6 * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
8 * For copying and distribution information, please see the file
11 * Include file for the Kerberos library.
14 /* Only one time, please */
18 #include <mit-copyright.h>
20 /* Need some defs from des.h */
23 /* Text describing error codes */
24 #define MAX_KRB_ERRORS 256
25 extern char *krb_err_txt[MAX_KRB_ERRORS];
28 * These are not defined for at least SunOS 3.3, Ultrix 2.2, and A/UX 2.0
30 #if defined(ULTRIX022) || (defined(SunOS) && SunOS < 40) || defined(_AUX_SOURCE)
/* Minimal fallbacks for systems that lack the FD_* select() macros.  They
 * touch only fds_bits[0], so a descriptor number must be smaller than the
 * bit width of that word; `1 << (n)` is also undefined behaviour once n
 * reaches the width of int, so callers must bound n before using these. */
31 #define FD_ZERO(p) ((p)->fds_bits[0] = 0)
32 #define FD_SET(n, p) ((p)->fds_bits[0] |= (1 << (n)))
33 #define FD_ISSET(n, p) ((p)->fds_bits[0] & (1 << (n)))
36 /* General definitions */
41 typedef unsigned short uid_t;
42 typedef unsigned short gid_t;
43 #endif /* NO_UIDGID_T */
46 * Kerberos specific definitions
48 * KRBLOG is the log file for the kerberos master server. KRB_CONF is
49 * the configuration file where different host machines running master
50 * and slave servers can be found. KRB_MASTER is the name of the
51 * machine with the master database. The admin_server runs on this
52 * machine, and all changes to the db (as opposed to read-only
53 * requests, which can go to slaves) must go to it. KRB_HOST is the
54 * default machine when looking for a kerberos slave server. Other
55 * possibilities are in the KRB_CONF file. KRB_REALM is the name of
60 this is server - only, does not belong here;
61 #define KRBLOG "/kerberos/kerberos.log"
62 are these used anyplace '?';
63 #define VX_KRB_HSTFILE "/etc/krbhst"
64 #define PC_KRB_HSTFILE "\\kerberos\\krbhst"
67 #define KRB_CONF "/etc/athena/krb.conf"
68 #define KRB_RLM_TRANS "/etc/athena/krb.realms"
69 #define KRB_MASTER "kerberos"
70 #define KRB_HOST KRB_MASTER
71 #define KRB_REALM "ATHENA.MIT.EDU"
73 /* The maximum sizes for aname, realm, sname, and instance +1 */
78 /* include space for '.' and '@' */
79 #define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2)
83 #define DATE_SZ 26 /* RTI date output */
87 #ifndef DEFAULT_TKT_LIFE /* allow compile-time override */
88 #define DEFAULT_TKT_LIFE 120 /* default lifetime 10 hrs */
91 /* Definition of text structure used to pass text around */
92 #define MAX_KTXT_LEN 1250
95 int length; /* Length of the text */
96 unsigned char dat[MAX_KTXT_LEN]; /* The data itself */
97 unsigned long mbz; /* zero to catch runaway strings */
100 typedef struct ktext *KTEXT;
101 typedef struct ktext KTEXT_ST;
104 /* Definitions for send_to_kdc */
105 #define CLIENT_KRB_TIMEOUT 4 /* time between retries */
106 #define CLIENT_KRB_RETRY 5 /* retry this many times */
107 #define CLIENT_KRB_BUFLEN 512 /* max unfragmented packet */
109 /* Definitions for ticket file utilities */
113 /* Definitions for cl_get_tgt */
114 #ifndef CL_GTGT_INIT_FILE
116 #define CL_GTGT_INIT_FILE "\\kerberos\\k_in_tkts"
118 #define CL_GTGT_INIT_FILE "/etc/athena/k_in_tkts"
120 #endif /* CL_GTGT_INIT_FILE */
122 /* Parameters for rd_ap_req */
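/* Maximum allowable clock skew in seconds.  Parenthesized so the expansion
 * stays a single operand in expressions such as `delta / CLOCK_SKEW`. */
#define CLOCK_SKEW (5*60)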
125 /* Filename for readservkey */
126 #define KEYFILE "/etc/athena/srvtab"
128 /* Structure definition for rd_ap_req */
131 unsigned char k_flags; /* Flags from ticket */
132 char pname[ANAME_SZ]; /* Principal's name */
133 char pinst[INST_SZ]; /* His Instance */
134 char prealm[REALM_SZ]; /* His Realm */
135 unsigned long checksum; /* Data checksum (opt) */
136 C_Block session; /* Session Key */
137 int life; /* Life of ticket */
138 unsigned long time_sec; /* Time ticket issued */
139 unsigned long address; /* Address in ticket */
140 KTEXT_ST reply; /* Auth reply (opt) */
143 typedef struct auth_dat AUTH_DAT;
145 /* Structure definition for credentials returned by get_cred */
148 char service[ANAME_SZ]; /* Service name */
149 char instance[INST_SZ]; /* Instance */
150 char realm[REALM_SZ]; /* Auth domain */
151 C_Block session; /* Session key */
152 int lifetime; /* Lifetime */
153 int kvno; /* Key version number */
154 KTEXT_ST ticket_st; /* The ticket itself */
155 long issue_date; /* The issue time */
156 char pname[ANAME_SZ]; /* Principal's name */
157 char pinst[INST_SZ]; /* Principal's instance */
160 typedef struct credentials CREDENTIALS;
162 /* Structure definition for rd_private_msg and rd_safe_msg */
165 unsigned char *app_data; /* pointer to appl data */
166 unsigned long app_length; /* length of appl data */
167 unsigned long hash; /* hash to lookup replay */
168 int swap; /* swap bytes? */
169 long time_sec; /* msg timestamp seconds */
170 unsigned char time_5ms; /* msg timestamp 5ms units */
173 typedef struct msg_dat MSG_DAT;
176 /* Location of ticket file for save_cred and get_cred */
178 #define TKT_FILE "\\kerberos\\ticket.ses"
180 #define TKT_FILE tkt_string()
181 #define TKT_ROOT "/tmp/tkt"
184 /* Error codes returned from the KDC */
185 #define KDC_OK 0 /* Request OK */
186 #define KDC_NAME_EXP 1 /* Principal expired */
187 #define KDC_SERVICE_EXP 2 /* Service expired */
188 #define KDC_AUTH_EXP 3 /* Auth expired */
189 #define KDC_PKT_VER 4 /* Protocol version unknown */
190 #define KDC_P_MKEY_VER 5 /* Wrong master key version */
191 #define KDC_S_MKEY_VER 6 /* Wrong master key version */
192 #define KDC_BYTE_ORDER 7 /* Byte order unknown */
193 #define KDC_PR_UNKNOWN 8 /* Principal unknown */
194 #define KDC_PR_N_UNIQUE 9 /* Principal not unique */
195 #define KDC_NULL_KEY 10 /* Principal has null key */
196 #define KDC_GEN_ERR 20 /* Generic error from KDC */
199 /* Values returned by get_credentials */
200 #define GC_OK 0 /* Retrieve OK */
201 #define RET_OK 0 /* Retrieve OK */
202 #define GC_TKFIL 21 /* Can't read ticket file */
203 #define RET_TKFIL 21 /* Can't read ticket file */
204 #define GC_NOTKT 22 /* Can't find ticket or TGT */
205 #define RET_NOTKT 22 /* Can't find ticket or TGT */
208 /* Values returned by mk_ap_req */
209 #define MK_AP_OK 0 /* Success */
210 #define MK_AP_TGTEXP 26 /* TGT Expired */
212 /* Values returned by rd_ap_req */
213 #define RD_AP_OK 0 /* Request authentic */
214 #define RD_AP_UNDEC 31 /* Can't decode authenticator */
215 #define RD_AP_EXP 32 /* Ticket expired */
216 #define RD_AP_NYV 33 /* Ticket not yet valid */
217 #define RD_AP_REPEAT 34 /* Repeated request */
218 #define RD_AP_NOT_US 35 /* The ticket isn't for us */
219 #define RD_AP_INCON 36 /* Request is inconsistent */
220 #define RD_AP_TIME 37 /* delta_t too big */
221 #define RD_AP_BADD 38 /* Incorrect net address */
222 #define RD_AP_VERSION 39 /* protocol version mismatch */
223 #define RD_AP_MSG_TYPE 40 /* invalid msg type */
224 #define RD_AP_MODIFIED 41 /* message stream modified */
225 #define RD_AP_ORDER 42 /* message out of order */
226 #define RD_AP_UNAUTHOR 43 /* unauthorized request */
228 /* Values returned by get_pw_tkt */
229 #define GT_PW_OK 0 /* Got password changing tkt */
230 #define GT_PW_NULL 51 /* Current PW is null */
231 #define GT_PW_BADPW 52 /* Incorrect current password */
232 #define GT_PW_PROT 53 /* Protocol Error */
233 #define GT_PW_KDCERR 54 /* Error returned by KDC */
234 #define GT_PW_NULLTKT 55 /* Null tkt returned by KDC */
237 /* Values returned by send_to_kdc */
238 #define SKDC_OK 0 /* Response received */
239 #define SKDC_RETRY 56 /* Retry count exceeded */
240 #define SKDC_CANT 57 /* Can't send request */
243 * Values returned by get_intkt
244 * (can also return SKDC_* and KDC errors)
247 #define INTK_OK 0 /* Ticket obtained */
248 #define INTK_W_NOTALL 61 /* Not ALL tickets returned */
249 #define INTK_BADPW 62 /* Incorrect password */
250 #define INTK_PROT 63 /* Protocol Error */
251 #define INTK_ERR 70 /* Other error */
253 /* Values returned by get_adtkt */
254 #define AD_OK 0 /* Ticket Obtained */
255 #define AD_NOTGT 71 /* Don't have tgt */
257 /* Error codes returned by ticket file utilities */
258 #define NO_TKT_FIL 76 /* No ticket file found */
259 #define TKT_FIL_ACC 77 /* Couldn't access tkt file */
260 #define TKT_FIL_LCK 78 /* Couldn't lock ticket file */
261 #define TKT_FIL_FMT 79 /* Bad ticket file format */
262 #define TKT_FIL_INI 80 /* tf_init not called first */
264 /* Error code returned by kparse_name */
265 #define KNAME_FMT 81 /* Bad Kerberos name format */
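/* Error code returned by krb_mk_safe when a system call fails.  Parenthesized
 * so the negative literal behaves as one operand wherever it is expanded. */
#define SAFE_PRIV_ERROR (-1)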
271 * macros for byte swapping; also scratch space
272 * u_quad 0-->7, 1-->6, 2-->5, 3-->4, 4-->3, 5-->2, 6-->1, 7-->0
273 * u_long 0-->3, 1-->2, 2-->1, 3-->0
274 * u_short 0-->1, 1-->0
277 #define swap_u_16(x) {\
278 unsigned long _krb_swap_tmp[4];\
279 swab(((char *) x) +0, ((char *) _krb_swap_tmp) +14 ,2); \
280 swab(((char *) x) +2, ((char *) _krb_swap_tmp) +12 ,2); \
281 swab(((char *) x) +4, ((char *) _krb_swap_tmp) +10 ,2); \
282 swab(((char *) x) +6, ((char *) _krb_swap_tmp) +8 ,2); \
283 swab(((char *) x) +8, ((char *) _krb_swap_tmp) +6 ,2); \
284 swab(((char *) x) +10,((char *) _krb_swap_tmp) +4 ,2); \
285 swab(((char *) x) +12,((char *) _krb_swap_tmp) +2 ,2); \
286 swab(((char *) x) +14,((char *) _krb_swap_tmp) +0 ,2); \
287 bcopy((char *)_krb_swap_tmp,(char *)x,16);\
290 #define swap_u_12(x) {\
291 unsigned long _krb_swap_tmp[4];\
292 swab(( char *) x, ((char *) _krb_swap_tmp) +10 ,2); \
293 swab(((char *) x) +2, ((char *) _krb_swap_tmp) +8 ,2); \
294 swab(((char *) x) +4, ((char *) _krb_swap_tmp) +6 ,2); \
295 swab(((char *) x) +6, ((char *) _krb_swap_tmp) +4 ,2); \
296 swab(((char *) x) +8, ((char *) _krb_swap_tmp) +2 ,2); \
297 swab(((char *) x) +10,((char *) _krb_swap_tmp) +0 ,2); \
298 bcopy((char *)_krb_swap_tmp,(char *)x,12);\
301 #define swap_C_Block(x) {\
302 unsigned long _krb_swap_tmp[4];\
303 swab(( char *) x, ((char *) _krb_swap_tmp) +6 ,2); \
304 swab(((char *) x) +2,((char *) _krb_swap_tmp) +4 ,2); \
305 swab(((char *) x) +4,((char *) _krb_swap_tmp) +2 ,2); \
306 swab(((char *) x) +6,((char *) _krb_swap_tmp) ,2); \
307 bcopy((char *)_krb_swap_tmp,(char *)x,8);\
309 #define swap_u_quad(x) {\
310 unsigned long _krb_swap_tmp[4];\
311 swab(( char *) &x, ((char *) _krb_swap_tmp) +6 ,2); \
312 swab(((char *) &x) +2,((char *) _krb_swap_tmp) +4 ,2); \
313 swab(((char *) &x) +4,((char *) _krb_swap_tmp) +2 ,2); \
314 swab(((char *) &x) +6,((char *) _krb_swap_tmp) ,2); \
315 bcopy((char *)_krb_swap_tmp,(char *)&x,8);\
318 #define swap_u_long(x) {\
319 unsigned long _krb_swap_tmp[4];\
320 swab((char *) &x, ((char *) _krb_swap_tmp) +2 ,2); \
321 swab(((char *) &x) +2,((char *) _krb_swap_tmp),2); \
322 x = _krb_swap_tmp[0]; \
325 #define swap_u_short(x) {\
326 unsigned short _krb_swap_sh_tmp; \
327 swab((char *) &x, ( &_krb_swap_sh_tmp) ,2); \
328 x = (unsigned short) _krb_swap_sh_tmp; \
331 /* Kerberos ticket flag field bit definitions */
332 #define K_FLAG_ORDER 0 /* bit 0 --> lsb */
333 #define K_FLAG_1 /* reserved */
334 #define K_FLAG_2 /* reserved */
335 #define K_FLAG_3 /* reserved */
336 #define K_FLAG_4 /* reserved */
337 #define K_FLAG_5 /* reserved */
338 #define K_FLAG_6 /* reserved */
339 #define K_FLAG_7 /* reserved, bit 7 --> msb */
346 #define krb_mk_req mk_ap_req
347 #define krb_rd_req rd_ap_req
348 #define krb_kntoln an_to_ln
349 #define krb_set_key set_serv_key
350 #define krb_get_cred get_credentials
351 #define krb_mk_priv mk_private_msg
352 #define krb_rd_priv rd_private_msg
353 #define krb_mk_safe mk_safe_msg
354 #define krb_rd_safe rd_safe_msg
355 #define krb_mk_err mk_appl_err_msg
356 #define krb_rd_err rd_appl_err_msg
357 #define krb_ck_repl check_replay
358 #define krb_get_pw_in_tkt get_in_tkt
359 #define krb_get_svc_in_tkt get_svc_in_tkt
360 #define krb_get_pw_tkt get_pw_tkt
361 #define krb_realmofhost krb_getrealm
362 #define krb_get_phost get_phost
363 #define krb_get_krbhst get_krbhst
364 #define krb_get_lrealm get_krbrlm
365 #endif /* OLDNAMES */
367 /* Defines for krb_sendauth and krb_recvauth */
369 #define KOPT_DONT_MK_REQ 0x00000001 /* don't call krb_mk_req */
370 #define KOPT_DO_MUTUAL 0x00000002 /* do mutual auth */
372 #define KOPT_DONT_CANON 0x00000004 /*
373 * don't canonicalize inst as
377 #define KRB_SENDAUTH_VLEN 8 /* length for version strings */
380 #define KOPT_DO_OLDSTYLE 0x00000008 /* use the old-style protocol */
381 #endif /* ATHENA_COMPAT */
383 #endif /* KRB_DEFS */