/*
 * include/krb5.h
 *
 * Copyright 1989,1990,1995 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 *   require a specific license from the United States Government.
 *   It is the responsibility of any person or organization contemplating
 *   export to obtain such a license before exporting.
 * 
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission.  M.I.T. makes no representations about the suitability of
 * this software for any purpose.  It is provided "as is" without express
 * or implied warranty.
 * 
 *
 * General definitions for Kerberos version 5.
 */

#ifndef KRB5_GENERAL__
#define KRB5_GENERAL__

#include "k5-config.h"

#include "base-defs.h"
#include "hostaddr.h"

/*
 * Per-library context.  Carries an array of encryption types with its
 * element count and an opaque pointer for OS-layer state.
 *
 * Note that the typedef names a POINTER to the struct: a krb5_context
 * variable is already a pointer, which the typedef hides.  The member
 * types (krb5_magic, krb5_enctype) come from the headers included above
 * and are not defined in this file.
 */
typedef struct _krb5_context {
	krb5_magic	magic;		/* structure magic number */
	krb5_enctype  * etypes;		/* array of enctypes; presumably
					   etype_count entries -- confirm */
	int		etype_count;	/* number of entries in etypes */
	void	      * os_context;	/* opaque OS-specific state */
} * krb5_context;

/* Opaque authentication context: only the struct tag is declared here so
   that pointers to it can appear in the prototypes below; the body is
   defined elsewhere, not in this file. */
struct _krb5_auth_context;
typedef struct _krb5_auth_context krb5_auth_context;

#include "encryption.h"
#include "fieldbits.h"
#include "errors.h"
#include "proto.h"
#include "macros.h"
#include "error_def.h"

/* Ticket lifetime timestamps: authtime, starttime, endtime, renew_till.
   Per the comments below, starttime is optional and defaults to authtime. */
typedef struct _krb5_ticket_times {
    krb5_timestamp authtime; /* XXX ? should ktime in KDC_REP == authtime
				in ticket? otherwise client can't get this */
    krb5_timestamp starttime;		/* optional in ticket, if not present,
					   use authtime */
    krb5_timestamp endtime;		/* end of the ticket's validity */
    krb5_timestamp renew_till;		/* renew-till time */
} krb5_ticket_times;

/* One authorization-data element: a type tag plus an octet string. */
typedef struct _krb5_authdata {
    krb5_magic magic;
    krb5_authdatatype ad_type;		/* type of this element */
    int length;				/* number of octets in contents.
					   NOTE(review): signed; code that
					   fills this from decoded input must
					   reject negative values before using
					   it as a size */
    krb5_octet *contents;		/* length octets; who owns/frees them
					   is not stated here */
} krb5_authdata;

/* Transited-realm encoding: an encoding type and the encoded contents. */
typedef struct _krb5_transited {
    krb5_magic magic;
    krb5_octet tr_type;			/* encoding type of tr_contents */
    krb5_data tr_contents;		/* encoded transited-realm data */
} krb5_transited;

/* The encrypted part of a ticket, in the clear (i.e. before encryption
   or after decryption).  caddrs and authorization_data are arrays of
   pointers; their termination convention is not shown in this header. */
typedef struct _krb5_enc_tkt_part {
    krb5_magic magic;
    /* to-be-encrypted portion */
    krb5_flags flags;			/* flags */
    krb5_keyblock *session;		/* session key: includes keytype */
    krb5_principal client;		/* client name/realm */
    krb5_transited transited;		/* list of transited realms */
    krb5_ticket_times times;		/* auth, start, end, renew_till */
    krb5_address **caddrs;		/* array of ptrs to addresses */
    krb5_authdata **authorization_data;	/* auth data */
} krb5_enc_tkt_part;

/* A ticket: the cleartext server name, the encrypted part as received,
   and -- only once it has been decrypted -- a pointer to the decoded
   contents.  NOTE(review): enc_part2 is documented as "if available",
   so callers should treat it as possibly NULL. */
typedef struct _krb5_ticket {
    krb5_magic magic;
    /* cleartext portion */
    krb5_principal server;		/* server name/realm */
    krb5_enc_data enc_part;		/* encryption type, kvno, encrypted
					   encoding */
    krb5_enc_tkt_part *enc_part2;	/* ptr to decrypted version, if
					   available (may be NULL) */
} krb5_ticket;

/* Authenticator in unencrypted form.  checksum and subkey are optional
   and so are pointers that may be NULL; authorization_data is an array
   of pointers to authdata elements. */
typedef struct _krb5_authenticator {
    krb5_magic magic;
    krb5_principal client;		/* client name/realm */
    krb5_checksum *checksum;		/* checksum, includes type, optional */
    krb5_int32 cusec;			/* client usec portion */
    krb5_timestamp ctime;		/* client sec portion */
    krb5_keyblock *subkey;		/* true session key, optional */
    krb5_int32 seq_number;		/* sequence #, optional */
    krb5_authdata **authorization_data; /* authorization data */
} krb5_authenticator;

/* A ticket paired with its authenticator and the AP options that
   accompanied them. */
typedef struct _krb5_tkt_authent {
    krb5_magic magic;
    krb5_ticket *ticket;		/* the ticket */
    krb5_authenticator *authenticator;	/* the (decrypted) authenticator */
    krb5_flags ap_options;		/* AP options */
} krb5_tkt_authent;

/* Credentials: a ticket together with its session key, lifetime, flags,
   addresses, and authorization data.  Note that keyblock and the
   ticket_times are embedded by value, while addresses and authdata are
   arrays of pointers. */
typedef struct _krb5_creds {
    krb5_magic magic;
    krb5_principal client;		/* client's principal identifier */
    krb5_principal server;		/* server's principal identifier */
    krb5_keyblock keyblock;		/* session encryption key info */
    krb5_ticket_times times;		/* lifetime info */
    krb5_boolean is_skey;		/* true if ticket is encrypted in
					   another ticket's skey */
    krb5_flags ticket_flags;		/* flags in ticket */
    krb5_address **addresses;		/* addrs in ticket */
    krb5_data ticket;			/* ticket string itself (encoded) */
    krb5_data second_ticket;		/* second ticket, if related to
					   ticket (via DUPLICATE-SKEY or
					   ENC-TKT-IN-SKEY) */
    krb5_authdata **authdata;		/* authorization data */
} krb5_creds;

/* One "last request" entry: a type code and a timestamp. */
typedef struct _krb5_last_req_entry {
    krb5_magic magic;
    krb5_octet lr_type;			/* type of this entry */
    krb5_timestamp value;		/* timestamp for this entry */
} krb5_last_req_entry;

/* One pre-authentication data element: a type code plus an octet string. */
typedef struct _krb5_pa_data {
    krb5_magic magic;
    krb5_ui_2  pa_type;			/* pre-authentication type */
    int length;				/* number of octets in contents.
					   NOTE(review): signed; decoders
					   filling this from the wire must
					   reject negative values before
					   using it as a size */
    krb5_octet *contents;		/* length octets */
} krb5_pa_data;

/* A KDC request (AS_REQ or TGS_REQ).  Pointer-array members (padata,
   addresses, unenc_authdata, second_ticket) are documented as optional
   and may therefore be NULL; etype has netypes entries. */
typedef struct _krb5_kdc_req {
    krb5_magic magic;
    krb5_msgtype msg_type;		/* AS_REQ or TGS_REQ? */
    krb5_pa_data **padata;		/* e.g. encoded AP_REQ */
    /* real body */
    krb5_flags kdc_options;		/* requested options */
    krb5_principal client;		/* includes realm; optional */
    krb5_principal server;		/* includes realm (only used if no
					   client) */
    krb5_timestamp from;		/* requested starttime */
    krb5_timestamp till;		/* requested endtime */
    krb5_timestamp rtime;		/* (optional) requested renew_till */
    krb5_int32 nonce;			/* nonce to match request/response */
    int netypes;			/* # of etypes, must be positive;
					   NOTE(review): signed -- validate
					   before using as an array bound */
    krb5_enctype *etype;		/* requested encryption type(s),
					   netypes entries */
    krb5_address **addresses;		/* requested addresses, optional */
    krb5_enc_data authorization_data;	/* encrypted auth data; OPTIONAL */
    krb5_authdata **unenc_authdata;	/* unencrypted auth data,
					   if available */
    krb5_ticket **second_ticket;	/* second ticket array; OPTIONAL */
} krb5_kdc_req;

/* The encrypted part of a KDC reply, in decoded form.  last_req and
   caddrs are arrays of pointers; caddrs is optional. */
typedef struct _krb5_enc_kdc_rep_part {
    krb5_magic magic;
    /* encrypted part: */
    krb5_msgtype msg_type;		/* krb5 message type */
    krb5_keyblock *session;		/* session key */
    krb5_last_req_entry **last_req;	/* array of ptrs to entries */
    krb5_int32 nonce;			/* nonce from request */
    krb5_timestamp key_exp;		/* expiration date */
    krb5_flags flags;			/* ticket flags */
    krb5_ticket_times times;		/* lifetime info */
    krb5_principal server;		/* server's principal identifier */
    krb5_address **caddrs;		/* array of ptrs to addresses,
					   optional */
} krb5_enc_kdc_rep_part;

/* A KDC reply: the cleartext fields plus the encrypted part as received.
   NOTE(review): enc_part2 is documented as "if available" and so may be
   NULL until the reply has been decrypted. */
typedef struct _krb5_kdc_rep {
    krb5_magic magic;
    /* cleartext part: */
    krb5_msgtype msg_type;		/* AS_REP or KDC_REP? */
    krb5_pa_data **padata;		/* preauthentication data from KDC */
    krb5_principal client;		/* client's principal identifier */
    krb5_ticket *ticket;		/* ticket */
    krb5_enc_data enc_part;		/* encryption type, kvno, encrypted
					   encoding */
    krb5_enc_kdc_rep_part *enc_part2;	/* unencrypted version, if available
					   (may be NULL) */
} krb5_kdc_rep;

/* Error message.  Several fields are documented as optional or as
   "meaningless in certain contexts", so consumers should not rely on
   them being populated. */
typedef struct _krb5_error {
    krb5_magic magic;
    /* some of these may be meaningless in certain contexts */
    krb5_timestamp ctime;		/* client sec portion; optional */
    krb5_int32 cusec;			/* client usec portion; optional */
    krb5_int32 susec;			/* server usec portion */
    krb5_timestamp stime;		/* server sec portion */
    krb5_ui_4 error;			/* error code (protocol error #'s) */
    krb5_principal client;		/* client's principal identifier;
					   optional */
    krb5_principal server;		/* server's principal identifier */
    krb5_data text;			/* descriptive text */
    krb5_data e_data;			/* additional error-describing data */
} krb5_error;

/* AP request: options, the ticket, and the authenticator in its
   still-encrypted form. */
typedef struct _krb5_ap_req {
    krb5_magic magic;
    krb5_flags ap_options;		/* requested options */
    krb5_ticket *ticket;		/* ticket */
    krb5_enc_data authenticator;	/* authenticator (already encrypted) */
} krb5_ap_req;

/* AP reply as received: only an encrypted part (decoded form is
   krb5_ap_rep_enc_part). */
typedef struct _krb5_ap_rep {
    krb5_magic magic;
    krb5_enc_data enc_part;		/* encrypted part */
} krb5_ap_rep;

/* Decrypted contents of an AP reply.  subkey is optional and may be NULL. */
typedef struct _krb5_ap_rep_enc_part {
    krb5_magic magic;
    krb5_timestamp ctime;		/* client time, seconds portion */
    krb5_int32 cusec;			/* client time, microseconds portion */
    krb5_keyblock *subkey;		/* true session key, optional */
    krb5_int32 seq_number;		/* sequence #, optional */
} krb5_ap_rep_enc_part;

/* A generic response: a one-octet message type plus the response bytes. */
typedef struct _krb5_response {
    krb5_magic magic;
    krb5_octet message_type;		/* type of the enclosed message */
    krb5_data response;			/* the response data */
} krb5_response;

/* KRB_SAFE message.  Unlike krb5_priv, which carries an enc_part, this
   structure holds user_data and the other fields directly, alongside a
   checksum that is the integrity protection for them. */
typedef struct _krb5_safe {
    krb5_magic magic;
    krb5_data user_data;		/* user data */
    krb5_timestamp timestamp;		/* client time, optional */
    krb5_int32 usec;			/* microsecond portion of time,
					   optional */
    krb5_int32 seq_number;		/* sequence #, optional */
    krb5_address *s_address;		/* sender address */
    krb5_address *r_address;		/* recipient address, optional */
    krb5_checksum *checksum;		/* data integrity checksum */
} krb5_safe;

/* KRB_PRIV message as received: only an encrypted part (decoded form is
   krb5_priv_enc_part). */
typedef struct _krb5_priv {
    krb5_magic magic;
    krb5_enc_data enc_part;		/* encrypted part */
} krb5_priv;

/* Decrypted contents of a KRB_PRIV message.  Same fields as krb5_safe
   minus the checksum. */
typedef struct _krb5_priv_enc_part {
    krb5_magic magic;
    krb5_data user_data;		/* user data */
    krb5_timestamp timestamp;		/* client time, optional */
    krb5_int32 usec;			/* microsecond portion of time, opt. */
    krb5_int32 seq_number;		/* sequence #, optional */
    krb5_address *s_address;		/* sender address */
    krb5_address *r_address;		/* recipient address, optional */
} krb5_priv_enc_part;

/* Per-ticket information carried in a KRB_CRED message: the session key
   plus optional client/server names, flags, times, and addresses. */
typedef struct _krb5_cred_info {
    krb5_magic magic;
    krb5_keyblock* session;             /* session key used to encrypt */
					/* ticket */
    krb5_principal client;              /* client name/realm, optional */
    krb5_principal server;              /* server name/realm, optional */
    krb5_flags flags;			/* ticket flags, optional */
    krb5_ticket_times times;		/* auth, start, end, renew_till, */
                                        /* optional */
    krb5_address **caddrs;		/* array of ptrs to addresses */
} krb5_cred_info;

/* Decrypted contents of a KRB_CRED message.  ticket_info is an array of
   pointers to krb5_cred_info; its termination convention is not shown
   in this header. */
typedef struct _krb5_cred_enc_part {
    krb5_magic magic;
    krb5_int32 nonce;                   /* nonce, optional */
    krb5_timestamp timestamp;           /* client time */
    krb5_int32 usec;                    /* microsecond portion of time */
    krb5_address *s_address;            /* sender address, optional */
    krb5_address *r_address;            /* recipient address, optional */
    krb5_cred_info **ticket_info;       /* per-ticket info, one per ticket */
} krb5_cred_enc_part;

/* KRB_CRED message: an array of tickets plus the encrypted part.
   NOTE(review): enc_part2 is documented as "if available" and so may be
   NULL until the message has been decrypted. */
typedef struct _krb5_cred {
    krb5_magic magic;
    krb5_ticket **tickets;		/* tickets */
    krb5_enc_data enc_part;		/* encrypted part */
    krb5_cred_enc_part *enc_part2; 	/* unencrypted version, if available
					   (may be NULL) */
} krb5_cred;

/* Sandia password generation structures: one generated password paired
   with the phrase it was derived from.  Both members are pointers whose
   ownership is not stated here. */
typedef struct _passwd_phrase_element {
    krb5_magic magic;
    krb5_data *passwd;			/* generated password */
    krb5_data *phrase;			/* corresponding phrase */
} passwd_phrase_element;

/* A set of generated password/phrase pairs.  NOTE(review): sequence_count
   is signed; presumably it is the number of entries in element -- confirm
   against the producer, and validate it is non-negative before indexing. */
typedef struct _krb5_pwd_data {
    krb5_magic magic;
    int sequence_count;			/* number of entries in element */
    passwd_phrase_element **element;	/* array of ptrs to elements */
} krb5_pwd_data;

/* these need to be here so the typedefs are available for the prototypes */
#include "safepriv.h"
#include "ccache.h"
#include "rcache.h"
#include "keytab.h"
#include "func-proto.h"
#include "k5-free.h"

/* The name of the Kerberos ticket granting service... and its size.
   KRB5_TGS_NAME_SIZE is the length of KRB5_TGS_NAME without the
   terminating NUL ("krbtgt" is six characters); the two must be kept
   in sync by hand, as nothing here ties them together. */
#define	KRB5_TGS_NAME		"krbtgt"
#define KRB5_TGS_NAME_SIZE	6

/* flags for recvauth -- distinct bit values, presumably meant to be
   OR-ed together into a single flags word */
#define KRB5_RECVAUTH_SKIP_VERSION	0x0001	/* skip the version exchange */
#define KRB5_RECVAUTH_BADAUTHVERS	0x0002	/* tolerate a bad auth version */

#include "adm_defs.h"

#endif /* KRB5_GENERAL__ */