1 /*
2  * $Id: krb.h,v 1.2 2001/12/04 02:06:05 rjs3 Exp $
3  *
4  * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
5  *
6  * For copying and distribution information, please see the file
7  * <mit-copyright.h>.
8  *
9  * Include file for the Kerberos library.
10  */
11 
/*
 * Pre-ANSI (K&R) compilers, i.e. no __STDC__ and not MSVC: define `const`
 * and `signed` away so the declarations below still parse.  Note that
 * this is global and unguarded: it strips every const qualifier from the
 * rest of the translation unit, so on such compilers nothing stops a
 * caller from writing through pointers this API declares read-only.
 * These lines also sit before the include guard (below) and are therefore
 * re-evaluated on every inclusion; that is harmless because the
 * replacement list is identical each time.
 */
#if !defined (__STDC__) && !defined(_MSC_VER)
#define const
#define signed
#endif
16 
17 #include <ktypes.h>
18 #include <time.h>
19 
#ifndef __KRB_H__
#define __KRB_H__

/*
 * XXX: __BEGIN_DECLS/__END_DECLS and __P() are normally supplied by the
 * platform (BSD <sys/cdefs.h>); these are fallbacks for systems without
 * them.  All three names live in the implementation-reserved namespace
 * (leading double underscore), which is why each one is only defined
 * when the platform has not already done so.
 */
#ifndef __BEGIN_DECLS
#if defined(__cplusplus)
#define	__BEGIN_DECLS	extern "C" {
#define	__END_DECLS	};
#else
#define	__BEGIN_DECLS
#define	__END_DECLS
#endif
#endif

/*
 * __P(x) wraps a prototype parameter list: on ANSI/MSVC compilers it
 * expands to the list itself, on K&R compilers to an empty `()`.  In the
 * latter case the function-pointer typedefs at the end of this header
 * become unprototyped, so argument types are not checked by the compiler.
 */
#if defined (__STDC__) || defined (_MSC_VER)
#ifndef __P
#define __P(x) x
#endif
#else
#ifndef __P
#define __P(x) ()
#endif
#endif
43 
__BEGIN_DECLS

/*
 * des.h is needed for des_cblock, the type of every session-key field in
 * the structures below and of the key output of key_proc_t.  On K&R
 * compilers NOPROTO is forced on first so des.h does not emit prototypes
 * the compiler cannot parse.
 */
#if !defined(NOPROTO) && !defined(__STDC__)
#define NOPROTO
#endif
#include <des.h>

/*
 * CNS compatibility ahead!  KRB_INT32/KRB_UINT32 are the spellings used
 * by the CNS Kerberos headers (presumably Cygnus Network Security) for the
 * 32-bit wire integer types.  They are overridable so a build that already
 * defines them does not hit a macro redefinition.  u_int32_t is a BSD
 * name rather than a C99 one; it is expected to come from <ktypes.h>
 * included above -- confirm on non-BSD targets.
 */
#ifndef KRB_INT32
#define KRB_INT32 int32_t
#endif
#ifndef KRB_UINT32
#define KRB_UINT32 u_int32_t
#endif
59 
/* Global library variables. */
/*
 * Process-wide switches.  Both relax a check, so they should stay at the
 * library default unless the deployment really needs otherwise:
 *  - krb_ignore_ip_address: skip comparing the address carried in a
 *    ticket with the address the request arrived from.  Needed behind
 *    NAT or on multi-homed hosts, but it removes the binding of a ticket
 *    to its originating host, so a stolen ticket is usable from anywhere.
 *  - krb_no_long_lifetimes: disable the AFS-compatible extended lifetime
 *    encoding (affects how DEFAULT_TKT_LIFE below is interpreted).
 */
extern int krb_ignore_ip_address; /* To turn off IP address comparison */
extern int krb_no_long_lifetimes; /* To disable AFS compatible lifetimes */
extern int krbONE;
/*
 * Run-time endianness probe.  krbONE presumably holds the integer 1 (it is
 * defined in the library, not here); its first byte is 1 on a
 * little-endian host and 0 on a big-endian one.  Reading the first byte
 * through a char pointer is well-defined (char may alias any object).
 */
#define         HOST_BYTE_ORDER (* (char *) &krbONE)
/* Debug variables */
/* Non-zero enables diagnostic output; debug output may include principal names. */
extern int krb_debug;
extern int krb_ap_req_debug;
extern int krb_dns_debug;


/* Text describing error codes */
/*
 * Indexed by error code.  Bounds-check before indexing: not every status
 * defined in this header is a valid index (SAFE_PRIV_ERROR below is -1)
 * and KFAILURE == 255 is the last valid slot.
 */
#define		MAX_KRB_ERRORS	256
extern const char *krb_err_txt[MAX_KRB_ERRORS];

/* General definitions */
/* Generic success/failure codes; specific failures use the ranges further down. */
#define		KSUCCESS	0
#define		KFAILURE	255
78 
79 /*
80  * Kerberos specific definitions
81  *
82  * KRBLOG is the log file for the kerberos master server. KRB_CONF is
83  * the configuration file where different host machines running master
84  * and slave servers can be found. KRB_MASTER is the name of the
85  * machine with the master database.  The admin_server runs on this
86  * machine, and all changes to the db (as opposed to read-only
87  * requests, which can go to slaves) must go to it. KRB_HOST is the
88  * default machine * when looking for a kerberos slave server.  Other
89  * possibilities are * in the KRB_CONF file. KRB_REALM is the name of
90  * the realm.
91  */
92 
93 /* /etc/kerberosIV is only for backwards compatibility, don't use it! */
94 #ifndef KRB_CONF
95 #define KRB_CONF	"/etc/krb.conf"
96 #endif
97 #ifndef KRB_RLM_TRANS
98 #define KRB_RLM_TRANS   "/etc/krb.realms"
99 #endif
100 #ifndef KRB_CNF_FILES
101 #define KRB_CNF_FILES	{ KRB_CONF,   "/etc/kerberosIV/krb.conf", 0}
102 #endif
103 #ifndef KRB_RLM_FILES
104 #define KRB_RLM_FILES	{ KRB_RLM_TRANS, "/etc/kerberosIV/krb.realms", 0}
105 #endif
106 #ifndef KRB_EQUIV
107 #define KRB_EQUIV	"/etc/krb.equiv"
108 #endif
109 #define KRB_MASTER	"kerberos"
110 #ifndef KRB_REALM
111 #define KRB_REALM	(krb_get_default_realm())
112 #endif
113 
/* The maximum sizes for aname, realm, sname, and instance +1 */
/*
 * Fixed widths of the name fields in the structures below, including the
 * terminating NUL, so the longest component is 39 characters.  Any copy
 * of network- or user-supplied data into a field of these sizes must be
 * length-bounded (snprintf/strlcpy style), never strcpy'd, and the
 * result must be checked for NUL termination.
 */
#define 	ANAME_SZ	40
#define		REALM_SZ	40
#define		SNAME_SZ	40
#define		INST_SZ		40
/* Leave space for quoting */
/*
 * Longest quoted "name.instance@realm" plus NUL.  The arithmetic is
 * consistent with every character of the three components being escaped
 * to two characters: 2*39*3 for the components, plus '.', '@' and the
 * NUL, which equals 2*(ANAME_SZ+INST_SZ+REALM_SZ) - 3 == 237.
 */
#define		MAX_K_NAME_SZ	(2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3)
#define		KKEY_SZ		100
#define		VERSION_SZ	1
#define		MSG_TYPE_SZ	1
#define		DATE_SZ		26	/* RTI date output; 26 matches a ctime(3)-style string incl. NUL */

#define MAX_HSTNM 100 /* for compatibility */
127 
/*
 * A parsed Kerberos 4 principal "name.instance@realm", each component
 * NUL-terminated within its fixed-size field (see ANAME_SZ & co.).
 * Fillers must bound the copy to the field size; an unterminated field
 * here propagates to every later strcmp/printf of the principal.
 */
typedef struct krb_principal{
    char name[ANAME_SZ];
    char instance[INST_SZ];
    char realm[REALM_SZ];
}krb_principal;
133 
#ifndef DEFAULT_TKT_LIFE	/* allow compile-time override */
/* default lifetime for krb_mk_req & co., 10 hrs */
/*
 * 141 is a value in the library's encoded-lifetime units, not minutes.
 * The "10 hrs" reading assumes the AFS-compatible long-lifetime table,
 * which krb_no_long_lifetimes (above) can turn off -- confirm against the
 * lifetime conversion routine before relying on the wall-clock figure.
 */
#define	DEFAULT_TKT_LIFE 141
#endif

/* Service name of the ticket-granting service. */
#define		KRB_TICKET_GRANTING_TICKET	"krbtgt"

/* Definition of text structure used to pass text around */
/* Capacity of the inline buffer in struct ktext; every KTEXT copy is bounded by this. */
#define		MAX_KTXT_LEN	1250
143 
/*
 * Variable-length byte blob (tickets, authenticators, KDC replies) with a
 * fixed-capacity inline buffer.
 *
 * Security: `length` is the only bound on `dat`.  Code that fills a KTEXT
 * from the network or decrypts into it must verify length <= MAX_KTXT_LEN
 * before every copy, and readers must treat `length` as untrusted when
 * the object came from a peer.  `mbz` ("must be zero") lies past the end
 * of `dat` (after alignment padding, since `dat` is 1250 bytes) so that a
 * string running off the end of `dat` is terminated and a larger overrun
 * can be detected by checking mbz == 0.  It is a tripwire only: a one- or
 * two-byte overrun lands in the padding and is not caught, so it does not
 * replace the length check.
 */
struct ktext {
    unsigned int length;		/* Length of the text */
    unsigned char dat[MAX_KTXT_LEN];	/* The data itself */
    u_int32_t mbz;		/* zero to catch runaway strings */
};

typedef struct ktext *KTEXT;
typedef struct ktext KTEXT_ST;
152 
153 
/* Definitions for send_to_kdc */
/*
 * Retry policy for the KDC exchange: presumably CLIENT_KRB_RETRY attempts
 * spaced CLIENT_KRB_TIMEOUT seconds apart (the exact schedule lives in
 * send_to_kdc).  CLIENT_KRB_BUFLEN is the largest request that is sent
 * without fragmentation.
 */
#define	CLIENT_KRB_TIMEOUT	4	/* default time between retries */
#define CLIENT_KRB_RETRY	5	/* retry this many times */
#define	CLIENT_KRB_BUFLEN	512	/* max unfragmented packet */

/* Definitions for ticket file utilities */
/* Open mode for the ticket (credential cache) file. */
#define	R_TKT_FIL	0
#define	W_TKT_FIL	1
162 
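/* Parameters for rd_ap_req */
/*
 * Maximum allowable clock skew, in seconds, between the timestamp in a
 * client's authenticator and the local clock (5 minutes).  The value is
 * parenthesised so the macro is safe inside arithmetic: the previous
 * unparenthesised `5*60` expanded `x / CLOCK_SKEW` to `x / 5 * 60`.
 *
 * This window is presumably also how long a captured authenticator stays
 * replayable before RD_AP_TIME rejects it, so widening it to paper over
 * clock drift weakens the replay defence; fix the clocks instead.
 */
#define 	CLOCK_SKEW	(5*60)
/* Filename for readservkey */
/* Service key file; the default path is resolved at run time by the library. */
#ifndef		KEYFILE
#define		KEYFILE		(krb_get_default_keyfile())
#endif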
170 
/* Structure definition for rd_ap_req */

/*
 * Result of verifying an AP_REQ: who the client is and the session key
 * the two sides now share.  Everything here was decrypted from the ticket
 * with the service key, so the principal fields are authentic only after
 * rd_ap_req returned RD_AP_OK -- callers must not use a partially filled
 * AUTH_DAT on error.  `session` is key material: zero it (explicit_bzero
 * or equivalent, not plain memset) when the structure is discarded.
 */
struct auth_dat {
    unsigned char k_flags;	/* Flags from ticket */
    char    pname[ANAME_SZ];	/* Principal's name */
    char    pinst[INST_SZ];	/* His Instance */
    char    prealm[REALM_SZ];	/* His Realm */
    u_int32_t checksum;		/* Data checksum (opt) */
    des_cblock session;		/* Session Key */
    int     life;		/* Life of ticket (encoded units, see DEFAULT_TKT_LIFE) */
    u_int32_t time_sec;		/* Time ticket issued; unsigned here, but int32_t in credentials/msg_dat -- beware mixed comparisons */
    u_int32_t address;		/* Address in ticket; compared with the peer unless krb_ignore_ip_address */
    KTEXT_ST reply;		/* Auth reply (opt) */
};

typedef struct auth_dat AUTH_DAT;
187 
/* Structure definition for credentials returned by get_cred */

/*
 * One entry of the ticket file: a service ticket plus the session key
 * that goes with it.  Because `session` is a live key, a CREDENTIALS on
 * the stack or heap should be zeroed before it goes out of scope, and
 * any file or log that receives it must be owner-readable only.
 */
struct credentials {
    char    service[ANAME_SZ];	/* Service name */
    char    instance[INST_SZ];	/* Instance */
    char    realm[REALM_SZ];	/* Auth domain */
    des_cblock session;		/* Session key */
    int     lifetime;		/* Lifetime (encoded units, see DEFAULT_TKT_LIFE) */
    int     kvno;		/* Key version number */
    KTEXT_ST ticket_st;		/* The ticket itself */
    int32_t    issue_date;	/* The issue time; presumably seconds since the epoch, so it overflows in 2038 */
    char    pname[ANAME_SZ];	/* Principal's name */
    char    pinst[INST_SZ];	/* Principal's instance */
};

typedef struct credentials CREDENTIALS;
204 
/* Structure definition for rd_private_msg and rd_safe_msg */

/*
 * Output of krb_rd_priv / krb_rd_safe.  `app_data` is a pointer, not a
 * copy: it presumably points into the message buffer the caller passed
 * in, so it is valid only as long as that buffer is.  `hash`, `time_sec`
 * and `time_5ms` identify the message for replay detection; an
 * application that wants replay protection must actually keep and
 * consult such a cache, the library only supplies the key.
 */
struct msg_dat {
    unsigned char *app_data;	/* pointer to appl data */
    u_int32_t app_length;	/* length of appl data */
    u_int32_t hash;		/* hash to lookup replay */
    int     swap;		/* swap bytes? (sender's byte order differs from ours) */
    int32_t    time_sec;		/* msg timestamp seconds */
    unsigned char time_5ms;	/* msg timestamp 5ms units */
};

typedef struct msg_dat MSG_DAT;
217 
/*
 * One KDC endpoint for a realm, as parsed from KRB_CONF: hostname,
 * transport, port and whether the host is the admin (master) server.
 * `realm` and `host` are pointers; ownership is not specified here --
 * check the function that returns these before freeing either.
 */
struct krb_host {
    char *realm;
    char *host;
    enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto;
    int port;
    int admin;
};
225 
/* Location of ticket file for save_cred and get_cred */
/*
 * The ticket file holds tickets and their session keys in the clear, so
 * it must be created owner-read/write only.  TKT_FILE is resolved at run
 * time by tkt_string(); if that honours an environment variable (as is
 * usual for ticket caches -- confirm), privileged programs must not
 * trust the path they are handed.
 */
#define TKT_FILE        tkt_string()
#ifndef TKT_ROOT
#define TKT_ROOT        (krb_get_default_tkt_root())
#endif
231 
/* Error codes returned from the KDC */
/*
 * Status codes carried in the KDC's reply (0-10, 20).  These come off the
 * network, so treat any value outside this set as a protocol error rather
 * than indexing krb_err_txt with it.
 */
#define		KDC_OK		0	/* Request OK */
#define		KDC_NAME_EXP	1	/* Principal expired */
#define		KDC_SERVICE_EXP	2	/* Service expired */
#define		KDC_AUTH_EXP	3	/* Auth expired */
#define		KDC_PKT_VER	4	/* Protocol version unknown */
#define		KDC_P_MKEY_VER	5	/* Wrong master key version (principal's key) */
#define		KDC_S_MKEY_VER 	6	/* Wrong master key version (service's key) */
#define		KDC_BYTE_ORDER	7	/* Byte order unknown */
#define		KDC_PR_UNKNOWN	8	/* Principal unknown */
#define		KDC_PR_N_UNIQUE 9	/* Principal not unique */
#define		KDC_NULL_KEY   10	/* Principal has null key */
#define		KDC_GEN_ERR    20	/* Generic error from KDC */
245 
246 
/* Values returned by get_credentials */
/* GC_* and RET_* are the same codes under two names (21-22). */
#define		GC_OK		0	/* Retrieve OK */
#define		RET_OK		0	/* Retrieve OK */
#define		GC_TKFIL       21	/* Can't read ticket file */
#define		RET_TKFIL      21	/* Can't read ticket file */
#define		GC_NOTKT       22	/* Can't find ticket or TGT */
#define		RET_NOTKT      22	/* Can't find ticket or TGT */


/* Values returned by mk_ap_req	 */
#define		MK_AP_OK	0	/* Success */
#define		MK_AP_TGTEXP   26	/* TGT Expired */

/* Values returned by rd_ap_req */
/*
 * Codes 31-43.  Only RD_AP_OK means the request was authenticated; every
 * other value must be treated as a failed authentication, not merely a
 * warning (RD_AP_EXP and RD_AP_NYV included).
 */
#define		RD_AP_OK	0	/* Request authentic */
#define		RD_AP_UNDEC    31	/* Can't decode authenticator */
#define		RD_AP_EXP      32	/* Ticket expired */
#define		RD_AP_NYV      33	/* Ticket not yet valid */
#define		RD_AP_REPEAT   34	/* Repeated request */
#define		RD_AP_NOT_US   35	/* The ticket isn't for us */
#define		RD_AP_INCON    36	/* Request is inconsistent */
#define		RD_AP_TIME     37	/* delta_t too big (exceeds CLOCK_SKEW) */
#define		RD_AP_BADD     38	/* Incorrect net address */
#define		RD_AP_VERSION  39	/* protocol version mismatch */
#define		RD_AP_MSG_TYPE 40	/* invalid msg type */
#define		RD_AP_MODIFIED 41	/* message stream modified */
#define		RD_AP_ORDER    42	/* message out of order */
#define		RD_AP_UNAUTHOR 43	/* unauthorized request */
275 
/* Values returned by get_pw_tkt */
/* Codes 51-55. */
#define		GT_PW_OK	0	/* Got password changing tkt */
#define		GT_PW_NULL     51	/* Current PW is null */
#define		GT_PW_BADPW    52	/* Incorrect current password */
#define		GT_PW_PROT     53	/* Protocol Error */
#define		GT_PW_KDCERR   54	/* Error returned by KDC */
#define		GT_PW_NULLTKT  55	/* Null tkt returned by KDC */


/* Values returned by send_to_kdc */
/* Codes 56-57. */
#define		SKDC_OK		0	/* Response received */
#define		SKDC_RETRY     56	/* Retry count exceeded */
#define		SKDC_CANT      57	/* Can't send request */

/*
 * Values returned by get_intkt
 * (can also return SKDC_* and KDC errors)
 * Codes 61-70.
 */

#define		INTK_OK		0	/* Ticket obtained */
#define		INTK_W_NOTALL  61	/* Not ALL tickets returned */
#define		INTK_BADPW     62	/* Incorrect password */
#define		INTK_PROT      63	/* Protocol Error */
#define		INTK_ERR       70	/* Other error */

/* Values returned by get_adtkt */
/* Codes 71-72. */
#define         AD_OK           0	/* Ticket Obtained */
#define         AD_NOTGT       71	/* Don't have tgt */
#define         AD_INTR_RLM_NOTGT 72	/* Can't get inter-realm tgt */

/* Error codes returned by ticket file utilities */
/* Codes 76-80. */
#define		NO_TKT_FIL	76	/* No ticket file found */
#define		TKT_FIL_ACC	77	/* Couldn't access tkt file */
#define		TKT_FIL_LCK	78	/* Couldn't lock ticket file */
#define		TKT_FIL_FMT	79	/* Bad ticket file format */
#define		TKT_FIL_INI	80	/* tf_init not called first */

/* Error code returned by kparse_name */
#define		KNAME_FMT	81	/* Bad Kerberos name format */

/* Error code returned by krb_mk_safe */
/*
 * The one negative status in this header.  It is NOT a valid index into
 * krb_err_txt; map it (or check for it) before translating a krb_mk_safe
 * result to text.
 */
#define		SAFE_PRIV_ERROR	-1	/* syscall error */
318 
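/* Defines for krb_sendauth and krb_recvauth */
/*
 * Option bits OR'd into the `options` argument of krb_sendauth /
 * krb_recvauth.  All four are written as 32-bit hex literals so the bit
 * layout is visible (KOPT_IGNORE_PROTOCOL was previously written 0x0008;
 * the value is unchanged).
 *
 * KOPT_DO_MUTUAL is the only one that adds protection: without it the
 * client does not get proof that the server holds the service key.
 * KOPT_DONT_CANON skips canonicalising the instance as a hostname;
 * KOPT_IGNORE_PROTOCOL relaxes the version-string check -- both loosen
 * what the peer is compared against, so enable them deliberately.
 */

#define	KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */
#define	KOPT_DO_MUTUAL   0x00000002 /* do mutual auth */

#define	KOPT_DONT_CANON  0x00000004 /*
				     * don't canonicalize inst as
				     * a hostname
				     */

#define KOPT_IGNORE_PROTOCOL 0x00000008 /* accept a peer whose version string does not match (presumed; see krb_recvauth) */

#define	KRB_SENDAUTH_VLEN 8	    /* length for version strings */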
332 
333 
/* flags for krb_verify_user() */
/*
 * Security: KRB_VERIFY_NOT_SECURE presumably makes krb_verify_user accept
 * a password on the strength of the KDC reply alone, without checking the
 * resulting TGT against a local service key.  That is the classic
 * spoofed-KDC weakness for password verification; any login-style use
 * should pass KRB_VERIFY_SECURE (or _SECURE_FAIL, which presumably fails
 * rather than falls back when no service key is available) -- confirm the
 * exact semantics in krb_verify_user.
 */
#define KRB_VERIFY_NOT_SECURE	0
#define KRB_VERIFY_SECURE	1
#define KRB_VERIFY_SECURE_FAIL	2

/* Library version string. */
extern char *krb4_version;
340 
/*
 * Callback that derives the DES key for name.instance@realm from
 * `password` and stores it in *key.  `instance` is INOUT: the callback
 * may rewrite it (e.g. to a canonical form).  `password` is a secret and
 * is declared const: the callback must not rely on it being zeroed by
 * anyone else, and implementations should wipe any intermediate copies.
 * Returns an int status (0 presumably meaning success, by the KSUCCESS
 * convention above).
 */
typedef int (*key_proc_t) __P((const char *name,
			       char *instance, /* INOUT parameter */
			       const char *realm,
			       const void *password,
			       des_cblock *key));

/*
 * Callback that decrypts a KDC reply for name.instance@realm, using the
 * supplied key_proc_t and its opaque `arg` to obtain the key, and leaves
 * the decrypted text in the KTEXT passed via the final argument.  Under
 * __P() on K&R compilers both typedefs lose their parameter lists.
 */
typedef int (*decrypt_proc_t) __P((const char *name,
				   const char *instance,
				   const char *realm,
				   const void *arg,
				   key_proc_t,
				   KTEXT *));
353 
354 #include "krb-protos.h"
355 
356 __END_DECLS
357 
358 #endif /* __KRB_H__ */
359