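/*
 * $Id: krb.h,v 1.2 2001/12/04 02:06:05 rjs3 Exp $
 *
 * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
 *
 * For copying and distribution information, please see the file
 * <mit-copyright.h>.
 *
 * Include file for the Kerberos library.
 *
 * NOTE(review): this is the Kerberos version 4 API (DES session keys via
 * des.h, fixed 40-byte name fields, a single 32-bit ticket address).  Treat
 * it as a legacy interface.  Every fixed-size array declared below is a
 * buffer boundary that the code filling it -- from the network, a ticket
 * file or a srvtab -- must enforce itself; nothing in this header does.
 */

/*
 * Pre-ANSI compilers: erase the `const' and `signed' keywords.  This is kept
 * outside the include guard so it takes effect before the includes below,
 * but be aware it also disables every const-correctness check in the
 * translation unit.
 */
#if !defined (__STDC__) && !defined(_MSC_VER)
#define const
#define signed
#endif

#include <ktypes.h>
#include <time.h>

#ifndef __KRB_H__
#define __KRB_H__

/*
 * XXX: C linkage wrappers for platforms whose system headers do not
 * provide them.  (The names are in the implementation's reserved
 * namespace, hence the #ifndef.)
 */
#ifndef __BEGIN_DECLS
#if defined(__cplusplus)
#define __BEGIN_DECLS extern "C" {
#define __END_DECLS };
#else
#define __BEGIN_DECLS
#define __END_DECLS
#endif
#endif

/*
 * Prototype parameter-list macro: ANSI compilers keep the parameter list,
 * K&R compilers get an empty one.
 */
#if defined (__STDC__) || defined (_MSC_VER)
#ifndef __P
#define __P(x) x
#endif
#else
#ifndef __P
#define __P(x) ()
#endif
#endif

__BEGIN_DECLS

/* Need some defs from des.h */
#if !defined(NOPROTO) && !defined(__STDC__)
#define NOPROTO
#endif
#include <des.h>

/* CNS compatibility ahead! */
#ifndef KRB_INT32
#define KRB_INT32 int32_t
#endif
#ifndef KRB_UINT32
#define KRB_UINT32 u_int32_t
#endif

/* Global library variables. */

/*
 * Non-zero turns off the comparison between the address carried in a
 * ticket and the address of the peer presenting it (the check that
 * otherwise yields RD_AP_BADD).  That comparison is what ties a ticket to
 * the host it was issued for; switching it off lets a copied ticket be
 * replayed from any host.  Leave it at zero unless NAT/multihoming makes
 * the check unworkable, and then treat the tickets as bearer tokens.
 */
extern int krb_ignore_ip_address;
extern int krb_no_long_lifetimes;	/* To disable AFS compatible lifetimes */
extern int krbONE;
/*
 * First byte in memory of krbONE, read through a char pointer: a run-time
 * endianness probe (presumably krbONE == 1 in the library, so this is 1 on
 * little-endian hosts and 0 on big-endian ones).
 */
#define HOST_BYTE_ORDER (* (char *) &krbONE)
/* Debug variables */
extern int krb_debug;
extern int krb_ap_req_debug;
extern int krb_dns_debug;


/*
 * Text describing error codes.  Only index this table with a value in
 * [0, MAX_KRB_ERRORS); codes are returned as plain ints and negative or
 * out-of-range values (SAFE_PRIV_ERROR is -1) must be filtered by the
 * caller first.
 */
#define MAX_KRB_ERRORS 256
extern const char *krb_err_txt[MAX_KRB_ERRORS];

/* General definitions */
#define KSUCCESS 0
#define KFAILURE 255

/*
 * Kerberos specific definitions
 *
 * KRBLOG is the log file for the kerberos master server.  KRB_CONF is
 * the configuration file where different host machines running master
 * and slave servers can be found.  KRB_MASTER is the name of the
 * machine with the master database.  The admin_server runs on this
 * machine, and all changes to the db (as opposed to read-only
 * requests, which can go to slaves) must go to it.  KRB_HOST is the
 * default machine when looking for a kerberos slave server.  Other
 * possibilities are in the KRB_CONF file.  KRB_REALM is the name of
 * the realm.
 *
 * All of these files are trusted input: whoever can write krb.conf,
 * krb.realms or krb.equiv can redirect clients to a KDC of their choosing
 * or widen host equivalence, so they must be root-owned and not
 * world-writable.
 */

/* /etc/kerberosIV is only for backwards compatibility, don't use it! */
#ifndef KRB_CONF
#define KRB_CONF "/etc/krb.conf"
#endif
#ifndef KRB_RLM_TRANS
#define KRB_RLM_TRANS "/etc/krb.realms"
#endif
/* NULL-terminated search lists: the new location first, then the legacy one. */
#ifndef KRB_CNF_FILES
#define KRB_CNF_FILES { KRB_CONF, "/etc/kerberosIV/krb.conf", 0}
#endif
#ifndef KRB_RLM_FILES
#define KRB_RLM_FILES { KRB_RLM_TRANS, "/etc/kerberosIV/krb.realms", 0}
#endif
#ifndef KRB_EQUIV
#define KRB_EQUIV "/etc/krb.equiv"
#endif
#define KRB_MASTER "kerberos"
#ifndef KRB_REALM
#define KRB_REALM (krb_get_default_realm())
#endif

/*
 * The maximum sizes for aname, realm, sname, and instance +1, i.e. each
 * buffer holds at most 39 characters plus the terminating NUL.  Anything
 * copied into a field of these sizes from a ticket, a KDC reply or user
 * input must be length-checked against the size, not strcpy'd.
 */
#define ANAME_SZ 40
#define REALM_SZ 40
#define SNAME_SZ 40
#define INST_SZ 40
/*
 * Leave space for quoting: "name.instance@realm" with every character
 * escaped (2 * 39 each) plus the two separators and the NUL = 237.
 */
#define MAX_K_NAME_SZ (2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3)
#define KKEY_SZ 100
#define VERSION_SZ 1
#define MSG_TYPE_SZ 1
#define DATE_SZ 26	/* RTI date output */

#define MAX_HSTNM 100	/* for compatibility */

/* A parsed principal; each field is a NUL-terminated string within its buffer. */
typedef struct krb_principal {
	char name[ANAME_SZ];
	char instance[INST_SZ];
	char realm[REALM_SZ];
} krb_principal;

#ifndef DEFAULT_TKT_LIFE	/* allow compile-time override */
/*
 * default lifetime for krb_mk_req & co., 10 hrs.  This is an encoded
 * lifetime value, not a number of seconds (see krb_no_long_lifetimes).
 */
#define DEFAULT_TKT_LIFE 141
#endif

#define KRB_TICKET_GRANTING_TICKET "krbtgt"

/*
 * Definition of text structure used to pass text around.
 *
 * `length' is the number of valid bytes in `dat' and must never exceed
 * MAX_KTXT_LEN; code that reads a length from the wire has to validate it
 * before copying.  `mbz' is a trailing guard word for catching runaway
 * strings during debugging -- it is not a bounds check and must not be
 * relied on as one.
 */
#define MAX_KTXT_LEN 1250

struct ktext {
	unsigned int length;		/* Length of the text */
	unsigned char dat[MAX_KTXT_LEN];	/* The data itself */
	u_int32_t mbz;			/* zero to catch runaway strings */
};

typedef struct ktext *KTEXT;
typedef struct ktext KTEXT_ST;


/* Definitions for send_to_kdc */
#define CLIENT_KRB_TIMEOUT 4	/* default time between retries */
#define CLIENT_KRB_RETRY 5	/* retry this many times */
#define CLIENT_KRB_BUFLEN 512	/* max unfragmented packet */

/* Definitions for ticket file utilities */
#define R_TKT_FIL 0
#define W_TKT_FIL 1

/* Parameters for rd_ap_req */
/*
 * Maximum allowable clock skew in seconds.  Parenthesized so that uses
 * such as `x / CLOCK_SKEW' do not silently become `(x / 5) * 60'.  The
 * skew window is also the window in which a captured authenticator can be
 * replayed before RD_AP_TIME rejects it, so do not widen it casually.
 */
#define CLOCK_SKEW (5*60)
/* Filename for readservkey */
#ifndef KEYFILE
#define KEYFILE (krb_get_default_keyfile())
#endif

/*
 * Structure definition for rd_ap_req: what the server learns about the
 * client from a verified AP_REQ.  Name fields are NUL-terminated within
 * their buffers.  `address' is a single 32-bit (IPv4-sized) value, which
 * is all a v4 ticket can carry.
 */

struct auth_dat {
	unsigned char k_flags;		/* Flags from ticket */
	char pname[ANAME_SZ];		/* Principal's name */
	char pinst[INST_SZ];		/* His Instance */
	char prealm[REALM_SZ];		/* His Realm */
	u_int32_t checksum;		/* Data checksum (opt) */
	des_cblock session;		/* Session Key */
	int life;			/* Life of ticket */
	u_int32_t time_sec;		/* Time ticket issued */
	u_int32_t address;		/* Address in ticket */
	KTEXT_ST reply;			/* Auth reply (opt) */
};

typedef struct auth_dat AUTH_DAT;

/*
 * Structure definition for credentials returned by get_cred.
 *
 * `session' is key material and should be zeroized once the credentials
 * are no longer needed.  `issue_date' is a signed 32-bit time.
 */

struct credentials {
	char service[ANAME_SZ];		/* Service name */
	char instance[INST_SZ];		/* Instance */
	char realm[REALM_SZ];		/* Auth domain */
	des_cblock session;		/* Session key */
	int lifetime;			/* Lifetime */
	int kvno;			/* Key version number */
	KTEXT_ST ticket_st;		/* The ticket itself */
	int32_t issue_date;		/* The issue time */
	char pname[ANAME_SZ];		/* Principal's name */
	char pinst[INST_SZ];		/* Principal's instance */
};

typedef struct credentials CREDENTIALS;

/*
 * Structure definition for rd_private_msg and rd_safe_msg.
 *
 * `app_data' points into the caller's message buffer (no copy is made)
 * and `app_length' bounds it; `hash' and the timestamp fields are what a
 * receiver has to record to detect replays (RD_AP_REPEAT).
 */

struct msg_dat {
	unsigned char *app_data;	/* pointer to appl data */
	u_int32_t app_length;		/* length of appl data */
	u_int32_t hash;			/* hash to lookup replay */
	int swap;			/* swap bytes? */
	int32_t time_sec;		/* msg timestamp seconds */
	unsigned char time_5ms;		/* msg timestamp 5ms units */
};

typedef struct msg_dat MSG_DAT;

/* One KDC endpoint for a realm, as found in the configuration. */
struct krb_host {
	char *realm;
	char *host;
	enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto;
	int port;
	int admin;			/* non-zero: this is the admin server */
};

/* Location of ticket file for save_cred and get_cred */
#define TKT_FILE (tkt_string())
#ifndef TKT_ROOT
#define TKT_ROOT (krb_get_default_tkt_root())
#endif

/* Error codes returned from the KDC */
#define KDC_OK		0	/* Request OK */
#define KDC_NAME_EXP	1	/* Principal expired */
#define KDC_SERVICE_EXP	2	/* Service expired */
#define KDC_AUTH_EXP	3	/* Auth expired */
#define KDC_PKT_VER	4	/* Protocol version unknown */
#define KDC_P_MKEY_VER	5	/* Wrong master key version */
#define KDC_S_MKEY_VER	6	/* Wrong master key version */
#define KDC_BYTE_ORDER	7	/* Byte order unknown */
#define KDC_PR_UNKNOWN	8	/* Principal unknown */
#define KDC_PR_N_UNIQUE	9	/* Principal not unique */
#define KDC_NULL_KEY	10	/* Principal has null key */
#define KDC_GEN_ERR	20	/* Generic error from KDC */


/* Values returned by get_credentials */
#define GC_OK		0	/* Retrieve OK */
#define RET_OK		0	/* Retrieve OK */
#define GC_TKFIL	21	/* Can't read ticket file */
#define RET_TKFIL	21	/* Can't read ticket file */
#define GC_NOTKT	22	/* Can't find ticket or TGT */
#define RET_NOTKT	22	/* Can't find ticket or TGT */


/* Values returned by mk_ap_req */
#define MK_AP_OK	0	/* Success */
#define MK_AP_TGTEXP	26	/* TGT Expired */

/* Values returned by rd_ap_req (any non-zero value means: do not trust the request) */
#define RD_AP_OK	0	/* Request authentic */
#define RD_AP_UNDEC	31	/* Can't decode authenticator */
#define RD_AP_EXP	32	/* Ticket expired */
#define RD_AP_NYV	33	/* Ticket not yet valid */
#define RD_AP_REPEAT	34	/* Repeated request */
#define RD_AP_NOT_US	35	/* The ticket isn't for us */
#define RD_AP_INCON	36	/* Request is inconsistent */
#define RD_AP_TIME	37	/* delta_t too big */
#define RD_AP_BADD	38	/* Incorrect net address */
#define RD_AP_VERSION	39	/* protocol version mismatch */
#define RD_AP_MSG_TYPE	40	/* invalid msg type */
#define RD_AP_MODIFIED	41	/* message stream modified */
#define RD_AP_ORDER	42	/* message out of order */
#define RD_AP_UNAUTHOR	43	/* unauthorized request */

/* Values returned by get_pw_tkt */
#define GT_PW_OK	0	/* Got password changing tkt */
#define GT_PW_NULL	51	/* Current PW is null */
#define GT_PW_BADPW	52	/* Incorrect current password */
#define GT_PW_PROT	53	/* Protocol Error */
#define GT_PW_KDCERR	54	/* Error returned by KDC */
#define GT_PW_NULLTKT	55	/* Null tkt returned by KDC */


/* Values returned by send_to_kdc */
#define SKDC_OK		0	/* Response received */
#define SKDC_RETRY	56	/* Retry count exceeded */
#define SKDC_CANT	57	/* Can't send request */

/*
 * Values returned by get_intkt
 * (can also return SKDC_* and KDC errors)
 */

#define INTK_OK		0	/* Ticket obtained */
#define INTK_W_NOTALL	61	/* Not ALL tickets returned */
#define INTK_BADPW	62	/* Incorrect password */
#define INTK_PROT	63	/* Protocol Error */
#define INTK_ERR	70	/* Other error */

/* Values returned by get_adtkt */
#define AD_OK		0	/* Ticket Obtained */
#define AD_NOTGT	71	/* Don't have tgt */
#define AD_INTR_RLM_NOTGT 72	/* Can't get inter-realm tgt */

/* Error codes returned by ticket file utilities */
#define NO_TKT_FIL	76	/* No ticket file found */
#define TKT_FIL_ACC	77	/* Couldn't access tkt file */
#define TKT_FIL_LCK	78	/* Couldn't lock ticket file */
#define TKT_FIL_FMT	79	/* Bad ticket file format */
#define TKT_FIL_INI	80	/* tf_init not called first */

/* Error code returned by kparse_name */
#define KNAME_FMT	81	/* Bad Kerberos name format */

/* Error code returned by krb_mk_safe (the one negative code; not an index into krb_err_txt) */
#define SAFE_PRIV_ERROR	-1	/* syscall error */

/* Defines for krb_sendauth and krb_recvauth */

#define KOPT_DONT_MK_REQ	0x00000001	/* don't call krb_mk_req */
/* Without mutual auth the client never verifies the server's identity. */
#define KOPT_DO_MUTUAL		0x00000002	/* do mutual auth */

#define KOPT_DONT_CANON		0x00000004	/*
						 * don't canonicalize inst as
						 * a hostname
						 */

#define KOPT_IGNORE_PROTOCOL	0x00000008

#define KRB_SENDAUTH_VLEN 8	/* length for version strings */


/*
 * flags for krb_verify_user()
 *
 * NOTE(review): going by the names, KRB_VERIFY_NOT_SECURE presumably
 * skips checking the obtained TGT against a local service key.  A password
 * check that does not do that can be satisfied by anyone able to answer as
 * the KDC on the network, so callers authenticating logins should use
 * KRB_VERIFY_SECURE (or _SECURE_FAIL) -- confirm against krb_verify_user().
 */
#define KRB_VERIFY_NOT_SECURE	0
#define KRB_VERIFY_SECURE	1
#define KRB_VERIFY_SECURE_FAIL	2

extern char *krb4_version;

/*
 * Callback that derives a DES key for a principal, e.g. from a password or
 * a srvtab.  `instance' is INOUT: the callback may canonicalize it.
 */
typedef int (*key_proc_t) __P((const char *name,
			       char *instance,	/* INOUT parameter */
			       const char *realm,
			       const void *password,
			       des_cblock *key));

/* Callback that decrypts a KDC reply for a principal using a key_proc_t. */
typedef int (*decrypt_proc_t) __P((const char *name,
				   const char *instance,
				   const char *realm,
				   const void *arg,
				   key_proc_t,
				   KTEXT *));

#include "krb-protos.h"

__END_DECLS

#endif /* __KRB_H__ */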