _krb5_predicted_sam_response {
432 	krb5_magic	magic;
433 	krb5_keyblock	sam_key;
434         krb5_flags      sam_flags; /* Makes key munging easier */
435         krb5_timestamp  stime;  /* time on server, for replay detection */
436         krb5_int32      susec;
437         krb5_principal  client;
438         krb5_data       msd;    /* mechanism specific data */
439 } krb5_predicted_sam_response;
440 
441 typedef struct _krb5_sam_challenge {
442 	krb5_magic	magic;
443 	krb5_int32	sam_type; /* information */
444 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
445 	krb5_data	sam_type_name;
446 	krb5_data	sam_track_id;
447 	krb5_data	sam_challenge_label;
448 	krb5_data	sam_challenge;
449 	krb5_data	sam_response_prompt;
450 	krb5_data	sam_pk_for_sad;
451 	krb5_int32	sam_nonce;
452 	krb5_checksum	sam_cksum;
453 } krb5_sam_challenge;
454 
455 typedef struct _krb5_sam_key {	/* reserved for future use */
456 	krb5_magic	magic;
457 	krb5_keyblock	sam_key;
458 } krb5_sam_key;
459 
460 typedef struct _krb5_enc_sam_response_enc {
461 	krb5_magic	magic;
462 	krb5_int32	sam_nonce;
463 	krb5_timestamp	sam_timestamp;
464 	krb5_int32	sam_usec;
465 	krb5_data	sam_sad;
466 } krb5_enc_sam_response_enc;
467 
468 typedef struct _krb5_sam_response {
469 	krb5_magic	magic;
470 	krb5_int32	sam_type; /* informational */
471 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
472 	krb5_data	sam_track_id; /* copied */
473 	krb5_enc_data	sam_enc_key; /* krb5_sam_key - future use */
474 	krb5_enc_data	sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
475 	krb5_int32	sam_nonce;
476 	krb5_timestamp	sam_patimestamp;
477 } krb5_sam_response;
478 
479 typedef struct _krb5_sam_challenge_2 {
480 	krb5_data	sam_challenge_2_body;
481 	krb5_checksum	**sam_cksum;		/* Array of checksums */
482 } krb5_sam_challenge_2;
483 
484 typedef struct _krb5_sam_challenge_2_body {
485 	krb5_magic	magic;
486 	krb5_int32	sam_type; /* information */
487 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
488 	krb5_data	sam_type_name;
489 	krb5_data	sam_track_id;
490 	krb5_data	sam_challenge_label;
491 	krb5_data	sam_challenge;
492 	krb5_data	sam_response_prompt;
493 	krb5_data	sam_pk_for_sad;
494 	krb5_int32	sam_nonce;
495 	krb5_enctype	sam_etype;
496 } krb5_sam_challenge_2_body;
497 
498 typedef struct _krb5_sam_response_2 {
499 	krb5_magic	magic;
500 	krb5_int32	sam_type; /* informational */
501 	krb5_flags	sam_flags; /* KRB5_SAM_* values */
502 	krb5_data	sam_track_id; /* copied */
503 	krb5_enc_data	sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
504 	krb5_int32	sam_nonce;
505 } krb5_sam_response_2;
506 
507 typedef struct _krb5_enc_sam_response_enc_2 {
508 	krb5_magic	magic;
509 	krb5_int32	sam_nonce;
510 	krb5_data	sam_sad;
511 } krb5_enc_sam_response_enc_2;
512 
513 /*
514  * Begin "dbm.h"
515  */
516 #ifndef _KERNEL
517 
518 /*
519  * Since we are always using db, use the db-ndbm include header file.
520  */
521 
522 #include "db-ndbm.h"
523 
524 #endif /* !KERNEL */
525 /*
526  * End "dbm.h"
527  */
528 
529 /*
530  * Begin "ext-proto.h"
531  */
532 #ifndef KRB5_EXT_PROTO__
533 #define KRB5_EXT_PROTO__
534 
535 #ifndef _KERNEL
536 #include <stdlib.h>
537 #include <string.h>
538 #endif /* !_KERNEL */
539 
540 #ifndef HAVE_STRDUP
541 extern char *strdup (const char *);
542 #endif
543 
544 #ifndef _KERNEL
545 #ifdef HAVE_UNISTD_H
546 #include <unistd.h>
547 #endif
548 #endif /* !_KERNEL */
549 
550 #endif /* KRB5_EXT_PROTO__ */
551 /*
552  * End "ext-proto.h"
553  */
554 
555 /*
556  * Begin "sysincl.h"
557  */
558 #ifndef KRB5_SYSINCL__
559 #define KRB5_SYSINCL__
560 
561 #ifndef KRB5_SYSTYPES__
562 #define KRB5_SYSTYPES__
563 /* needed for much of the rest -- but already handled in krb5.h? */
564 /* #include <sys/types.h> */
565 #endif /* KRB5_SYSTYPES__ */
566 
567 #ifdef	_KERNEL
568 #include <sys/time.h>
569 #else
570 #ifdef HAVE_SYS_TIME_H
571 #include <sys/time.h>
572 #ifdef TIME_WITH_SYS_TIME
573 #include <time.h>
574 #endif
575 #else
576 #include <time.h>
577 #endif
578 #endif /* _KERNEL */
579 
580 #ifdef HAVE_SYS_STAT_H
581 #include <sys/stat.h>			/* struct stat, stat() */
582 #endif
583 
584 #ifdef HAVE_SYS_PARAM_H
585 #include <sys/param.h>			/* MAXPATHLEN */
586 #endif
587 
588 #ifdef HAVE_SYS_FILE_H
589 #include <sys/file.h>			/* prototypes for file-related
590 					   syscalls; flags for open &
591 					   friends */
592 #endif
593 
594 #ifdef _KERNEL
595 #include <sys/fcntl.h>
596 #else
597 #include <fcntl.h>
598 #endif
599 
600 #endif /* KRB5_SYSINCL__ */
601 /*
602  * End "sysincl.h"
603  */
604 
605 /*
606  * Begin "los-proto.h"
607  */
608 #ifndef KRB5_LIBOS_PROTO__
609 #define KRB5_LIBOS_PROTO__
610 
611 #ifndef	_KERNEL
612 #include <stdio.h>
613 
614 struct addrlist;
615 #endif
616 
617 /* libos.spec */
618 krb5_error_code krb5_lock_file
619 	(krb5_context, int, int);
620 
621 krb5_error_code krb5_unlock_file
622 	(krb5_context, int);
623 
624 int krb5_net_read
625 	(krb5_context, int , char *, int);
626 
627 int krb5_net_write
628 	(krb5_context, int , const char *, int);
629 
630 krb5_error_code krb5_sendto_kdc
631 	(krb5_context, const krb5_data *, const krb5_data *,
632 	   krb5_data *, int *, int);
633 
634 krb5_error_code krb5_get_krbhst
635 	(krb5_context, const krb5_data *, char ***);
636 
637 krb5_error_code krb5_free_krbhst
638 	(krb5_context, char * const *);
639 
640 krb5_error_code krb5_gen_replay_name
641     (krb5_context, const krb5_address *, const char *, char **);
642 
643 krb5_error_code krb5_create_secure_file
644 	(krb5_context, const char * pathname);
645 
646 #ifndef	_KERNEL
647 krb5_error_code krb5_sync_disk_file
648 	(krb5_context, FILE *fp);
649 
650 krb5_error_code
651 krb5_open_pkcs11_session(CK_SESSION_HANDLE *);
652 #endif
653 
654 
655 krb5_error_code krb5_read_message
656 	(krb5_context, krb5_pointer, krb5_data *);
657 
658 krb5_error_code krb5_write_message
659 	(krb5_context, krb5_pointer, krb5_data *);
660 
661 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
662 
663 /*
664  * Solaris Kerberos
665  * The following two functions are needed for better realm
666  * determination based on the DNS domain name.
667  */
668 krb5_error_code krb5int_lookup_host(int , const char *, char **);
669 
670 krb5_error_code krb5int_domain_get_realm(krb5_context, const char *,
671     char **);
672 krb5_error_code krb5int_fqdn_get_realm(krb5_context, const char *,
673     char **);
674 
675 krb5_error_code krb5_os_init_context
676         (krb5_context);
677 
678 void krb5_os_free_context (krb5_context);
679 
680 /* This function is needed by KfM's KerberosPreferences API
681  * because it needs to be able to specify "secure" */
682 #ifndef _KERNEL
683 krb5_error_code os_get_default_config_files
684     (profile_filespec_t **pfiles, krb5_boolean secure);
685 #endif
686 
687 krb5_error_code krb5_find_config_files(void);
688 
689 krb5_error_code krb5_os_hostaddr
690     (krb5_context, const char *, krb5_address ***);
691 
692 #ifndef _KERNEL
693 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
694  * going to use this structure.  */
695 struct addrlist {
696 	struct addrinfo **addrs;
697 	int naddrs;
698 	int space;
699 };
700 
701 #define	ADDRLIST_INIT { 0, 0, 0 }
702 extern void krb5int_free_addrlist (struct addrlist *);
703 extern int krb5int_grow_addrlist (struct addrlist *, int);
704 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
705 			int, int, int, int);
706 
707 krb5_error_code
708 krb5int_locate_server (krb5_context,
709 		       const krb5_data *realm,
710 		       struct addrlist *,
711 		       /* Only meaningful for kdc, really...  */
712 		       int want_masters,
713 		       /* look up [realms]->$realm->$name in krb5.conf */
714 		       const char *profilename,
715 		       /* SRV record lookup */
716 		       const char *dnsname,
717 		       int is_stream_service,
718 		       /* Port numbers, in network order!  For profile
719 			  version only, DNS code gets port numbers
720 			  itself.  Use 0 for dflport2 if there's no
721 			  secondary port (most common, except kdc
722 			  case).  */
723 		       int dflport1, int dflport2,
724 		       int family);
725 
726 #endif /* _KERNEL */
727 
728 #endif /* KRB5_LIBOS_PROTO__ */
729 
730 /* new encryption provider api */
731 
732 struct krb5_enc_provider {
733 
734     /* keybytes is the input size to make_key;
735        keylength is the output size */
736     size_t block_size, keybytes, keylength;
737 
738     /* cipher-state == 0 fresh state thrown away at end */
739     krb5_error_code (*encrypt) (
740 	krb5_context context,
741 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
742 	krb5_const krb5_data *input, krb5_data *output);
743 
744     krb5_error_code (*decrypt) (
745 	krb5_context context,
746 	krb5_const krb5_keyblock *key, krb5_const krb5_data *ivec,
747 	krb5_const krb5_data *input, krb5_data *output);
748 
749     krb5_error_code (*make_key)
750     (krb5_context, krb5_const krb5_data *, krb5_keyblock *);
751 
752     krb5_error_code (*init_state) (krb5_context,
753 			const krb5_keyblock *,
754 			krb5_keyusage, krb5_data *);
755     krb5_error_code (*free_state) (krb5_context, krb5_data *);
756 
757 };
758 
759 struct krb5_hash_provider {
760     size_t hashsize, blocksize;
761 
762     /* this takes multiple inputs to avoid lots of copying. */
763     krb5_error_code (*hash) (krb5_context context,
764 	unsigned int icount, krb5_const krb5_data *input,
765 	krb5_data *output);
766 };
767 
768 struct krb5_keyhash_provider {
769     size_t hashsize;
770 
771     krb5_error_code (*hash) (
772 	krb5_context context,
773 	krb5_const krb5_keyblock *key,
774 	krb5_keyusage keyusage,
775 	krb5_const krb5_data *ivec,
776 	krb5_const krb5_data *input, krb5_data *output);
777 
778     krb5_error_code (*verify) (
779 	krb5_context context,
780 	krb5_const krb5_keyblock *key,
781 	krb5_keyusage keyusage,
782 	krb5_const krb5_data *ivec,
783 	krb5_const krb5_data *input,
784 	krb5_const krb5_data *hash,
785 	krb5_boolean *valid);
786 
787 };
788 
789 typedef void (*krb5_encrypt_length_func) (
790   krb5_const struct krb5_enc_provider *enc,
791   krb5_const struct krb5_hash_provider *hash,
792   size_t inputlen, size_t *length);
793 
794 typedef krb5_error_code (*krb5_crypt_func) (
795   krb5_context context,
796   krb5_const struct krb5_enc_provider *enc,
797   krb5_const struct krb5_hash_provider *hash,
798   krb5_const krb5_keyblock *key, krb5_keyusage usage,
799   krb5_const krb5_data *ivec,
800   krb5_const krb5_data *input, krb5_data *output);
801 
802 #ifndef	_KERNEL
803 typedef krb5_error_code (*krb5_str2key_func) (
804   krb5_context context,
805   krb5_const struct krb5_enc_provider *enc, krb5_const krb5_data *string,
806   krb5_const krb5_data *salt, krb5_const krb5_data *params,
807   krb5_keyblock *key);
808 #endif	/* _KERNEL */
809 
810 struct krb5_keytypes {
811     krb5_enctype etype;
812     char *in_string;
813     char *out_string;
814     const struct krb5_enc_provider *enc;
815     const struct krb5_hash_provider *hash;
816     krb5_encrypt_length_func encrypt_len;
817     krb5_crypt_func encrypt;
818     krb5_crypt_func decrypt;
819     krb5_cksumtype required_ctype;
820 #ifndef	_KERNEL
821     /* Solaris Kerberos:  strings to key conversion not done in the kernel */
822     krb5_str2key_func str2key;
823 #else	/* _KERNEL */
824     char *mt_e_name;
825     char *mt_h_name;
826     crypto_mech_type_t kef_cipher_mt;
827     crypto_mech_type_t kef_hash_mt;
828 #endif	/* _KERNEL */
829 };
830 
831 
832 struct krb5_cksumtypes {
833     krb5_cksumtype ctype;
834     unsigned int flags;
835     char *in_string;
836     char *out_string;
837     /* if the hash is keyed, this is the etype it is keyed with.
838        Actually, it can be keyed by any etype which has the same
839        enc_provider as the specified etype.  DERIVE checksums can
840        be keyed with any valid etype. */
841     krb5_enctype keyed_etype;
842     /* I can't statically initialize a union, so I'm just going to use
843        two pointers here.  The keyhash is used if non-NULL.  If NULL,
844        then HMAC/hash with derived keys is used if the relevant flag
845        is set.  Otherwise, a non-keyed hash is computed.  This is all
846        kind of messy, but so is the krb5 api. */
847     const struct krb5_keyhash_provider *keyhash;
848     const struct krb5_hash_provider *hash;
849     /* This just gets uglier and uglier.  In the key derivation case,
850 	we produce an hmac.  To make the hmac code work, we can't hack
851 	the output size indicated by the hash provider, but we may want
852 	a truncated hmac.  If we want truncation, this is the number of
853 	bytes we truncate to; it should be 0 otherwise.	*/
854     unsigned int trunc_size;
855 #ifdef _KERNEL
856     char *mt_c_name;
857     crypto_mech_type_t kef_cksum_mt;
858 #endif /* _KERNEL */
859 };
860 
861 #define KRB5_CKSUMFLAG_DERIVE		0x0001
862 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF	0x0002
863 
864 krb5_error_code krb5int_des_init_state(
865 	krb5_context,
866 	const krb5_keyblock *,
867 	krb5_keyusage, krb5_data *);
868 
869 krb5_error_code krb5int_c_mandatory_cksumtype(
870 	krb5_context,
871 	krb5_enctype,
872 	krb5_cksumtype *);
873 
874 /*
875  * normally to free a cipher_state you can just memset the length to zero and
876  * free it.
877  */
878 krb5_error_code krb5int_default_free_state(krb5_context, krb5_data *);
879 
880 /*
881  * Combine two keys (normally used by the hardware preauth mechanism)
882  */
883 krb5_error_code krb5int_c_combine_keys
884 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
885 		krb5_keyblock *outkey);
886 /*
887  * in here to deal with stuff from lib/crypto
888  */
889 
890 void krb5_nfold (int inbits, krb5_const unsigned char *in,
891 		int outbits, unsigned char *out);
892 
893 #ifdef _KERNEL
894 
895 int k5_ef_crypto(
896 	const char *, char *,
897 	long, krb5_keyblock *,
898 	const krb5_data *, int);
899 
900 krb5_error_code
901 krb5_hmac(krb5_context, const krb5_keyblock *,
902 	krb5_const krb5_data *, krb5_data *);
903 
904 #else
905 krb5_error_code krb5_hmac
906 	(krb5_context,
907 	krb5_const struct krb5_hash_provider *,
908 	krb5_const krb5_keyblock *, krb5_const unsigned int,
909 	krb5_const krb5_data *, krb5_data *);
910 
911 #endif /* _KERNEL */
912 
913 krb5_error_code krb5int_pbkdf2_hmac_sha1 (krb5_context,
914 		const krb5_data *,
915 		unsigned long,
916 		krb5_enctype,
917 		const krb5_data *,
918 		const krb5_data *);
919 
920 /* Make this a function eventually?  */
921 #ifdef WIN32
922 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
923 #else
924 # define krb5int_zap_data(ptr, len) memset((void *)ptr, 0, len)
925 # if defined(__GNUC__) && defined(__GLIBC__)
926 /* GNU libc generates multiple bogus initialization warnings if we
927    pass memset a volatile pointer.  The compiler should do well enough
928    with memset even without GNU libc's attempt at optimization.  */
929 # undef memset
930 # endif
931 #endif /* WIN32 */
932 #define zap(p,l) krb5int_zap_data(p,l)
933 
934 
935 /*
936  * These declarations are here, so both krb5 and k5crypto
937  * can get to them.
938  * krb5 needs to get to them so it can  make them available to libgssapi.
939  */
940 extern const struct krb5_enc_provider krb5int_enc_arcfour;
941 extern const struct krb5_hash_provider krb5int_hash_md5;
942 
943 
944 /* #ifdef KRB5_OLD_CRYPTO XXX SUNW14resync */
945 
946 krb5_error_code krb5_crypto_us_timeofday
947     (krb5_int32  *, krb5_int32  *);
948 
949 /* #endif KRB5_OLD_CRYPTO */
950 
951 /* this helper fct is in libkrb5, but it makes sense declared here. */
952 
953 krb5_error_code krb5_encrypt_helper
954 	(krb5_context context, krb5_const krb5_keyblock *key,
955 	krb5_keyusage usage, krb5_const krb5_data *plain,
956 	krb5_enc_data *cipher);
957 
958 /*
959  * End "los-proto.h"
960  */
961 
962 /*
963  * Include the KDB definitions.
964  */
965 #ifndef _KERNEL
966 #include <krb5/kdb.h>
967 #endif /* !_KERNEL */
968 /*
969  * Begin "libos.h"
970  */
971 #ifndef KRB5_LIBOS__
972 #define KRB5_LIBOS__
973 
974 typedef struct _krb5_os_context {
975 	krb5_magic	magic;
976 	krb5_int32	time_offset;
977 	krb5_int32	usec_offset;
978 	krb5_int32	os_flags;
979 	char *		default_ccname;
980 } *krb5_os_context;
981 
982 /*
983  * Flags for the os_flags field
984  *
985  * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
986  * The intention is that this facility to correct the system clocks so
987  * that they reflect the "real" time, for systems where for some
988  * reason we can't set the system clock.  Instead we calculate the
989  * offset between the system time and real time, and store the offset
990  * in the os context so that we can correct the system clock as necessary.
991  *
992  * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
993  * returned as the time by the krb5 time routines.  This should only
994  * be used for testing purposes (obviously!)
995  */
996 #define KRB5_OS_TOFFSET_VALID	1
997 #define KRB5_OS_TOFFSET_TIME	2
998 
999 /* lock mode flags */
1000 #define	KRB5_LOCKMODE_SHARED	0x0001
1001 #define	KRB5_LOCKMODE_EXCLUSIVE	0x0002
1002 #define	KRB5_LOCKMODE_DONTBLOCK	0x0004
1003 #define	KRB5_LOCKMODE_UNLOCK	0x0008
1004 
1005 #endif /* KRB5_LIBOS__ */
1006 /*
1007  * End "libos.h"
1008  */
1009 
1010 /*
1011  * Define our view of the size of a DES key.
1012  */
1013 #define	KRB5_MIT_DES_KEYSIZE		8
1014 
1015 /*
1016  * Define a couple of SHA1 constants
1017  */
1018 #define	SHS_DATASIZE	64
1019 #define	SHS_DIGESTSIZE	20
1020 
1021 /*
1022  * Check if des_int.h has been included before us.  If so, then check to see
1023  * that our view of the DES key size is the same as des_int.h's.
1024  */
1025 #ifdef	MIT_DES_KEYSIZE
1026 #if	MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
1027 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
1028 #endif	/* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
1029 #endif	/* MIT_DES_KEYSIZE */
1030 
1031 #ifndef _KERNEL
1032 /* Solaris Kerberos: only define PROVIDE_DES3_CBC_SHA if the following are
1033  * defined.
1034  */
1035 #define PROVIDE_DES3_CBC_SHA 1
1036 #define PROVIDE_NIST_SHA 1
1037 
1038 #endif /* !_KERNEL */
1039 
1040 /*
1041  * Begin "preauth.h"
1042  *
1043  * (Originally written by Glen Machin at Sandia Labs.)
1044  */
1045 /*
1046  * Sandia National Laboratories also makes no representations about the
1047  * suitability of the modifications, or additions to this software for
1048  * any purpose.  It is provided "as is" without express or implied warranty.
1049  *
1050  */
1051 #ifndef KRB5_PREAUTH__
1052 #define KRB5_PREAUTH__
1053 
1054 typedef struct _krb5_pa_enc_ts {
1055     krb5_timestamp	patimestamp;
1056     krb5_int32		pausec;
1057 } krb5_pa_enc_ts;
1058 
1059 typedef krb5_error_code (*krb5_preauth_obtain_proc)
1060     (krb5_context,
1061 	    krb5_pa_data *,
1062 	    krb5_etype_info,
1063 	    krb5_keyblock *,
1064 	    krb5_error_code ( * )(krb5_context,
1065 				  krb5_const krb5_enctype,
1066 				  krb5_data *,
1067 				  krb5_const_pointer,
1068 				  krb5_keyblock **),
1069 	    krb5_const_pointer,
1070 	    krb5_creds *,
1071 	    krb5_kdc_req *,
1072 	    krb5_pa_data **);
1073 
1074 typedef krb5_error_code (*krb5_preauth_process_proc)
1075     (krb5_context,
1076 	    krb5_pa_data *,
1077 	    krb5_kdc_req *,
1078 	    krb5_kdc_rep *,
1079 	    krb5_error_code ( * )(krb5_context,
1080 				  krb5_const krb5_enctype,
1081 				  krb5_data *,
1082 				  krb5_const_pointer,
1083 				  krb5_keyblock **),
1084 	    krb5_const_pointer,
1085 	    krb5_error_code ( * )(krb5_context,
1086 				  krb5_const krb5_keyblock *,
1087 				  krb5_const_pointer,
1088 				  krb5_kdc_rep * ),
1089 	    krb5_keyblock **,
1090 	    krb5_creds *,
1091 	    krb5_int32 *,
1092 	    krb5_int32 *);
1093 
1094 typedef struct _krb5_preauth_ops {
1095     krb5_magic magic;
1096     int     type;
1097     int	flags;
1098     krb5_preauth_obtain_proc	obtain;
1099     krb5_preauth_process_proc	process;
1100 } krb5_preauth_ops;
1101 
1102 void krb5_free_etype_info (krb5_context, krb5_etype_info);
1103 
1104 /*
1105  * Preauthentication property flags
1106  */
1107 #define KRB5_PREAUTH_FLAGS_ENCRYPT	0x00000001
1108 #define KRB5_PREAUTH_FLAGS_HARDWARE	0x00000002
1109 
1110 #endif /* KRB5_PREAUTH__ */
1111 /*
1112  * End "preauth.h"
1113  */
1114 
1115 krb5_error_code
1116 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1117 
1118 #ifndef _KERNEL /* needed for lib/krb5/krb/ */
1119 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1120     (krb5_context,
1121      krb5_principal,
1122      krb5_enctype,
1123      krb5_prompter_fct,
1124      void *prompter_data,
1125      krb5_data *salt,
1126      krb5_data *s2kparams,
1127      krb5_keyblock *as_key,
1128      void *gak_data);
1129 
1130 krb5_error_code KRB5_CALLCONV
1131 krb5_get_init_creds
1132 (krb5_context context,
1133 	krb5_creds *creds,
1134 	krb5_principal client,
1135 	krb5_prompter_fct prompter,
1136 	void *prompter_data,
1137 	krb5_deltat start_time,
1138 	char *in_tkt_service,
1139 	krb5_get_init_creds_opt *options,
1140 	krb5_gic_get_as_key_fct gak,
1141 	void *gak_data,
1142 	int *master,
1143 	krb5_kdc_rep **as_reply);
1144 
1145 void krb5int_populate_gic_opt (
1146      krb5_context, krb5_get_init_creds_opt *,
1147      krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1148      krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1149 
1150 krb5_error_code krb5_do_preauth
1151 	(krb5_context, krb5_kdc_req *,
1152 	krb5_pa_data **, krb5_pa_data ***,
1153 	krb5_data *, krb5_data *, krb5_enctype *,
1154 	krb5_keyblock *,
1155 	krb5_prompter_fct, void *,
1156 	krb5_gic_get_as_key_fct, void *);
1157 #endif /* _KERNEL */
1158 
1159 void KRB5_CALLCONV krb5_free_sam_challenge
1160 	(krb5_context, krb5_sam_challenge * );
1161 void KRB5_CALLCONV krb5_free_sam_challenge_2
1162 	(krb5_context, krb5_sam_challenge_2 * );
1163 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1164 	(krb5_context, krb5_sam_challenge_2_body *);
1165 void KRB5_CALLCONV krb5_free_sam_response
1166 	(krb5_context, krb5_sam_response * );
1167 void KRB5_CALLCONV krb5_free_sam_response_2
1168 	(krb5_context, krb5_sam_response_2 * );
1169 void KRB5_CALLCONV krb5_free_predicted_sam_response
1170 	(krb5_context, krb5_predicted_sam_response * );
1171 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1172 	(krb5_context, krb5_enc_sam_response_enc * );
1173 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1174 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1175 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1176 	(krb5_context, krb5_sam_challenge * );
1177 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1178 	(krb5_context, krb5_sam_challenge_2 * );
1179 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1180 	(krb5_context, krb5_sam_challenge_2_body * );
1181 void KRB5_CALLCONV krb5_free_sam_response_contents
1182 	(krb5_context, krb5_sam_response * );
1183 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1184 	(krb5_context, krb5_sam_response_2 *);
1185 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1186 	(krb5_context, krb5_predicted_sam_response * );
1187 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1188 	(krb5_context, krb5_enc_sam_response_enc * );
1189 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1190 	(krb5_context, krb5_enc_sam_response_enc_2 * );
1191 
1192 void KRB5_CALLCONV krb5_free_pa_enc_ts
1193 	(krb5_context, krb5_pa_enc_ts *);
1194 
1195 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1196 #ifndef	_KERNEL
1197 #include "com_err.h"
1198 #endif /* _KERNEL */
1199 
1200 /*
1201  * Solaris Kerberos: moved from sendto_kdc.c so other code can reference
1202  */
1203 #define	DEFAULT_UDP_PREF_LIMIT   1465
1204 
1205 #ifndef	_KERNEL
1206 #include "profile.h"
1207 #include <strings.h>
1208 #endif /* _KERNEL */
1209 
1210 #define KEY_CHANGED(k1, k2) \
1211 (k1 == NULL || \
1212  k1 != k2 || \
1213  k1->enctype != k2->enctype || \
1214  k1->length != k2->length || \
1215  bcmp(k1->contents, k2->contents, k1->length))
1216 
1217 #ifndef _KERNEL
1218 typedef struct _arcfour_ctx {
1219 	CK_SESSION_HANDLE eSession; /* encrypt session handle */
1220 	CK_SESSION_HANDLE dSession; /* decrypt session handle */
1221 	CK_OBJECT_HANDLE  eKey; /* encrypt key object */
1222 	CK_OBJECT_HANDLE  dKey; /* decrype key object */
1223 	uchar_t           initialized;
1224 }arcfour_ctx_rec;
1225 
1226 #endif /* !_KERNEL */
1227 
1228 struct _krb5_context {
1229 	krb5_magic	magic;
1230 	krb5_enctype	*in_tkt_ktypes;
1231 	int		in_tkt_ktype_count;
1232 	krb5_enctype	*tgs_ktypes;
1233 	int		tgs_ktype_count;
1234         /* This used to be a void*, but since we always allocate them
1235            together (though in different source files), and the types
1236            are declared in the same header, might as well just combine
1237            them.
1238 
1239            The array[1] is so the existing code treating the field as
1240            a pointer will still work.  For cleanliness, it should
1241            eventually get changed to a single element instead of an
1242            array.  */
1243         struct _krb5_os_context os_context[1];
1244 	char		*default_realm;
1245 	int		ser_ctx_count;
1246 	krb5_boolean	profile_secure;
1247 	void	      	*ser_ctx;
1248 #ifndef _KERNEL
1249 	profile_t	profile;
1250 	void		*db_context;
1251 	void		*kdblog_context;
1252 	/* allowable clock skew */
1253 	krb5_deltat 	clockskew;
1254 	krb5_cksumtype	kdc_req_sumtype;
1255 	krb5_cksumtype	default_ap_req_sumtype;
1256 	krb5_cksumtype	default_safe_sumtype;
1257 	krb5_flags 	kdc_default_options;
1258 	krb5_flags	library_options;
1259 	int		fcc_default_format;
1260 	int		scc_default_format;
1261 	krb5_prompt_type *prompt_types;
1262 	/* Message size above which we'll try TCP first in send-to-kdc
1263 	   type code.  Aside from the 2**16 size limit, we put no
1264 	   absolute limit on the UDP packet size.  */
1265 	int		udp_pref_limit;
1266 
1267 	/* This is the tgs_ktypes list as read from the profile, or
1268 	   set to compiled-in defaults.	 The application code cannot
1269 	   override it.	 This is used for session keys for
1270 	   intermediate ticket-granting tickets used to acquire the
1271 	   requested ticket (the session key of which may be
1272 	   constrained by tgs_ktypes above).  */
1273 	krb5_enctype	*conf_tgs_ktypes;
1274 	int		conf_tgs_ktypes_count;
1275 
1276 	/* Use the _configured version?	 */
1277 	krb5_boolean	use_conf_ktypes;
1278 #ifdef KRB5_DNS_LOOKUP
1279 	krb5_boolean	profile_in_memory;
1280 #endif /* KRB5_DNS_LOOKUP */
1281 
1282 	pid_t pid;  /* fork safety: PID of process that did last PKCS11 init */
1283 
1284 	/* Solaris Kerberos: handles for PKCS#11 crypto */
1285 	/*
1286 	 * Warning, do not access hSession directly as this is not fork() safe.
1287 	 * Instead use the krb_ctx_hSession() macro below.
1288 	 */
1289 	CK_SESSION_HANDLE hSession;
1290 	int		cryptoki_initialized;
1291 
1292 	/* arcfour_ctx: used only for rcmd stuff so no fork safety issues apply */
1293 	arcfour_ctx_rec arcfour_ctx;
1294 #else /* ! KERNEL */
1295 	crypto_mech_type_t kef_cipher_mt;
1296 	crypto_mech_type_t kef_hash_mt;
1297 	crypto_mech_type_t kef_cksum_mt;
1298 #endif /* ! KERNEL */
1299 };
1300 
1301 #ifndef  _KERNEL
1302 extern pid_t __krb5_current_pid;
1303 
1304 CK_SESSION_HANDLE krb5_reinit_ef_handle(krb5_context);
1305 
1306 /*
1307  * fork safety: barring the ef_init code, every other function must use the
1308  * krb_ctx_hSession() macro to access the hSession field in a krb context.
1309  * Note, if the pid of the krb ctx == the current global pid then it is safe to
1310  * use the ctx hSession otherwise it needs to be re-inited before it is returned
1311  * to the caller.
1312  */
1313 #define krb_ctx_hSession(ctx) \
1314     ((ctx)->pid == __krb5_current_pid) ? (ctx)->hSession : krb5_reinit_ef_handle((ctx))
1315 #endif
1316 
1317 #define MD5_CKSUM_LENGTH 16
1318 #define RSA_MD5_CKSUM_LENGTH 16
1319 #define MD5_BLOCKSIZE 64
1320 
1321 
1322 /*
1323  * Solaris Kerberos:
1324  * This next section of prototypes and constants
1325  * are all unique to the Solaris Kerberos implementation.
1326  * Because Solaris uses the native encryption framework
1327  * to provide crypto support, the following routines
1328  * are needed to support this system.
1329  */
1330 
1331 /*
1332  * Begin Solaris Crypto Prototypes
1333  */
1334 
1335 /*
1336  * define constants that are used for creating the constant
1337  * which is used to make derived keys.
1338  */
1339 #define DK_ENCR_KEY_BYTE 0xAA
1340 #define DK_HASH_KEY_BYTE 0x55
1341 #define DK_CKSUM_KEY_BYTE 0x99
1342 
1343 int init_derived_keydata(krb5_context, const struct krb5_enc_provider *,
1344 			krb5_keyblock *, krb5_keyusage,
1345 			krb5_keyblock **, krb5_keyblock **);
1346 
1347 krb5_error_code add_derived_key(krb5_keyblock *, krb5_keyusage, uchar_t,
1348 				krb5_keyblock *);
1349 
1350 krb5_keyblock *find_derived_key(krb5_keyusage, uchar_t, krb5_keyblock *);
1351 krb5_keyblock *krb5_create_derived_keyblock(int);
1352 
1353 #ifdef _KERNEL
1354 int k5_ef_hash(krb5_context, int, const krb5_data *, krb5_data *);
1355 
1356 int k5_ef_mac(krb5_context, krb5_keyblock *, krb5_data *,
1357         const krb5_data *, krb5_data *);
1358 
1359 void make_kef_key(krb5_keyblock *);
1360 int init_key_kef(crypto_mech_type_t, krb5_keyblock *);
1361 int update_key_template(krb5_keyblock *);
1362 void setup_kef_keytypes();
1363 void setup_kef_cksumtypes();
1364 crypto_mech_type_t get_cipher_mech_type(krb5_context, krb5_keyblock *);
1365 crypto_mech_type_t get_hash_mech_type(krb5_context, krb5_keyblock *);
1366 
1367 #else
1368 /*
1369  * This structure is used to map Kerberos supported OID's,
1370  * to PKCS11 mechanisms
1371  */
1372 #define USE_ENCR	0x01
1373 #define	USE_HASH	0x02
1374 
1375 typedef struct krb5_mech_2_pkcs {
1376 	uchar_t		flags;
1377 	CK_MECHANISM_TYPE enc_algo;
1378 	CK_MECHANISM_TYPE hash_algo;
1379 	CK_MECHANISM_TYPE str2key_algo;
1380 } KRB5_MECH_TO_PKCS;
1381 
1382 #define ENC_DEFINED(x)	(((x).flags & USE_ENCR))
1383 #define HASH_DEFINED(x)	(((x).flags & USE_HASH))
1384 
1385 extern CK_RV get_algo(krb5_enctype etype, KRB5_MECH_TO_PKCS * algos);
1386 extern CK_RV get_key_type (krb5_enctype etype, CK_KEY_TYPE * keyType);
1387 extern krb5_error_code slot_supports_krb5 (CK_SLOT_ID_PTR slotid);
1388 
1389 krb5_error_code init_key_uef(CK_SESSION_HANDLE, krb5_keyblock *);
1390 
1391 krb5_error_code k5_ef_hash(krb5_context, CK_MECHANISM *,
1392 	unsigned int, const krb5_data *, krb5_data *);
1393 
1394 krb5_error_code k5_ef_mac(krb5_context context,
1395 	krb5_keyblock *key, krb5_data *ivec,
1396 	krb5_const krb5_data *input, krb5_data *output);
1397 
1398 #endif	/* !_KERNEL */
1399 
1400 krb5_error_code
1401 derive_3des_keys(krb5_context, struct krb5_enc_provider *,
1402                 krb5_keyblock *, krb5_keyusage,
1403                 krb5_keyblock *, krb5_keyblock *);
1404 
1405 /*
1406  * End Solaris Crypto Prototypes
1407  */
1408 
1409 #define KRB5_LIBOPT_SYNC_KDCTIME	0x0001
1410 
1411 /* internal message representations */
1412 
1413 typedef struct _krb5_safe {
1414     krb5_magic magic;
1415     krb5_data user_data;                /* user data */
1416     krb5_timestamp timestamp;           /* client time, optional */
1417     krb5_int32 usec;                    /* microsecond portion of time,
1418                                            optional */
1419     krb5_ui_4 seq_number;               /* sequence #, optional */
1420     krb5_address *s_address;    /* sender address */
1421     krb5_address *r_address;    /* recipient address, optional */
1422     krb5_checksum *checksum;    /* data integrity checksum */
1423 } krb5_safe;
1424 
1425 typedef struct _krb5_priv {
1426     krb5_magic magic;
1427     krb5_enc_data enc_part;             /* encrypted part */
1428 } krb5_priv;
1429 
1430 typedef struct _krb5_priv_enc_part {
1431     krb5_magic magic;
1432     krb5_data user_data;                /* user data */
1433     krb5_timestamp timestamp;           /* client time, optional */
1434     krb5_int32 usec;                    /* microsecond portion of time, opt. */
1435     krb5_ui_4 seq_number;               /* sequence #, optional */
1436     krb5_address *s_address;    /* sender address */
1437     krb5_address *r_address;    /* recipient address, optional */
1438 } krb5_priv_enc_part;
1439 
1440 void KRB5_CALLCONV krb5_free_safe
1441         (krb5_context, krb5_safe * );
1442 void KRB5_CALLCONV krb5_free_priv
1443         (krb5_context, krb5_priv * );
1444 void KRB5_CALLCONV krb5_free_priv_enc_part
1445         (krb5_context, krb5_priv_enc_part * );
1446 
1447 /*
1448  * Begin "asn1.h"
1449  */
1450 #ifndef KRB5_ASN1__
1451 #define KRB5_ASN1__
1452 
1453 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1454 /* here we use some knowledge of ASN.1 encodings */
1455 /*
1456   Ticket is APPLICATION 1.
1457   Authenticator is APPLICATION 2.
1458   AS_REQ is APPLICATION 10.
1459   AS_REP is APPLICATION 11.
1460   TGS_REQ is APPLICATION 12.
1461   TGS_REP is APPLICATION 13.
1462   AP_REQ is APPLICATION 14.
1463   AP_REP is APPLICATION 15.
1464   KRB_SAFE is APPLICATION 20.
1465   KRB_PRIV is APPLICATION 21.
1466   KRB_CRED is APPLICATION 22.
1467   EncASRepPart is APPLICATION 25.
1468   EncTGSRepPart is APPLICATION 26.
1469   EncAPRepPart is APPLICATION 27.
1470   EncKrbPrivPart is APPLICATION 28.
1471   EncKrbCredPart is APPLICATION 29.
1472   KRB_ERROR is APPLICATION 30.
1473  */
1474 /* allow either constructed or primitive encoding, so check for bit 6
1475    set or reset */
1476 #define krb5_is_krb_ticket(dat)\
1477 	((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1478 				    (dat)->data[0] == 0x41))
1479 #define krb5_is_krb_authenticator(dat)\
1480 	((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1481 				    (dat)->data[0] == 0x42))
1482 #define krb5_is_as_req(dat)\
1483 	((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1484 				    (dat)->data[0] == 0x4a))
1485 #define krb5_is_as_rep(dat)\
1486 	((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1487 				    (dat)->data[0] == 0x4b))
1488 #define krb5_is_tgs_req(dat)\
1489 	((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1490 				    (dat)->data[0] == 0x4c))
1491 #define krb5_is_tgs_rep(dat)\
1492 	((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1493 				    (dat)->data[0] == 0x4d))
1494 #define krb5_is_ap_req(dat)\
1495 	((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1496 				    (dat)->data[0] == 0x4e))
1497 #define krb5_is_ap_rep(dat)\
1498 	((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1499 				    (dat)->data[0] == 0x4f))
1500 #define krb5_is_krb_safe(dat)\
1501 	((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1502 				    (dat)->data[0] == 0x54))
1503 #define krb5_is_krb_priv(dat)\
1504 	((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1505 				    (dat)->data[0] == 0x55))
1506 #define krb5_is_krb_cred(dat)\
1507 	((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1508 				    (dat)->data[0] == 0x56))
1509 #define krb5_is_krb_enc_as_rep_part(dat)\
1510 	((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1511 				    (dat)->data[0] == 0x59))
1512 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1513 	((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1514 				    (dat)->data[0] == 0x5a))
1515 #define krb5_is_krb_enc_ap_rep_part(dat)\
1516 	((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1517 				    (dat)->data[0] == 0x5b))
1518 #define krb5_is_krb_enc_krb_priv_part(dat)\
1519 	((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1520 				    (dat)->data[0] == 0x5c))
1521 #define krb5_is_krb_enc_krb_cred_part(dat)\
1522 	((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1523 				    (dat)->data[0] == 0x5d))
1524 #define krb5_is_krb_error(dat)\
1525 	((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1526 				    (dat)->data[0] == 0x5e))
1527 
1528 /*************************************************************************
1529  * Prototypes for krb5_encode.c
1530  *************************************************************************/
1531 
1532 /*
1533    krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1534 					 krb5_data **code);
1535    modifies  *code
1536    effects   Returns the ASN.1 encoding of *rep in **code.
1537              Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1538              Returns ENOMEM if memory runs out.
1539 */
1540 
1541 krb5_error_code encode_krb5_authenticator
1542 	(const krb5_authenticator *rep, krb5_data **code);
1543 
1544 krb5_error_code encode_krb5_ticket
1545 	(const krb5_ticket *rep, krb5_data **code);
1546 
1547 krb5_error_code encode_krb5_encryption_key
1548 	(const krb5_keyblock *rep, krb5_data **code);
1549 
1550 krb5_error_code encode_krb5_enc_tkt_part
1551 	(const krb5_enc_tkt_part *rep, krb5_data **code);
1552 
1553 krb5_error_code encode_krb5_enc_kdc_rep_part
1554 	(const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1555 
1556 /* yes, the translation is identical to that used for KDC__REP */
1557 krb5_error_code encode_krb5_as_rep
1558 	(const krb5_kdc_rep *rep, krb5_data **code);
1559 
1560 /* yes, the translation is identical to that used for KDC__REP */
1561 krb5_error_code encode_krb5_tgs_rep
1562 	(const krb5_kdc_rep *rep, krb5_data **code);
1563 
1564 krb5_error_code encode_krb5_ap_req
1565 	(const krb5_ap_req *rep, krb5_data **code);
1566 
1567 krb5_error_code encode_krb5_ap_rep
1568 	(const krb5_ap_rep *rep, krb5_data **code);
1569 
1570 krb5_error_code encode_krb5_ap_rep_enc_part
1571 	(const krb5_ap_rep_enc_part *rep, krb5_data **code);
1572 
1573 krb5_error_code encode_krb5_as_req
1574 	(const krb5_kdc_req *rep, krb5_data **code);
1575 
1576 krb5_error_code encode_krb5_tgs_req
1577 	(const krb5_kdc_req *rep, krb5_data **code);
1578 
1579 krb5_error_code encode_krb5_kdc_req_body
1580 	(const krb5_kdc_req *rep, krb5_data **code);
1581 
1582 krb5_error_code encode_krb5_safe
1583 	(const krb5_safe *rep, krb5_data **code);
1584 
1585 krb5_error_code encode_krb5_safe_with_body
1586 	(const krb5_safe *rep, const krb5_data *body, krb5_data **code);
1587 
1588 krb5_error_code encode_krb5_priv
1589 	(const krb5_priv *rep, krb5_data **code);
1590 
1591 krb5_error_code encode_krb5_enc_priv_part
1592 	(const krb5_priv_enc_part *rep, krb5_data **code);
1593 
1594 krb5_error_code encode_krb5_cred
1595 	(const krb5_cred *rep, krb5_data **code);
1596 
1597 krb5_error_code encode_krb5_enc_cred_part
1598 	(const krb5_cred_enc_part *rep, krb5_data **code);
1599 
1600 krb5_error_code encode_krb5_error
1601 	(const krb5_error *rep, krb5_data **code);
1602 
1603 krb5_error_code encode_krb5_authdata
1604 	(const krb5_authdata **rep, krb5_data **code);
1605 
1606 krb5_error_code encode_krb5_pwd_sequence
1607 	(const passwd_phrase_element *rep, krb5_data **code);
1608 
1609 krb5_error_code encode_krb5_pwd_data
1610 	(const krb5_pwd_data *rep, krb5_data **code);
1611 
1612 krb5_error_code encode_krb5_padata_sequence
1613 	(const krb5_pa_data ** rep, krb5_data **code);
1614 
1615 krb5_error_code encode_krb5_alt_method
1616 	(const krb5_alt_method *, krb5_data **code);
1617 
1618 krb5_error_code encode_krb5_etype_info
1619 	(const krb5_etype_info_entry **, krb5_data **code);
1620 
1621 krb5_error_code encode_krb5_etype_info2
1622 	(const krb5_etype_info_entry **, krb5_data **code);
1623 
1624 krb5_error_code encode_krb5_enc_data
1625     	(const krb5_enc_data *, krb5_data **);
1626 
1627 krb5_error_code encode_krb5_pa_enc_ts
1628     	(const krb5_pa_enc_ts *, krb5_data **);
1629 
1630 krb5_error_code encode_krb5_sam_challenge
1631 	(const krb5_sam_challenge * , krb5_data **);
1632 
1633 krb5_error_code encode_krb5_sam_key
1634 	(const krb5_sam_key * , krb5_data **);
1635 
1636 krb5_error_code encode_krb5_enc_sam_response_enc
1637 	(const krb5_enc_sam_response_enc * , krb5_data **);
1638 
1639 krb5_error_code encode_krb5_sam_response
1640 	(const krb5_sam_response * , krb5_data **);
1641 
1642 krb5_error_code encode_krb5_predicted_sam_response
1643 	(const krb5_predicted_sam_response * , krb5_data **);
1644 
1645 krb5_error_code encode_krb5_sam_challenge_2
1646 	(const krb5_sam_challenge_2 * , krb5_data **);
1647 
1648 krb5_error_code encode_krb5_sam_challenge_2_body
1649 	(const krb5_sam_challenge_2_body * , krb5_data **);
1650 
1651 krb5_error_code encode_krb5_enc_sam_response_enc_2
1652 	(const krb5_enc_sam_response_enc_2 * , krb5_data **);
1653 
1654 krb5_error_code encode_krb5_sam_response_2
1655 	(const krb5_sam_response_2 * , krb5_data **);
1656 
1657 krb5_error_code encode_krb5_setpw_req
1658         (const krb5_principal target, char *password, krb5_data **code);
1659 
1660 /*************************************************************************
1661  * End of prototypes for krb5_encode.c
1662  *************************************************************************/
1663 
1664 /*************************************************************************
1665  * Prototypes for krb5_decode.c
1666  *************************************************************************/
1667 
1668 /*
1669    krb5_error_code decode_krb5_structure(const krb5_data *code,
1670                                          krb5_structure **rep);
1671 
1672    requires  Expects **rep to not have been allocated;
1673               a new *rep is allocated regardless of the old value.
1674    effects   Decodes *code into **rep.
1675 	     Returns ENOMEM if memory is exhausted.
1676              Returns asn1 and krb5 errors.
1677 */
1678 
1679 krb5_error_code decode_krb5_authenticator
1680 	(const krb5_data *code, krb5_authenticator **rep);
1681 
1682 krb5_error_code decode_krb5_ticket
1683 	(const krb5_data *code, krb5_ticket **rep);
1684 
1685 krb5_error_code decode_krb5_encryption_key
1686 	(const krb5_data *output, krb5_keyblock **rep);
1687 
1688 krb5_error_code decode_krb5_enc_tkt_part
1689 	(const krb5_data *output, krb5_enc_tkt_part **rep);
1690 
1691 krb5_error_code decode_krb5_enc_kdc_rep_part
1692 	(const krb5_data *output, krb5_enc_kdc_rep_part **rep);
1693 
1694 krb5_error_code decode_krb5_as_rep
1695 	(const krb5_data *output, krb5_kdc_rep **rep);
1696 
1697 krb5_error_code decode_krb5_tgs_rep
1698 	(const krb5_data *output, krb5_kdc_rep **rep);
1699 
1700 krb5_error_code decode_krb5_ap_req
1701 	(const krb5_data *output, krb5_ap_req **rep);
1702 
1703 krb5_error_code decode_krb5_ap_rep
1704 	(const krb5_data *output, krb5_ap_rep **rep);
1705 
1706 krb5_error_code decode_krb5_ap_rep_enc_part
1707 	(const krb5_data *output, krb5_ap_rep_enc_part **rep);
1708 
1709 krb5_error_code decode_krb5_as_req
1710 	(const krb5_data *output, krb5_kdc_req **rep);
1711 
1712 krb5_error_code decode_krb5_tgs_req
1713 	(const krb5_data *output, krb5_kdc_req **rep);
1714 
1715 krb5_error_code decode_krb5_kdc_req_body
1716 	(const krb5_data *output, krb5_kdc_req **rep);
1717 
1718 krb5_error_code decode_krb5_safe
1719 	(const krb5_data *output, krb5_safe **rep);
1720 
1721 krb5_error_code decode_krb5_safe_with_body
1722 	(const krb5_data *output, krb5_safe **rep, krb5_data *body);
1723 
1724 krb5_error_code decode_krb5_priv
1725 	(const krb5_data *output, krb5_priv **rep);
1726 
1727 krb5_error_code decode_krb5_enc_priv_part
1728 	(const krb5_data *output, krb5_priv_enc_part **rep);
1729 
1730 krb5_error_code decode_krb5_cred
1731 	(const krb5_data *output, krb5_cred **rep);
1732 
1733 krb5_error_code decode_krb5_enc_cred_part
1734 	(const krb5_data *output, krb5_cred_enc_part **rep);
1735 
1736 krb5_error_code decode_krb5_error
1737 	(const krb5_data *output, krb5_error **rep);
1738 
1739 krb5_error_code decode_krb5_authdata
1740 	(const krb5_data *output, krb5_authdata ***rep);
1741 
1742 krb5_error_code decode_krb5_pwd_sequence
1743 	(const krb5_data *output, passwd_phrase_element **rep);
1744 
1745 krb5_error_code decode_krb5_pwd_data
1746 	(const krb5_data *output, krb5_pwd_data **rep);
1747 
1748 krb5_error_code decode_krb5_padata_sequence
1749 	(const krb5_data *output, krb5_pa_data ***rep);
1750 
1751 krb5_error_code decode_krb5_alt_method
1752 	(const krb5_data *output, krb5_alt_method **rep);
1753 
1754 krb5_error_code decode_krb5_etype_info
1755 	(const krb5_data *output, krb5_etype_info_entry ***rep);
1756 
1757 krb5_error_code decode_krb5_etype_info2
1758 	(const krb5_data *output, krb5_etype_info_entry ***rep);
1759 
1760 krb5_error_code decode_krb5_enc_data
1761 	(const krb5_data *output, krb5_enc_data **rep);
1762 
1763 krb5_error_code decode_krb5_pa_enc_ts
1764 	(const krb5_data *output, krb5_pa_enc_ts **rep);
1765 
1766 krb5_error_code decode_krb5_sam_challenge
1767 	(const krb5_data *, krb5_sam_challenge **);
1768 
1769 krb5_error_code decode_krb5_sam_key
1770 	(const krb5_data *, krb5_sam_key **);
1771 
1772 krb5_error_code decode_krb5_enc_sam_response_enc
1773 	(const krb5_data *, krb5_enc_sam_response_enc **);
1774 
1775 krb5_error_code decode_krb5_sam_response
1776 	(const krb5_data *, krb5_sam_response **);
1777 
1778 krb5_error_code decode_krb5_predicted_sam_response
1779 	(const krb5_data *, krb5_predicted_sam_response **);
1780 
1781 krb5_error_code decode_krb5_sam_challenge_2
1782 	(const krb5_data *, krb5_sam_challenge_2 **);
1783 
1784 krb5_error_code decode_krb5_sam_challenge_2_body
1785 	(const krb5_data *, krb5_sam_challenge_2_body **);
1786 
1787 krb5_error_code decode_krb5_enc_sam_response_enc_2
1788 	(const krb5_data *, krb5_enc_sam_response_enc_2 **);
1789 
1790 krb5_error_code decode_krb5_sam_response_2
1791 	(const krb5_data *, krb5_sam_response_2 **);
1792 
1793 
1794 /*************************************************************************
1795  * End of prototypes for krb5_decode.c
1796  *************************************************************************/
1797 
1798 #endif /* KRB5_ASN1__ */
1799 /*
1800  * End "asn1.h"
1801  */
1802 
1803 
1804 /*
1805  * Internal krb5 library routines
1806  */
1807 krb5_error_code krb5_encrypt_tkt_part
1808 	(krb5_context,
1809 	   krb5_const krb5_keyblock *,
1810 	   krb5_ticket *);
1811 
1812 
1813 krb5_error_code krb5_encode_kdc_rep
1814 	(krb5_context,
1815 	   krb5_const krb5_msgtype,
1816 	   krb5_const krb5_enc_kdc_rep_part *,
1817 	   int using_subkey,
1818 	   krb5_const krb5_keyblock *,
1819 	   krb5_kdc_rep *,
1820 	   krb5_data ** );
1821 
1822 krb5_error_code krb5_validate_times
1823 	(krb5_context, krb5_ticket_times *);
1824 
1825 krb5_boolean krb5int_auth_con_chkseqnum
1826 	(krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
1827 
1828 /*
1829  * [De]Serialization Handle and operations.
1830  */
1831 struct __krb5_serializer {
1832     krb5_magic		odtype;
1833     krb5_error_code	(*sizer) (krb5_context,
1834 				  krb5_pointer,
1835 				  size_t *);
1836     krb5_error_code	(*externalizer) (krb5_context,
1837 					 krb5_pointer,
1838 					 krb5_octet **,
1839 					 size_t *);
1840     krb5_error_code	(*internalizer) (krb5_context,
1841 					 krb5_pointer *,
1842 					 krb5_octet **,
1843 					 size_t *);
1844 };
1845 typedef struct __krb5_serializer * krb5_ser_handle;
1846 typedef struct __krb5_serializer krb5_ser_entry;
1847 
1848 krb5_ser_handle krb5_find_serializer
1849 	(krb5_context,
1850 		krb5_magic);
1851 krb5_error_code krb5_register_serializer
1852 	(krb5_context,
1853 			const krb5_ser_entry *);
1854 
1855 /* Determine the external size of a particular opaque structure */
1856 krb5_error_code KRB5_CALLCONV krb5_size_opaque
1857 	(krb5_context,
1858 		krb5_magic,
1859 		krb5_pointer,
1860 		size_t *);
1861 
1862 /* Serialize the structure into a buffer */
1863 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
1864 	(krb5_context,
1865 	krb5_magic,
1866 	krb5_pointer,
1867 	krb5_octet * *,
1868 	size_t *);
1869 
1870 /* Deserialize the structure from a buffer */
1871 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
1872 	(krb5_context,
1873 		krb5_magic,
1874 		krb5_pointer *,
1875 		krb5_octet **,
1876 		size_t *);
1877 
1878 /* Serialize data into a buffer */
1879 krb5_error_code krb5_externalize_data
1880 	(krb5_context,
1881 		krb5_pointer,
1882 		krb5_octet **,
1883 		size_t *);
1884 /*
1885  * Initialization routines.
1886  */
1887 
1888 /* Initialize serialization for krb5_[os_]context */
1889 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
1890 	(krb5_context);
1891 
1892 /* Initialize serialization for krb5_auth_context */
1893 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
1894 	(krb5_context);
1895 
1896 /* Initialize serialization for krb5_keytab */
1897 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
1898 	(krb5_context);
1899 
1900 /* Initialize serialization for krb5_ccache */
1901 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
1902 	(krb5_context);
1903 
1904 /* Initialize serialization for krb5_rcache */
1905 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
1906 	(krb5_context);
1907 
1908 /* [De]serialize 4-byte integer */
1909 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
1910 	(krb5_int32,
1911 		krb5_octet **,
1912 		size_t *);
1913 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
1914 	(krb5_int32 *,
1915 		krb5_octet **,
1916 		size_t *);
1917 /* [De]serialize 8-byte integer */
1918 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
1919 	(krb5_int64, krb5_octet * *, size_t *);
1920 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
1921 	(krb5_int64 *, krb5_octet **, size_t *);
1922 /* [De]serialize byte string */
1923 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
1924 	(krb5_octet *,
1925 		size_t,
1926 		krb5_octet **,
1927 		size_t *);
1928 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
1929 	(krb5_octet *,
1930 		size_t,
1931 		krb5_octet **,
1932 		size_t *);
1933 
1934 
1935 krb5_error_code KRB5_CALLCONV krb5int_cc_default
1936 	(krb5_context, krb5_ccache *);
1937 
1938 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
1939 	(krb5_context, krb5_ccache, krb5_flags, krb5_creds *, krb5_creds *);
1940 
1941 void krb5int_set_prompt_types
1942 	(krb5_context, krb5_prompt_type *);
1943 
1944 krb5_error_code
1945 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
1946 		krb5_keyblock * /* Old keyblock, not new!  */);
1947 
1948 /* set and change password helpers */
1949 
1950 krb5_error_code krb5int_mk_chpw_req
1951         (krb5_context context, krb5_auth_context auth_context,
1952              krb5_data *ap_req, char *passwd, krb5_data *packet);
1953 krb5_error_code krb5int_rd_chpw_rep
1954         (krb5_context context, krb5_auth_context auth_context,
1955                        krb5_data *packet, int *result_code,
1956                        krb5_data *result_data);
1957 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
1958         (krb5_context context, int result_code,
1959                         char **result_codestr);
1960 krb5_error_code  krb5int_mk_setpw_req
1961         (krb5_context context, krb5_auth_context auth_context,
1962              krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
1963 krb5_error_code krb5int_rd_setpw_rep
1964         (krb5_context context, krb5_auth_context auth_context,
1965                        krb5_data *packet, int *result_code,
1966                        krb5_data *result_data);
1967 
1968 krb5_error_code krb5int_setpw_result_code_string
1969         (krb5_context context, int result_code,
1970                        const char **result_codestr);
1971 
1972 struct srv_dns_entry {
1973 	struct srv_dns_entry *next;
1974 	int priority;
1975 	int weight;
1976 	unsigned short port;
1977 	char *host;
1978 };
1979 
1980 krb5_error_code
1981 krb5int_make_srv_query_realm(const krb5_data *realm,
1982 	const char *service,
1983 	const char *protocol,
1984 	struct srv_dns_entry **answers);
1985 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
1986 
1987 /*
1988  * Convenience function for structure magic number
1989  */
1990 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
1991     if ((structure)->magic != (magic_number)) return (magic_number);
1992 
1993 
1994 /* SUNW14resync XXX - see k5-util.h */
1995 #if 0
1996 int krb5_seteuid  (int);
1997 #endif
1998 
1999 char * krb5_getenv(const char *);
2000 int krb5_setenv  (const char *, const char *, int);
2001 void krb5_unsetenv  (const char *);
2002 
2003 
2004 /* SUNW14resync - (from here to EOF) not sure if we need this but will add it
2005    for future resync sake */
2006 
2007 /* To keep happy libraries which are (for now) accessing internal stuff */
2008 
2009 /* Make sure to increment by one when changing the struct */
2010 #define KRB5INT_ACCESS_STRUCT_VERSION 9
2011 
2012 #ifndef ANAME_SZ
2013 struct ktext;                   /* from krb.h, for krb524 support */
2014 #endif
2015 typedef struct _krb5int_access {
2016     /* crypto stuff */
2017     const struct krb5_hash_provider *md5_hash_provider;
2018     const struct krb5_enc_provider *arcfour_enc_provider;
2019     krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
2020                                    const krb5_keyblock *key,
2021                                    unsigned int icount, const krb5_data *input,
2022                                    krb5_data *output);
2023     /* service location and communication */
2024 #ifndef _KERNEL
2025     krb5_error_code (*locate_server) (krb5_context, const krb5_data *,
2026                                       struct addrlist *, int,
2027                                       const char *, const char *,
2028                                       int, int, int, int);
2029     krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
2030                                    const struct addrlist *, krb5_data *reply,
2031                                    struct sockaddr *, socklen_t *, int *);
2032     krb5_error_code (*add_host_to_list)(struct addrlist *lp,
2033                                         const char *hostname,
2034                                         int port, int secport,
2035                                         int socktype, int family);
2036     void (*free_addrlist) (struct addrlist *);
2037 #endif /* _KERNEL */
2038 
2039 
2040     krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
2041                                             const char *service,
2042                                             const char *protocol,
2043                                             struct srv_dns_entry **answers);
2044     void (*free_srv_dns_data)(struct srv_dns_entry *);
2045     int (*use_dns_kdc)(krb5_context);
2046 
2047     /* krb4 compatibility stuff -- may be null if not enabled */
2048     krb5_int32 (*krb_life_to_time)(krb5_int32, int);
2049     int (*krb_time_to_life)(krb5_int32, krb5_int32);
2050     int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
2051     krb5_error_code (*krb5int_c_mandatory_cksumtype)
2052         (krb5_context, krb5_enctype, krb5_cksumtype *);
2053     krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
2054         (krb5_int64, krb5_octet **, size_t *);
2055     krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
2056         (krb5_int64 *, krb5_octet **, size_t *);
2057 } krb5int_access;
2058 
2059 #define KRB5INT_ACCESS_VERSION \
2060     (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
2061                    (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
2062 
2063 krb5_error_code KRB5_CALLCONV krb5int_accessor
2064         (krb5int_access*, krb5_int32);
2065 
2066 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
2067    because AFS (and potentially other applications?) use the krb4
2068    object as an opaque token, which (in some implementations) is not
2069    in fact a krb4 ticket, so we don't want to drag in the krb4 support
2070    just to enable this.  */
2071 
2072 #define KRB524_SERVICE "krb524"
2073 #define KRB524_PORT 4444
2074 
2075 /* v4lifetime.c */
2076 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
2077 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
2078 
2079 /* conv_creds.c */
2080 int krb5int_encode_v4tkt
2081         (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
2082 
2083 /* send524.c */
2084 int krb5int_524_sendto_kdc
2085         (krb5_context context, const krb5_data * message,
2086          const krb5_data * realm, krb5_data * reply,
2087          struct sockaddr *, socklen_t *);
2088 
2089 /* temporary -- this should be under lib/krb5/ccache somewhere */
2090 
2091 struct _krb5_ccache {
2092     krb5_magic magic;
2093     const struct _krb5_cc_ops *ops;
2094     krb5_pointer data;
2095 };
2096 
2097 struct _krb5_cc_ops {
2098     krb5_magic magic;
2099     char *prefix;
2100     const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
2101     krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
2102                                             const char *);
2103     krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2104     krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2105                                             krb5_principal);
2106     krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2107     krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2108     krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2109                                             krb5_creds *);
2110     krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2111                                             krb5_flags, krb5_creds *,
2112                                             krb5_creds *);
2113     krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2114                                             krb5_principal *);
2115     krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2116                                             krb5_cc_cursor *);
2117     krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2118                                             krb5_cc_cursor *, krb5_creds *);
2119     krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2120                                             krb5_cc_cursor *);
2121     krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2122                                             krb5_flags, krb5_creds *);
2123     krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2124                                             krb5_flags);
2125 };
2126 
2127 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2128 
2129 typedef struct _krb5_donot_replay {
2130     krb5_magic magic;
2131     krb5_ui_4 hash;
2132     char *server;                       /* null-terminated */
2133     char *client;                       /* null-terminated */
2134     krb5_int32 cusec;
2135     krb5_timestamp ctime;
2136 } krb5_donot_replay;
2137 
2138 krb5_error_code krb5_rc_default
2139         (krb5_context,
2140                 krb5_rcache *);
2141 krb5_error_code krb5_rc_resolve_type
2142         (krb5_context,
2143                 krb5_rcache *,char *);
2144 krb5_error_code krb5_rc_resolve_full
2145         (krb5_context,
2146                 krb5_rcache *,char *);
2147 char * krb5_rc_get_type
2148         (krb5_context,
2149                 krb5_rcache);
2150 char * krb5_rc_default_type
2151         (krb5_context);
2152 char * krb5_rc_default_name
2153         (krb5_context);
2154 krb5_error_code krb5_auth_to_rep
2155         (krb5_context,
2156                 krb5_tkt_authent *,
2157                 krb5_donot_replay *);
2158 
2159 krb5_error_code KRB5_CALLCONV krb5_rc_initialize
2160         (krb5_context, krb5_rcache,krb5_deltat);
2161 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
2162         (krb5_context, krb5_rcache,krb5_deltat);
2163 krb5_error_code KRB5_CALLCONV krb5_rc_recover
2164         (krb5_context, krb5_rcache);
2165 krb5_error_code KRB5_CALLCONV krb5_rc_destroy
2166         (krb5_context, krb5_rcache);
2167 krb5_error_code KRB5_CALLCONV krb5_rc_close
2168         (krb5_context, krb5_rcache);
2169 krb5_error_code KRB5_CALLCONV krb5_rc_store
2170         (krb5_context, krb5_rcache,krb5_donot_replay *);
2171 krb5_error_code KRB5_CALLCONV krb5_rc_expunge
2172         (krb5_context, krb5_rcache);
2173 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
2174         (krb5_context, krb5_rcache,krb5_deltat *);
2175 char *KRB5_CALLCONV krb5_rc_get_name
2176         (krb5_context, krb5_rcache);
2177 krb5_error_code KRB5_CALLCONV krb5_rc_resolve
2178         (krb5_context, krb5_rcache, char *);
2179 
2180 typedef struct _krb5_kt_ops {
2181     krb5_magic magic;
2182     char *prefix;
2183     /* routines always present */
2184     krb5_error_code (KRB5_CALLCONV *resolve)
2185         (krb5_context,
2186                  const char *,
2187                  krb5_keytab *);
2188     krb5_error_code (KRB5_CALLCONV *get_name)
2189         (krb5_context,
2190                  krb5_keytab,
2191                  char *,
2192                  unsigned int);
2193     krb5_error_code (KRB5_CALLCONV *close)
2194         (krb5_context,
2195                  krb5_keytab);
2196     krb5_error_code (KRB5_CALLCONV *get)
2197         (krb5_context,
2198                  krb5_keytab,
2199                  krb5_const_principal,
2200                  krb5_kvno,
2201                  krb5_enctype,
2202                  krb5_keytab_entry *);
2203     krb5_error_code (KRB5_CALLCONV *start_seq_get)
2204         (krb5_context,
2205                  krb5_keytab,
2206                  krb5_kt_cursor *);
2207     krb5_error_code (KRB5_CALLCONV *get_next)
2208         (krb5_context,
2209                  krb5_keytab,
2210                  krb5_keytab_entry *,
2211                  krb5_kt_cursor *);
2212     krb5_error_code (KRB5_CALLCONV *end_get)
2213         (krb5_context,
2214                  krb5_keytab,
2215                  krb5_kt_cursor *);
2216     /* routines to be included on extended version (write routines) */
2217     krb5_error_code (KRB5_CALLCONV *add)
2218         (krb5_context,
2219                  krb5_keytab,
2220                  krb5_keytab_entry *);
2221     krb5_error_code (KRB5_CALLCONV *remove)
2222         (krb5_context,
2223                  krb5_keytab,
2224                   krb5_keytab_entry *);
2225 
2226     /* Handle for serializer */
2227     const krb5_ser_entry *serializer;
2228 } krb5_kt_ops;
2229 
2230 extern const krb5_kt_ops krb5_kt_dfl_ops;
2231 
2232 extern krb5_error_code krb5int_translate_gai_error (int);
2233 
2234 /* Not sure it's ready for exposure just yet.  */
2235 extern krb5_error_code
2236 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
2237 
2238 extern int krb5int_crypto_init (void);
2239 extern int krb5int_prng_init(void);
2240 
2241 /*
2242  * SUNW14resync
2243  * Hack (?) to neuter C99 "inline" which causes warnings w/our build.
2244  */
2245 #define inline
2246 
2247 /* Solaris kerberos */
2248 krb5_boolean KRB5_CALLCONV is_in_keytype
2249 	(krb5_const krb5_enctype *keytype,
2250 	int numkeytypes, krb5_enctype enctype);
2251 
2252 /*
2253  * Solaris Kerberos
2254  * Use krb5_getuid() to select the mechanism to obtain the uid.
2255  */
2256 extern uid_t	krb5_getuid();
2257 /*
2258  * Referral definitions, debugging hooks, and subfunctions.
2259  */
2260 #define        KRB5_REFERRAL_MAXHOPS	5
2261 /* #define DEBUG_REFERRALS */
2262 
2263 #ifdef DEBUG_REFERRALS
2264 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2265 #endif
2266 
2267 /* Common hostname-parsing code. */
2268 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
2269 	(krb5_context,
2270 		const char *,
2271 		char *,
2272 		size_t);
2273 
2274 #endif /* _KRB5_INT_H */
2275