1/*	$NetBSD: krb5_locl.h,v 1.3 2019/12/15 22:50:50 christos Exp $	*/
2
3/*
4 * Copyright (c) 1997-2016 Kungliga Tekniska H��gskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * 1. Redistributions of source code must retain the above copyright
15 *    notice, this list of conditions and the following disclaimer.
16 *
17 * 2. Redistributions in binary form must reproduce the above copyright
18 *    notice, this list of conditions and the following disclaimer in the
19 *    documentation and/or other materials provided with the distribution.
20 *
21 * 3. Neither the name of the Institute nor the names of its contributors
22 *    may be used to endorse or promote products derived from this software
23 *    without specific prior written permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 */
37
38/* Id */
39
40#ifndef __KRB5_LOCL_H__
41#define __KRB5_LOCL_H__
42
43#include <config.h>
44#include <krb5/roken.h>
45
46#include <ctype.h>
47
48#ifdef HAVE_POLL_H
49#include <sys/poll.h>
50#endif
51
52#include <krb5/krb5-types.h>
53
54#ifdef HAVE_SYS_TYPES_H
55#include <sys/types.h>
56#endif
57#ifdef HAVE_SYS_MMAN_H
58#include <sys/mman.h>
59#endif
60
61#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
62#include <sys/ioctl.h>
63#endif
64#ifdef HAVE_PWD_H
65#undef _POSIX_PTHREAD_SEMANTICS
66/* This gets us the 5-arg getpwnam_r on Solaris 9.  */
67#define _POSIX_PTHREAD_SEMANTICS
68#include <pwd.h>
69#endif
70
71#ifdef HAVE_SYS_SELECT_H
72#include <sys/select.h>
73#endif
74#ifdef _AIX
75struct mbuf;
76#endif
77#ifdef HAVE_SYS_FILIO_H
78#include <sys/filio.h>
79#endif
80#ifdef HAVE_SYS_FILE_H
81#include <sys/file.h>
82#endif
83
84#include <krb5/com_err.h>
85
86#include <krb5/heimbase.h>
87
88#define HEIMDAL_TEXTDOMAIN "heimdal_krb5"
89
90#ifdef LIBINTL
91#include <libintl.h>
92#define N_(x,y) dgettext(HEIMDAL_TEXTDOMAIN, x)
93#else
94#define N_(x,y) (x)
95#define bindtextdomain(package, localedir)
96#endif
97
98
99#ifdef HAVE_CRYPT_H
100#undef des_encrypt
101#define des_encrypt wingless_pigs_mostly_fail_to_fly
102#include <crypt.h>
103#undef des_encrypt
104#endif
105
106#ifdef HAVE_DOOR_CREATE
107#include <door.h>
108#endif
109
110#include <krb5/parse_time.h>
111#include <krb5/base64.h>
112
113#include <krb5/wind.h>
114
115/*
116 * We use OpenSSL for EC, but to do this we need to disable cross-references
117 * between OpenSSL and hcrypto bn.h and such.  Source files that use OpenSSL EC
118 * must define HEIM_NO_CRYPTO_HDRS before including this file.
119 */
120#define HC_DEPRECATED_CRYPTO
121#ifndef HEIM_NO_CRYPTO_HDRS
122#include "crypto-headers.h"
123#endif
124
125
126#include <krb5/krb5_asn1.h>
127#include <krb5/pkinit_asn1.h>
128
129struct send_to_kdc;
130
131/* XXX glue for pkinit */
132struct hx509_certs_data;
133struct krb5_pk_identity;
134struct krb5_pk_cert;
135struct ContentInfo;
136struct AlgorithmIdentifier;
137typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
138struct krb5_dh_moduli;
139
140/* v4 glue */
141struct _krb5_krb_auth_data;
142
143#include <krb5/der.h>
144
145#include <krb5/krb5.h>
146#include <krb5/krb5_err.h>
147#include <krb5/asn1_err.h>
148#ifdef PKINIT
149#include <krb5/hx509.h>
150#endif
151
152#include "crypto.h"
153
154#include <krb5/krb5-private.h>
155
156#include "heim_threads.h"
157
158#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
159#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
160
161#ifndef __func__
162#define __func__ "unknown-function"
163#endif
164
165#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
166
167#ifndef PATH_SEP
168#define PATH_SEP ":"
169#endif
170
171/* should this be public? */
172#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
173#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
174
175
176#define MODULI_FILE SYSCONFDIR "/krb5.moduli"
177
178#ifndef O_BINARY
179#define O_BINARY 0
180#endif
181
182#ifndef O_CLOEXEC
183#define O_CLOEXEC 0
184#endif
185
186#ifndef SOCK_CLOEXEC
187#define SOCK_CLOEXEC 0
188#endif
189
190
191#define KRB5_BUFSIZ 2048
192
193typedef enum {
194    KRB5_INIT_CREDS_TRISTATE_UNSET = 0,
195    KRB5_INIT_CREDS_TRISTATE_TRUE,
196    KRB5_INIT_CREDS_TRISTATE_FALSE
197} krb5_get_init_creds_tristate;
198
199struct _krb5_get_init_creds_opt_private {
200    int refcount;
201    /* ENC_TIMESTAMP */
202    const char *password;
203    krb5_s2k_proc key_proc;
204    /* PA_PAC_REQUEST */
205    krb5_get_init_creds_tristate req_pac;
206    /* PKINIT */
207    krb5_pk_init_ctx pk_init_ctx;
208    krb5_get_init_creds_tristate addressless;
209    int flags;
210#define KRB5_INIT_CREDS_CANONICALIZE		1
211#define KRB5_INIT_CREDS_NO_C_CANON_CHECK	2
212#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK	4
213#define KRB5_INIT_CREDS_PKINIT_KX_VALID		32
214#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK    64
215    struct {
216        krb5_gic_process_last_req func;
217        void *ctx;
218    } lr;
219};
220
221typedef uint32_t krb5_enctype_set;
222
223typedef struct krb5_context_data {
224    krb5_enctype *etypes;
225    krb5_enctype *cfg_etypes;
226    krb5_enctype *etypes_des;/* deprecated */
227    krb5_enctype *as_etypes;
228    krb5_enctype *tgs_etypes;
229    krb5_enctype *permitted_enctypes;
230    char **default_realms;
231    time_t max_skew;
232    time_t kdc_timeout;
233    time_t host_timeout;
234    unsigned max_retries;
235    int32_t kdc_sec_offset;
236    int32_t kdc_usec_offset;
237    krb5_config_section *cf;
238    struct et_list *et_list;
239    struct krb5_log_facility *warn_dest;
240    struct krb5_log_facility *debug_dest;
241    const krb5_cc_ops **cc_ops;
242    int num_cc_ops;
243    const char *http_proxy;
244    const char *time_fmt;
245    krb5_boolean log_utc;
246    const char *default_keytab;
247    const char *default_keytab_modify;
248    krb5_boolean use_admin_kdc;
249    krb5_addresses *extra_addresses;
250    krb5_boolean scan_interfaces;	/* `ifconfig -a' */
251    krb5_boolean srv_lookup;		/* do SRV lookups */
252    krb5_boolean srv_try_txt;		/* try TXT records also */
253    int32_t fcache_vno;			/* create cache files w/ this
254                                           version */
255    int num_kt_types;			/* # of registered keytab types */
256    struct krb5_keytab_data *kt_types;  /* registered keytab types */
257    const char *date_fmt;
258    char *error_string;
259    krb5_error_code error_code;
260    krb5_addresses *ignore_addresses;
261    char *default_cc_name;
262    char *default_cc_name_env;
263    int default_cc_name_set;
264    HEIMDAL_MUTEX mutex;		/* protects error_string */
265    int large_msg_size;
266    int max_msg_size;
267    int tgs_negative_timeout;		/* timeout for TGS negative cache */
268    int flags;
269#define KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME	1
270#define KRB5_CTX_F_CHECK_PAC			2
271#define KRB5_CTX_F_HOMEDIR_ACCESS		4
272#define KRB5_CTX_F_SOCKETS_INITIALIZED          8
273#define KRB5_CTX_F_RD_REQ_IGNORE		16
274#define KRB5_CTX_F_FCACHE_STRICT_CHECKING	32
275    struct send_to_kdc *send_to_kdc;
276#ifdef PKINIT
277    hx509_context hx509ctx;
278#endif
279    unsigned int num_kdc_requests;
280    krb5_name_canon_rule name_canon_rules;
281} krb5_context_data;
282
283#ifndef KRB5_USE_PATH_TOKENS
284#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}"
285#define KRB5_DEFAULT_CCNAME_DIR "DIR:/tmp/krb5cc_%{uid}_dir/"
286#else
287#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
288#define KRB5_DEFAULT_CCNAME_DIR "DIR:%{TEMP}/krb5cc_%{uid}_dir/"
289#endif
290#define KRB5_DEFAULT_CCNAME_API "API:"
291#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
292#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"
293
294#define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH		1
295#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH		2
296#define EXTRACT_TICKET_MATCH_REALM			4
297#define EXTRACT_TICKET_AS_REQ				8
298#define EXTRACT_TICKET_TIMESYNC				16
299#define EXTRACT_TICKET_MATCH_ANON			32
300
301/*
302 * Configurable options
303 */
304
305#ifndef KRB5_DEFAULT_CCTYPE
306#ifdef __APPLE__
307#define KRB5_DEFAULT_CCTYPE (&krb5_acc_ops)
308#else
309#define KRB5_DEFAULT_CCTYPE (&krb5_fcc_ops)
310#endif
311#endif
312
313#ifndef KRB5_ADDRESSLESS_DEFAULT
314#define KRB5_ADDRESSLESS_DEFAULT TRUE
315#endif
316
317#ifndef KRB5_FORWARDABLE_DEFAULT
318#define KRB5_FORWARDABLE_DEFAULT TRUE
319#endif
320
321#ifndef KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME
322#define KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME "org.h5l.Kerberos.configuration-changed"
323#endif
324
325#ifndef KRB5_FALLBACK_DEFAULT
326#define KRB5_FALLBACK_DEFAULT TRUE
327#endif
328
329#ifndef KRB5_TKT_LIFETIME_DEFAULT
330# define KRB5_TKT_LIFETIME_DEFAULT        15778800  /* seconds */
331#endif
332
333#ifndef KRB5_TKT_RENEW_LIFETIME_DEFAULT
334# define KRB5_TKT_RENEW_LIFETIME_DEFAULT  15778800  /* seconds */
335#endif
336
337#ifdef PKINIT
338
339struct krb5_pk_identity {
340    hx509_verify_ctx verify_ctx;
341    hx509_certs certs;
342    hx509_cert cert;
343    hx509_certs anchors;
344    hx509_certs certpool;
345    hx509_revoke_ctx revokectx;
346    int flags;
347#define PKINIT_BTMM 1
348};
349
350enum krb5_pk_type {
351    PKINIT_WIN2K = 1,
352    PKINIT_27 = 2
353};
354
355enum keyex_enum { USE_RSA, USE_DH, USE_ECDH };
356
357struct krb5_pk_init_ctx_data {
358    struct krb5_pk_identity *id;
359    enum keyex_enum keyex;
360    union {
361	DH *dh;
362        void *eckey;
363    } u;
364    krb5_data *clientDHNonce;
365    struct krb5_dh_moduli **m;
366    hx509_peer_info peer;
367    enum krb5_pk_type type;
368    unsigned int require_binding:1;
369    unsigned int require_eku:1;
370    unsigned int require_krbtgt_otherName:1;
371    unsigned int require_hostname_match:1;
372    unsigned int trustedCertifiers:1;
373    unsigned int anonymous:1;
374};
375
376#endif /* PKINIT */
377
378#define ISTILDE(x) (x == '~')
379#ifdef _WIN32
380# define ISPATHSEP(x) (x == '/' || x =='\\')
381#else
382# define ISPATHSEP(x) (x == '/')
383#endif
384
385#endif /* __KRB5_LOCL_H__ */
386