1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
/*
* kdc/kdc_util.h
*
* Portions Copyright (C) 2007 Apple Inc.
* Copyright 1990, 2007 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
*
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
* notice appear in all copies and that both that copyright notice and
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*
*
* Declarations for policy.c
*/
#ifndef __KRB5_KDC_UTIL__
#define __KRB5_KDC_UTIL__
#include "kdb.h"
typedef struct _krb5_fulladdr {
krb5_address * address;
krb5_ui_4 port;
} krb5_fulladdr;
krb5_error_code check_hot_list (krb5_ticket *);
krb5_boolean realm_compare (krb5_principal, krb5_principal);
krb5_boolean krb5_is_tgs_principal (krb5_principal);
krb5_error_code add_to_transited (krb5_data *,
krb5_data *,
krb5_principal,
krb5_principal,
krb5_principal);
krb5_error_code compress_transited (krb5_data *,
krb5_principal,
krb5_data *);
krb5_error_code concat_authorization_data (krb5_authdata **,
krb5_authdata **,
krb5_authdata ***);
krb5_error_code fetch_last_req_info (krb5_db_entry *,
krb5_last_req_entry ***);
krb5_error_code kdc_convert_key (krb5_keyblock *,
krb5_keyblock *,
int);
krb5_error_code kdc_process_tgs_req
(krb5_kdc_req *,
const krb5_fulladdr *,
krb5_data *,
krb5_ticket **,
krb5_keyblock **);
krb5_error_code kdc_get_server_key (krb5_ticket *,
krb5_keyblock **,
krb5_kvno *);
int validate_as_request (krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
const char **);
int validate_tgs_request (krb5_kdc_req *, krb5_db_entry,
krb5_ticket *, krb5_timestamp,
const char **);
int fetch_asn1_field (unsigned char *, unsigned int, unsigned int,
krb5_data *);
int
dbentry_has_key_for_enctype (krb5_context context,
krb5_db_entry *client,
krb5_enctype enctype);
int
dbentry_supports_enctype (krb5_context context,
krb5_db_entry *client,
krb5_enctype enctype);
krb5_enctype
select_session_keytype (krb5_context context,
krb5_db_entry *server,
int nktypes,
krb5_enctype *ktypes);
krb5_error_code
get_salt_from_key (krb5_context, krb5_principal,
krb5_key_data *, krb5_data *);
void limit_string (char *name);
void
ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
void
rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
/* do_as_req.c */
krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *,
const krb5_fulladdr *,
krb5_data ** );
/* do_tgs_req.c */
krb5_error_code process_tgs_req (krb5_data *,
const krb5_fulladdr *,
krb5_data ** );
/* dispatch.c */
krb5_error_code dispatch (krb5_data *,
const krb5_fulladdr *,
krb5_data **);
/* main.c */
krb5_error_code kdc_initialize_rcache (krb5_context, char *);
krb5_error_code setup_server_realm (krb5_principal);
/* network.c */
krb5_error_code listen_and_process (const char *);
krb5_error_code setup_network (const char *);
krb5_error_code closedown_network (const char *);
/* policy.c */
int against_local_policy_as (krb5_kdc_req *, krb5_db_entry,
krb5_db_entry, krb5_timestamp,
const char **);
int against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry,
krb5_ticket *, const char **);
/* kdc_preauth.c */
const char * missing_required_preauth
(krb5_db_entry *client, krb5_db_entry *server,
krb5_enc_tkt_part *enc_tkt_reply);
void get_preauth_hint_list (krb5_kdc_req * request,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_data *e_data);
krb5_error_code load_preauth_plugins(krb5_context context);
krb5_error_code unload_preauth_plugins(krb5_context context);
krb5_error_code check_padata
(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
void **padata_context, krb5_data *e_data);
krb5_error_code return_padata
(krb5_context context, krb5_db_entry *client,
krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply,
krb5_key_data *client_key, krb5_keyblock *encrypting_key,
void **padata_context);
krb5_error_code free_padata_context
(krb5_context context, void **padata_context);
/* kdc_authdata.c */
krb5_error_code load_authdata_plugins(krb5_context context);
krb5_error_code unload_authdata_plugins(krb5_context context);
krb5_error_code handle_authdata (krb5_context context, krb5_db_entry *client,
krb5_data *req_pkt, krb5_kdc_req *request,
krb5_enc_tkt_part *enc_tkt_reply);
/* replay.c */
krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **);
void kdc_insert_lookaside (krb5_data *, krb5_data *);
void kdc_free_lookaside(krb5_context);
/* kdc_util.c */
krb5_error_code
get_principal_locked (krb5_context kcontext,
krb5_const_principal search_for,
krb5_db_entry *entries, int *nentries,
krb5_boolean *more);
krb5_error_code
get_principal (krb5_context kcontext,
krb5_const_principal search_for,
krb5_db_entry *entries, int *nentries, krb5_boolean *more);
void
log_as_req(const krb5_fulladdr *from,
krb5_kdc_req *request, krb5_kdc_rep *reply,
const char *cname, const char *sname,
krb5_timestamp authtime,
const char *status, krb5_error_code errcode, const char *emsg);
void
log_tgs_req(const krb5_fulladdr *from,
krb5_kdc_req *request, krb5_kdc_rep *reply,
const char *cname, const char *sname, const char *altcname,
krb5_timestamp authtime,
const char *status, krb5_error_code errcode, const char *emsg);
void log_tgs_alt_tgt(krb5_principal p);
#define isflagset(flagfield, flag) (flagfield & (flag))
#define setflag(flagfield, flag) (flagfield |= (flag))
#define clear(flagfield, flag) (flagfield &= ~(flag))
#ifndef min
#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))
#endif
#ifdef KRB5_USE_INET6
#define ADDRTYPE2FAMILY(X) \
((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1)
#else
#define ADDRTYPE2FAMILY(X) \
((X) == ADDRTYPE_INET ? AF_INET : -1)
#endif
/* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK
* RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED */
#define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED
#endif /* __KRB5_KDC_UTIL__ */
|
