1/*
2 * $Id: krb.h,v 1.4 2005/01/10 19:13:36 snsimon Exp $
3 *
4 * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
5 *
6 * For copying and distribution information, please see the file
7 * <mit-copyright.h>.
8 *
9 * Include file for the Kerberos library.
10 */
11
/*
 * Pre-ANSI compilers (no __STDC__, and not MSVC) do not know the `const`
 * and `signed` keywords; define them away so the declarations below still
 * parse there.  On any conforming compiler this block is skipped entirely.
 */
#if !defined (__STDC__) && !defined(_MSC_VER)
#define const
#define signed
#endif
16
17#include <ktypes.h>
18#include <time.h>
19
20#ifndef __KRB_H__
21#define __KRB_H__
22
/*
 * C++ linkage wrappers, supplied only when the system headers (e.g. a BSD
 * or glibc <sys/cdefs.h>) have not already defined them.  Every declaration
 * between __BEGIN_DECLS and __END_DECLS gets C linkage when compiled as C++.
 * NOTE(review): the ';' after the closing brace in the C++ __END_DECLS is
 * superfluous and may draw a pedantic warning; harmless otherwise.
 */
#ifndef __BEGIN_DECLS
#if defined(__cplusplus)
#define	__BEGIN_DECLS	extern "C" {
#define	__END_DECLS	};
#else
#define	__BEGIN_DECLS
#define	__END_DECLS
#endif
#endif
33
/*
 * __P(x) wraps a prototype parameter list: on ANSI/MSVC compilers it
 * expands to the list itself, on K&R compilers to an empty `()`.  It is
 * used by the function-pointer typedefs at the end of this file.
 */
#if defined (__STDC__) || defined (_MSC_VER)
#ifndef __P
#define __P(x) x
#endif
#else
#ifndef __P
#define __P(x) ()
#endif
#endif
43
44__BEGIN_DECLS
45
46/* Need some defs from des.h	 */
47#if !defined(NOPROTO) && !defined(__STDC__)
48#define NOPROTO
49#endif
50#include <des.h>
51
/*
 * CNS compatibility ahead!  The CNS Kerberos distribution spells the
 * fixed-width integer types KRB_INT32/KRB_UINT32; map them onto the
 * int32_t/u_int32_t names (expected to come from <ktypes.h>) unless the
 * including code has already defined them.
 */
#ifndef KRB_INT32
#define KRB_INT32 int32_t
#endif
#ifndef KRB_UINT32
#define KRB_UINT32 u_int32_t
#endif
59
/* Global library variables. */
extern int krb_ignore_ip_address; /* To turn off IP address comparison.
				   * Non-zero presumably disables the check
				   * of the address carried in a ticket
				   * (see auth_dat.address) against the
				   * peer.  That check is part of the
				   * protection against tickets being used
				   * from another host, so leave it enabled
				   * unless NAT makes it unworkable. */
extern int krb_no_long_lifetimes; /* To disable AFS compatible lifetimes */
extern int krbONE;
/*
 * Run-time endianness probe: reads the first byte of krbONE, so it yields
 * 1 on a little-endian host and 0 on a big-endian one, assuming the
 * library defines krbONE as 1 (its definition is not in this header).
 * Inspecting an int through a char pointer is permitted aliasing.
 */
#define         HOST_BYTE_ORDER (* (char *) &krbONE)
/* Debug variables (non-zero presumably enables diagnostics in that area) */
extern int krb_debug;
extern int krb_ap_req_debug;
extern int krb_dns_debug;
69
70
/*
 * Text describing error codes.  krb_err_txt is meant to be indexed by the
 * numeric error codes defined below; any value used as an index must first
 * be checked to lie in [0, MAX_KRB_ERRORS), since SAFE_PRIV_ERROR is
 * negative and codes may come from the network.
 */
#define		MAX_KRB_ERRORS	256
extern const char *krb_err_txt[MAX_KRB_ERRORS];

/*
 * General definitions.  KFAILURE is the largest representable code
 * (MAX_KRB_ERRORS - 1); every other non-zero code is a specific failure.
 */
#define		KSUCCESS	0
#define		KFAILURE	255
78
/*
 * Kerberos specific definitions
 *
 * KRBLOG is the log file for the kerberos master server. KRB_CONF is
 * the configuration file where different host machines running master
 * and slave servers can be found. KRB_MASTER is the name of the
 * machine with the master database.  The admin_server runs on this
 * machine, and all changes to the db (as opposed to read-only
 * requests, which can go to slaves) must go to it. KRB_HOST is the
 * default machine when looking for a kerberos slave server.  Other
 * possibilities are in the KRB_CONF file. KRB_REALM is the name of
 * the realm.
 *
 * NOTE(review): KRBLOG and KRB_HOST are described above but are not
 * defined anywhere in this header.  KRB_REALM (like KEYFILE and TKT_ROOT
 * further down) expands to a library call, not a constant, so it cannot
 * be used where a compile-time constant or string literal is required.
 */

/* /etc/kerberosIV is only for backwards compatibility, don't use it! */
/* Each path below may be overridden by defining it before this header. */
#ifndef KRB_CONF
#define KRB_CONF	"/etc/krb.conf"
#endif
#ifndef KRB_RLM_TRANS
#define KRB_RLM_TRANS   "/etc/krb.realms"	/* realm translation table (presumably host/domain -> realm) */
#endif
/* Search lists tried in order; the trailing 0 is the null-pointer terminator. */
#ifndef KRB_CNF_FILES
#define KRB_CNF_FILES	{ KRB_CONF,   "/etc/kerberosIV/krb.conf", 0}
#endif
#ifndef KRB_RLM_FILES
#define KRB_RLM_FILES	{ KRB_RLM_TRANS, "/etc/kerberosIV/krb.realms", 0}
#endif
#ifndef KRB_EQUIV
#define KRB_EQUIV	"/etc/krb.equiv"	/* equivalence file; its semantics are the library's, not defined here */
#endif
#define KRB_MASTER	"kerberos"		/* default master hostname; not overridable */
#ifndef KRB_REALM
#define KRB_REALM	(krb_get_default_realm())
#endif
113
/*
 * The maximum sizes for aname, realm, sname, and instance +1, i.e. each
 * value includes room for the terminating NUL.  The structs below declare
 * their string fields with these sizes; every copy into such a field must
 * be bounded by the matching constant.
 */
#define 	ANAME_SZ	40
#define		REALM_SZ	40
#define		SNAME_SZ	40
#define		INST_SZ		40
/*
 * Leave space for quoting: a fully quoted name.instance@realm may need up
 * to twice each component.  Evaluates to 237; the -3 presumably accounts
 * for the per-component terminators that become separators.
 */
#define		MAX_K_NAME_SZ	(2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3)
#define		KKEY_SZ		100
#define		VERSION_SZ	1
#define		MSG_TYPE_SZ	1
#define		DATE_SZ		26	/* RTI date output */

#define MAX_HSTNM 100 /* for compatibility */
127
/*
 * A parsed Kerberos 4 principal, name.instance@realm.  Each component is
 * a NUL-terminated string bounded by the corresponding *_SZ constant.
 */
typedef struct krb_principal{
    char name[ANAME_SZ];	/* primary name */
    char instance[INST_SZ];	/* instance */
    char realm[REALM_SZ];	/* realm */
}krb_principal;
133
#ifndef DEFAULT_TKT_LIFE	/* allow compile-time override */
/*
 * Default lifetime for krb_mk_req & co., 10 hrs.  The value is in the
 * library's encoded lifetime units, not seconds (141 != 36000); see also
 * krb_no_long_lifetimes above.
 */
#define	DEFAULT_TKT_LIFE 141
#endif

/* Service name component of the ticket-granting service's principal */
#define		KRB_TICKET_GRANTING_TICKET	"krbtgt"
140
/* Definition of text structure used to pass text around */
#define		MAX_KTXT_LEN	1250

/*
 * Fixed-capacity byte buffer used for tickets and protocol messages (see
 * credentials.ticket_st and auth_dat.reply).  Only the first `length`
 * bytes of `dat` are valid.  Code that fills a ktext from the network
 * must reject length > MAX_KTXT_LEN before reading or copying dat.
 */
struct ktext {
    unsigned int length;		/* Length of the text: bytes of dat in use */
    unsigned char dat[MAX_KTXT_LEN];	/* The data itself */
    u_int32_t mbz;		/* zero to catch runaway strings: a guard
				 * word after dat that must stay 0 */
};

typedef struct ktext *KTEXT;	/* pointer to a ktext */
typedef struct ktext KTEXT_ST;	/* the struct itself, for embedding */
152
153
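/*
 * Definitions for send_to_kdc: retry policy for KDC exchanges.  With these
 * defaults a request is retried CLIENT_KRB_RETRY times, CLIENT_KRB_TIMEOUT
 * seconds apart, before SKDC_RETRY is reported.
 */
#define	CLIENT_KRB_TIMEOUT	4	/* default time between retries */
#define CLIENT_KRB_RETRY	5	/* retry this many times */
#define	CLIENT_KRB_BUFLEN	512	/* max unfragmented packet */

/* Definitions for ticket file utilities: open mode (R_ = read, W_ = write) */
#define	R_TKT_FIL	0
#define	W_TKT_FIL	1

/* Parameters for rd_ap_req */
/*
 * Maximum allowable clock skew in seconds.  Authenticators whose
 * timestamp is further than this from local time are rejected
 * (RD_AP_TIME); inside the window, replay detection has to catch reuse.
 * Parenthesized so that expressions such as `x / CLOCK_SKEW` or
 * `x % CLOCK_SKEW` evaluate as intended rather than as `x / 5 * 60`.
 */
#define 	CLOCK_SKEW	(5*60)
/* Filename for readservkey; a library call unless overridden at compile time */
#ifndef		KEYFILE
#define		KEYFILE		(krb_get_default_keyfile())
#endif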
170
/* Structure definition for rd_ap_req */

/*
 * Client identity and ticket contents as decoded by rd_ap_req.  The
 * string fields are NUL-terminated within their *_SZ buffers.
 */
struct auth_dat {
    unsigned char k_flags;	/* Flags from ticket */
    char    pname[ANAME_SZ];	/* Principal's name */
    char    pinst[INST_SZ];	/* His Instance */
    char    prealm[REALM_SZ];	/* His Realm */
    u_int32_t checksum;		/* Data checksum (opt) */
    des_cblock session;		/* Session Key (single DES) */
    int     life;		/* Life of ticket */
    u_int32_t time_sec;		/* Time ticket issued */
    u_int32_t address;		/* Address in ticket (32-bit, IPv4-sized);
				 * presumably what krb_ignore_ip_address
				 * stops being compared to the peer */
    KTEXT_ST reply;		/* Auth reply (opt) */
};

typedef struct auth_dat AUTH_DAT;
187
/* Structure definition for credentials returned by get_cred */

/*
 * One cached credential: the service principal it is for, the session
 * key and ticket, and the client principal it was issued to.  Because it
 * embeds a KTEXT_ST it is larger than MAX_KTXT_LEN bytes; avoid putting
 * many on the stack.
 */
struct credentials {
    char    service[ANAME_SZ];	/* Service name */
    char    instance[INST_SZ];	/* Instance */
    char    realm[REALM_SZ];	/* Auth domain */
    des_cblock session;		/* Session key (single DES) */
    int     lifetime;		/* Lifetime */
    int     kvno;		/* Key version number */
    KTEXT_ST ticket_st;		/* The ticket itself */
    int32_t    issue_date;	/* The issue time (signed 32-bit; if this is
				 * seconds since the epoch it wraps in 2038) */
    char    pname[ANAME_SZ];	/* Principal's name */
    char    pinst[INST_SZ];	/* Principal's instance */
};

typedef struct credentials CREDENTIALS;
204
/* Structure definition for rd_private_msg and rd_safe_msg */

/*
 * Result of decoding a private (encrypted) or safe (integrity-protected)
 * application message.  app_data is a pointer, not a copy: presumably it
 * points into the caller's message buffer and is valid only while that
 * buffer is — confirm against the implementation before retaining it.
 */
struct msg_dat {
    unsigned char *app_data;	/* pointer to appl data */
    u_int32_t app_length;	/* length of appl data (bytes at app_data) */
    u_int32_t hash;		/* hash to lookup replay */
    int     swap;		/* swap bytes? (sender used the other byte order) */
    int32_t    time_sec;		/* msg timestamp seconds */
    unsigned char time_5ms;	/* msg timestamp 5ms units */
};

typedef struct msg_dat MSG_DAT;
217
/*
 * One Kerberos server entry, presumably as read from the configuration
 * files above.  realm and host are plain pointers, so their ownership and
 * lifetime belong to whatever filled the struct — confirm before freeing.
 * The enum tag krb_host_proto is declared inside the struct but, as for
 * any C enum, it and PROTO_UDP/PROTO_TCP/PROTO_HTTP (0, 1, 2) are visible
 * at file scope.
 */
struct krb_host {
    char *realm;	/* realm served */
    char *host;		/* server host name */
    enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto;	/* transport */
    int port;		/* port number */
    int admin;		/* non-zero presumably marks an admin server */
};
225
/*
 * Location of ticket file for save_cred and get_cred.  Both expand to
 * library calls rather than constants, so they are evaluated at each use
 * and may not yield the same value across calls.
 */
#define TKT_FILE        tkt_string()
#ifndef TKT_ROOT
#define TKT_ROOT        (krb_get_default_tkt_root())
#endif
231
/*
 * Error codes returned from the KDC.  Numbering is sparse (10 is followed
 * by 20) and disjoint from the library's own codes below, presumably so
 * that all of them can share krb_err_txt.
 */
#define		KDC_OK		0	/* Request OK */
#define		KDC_NAME_EXP	1	/* Principal expired */
#define		KDC_SERVICE_EXP	2	/* Service expired */
#define		KDC_AUTH_EXP	3	/* Auth expired */
#define		KDC_PKT_VER	4	/* Protocol version unknown */
#define		KDC_P_MKEY_VER	5	/* Wrong master key version */
#define		KDC_S_MKEY_VER 	6	/* Wrong master key version */
#define		KDC_BYTE_ORDER	7	/* Byte order unknown */
#define		KDC_PR_UNKNOWN	8	/* Principal unknown */
#define		KDC_PR_N_UNIQUE 9	/* Principal not unique */
#define		KDC_NULL_KEY   10	/* Principal has null key */
#define		KDC_GEN_ERR    20	/* Generic error from KDC */
245
246
/*
 * Values returned by the library's own routines.  Each routine's codes
 * occupy a distinct, non-overlapping numeric range so callers can tell
 * them apart, and 0 always means success.  The GC_* and RET_* pairs are
 * the same values under two names.
 */

/* Values returned by get_credentials */
#define		GC_OK		0	/* Retrieve OK */
#define		RET_OK		0	/* Retrieve OK */
#define		GC_TKFIL       21	/* Can't read ticket file */
#define		RET_TKFIL      21	/* Can't read ticket file */
#define		GC_NOTKT       22	/* Can't find ticket or TGT */
#define		RET_NOTKT      22	/* Can't find ticket or TGT */


/* Values returned by mk_ap_req	 */
#define		MK_AP_OK	0	/* Success */
#define		MK_AP_TGTEXP   26	/* TGT Expired */

/*
 * Values returned by rd_ap_req.  Anything other than RD_AP_OK means the
 * request must not be treated as authenticated.
 */
#define		RD_AP_OK	0	/* Request authentic */
#define		RD_AP_UNDEC    31	/* Can't decode authenticator */
#define		RD_AP_EXP      32	/* Ticket expired */
#define		RD_AP_NYV      33	/* Ticket not yet valid */
#define		RD_AP_REPEAT   34	/* Repeated request (replay detected) */
#define		RD_AP_NOT_US   35	/* The ticket isn't for us */
#define		RD_AP_INCON    36	/* Request is inconsistent */
#define		RD_AP_TIME     37	/* delta_t too big (exceeds CLOCK_SKEW) */
#define		RD_AP_BADD     38	/* Incorrect net address */
#define		RD_AP_VERSION  39	/* protocol version mismatch */
#define		RD_AP_MSG_TYPE 40	/* invalid msg type */
#define		RD_AP_MODIFIED 41	/* message stream modified */
#define		RD_AP_ORDER    42	/* message out of order */
#define		RD_AP_UNAUTHOR 43	/* unauthorized request */

/* Values returned by get_pw_tkt */
#define		GT_PW_OK	0	/* Got password changing tkt */
#define		GT_PW_NULL     51	/* Current PW is null */
#define		GT_PW_BADPW    52	/* Incorrect current password */
#define		GT_PW_PROT     53	/* Protocol Error */
#define		GT_PW_KDCERR   54	/* Error returned by KDC */
#define		GT_PW_NULLTKT  55	/* Null tkt returned by KDC */


/* Values returned by send_to_kdc */
#define		SKDC_OK		0	/* Response received */
#define		SKDC_RETRY     56	/* Retry count exceeded (see CLIENT_KRB_RETRY) */
#define		SKDC_CANT      57	/* Can't send request */

/*
 * Values returned by get_intkt
 * (can also return SKDC_* and KDC errors)
 */

#define		INTK_OK		0	/* Ticket obtained */
#define		INTK_W_NOTALL  61	/* Not ALL tickets returned */
#define		INTK_BADPW     62	/* Incorrect password */
#define		INTK_PROT      63	/* Protocol Error */
#define		INTK_ERR       70	/* Other error */

/* Values returned by get_adtkt */
#define         AD_OK           0	/* Ticket Obtained */
#define         AD_NOTGT       71	/* Don't have tgt */
#define         AD_INTR_RLM_NOTGT 72	/* Can't get inter-realm tgt */
305
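/* Error codes returned by ticket file utilities */
#define		NO_TKT_FIL	76	/* No ticket file found */
#define		TKT_FIL_ACC	77	/* Couldn't access tkt file */
#define		TKT_FIL_LCK	78	/* Couldn't lock ticket file */
#define		TKT_FIL_FMT	79	/* Bad ticket file format */
#define		TKT_FIL_INI	80	/* tf_init not called first */

/* Error code returned by kparse_name */
#define		KNAME_FMT	81	/* Bad Kerberos name format */

/*
 * Error code returned by krb_mk_safe.  This is the only negative code in
 * this header, so it is not a valid index into krb_err_txt.  Parenthesized
 * so that `-SAFE_PRIV_ERROR` and similar expressions stay well-formed.
 */
#define		SAFE_PRIV_ERROR	(-1)	/* syscall error */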
318
/* Defines for krb_sendauth and krb_recvauth */

/*
 * Option bits for krb_sendauth/krb_recvauth.  Each is a distinct bit, so
 * they can be combined with |.  KOPT_IGNORE_PROTOCOL is written with fewer
 * hex digits than its siblings but is the same kind of value (bit 3).
 */
#define	KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */
#define	KOPT_DO_MUTUAL   0x00000002 /* do mutual auth: without it only the
				     * client is authenticated, not the server */

#define	KOPT_DONT_CANON  0x00000004 /*
				     * don't canonicalize inst as
				     * a hostname
				     */

#define KOPT_IGNORE_PROTOCOL 0x0008

#define	KRB_SENDAUTH_VLEN 8	    /* length for version strings */
332
333
/*
 * flags for krb_verify_user().
 * NOTE(review): by the usual convention for this function, 0 skips
 * verifying the obtained TGT against the local service key, 1 verifies
 * when a key is available, and 2 fails if it cannot verify — confirm
 * against krb_verify_user.  Only the verifying modes protect a login
 * against an impostor KDC, so prefer KRB_VERIFY_SECURE_FAIL where a
 * service key exists.
 */
#define KRB_VERIFY_NOT_SECURE	0
#define KRB_VERIFY_SECURE	1
#define KRB_VERIFY_SECURE_FAIL	2

/* Library version string, defined by the library */
extern char *krb4_version;
340
/*
 * Callback that produces the DES key for the named principal from
 * `password` (an opaque pointer whose meaning is the callback's).
 * `instance` is INOUT: the callback may rewrite it in place, so the caller
 * must pass a writable buffer, presumably of at least INST_SZ bytes.
 * Returns an int status; the convention (KSUCCESS on success?) should be
 * confirmed against the callers in the library.
 */
typedef int (*key_proc_t) __P((const char *name,
			       char *instance, /* INOUT parameter */
			       const char *realm,
			       const void *password,
			       des_cblock *key));
346
/*
 * Callback that decrypts a KDC reply for the named principal.  `arg` is
 * opaque data passed through from the caller, the key_proc_t obtains the
 * key, and the KTEXT * is the reply text (presumably decrypted in place).
 * Return convention presumably matches key_proc_t — confirm.
 */
typedef int (*decrypt_proc_t) __P((const char *name,
				   const char *instance,
				   const char *realm,
				   const void *arg,
				   key_proc_t,
				   KTEXT *));
353
354#include "krb-protos.h"
355
356__END_DECLS
357
358#endif /* __KRB_H__ */
359