Diffstat (limited to 'source4/heimdal/lib/krb5/krb5.h')
-rw-r--r--source4/heimdal/lib/krb5/krb5.h192
1 files changed, 159 insertions, 33 deletions
diff --git a/source4/heimdal/lib/krb5/krb5.h b/source4/heimdal/lib/krb5/krb5.h
index 9c0f5669466..3950bd30a4e 100644
--- a/source4/heimdal/lib/krb5/krb5.h
+++ b/source4/heimdal/lib/krb5/krb5.h
@@ -45,8 +45,11 @@
#include <krb5_err.h>
#include <heim_err.h>
#include <k524_err.h>
+#include <k5e1_err.h>
#include <krb5_asn1.h>
+typedef Krb5Int32 krb5int32;
+typedef Krb5UInt32 krb5uint32;
/* name confusion with MIT */
#ifndef KRB5KDC_ERR_KEY_EXP
@@ -55,8 +58,10 @@
#ifdef _WIN32
#define KRB5_CALLCONV __stdcall
+#define KRB5_LIB_CALL __stdcall
#else
#define KRB5_CALLCONV
+#define KRB5_LIB_CALL
#endif
/* simple constants */
@@ -150,6 +155,8 @@ enum {
ETYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1,
ETYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ETYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ETYPE_AES128_CTS_HMAC_SHA256_128 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+ ETYPE_AES256_CTS_HMAC_SHA384_192 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA384_192,
ETYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
ETYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
ETYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
@@ -274,14 +281,28 @@ typedef enum krb5_key_usage {
/* Encryption type of the kdc session contribution in pk-init */
KRB5_KU_AS_REQ = 56,
/* Checksum of over the AS-REQ send by the KDC in PA-REQ-ENC-PA-REP */
+ KRB5_KU_FAST_REQ_CHKSUM = 50,
+ /* FAST armor checksum */
+ KRB5_KU_FAST_ENC = 51,
+ /* FAST armor encryption */
+ KRB5_KU_FAST_REP = 52,
+ /* FAST armor reply */
+ KRB5_KU_FAST_FINISHED = 53,
+ /* FAST finished checksum */
+ KRB5_KU_ENC_CHALLENGE_CLIENT = 54,
+ /* fast challenge from client */
+ KRB5_KU_ENC_CHALLENGE_KDC = 55,
+ /* fast challenge from kdc */
KRB5_KU_DIGEST_ENCRYPT = -18,
/* Encryption key usage used in the digest encryption field */
KRB5_KU_DIGEST_OPAQUE = -19,
/* Checksum key usage used in the digest opaque field */
KRB5_KU_KRB5SIGNEDPATH = -21,
/* Checksum key usage on KRB5SignedPath */
- KRB5_KU_CANONICALIZED_NAMES = -23
+ KRB5_KU_CANONICALIZED_NAMES = -23,
/* Checksum key usage on PA-CANONICALIZED */
+ KRB5_KU_H5L_COOKIE = -25
+ /* encrypted foo */
} krb5_key_usage;
typedef krb5_key_usage krb5_keyusage;
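Review bot: The comment placement for the new KRB5_KU_FAST_* enumerators is ambiguous: each comment sits on the line after the value it belongs to, so `/* Checksum of over the AS-REQ ... */` now reads as if it described `KRB5_KU_FAST_REQ_CHKSUM = 50`, and `/* FAST armor checksum */` as if it described `KRB5_KU_FAST_ENC = 51`. Key-usage numbers are the domain-separation input to key derivation, so a maintainer mis-pairing a comment with a value is a real interoperability and security risk; putting each comment on the same line as its enumerator (`KRB5_KU_FAST_REQ_CHKSUM = 50, /* FAST armor checksum */`) removes the ambiguity. `/* encrypted foo */` on KRB5_KU_H5L_COOKIE is a placeholder and should state what this usage protects (presumably the KDC's cookie — confirm against the KDC code).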
@@ -344,15 +365,7 @@ typedef AP_REQ krb5_ap_req;
struct krb5_cc_ops;
-#ifdef _WIN32
-#define KRB5_USE_PATH_TOKENS 1
-#endif
-
-#ifdef KRB5_USE_PATH_TOKENS
#define KRB5_DEFAULT_CCFILE_ROOT "%{TEMP}/krb5cc_"
-#else
-#define KRB5_DEFAULT_CCFILE_ROOT "/tmp/krb5cc_"
-#endif
#define KRB5_DEFAULT_CCROOT "FILE:" KRB5_DEFAULT_CCFILE_ROOT
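Review bot: KRB5_DEFAULT_CCFILE_ROOT is now `"%{TEMP}/krb5cc_"` on every platform, so the default credential-cache location depends on how the `%{TEMP}` token is expanded at runtime instead of a fixed `/tmp` path; the expansion code is not in this hunk, so whether that token can be influenced by the process environment on non-Windows systems is not visible here. Because the default cache holds the user's TGT, the definition deserves a comment, e.g. `/* %{TEMP} is expanded at runtime by the path-token expander; verify its non-Windows expansion before relying on this default */`.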
@@ -367,6 +380,10 @@ typedef struct krb5_cccol_cursor_data *krb5_cccol_cursor;
typedef struct krb5_ccache_data {
const struct krb5_cc_ops *ops;
krb5_data data;
+ unsigned int cc_initialized:1; /* if 1: krb5_cc_initialize() called */
+ unsigned int cc_need_start_realm:1;
+ unsigned int cc_start_tgt_stored:1;
+ unsigned int cc_kx509_done:1;
}krb5_ccache_data;
typedef struct krb5_ccache_data *krb5_ccache;
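Review bot: cc_need_start_realm, cc_start_tgt_stored and cc_kx509_done are added without the explanatory comment that cc_initialized gets on the line above them. From the names these look like per-cache state flags (start realm still to be written, initial TGT already stored, kx509 already run), but that is an inference; each should say who sets and clears it. krb5_ccache_data is a public struct in this header, so adding members also changes its size for any code that allocates or embeds it directly.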
@@ -422,6 +439,7 @@ typedef union {
/* flags for krb5_verify_ap_req */
#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0)
+#define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS (1 << 1)
#define KRB5_GC_CACHED (1U << 0)
#define KRB5_GC_USER_USER (1U << 1)
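Review bot: KRB5_VERIFY_AP_REQ_IGNORE_ADDRS relaxes a verification step in krb5_verify_ap_req but is introduced without a comment saying what is skipped or when a caller should use it. Suggest `#define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS (1 << 1) /* skip the ticket address check — presumably for NAT/proxy cases; confirm in the verify code */`. The existing KRB5_VERIFY_AP_REQ_IGNORE_INVALID has the same gap.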
@@ -431,6 +449,7 @@ typedef union {
#define KRB5_GC_NO_TRANSIT_CHECK (1U << 5)
#define KRB5_GC_CONSTRAINED_DELEGATION (1U << 6)
#define KRB5_GC_CANONICALIZE (1U << 7)
+#define KRB5_GC_ANONYMOUS (1U << 8)
/* constants for compare_creds (and cc_retrieve_cred) */
#define KRB5_TC_DONT_MATCH_REALM (1U << 31)
@@ -467,9 +486,15 @@ typedef struct krb5_creds {
typedef struct krb5_cc_cache_cursor_data *krb5_cc_cache_cursor;
-#define KRB5_CC_OPS_VERSION 3
+#define KRB5_CC_OPS_VERSION_0 0
+#define KRB5_CC_OPS_VERSION_1 1
+#define KRB5_CC_OPS_VERSION_2 2
+#define KRB5_CC_OPS_VERSION_3 3
+#define KRB5_CC_OPS_VERSION_5 5
+/* Only extend the structure. Do not change signatures. */
typedef struct krb5_cc_ops {
+ /* Version 0 */
int version;
const char *prefix;
const char* (KRB5_CALLCONV * get_name)(krb5_context, krb5_ccache);
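Review bot: The unversioned `KRB5_CC_OPS_VERSION` macro is removed from this public header while the numbered KRB5_CC_OPS_VERSION_N macros are added, so an out-of-tree credential-cache backend that initializes `.version = KRB5_CC_OPS_VERSION` stops compiling. If that break is not intended, a compatibility alias keeps such sources building: `#define KRB5_CC_OPS_VERSION KRB5_CC_OPS_VERSION_3 /* compat: former unversioned value */`; if it is intended, say so in the comment above the struct. The gap at 4 (no KRB5_CC_OPS_VERSION_4) also needs a one-line note so nobody fills it in later. The krb5_cc_ops struct continues past this hunk.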
@@ -496,27 +521,43 @@ typedef struct krb5_cc_ops {
krb5_error_code (KRB5_CALLCONV * end_cache_get)(krb5_context, krb5_cc_cursor);
krb5_error_code (KRB5_CALLCONV * move)(krb5_context, krb5_ccache, krb5_ccache);
krb5_error_code (KRB5_CALLCONV * get_default_name)(krb5_context, char **);
+ /* Version 1 */
krb5_error_code (KRB5_CALLCONV * set_default)(krb5_context, krb5_ccache);
+ /* Version 2 */
krb5_error_code (KRB5_CALLCONV * lastchange)(krb5_context, krb5_ccache, krb5_timestamp *);
+ /* Version 3 */
krb5_error_code (KRB5_CALLCONV * set_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat);
krb5_error_code (KRB5_CALLCONV * get_kdc_offset)(krb5_context, krb5_ccache, krb5_deltat *);
+ /* Version 5 */
+ krb5_error_code (KRB5_CALLCONV * get_name_2)(krb5_context, krb5_ccache,
+ const char **id, const char **res,
+ const char **sub);
+ krb5_error_code (KRB5_CALLCONV * resolve_2)(krb5_context, krb5_ccache *id, const char *res,
+ const char *sub);
+ /* Add new functions here for versions 6 and above */
} krb5_cc_ops;
-struct krb5_log_facility;
-
+/*
+ * krb5_config_binding is identical to struct heim_config_binding
+ * within heimbase.h. Its format is public and used by callers of
+ * krb5_config_get_list() and krb5_config_vget_list().
+ */
+enum krb5_config_type {
+ krb5_config_string,
+ krb5_config_list,
+};
struct krb5_config_binding {
- enum { krb5_config_string, krb5_config_list } type;
+ enum krb5_config_type type;
char *name;
struct krb5_config_binding *next;
union {
- char *string;
- struct krb5_config_binding *list;
- void *generic;
+ char *string;
+ struct krb5_config_binding *list;
+ void *generic;
} u;
};
typedef struct krb5_config_binding krb5_config_binding;
-
typedef krb5_config_binding krb5_config_section;
typedef struct krb5_ticket {
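Review bot: The version-5 members get_name_2 and resolve_2 only exist in ops tables built for KRB5_CC_OPS_VERSION_5 or later, yet nothing in the header tells a caller to test `ops->version` before dereferencing them; with an older backend those fields lie past the end of the table the plugin defined. Suggest replacing the bare `/* Version 5 */` with `/* Version 5: only dereference when version >= KRB5_CC_OPS_VERSION_5 */`, and applying the same rule to the version 1–3 members. Separately, `enum krb5_config_type` ends with a trailing comma after `krb5_config_list,`; that is valid C99 but rejected by strict C89 compilers consuming this public header, so drop it. The krb5_cc_ops struct begins outside this hunk.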
@@ -537,8 +578,9 @@ typedef Authenticator krb5_donot_replay;
#define KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS 0x02
#define KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE 0x04
#define KRB5_STORAGE_KEYBLOCK_KEYTYPE_TWICE 0x08
-#define KRB5_STORAGE_BYTEORDER_MASK 0x60
+#define KRB5_STORAGE_BYTEORDER_MASK 0x70
#define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */
+#define KRB5_STORAGE_BYTEORDER_PACKED 0x10
#define KRB5_STORAGE_BYTEORDER_LE 0x20
#define KRB5_STORAGE_BYTEORDER_HOST 0x40
#define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 0x80
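Review bot: KRB5_STORAGE_BYTEORDER_PACKED is added without a comment while BE carries `/* default */`, and it is the only byte-order selector whose meaning is not evident from its name. Widening KRB5_STORAGE_BYTEORDER_MASK to 0x70 means bit 0x10 is now part of the byte-order field, so any code that decodes `flags & KRB5_STORAGE_BYTEORDER_MASK` via a switch must gain a PACKED case and reject combinations such as 0x30; that decoding code is outside this hunk. Suggest `#define KRB5_STORAGE_BYTEORDER_PACKED 0x10 /* variable-length integer encoding — confirm against store_int */` or a description of the actual encoding.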
@@ -641,6 +683,8 @@ typedef struct krb5_auth_context_data {
krb5_keytype keytype; /* ¿requested key type ? */
krb5_cksumtype cksumtype; /* ¡requested checksum type! */
+
+ AuthorizationData *auth_data;
}krb5_auth_context_data, *krb5_auth_context;
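Review bot: `AuthorizationData *auth_data` is added to krb5_auth_context_data with no comment on ownership — whether the context frees it in krb5_auth_con_free() and whether callers may replace it — unlike the neighbouring keytype and cksumtype fields, which at least state their purpose. Suggest `AuthorizationData *auth_data; /* owned by the auth context and freed with it — confirm against krb5_auth_con_free() */`.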
@@ -652,14 +696,13 @@ typedef struct {
extern const char *heimdal_version, *heimdal_long_version;
-typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(const char*, const char*, void*);
+typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(krb5_context,
+ const char*,
+ const char*,
+ void*);
typedef void (KRB5_CALLCONV * krb5_log_close_func_t)(void*);
-typedef struct krb5_log_facility {
- char *program;
- int len;
- struct facility *val;
-} krb5_log_facility;
+typedef struct heim_log_facility_s krb5_log_facility;
typedef EncAPRepPart krb5_ap_rep_enc_part;
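Review bot: krb5_log_log_func_t gains a leading krb5_context parameter, which is an incompatible change to a public callback type: an application that registers a logger with the old three-argument signature via krb5_addlog_func() now receives shifted arguments and still compiles if it casts. The header should carry a note at the typedef, `/* NOTE: signature changed — krb5_context is now the first argument; update any registered log callbacks */`, and the ABI change belongs in the commit message. Turning krb5_log_facility into an opaque typedef of heim_log_facility_s is fine; together with the removed `struct krb5_log_facility;` forward declaration, code using the tag form fails to compile rather than misbehaving, which is the better outcome.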
@@ -671,8 +714,18 @@ typedef EncAPRepPart krb5_ap_rep_enc_part;
#define KRB5_TGS_NAME ("krbtgt")
#define KRB5_WELLKNOWN_NAME ("WELLKNOWN")
#define KRB5_ANON_NAME ("ANONYMOUS")
+#define KRB5_ANON_REALM ("WELLKNOWN:ANONYMOUS")
+#define KRB5_FEDERATED_NAME ("FEDERATED")
+#define KRB5_FEDERATED_REALM ("WELLKNOWN:FEDERATED")
+#define KRB5_WELLKNOWN_ORG_H5L_REALM ("WELLKNOWN:ORG.H5L")
#define KRB5_DIGEST_NAME ("digest")
+#define KRB5_PKU2U_REALM_NAME ("WELLKNOWN:PKU2U")
+#define KRB5_LKDC_REALM_NAME ("WELLKNOWN:COM.APPLE.LKDC")
+
+#define KRB5_GSS_HOSTBASED_SERVICE_NAME ("WELLKNOWN:ORG.H5L.HOSTBASED-SERVICE")
+#define KRB5_GSS_REFERALS_REALM_NAME ("WELLKNOWN:ORG.H5L.REFERALS-REALM")
+
typedef enum {
KRB5_PROMPT_TYPE_PASSWORD = 0x1,
KRB5_PROMPT_TYPE_NEW_PASSWORD = 0x2,
@@ -720,6 +773,7 @@ struct _krb5_get_init_creds_opt {
int forwardable;
int proxiable;
int anonymous;
+ int change_password_prompt;
krb5_enctype *etype_list;
int etype_list_length;
krb5_addresses *address_list;
@@ -743,6 +797,7 @@ typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt;
#define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 /* no supported */
#define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100
#define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK 0x0200
+#define KRB5_GET_INIT_CREDS_OPT_CHANGE_PASSWORD_PROMPT 0x0400
/* krb5_init_creds_step flags argument */
#define KRB5_INIT_CREDS_STEP_FLAG_CONTINUE 0x0001
@@ -783,11 +838,13 @@ typedef struct krb5_verify_opt {
struct krb5_krbhst_data;
typedef struct krb5_krbhst_data *krb5_krbhst_handle;
-#define KRB5_KRBHST_KDC 1
-#define KRB5_KRBHST_ADMIN 2
-#define KRB5_KRBHST_CHANGEPW 3
-#define KRB5_KRBHST_KRB524 4
-#define KRB5_KRBHST_KCA 5
+#define KRB5_KRBHST_KDC 1
+#define KRB5_KRBHST_ADMIN 2
+#define KRB5_KRBHST_CHANGEPW 3
+#define KRB5_KRBHST_KRB524 4
+#define KRB5_KRBHST_KCA 5
+#define KRB5_KRBHST_READONLY_ADMIN 6
+#define KRB5_KRBHST_TKTBRIDGEAP 7
typedef struct krb5_krbhst_info {
enum { KRB5_KRBHST_UDP,
@@ -806,6 +863,7 @@ enum {
KRB5_KRBHST_FLAGS_LARGE_MSG = 2
};
+typedef krb5_error_code (*krb5_sendto_prexmit)(krb5_context, int, void *, int, krb5_data *);
typedef krb5_error_code
(KRB5_CALLCONV * krb5_send_to_kdc_func)(krb5_context, void *, krb5_krbhst_info *, time_t,
const krb5_data *, krb5_data *);
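Review bot: The new krb5_sendto_prexmit typedef omits KRB5_CALLCONV, unlike krb5_send_to_kdc_func directly below it and every other callback typedef in this header, so on _WIN32 it would get the default calling convention while its neighbours are __stdcall. Suggest `typedef krb5_error_code (KRB5_CALLCONV *krb5_sendto_prexmit)(krb5_context, int, void *, int, krb5_data *);`. Naming the parameters would also help, since two bare `int`s beside a `void *` say nothing about what each one is.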
@@ -814,7 +872,9 @@ typedef krb5_error_code
enum {
KRB5_PRINCIPAL_PARSE_NO_REALM = 1, /**< Require that there are no realm */
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM = 2, /**< Require a realm present */
- KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4 /**< Parse as a NT-ENTERPRISE name */
+ KRB5_PRINCIPAL_PARSE_ENTERPRISE = 4, /**< Parse as a NT-ENTERPRISE name */
+ KRB5_PRINCIPAL_PARSE_IGNORE_REALM = 8, /**< Ignore realm if present */
+ KRB5_PRINCIPAL_PARSE_NO_DEF_REALM = 16 /**< Don't default the realm */
};
/** flags for krb5_unparse_name_flags */
@@ -827,19 +887,43 @@ enum {
typedef struct krb5_sendto_ctx_data *krb5_sendto_ctx;
#define KRB5_SENDTO_DONE 0
-#define KRB5_SENDTO_RESTART 1
+#define KRB5_SENDTO_RESET 1
#define KRB5_SENDTO_CONTINUE 2
+#define KRB5_SENDTO_TIMEOUT 3
+#define KRB5_SENDTO_INITIAL 4
+#define KRB5_SENDTO_FILTER 5
+#define KRB5_SENDTO_FAILED 6
+#define KRB5_SENDTO_KRBHST 7
typedef krb5_error_code
(KRB5_CALLCONV * krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *,
const krb5_data *, int *);
-struct krb5_plugin;
enum krb5_plugin_type {
PLUGIN_TYPE_DATA = 1,
- PLUGIN_TYPE_FUNC
+ PLUGIN_TYPE_FUNC /* no longer supported */
};
+/*
+ * Since <krb5/common_plugin.h> is new with Heimdal 8, users looking to write
+ * portable plugins across Heimdal 7 and 8 need a conditional compilation
+ * predicate from a header file that does exist in both major releases. This
+ * is as good a place as any to define a plugin source-compatibility version
+ * number.
+ *
+ * When this macro is defined and is equal to 1, the Heimdal 8 plugin source
+ * API, and <krb5/common_plugin.h> header are available and should be used.
+ *
+ * In Heimdal 7, this macro is not defined, and <krb5/common_plugin.h> may not
+ * be available.
+ */
+#define KRB5_PLUGIN_COMMON_SPI_VERSION 1
+
+#define KRB5_PLUGIN_INVOKE_ALL 1
+
+typedef uintptr_t
+(KRB5_LIB_CALL *krb5_get_instance_func_t)(const char *);
+
struct credentials; /* this is to keep the compiler happy */
struct getargs;
struct sockaddr;
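Review bot: `KRB5_SENDTO_RESTART` is renamed to `KRB5_SENDTO_RESET` with no compatibility define, so a krb5_sendto_ctx_func callback written against the old name stops compiling; if the rename is deliberate, either add `#define KRB5_SENDTO_RESTART KRB5_SENDTO_RESET /* compat */` or a comment saying the old name was retired on purpose. krb5_get_instance_func_t uses KRB5_LIB_CALL while every other callback typedef here uses KRB5_CALLCONV; the two expand identically in the hunk above, so this is only a consistency point, but one should be chosen. `uintptr_t` needs <stdint.h> or <inttypes.h>, and neither appears in the include list visible in this diff — worth confirming it is pulled in transitively. PLUGIN_TYPE_FUNC is marked `/* no longer supported */`; saying what a plugin author should use instead would make that actionable.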
@@ -884,10 +968,48 @@ typedef struct {
}krb5_key_salt_tuple;
/*
+ * Name canonicalization rule options
+ */
+
+typedef enum krb5_name_canon_rule_options {
+ KRB5_NCRO_GC_ONLY = 1 << 0,
+ KRB5_NCRO_USE_REFERRALS = 1 << 1,
+ KRB5_NCRO_NO_REFERRALS = 1 << 2,
+ KRB5_NCRO_USE_FAST = 1 << 3,
+ KRB5_NCRO_USE_DNSSEC = 1 << 4,
+ KRB5_NCRO_LOOKUP_REALM = 1 << 5
+} krb5_name_canon_rule_options;
+
+typedef struct krb5_name_canon_rule_data *krb5_name_canon_rule;
+typedef const struct krb5_name_canon_rule_data *krb5_const_name_canon_rule;
+typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
+
+/*
+ * krb5_get_init_creds_opt_set_pkinit flags
+ */
+
+#define KRB5_GIC_OPT_PKINIT_USE_ENCKEY 2 /* use RSA, not DH */
+#define KRB5_GIC_OPT_PKINIT_ANONYMOUS 4 /* anonymous PKINIT */
+#define KRB5_GIC_OPT_PKINIT_BTMM 8 /* reserved by Apple */
+#define KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR 16 /* do not authenticate KDC */
+
+/*
+ * _krb5_principal_is_anonymous() flags
+ */
+#define KRB5_ANON_MATCH_AUTHENTICATED 1 /* authenticated with anon flag */
+#define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* anonymous PKINIT */
+#define KRB5_ANON_IGNORE_NAME_TYPE 4 /* don't check the name type */
+#define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | \
+ KRB5_ANON_MATCH_UNAUTHENTICATED )
+#define KRB5_ANON_MATCH_ANY_NONT ( KRB5_ANON_MATCH_ANY | \
+ KRB5_ANON_IGNORE_NAME_TYPE )
+
+/*
*
*/
struct hx509_certs_data;
+typedef struct krb5_kx509_req_ctx_data *krb5_kx509_req_ctx;
#include <krb5-protos.h>
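Review bot: The KRB5_GIC_OPT_PKINIT_* flag set starts at 2 with no value 1 and no comment on whether 1 is reserved, which invites a later flag at 1 that collides with whatever callers of krb5_get_init_creds_opt_set_pkinit already pass there; a line such as `/* 1 is reserved — do not reuse (confirm against the callers) */` settles it. KRB5_GIC_OPT_PKINIT_NO_KDC_ANCHOR is described as "do not authenticate KDC", which presumably disables the client's check of the KDC's PKINIT identity; a flag that strong deserves a comment stating its intended use (testing) so it is not picked up in production code. The new KRB5_ANON_* macros and krb5_name_canon_rule_options are clearly commented and look fine.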
@@ -898,11 +1020,13 @@ extern KRB5_LIB_VARIABLE const char *krb5_defkeyname;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_dcc_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_fcc_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_mcc_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_kcm_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops;
+extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_krcc_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_fkt_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_wrfkt_ops;
@@ -916,6 +1040,8 @@ extern KRB5_LIB_VARIABLE const char *krb5_cc_type_file;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
+extern KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring;
#endif /* __KRB5_H__ */