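/*
 * $Id: krb.h,v 1.4 2005/01/10 19:13:36 snsimon Exp $
 *
 * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
 *
 * For copying and distribution information, please see the file
 * <mit-copyright.h>.
 *
 * Include file for the Kerberos library.
 *
 * This is the Kerberos version 4 (krb4) API: the principal, ticket
 * and credential structures, the single error-code namespace shared
 * by the KDC and the library, and the compile-time defaults (config
 * paths, ticket lifetime, clock skew, KDC retry policy) the library
 * falls back on.  Everything here is DES-based (see <des.h>); krb4
 * and single DES are deprecated (RFC 6649), so this header serves
 * compatibility with existing deployments rather than new designs.
 *
 * Review notes (no behaviour change intended):
 *   - CLOCK_SKEW and SAFE_PRIV_ERROR are now parenthesized so they
 *     compose correctly inside larger expressions (e.g. `x / CLOCK_SKEW`
 *     used to expand to `x / 5*60`).
 *   - KOPT_IGNORE_PROTOCOL is written with the same 8-digit width as
 *     its siblings; the value is unchanged.
 */

/*
 * Pre-ANSI compilers (no __STDC__, not MSVC) do not understand the
 * 'const' and 'signed' qualifiers; erase them so the prototypes below
 * still parse.  This sits outside the include guard on purpose: the
 * test is idempotent, and <ktypes.h> below may need the same treatment.
 */
#if !defined (__STDC__) && !defined(_MSC_VER)
#define const
#define signed
#endif

#include <ktypes.h>
#include <time.h>

#ifndef __KRB_H__
#define __KRB_H__

/* XXX */
/*
 * C++ linkage wrappers.  Only defined here when the platform headers
 * have not already supplied them.
 */
#ifndef __BEGIN_DECLS
#if defined(__cplusplus)
#define __BEGIN_DECLS extern "C" {
#define __END_DECLS };
#else
#define __BEGIN_DECLS
#define __END_DECLS
#endif
#endif

/*
 * __P(x) wraps a prototype's parameter list: kept verbatim for ANSI
 * and MSVC compilers, reduced to an empty "()" (old-style declaration,
 * no argument checking) for pre-ANSI ones.
 */
#if defined (__STDC__) || defined (_MSC_VER)
#ifndef __P
#define __P(x) x
#endif
#else
#ifndef __P
#define __P(x) ()
#endif
#endif

__BEGIN_DECLS

/* Need some defs from des.h */
/* des.h is asked for unprototyped declarations on pre-ANSI compilers. */
#if !defined(NOPROTO) && !defined(__STDC__)
#define NOPROTO
#endif
#include <des.h>

/* CNS compatibility ahead! */
/* Fixed-width integer aliases that other krb4 implementations expose. */
#ifndef KRB_INT32
#define KRB_INT32 int32_t
#endif
#ifndef KRB_UINT32
#define KRB_UINT32 u_int32_t
#endif

/* Global library variables. */

/*
 * Non-zero turns off IP address comparison.  Presumably this disables
 * the check of the address carried in a ticket (auth_dat.address)
 * against the peer, i.e. the check that otherwise yields RD_AP_BADD —
 * confirm in the rd_ap_req implementation.  Leaving it zero keeps the
 * ticket bound to the address it was issued for.
 */
extern int krb_ignore_ip_address; /* To turn off IP address comparison */
extern int krb_no_long_lifetimes; /* To disable AFS compatible lifetimes */
extern int krbONE;
/*
 * Reads the lowest-addressed byte of the int krbONE (accessing an int
 * through a char pointer is permitted by the aliasing rules).
 * Presumably krbONE is defined as 1 in the library, which makes this
 * 1 on little-endian and 0 on big-endian hosts — confirm against the
 * definition.
 */
#define HOST_BYTE_ORDER (* (char *) &krbONE)
/* Debug variables */
extern int krb_debug;
extern int krb_ap_req_debug;
extern int krb_dns_debug;


/* Text describing error codes */
/*
 * krb_err_txt[] is indexed by the error codes defined further down;
 * they all share one numeric space, and KFAILURE (255) is the largest
 * index, which is why the table holds MAX_KRB_ERRORS entries.
 */
#define MAX_KRB_ERRORS 256
extern const char *krb_err_txt[MAX_KRB_ERRORS];

/* General definitions */
#define KSUCCESS 0
#define KFAILURE 255

/*
 * Kerberos specific definitions
 *
 * KRBLOG is the log file for the kerberos master server. KRB_CONF is
 * the configuration file where different host machines running master
 * and slave servers can be found. KRB_MASTER is the name of the
 * machine with the master database. The admin_server runs on this
 * machine, and all changes to the db (as opposed to read-only
 * requests, which can go to slaves) must go to it. KRB_HOST is the
 * default machine * when looking for a kerberos slave server. Other
 * possibilities are * in the KRB_CONF file. KRB_REALM is the name of
 * the realm.
 *
 * (KRBLOG and KRB_HOST are described above but not defined in this
 * header; only the macros below are.)
 */

/* /etc/kerberosIV is only for backwards compatibility, don't use it! */
/*
 * Each path may be overridden at compile time.  The *_FILES lists are
 * NULL-terminated initializers, searched in order: the modern path
 * first, the legacy /etc/kerberosIV path second.
 */
#ifndef KRB_CONF
#define KRB_CONF "/etc/krb.conf"
#endif
#ifndef KRB_RLM_TRANS
#define KRB_RLM_TRANS "/etc/krb.realms"
#endif
#ifndef KRB_CNF_FILES
#define KRB_CNF_FILES { KRB_CONF, "/etc/kerberosIV/krb.conf", 0}
#endif
#ifndef KRB_RLM_FILES
#define KRB_RLM_FILES { KRB_RLM_TRANS, "/etc/kerberosIV/krb.realms", 0}
#endif
#ifndef KRB_EQUIV
#define KRB_EQUIV "/etc/krb.equiv"
#endif
#define KRB_MASTER "kerberos"
/* Default realm is resolved at run time unless fixed at compile time. */
#ifndef KRB_REALM
#define KRB_REALM (krb_get_default_realm())
#endif

/* The maximum sizes for aname, realm, sname, and instance +1 */
/* Each *_SZ is a buffer size, so it includes the terminating NUL. */
#define ANAME_SZ 40
#define REALM_SZ 40
#define SNAME_SZ 40
#define INST_SZ 40
/* Leave space for quoting */
/* Worst case for "name.instance@realm" with every character escaped. */
#define MAX_K_NAME_SZ (2*ANAME_SZ + 2*INST_SZ + 2*REALM_SZ - 3)
#define KKEY_SZ 100
#define VERSION_SZ 1
#define MSG_TYPE_SZ 1
#define DATE_SZ 26 /* RTI date output */

#define MAX_HSTNM 100 /* for compatibility */

/* A parsed Kerberos 4 principal: name.instance@realm, each NUL-terminated. */
typedef struct krb_principal {
    char name[ANAME_SZ];
    char instance[INST_SZ];
    char realm[REALM_SZ];
} krb_principal;

#ifndef DEFAULT_TKT_LIFE /* allow compile-time override */
/* default lifetime for krb_mk_req & co., 10 hrs */
/* Encoded lifetime unit, not seconds; 141 maps to ~10 hours (see krb_no_long_lifetimes). */
#define DEFAULT_TKT_LIFE 141
#endif

/* Service name of the ticket-granting service. */
#define KRB_TICKET_GRANTING_TICKET "krbtgt"

/* Definition of text structure used to pass text around */
#define MAX_KTXT_LEN 1250

/*
 * Fixed-capacity byte buffer used for tickets, authenticators and
 * replies.  Only the first `length` bytes of dat[] are meaningful.
 */
struct ktext {
    unsigned int length;             /* Length of the text */
    unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
    u_int32_t mbz;                   /* zero to catch runaway strings:
                                      * sits directly after dat[], so a
                                      * write past MAX_KTXT_LEN lands
                                      * here and is detectable */
};

typedef struct ktext *KTEXT;
typedef struct ktext KTEXT_ST;


/* Definitions for send_to_kdc */
#define CLIENT_KRB_TIMEOUT 4 /* default time between retries */
#define CLIENT_KRB_RETRY 5 /* retry this many times */
#define CLIENT_KRB_BUFLEN 512 /* max unfragmented packet */

/* Definitions for ticket file utilities */
#define R_TKT_FIL 0
#define W_TKT_FIL 1

/* Parameters for rd_ap_req */
/* Maximum alloable clock skew in seconds */
/*
 * Parenthesized so it composes inside expressions; a larger window
 * widens the interval in which a captured authenticator is replayable.
 */
#define CLOCK_SKEW (5*60)
/* Filename for readservkey */
#ifndef KEYFILE
#define KEYFILE (krb_get_default_keyfile())
#endif

/* Structure definition for rd_ap_req */

/*
 * Authenticated client identity and session state produced by
 * rd_ap_req.  Name fields are NUL-terminated and sized by the *_SZ
 * macros above.
 */
struct auth_dat {
    unsigned char k_flags;  /* Flags from ticket */
    char pname[ANAME_SZ];   /* Principal's name */
    char pinst[INST_SZ];    /* His Instance */
    char prealm[REALM_SZ];  /* His Realm */
    u_int32_t checksum;     /* Data checksum (opt) */
    des_cblock session;     /* Session Key */
    int life;               /* Life of ticket */
    u_int32_t time_sec;     /* Time ticket issued */
    u_int32_t address;      /* Address in ticket */
    KTEXT_ST reply;         /* Auth reply (opt) */
};

typedef struct auth_dat AUTH_DAT;

/* Structure definition for credentials returned by get_cred */

/*
 * One cached credential: the service it is for, the session key and
 * the ticket itself.  `session` is key material — callers that copy
 * this struct own a copy of the key.
 */
struct credentials {
    char service[ANAME_SZ]; /* Service name */
    char instance[INST_SZ]; /* Instance */
    char realm[REALM_SZ];   /* Auth domain */
    des_cblock session;     /* Session key */
    int lifetime;           /* Lifetime */
    int kvno;               /* Key version number */
    KTEXT_ST ticket_st;     /* The ticket itself */
    int32_t issue_date;     /* The issue time */
    char pname[ANAME_SZ];   /* Principal's name */
    char pinst[INST_SZ];    /* Principal's instance */
};

typedef struct credentials CREDENTIALS;

/* Structure definition for rd_private_msg and rd_safe_msg */

/*
 * Result of unwrapping a KRB_PRIV / KRB_SAFE message: a pointer into
 * the caller's buffer (app_data is not a copy) plus the replay-check
 * inputs (hash, timestamp).
 */
struct msg_dat {
    unsigned char *app_data; /* pointer to appl data */
    u_int32_t app_length;    /* length of appl data */
    u_int32_t hash;          /* hash to lookup replay */
    int swap;                /* swap bytes? */
    int32_t time_sec;        /* msg timestamp seconds */
    unsigned char time_5ms;  /* msg timestamp 5ms units */
};

typedef struct msg_dat MSG_DAT;

/* One KDC endpoint for a realm, as read from the configuration. */
struct krb_host {
    char *realm;
    char *host;
    enum krb_host_proto { PROTO_UDP, PROTO_TCP, PROTO_HTTP } proto;
    int port;
    int admin;  /* non-zero: this host is the admin (master) server */
};

/* Location of ticket file for save_cred and get_cred */
#define TKT_FILE tkt_string()
#ifndef TKT_ROOT
#define TKT_ROOT (krb_get_default_tkt_root())
#endif

/* Error codes returned from the KDC */
#define KDC_OK 0 /* Request OK */
#define KDC_NAME_EXP 1 /* Principal expired */
#define KDC_SERVICE_EXP 2 /* Service expired */
#define KDC_AUTH_EXP 3 /* Auth expired */
#define KDC_PKT_VER 4 /* Protocol version unknown */
#define KDC_P_MKEY_VER 5 /* Wrong master key version */
#define KDC_S_MKEY_VER 6 /* Wrong master key version */
#define KDC_BYTE_ORDER 7 /* Byte order unknown */
#define KDC_PR_UNKNOWN 8 /* Principal unknown */
#define KDC_PR_N_UNIQUE 9 /* Principal not unique */
#define KDC_NULL_KEY 10 /* Principal has null key */
#define KDC_GEN_ERR 20 /* Generic error from KDC */


/* Values returned by get_credentials */
/* GC_* and RET_* are two names for the same codes. */
#define GC_OK 0 /* Retrieve OK */
#define RET_OK 0 /* Retrieve OK */
#define GC_TKFIL 21 /* Can't read ticket file */
#define RET_TKFIL 21 /* Can't read ticket file */
#define GC_NOTKT 22 /* Can't find ticket or TGT */
#define RET_NOTKT 22 /* Can't find ticket or TGT */


/* Values returned by mk_ap_req */
#define MK_AP_OK 0 /* Success */
#define MK_AP_TGTEXP 26 /* TGT Expired */

/* Values returned by rd_ap_req */
#define RD_AP_OK 0 /* Request authentic */
#define RD_AP_UNDEC 31 /* Can't decode authenticator */
#define RD_AP_EXP 32 /* Ticket expired */
#define RD_AP_NYV 33 /* Ticket not yet valid */
#define RD_AP_REPEAT 34 /* Repeated request */
#define RD_AP_NOT_US 35 /* The ticket isn't for us */
#define RD_AP_INCON 36 /* Request is inconsistent */
#define RD_AP_TIME 37 /* delta_t too big */
#define RD_AP_BADD 38 /* Incorrect net address */
#define RD_AP_VERSION 39 /* protocol version mismatch */
#define RD_AP_MSG_TYPE 40 /* invalid msg type */
#define RD_AP_MODIFIED 41 /* message stream modified */
#define RD_AP_ORDER 42 /* message out of order */
#define RD_AP_UNAUTHOR 43 /* unauthorized request */

/* Values returned by get_pw_tkt */
#define GT_PW_OK 0 /* Got password changing tkt */
#define GT_PW_NULL 51 /* Current PW is null */
#define GT_PW_BADPW 52 /* Incorrect current password */
#define GT_PW_PROT 53 /* Protocol Error */
#define GT_PW_KDCERR 54 /* Error returned by KDC */
#define GT_PW_NULLTKT 55 /* Null tkt returned by KDC */


/* Values returned by send_to_kdc */
#define SKDC_OK 0 /* Response received */
#define SKDC_RETRY 56 /* Retry count exceeded */
#define SKDC_CANT 57 /* Can't send request */

/*
 * Values returned by get_intkt
 * (can also return SKDC_* and KDC errors)
 */

#define INTK_OK 0 /* Ticket obtained */
#define INTK_W_NOTALL 61 /* Not ALL tickets returned */
#define INTK_BADPW 62 /* Incorrect password */
#define INTK_PROT 63 /* Protocol Error */
#define INTK_ERR 70 /* Other error */

/* Values returned by get_adtkt */
#define AD_OK 0 /* Ticket Obtained */
#define AD_NOTGT 71 /* Don't have tgt */
#define AD_INTR_RLM_NOTGT 72 /* Can't get inter-realm tgt */

/* Error codes returned by ticket file utilities */
#define NO_TKT_FIL 76 /* No ticket file found */
#define TKT_FIL_ACC 77 /* Couldn't access tkt file */
#define TKT_FIL_LCK 78 /* Couldn't lock ticket file */
#define TKT_FIL_FMT 79 /* Bad ticket file format */
#define TKT_FIL_INI 80 /* tf_init not called first */

/* Error code returned by kparse_name */
#define KNAME_FMT 81 /* Bad Kerberos name format */

/* Error code returned by krb_mk_safe */
/* Negative, so it cannot collide with the krb_err_txt[] index space. */
#define SAFE_PRIV_ERROR (-1) /* syscall error */

/* Defines for krb_sendauth and krb_recvauth */
/* Bit flags; combine with bitwise OR. */

#define KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */
#define KOPT_DO_MUTUAL 0x00000002 /* do mutual auth */

#define KOPT_DONT_CANON 0x00000004 /*
                                    * don't canonicalize inst as
                                    * a hostname
                                    */

/* Undocumented in the original header; presumably skips the protocol
 * version exchange — confirm in krb_sendauth/krb_recvauth. */
#define KOPT_IGNORE_PROTOCOL 0x00000008

#define KRB_SENDAUTH_VLEN 8 /* length for version strings */


/* flags for krb_verify_user() */
/*
 * Presumably: NOT_SECURE checks the password against the KDC only;
 * SECURE additionally validates the obtained TGT against the local
 * service key (KEYFILE) when one is available, and SECURE_FAIL makes
 * the absence of that key an error — confirm in krb_verify_user.
 * Without the local-key check, a response forged by something posing
 * as the KDC is indistinguishable from a genuine one.
 */
#define KRB_VERIFY_NOT_SECURE 0
#define KRB_VERIFY_SECURE 1
#define KRB_VERIFY_SECURE_FAIL 2

extern char *krb4_version;

/*
 * Callback that derives a DES key for name.instance@realm from
 * `password`, writing it to *key and returning a krb4 error code.
 * `instance` may be rewritten by the callback (INOUT).
 */
typedef int (*key_proc_t) __P((const char *name,
                               char *instance, /* INOUT parameter */
                               const char *realm,
                               const void *password,
                               des_cblock *key));

/*
 * Callback that decrypts a KDC reply for name.instance@realm using
 * the supplied key_proc_t and opaque `arg`; the KTEXT * receives the
 * result.  Returns a krb4 error code.
 */
typedef int (*decrypt_proc_t) __P((const char *name,
                                   const char *instance,
                                   const char *realm,
                                   const void *arg,
                                   key_proc_t,
                                   KTEXT *));

#include "krb-protos.h"

__END_DECLS

#endif /* __KRB_H__ */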