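/* $NetBSD: krb5_locl.h,v 1.3 2019/12/15 22:50:50 christos Exp $ */

/*
 * Copyright (c) 1997-2016 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* Id */

/*
 * Library-internal header for libkrb5.  It pulls in the system and Heimdal
 * headers the implementation needs, declares the private context and
 * init-creds option structures, and defines the internal helper macros and
 * build-time defaults.  Nothing here is installed as public API (the public
 * declarations live in <krb5/krb5.h>, included below).
 */

#ifndef __KRB5_LOCL_H__
#define __KRB5_LOCL_H__

#include <config.h>
#include <krb5/roken.h>

#include <ctype.h>

#ifdef HAVE_POLL_H
#include <sys/poll.h>
#endif

#include <krb5/krb5-types.h>

#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
#endif

#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
#include <sys/ioctl.h>
#endif
#ifdef HAVE_PWD_H
#undef _POSIX_PTHREAD_SEMANTICS
/* This gets us the 5-arg getpwnam_r on Solaris 9. */
#define _POSIX_PTHREAD_SEMANTICS
#include <pwd.h>
#endif

#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#ifdef _AIX
/* Forward declaration; presumably some AIX system headers refer to it
 * without declaring it themselves. */
struct mbuf;
#endif
#ifdef HAVE_SYS_FILIO_H
#include <sys/filio.h>
#endif
#ifdef HAVE_SYS_FILE_H
#include <sys/file.h>
#endif

#include <krb5/com_err.h>

#include <krb5/heimbase.h>

/* Message catalogue used for translated error strings. */
#define HEIMDAL_TEXTDOMAIN "heimdal_krb5"

/*
 * N_(x, y): mark a string for translation.  With libintl the string is
 * looked up in HEIMDAL_TEXTDOMAIN; without it the string is used as-is and
 * bindtextdomain() becomes a no-op.  The second argument is ignored in
 * both cases.
 */
#ifdef LIBINTL
#include <libintl.h>
#define N_(x,y) dgettext(HEIMDAL_TEXTDOMAIN, x)
#else
#define N_(x,y) (x)
#define bindtextdomain(package, localedir)
#endif


/*
 * Hide any des_encrypt() that <crypt.h> declares behind a throwaway name
 * for the duration of the include, then drop the alias again.  This keeps
 * the system declaration from clashing with the des_encrypt provided by
 * the crypto headers included further down (presumably -- the comment in
 * the original is the macro name itself).
 */
#ifdef HAVE_CRYPT_H
#undef des_encrypt
#define des_encrypt wingless_pigs_mostly_fail_to_fly
#include <crypt.h>
#undef des_encrypt
#endif

#ifdef HAVE_DOOR_CREATE
#include <door.h>
#endif

#include <krb5/parse_time.h>
#include <krb5/base64.h>

#include <krb5/wind.h>

/*
 * We use OpenSSL for EC, but to do this we need to disable cross-references
 * between OpenSSL and hcrypto bn.h and such. Source files that use OpenSSL EC
 * must define HEIM_NO_CRYPTO_HDRS before including this file.
 */
#define HC_DEPRECATED_CRYPTO
#ifndef HEIM_NO_CRYPTO_HDRS
#include "crypto-headers.h"
#endif


#include <krb5/krb5_asn1.h>
#include <krb5/pkinit_asn1.h>

struct send_to_kdc;

/* XXX glue for pkinit */
struct hx509_certs_data;
struct krb5_pk_identity;
struct krb5_pk_cert;
struct ContentInfo;
struct AlgorithmIdentifier;
typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
struct krb5_dh_moduli;

/* v4 glue */
struct _krb5_krb_auth_data;

#include <krb5/der.h>

#include <krb5/krb5.h>
#include <krb5/krb5_err.h>
#include <krb5/asn1_err.h>
#ifdef PKINIT
#include <krb5/hx509.h>
#endif

#include "crypto.h"

#include <krb5/krb5-private.h>

#include "heim_threads.h"

/*
 * ALLOC(X, N): allocate N zero-filled objects of X's pointee type into X.
 * calloc() does the N * sizeof overflow check and zero-fills, but the
 * result is NOT checked here: the caller must test X for NULL.
 */
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
/*
 * ALLOC_SEQ(X, N): size a sequence (any struct with `len' and `val'
 * members) to N elements.  `len' is assigned before `val' is allocated,
 * so after a failed allocation the sequence has len == N and val == NULL;
 * callers must check `val', not `len', before using the elements.
 */
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)

/*
 * NOTE(review): __func__ is a predefined identifier in C99, not a macro,
 * so this #ifndef is true on conforming compilers unless config.h defines
 * the name.  Confirm that krb5_einval() below actually receives the real
 * function name rather than "unknown-function" in the normal build.
 */
#ifndef __func__
#define __func__ "unknown-function"
#endif

/*
 * Report an invalid-argument error on `context', tagged with the calling
 * function's name and the 1-based position of the offending argument.
 */
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))

/* Separator between entries of path-list values; overridable by the build. */
#ifndef PATH_SEP
#define PATH_SEP ":"
#endif

/* should this be public? */
#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"


/* Default location of the Diffie-Hellman moduli used by PKINIT. */
#define MODULI_FILE SYSCONFDIR "/krb5.moduli"

/* Text/binary open(2) flag; only meaningful on Windows, a no-op elsewhere. */
#ifndef O_BINARY
#define O_BINARY 0
#endif

/*
 * Close-on-exec flags for open(2) and socket(2).  Where the platform lacks
 * them they become 0, i.e. the request is silently dropped and descriptors
 * created with these flags remain open across exec().  Code that must not
 * leak descriptors into child processes has to apply FD_CLOEXEC with
 * fcntl(2) itself on such platforms.
 */
#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#endif

#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC 0
#endif


/* Size in bytes of the library's general-purpose scratch buffers. */
#define KRB5_BUFSIZ 2048

/*
 * Three-valued option setting.  UNSET (0, so a zeroed structure is "unset")
 * means the caller expressed no preference and the configured default
 * presumably applies; TRUE and FALSE are explicit choices.
 */
typedef enum {
    KRB5_INIT_CREDS_TRISTATE_UNSET = 0,
    KRB5_INIT_CREDS_TRISTATE_TRUE,
    KRB5_INIT_CREDS_TRISTATE_FALSE
} krb5_get_init_creds_tristate;

/*
 * Private part of krb5_get_init_creds_opt.  Reference counted; the
 * pre-authentication related members are grouped by the mechanism that
 * consumes them.
 */
struct _krb5_get_init_creds_opt_private {
    int refcount;			/* shared-ownership count */
    /* ENC_TIMESTAMP */
    const char *password;		/* not owned -- caller's buffer */
    krb5_s2k_proc key_proc;		/* string-to-key callback */
    /* PA_PAC_REQUEST */
    krb5_get_init_creds_tristate req_pac;
    /* PKINIT */
    krb5_pk_init_ctx pk_init_ctx;
    krb5_get_init_creds_tristate addressless;
    int flags;				/* bitwise OR of KRB5_INIT_CREDS_* */
#define KRB5_INIT_CREDS_CANONICALIZE		1
#define KRB5_INIT_CREDS_NO_C_CANON_CHECK	2
#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK	4
#define KRB5_INIT_CREDS_PKINIT_KX_VALID		32
#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64
    /* Callback for the KDC's last-request data plus its opaque argument. */
    struct {
	krb5_gic_process_last_req func;
	void *ctx;
    } lr;
};

/* Bit set of enctypes; one bit per enctype -- assumes fewer than 32. */
typedef uint32_t krb5_enctype_set;

/*
 * The library context.  One per krb5_context handle; holds configuration,
 * registered back-ends and the per-context error state.  Only error_string
 * is documented as mutex protected; the other members are presumably
 * intended for single-threaded use of a given context.
 */
typedef struct krb5_context_data {
    krb5_enctype *etypes;
    krb5_enctype *cfg_etypes;
    krb5_enctype *etypes_des;/* deprecated */
    krb5_enctype *as_etypes;
    krb5_enctype *tgs_etypes;
    krb5_enctype *permitted_enctypes;
    char **default_realms;
    time_t max_skew;			/* tolerated clock skew */
    time_t kdc_timeout;
    time_t host_timeout;
    unsigned max_retries;
    int32_t kdc_sec_offset;		/* clock offset to KDC, seconds */
    int32_t kdc_usec_offset;		/* ... and microseconds */
    krb5_config_section *cf;		/* parsed configuration */
    struct et_list *et_list;
    struct krb5_log_facility *warn_dest;
    struct krb5_log_facility *debug_dest;
    const krb5_cc_ops **cc_ops;		/* registered credential cache types */
    int num_cc_ops;
    const char *http_proxy;
    const char *time_fmt;
    krb5_boolean log_utc;
    const char *default_keytab;
    const char *default_keytab_modify;
    krb5_boolean use_admin_kdc;
    krb5_addresses *extra_addresses;
    krb5_boolean scan_interfaces;	/* `ifconfig -a' */
    krb5_boolean srv_lookup;		/* do SRV lookups */
    krb5_boolean srv_try_txt;		/* try TXT records also */
    int32_t fcache_vno;			/* create cache files w/ this version */
    int num_kt_types;			/* # of registered keytab types */
    struct krb5_keytab_data *kt_types;	/* registered keytab types */
    const char *date_fmt;
    char *error_string;			/* last error message, owned */
    krb5_error_code error_code;
    krb5_addresses *ignore_addresses;
    char *default_cc_name;
    char *default_cc_name_env;
    int default_cc_name_set;
    HEIMDAL_MUTEX mutex;		/* protects error_string */
    int large_msg_size;
    int max_msg_size;
    int tgs_negative_timeout;		/* timeout for TGS negative cache */
    int flags;				/* bitwise OR of KRB5_CTX_F_* */
#define KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME	1
#define KRB5_CTX_F_CHECK_PAC			2
#define KRB5_CTX_F_HOMEDIR_ACCESS		4
#define KRB5_CTX_F_SOCKETS_INITIALIZED		8
#define KRB5_CTX_F_RD_REQ_IGNORE		16
#define KRB5_CTX_F_FCACHE_STRICT_CHECKING	32
    struct send_to_kdc *send_to_kdc;	/* pluggable KDC transport hook */
#ifdef PKINIT
    hx509_context hx509ctx;
#endif
    unsigned int num_kdc_requests;
    krb5_name_canon_rule name_canon_rules;
} krb5_context_data;

/*
 * Default credential cache names per cache type.  %{uid} and %{TEMP} are
 * substitution tokens expanded at run time; the %{TEMP} variants are used
 * only when the build enables KRB5_USE_PATH_TOKENS.
 */
#ifndef KRB5_USE_PATH_TOKENS
#define KRB5_DEFAULT_CCNAME_FILE "FILE:/tmp/krb5cc_%{uid}"
#define KRB5_DEFAULT_CCNAME_DIR "DIR:/tmp/krb5cc_%{uid}_dir/"
#else
#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
#define KRB5_DEFAULT_CCNAME_DIR "DIR:%{TEMP}/krb5cc_%{uid}_dir/"
#endif
#define KRB5_DEFAULT_CCNAME_API "API:"
#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"

/*
 * Flag bits controlling how strictly a ticket extracted from a KDC reply
 * is matched against what was requested.  The ALLOW_* bits relax a check;
 * treat them as deliberate exceptions rather than defaults.
 */
#define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH	1
#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH	2
#define EXTRACT_TICKET_MATCH_REALM		4
#define EXTRACT_TICKET_AS_REQ			8
#define EXTRACT_TICKET_TIMESYNC			16
#define EXTRACT_TICKET_MATCH_ANON		32

/*
 * Configurable options
 */

#ifndef KRB5_DEFAULT_CCTYPE
#ifdef __APPLE__
#define KRB5_DEFAULT_CCTYPE (&krb5_acc_ops)
#else
#define KRB5_DEFAULT_CCTYPE (&krb5_fcc_ops)
#endif
#endif

#ifndef KRB5_ADDRESSLESS_DEFAULT
#define KRB5_ADDRESSLESS_DEFAULT TRUE
#endif

#ifndef KRB5_FORWARDABLE_DEFAULT
#define KRB5_FORWARDABLE_DEFAULT TRUE
#endif

#ifndef KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME
#define KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME "org.h5l.Kerberos.configuration-changed"
#endif

#ifndef KRB5_FALLBACK_DEFAULT
#define KRB5_FALLBACK_DEFAULT TRUE
#endif

/* 15778800 s = 182.625 days, i.e. about six months. */
#ifndef KRB5_TKT_LIFETIME_DEFAULT
# define KRB5_TKT_LIFETIME_DEFAULT 15778800 /* seconds */
#endif

#ifndef KRB5_TKT_RENEW_LIFETIME_DEFAULT
# define KRB5_TKT_RENEW_LIFETIME_DEFAULT 15778800 /* seconds */
#endif

#ifdef PKINIT

/*
 * The client's PKINIT identity: its own certificate and key material
 * plus the trust anchors, certificate pool and revocation state used to
 * validate the KDC's certificate.
 */
struct krb5_pk_identity {
    hx509_verify_ctx verify_ctx;
    hx509_certs certs;
    hx509_cert cert;
    hx509_certs anchors;		/* trusted roots for KDC cert validation */
    hx509_certs certpool;
    hx509_revoke_ctx revokectx;		/* CRL/OCSP state */
    int flags;
#define PKINIT_BTMM 1
};

/* Which PKINIT protocol variant is in use. */
enum krb5_pk_type {
    PKINIT_WIN2K = 1,
    PKINIT_27 = 2
};

/* Key exchange method for the reply key. */
enum keyex_enum { USE_RSA, USE_DH, USE_ECDH };

/*
 * Per-request PKINIT state.  The require_* bits are policy switches that
 * tighten validation of the KDC's certificate; clearing any of them
 * weakens KDC authentication and should be a deliberate configuration.
 */
struct krb5_pk_init_ctx_data {
    struct krb5_pk_identity *id;
    enum keyex_enum keyex;
    union {
	DH *dh;
	void *eckey;
    } u;				/* ephemeral key, selected by keyex */
    krb5_data *clientDHNonce;
    struct krb5_dh_moduli **m;
    hx509_peer_info peer;
    enum krb5_pk_type type;
    unsigned int require_binding:1;
    unsigned int require_eku:1;
    unsigned int require_krbtgt_otherName:1;
    unsigned int require_hostname_match:1;
    unsigned int trustedCertifiers:1;
    unsigned int anonymous:1;
};

#endif /* PKINIT */

/*
 * Character-class helpers for path handling.  The argument is
 * parenthesized so that an expression argument (e.g. a conditional) is
 * compared as a unit rather than being spliced into the comparison.
 */
#define ISTILDE(x) ((x) == '~')
#ifdef _WIN32
# define ISPATHSEP(x) ((x) == '/' || (x) == '\\')
#else
# define ISPATHSEP(x) ((x) == '/')
#endif

#endif /* __KRB5_LOCL_H__ */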