diff options
Diffstat (limited to 'third_party/heimdal/kdc/kdc_locl.h')
-rw-r--r-- | third_party/heimdal/kdc/kdc_locl.h | 257 |
1 files changed, 257 insertions, 0 deletions
diff --git a/third_party/heimdal/kdc/kdc_locl.h b/third_party/heimdal/kdc/kdc_locl.h new file mode 100644 index 0000000..767d04f --- /dev/null +++ b/third_party/heimdal/kdc/kdc_locl.h @@ -0,0 +1,257 @@ +/* + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * $Id$ + */ + +#ifndef __KDC_LOCL_H__ +#define __KDC_LOCL_H__ + +#include "headers.h" + +typedef struct pk_client_params pk_client_params; +typedef struct gss_client_params gss_client_params; + +#include <kdc-private.h> + +#define FAST_EXPIRATION_TIME (3 * 60) + +/* KFE == KDC_FIND_ETYPE */ +#define KFE_IS_TGS 0x1 +#define KFE_IS_PREAUTH 0x2 +#define KFE_USE_CLIENT 0x4 + +#define heim_pcontext krb5_context +#define heim_pconfig krb5_kdc_configuration * +#include <heimbase-svc.h> + +#define KDC_AUDIT_EATWHITE HEIM_SVC_AUDIT_EATWHITE +#define KDC_AUDIT_VIS HEIM_SVC_AUDIT_VIS +#define KDC_AUDIT_VISLAST HEIM_SVC_AUDIT_VISLAST + +struct kdc_request_desc { + HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS; +}; + +struct kdc_patypes; + +struct krb5_kdc_configuration { + KRB5_KDC_CONFIGURATION_COMMON_ELEMENTS; + + int num_kdc_processes; + + size_t max_datagram_reply_length; + + time_t kdc_warn_pwexpire; /* time before expiration to print a warning */ + + unsigned int require_preauth : 1; /* require preauth for all principals */ + unsigned int encode_as_rep_as_tgs_rep : 1; /* bug compatibility */ + + unsigned int check_ticket_addresses : 1; + unsigned int warn_ticket_addresses : 1; + unsigned int allow_null_ticket_addresses : 1; + unsigned int allow_anonymous : 1; + unsigned int historical_anon_realm : 1; + unsigned int strict_nametypes : 1; + enum krb5_kdc_trpolicy trpolicy; + + unsigned int enable_unarmored_pa_enc_timestamp : 1; + + unsigned int enable_pkinit : 1; + unsigned int pkinit_princ_in_cert : 1; + const char *pkinit_kdc_identity; + const char *pkinit_kdc_anchors; + const char *pkinit_kdc_friendly_name; + const char *pkinit_kdc_ocsp_file; + char **pkinit_kdc_cert_pool; + char **pkinit_kdc_revoke; + int pkinit_dh_min_bits; + unsigned int pkinit_require_binding : 1; + unsigned int pkinit_allow_proxy_certs : 1; + unsigned int synthetic_clients : 1; + unsigned int pkinit_max_life_from_cert_extension : 1; + krb5_timestamp pkinit_max_life_from_cert; + krb5_timestamp pkinit_max_life_bound; + krb5_timestamp synthetic_clients_max_life; + krb5_timestamp synthetic_clients_max_renew; + + int digests_allowed; + unsigned int enable_digest : 1; + + unsigned int enable_kx509 : 1; + + unsigned int enable_gss_preauth : 1; + unsigned int enable_gss_auth_data : 1; + gss_OID_set gss_mechanisms_allowed; + gss_OID_set gss_cross_realm_mechanisms_allowed; + +}; + +struct astgs_request_desc { + HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS; + + /* AS-REQ or TGS-REQ */ + KDC_REQ req; + + /* AS-REP or TGS-REP */ + KDC_REP rep; + EncTicketPart et; + EncKDCRepPart ek; + + /* client principal (AS) or TGT/S4U principal (TGS) */ + krb5_principal client_princ; + hdb_entry *client; + HDB *clientdb; + krb5_principal canon_client_princ; + + /* server principal */ + krb5_principal server_princ; + HDB *serverdb; + hdb_entry *server; + + /* presented ticket in TGS-REQ (unused by AS) */ + krb5_principal krbtgt_princ; + hdb_entry *krbtgt; + HDB *krbtgtdb; + krb5_ticket *ticket; + + krb5_keyblock reply_key; + + krb5_pac pac; + uint64_t pac_attributes; + + /* Only AS */ + const struct kdc_patypes *pa_used; + + /* PA methods can affect both the reply key and the session key (pkinit) */ + krb5_enctype sessionetype; + krb5_keyblock session_key; + + krb5_timestamp pa_endtime; + krb5_timestamp pa_max_life; + + krb5_keyblock strengthen_key; + const Key *ticket_key; + + /* only valid for tgs-req */ + unsigned int rk_is_subkey : 1; + unsigned int fast_asserted : 1; + unsigned int explicit_armor_present : 1; + + krb5_crypto armor_crypto; + hdb_entry *armor_server; + HDB *armor_serverdb; + krb5_ticket *armor_ticket; + Key *armor_key; + + hdb_entry *explicit_armor_client; + HDB *explicit_armor_clientdb; + krb5_pac explicit_armor_pac; + + KDCFastState fast; +}; + +typedef struct kx509_req_context_desc { + HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS; + + struct Kx509Request req; + Kx509CSRPlus csr_plus; + krb5_auth_context ac; + const char *realm; /* XXX Confusion: is this crealm or srealm? */ + krb5_keyblock *key; + hx509_request csr; + krb5_times ticket_times; + unsigned int send_chain:1; /* Client expects a full chain */ + unsigned int have_csr:1; /* Client sent a CSR */ +} *kx509_req_context; + +#undef heim_pconfig +#undef heim_pcontext + +extern sig_atomic_t exit_flag; +extern size_t max_request_udp; +extern size_t max_request_tcp; +extern const char *request_log; +extern const char *port_str; +extern krb5_addresses explicit_addresses; + +extern int enable_http; + +extern int detach_from_console; +extern int daemon_child; +extern int do_bonjour; + +extern int testing_flag; + +extern const struct units _kdc_digestunits[]; + +#define KDC_LOG_FILE "kdc.log" + +extern struct timeval _kdc_now; +#define kdc_time (_kdc_now.tv_sec) + +extern char *runas_string; +extern char *chroot_string; + +void +start_kdc(krb5_context context, krb5_kdc_configuration *config, const char *argv0); + +krb5_kdc_configuration * +configure(krb5_context context, int argc, char **argv, int *optidx); + +#ifdef __APPLE__ +void bonjour_announce(krb5_context, krb5_kdc_configuration *); +#endif + +/* no-copy setters */ + +#undef _KDC_REQUEST_GET_ACCESSOR +#undef _KDC_REQUEST_SET_ACCESSOR + +#undef _KDC_REQUEST_GET_ACCESSOR_PTR +#undef _KDC_REQUEST_SET_ACCESSOR_PTR +#define _KDC_REQUEST_SET_ACCESSOR_PTR(R, T, t, f) \ + void \ + _kdc_request_set_ ## f ## _nocopy(R r, T *v); + +#undef _KDC_REQUEST_GET_ACCESSOR_STRUCT +#undef _KDC_REQUEST_SET_ACCESSOR_STRUCT +#define _KDC_REQUEST_SET_ACCESSOR_STRUCT(R, T, t, f) \ + void \ + _kdc_request_set_ ## f ## _nocopy(R r, T *v); + +#undef HEIMDAL_KDC_KDC_ACCESSORS_H +#include "kdc-accessors.h" + +#endif /* __KDC_LOCL_H__ */ |