kdc_util.h   [plain text]

/*
 * kdc/kdc_util.h
 *
 * Portions Copyright (C) 2007 Apple Inc.
 * Copyright 1990 by the Massachusetts Institute of Technology.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 * 
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 * 
 *
 * Declarations for policy.c
 */

#ifndef __KRB5_KDC_UTIL__
#define __KRB5_KDC_UTIL__

#include "kdb.h"

typedef struct _krb5_fulladdr {
    krb5_address *	address;
    krb5_ui_4		port;
} krb5_fulladdr;

krb5_error_code check_hot_list (krb5_ticket *);
krb5_boolean realm_compare (krb5_principal, krb5_principal);
krb5_boolean krb5_is_tgs_principal (krb5_principal);
krb5_error_code add_to_transited (krb5_data *,
					    krb5_data *,
					    krb5_principal,
					    krb5_principal,
					    krb5_principal);
krb5_error_code compress_transited (krb5_data *,
					      krb5_principal,
					      krb5_data *);
krb5_error_code concat_authorization_data (krb5_authdata **,
						     krb5_authdata **,
						     krb5_authdata ***);
krb5_error_code fetch_last_req_info (krb5_db_entry *,
					       krb5_last_req_entry ***);

krb5_error_code kdc_convert_key (krb5_keyblock *,
					   krb5_keyblock *,
					   int);
krb5_error_code kdc_process_tgs_req 
	(krb5_kdc_req *,
	           const krb5_fulladdr *,
	           krb5_data *,
	           krb5_ticket **,
	           krb5_keyblock **);

krb5_error_code kdc_get_server_key (krb5_ticket *,
					      krb5_keyblock **,
					      krb5_kvno *);

int validate_as_request (krb5_kdc_req *, krb5_db_entry, 
					  krb5_db_entry, krb5_timestamp,
					  const char **);

int validate_tgs_request (krb5_kdc_req *, krb5_db_entry, 
					  krb5_ticket *, krb5_timestamp,
					  const char **);

int fetch_asn1_field (unsigned char *, unsigned int, unsigned int,
				 krb5_data *);

int
dbentry_has_key_for_enctype (krb5_context context,
				       krb5_db_entry *client,
				       krb5_enctype enctype);
    
int
dbentry_supports_enctype (krb5_context context,
				    krb5_db_entry *client,
				    krb5_enctype enctype);

krb5_enctype
select_session_keytype (krb5_context context,
				  krb5_db_entry *server,
				  int nktypes,
				  krb5_enctype *ktypes);

krb5_error_code
get_salt_from_key (krb5_context, krb5_principal,
			     krb5_key_data *, krb5_data *);

void limit_string (char *name);

void
ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);

void
rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);

/* do_as_req.c */
krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *,
					  const krb5_fulladdr *,
					  krb5_data ** );

/* do_tgs_req.c */
krb5_error_code process_tgs_req (krb5_data *,
					   const krb5_fulladdr *,
					   krb5_data ** );
/* dispatch.c */
krb5_error_code dispatch (krb5_data *,
				    const krb5_fulladdr *,
				    krb5_data **);

/* main.c */
krb5_error_code kdc_initialize_rcache (krb5_context, char *);

krb5_error_code setup_server_realm (krb5_principal);

/* network.c */
krb5_error_code listen_and_process (const char *);
krb5_error_code setup_network (const char *);
krb5_error_code closedown_network (const char *);

/* policy.c */
int against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
					krb5_db_entry, krb5_timestamp,
					const char **);

int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
					krb5_ticket *, const char **);

/* kdc_preauth.c */
const char * missing_required_preauth
    (krb5_db_entry *client, krb5_db_entry *server,
	       krb5_enc_tkt_part *enc_tkt_reply);
void get_preauth_hint_list (krb5_kdc_req * request,
				      krb5_db_entry *client,
				      krb5_db_entry *server,
				      krb5_data *e_data);
krb5_error_code load_preauth_plugins(krb5_context context);
krb5_error_code unload_preauth_plugins(krb5_context context);

krb5_error_code check_padata
    (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
	       krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
	       void **padata_context, krb5_data *e_data);
    
krb5_error_code return_padata
    (krb5_context context, krb5_db_entry *client,
	       krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
	       krb5_key_data *client_key, krb5_keyblock *encrypting_key,
	       void **padata_context);
    
krb5_error_code free_padata_context
    (krb5_context context, void **padata_context);

/* kdc_authdata.c */
krb5_error_code load_authdata_plugins(krb5_context context);
krb5_error_code unload_authdata_plugins(krb5_context context);

krb5_error_code handle_authdata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
	      krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply);

/* replay.c */
krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
void kdc_insert_lookaside (krb5_data *, krb5_data *);
void kdc_free_lookaside(krb5_context);

/* which way to convert key? */
#define CONVERT_INTO_DB	0
#define CONVERT_OUTOF_DB 1

#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
#define clear(flagfield, flag) (flagfield &= ~(flag))

#ifdef KRB5_KRB4_COMPAT
krb5_error_code process_v4 (const krb5_data *,
				      const krb5_fulladdr *,
				      krb5_data **);
void process_v4_mode (const char *, const char *);
void enable_v4_crossrealm(char *);
#else
#define process_v4(foo,bar,quux,foobar)	KRB5KRB_AP_ERR_BADVERSION
#endif

#ifndef	min
#define	min(a, b)	((a) < (b) ? (a) : (b))
#define	max(a, b)	((a) > (b) ? (a) : (b))
#endif

#ifdef KRB5_USE_INET6
#define ADDRTYPE2FAMILY(X) \
  ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
#else
#define ADDRTYPE2FAMILY(X) \
  ((X) == ADDRTYPE_INET ? AF_INET : -1)
#endif

/* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK
 * RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED */
#define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED

#endif /* __KRB5_KDC_UTIL__ */