/* $NetBSD: krb5_locl.h,v 1.3 2019/12/15 22:50:50 christos Exp $ */

/*
 * Copyright (c) 1997-2016 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
36 */ 37 38/* Id */ 39 40#ifndef __KRB5_LOCL_H__ 41#define __KRB5_LOCL_H__ 42 43#include <config.h> 44#include <krb5/roken.h> 45 46#include <ctype.h> 47 48#ifdef HAVE_POLL_H 49#include <sys/poll.h> 50#endif 51 52#include <krb5/krb5-types.h> 53 54#ifdef HAVE_SYS_TYPES_H 55#include <sys/types.h> 56#endif 57#ifdef HAVE_SYS_MMAN_H 58#include <sys/mman.h> 59#endif 60 61#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40 62#include <sys/ioctl.h> 63#endif 64#ifdef HAVE_PWD_H 65#undef _POSIX_PTHREAD_SEMANTICS 66/* This gets us the 5-arg getpwnam_r on Solaris 9. */ 67#define _POSIX_PTHREAD_SEMANTICS 68#include <pwd.h> 69#endif 70 71#ifdef HAVE_SYS_SELECT_H 72#include <sys/select.h> 73#endif 74#ifdef _AIX 75struct mbuf; 76#endif 77#ifdef HAVE_SYS_FILIO_H 78#include <sys/filio.h> 79#endif 80#ifdef HAVE_SYS_FILE_H 81#include <sys/file.h> 82#endif 83 84#include <krb5/com_err.h> 85 86#include <krb5/heimbase.h> 87 88#define HEIMDAL_TEXTDOMAIN "heimdal_krb5" 89 90#ifdef LIBINTL 91#include <libintl.h> 92#define N_(x,y) dgettext(HEIMDAL_TEXTDOMAIN, x) 93#else 94#define N_(x,y) (x) 95#define bindtextdomain(package, localedir) 96#endif 97 98 99#ifdef HAVE_CRYPT_H 100#undef des_encrypt 101#define des_encrypt wingless_pigs_mostly_fail_to_fly 102#include <crypt.h> 103#undef des_encrypt 104#endif 105 106#ifdef HAVE_DOOR_CREATE 107#include <door.h> 108#endif 109 110#include <krb5/parse_time.h> 111#include <krb5/base64.h> 112 113#include <krb5/wind.h> 114 115/* 116 * We use OpenSSL for EC, but to do this we need to disable cross-references 117 * between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC 118 * must define HEIM_NO_CRYPTO_HDRS before including this file. 
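*/
#define HC_DEPRECATED_CRYPTO
#ifndef HEIM_NO_CRYPTO_HDRS
#include "crypto-headers.h"
#endif


#include <krb5/krb5_asn1.h>
#include <krb5/pkinit_asn1.h>

struct send_to_kdc;

/* XXX glue for pkinit */
struct hx509_certs_data;
struct krb5_pk_identity;
struct krb5_pk_cert;
struct ContentInfo;
struct AlgorithmIdentifier;
typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
struct krb5_dh_moduli;

/* v4 glue */
struct _krb5_krb_auth_data;

#include <krb5/der.h>

#include <krb5/krb5.h>
#include <krb5/krb5_err.h>
#include <krb5/asn1_err.h>
#ifdef PKINIT
#include <krb5/hx509.h>
#endif

#include "crypto.h"

#include <krb5/krb5-private.h>

#include "heim_threads.h"

/*
 * ALLOC(X, N): zero-allocate N objects of the type X points to and store
 * the result in X.  The macro does not check for failure; the caller must
 * test X for NULL.
 */
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))

/*
 * ALLOC_SEQ(X, N): allocate the `val' array of a { len, val } sequence.
 * On success (X)->len == N and (X)->val is non-NULL.  On allocation
 * failure (X)->val is NULL and (X)->len is reset to 0, so the sequence
 * never claims N elements it does not have: a cleanup routine that walks
 * `len' entries of `val' would otherwise dereference the NULL array on
 * the out-of-memory path.  Callers must still test (X)->val to detect the
 * failure.  N is evaluated twice; do not pass an expression with side
 * effects.
 */
#define ALLOC_SEQ(X, N) do {					\
	(X)->len = (N);						\
	ALLOC((X)->val, (N));					\
	if ((X)->val == NULL)					\
	    (X)->len = 0;					\
    } while(0)

/*
 * NOTE(review): in C99 and later __func__ is a predefined identifier, not
 * a macro, so `#ifndef __func__' is true on a conforming compiler unless
 * config.h (or roken.h) has defined __func__ as a macro.  If it has not,
 * this block shadows the real __func__ and every krb5_einval() below
 * reports "unknown-function".  Confirm that config.h defines it on the
 * supported compilers before relying on the function name in errors.
 */
#ifndef __func__
#define __func__ "unknown-function"
#endif

/* Report an invalid argument `argnum' of the calling function. */
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))

#ifndef PATH_SEP
#define PATH_SEP ":"
#endif

/* should this be public?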
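*/
#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"


#define MODULI_FILE SYSCONFDIR "/krb5.moduli"

/*
 * Fallbacks for platforms that lack these flags.  Defining them to 0 lets
 * open()/socket() calls compile but silently drops close-on-exec there:
 * descriptors for keytabs, credential caches and KDC sockets are then
 * inherited by any child the application exec()s.  Code that needs the
 * guarantee on such a platform must set FD_CLOEXEC with fcntl() itself.
 */
#ifndef O_BINARY
#define O_BINARY 0
#endif

#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#endif

#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC 0
#endif


#define KRB5_BUFSIZ 2048

/*
 * Three-valued option.  UNSET is deliberately 0 so that a calloc()ed
 * options structure reads as "not configured" and the library default
 * applies.
 */
typedef enum {
    KRB5_INIT_CREDS_TRISTATE_UNSET = 0,
    KRB5_INIT_CREDS_TRISTATE_TRUE,
    KRB5_INIT_CREDS_TRISTATE_FALSE
} krb5_get_init_creds_tristate;

/* Private, reference-counted part of krb5_get_init_creds_opt. */
struct _krb5_get_init_creds_opt_private {
    int refcount;
    /* ENC_TIMESTAMP */
    const char *password;	/* NOTE(review): const suggests the caller's
				   buffer is borrowed; confirm ownership and
				   who zeroizes it in the opt set/free code */
    krb5_s2k_proc key_proc;
    /* PA_PAC_REQUEST */
    krb5_get_init_creds_tristate req_pac;
    /* PKINIT */
    krb5_pk_init_ctx pk_init_ctx;
    krb5_get_init_creds_tristate addressless;
    int flags;
#define KRB5_INIT_CREDS_CANONICALIZE 1
/*
 * The NO_*_CHECK bits, by name, relax PKINIT certificate validation.
 * They should only be set on explicit caller request, never by default.
 * Bits 8 and 16 are not defined here; presumably retired - leave them free.
 */
#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 2
#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 4
#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64
    struct {
	krb5_gic_process_last_req func;
	void *ctx;
    } lr;
};

typedef uint32_t krb5_enctype_set;

/* The library context behind the opaque krb5_context handle. */
typedef struct krb5_context_data {
    krb5_enctype *etypes;
    krb5_enctype *cfg_etypes;
    krb5_enctype *etypes_des;/* deprecated */
    krb5_enctype *as_etypes;
    krb5_enctype *tgs_etypes;
    krb5_enctype *permitted_enctypes;
    char **default_realms;
    time_t max_skew;			/* presumably the tolerated clock skew;
					   see where it is compared */
    time_t kdc_timeout;
    time_t host_timeout;
    unsigned max_retries;
    int32_t kdc_sec_offset;
    int32_t kdc_usec_offset;
    krb5_config_section *cf;
    struct et_list *et_list;
    struct krb5_log_facility *warn_dest;
    struct krb5_log_facility *debug_dest;
    const krb5_cc_ops **cc_ops;
    int num_cc_ops;
    const char *http_proxy;
    const char *time_fmt;
    krb5_boolean log_utc;
    const char *default_keytab;
    const char *default_keytab_modify;
    krb5_boolean use_admin_kdc;
    krb5_addresses *extra_addresses;
    krb5_boolean scan_interfaces;	/* `ifconfig -a' */
    krb5_boolean srv_lookup;		/* do SRV lookups */
    krb5_boolean srv_try_txt;		/* try TXT records also */
    int32_t fcache_vno;			/* create cache files w/ this
					   version */
    int num_kt_types;			/* # of registered keytab types */
    struct krb5_keytab_data *kt_types;	/* registered keytab types */
    const char *date_fmt;
    char *error_string;
    krb5_error_code error_code;
    krb5_addresses *ignore_addresses;
    char *default_cc_name;
    char *default_cc_name_env;
    int default_cc_name_set;
    HEIMDAL_MUTEX mutex;		/* protects error_string */
    int large_msg_size;
    int max_msg_size;
    int tgs_negative_timeout;		/* timeout for TGS negative cache */
    int flags;
#define KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME	1
#define KRB5_CTX_F_CHECK_PAC			2
#define KRB5_CTX_F_HOMEDIR_ACCESS		4
#define KRB5_CTX_F_SOCKETS_INITIALIZED		8
#define KRB5_CTX_F_RD_REQ_IGNORE		16
#define KRB5_CTX_F_FCACHE_STRICT_CHECKING	32
    struct send_to_kdc *send_to_kdc;
#ifdef PKINIT
    hx509_context hx509ctx;
#endif
    unsigned int num_kdc_requests;
    krb5_name_canon_rule name_canon_rules;
} krb5_context_data;

/*
 * Default credential cache names; %{uid} and %{TEMP} are tokens,
 * presumably expanded by the library's path-token code.
 * NOTE(review): the FILE/DIR names are predictable and live in a shared
 * temporary directory, so their safety rests on the cache backend creating
 * them with an owner-only mode and refusing a pre-existing file it did not
 * create.  That is not visible here - verify in the FILE/DIR ccache code.
 */
#ifndef KRB5_USE_PATH_TOKENS
#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}"
#define KRB5_DEFAULT_CCNAME_DIR "DIR:/tmp/krb5cc_%{uid}_dir/"
#else
#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
#define KRB5_DEFAULT_CCNAME_DIR "DIR:%{TEMP}/krb5cc_%{uid}_dir/"
#endif
#define KRB5_DEFAULT_CCNAME_API "API:"
#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"

/*
 * Flag bits for ticket extraction.  The ALLOW_*_MISMATCH bits, by name,
 * relax the client/server name comparison and should be set only where
 * the caller has a specific reason.
 */
#define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH	1
#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH	2
#define EXTRACT_TICKET_MATCH_REALM		4
#define EXTRACT_TICKET_AS_REQ			8
#define EXTRACT_TICKET_TIMESYNC			16
#define EXTRACT_TICKET_MATCH_ANON		32

/*
 * Configurable options
 */

#ifndef KRB5_DEFAULT_CCTYPE
#ifdef __APPLE__
#define KRB5_DEFAULT_CCTYPE (&krb5_acc_ops)
#else
#define KRB5_DEFAULT_CCTYPE (&krb5_fcc_ops)
#endif
#endif

#ifndef KRB5_ADDRESSLESS_DEFAULT
#define KRB5_ADDRESSLESS_DEFAULT TRUE
#endif

/* Forwardable tickets are requested by default; a build can override this. */
#ifndef KRB5_FORWARDABLE_DEFAULT
#define KRB5_FORWARDABLE_DEFAULT TRUE
#endif

#ifndef KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME
#define KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME "org.h5l.Kerberos.configuration-changed"
#endif

#ifndef KRB5_FALLBACK_DEFAULT
#define KRB5_FALLBACK_DEFAULT TRUE
#endif

/*
 * 15778800 seconds is half a Julian year (182.625 days).  These are the
 * lifetimes the client asks for; what the KDC actually grants is its own
 * policy and is not decided here.
 */
#ifndef KRB5_TKT_LIFETIME_DEFAULT
# define KRB5_TKT_LIFETIME_DEFAULT 15778800 /* seconds */
#endif

#ifndef KRB5_TKT_RENEW_LIFETIME_DEFAULT
# define KRB5_TKT_RENEW_LIFETIME_DEFAULT 15778800 /* seconds */
#endif

#ifdef PKINIT

/* Client identity plus the trust material used to verify the KDC side. */
struct krb5_pk_identity {
    hx509_verify_ctx verify_ctx;
    hx509_certs certs;
    hx509_cert cert;
    hx509_certs anchors;
    hx509_certs certpool;
    hx509_revoke_ctx revokectx;
    int flags;
#define PKINIT_BTMM 1
};

enum krb5_pk_type {
    PKINIT_WIN2K = 1,
    PKINIT_27 = 2
};

enum keyex_enum { USE_RSA, USE_DH, USE_ECDH };

/*
 * Per-exchange PKINIT state.  The require_* bits, by name, each enable one
 * validation step on the KDC's reply; clearing one weakens the exchange and
 * should correspond to an explicit KRB5_INIT_CREDS_*NO_*_CHECK request.
 */
struct krb5_pk_init_ctx_data {
    struct krb5_pk_identity *id;
    enum keyex_enum keyex;
    union {
	DH *dh;
	void *eckey;
    } u;
    krb5_data *clientDHNonce;
    struct krb5_dh_moduli **m;
    hx509_peer_info peer;
    enum krb5_pk_type type;
    unsigned int require_binding:1;
    unsigned int require_eku:1;
    unsigned int require_krbtgt_otherName:1;
    unsigned int require_hostname_match:1;
    unsigned int trustedCertifiers:1;
    unsigned int anonymous:1;
};

#endif /* PKINIT */

/*
 * Character-class helpers for path handling.  The argument is parenthesized
 * so an expression argument is compared as a whole instead of being
 * re-associated by operator precedence.  On _WIN32 the argument is
 * evaluated twice; pass a side-effect-free expression.
 */
#define ISTILDE(x) ((x) == '~')
#ifdef _WIN32
# define ISPATHSEP(x) ((x) == '/' || (x) == '\\')
#else
# define ISPATHSEP(x) ((x) == '/')
#endif

#endif /* __KRB5_LOCL_H__ */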