/src/krb5/src/kdc/kdc_util.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ |
2 | | /* kdc/kdc_util.h */ |
3 | | /* |
4 | | * Portions Copyright (C) 2007 Apple Inc. |
5 | | * Copyright 1990, 2007, 2014 by the Massachusetts Institute of Technology. |
6 | | * |
7 | | * Export of this software from the United States of America may |
8 | | * require a specific license from the United States Government. |
9 | | * It is the responsibility of any person or organization contemplating |
10 | | * export to obtain such a license before exporting. |
11 | | * |
12 | | * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and |
13 | | * distribute this software and its documentation for any purpose and |
14 | | * without fee is hereby granted, provided that the above copyright |
15 | | * notice appear in all copies and that both that copyright notice and |
16 | | * this permission notice appear in supporting documentation, and that |
17 | | * the name of M.I.T. not be used in advertising or publicity pertaining |
18 | | * to distribution of the software without specific, written prior |
19 | | * permission. Furthermore if you modify this software you must label |
20 | | * your software as modified software and not distribute it in such a |
21 | | * fashion that it might be confused with the original M.I.T. software. |
22 | | * M.I.T. makes no representations about the suitability of |
23 | | * this software for any purpose. It is provided "as is" without express |
24 | | * or implied warranty. |
25 | | * |
26 | | * |
27 | | * Declarations for policy.c |
28 | | */ |
29 | | |
30 | | #ifndef __KRB5_KDC_UTIL__ |
31 | | #define __KRB5_KDC_UTIL__ |
32 | | |
33 | | #include <krb5/kdcpreauth_plugin.h> |
34 | | #include "kdb.h" |
35 | | #include "net-server.h" |
36 | | #include "realm_data.h" |
37 | | #include "reqstate.h" |
38 | | |
39 | | krb5_boolean krb5_is_tgs_principal (krb5_const_principal); |
40 | | krb5_boolean is_cross_tgs_principal(krb5_const_principal); |
41 | | krb5_boolean is_local_tgs_principal(krb5_const_principal); |
42 | | krb5_error_code |
43 | | add_to_transited (krb5_data *, |
44 | | krb5_data *, |
45 | | krb5_principal, |
46 | | krb5_principal, |
47 | | krb5_principal); |
48 | | krb5_error_code |
49 | | compress_transited (krb5_data *, |
50 | | krb5_principal, |
51 | | krb5_data *); |
52 | | krb5_error_code |
53 | | fetch_last_req_info (krb5_db_entry *, krb5_last_req_entry ***); |
54 | | |
55 | | krb5_error_code |
56 | | kdc_convert_key (krb5_keyblock *, krb5_keyblock *, int); |
57 | | krb5_error_code |
58 | | kdc_process_tgs_req (kdc_realm_t *, krb5_kdc_req *, |
59 | | const krb5_fulladdr *, |
60 | | krb5_data *, |
61 | | krb5_ticket **, |
62 | | krb5_db_entry **krbtgt_ptr, |
63 | | krb5_keyblock **, krb5_keyblock **, |
64 | | krb5_pa_data **pa_tgs_req); |
65 | | |
66 | | krb5_error_code |
67 | | kdc_get_server_key (krb5_context, krb5_ticket *, unsigned int, |
68 | | krb5_boolean match_enctype, |
69 | | krb5_db_entry **, krb5_keyblock **, krb5_kvno *); |
70 | | |
71 | | krb5_error_code |
72 | | get_first_current_key(krb5_context context, krb5_db_entry *entry, |
73 | | krb5_keyblock *key_out); |
74 | | |
75 | | krb5_error_code |
76 | | get_local_tgt(krb5_context context, const krb5_data *realm, |
77 | | krb5_db_entry *candidate, krb5_db_entry **alias_out, |
78 | | krb5_db_entry **storage_out, krb5_keyblock *kb_out); |
79 | | |
80 | | krb5_error_code |
81 | | validate_as_request (kdc_realm_t *, krb5_kdc_req *, krb5_db_entry *, |
82 | | krb5_db_entry *, krb5_timestamp, |
83 | | const char **, krb5_pa_data ***); |
84 | | |
85 | | krb5_error_code |
86 | | check_tgs_constraints(kdc_realm_t *realm, krb5_kdc_req *request, |
87 | | krb5_db_entry *server, krb5_ticket *ticket, krb5_pac pac, |
88 | | const krb5_ticket *stkt, krb5_pac stkt_pac, |
89 | | krb5_db_entry *stkt_server, krb5_timestamp kdc_time, |
90 | | krb5_pa_s4u_x509_user *s4u_x509_user, |
91 | | krb5_db_entry *s4u2self_client, |
92 | | krb5_boolean is_crossrealm, krb5_boolean is_referral, |
93 | | const char **status, krb5_pa_data ***e_data); |
94 | | |
95 | | krb5_error_code |
96 | | check_tgs_policy(kdc_realm_t *realm, krb5_kdc_req *request, |
97 | | krb5_db_entry *server, krb5_ticket *ticket, |
98 | | krb5_pac pac, const krb5_ticket *stkt, krb5_pac stkt_pac, |
99 | | krb5_principal stkt_pac_client, krb5_db_entry *stkt_server, |
100 | | krb5_timestamp kdc_time, krb5_boolean is_crossrealm, |
101 | | krb5_boolean is_referral, const char **status, |
102 | | krb5_pa_data ***e_data); |
103 | | |
104 | | krb5_flags |
105 | | get_ticket_flags(krb5_flags reqflags, krb5_db_entry *client, |
106 | | krb5_db_entry *server, krb5_enc_tkt_part *header_enc); |
107 | | |
108 | | krb5_error_code |
109 | | check_indicators(krb5_context context, krb5_db_entry *server, |
110 | | krb5_data *const *indicators); |
111 | | |
112 | | int |
113 | | fetch_asn1_field (unsigned char *, unsigned int, unsigned int, krb5_data *); |
114 | | |
115 | | krb5_enctype |
116 | | select_session_keytype (krb5_context context, krb5_db_entry *server, |
117 | | int nktypes, krb5_enctype *ktypes); |
118 | | |
119 | | void limit_string (char *name); |
120 | | |
121 | | char *ktypes2str(krb5_enctype *ktype, int nktypes); |
122 | | |
123 | | char *rep_etypes2str(krb5_kdc_rep *rep); |
124 | | |
125 | | /* authind.c */ |
126 | | krb5_boolean |
127 | | authind_contains(krb5_data *const *indicators, const char *ind); |
128 | | |
129 | | krb5_error_code |
130 | | authind_add(krb5_context context, const char *ind, krb5_data ***indicators); |
131 | | |
132 | | krb5_error_code |
133 | | authind_extract(krb5_context context, krb5_authdata **authdata, |
134 | | krb5_data ***indicators); |
135 | | |
136 | | /* cammac.c */ |
137 | | krb5_error_code |
138 | | cammac_create(krb5_context context, krb5_enc_tkt_part *enc_tkt_reply, |
139 | | krb5_keyblock *server_key, krb5_db_entry *tgt, |
140 | | krb5_keyblock *tgt_key, krb5_authdata **contents, |
141 | | krb5_authdata ***cammac_out); |
142 | | |
143 | | krb5_boolean |
144 | | cammac_check_kdcver(krb5_context context, krb5_cammac *cammac, |
145 | | krb5_enc_tkt_part *enc_tkt, krb5_db_entry *tgt, |
146 | | krb5_keyblock *tgt_key); |
147 | | |
148 | | /* do_as_req.c */ |
149 | | void |
150 | | process_as_req (krb5_kdc_req *, krb5_data *, |
151 | | const krb5_fulladdr *, const krb5_fulladdr *, kdc_realm_t *, |
152 | | verto_ctx *, loop_respond_fn, void *); |
153 | | |
154 | | /* do_tgs_req.c */ |
155 | | krb5_error_code |
156 | | process_tgs_req (krb5_kdc_req *, krb5_data *, const krb5_fulladdr *, |
157 | | kdc_realm_t *, krb5_data ** ); |
158 | | /* dispatch.c */ |
159 | | void |
160 | | dispatch (void *, |
161 | | const krb5_fulladdr *, |
162 | | const krb5_fulladdr *, |
163 | | krb5_data *, |
164 | | int, |
165 | | verto_ctx *, |
166 | | loop_respond_fn, |
167 | | void *); |
168 | | |
169 | | void |
170 | | kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...) |
171 | | #if !defined(__cplusplus) && (__GNUC__ > 2) |
172 | | __attribute__((__format__(__printf__, 3, 4))) |
173 | | #endif |
174 | | ; |
175 | | |
176 | | /* kdc_preauth.c */ |
177 | | krb5_boolean |
178 | | enctype_requires_etype_info_2(krb5_enctype enctype); |
179 | | |
180 | | const char * |
181 | | missing_required_preauth (krb5_db_entry *client, |
182 | | krb5_db_entry *server, |
183 | | krb5_enc_tkt_part *enc_tkt_reply); |
184 | | typedef void (*kdc_hint_respond_fn)(void *arg); |
185 | | void |
186 | | get_preauth_hint_list(krb5_kdc_req *request, |
187 | | krb5_kdcpreauth_rock rock, krb5_pa_data ***e_data_out, |
188 | | kdc_hint_respond_fn respond, void *arg); |
189 | | void |
190 | | load_preauth_plugins(struct server_handle * handle, krb5_context context, |
191 | | verto_ctx *ctx); |
192 | | void |
193 | | unload_preauth_plugins(krb5_context context); |
194 | | |
195 | | typedef void (*kdc_preauth_respond_fn)(void *arg, krb5_error_code code); |
196 | | |
197 | | void |
198 | | check_padata(krb5_context context, krb5_kdcpreauth_rock rock, |
199 | | krb5_data *req_pkt, krb5_kdc_req *request, |
200 | | krb5_enc_tkt_part *enc_tkt_reply, void **padata_context, |
201 | | krb5_pa_data ***e_data, krb5_boolean *typed_e_data, |
202 | | kdc_preauth_respond_fn respond, void *state); |
203 | | |
204 | | krb5_error_code |
205 | | return_padata(krb5_context context, krb5_kdcpreauth_rock rock, |
206 | | krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, |
207 | | krb5_keyblock *encrypting_key, void **padata_context); |
208 | | |
209 | | void |
210 | | free_padata_context(krb5_context context, void *padata_context); |
211 | | |
212 | | /* kdc_preauth_ec.c */ |
213 | | krb5_error_code |
214 | | kdcpreauth_encrypted_challenge_initvt(krb5_context context, int maj_ver, |
215 | | int min_ver, krb5_plugin_vtable vtable); |
216 | | |
217 | | /* kdc_preauth_enctsc.c */ |
218 | | krb5_error_code |
219 | | kdcpreauth_encrypted_timestamp_initvt(krb5_context context, int maj_ver, |
220 | | int min_ver, krb5_plugin_vtable vtable); |
221 | | |
222 | | /* kdc_authdata.c */ |
223 | | krb5_error_code |
224 | | load_authdata_plugins(krb5_context context); |
225 | | krb5_error_code |
226 | | unload_authdata_plugins(krb5_context context); |
227 | | |
228 | | krb5_error_code |
229 | | get_auth_indicators(krb5_context context, krb5_enc_tkt_part *enc_tkt, |
230 | | krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, |
231 | | krb5_data ***indicators_out); |
232 | | |
233 | | krb5_error_code |
234 | | handle_authdata(kdc_realm_t *realm, unsigned int flags, krb5_db_entry *client, |
235 | | krb5_db_entry *server, krb5_db_entry *subject_server, |
236 | | krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, |
237 | | krb5_keyblock *client_key, krb5_keyblock *server_key, |
238 | | krb5_keyblock *header_key, krb5_keyblock *replaced_reply_key, |
239 | | krb5_data *req_pkt, krb5_kdc_req *request, |
240 | | krb5_const_principal altcprinc, krb5_pac subject_pac, |
241 | | krb5_enc_tkt_part *enc_tkt_request, |
242 | | krb5_data ***auth_indicators, |
243 | | krb5_enc_tkt_part *enc_tkt_reply); |
244 | | |
245 | | /* replay.c */ |
246 | | krb5_error_code kdc_init_lookaside(krb5_context context); |
247 | | krb5_boolean kdc_check_lookaside (krb5_context, krb5_data *, krb5_data **); |
248 | | void kdc_insert_lookaside (krb5_context, krb5_data *, krb5_data *); |
249 | | void kdc_remove_lookaside (krb5_context kcontext, krb5_data *); |
250 | | void kdc_free_lookaside(krb5_context); |
251 | | |
252 | | /* kdc_util.c */ |
253 | | void reset_for_hangup(void *); |
254 | | |
255 | | krb5_error_code |
256 | | get_verified_pac(krb5_context context, const krb5_enc_tkt_part *enc_tkt, |
257 | | krb5_const_principal sprinc, krb5_keyblock *server_key, |
258 | | krb5_db_entry *tgt, krb5_keyblock *tgt_key, |
259 | | krb5_pac *pac_out); |
260 | | |
261 | | krb5_error_code |
262 | | get_pac_princ_with_realm(krb5_context context, krb5_pac pac, |
263 | | krb5_principal *princ_out, |
264 | | krb5_timestamp *authtime_out); |
265 | | |
266 | | krb5_boolean |
267 | | include_pac_p(krb5_context context, krb5_kdc_req *request); |
268 | | |
269 | | krb5_error_code |
270 | | return_enc_padata(krb5_context context, |
271 | | krb5_data *req_pkt, krb5_kdc_req *request, |
272 | | krb5_keyblock *reply_key, |
273 | | krb5_db_entry *server, |
274 | | krb5_enc_kdc_rep_part *reply_encpart, |
275 | | krb5_boolean is_referral); |
276 | | |
277 | | krb5_error_code |
278 | | kdc_process_s4u2self_req(krb5_context context, krb5_kdc_req *request, |
279 | | const krb5_db_entry *server, |
280 | | krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, |
281 | | krb5_pa_s4u_x509_user **s4u2self_req, |
282 | | krb5_db_entry **princ_ptr, const char **status); |
283 | | |
284 | | krb5_error_code |
285 | | s4u2self_forwardable(krb5_context context, krb5_db_entry *server, |
286 | | krb5_flags *tktflags); |
287 | | |
288 | | krb5_error_code |
289 | | kdc_make_s4u2self_rep (krb5_context context, |
290 | | krb5_keyblock *tgs_subkey, |
291 | | krb5_keyblock *tgs_session, |
292 | | krb5_pa_s4u_x509_user *req_s4u_user, |
293 | | krb5_kdc_rep *reply, |
294 | | krb5_enc_kdc_rep_part *reply_encpart); |
295 | | |
296 | | krb5_error_code |
297 | | kdc_check_transited_list(krb5_context context, const krb5_data *trans, |
298 | | const krb5_data *realm1, const krb5_data *realm2); |
299 | | |
300 | | void |
301 | | kdc_get_ticket_endtime(kdc_realm_t *realm, krb5_timestamp now, |
302 | | krb5_timestamp endtime, krb5_timestamp till, |
303 | | krb5_db_entry *client, krb5_db_entry *server, |
304 | | krb5_timestamp *out_endtime); |
305 | | |
306 | | void |
307 | | kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request, |
308 | | krb5_enc_tkt_part *tgt, krb5_db_entry *client, |
309 | | krb5_db_entry *server, krb5_flags *tktflags, |
310 | | krb5_ticket_times *times); |
311 | | |
312 | | void |
313 | | log_as_req(krb5_context context, |
314 | | const krb5_fulladdr *local_addr, |
315 | | const krb5_fulladdr *remote_addr, |
316 | | krb5_kdc_req *request, krb5_kdc_rep *reply, |
317 | | krb5_db_entry *client, const char *cname, |
318 | | krb5_db_entry *server, const char *sname, |
319 | | krb5_timestamp authtime, |
320 | | const char *status, krb5_error_code errcode, const char *emsg); |
321 | | void |
322 | | log_tgs_req(krb5_context ctx, const krb5_fulladdr *from, |
323 | | krb5_kdc_req *request, krb5_kdc_rep *reply, |
324 | | krb5_principal cprinc, krb5_principal sprinc, |
325 | | krb5_principal altcprinc, |
326 | | krb5_timestamp authtime, |
327 | | unsigned int c_flags, |
328 | | const char *status, krb5_error_code errcode, const char *emsg); |
329 | | void |
330 | | log_tgs_badtrans(krb5_context ctx, krb5_principal cprinc, |
331 | | krb5_principal sprinc, krb5_data *trcont, |
332 | | krb5_error_code errcode); |
333 | | |
334 | | void |
335 | | log_tgs_alt_tgt(krb5_context context, krb5_principal p); |
336 | | |
337 | | krb5_boolean |
338 | | is_client_db_alias(krb5_context context, const krb5_db_entry *entry, |
339 | | krb5_const_principal princ); |
340 | | |
341 | | /* FAST*/ |
342 | | enum krb5_fast_kdc_flags { |
343 | | KRB5_FAST_REPLY_KEY_USED = 0x1, |
344 | | KRB5_FAST_REPLY_KEY_REPLACED = 0x02 |
345 | | }; |
346 | | |
347 | | /* |
348 | | * If *requestptr contains FX_FAST padata, compute the armor key, verify the |
349 | | * checksum over checksummed_data, decode the FAST request, and substitute |
350 | | * *requestptr with the inner request. Set the armor_key, cookie, and |
351 | | * fast_options fields in state. state->cookie will be set for a non-FAST |
352 | | * request if it contains FX_COOKIE padata. If inner_body_out is non-NULL, set |
353 | | * *inner_body_out to a copy of the encoded inner body, or to NULL if the |
354 | | * request is not a FAST request. |
355 | | */ |
356 | | krb5_error_code |
357 | | kdc_find_fast (krb5_kdc_req **requestptr, krb5_data *checksummed_data, |
358 | | krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, |
359 | | struct kdc_request_state *state, krb5_data **inner_body_out); |
360 | | |
361 | | krb5_error_code |
362 | | kdc_fast_response_handle_padata (struct kdc_request_state *state, |
363 | | krb5_kdc_req *request, |
364 | | krb5_kdc_rep *rep, |
365 | | krb5_enctype enctype); |
366 | | krb5_error_code |
367 | | kdc_fast_handle_error (krb5_context context, |
368 | | struct kdc_request_state *state, |
369 | | krb5_kdc_req *request, |
370 | | krb5_pa_data **in_padata, krb5_error *err, |
371 | | krb5_data **fast_edata_out); |
372 | | |
373 | | krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state, |
374 | | krb5_keyblock *existing_key, |
375 | | krb5_keyblock **out_key); |
376 | | |
377 | | |
378 | | krb5_boolean |
379 | | kdc_fast_hide_client(struct kdc_request_state *state); |
380 | | |
381 | | krb5_error_code |
382 | | kdc_handle_protected_negotiation( krb5_context context, |
383 | | krb5_data *req_pkt, krb5_kdc_req *request, |
384 | | const krb5_keyblock *reply_key, |
385 | | krb5_pa_data ***out_enc_padata); |
386 | | |
387 | | krb5_error_code |
388 | | kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state, |
389 | | krb5_kdc_req *req, krb5_db_entry *local_tgt, |
390 | | krb5_keyblock *local_tgt_key); |
391 | | |
392 | | krb5_boolean kdc_fast_search_cookie(struct kdc_request_state *state, |
393 | | krb5_preauthtype pa_type, krb5_data *out); |
394 | | |
395 | | krb5_error_code kdc_fast_set_cookie(struct kdc_request_state *state, |
396 | | krb5_preauthtype pa_type, |
397 | | const krb5_data *data); |
398 | | |
399 | | krb5_error_code |
400 | | kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state, |
401 | | krb5_db_entry *local_tgt, krb5_keyblock *local_tgt_key, |
402 | | krb5_const_principal client_princ, |
403 | | krb5_pa_data **cookie_out); |
404 | | |
405 | | krb5_error_code |
406 | | kdc_add_pa_pac_options(krb5_context context, krb5_kdc_req *request, |
407 | | krb5_pa_data ***out_enc_padata); |
408 | | |
409 | | krb5_error_code |
410 | | kdc_get_pa_pac_options(krb5_context context, krb5_pa_data **in_padata, |
411 | | krb5_pa_pac_options **pac_options_out); |
412 | | |
413 | | krb5_error_code |
414 | | kdc_get_pa_pac_rbcd(krb5_context context, krb5_pa_data **in_padata, |
415 | | krb5_boolean *supported); |
416 | | |
417 | | /* Information handle for kdcpreauth callbacks. All pointers are aliases. */ |
418 | | struct krb5_kdcpreauth_rock_st { |
419 | | krb5_kdc_req *request; |
420 | | krb5_data *inner_body; |
421 | | krb5_db_entry *client; |
422 | | krb5_db_entry *local_tgt; |
423 | | krb5_keyblock *local_tgt_key; |
424 | | krb5_key_data *client_key; |
425 | | krb5_keyblock *client_keyblock; |
426 | | struct kdc_request_state *rstate; |
427 | | verto_ctx *vctx; |
428 | | krb5_data ***auth_indicators; |
429 | | krb5_boolean send_freshness_token; |
430 | | krb5_boolean replaced_reply_key; |
431 | | }; |
432 | | |
433 | | #define isflagset(flagfield, flag) (flagfield & (flag)) |
434 | | #define setflag(flagfield, flag) (flagfield |= (flag)) |
435 | | #define clear(flagfield, flag) (flagfield &= ~(flag)) |
436 | | |
437 | | #ifndef min |
438 | | #define min(a, b) ((a) < (b) ? (a) : (b)) |
439 | | #define max(a, b) ((a) > (b) ? (a) : (b)) |
440 | | #endif |
441 | | |
442 | | #define ts_min(a, b) (ts_after(a, b) ? (b) : (a)) |
443 | | |
444 | | #define ADDRTYPE2FAMILY(X) \ |
445 | | ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1) |
446 | | |
447 | | /* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK |
448 | | * RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED */ |
449 | | #define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED |
450 | | /* TGS-REQ options where the service can be a non-TGS principal */ |
451 | | |
452 | | #define NON_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | \ |
453 | | KDC_OPT_VALIDATE) |
454 | | |
455 | | /* TGS-REQ options which are not compatible with referrals */ |
456 | | #define NO_REFERRAL_OPTION (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY) |
457 | | |
458 | | /* Options incompatible with AS and S4U2Self requests */ |
459 | | #define AS_INVALID_OPTIONS (NO_REFERRAL_OPTION | KDC_OPT_CNAME_IN_ADDL_TKT) |
460 | | |
461 | | /* |
462 | | * Mask of KDC options that request the corresponding ticket flag with |
463 | | * the same number. Some of these are invalid for AS-REQs, but |
464 | | * validate_as_request() takes care of that. KDC_OPT_RENEWABLE isn't |
465 | | * here because it needs special handling in |
466 | | * kdc_get_ticket_renewtime(). |
467 | | * |
468 | | * According to RFC 4120 section 3.1.3 the following AS-REQ options |
469 | | * request their corresponding ticket flags if local policy allows: |
470 | | * |
471 | | * KDC_OPT_FORWARDABLE KDC_OPT_ALLOW_POSTDATE |
472 | | * KDC_OPT_POSTDATED KDC_OPT_PROXIABLE |
473 | | * KDC_OPT_RENEWABLE |
474 | | * |
475 | | * RFC 1510 section A.6 shows pseudocode indicating that the following |
476 | | * TGS-REQ options request their corresponding ticket flags if local |
477 | | * policy allows: |
478 | | * |
479 | | * KDC_OPT_FORWARDABLE KDC_OPT_FORWARDED |
480 | | * KDC_OPT_PROXIABLE KDC_OPT_PROXY |
481 | | * KDC_OPT_POSTDATED KDC_OPT_RENEWABLE |
482 | | * |
483 | | * The above list omits KDC_OPT_ALLOW_POSTDATE, but RFC 4120 section |
484 | | * 5.4.1 says the TGS also handles it. |
485 | | * |
486 | | * RFC 6112 makes KDC_OPT_REQUEST_ANONYMOUS the same bit number as |
487 | | * TKT_FLG_ANONYMOUS. |
488 | | */ |
489 | | #define OPTS_COMMON_FLAGS_MASK \ |
490 | | (KDC_OPT_FORWARDABLE | KDC_OPT_FORWARDED | \ |
491 | | KDC_OPT_PROXIABLE | KDC_OPT_PROXY | \ |
492 | | KDC_OPT_ALLOW_POSTDATE | KDC_OPT_POSTDATED | \ |
493 | | KDC_OPT_REQUEST_ANONYMOUS) |
494 | | |
495 | | /* Copy KDC options that request the corresponding ticket flags. */ |
496 | | #define OPTS2FLAGS(x) (x & OPTS_COMMON_FLAGS_MASK) |
497 | | |
498 | | /* |
499 | | * Mask of ticket flags for the TGS to propagate from a ticket to a |
500 | | * derivative ticket. |
501 | | * |
502 | | * RFC 4120 section 2.1 says the following flags are carried forward |
503 | | * from an initial ticket to derivative tickets: |
504 | | * |
505 | | * TKT_FLG_PRE_AUTH |
506 | | * TKT_FLG_HW_AUTH |
507 | | * |
508 | | * RFC 4120 section 2.6 says TKT_FLG_FORWARDED is carried forward to |
509 | | * derivative tickets. Proxy tickets are basically identical to |
510 | | * forwarded tickets except that a TGT may never be proxied, therefore |
511 | | * tickets derived from proxy tickets should have TKT_FLAG_PROXY set. |
512 | | * RFC 4120 and RFC 1510 apparently have an accidental omission in not |
513 | | * requiring that tickets derived from a proxy ticket have |
514 | | * TKT_FLG_PROXY set. Previous code also omitted this behavior. |
515 | | * |
516 | | * RFC 6112 section 4.2 implies that TKT_FLG_ANONYMOUS must be |
517 | | * propagated from an anonymous ticket to derivative tickets. |
518 | | */ |
519 | | #define TGS_COPIED_FLAGS_MASK \ |
520 | | (TKT_FLG_FORWARDED | TKT_FLG_PROXY | \ |
521 | | TKT_FLG_PRE_AUTH | TKT_FLG_HW_AUTH | \ |
522 | | TKT_FLG_ANONYMOUS) |
523 | | |
524 | | /* Copy appropriate header ticket flags to new ticket. */ |
525 | | #define COPY_TKT_FLAGS(x) (x & TGS_COPIED_FLAGS_MASK) |
526 | | |
527 | | int check_anon(kdc_realm_t *realm, krb5_principal client, |
528 | | krb5_principal server); |
529 | | int errcode_to_protocol(krb5_error_code code); |
530 | | |
531 | | char *data2string(krb5_data *d); |
532 | | |
533 | | /* Return the current key version of entry, or 0 if it has no keys. */ |
534 | | static inline krb5_kvno |
535 | | current_kvno(krb5_db_entry *entry) |
536 | 0 | { |
537 | 0 | return (entry->n_key_data == 0) ? 0 : entry->key_data[0].key_data_kvno; |
538 | 0 | } |
539 | | |
540 | | /* MS-PAC section 2.9 */ |
541 | | struct pac_s4u_delegation_info { |
542 | | char *proxy_target; |
543 | | uint32_t transited_services_length; |
544 | | char **transited_services; |
545 | | }; |
546 | | |
547 | | /* Leaves room for one additional service. */ |
548 | | krb5_error_code |
549 | | ndr_dec_delegation_info(krb5_data *data, |
550 | | struct pac_s4u_delegation_info **res); |
551 | | |
552 | | krb5_error_code |
553 | | ndr_enc_delegation_info(struct pac_s4u_delegation_info *in, |
554 | | krb5_data *out); |
555 | | |
556 | | void ndr_free_delegation_info(struct pac_s4u_delegation_info *in); |
557 | | |
558 | | #endif /* __KRB5_KDC_UTIL__ */ |