1 /* 2 | * Copyright 2003 Sun Microsystems, Inc. All rights reserved. 2 | * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 /* 7 * Copyright (C) 1989-1995 by the Massachusetts Institute of Technology, 8 * Cambridge, MA, USA. All Rights Reserved. 9 * 10 * This software is being provided to you, the LICENSEE, by the 11 * Massachusetts Institute of Technology (M.I.T.) under the following 12 * license. By obtaining, using and/or copying this software, you agree 13 * that you have read, understood, and will comply with these terms and 14 * conditions: 15 * 16 * Export of this software from the United States of America may 17 * require a specific license from the United States Government. 18 * It is the responsibility of any person or organization contemplating 19 * export to obtain such a license before exporting. 20 * 21 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute 22 * this software and its documentation for any purpose and without fee or 23 * royalty is hereby granted, provided that you agree to comply with the 24 * following copyright notice and statements, including the disclaimer, and 25 * that the same appear on ALL copies of the software and documentation, 26 * including modifications that you make for internal use or for 27 * distribution: 28 * 29 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS 30 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not 31 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF 32 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF 33 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY 34 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. 35 * 36 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT 37 * be used in advertising or publicity pertaining to distribution of the 38 * software. 
Title to copyright in this software and any associated 39 * documentation shall at all times remain with M.I.T., and USER agrees to 40 * preserve same. 41 */ 42 /* 43 * Copyright (C) 1998 by the FundsXpress, INC. 44 * 45 * All rights reserved. 46 * 47 * Export of this software from the United States of America may require 48 * a specific license from the United States Government. It is the 49 * responsibility of any person or organization contemplating export to 50 * obtain such a license before exporting. 51 * 52 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 53 * distribute this software and its documentation for any purpose and 54 * without fee is hereby granted, provided that the above copyright 55 * notice appear in all copies and that both that copyright notice and 56 * this permission notice appear in supporting documentation, and that 57 * the name of FundsXpress. not be used in advertising or publicity pertaining 58 * to distribution of the software without specific, written prior 59 * permission. FundsXpress makes no representations about the suitability of 60 * this software for any purpose. It is provided "as is" without express 61 * or implied warranty. 62 * 63 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 64 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 65 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 66 */ 67 68 /* 69 * This prototype for k5-int.h (Krb5 internals include file) 70 * includes the user-visible definitions from krb5.h and then 71 * includes other definitions that are not user-visible but are 72 * required for compiling Kerberos internal routines. 
73 * 74 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995 75 */ 76 77 #ifndef _KRB5_INT_H 78 #define _KRB5_INT_H 79 80 | #pragma ident "@(#)k5-int.h 1.18 04/09/08 SMI" 80 | #pragma ident "@(#)k5-int.h 1.17 04/05/04 SMI" 81 82 #ifndef _KERNEL 83 #include <osconf.h> 84 #include <security/cryptoki.h> 85 #else 86 #include <sys/crypto/common.h> 87 #include <sys/crypto/api.h> 88 #endif 89 90 #ifdef DEBUG 91 #if !defined(KRB5_DEBUG) 92 #define KRB5_DEBUG 93 #endif 94 #ifndef KRB5_LOG_LVL 95 #define KRB5_LOG_LVL KRB5_ERR 96 #endif 97 #endif /* DEBUG */ 98 99 #ifdef _KERNEL 100 101 #ifdef DEBUG 102 #include <sys/types.h> 103 #include <sys/cmn_err.h> 104 extern void prom_printf(); 105 #endif /* DEBUG */ 106 107 #else /* !_KERNEL */ 108 109 #define prom_printf printf 110 111 #endif /* !_KERNEL */ 112 113 #ifdef KRB5_LOG_LVL 114 115 /* krb5_log is used to set the logging level to determine what class of messages 116 * are output by the mech. Note, more than one logging level can be used by 117 * bit or'ing the log values together. 118 * 119 * All log messages are captured by syslog. 120 */ 121 122 extern unsigned int krb5_log; 123 124 /* Note, these defines should be mutually exclusive bit fields */ 125 #define KRB5_ERR 1 /* Use this debug log level for error path logging. */ 126 #define KRB5_INFO 2 /* Use this debug log level for informational messages. 
*/ 127 128 #ifdef _KERNEL 129 130 #define KRB5_LOG1(A, B, C, D) \ 131 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C), (D)), TRUE))) 132 #define KRB5_LOG(A, B, C) \ 133 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B), (C)), TRUE))) 134 #define KRB5_LOG0(A, B) \ 135 ((void)((krb5_log) && (krb5_log & (A)) && (printf((B)), TRUE))) 136 137 #else /* !_KERNEL */ 138 139 #include <syslog.h> 140 141 #define KRB5_LOG1(A, B, C, D) \ 142 ((void)((krb5_log) && (krb5_log & (A)) && \ 143 (syslog(LOG_DEBUG, (B), (C), (D)), TRUE))) 144 #define KRB5_LOG(A, B, C) \ 145 ((void)((krb5_log) && (krb5_log & (A)) && \ 146 (syslog(LOG_DEBUG, (B), (C)), TRUE))) 147 #define KRB5_LOG0(A, B) \ 148 ((void)((krb5_log) && (krb5_log & (A)) && \ 149 (syslog(LOG_DEBUG, B), TRUE))) 150 151 #endif /* _KERNEL */ 152 153 #else /* ! KRB5_LOG_LVL */ 154 155 #define KRB5_LOG1(A, B, C, D) 156 #define KRB5_LOG(A, B, C) 157 #define KRB5_LOG0(A, B) 158 159 #endif /* KRB5_LOG_LVL */ 160 161 /* Compatibility switch for SAM preauth */ 162 #define AS_REP_105_SAM_COMPAT 163 164 #ifdef POSIX_TYPES 165 #define timetype time_t 166 #else 167 #define timetype long 168 #endif 169 170 /* 171 * Begin "k5-config.h" 172 */ 173 #ifndef KRB5_CONFIG__ 174 #define KRB5_CONFIG__ 175 176 /* 177 * Machine-type definitions: PC Clone 386 running Microsoft Windows 178 */ 179 180 #if defined(_MSDOS) || defined(_WIN32) || defined(macintosh) 181 #include "win-mac.h" 182 #if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__) 183 #pragma import on 184 #endif 185 #endif 186 187 #if defined(_MSDOS) || defined(_WIN32) 188 /* Kerberos Windows initialization file */ 189 #define KERBEROS_INI "kerberos.ini" 190 #define INI_FILES "Files" 191 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */ 192 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */ 193 #define HAVE_LABS 194 #define ANSI_STDIO 195 #endif 196 197 198 #ifndef macintosh 199 #if defined(__MWERKS__) || defined(applec) || 
defined(THINK_C) 200 #define macintosh 201 #define SIZEOF_INT 4 202 #define SIZEOF_SHORT 2 203 #define HAVE_SRAND 204 #define NO_PASSWORD 205 #define HAVE_LABS 206 /*#define ENOMEM -1*/ 207 #define ANSI_STDIO 208 #ifndef _SIZET 209 typedef unsigned int size_t; 210 #define _SIZET 211 #endif 212 #include <unix.h> 213 #include <ctype.h> 214 #endif 215 #endif 216 217 #ifndef _KERNEL 218 #ifndef KRB5_AUTOCONF__ 219 #define KRB5_AUTOCONF__ 220 #include <autoconf.h> 221 #endif 222 #endif /* !_KERNEL */ 223 224 #ifndef KRB5_SYSTYPES__ 225 #define KRB5_SYSTYPES__ 226 227 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */ 228 #include <sys/types.h> 229 #else /* HAVE_SYS_TYPES_H */ 230 #endif /* HAVE_SYS_TYPES_H */ 231 #endif /* KRB5_SYSTYPES__ */ 232 233 #ifdef SYSV 234 /* Change srandom and random to use rand and srand */ 235 /* Taken from the Sandia changes. XXX We should really just include */ 236 /* srandom and random into Kerberos release, since rand() is a really */ 237 /* bad random number generator.... [tytso:19920616.2231EDT] */ 238 #define random() rand() 239 #define srandom(a) srand(a) 240 #endif /* SYSV */ 241 242 typedef uint64_t krb5_ui_8; 243 typedef int64_t krb5_int64; 244 245 #define DEFAULT_PWD_STRING1 "Enter password:" 246 #define DEFAULT_PWD_STRING2 "Re-enter password for verification:" 247 248 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ 249 #define KRB5_KDB_MAX_RLIFE (60*60*24*365) /* one year */ 250 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */ 251 #define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */ 252 #define KRB5_DEFAULT_RENEW_LIFE 7*24*60*60 /* 7 Days */ 253 254 /* 255 * Windows requires a different api interface to each function. Here 256 * just define it as NULL. 
257 */ 258 #ifndef KRB5_CALLCONV 259 #define KRB5_CALLCONV 260 #define KRB5_CALLCONV_C 261 #define KRB5_DLLIMP 262 #define GSS_DLLIMP 263 #define KRB5_EXPORTVAR 264 #define FAR 265 #define NEAR 266 #endif 267 #ifndef O_BINARY 268 #define O_BINARY 0 269 #endif 270 271 #ifndef HAVE_LABS 272 #define labs(x) abs(x) 273 #endif 274 275 #endif /* KRB5_CONFIG__ */ 276 277 /* 278 * End "k5-config.h" 279 */ 280 281 /* 282 * After loading the configuration definitions, load the Kerberos definitions. 283 */ 284 #include <krb5.h> 285 286 #ifndef _KERNEL 287 #ifdef NEED_SOCKETS 288 #include <port-sockets.h> 289 #include <socket-utils.h> 290 #else 291 #ifndef SOCK_DGRAM 292 struct sockaddr; 293 #endif 294 #endif 295 #endif 296 297 /* krb5/krb5.h includes many other .h files in the krb5 subdirectory. 298 The ones that it doesn't include, we include below. */ 299 300 /* 301 * Begin "k5-errors.h" 302 */ 303 #ifndef KRB5_ERRORS__ 304 #define KRB5_ERRORS__ 305 306 307 /* Error codes used in KRB_ERROR protocol messages. 
308 Return values of library routines are based on a different error table 309 (which allows non-ambiguous error codes between subsystems) */ 310 311 /* KDC errors */ 312 #define KDC_ERR_NONE 0 /* No error */ 313 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */ 314 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */ 315 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */ 316 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */ 317 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */ 318 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */ 319 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */ 320 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */ 321 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */ 322 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */ 323 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */ 324 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */ 325 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. 
*/ 326 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */ 327 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */ 328 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */ 329 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */ 330 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */ 331 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */ 332 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */ 333 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */ 334 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */ 335 #define KDC_ERR_KEY_EXP 23 /* Password has expired */ 336 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */ 337 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */ 338 /* required */ 339 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */ 340 /* ticket don't match*/ 341 /* Application errors */ 342 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */ 343 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */ 344 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */ 345 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */ 346 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */ 347 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */ 348 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */ 349 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */ 350 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */ 351 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */ 352 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */ 353 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */ 354 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */ 355 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */ 356 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */ 357 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect 
message direction */ 358 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */ 359 /* method required */ 360 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */ 361 /* in message */ 362 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */ 363 /* checksum in message */ 364 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */ 365 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */ 366 /* retry with TCP */ 367 368 /* other errors */ 369 #define KRB_ERR_GENERIC 60 /* Generic error (description */ 370 /* in e-text) */ 371 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */ 372 373 #endif /* KRB5_ERRORS__ */ 374 /* 375 * End "k5-errors.h" 376 */ 377 378 /* 379 * This structure is returned in the e-data field of the KRB-ERROR 380 * message when the error calling for an alternative form of 381 * authentication is returned, KRB_AP_METHOD. 382 */ 383 typedef struct _krb5_alt_method { 384 krb5_magic magic; 385 krb5_int32 method; 386 unsigned int length; 387 krb5_octet *data; 388 } krb5_alt_method; ----Unchanged portion omitted---- 1197 1198 #endif /* !_KERNEL */ 1199 1200 struct _krb5_context { 1201 krb5_magic magic; 1202 krb5_enctype *in_tkt_ktypes; 1203 int in_tkt_ktype_count; 1204 krb5_enctype *tgs_ktypes; 1205 int tgs_ktype_count; 1206 void *os_context; 1207 char *default_realm; 1208 int ser_ctx_count; 1209 krb5_boolean profile_secure; 1210 void *ser_ctx; 1211 #ifndef _KERNEL 1212 profile_t profile; 1213 void *db_context; 1214 + void *kdblog_context; 1215 /* allowable clock skew */ 1216 krb5_deltat clockskew; 1217 krb5_cksumtype kdc_req_sumtype; 1218 krb5_cksumtype default_ap_req_sumtype; 1219 krb5_cksumtype default_safe_sumtype; 1220 krb5_flags kdc_default_options; 1221 krb5_flags library_options; 1222 int fcc_default_format; 1223 int scc_default_format; 1224 krb5_prompt_type *prompt_types; 1225 /* Message size above which we'll try TCP first in send-to-kdc 1226 type code. 
Aside from the 2**16 size limit, we put no 1227 absolute limit on the UDP packet size. */ 1228 int udp_pref_limit; 1229 1230 /* This is the tgs_ktypes list as read from the profile, or 1231 set to compiled-in defaults. The application code cannot 1232 override it. This is used for session keys for 1233 intermediate ticket-granting tickets used to acquire the 1234 requested ticket (the session key of which may be 1235 constrained by tgs_ktypes above). */ 1236 krb5_enctype *conf_tgs_ktypes; 1237 int conf_tgs_ktypes_count; 1238 1239 /* Use the _configured version? */ 1240 krb5_boolean use_conf_ktypes; 1241 #ifdef KRB5_DNS_LOOKUP 1242 krb5_boolean profile_in_memory; 1243 #endif /* KRB5_DNS_LOOKUP */ 1244 1245 /* Solaris Kerberos: handles for PKCS#11 crypto */ 1246 CK_SESSION_HANDLE hSession; 1247 CK_OBJECT_HANDLE hKey; 1248 int cryptoki_initialized; 1249 arcfour_ctx_rec arcfour_ctx; 1250 #else 1251 crypto_mech_type_t kef_cipher_mt; 1252 crypto_mech_type_t kef_hash_mt; 1253 crypto_mech_type_t kef_cksum_mt; 1254 #endif /* _KERNEL */ 1255 }; ----Unchanged portion omitted----
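Review bot: The new `kdblog_context` member added to `struct _krb5_context` (file line 1214, in the `#ifndef _KERNEL` arm) carries no comment, and nothing in the hunk shows who allocates it, who releases it, or whether it is expected to start out NULL; the adjacent `db_context` is equally bare, but a new pointer member holding a separately managed handle should at least name its owner. A suggested line is `void *kdblog_context; /* presumably the KDB update-log handle; TODO(review): document which routine sets it and which routine frees it */`. Because the member is inserted in the middle of the struct rather than appended, every member that follows it in that arm (`clockskew` through `arcfour_ctx`) shifts, so any separately compiled code that includes k5-int.h and touches this non-opaque struct must be rebuilt against the new layout; if layout compatibility matters for the consumers of this header, placing the field at the end of the `#ifndef _KERNEL` arm avoids that. The struct definition is complete within this view, so the comment can go directly on the field.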