1 /* $NetBSD: krb5.h,v 1.4 2023/06/19 21:41:44 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 21 * 3. Neither the name of the Institute nor the names of its contributors 22 * may be used to endorse or promote products derived from this software 23 * without specific prior written permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 */ 37 38 /* Id */ 39 40 #ifndef __KRB5_H__ 41 #define __KRB5_H__ 42 43 #include <time.h> 44 #include <krb5/krb5-types.h> 45 46 #include <krb5/asn1_err.h> 47 #include <krb5/krb5_err.h> 48 #include <krb5/heim_err.h> 49 #include <krb5/k524_err.h> 50 51 #include <krb5/krb5_asn1.h> 52 53 /* name confusion with MIT */ 54 #ifndef KRB5KDC_ERR_KEY_EXP 55 #define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED 56 #endif 57 58 #ifdef _WIN32 59 #define KRB5_CALLCONV __stdcall 60 #else 61 #define KRB5_CALLCONV 62 #endif 63 64 /* simple constants */ 65 66 #ifndef TRUE 67 #define TRUE 1 68 #define FALSE 0 69 #endif 70 71 typedef int krb5_boolean; 72 73 typedef int32_t krb5_error_code; 74 75 typedef int32_t krb5_kvno; 76 77 typedef uint32_t krb5_flags; 78 79 typedef void *krb5_pointer; 80 typedef const void *krb5_const_pointer; 81 82 struct krb5_crypto_data; 83 typedef struct krb5_crypto_data *krb5_crypto; 84 85 struct krb5_get_creds_opt_data; 86 typedef struct krb5_get_creds_opt_data *krb5_get_creds_opt; 87 88 struct krb5_digest_data; 89 typedef struct krb5_digest_data *krb5_digest; 90 struct krb5_ntlm_data; 91 typedef struct krb5_ntlm_data *krb5_ntlm; 92 93 struct krb5_pac_data; 94 typedef struct krb5_pac_data *krb5_pac; 95 96 typedef struct krb5_rd_req_in_ctx_data *krb5_rd_req_in_ctx; 97 typedef struct krb5_rd_req_out_ctx_data *krb5_rd_req_out_ctx; 98 99 typedef CKSUMTYPE krb5_cksumtype; 100 101 typedef Checksum krb5_checksum; 102 103 typedef ENCTYPE krb5_enctype; 104 105 typedef struct krb5_get_init_creds_ctx *krb5_init_creds_context; 106 107 typedef heim_octet_string krb5_data; 108 109 /* PKINIT related forward declarations */ 110 struct ContentInfo; 111 struct krb5_pk_identity; 112 struct krb5_pk_cert; 113 114 /* krb5_enc_data is a mit compat structure */ 115 typedef struct krb5_enc_data { 116 krb5_enctype enctype; 117 krb5_kvno kvno; 118 krb5_data ciphertext; 119 } krb5_enc_data; 120 121 /* alternative names */ 122 #define ENCTYPE_NULL KRB5_ENCTYPE_NULL 123 #define ENCTYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC 124 #define ENCTYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4 125 #define ENCTYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5 126 #define ENCTYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5 127 #define ENCTYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1 128 #define ENCTYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE 129 #define ENCTYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV 130 #define ENCTYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB 131 #define ENCTYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1 132 #define ENCTYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 133 #define ENCTYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 134 #define ENCTYPE_ARCFOUR_HMAC KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 135 #define ENCTYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 136 #define ENCTYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56 137 #define ENCTYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS 138 #define ENCTYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE 139 #define ENCTYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE 140 #define ENCTYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE 141 #define ENCTYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE 142 #define ETYPE_NULL KRB5_ENCTYPE_NULL 143 #define ETYPE_DES_CBC_CRC KRB5_ENCTYPE_DES_CBC_CRC 144 #define ETYPE_DES_CBC_MD4 KRB5_ENCTYPE_DES_CBC_MD4 145 #define ETYPE_DES_CBC_MD5 KRB5_ENCTYPE_DES_CBC_MD5 146 #define ETYPE_DES3_CBC_MD5 KRB5_ENCTYPE_DES3_CBC_MD5 147 #define ETYPE_OLD_DES3_CBC_SHA1 KRB5_ENCTYPE_OLD_DES3_CBC_SHA1 148 #define ETYPE_SIGN_DSA_GENERATE KRB5_ENCTYPE_SIGN_DSA_GENERATE 149 #define ETYPE_ENCRYPT_RSA_PRIV KRB5_ENCTYPE_ENCRYPT_RSA_PRIV 150 #define ETYPE_ENCRYPT_RSA_PUB KRB5_ENCTYPE_ENCRYPT_RSA_PUB 151 #define ETYPE_DES3_CBC_SHA1 KRB5_ENCTYPE_DES3_CBC_SHA1 152 #define ETYPE_AES128_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 153 #define ETYPE_AES256_CTS_HMAC_SHA1_96 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96 154 #define ETYPE_AES128_CTS_HMAC_SHA256_128 KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128 155 #define ETYPE_AES256_CTS_HMAC_SHA384_192 KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192 156 #define ETYPE_ARCFOUR_HMAC_MD5 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5 157 #define ETYPE_ARCFOUR_HMAC_MD5_56 KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56 158 #define ETYPE_ENCTYPE_PK_CROSS KRB5_ENCTYPE_ENCTYPE_PK_CROSS 159 #define ETYPE_ARCFOUR_MD4 KRB5_ENCTYPE_ARCFOUR_MD4 160 #define ETYPE_ARCFOUR_HMAC_OLD KRB5_ENCTYPE_ARCFOUR_HMAC_OLD 161 #define ETYPE_ARCFOUR_HMAC_OLD_EXP KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP 162 #define ETYPE_DES_CBC_NONE KRB5_ENCTYPE_DES_CBC_NONE 163 #define ETYPE_DES3_CBC_NONE KRB5_ENCTYPE_DES3_CBC_NONE 164 #define ETYPE_DES_CFB64_NONE KRB5_ENCTYPE_DES_CFB64_NONE 165 #define ETYPE_DES_PCBC_NONE KRB5_ENCTYPE_DES_PCBC_NONE 166 #define ETYPE_DIGEST_MD5_NONE KRB5_ENCTYPE_DIGEST_MD5_NONE 167 #define ETYPE_CRAM_MD5_NONE KRB5_ENCTYPE_CRAM_MD5_NONE 168 169 /* PDU types */ 170 typedef enum krb5_pdu { 171 KRB5_PDU_ERROR = 0, 172 KRB5_PDU_TICKET = 1, 173 KRB5_PDU_AS_REQUEST = 2, 174 KRB5_PDU_AS_REPLY = 3, 175 KRB5_PDU_TGS_REQUEST = 4, 176 KRB5_PDU_TGS_REPLY = 5, 177 KRB5_PDU_AP_REQUEST = 6, 178 KRB5_PDU_AP_REPLY = 7, 179 KRB5_PDU_KRB_SAFE = 8, 180 KRB5_PDU_KRB_PRIV = 9, 181 KRB5_PDU_KRB_CRED = 10, 182 KRB5_PDU_NONE = 11 /* See krb5_get_permitted_enctypes() */ 183 } krb5_pdu; 184 185 typedef PADATA_TYPE krb5_preauthtype; 186 187 typedef enum krb5_key_usage { 188 KRB5_KU_PA_ENC_TIMESTAMP = 1, 189 /* AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the 190 client key (section 5.4.1) */ 191 KRB5_KU_TICKET = 2, 192 /* AS-REP Ticket and TGS-REP Ticket (includes tgs session key or 193 application session key), encrypted with the service key 194 (section 5.4.2) */ 195 KRB5_KU_AS_REP_ENC_PART = 3, 196 /* AS-REP encrypted part (includes tgs session key or application 197 session key), encrypted with the client key (section 5.4.2) */ 198 KRB5_KU_TGS_REQ_AUTH_DAT_SESSION = 4, 199 /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs 200 session key (section 5.4.1) */ 201 KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY = 5, 202 /* TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs 203 authenticator subkey (section 5.4.1) */ 204 KRB5_KU_TGS_REQ_AUTH_CKSUM = 6, 205 /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed 206 with the tgs session key (sections 5.3.2, 5.4.1) */ 207 KRB5_KU_TGS_REQ_AUTH = 7, 208 /* TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs 209 authenticator subkey), encrypted with the tgs session key 210 (section 5.3.2) */ 211 KRB5_KU_TGS_REP_ENC_PART_SESSION = 8, 212 /* TGS-REP encrypted part (includes application session key), 213 encrypted with the tgs session key (section 5.4.2) */ 214 KRB5_KU_TGS_REP_ENC_PART_SUB_KEY = 9, 215 /* TGS-REP encrypted part (includes application session key), 216 encrypted with the tgs authenticator subkey (section 5.4.2) */ 217 KRB5_KU_AP_REQ_AUTH_CKSUM = 10, 218 /* AP-REQ Authenticator cksum, keyed with the application session 219 key (section 5.3.2) */ 220 KRB5_KU_AP_REQ_AUTH = 11, 221 /* AP-REQ Authenticator (includes application authenticator 222 subkey), encrypted with the application session key (section 223 5.3.2) */ 224 KRB5_KU_AP_REQ_ENC_PART = 12, 225 /* AP-REP encrypted part (includes application session subkey), 226 encrypted with the application session key (section 5.5.2) */ 227 KRB5_KU_KRB_PRIV = 13, 228 /* KRB-PRIV encrypted part, encrypted with a key chosen by the 229 application (section 5.7.1) */ 230 KRB5_KU_KRB_CRED = 14, 231 /* KRB-CRED encrypted part, encrypted with a key chosen by the 232 application (section 5.8.1) */ 233 KRB5_KU_KRB_SAFE_CKSUM = 15, 234 /* KRB-SAFE cksum, keyed with a key chosen by the application 235 (section 5.6.1) */ 236 KRB5_KU_OTHER_ENCRYPTED = 16, 237 /* Data which is defined in some specification outside of 238 Kerberos to be encrypted using an RFC1510 encryption type. */ 239 KRB5_KU_OTHER_CKSUM = 17, 240 /* Data which is defined in some specification outside of 241 Kerberos to be checksummed using an RFC1510 checksum type. */ 242 KRB5_KU_KRB_ERROR = 18, 243 /* Krb-error checksum */ 244 KRB5_KU_AD_KDC_ISSUED = 19, 245 /* AD-KDCIssued checksum */ 246 KRB5_KU_MANDATORY_TICKET_EXTENSION = 20, 247 /* Checksum for Mandatory Ticket Extensions */ 248 KRB5_KU_AUTH_DATA_TICKET_EXTENSION = 21, 249 /* Checksum in Authorization Data in Ticket Extensions */ 250 KRB5_KU_USAGE_SEAL = 22, 251 /* seal in GSSAPI krb5 mechanism */ 252 KRB5_KU_USAGE_SIGN = 23, 253 /* sign in GSSAPI krb5 mechanism */ 254 KRB5_KU_USAGE_SEQ = 24, 255 /* SEQ in GSSAPI krb5 mechanism */ 256 KRB5_KU_USAGE_ACCEPTOR_SEAL = 22, 257 /* acceptor sign in GSSAPI CFX krb5 mechanism */ 258 KRB5_KU_USAGE_ACCEPTOR_SIGN = 23, 259 /* acceptor seal in GSSAPI CFX krb5 mechanism */ 260 KRB5_KU_USAGE_INITIATOR_SEAL = 24, 261 /* initiator sign in GSSAPI CFX krb5 mechanism */ 262 KRB5_KU_USAGE_INITIATOR_SIGN = 25, 263 /* initiator seal in GSSAPI CFX krb5 mechanism */ 264 KRB5_KU_PA_SERVER_REFERRAL_DATA = 22, 265 /* encrypted server referral data */ 266 KRB5_KU_SAM_CHECKSUM = 25, 267 /* Checksum for the SAM-CHECKSUM field */ 268 KRB5_KU_SAM_ENC_TRACK_ID = 26, 269 /* Encryption of the SAM-TRACK-ID field */ 270 KRB5_KU_PA_SERVER_REFERRAL = 26, 271 /* Keyusage for the server referral in a TGS req */ 272 KRB5_KU_SAM_ENC_NONCE_SAD = 27, 273 /* Encryption of the SAM-NONCE-OR-SAD field */ 274 KRB5_KU_PA_PKINIT_KX = 44, 275 /* Encryption type of the kdc session contribution in pk-init */ 276 KRB5_KU_AS_REQ = 56, 277 /* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */ 278 KRB5_KU_FAST_REQ_CHKSUM = 50, 279 /* FAST armor checksum */ 280 KRB5_KU_FAST_ENC = 51, 281 /* FAST armor encryption */ 282 KRB5_KU_FAST_REP = 52, 283 /* FAST armor reply */ 284 KRB5_KU_FAST_FINISHED = 53, 285 /* FAST finished checksum */ 286 KRB5_KU_ENC_CHALLENGE_CLIENT = 54, 287 /* fast challenge from client */ 288 KRB5_KU_ENC_CHALLENGE_KDC = 55, 289 /* fast challenge from kdc */ 290 KRB5_KU_DIGEST_ENCRYPT = -18, 291 /* Encryption key usage used in the digest encryption field */ 292 KRB5_KU_DIGEST_OPAQUE = -19, 293 /* Checksum key usage used in the digest opaque field */ 294 KRB5_KU_KRB5SIGNEDPATH = -21, 295 /* Checksum key usage on KRB5SignedPath */ 296 KRB5_KU_CANONICALIZED_NAMES = -23, 297 /* Checksum key usage on PA-CANONICALIZED */ 298 KRB5_KU_H5L_COOKIE = -25 299 /* encrypted foo */ 300 } krb5_key_usage; 301 302 typedef krb5_key_usage krb5_keyusage; 303 304 typedef enum krb5_salttype { 305 KRB5_PW_SALT = KRB5_PADATA_PW_SALT, 306 KRB5_AFS3_SALT = KRB5_PADATA_AFS3_SALT 307 }krb5_salttype; 308 309 typedef struct krb5_salt { 310 krb5_salttype salttype; 311 krb5_data saltvalue; 312 } krb5_salt; 313 314 typedef ETYPE_INFO krb5_preauthinfo; 315 316 typedef struct { 317 krb5_preauthtype type; 318 krb5_preauthinfo info; /* list of preauthinfo for this type */ 319 } krb5_preauthdata_entry; 320 321 typedef struct krb5_preauthdata { 322 unsigned len; 323 krb5_preauthdata_entry *val; 324 }krb5_preauthdata; 325 326 typedef enum krb5_address_type { 327 KRB5_ADDRESS_INET = 2, 328 KRB5_ADDRESS_NETBIOS = 20, 329 KRB5_ADDRESS_INET6 = 24, 330 KRB5_ADDRESS_ADDRPORT = 256, 331 KRB5_ADDRESS_IPPORT = 257 332 } krb5_address_type; 333 334 enum { 335 AP_OPTS_USE_SESSION_KEY = 1, 336 AP_OPTS_MUTUAL_REQUIRED = 2, 337 AP_OPTS_USE_SUBKEY = 4 /* library internal */ 338 }; 339 340 typedef HostAddress krb5_address; 341 342 typedef HostAddresses krb5_addresses; 343 344 typedef krb5_enctype krb5_keytype; 345 346 enum krb5_keytype_old { 347 KEYTYPE_NULL = ETYPE_NULL, 348 KEYTYPE_DES = ETYPE_DES_CBC_CRC, 349 KEYTYPE_DES3 = ETYPE_OLD_DES3_CBC_SHA1, 350 KEYTYPE_AES128 = ETYPE_AES128_CTS_HMAC_SHA1_96, 351 KEYTYPE_AES256 = ETYPE_AES256_CTS_HMAC_SHA1_96, 352 KEYTYPE_ARCFOUR = ETYPE_ARCFOUR_HMAC_MD5, 353 KEYTYPE_ARCFOUR_56 = ETYPE_ARCFOUR_HMAC_MD5_56 354 }; 355 356 typedef EncryptionKey krb5_keyblock; 357 358 typedef AP_REQ krb5_ap_req; 359 360 struct krb5_cc_ops; 361 362 #ifdef _WIN32 363 #define KRB5_USE_PATH_TOKENS 1 364 #endif 365 366 #ifdef KRB5_USE_PATH_TOKENS 367 #define KRB5_DEFAULT_CCFILE_ROOT "%{TEMP}/krb5cc_" 368 #else 369 #define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_" 370 #endif 371 372 #define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT 373 374 #define KRB5_ACCEPT_NULL_ADDRESSES(C) \ 375 krb5_config_get_bool_default((C), NULL, TRUE, \ 376 "libdefaults", "accept_null_addresses", \ 377 NULL) 378 379 typedef void *krb5_cc_cursor; 380 typedef struct krb5_cccol_cursor_data *krb5_cccol_cursor; 381 382 typedef struct krb5_ccache_data { 383 const struct krb5_cc_ops *ops; 384 krb5_data data; 385 int initialized; /* if non-zero: krb5_cc_initialize() called, now empty */ 386 }krb5_ccache_data; 387 388 typedef struct krb5_ccache_data *krb5_ccache; 389 390 typedef struct krb5_context_data *krb5_context; 391 392 typedef Realm krb5_realm; 393 typedef const char *krb5_const_realm; /* stupid language */ 394 395 #define krb5_realm_length(r) strlen(r) 396 #define krb5_realm_data(r) (r) 397 398 typedef Principal krb5_principal_data; 399 typedef struct Principal *krb5_principal; 400 typedef const struct Principal *krb5_const_principal; 401 typedef struct Principals *krb5_principals; 402 403 typedef time_t krb5_deltat; 404 typedef time_t krb5_timestamp; 405 406 typedef struct krb5_times { 407 krb5_timestamp authtime; 408 krb5_timestamp starttime; 409 krb5_timestamp endtime; 410 krb5_timestamp renew_till; 411 } krb5_times; 412 413 typedef union { 414 TicketFlags b; 415 krb5_flags i; 416 } krb5_ticket_flags; 417 418 /* options for krb5_get_in_tkt() */ 419 #define KDC_OPT_FORWARDABLE (1 << 1) 420 #define KDC_OPT_FORWARDED (1 << 2) 421 #define KDC_OPT_PROXIABLE (1 << 3) 422 #define KDC_OPT_PROXY (1 << 4) 423 #define KDC_OPT_ALLOW_POSTDATE (1 << 5) 424 #define KDC_OPT_POSTDATED (1 << 6) 425 #define KDC_OPT_RENEWABLE (1 << 8) 426 #define KDC_OPT_REQUEST_ANONYMOUS (1 << 14) 427 #define KDC_OPT_DISABLE_TRANSITED_CHECK (1 << 26) 428 #define KDC_OPT_RENEWABLE_OK (1 << 27) 429 #define KDC_OPT_ENC_TKT_IN_SKEY (1 << 28) 430 #define KDC_OPT_RENEW (1 << 30) 431 #define KDC_OPT_VALIDATE (1 << 31) 432 433 typedef union { 434 KDCOptions b; 435 krb5_flags i; 436 } krb5_kdc_flags; 437 438 /* flags for krb5_verify_ap_req */ 439 440 #define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0) 441 442 #define KRB5_GC_CACHED (1U << 0) 443 #define KRB5_GC_USER_USER (1U << 1) 444 #define KRB5_GC_EXPIRED_OK (1U << 2) 445 #define KRB5_GC_NO_STORE (1U << 3) 446 #define KRB5_GC_FORWARDABLE (1U << 4) 447 #define KRB5_GC_NO_TRANSIT_CHECK (1U << 5) 448 #define KRB5_GC_CONSTRAINED_DELEGATION (1U << 6) 449 #define KRB5_GC_CANONICALIZE (1U << 7) 450 #define KRB5_GC_ANONYMOUS (1U << 8) 451 452 /* constants for compare_creds (and cc_retrieve_cred) */ 453 #define KRB5_TC_DONT_MATCH_REALM (1U << 31) 454 #define KRB5_TC_MATCH_KEYTYPE (1U << 30) 455 #define KRB5_TC_MATCH_KTYPE KRB5_TC_MATCH_KEYTYPE /* MIT name */ 456 #define KRB5_TC_MATCH_SRV_NAMEONLY (1 << 29) 457 #define KRB5_TC_MATCH_FLAGS_EXACT (1 << 28) 458 #define KRB5_TC_MATCH_FLAGS (1 << 27) 459 #define KRB5_TC_MATCH_TIMES_EXACT (1 << 26) 460 #define KRB5_TC_MATCH_TIMES (1 << 25) 461 #define KRB5_TC_MATCH_AUTHDATA (1 << 24) 462 #define KRB5_TC_MATCH_2ND_TKT (1 << 23) 463 #define KRB5_TC_MATCH_IS_SKEY (1 << 22) 464 465 /* constants for get_flags and set_flags */ 466 #define KRB5_TC_OPENCLOSE 0x00000001 467 #define KRB5_TC_NOTICKET 0x00000002 468 469 typedef AuthorizationData krb5_authdata; 470 471 typedef KRB_ERROR krb5_error; 472 473 typedef struct krb5_creds { 474 krb5_principal client; 475 krb5_principal server; 476 krb5_keyblock session; 477 krb5_times times; 478 krb5_data ticket; 479 krb5_data second_ticket; 480 krb5_authdata authdata; 481 krb5_addresses addresses; 482 krb5_ticket_flags flags; 483 } krb5_creds; 484 485 typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor; 486 487 #define KRB5_CC_OPS_VERSION 3 488 489 typedef struct krb5_cc_ops { 490 int version; 491 const char *prefix; 492 const char* (KRB5_CALLCONV * get_name)(krb5_context, krb5_ccache); 493 krb5_error_code (KRB5_CALLCONV * resolve)(krb5_context, krb5_ccache *, const char *); 494 krb5_error_code (KRB5_CALLCONV * gen_new)(krb5_context, krb5_ccache *); 495 krb5_error_code (KRB5_CALLCONV * init)(krb5_context, krb5_ccache, krb5_principal); 496 krb5_error_code (KRB5_CALLCONV * destroy)(krb5_context, krb5_ccache); 497 krb5_error_code (KRB5_CALLCONV * close)(krb5_context, krb5_ccache); 498 krb5_error_code (KRB5_CALLCONV * store)(krb5_context, krb5_ccache, krb5_creds*); 499 krb5_error_code (KRB5_CALLCONV * retrieve)(krb5_context, krb5_ccache, 500 krb5_flags, const krb5_creds*, krb5_creds *); 501 krb5_error_code (KRB5_CALLCONV * get_princ)(krb5_context, krb5_ccache, krb5_principal*); 502 krb5_error_code (KRB5_CALLCONV * get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *); 503 krb5_error_code (KRB5_CALLCONV * get_next)(krb5_context, krb5_ccache, 504 krb5_cc_cursor*, krb5_creds*); 505 krb5_error_code (KRB5_CALLCONV * end_get)(krb5_context, krb5_ccache, krb5_cc_cursor*); 506 krb5_error_code (KRB5_CALLCONV * remove_cred)(krb5_context, krb5_ccache, 507 krb5_flags, krb5_creds*); 508 krb5_error_code (KRB5_CALLCONV * set_flags)(krb5_context, krb5_ccache, krb5_flags); 509 int (KRB5_CALLCONV * get_version)(krb5_context, krb5_ccache); 510 krb5_error_code (KRB5_CALLCONV * get_cache_first)(krb5_context, krb5_cc_cursor *); 511 krb5_error_code (KRB5_CALLCONV * get_cache_next)(krb5_context, krb5_cc_cursor, 512 krb5_ccache *); 513 krb5_error_code (KRB5_CALLCONV * end_cache_get)(krb5_context, krb5_cc_cursor); 514 krb5_error_code (KRB5_CALLCONV * move)(krb5_context, krb5_ccache, krb5_ccache); 515 krb5_error_code (KRB5_CALLCONV * get_default_name)(krb5_context, char **); 516 krb5_error_code (KRB5_CALLCONV * set_default)(krb5_context, krb5_ccache); 517 krb5_error_code (KRB5_CALLCONV * lastchange)(krb5_context, krb5_ccache, krb5_timestamp *); 518 krb5_error_code (KRB5_CALLCONV * set_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat); 519 krb5_error_code (KRB5_CALLCONV * get_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat *); 520 } krb5_cc_ops; 521 522 struct krb5_log_facility; 523 524 struct krb5_config_binding { 525 enum { krb5_config_string, krb5_config_list } type; 526 char *name; 527 struct krb5_config_binding *next; 528 union { 529 char *string; 530 struct krb5_config_binding *list; 531 void *generic; 532 } u; 533 }; 534 535 typedef struct krb5_config_binding krb5_config_binding; 536 537 typedef krb5_config_binding krb5_config_section; 538 539 typedef struct krb5_ticket { 540 EncTicketPart ticket; 541 krb5_principal client; 542 krb5_principal server; 543 } krb5_ticket; 544 545 typedef Authenticator krb5_authenticator_data; 546 547 typedef krb5_authenticator_data *krb5_authenticator; 548 549 struct krb5_rcache_data; 550 typedef struct krb5_rcache_data *krb5_rcache; 551 typedef Authenticator krb5_donot_replay; 552 553 #define KRB5_STORAGE_HOST_BYTEORDER 0x01 /* old */ 554 #define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS 0x02 555 #define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE 0x04 556 #define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE 0x08 557 #define KRB5_STORAGE_BYTEORDER_MASK 0x60 558 #define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */ 559 #define KRB5_STORAGE_BYTEORDER_LE 0x20 560 #define KRB5_STORAGE_BYTEORDER_HOST 0x40 561 #define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 0x80 562 563 struct krb5_storage_data; 564 typedef struct krb5_storage_data krb5_storage; 565 566 typedef struct krb5_keytab_entry { 567 krb5_principal principal; 568 krb5_kvno vno; 569 krb5_keyblock keyblock; 570 uint32_t timestamp; 571 uint32_t flags; 572 krb5_principals aliases; 573 } krb5_keytab_entry; 574 575 typedef struct krb5_kt_cursor { 576 int fd; 577 krb5_storage *sp; 578 void *data; 579 } krb5_kt_cursor; 580 581 struct krb5_keytab_data; 582 583 typedef struct krb5_keytab_data *krb5_keytab; 584 585 #define KRB5_KT_PREFIX_MAX_LEN 30 586 587 struct krb5_keytab_data { 588 const char *prefix; 589 krb5_error_code (KRB5_CALLCONV * resolve)(krb5_context, const char*, krb5_keytab); 590 krb5_error_code (KRB5_CALLCONV * get_name)(krb5_context, krb5_keytab, char*, size_t); 591 krb5_error_code (KRB5_CALLCONV * close)(krb5_context, krb5_keytab); 592 krb5_error_code (KRB5_CALLCONV * destroy)(krb5_context, krb5_keytab); 593 krb5_error_code (KRB5_CALLCONV * get)(krb5_context, krb5_keytab, krb5_const_principal, 594 krb5_kvno, krb5_enctype, krb5_keytab_entry*); 595 krb5_error_code (KRB5_CALLCONV * start_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*); 596 krb5_error_code (KRB5_CALLCONV * next_entry)(krb5_context, krb5_keytab, 597 krb5_keytab_entry*, krb5_kt_cursor*); 598 krb5_error_code (KRB5_CALLCONV * end_seq_get)(krb5_context, krb5_keytab, krb5_kt_cursor*); 599 krb5_error_code (KRB5_CALLCONV * add)(krb5_context, krb5_keytab, krb5_keytab_entry*); 600 krb5_error_code (KRB5_CALLCONV * remove)(krb5_context, krb5_keytab, krb5_keytab_entry*); 601 void *data; 602 int32_t version; 603 }; 604 605 typedef struct krb5_keytab_data krb5_kt_ops; 606 607 struct krb5_keytab_key_proc_args { 608 krb5_keytab keytab; 609 krb5_principal principal; 610 }; 611 612 typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; 613 614 typedef struct krb5_replay_data { 615 krb5_timestamp timestamp; 616 int32_t usec; 617 uint32_t seq; 618 } krb5_replay_data; 619 620 /* flags for krb5_auth_con_setflags */ 621 enum { 622 KRB5_AUTH_CONTEXT_DO_TIME = 1, 623 KRB5_AUTH_CONTEXT_RET_TIME = 2, 624 KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, 625 KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, 626 KRB5_AUTH_CONTEXT_PERMIT_ALL = 16, 627 KRB5_AUTH_CONTEXT_USE_SUBKEY = 32, 628 KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED = 64 629 }; 630 631 /* flags for krb5_auth_con_genaddrs */ 632 enum { 633 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR = 1, 634 KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR = 3, 635 KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR = 4, 636 KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR = 12 637 }; 638 639 typedef struct krb5_auth_context_data { 640 unsigned int flags; 641 642 krb5_address *local_address; 643 krb5_address *remote_address; 644 int16_t local_port; 645 int16_t remote_port; 646 krb5_keyblock *keyblock; 647 krb5_keyblock *local_subkey; 648 krb5_keyblock *remote_subkey; 649 650 uint32_t local_seqnumber; 651 uint32_t remote_seqnumber; 652 653 krb5_authenticator authenticator; 654 655 krb5_pointer i_vector; 656 657 krb5_rcache rcache; 658 659 krb5_keytype keytype; /* ¿requested key type ? */ 660 krb5_cksumtype cksumtype; /* ¡requested checksum type! */ 661 662 AuthorizationData *auth_data; 663 664 }krb5_auth_context_data, *krb5_auth_context; 665 666 typedef struct { 667 KDC_REP kdc_rep; 668 EncKDCRepPart enc_part; 669 KRB_ERROR error; 670 } krb5_kdc_rep; 671 672 extern const char *heimdal_version, *heimdal_long_version; 673 674 typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(const char*, const char*, void*); 675 typedef void (KRB5_CALLCONV * krb5_log_close_func_t)(void*); 676 677 typedef struct krb5_log_facility { 678 char *program; 679 int len; 680 struct facility *val; 681 } krb5_log_facility; 682 683 typedef EncAPRepPart krb5_ap_rep_enc_part; 684 685 #define KRB5_RECVAUTH_IGNORE_VERSION 1 686 687 #define KRB5_SENDAUTH_VERSION "KRB5_SENDAUTH_V1.0" 688 689 #define KRB5_TGS_NAME_SIZE (6) 690 #define KRB5_TGS_NAME ("krbtgt") 691 #define KRB5_WELLKNOWN_NAME ("WELLKNOWN") 692 #define KRB5_ANON_NAME ("ANONYMOUS") 693 #define KRB5_ANON_REALM ("WELLKNOWN:ANONYMOUS") 694 #define KRB5_WELLKNOWN_ORG_H5L_REALM ("WELLKNOWN:ORG.H5L") 695 #define KRB5_DIGEST_NAME ("digest") 696 697 698 #define KRB5_PKU2U_REALM_NAME ("WELLKNOWN:PKU2U") 699 #define KRB5_LKDC_REALM_NAME ("WELLKNOWN:COM.APPLE.LKDC") 700 701 #define KRB5_GSS_HOSTBASED_SERVICE_NAME ("WELLKNOWN:ORG.H5L.HOSTBASED-SERVICE") 702 #define KRB5_GSS_REFERALS_REALM_NAME ("WELLKNOWN:ORG.H5L.REFERALS-REALM") 703 704 typedef enum { 705 KRB5_PROMPT_TYPE_PASSWORD = 0x1, 706 KRB5_PROMPT_TYPE_NEW_PASSWORD = 0x2, 707 KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN = 0x3, 708 KRB5_PROMPT_TYPE_PREAUTH = 0x4, 709 KRB5_PROMPT_TYPE_INFO = 0x5 710 } krb5_prompt_type; 711 712 typedef struct _krb5_prompt { 713 const char *prompt; 714 int hidden; 715 krb5_data *reply; 716 krb5_prompt_type type; 717 } krb5_prompt; 718 719 typedef int (KRB5_CALLCONV * krb5_prompter_fct)(krb5_context /*context*/, 720 void * /*data*/, 721 const char * /*name*/, 722 const char * /*banner*/, 723 int /*num_prompts*/, 724 krb5_prompt /*prompts*/[]); 725 typedef krb5_error_code (KRB5_CALLCONV * krb5_key_proc)(krb5_context /*context*/, 726 krb5_enctype /*type*/, 727 krb5_salt /*salt*/, 728 krb5_const_pointer /*keyseed*/, 729 krb5_keyblock ** /*key*/); 730 typedef krb5_error_code (KRB5_CALLCONV * krb5_decrypt_proc)(krb5_context /*context*/, 731 krb5_keyblock * /*key*/, 732 krb5_key_usage /*usage*/, 733 krb5_const_pointer /*decrypt_arg*/, 734 krb5_kdc_rep * /*dec_rep*/); 735 typedef krb5_error_code (KRB5_CALLCONV * krb5_s2k_proc)(krb5_context /*context*/, 736 krb5_enctype /*type*/, 737 krb5_const_pointer /*keyseed*/, 738 krb5_salt /*salt*/, 739 krb5_data * /*s2kparms*/, 740 krb5_keyblock ** /*key*/); 741 742 struct _krb5_get_init_creds_opt_private; 743 744 struct _krb5_get_init_creds_opt { 745 krb5_flags flags; 746 krb5_deltat tkt_life; 747 krb5_deltat renew_life; 748 int forwardable; 749 int proxiable; 750 int anonymous; 751 int change_password_prompt; 752 krb5_enctype *etype_list; 753 int etype_list_length; 754 krb5_addresses *address_list; 755 /* XXX the next three should not be used, as they may be 756 removed later */ 757 krb5_preauthtype *preauth_list; 758 int preauth_list_length; 759 krb5_data *salt; 760 struct _krb5_get_init_creds_opt_private *opt_private; 761 }; 762 763 typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt; 764 765 #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 766 #define KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE 0x0002 767 #define KRB5_GET_INIT_CREDS_OPT_FORWARDABLE 0x0004 768 #define KRB5_GET_INIT_CREDS_OPT_PROXIABLE 0x0008 769 #define KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST 0x0010 770 #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 771 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 772 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 /* no supported */ 773 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100 774 #define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK 0x0200 775 #define KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT 0x0400 776 777 /* krb5_init_creds_step flags argument */ 778 #define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x0001 779 780 typedef struct _krb5_verify_init_creds_opt { 781 krb5_flags flags; 782 int ap_req_nofail; 783 } krb5_verify_init_creds_opt; 784 785 #define KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL 0x0001 786 787 typedef struct krb5_verify_opt { 788 unsigned int flags; 789 krb5_ccache ccache; 790 krb5_keytab keytab; 791 krb5_boolean secure; 792 const char *service; 793 } krb5_verify_opt; 794 795 #define KRB5_VERIFY_LREALMS 1 796 #define KRB5_VERIFY_NO_ADDRESSES 2 797 798 #define KRB5_KPASSWD_VERS_CHANGEPW 1 799 #define KRB5_KPASSWD_VERS_SETPW 0xff80 800 801 #define KRB5_KPASSWD_SUCCESS 0 802 #define KRB5_KPASSWD_MALFORMED 1 803 #define KRB5_KPASSWD_HARDERROR 2 804 #define KRB5_KPASSWD_AUTHERROR 3 805 #define KRB5_KPASSWD_SOFTERROR 4 806 #define KRB5_KPASSWD_ACCESSDENIED 5 807 #define KRB5_KPASSWD_BAD_VERSION 6 808 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 809 810 #define KPASSWD_PORT 464 811 812 /* types for the new krbhst interface */ 813 struct krb5_krbhst_data; 814 typedef struct krb5_krbhst_data *krb5_krbhst_handle; 815 816 #define KRB5_KRBHST_KDC 1 817 #define KRB5_KRBHST_ADMIN 2 818 #define KRB5_KRBHST_CHANGEPW 3 819 #define KRB5_KRBHST_KRB524 4 820 #define KRB5_KRBHST_KCA 5 821 822 typedef struct krb5_krbhst_info { 823 enum { KRB5_KRBHST_UDP, 824 KRB5_KRBHST_TCP, 825 KRB5_KRBHST_HTTP } proto; 826 unsigned short port; 827 unsigned short def_port; 828 struct addrinfo *ai; 829 struct krb5_krbhst_info *next; 830 char hostname[1]; /* has to come last */ 831 } krb5_krbhst_info; 832 833 /* flags for krb5_krbhst_init_flags (and krb5_send_to_kdc_flags) */ 834 enum { 835 KRB5_KRBHST_FLAGS_MASTER = 1, 836 KRB5_KRBHST_FLAGS_LARGE_MSG = 2 837 }; 838 839 typedef krb5_error_code (*krb5_sendto_prexmit)(krb5_context, int, void *, int, krb5_data *); 840 typedef krb5_error_code 841 (KRB5_CALLCONV * krb5_send_to_kdc_func)(krb5_context, void *, krb5_krbhst_info *, time_t, 842 const krb5_data *, krb5_data *); 843 844 /** flags for krb5_parse_name_flags */ 845 enum { 846 KRB5_PRINCIPAL_PARSE_NO_REALM = 1, /**< Require that there are no realm */ 847 KRB5_PRINCIPAL_PARSE_REQUIRE_REALM = 2, /**< Require a realm present */ 848 KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4, /**< Parse as a NT-ENTERPRISE name */ 849 KRB5_PRINCIPAL_PARSE_IGNORE_REALM = 8, /**< Ignore realm if present */ 850 KRB5_PRINCIPAL_PARSE_NO_DEF_REALM = 16 /**< Don't default the realm */ 851 }; 852 853 /** flags for krb5_unparse_name_flags */ 854 enum { 855 KRB5_PRINCIPAL_UNPARSE_SHORT = 1, /**< No realm if it is the default realm */ 856 KRB5_PRINCIPAL_UNPARSE_NO_REALM = 2, /**< No realm */ 857 KRB5_PRINCIPAL_UNPARSE_DISPLAY = 4 /**< No quoting */ 858 }; 859 860 typedef struct krb5_sendto_ctx_data *krb5_sendto_ctx; 861 862 #define KRB5_SENDTO_DONE 0 863 #define KRB5_SENDTO_RESET 1 864 #define KRB5_SENDTO_CONTINUE 2 865 #define KRB5_SENDTO_TIMEOUT 3 866 #define KRB5_SENDTO_INITIAL 4 867 #define KRB5_SENDTO_FILTER 5 868 #define KRB5_SENDTO_FAILED 6 869 #define KRB5_SENDTO_KRBHST 7 870 871 typedef krb5_error_code 872 (KRB5_CALLCONV * krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, 873 const krb5_data *, int *); 874 875 struct krb5_plugin; 876 enum krb5_plugin_type { 877 PLUGIN_TYPE_DATA = 1, 878 PLUGIN_TYPE_FUNC 879 }; 880 881 #define KRB5_PLUGIN_INVOKE_ALL 1 882 883 struct credentials; /* this is to keep the compiler happy */ 884 struct getargs; 885 struct sockaddr; 886 887 /** 888 * Semi private, not stable yet 889 */ 890 891 typedef struct krb5_crypto_iov { 892 unsigned int flags; 893 /* ignored */ 894 #define KRB5_CRYPTO_TYPE_EMPTY 0 895 /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_HEADER) */ 896 #define KRB5_CRYPTO_TYPE_HEADER 1 897 /* IN and OUT */ 898 #define KRB5_CRYPTO_TYPE_DATA 2 899 /* IN */ 900 #define KRB5_CRYPTO_TYPE_SIGN_ONLY 3 901 /* (only for encryption) OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_TRAILER) */ 902 #define KRB5_CRYPTO_TYPE_PADDING 4 903 /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_TRAILER) */ 904 #define KRB5_CRYPTO_TYPE_TRAILER 5 905 /* OUT krb5_crypto_length(KRB5_CRYPTO_TYPE_CHECKSUM) */ 906 #define KRB5_CRYPTO_TYPE_CHECKSUM 6 907 krb5_data data; 908 } krb5_crypto_iov; 909 910 911 /* Glue for MIT */ 912 913 typedef struct { 914 int32_t lr_type; 915 krb5_timestamp value; 916 } krb5_last_req_entry; 917 918 typedef krb5_error_code 919 (KRB5_CALLCONV * krb5_gic_process_last_req)(krb5_context, krb5_last_req_entry **, void *); 920 921 typedef struct { 922 krb5_enctype ks_enctype; 923 krb5int32 ks_salttype; 924 }krb5_key_salt_tuple; 925 926 /* 927 * Name canonicalization rule options 928 */ 929 930 typedef enum krb5_name_canon_rule_options { 931 KRB5_NCRO_GC_ONLY = 1 << 0, 932 KRB5_NCRO_USE_REFERRALS = 1 << 1, 933 KRB5_NCRO_NO_REFERRALS = 1 << 2, 934 KRB5_NCRO_USE_FAST = 1 << 3, 935 KRB5_NCRO_USE_DNSSEC = 1 << 4, 936 KRB5_NCRO_LOOKUP_REALM = 1 << 5 937 } krb5_name_canon_rule_options; 938 939 typedef struct krb5_name_canon_rule_data *krb5_name_canon_rule; 940 typedef const struct krb5_name_canon_rule_data *krb5_const_name_canon_rule; 941 typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator; 942 943 /* 944 * krb5_get_init_creds_opt_set_pkinit flags 945 */ 946 947 #define KRB5_GIC_OPT_PKINIT_USE_ENCKEY 2 /* use RSA, not DH */ 948 #define KRB5_GIC_OPT_PKINIT_ANONYMOUS 4 /* anonymous PKINIT */ 949 #define KRB5_GIC_OPT_PKINIT_BTMM 8 /* reserved by Apple */ 950 #define KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR 16 /* do not authenticate KDC */ 951 952 /* 953 * _krb5_principal_is_anonymous() flags 954 */ 955 #define KRB5_ANON_MATCH_AUTHENTICATED 1 /* authenticated with anon flag */ 956 #define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* anonymous PKINIT */ 957 #define KRB5_ANON_IGNORE_NAME_TYPE 4 /* don't check the name type */ 958 #define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | \ 959 KRB5_ANON_MATCH_UNAUTHENTICATED ) 960 #define KRB5_ANON_MATCH_ANY_NONT ( KRB5_ANON_MATCH_ANY | \ 961 KRB5_ANON_IGNORE_NAME_TYPE ) 962 963 /* 964 * 965 */ 966 967 struct hx509_certs_data; 968 969 #include <krb5/krb5-protos.h> 970 971 /* variables */ 972 973 extern KRB5_LIB_VARIABLE const char *krb5_config_file; 974 extern KRB5_LIB_VARIABLE const char *krb5_defkeyname; 975 976 977 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops; 978 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_dcc_ops; 979 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops; 980 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops; 981 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops; 982 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops; 983 extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops; 984 985 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_fkt_ops; 986 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_wrfkt_ops; 987 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_javakt_ops; 988 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_mkt_ops; 989 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_akf_ops; 990 extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_any_ops; 991 992 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_api; 993 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_file; 994 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory; 995 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm; 996 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc; 997 extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc; 998 999 /* clang analyzer workarounds */ 1000 1001 #ifdef __clang_analyzer__ 1002 /* 1003 * The clang analyzer (lint) can't know that krb5_enomem() always returns 1004 * non-zero, so code like: 1005 * 1006 * if ((x = malloc(...)) == NULL) 1007 * ret = krb5_enomem(context) 1008 * if (ret == 0) 1009 * *x = ...; 1010 * 1011 * causes false positives. 1012 * 1013 * The fix is to make krb5_enomem() a macro that always evaluates to ENOMEM. 1014 */ 1015 #define krb5_enomem(c) (krb5_enomem(c), ENOMEM) 1016 #endif 1017 1018 #endif /* __KRB5_H__ */ 1019 1020