1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
|
/*
* $Id: krb.h,v 1.99 1999/11/16 14:02:47 bg Exp $
* $FreeBSD$
*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* <mit-copyright.h>.
*
* Include file for the Kerberos library.
*/
#if !defined (__STDC__) && !defined(_MSC_VER)
#define const
#define signed
#endif
#include <sys/types.h>
#include <time.h>
#ifndef __KRB_H__
#define __KRB_H__
/* XXX */
#ifndef __BEGIN_DECLS
#if defined(__cplusplus)
#define __BEGIN_DECLS extern "C" {
#define __END_DECLS };
#else
#define __BEGIN_DECLS
#define __END_DECLS
#endif
#endif
#if defined (__STDC__) || defined (_MSC_VER)
#ifndef __P
#define __P(x) x
#endif
#else
#ifndef __P
#define __P(x) ()
#endif
#endif
__BEGIN_DECLS
/* Need some defs from des.h */
#if !defined(NOPROTO) && !defined(__STDC__)
#define NOPROTO
#endif
#include <openssl/des.h>
/* CNS compatibility ahead! */
#ifndef KRB_INT32
#define KRB_INT32 int32_t
#endif
#ifndef KRB_UINT32
#define KRB_UINT32 u_int32_t
#endif
/* Global library variables. */
extern int krb_ignore_ip_address; /* To turn off IP address comparison */
extern int krb_no_long_lifetimes; /* To disable AFS compatible lifetimes */
extern int krbONE;
#define HOST_BYTE_ORDER (* (char *) &krbONE)
/* Debug variables */
extern int krb_debug;
extern int krb_ap_req_debug;
extern int krb_dns_debug;
/* Text describing error codes */
#define MAX_KRB_ERRORS 256
extern const char *krb_err_txt[MAX_KRB_ERRORS];
/* General definitions */
#define KSUCCESS 0
#define KFAILURE 255
/*
* Kerberos specific definitions
*
* KRBLOG is the log file for the kerberos master server. KRB_CONF is
* the configuration file where different host machines running master
* and slave servers can be found. KRB_MASTER is the name of the
* machine with the master database. The admin_server runs on this
* machine, and all changes to the db (as opposed to read-only
* requests, which can go to slaves) must go to it. KRB_HOST is the
* default machine * when looking for a kerberos slave server. Other
* possibilities are * in the KRB_CONF file. KRB_REALM is the name of
* the realm.
*/
/* /etc/kerberosIV is only for backwards compatibility, don't use it! */
#ifndef KRB_CONF
#define KRB_CONF "/etc/kerberosIV/krb.conf"
#endif
#ifndef KRB_RLM_TRANS
#define KRB_RLM_TRANS "/etc/kerberosIV/krb.realms"
#endif
#ifndef KRB_CNF_FILES
#define KRB_CNF_FILES { KRB_CONF, "/etc/krb.conf", 0}
#endif
#ifndef KRB_RLM_FILES
#define KRB_RLM_FILES { KRB_RLM_TRANS, "/etc/krb.realms", 0}
#endif
#ifndef KRB_EQUIV
#define KRB_EQUIV "/etc/kerberosIV/krb.equiv"
#endif
#define KRB_MASTER "kerberos"
#ifndef KRB_REALM
#define KRB_REALM (krb_get_default_realm())
#endif
/* The maximum sizes for aname, realm, sname, and instance +1 */
#define ANAME_SZ 40
#define REALM_SZ 40
#define SNAME_SZ 40
#define INST_SZ 40
/* Leave space for quoting */
#define MAX_K_NAME_SZ (2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3)
#define KKEY_SZ 100
#define VERSION_SZ 1
#define MSG_TYPE_SZ 1
#define DATE_SZ 26 /* RTI date output */
#define MAX_HSTNM 100 /* for compatibility */
typedef struct krb_principal{
char name[ANAME_SZ];
char instance[INST_SZ];
char realm[REALM_SZ];
}krb_principal;
#ifndef DEFAULT_TKT_LIFE /* allow compile-time override */
/* default lifetime for krb_mk_req & co., 10 hrs */
#define DEFAULT_TKT_LIFE 120
#endif
#define KRB_TICKET_GRANTING_TICKET "krbtgt"
/* Definition of text structure used to pass text around */
#define MAX_KTXT_LEN 1250
struct ktext {
unsigned int length; /* Length of the text */
unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
u_int32_t mbz; /* zero to catch runaway strings */
};
typedef struct ktext *KTEXT;
typedef struct ktext KTEXT_ST;
/* Definitions for send_to_kdc */
#define CLIENT_KRB_TIMEOUT 4 /* default time between retries */
#define CLIENT_KRB_RETRY 5 /* retry this many times */
#define CLIENT_KRB_BUFLEN 512 /* max unfragmented packet */
/* Definitions for ticket file utilities */
#define R_TKT_FIL 0
#define W_TKT_FIL 1
/* Parameters for rd_ap_req */
/* Maximum alloable clock skew in seconds */
#define CLOCK_SKEW 5*60
/* Filename for readservkey */
#ifndef KEYFILE
#define KEYFILE (krb_get_default_keyfile())
#endif
/* Structure definition for rd_ap_req */
struct auth_dat {
unsigned char k_flags; /* Flags from ticket */
char pname[ANAME_SZ]; /* Principal's name */
char pinst[INST_SZ]; /* His Instance */
char prealm[REALM_SZ]; /* His Realm */
u_int32_t checksum; /* Data checksum (opt) */
des_cblock session; /* Session Key */
int life; /* Life of ticket */
u_int32_t time_sec; /* Time ticket issued */
u_int32_t address; /* Address in ticket */
KTEXT_ST reply; /* Auth reply (opt) */
};
typedef struct auth_dat AUTH_DAT;
/* Structure definition for credentials returned by get_cred */
struct credentials {
char service[ANAME_SZ]; /* Service name */
char instance[INST_SZ]; /* Instance */
char realm[REALM_SZ]; /* Auth domain */
des_cblock session; /* Session key */
int lifetime; /* Lifetime */
int kvno; /* Key version number */
KTEXT_ST ticket_st; /* The ticket itself */
int32_t issue_date; /* The issue time */
char pname[ANAME_SZ]; /* Principal's name */
char pinst[INST_SZ]; /* Principal's instance */
};
typedef struct credentials CREDENTIALS;
/* Structure definition for rd_private_msg and rd_safe_msg */
struct msg_dat {
unsigned char *app_data; /* pointer to appl data */
u_int32_t app_length; /* length of appl data */
u_int32_t hash; /* hash to lookup replay */
int swap; /* swap bytes? */
int32_t time_sec; /* msg timestamp seconds */
unsigned char time_5ms; /* msg timestamp 5ms units */
};
typedef struct msg_dat MSG_DAT;
struct krb_host {
char *realm;
char *host;
enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto;
int port;
int admin;
};
/* Location of ticket file for save_cred and get_cred */
#define TKT_FILE tkt_string()
#ifndef TKT_ROOT
#define TKT_ROOT (krb_get_default_tkt_root())
#endif
/* Error codes returned from the KDC */
#define KDC_OK 0 /* Request OK */
#define KDC_NAME_EXP 1 /* Principal expired */
#define KDC_SERVICE_EXP 2 /* Service expired */
#define KDC_AUTH_EXP 3 /* Auth expired */
#define KDC_PKT_VER 4 /* Protocol version unknown */
#define KDC_P_MKEY_VER 5 /* Wrong master key version */
#define KDC_S_MKEY_VER 6 /* Wrong master key version */
#define KDC_BYTE_ORDER 7 /* Byte order unknown */
#define KDC_PR_UNKNOWN 8 /* Principal unknown */
#define KDC_PR_N_UNIQUE 9 /* Principal not unique */
#define KDC_NULL_KEY 10 /* Principal has null key */
#define KDC_GEN_ERR 20 /* Generic error from KDC */
/* Values returned by get_credentials */
#define GC_OK 0 /* Retrieve OK */
#define RET_OK 0 /* Retrieve OK */
#define GC_TKFIL 21 /* Can't read ticket file */
#define RET_TKFIL 21 /* Can't read ticket file */
#define GC_NOTKT 22 /* Can't find ticket or TGT */
#define RET_NOTKT 22 /* Can't find ticket or TGT */
/* Values returned by mk_ap_req */
#define MK_AP_OK 0 /* Success */
#define MK_AP_TGTEXP 26 /* TGT Expired */
/* Values returned by rd_ap_req */
#define RD_AP_OK 0 /* Request authentic */
#define RD_AP_UNDEC 31 /* Can't decode authenticator */
#define RD_AP_EXP 32 /* Ticket expired */
#define RD_AP_NYV 33 /* Ticket not yet valid */
#define RD_AP_REPEAT 34 /* Repeated request */
#define RD_AP_NOT_US 35 /* The ticket isn't for us */
#define RD_AP_INCON 36 /* Request is inconsistent */
#define RD_AP_TIME 37 /* delta_t too big */
#define RD_AP_BADD 38 /* Incorrect net address */
#define RD_AP_VERSION 39 /* protocol version mismatch */
#define RD_AP_MSG_TYPE 40 /* invalid msg type */
#define RD_AP_MODIFIED 41 /* message stream modified */
#define RD_AP_ORDER 42 /* message out of order */
#define RD_AP_UNAUTHOR 43 /* unauthorized request */
/* Values returned by get_pw_tkt */
#define GT_PW_OK 0 /* Got password changing tkt */
#define GT_PW_NULL 51 /* Current PW is null */
#define GT_PW_BADPW 52 /* Incorrect current password */
#define GT_PW_PROT 53 /* Protocol Error */
#define GT_PW_KDCERR 54 /* Error returned by KDC */
#define GT_PW_NULLTKT 55 /* Null tkt returned by KDC */
/* Values returned by send_to_kdc */
#define SKDC_OK 0 /* Response received */
#define SKDC_RETRY 56 /* Retry count exceeded */
#define SKDC_CANT 57 /* Can't send request */
/*
* Values returned by get_intkt
* (can also return SKDC_* and KDC errors)
*/
#define INTK_OK 0 /* Ticket obtained */
#define INTK_W_NOTALL 61 /* Not ALL tickets returned */
#define INTK_BADPW 62 /* Incorrect password */
#define INTK_PROT 63 /* Protocol Error */
#define INTK_ERR 70 /* Other error */
/* Values returned by get_adtkt */
#define AD_OK 0 /* Ticket Obtained */
#define AD_NOTGT 71 /* Don't have tgt */
#define AD_INTR_RLM_NOTGT 72 /* Can't get inter-realm tgt */
/* Error codes returned by ticket file utilities */
#define NO_TKT_FIL 76 /* No ticket file found */
#define TKT_FIL_ACC 77 /* Couldn't access tkt file */
#define TKT_FIL_LCK 78 /* Couldn't lock ticket file */
#define TKT_FIL_FMT 79 /* Bad ticket file format */
#define TKT_FIL_INI 80 /* tf_init not called first */
/* Error code returned by kparse_name */
#define KNAME_FMT 81 /* Bad Kerberos name format */
/* Error code returned by krb_mk_safe */
#define SAFE_PRIV_ERROR -1 /* syscall error */
/* Defines for krb_sendauth and krb_recvauth */
#define KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */
#define KOPT_DO_MUTUAL 0x00000002 /* do mutual auth */
#define KOPT_DONT_CANON 0x00000004 /*
* don't canonicalize inst as
* a hostname
*/
#define KOPT_IGNORE_PROTOCOL 0x0008
#define KRB_SENDAUTH_VLEN 8 /* length for version strings */
/* flags for krb_verify_user() */
#define KRB_VERIFY_NOT_SECURE 0
#define KRB_VERIFY_SECURE 1
#define KRB_VERIFY_SECURE_FAIL 2
extern char *krb4_version;
typedef int (*key_proc_t) __P((const char *name,
char *instance, /* INOUT parameter */
const char *realm,
const void *password,
des_cblock *key));
typedef int (*decrypt_proc_t) __P((const char *name,
const char *instance,
const char *realm,
const void *arg,
key_proc_t,
KTEXT *));
#include "krb-protos.h"
__END_DECLS
#endif /* __KRB_H__ */
|