2N/A/*
2N/A * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A/*
2N/A * COPYRIGHT (C) 2006,2007
2N/A * THE REGENTS OF THE UNIVERSITY OF MICHIGAN
2N/A * ALL RIGHTS RESERVED
2N/A *
2N/A * Permission is granted to use, copy, create derivative works
2N/A * and redistribute this software and such derivative works
2N/A * for any purpose, so long as the name of The University of
2N/A * Michigan is not used in any advertising or publicity
2N/A * pertaining to the use of distribution of this software
2N/A * without specific, written prior authorization. If the
2N/A * above copyright notice or any other identification of the
2N/A * University of Michigan is included in any copy of any
2N/A * portion of this software, then the disclaimer below must
2N/A * also be included.
2N/A *
2N/A * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
2N/A * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
2N/A * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
2N/A * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
2N/A * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
2N/A * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
2N/A * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
2N/A * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
2N/A * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
2N/A * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
2N/A * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
2N/A * SUCH DAMAGES.
2N/A */
2N/A
2N/A/*
2N/A * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A
2N/A#ifndef _PKINIT_H
2N/A#define _PKINIT_H
2N/A
2N/A/* Solaris Kerberos */
2N/A#include <krb5.h>
2N/A#include <preauth_plugin.h>
2N/A#include <k5-int-pkinit.h>
2N/A#include <profile.h>
2N/A#include "pkinit_accessor.h"
2N/A
2N/A/*
2N/A * It is anticipated that all the special checks currently
2N/A * required when talking to a Longhorn server will go away
2N/A * by the time it is officially released and all references
2N/A * to the longhorn global can be removed and any code
2N/A * #ifdef'd with LONGHORN_BETA_COMPAT can be removed.
2N/A * And this #define!
2N/A */
#define LONGHORN_BETA_COMPAT 1
#ifdef LONGHORN_BETA_COMPAT
/*
 * Process-wide, mutable compatibility flag: non-zero when the peer is a
 * Longhorn server.  Because it is a single global rather than a field of
 * the request context, it is shared by every context in the process;
 * presumably set from the "pkinit_longhorn" profile option
 * (KRB5_CONF_PKINIT_LONGHORN below) -- verify in pkinit_*.c.
 */
extern int longhorn; /* XXX Talking to a Longhorn server? */
#endif
2N/A
2N/A
2N/A#ifndef WITHOUT_PKCS11
2N/A/* Solaris Kerberos */
2N/A#include <security/cryptoki.h>
2N/A#include <security/pkcs11.h>
2N/A
/* Solaris Kerberos */
/*
 * PKCS#11 provider loaded when none is configured.  An absolute path is
 * deliberate: a bare library name resolved through the loader search path
 * would let an attacker-controlled library stand in for the token that
 * holds the signing key.  pkinit_identity_opts.p11_module_name (below)
 * presumably overrides it -- verify in pkinit_identity.c.
 */
#define PKCS11_MODNAME "/usr/lib/libpkcs11.so"

/* Initial buffer-size guess for a signature; presumably the real length is
 * taken from the token afterwards -- verify the C_Sign caller. */
#define PK_SIGLEN_GUESS 1000
/* Sentinel for "no slot chosen" in pkinit_identity_opts.slotid (a
 * CK_SLOT_ID); slot 0 is a valid slot, so compare against this, not 0. */
#define PK_NOSLOT 999999
2N/A#endif
2N/A
/* Values for pkinit_plg_opts / pkinit_req_opts .dh_or_rsa: which PKINIT
 * mode the client asks for.  NOTE(review): only the DH mode gives the reply
 * key forward secrecy; in RSA mode the reply key is encrypted to the client
 * certificate, so a later key compromise exposes past sessions. */
#define DH_PROTOCOL 1
#define RSA_PROTOCOL 2

/* Typed-data types carried in a KDC error reply (the TD-* values RFC 4556
 * assigns): the CAs the KDC trusts, the client certificates it rejected, and
 * the DH parameters it is willing to accept. */
#define TD_TRUSTED_CERTIFIERS 104
#define TD_INVALID_CERTIFICATES 105
#define TD_DH_PARAMETERS 109

/* Sanity markers stored in the `int magic` field of the context structs
 * below.  NOTE(review): 0xdeadbeef does not fit in int -- the store is an
 * implementation-defined conversion (two's-complement wrap in practice) and
 * an `== PKINIT_REQ_CTX_MAGIC` comparison promotes the field back to
 * unsigned, so the check works on real compilers but is not portable C. */
#define PKINIT_CTX_MAGIC 0x05551212
#define PKINIT_REQ_CTX_MAGIC 0xdeadbeef

/* Default for pkinit_plg_opts.dh_min_bits ("pkinit_dh_min_bits"): smallest
 * DH modulus the plugin accepts.  Lowering it in the profile weakens every
 * PKINIT exchange of the realm; raise, never lower, without a reason. */
#define PKINIT_DEFAULT_DH_MIN_BITS 2048
2N/A
/*
 * Profile section and option names looked up by pkinit_profile.c; the
 * KRB5_CONF_PKINIT_* values feed pkinit_plg_opts / pkinit_req_opts /
 * pkinit_identity_opts below.  These literals are the keys administrators
 * write in krb5.conf / kdc.conf, i.e. part of the configuration interface:
 * renaming one silently drops the option back to its default.  The field
 * each key presumably maps to is noted; verify against pkinit_profile.c.
 *
 * Security-relevant knobs: pkinit_allow_upn, pkinit_anchors,
 * pkinit_dh_min_bits, pkinit_eku_checking, pkinit_kdc_hostname,
 * pkinit_require_crl_checking and pkinit_revoke all decide which
 * certificates (or DH groups) count as proof of identity.
 */
#define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
#define KRB5_CONF_LIBDEFAULTS "libdefaults"
#define KRB5_CONF_REALMS "realms"
#define KRB5_CONF_PKINIT_ALLOW_UPN "pkinit_allow_upn"                 /* -> allow_upn */
#define KRB5_CONF_PKINIT_ANCHORS "pkinit_anchors"                     /* -> identity_opts.anchors */
#define KRB5_CONF_PKINIT_CERT_MATCH "pkinit_cert_match"               /* -> pkinit_cert_matching() rules */
#define KRB5_CONF_PKINIT_DH_MIN_BITS "pkinit_dh_min_bits"             /* -> dh_min_bits */
#define KRB5_CONF_PKINIT_EKU_CHECKING "pkinit_eku_checking"           /* -> require_eku / accept_secondary_eku */
#define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities"               /* -> identity_opts.identity_alt */
#define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity"                   /* -> identity_opts.identity */
#define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname"           /* -> require_hostname_match */
#define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp"                   /* -> identity_opts.ocsp */
#define KRB5_CONF_PKINIT_LONGHORN "pkinit_longhorn"                   /* -> global `longhorn` */
#define KRB5_CONF_PKINIT_MAPPING_FILE "pkinit_mapping_file"           /* -> identity_opts.dn_mapping_file */
#define KRB5_CONF_PKINIT_POOL "pkinit_pool"                           /* -> identity_opts.intermediates */
#define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking" /* -> require_crl_checking */
#define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke"                       /* -> identity_opts.crls */
#define KRB5_CONF_PKINIT_WIN2K "pkinit_win2k"                         /* -> win2k_target */
#define KRB5_CONF_PKINIT_WIN2K_REQUIRE_BINDING "pkinit_win2k_require_binding" /* -> win2k_require_cksum */
2N/A
/* Make pkiDebug(fmt,...) print, or not. */
/*
 * NOTE(review): with DEBUG defined, pkiDebug is plain printf to stdout.
 * Debug builds therefore write protocol data -- and whatever callers choose
 * to dump, presumably including key material via the print_buffer*()
 * helpers declared below -- to the process's stdout; never ship a DEBUG
 * build.  The format string is whatever the caller passes, so callers must
 * not hand untrusted text in as fmt (format-string hazard in DEBUG builds).
 */
#ifdef DEBUG
#define pkiDebug printf
#else
/* Still evaluates for side effects. */
/* No-op stand-in for non-DEBUG builds.  Being a real function rather than an
 * empty macro, its arguments are still evaluated, so an expression with side
 * effects inside a pkiDebug() call behaves the same in both builds. */
static inline void pkiDebug (const char *fmt, ...) { }
/* This is better if the compiler doesn't inline variadic functions
 well, but gcc will warn about "left-hand operand of comma
 expression has no effect". Still evaluates for side effects. */
/* #define pkiDebug (void) */
#endif

/* Solaris compiler doesn't grok __FUNCTION__
 * hack for now. Fix all the uses eventually. */
/* NOTE(review): names starting with "__" belong to the implementation; this
 * works only because GCC treats __FUNCTION__ as a built-in identifier, not
 * a macro.  Migrating callers to C99 __func__ removes the hack. */
#define __FUNCTION__ __func__
2N/A
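/*
 * Macros to deal with converting between various data types...
 *
 * Both alias the source buffer into the krb5_data -- no copy is made, so the
 * krb5_data is valid only as long as the source object lives.  Each expands
 * to a single (comma) expression and is used like a function call,
 * `MACRO(src, dst);`, so it behaves as ONE statement under an unbraced
 * `if`/`else`/loop body.  The previous two-statement form left the second
 * assignment unconditional, i.e. `if (p) PADATA_TO_KRB5DATA(p, d);` still
 * dereferenced p when the test failed.
 */
#define PADATA_TO_KRB5DATA(pad, k5d) \
    ((k5d)->length = (pad)->length, (k5d)->data = (char *)(pad)->contents)
#define OCTETDATA_TO_KRB5DATA(octd, k5d) \
    ((k5d)->length = (octd)->length, (k5d)->data = (char *)(octd)->data)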
2N/A
2N/Aextern const krb5_octet_data dh_oid;
2N/A
2N/A/*
2N/A * notes about crypto contexts:
2N/A *
2N/A * the basic idea is that there are crypto contexts that live at
2N/A * both the plugin level and request level. the identity context (that
2N/A * keeps info about your own certs and such) is separate because
 * it is needed at different levels for the kdc and the client.
2N/A * (the kdc's identity is at the plugin level, the client's identity
2N/A * information could change per-request.)
2N/A * the identity context is meant to have the entity's cert,
2N/A * a list of trusted and intermediate cas, a list of crls, and any
2N/A * pkcs11 information. the req context is meant to have the
2N/A * received certificate and the DH related information. the plugin
2N/A * context is meant to have global crypto information, i.e., OIDs
2N/A * and constant DH parameter information.
2N/A */
2N/A
/*
 * plugin crypto context should keep plugin common information,
 * eg., OIDs, known DHparams
 *
 * Opaque handle: the struct is presumably defined by the crypto backend
 * (declarations come from pkinit_crypto.h, included at the end of this
 * header), so code here only passes the pointer around.  Lives as long as
 * the plugin context that owns it.
 */
typedef struct _pkinit_plg_crypto_context *pkinit_plg_crypto_context;

/*
 * request crypto context should keep request common information,
 * eg., received credentials, DH parameters of this request
 *
 * Opaque handle, one per exchange.  Holds the peer's *received*
 * certificate, i.e. untrusted input until chain validation and
 * pkinit_cert_matching have accepted it -- treat its contents accordingly.
 */
typedef struct _pkinit_req_crypto_context *pkinit_req_crypto_context;

/*
 * identity context should keep information about credentials
 * for the request, eg., my credentials, trusted ca certs,
 * intermediate ca certs, crls, pkcs11 info
 *
 * Opaque handle for our own key material plus the trust store.  It is kept
 * apart from the plugin context because on the client it can change per
 * request (see the notes above), while the KDC keeps one per realm.
 */
typedef struct _pkinit_identity_crypto_context *pkinit_identity_crypto_context;
2N/A
/*
 * this structure keeps information about the config options
 *
 * Plugin-wide policy switches (per realm on the KDC), filled from the
 * profile keys named by the KRB5_CONF_PKINIT_* strings above; defaults are
 * presumably set in pkinit_init_plg_opts().  Every field is a security knob:
 * loosening require_eku, accept_secondary_eku, allow_upn or
 * require_crl_checking, or lowering dh_min_bits, widens which certificates
 * (or DH groups) are accepted as proof of identity.
 */
typedef struct _pkinit_plg_opts {
    int require_eku;         /* require EKU checking (default is true) */
    int accept_secondary_eku;/* accept secondary EKU (default is false) */
    int allow_upn;           /* allow UPN-SAN instead of pkinit-SAN */
    int dh_or_rsa;           /* selects DH or RSA based pkinit (DH_PROTOCOL / RSA_PROTOCOL) */
    int require_crl_checking;/* require CRL for a CA (default is false) */
    int dh_min_bits;         /* minimum DH modulus size allowed (default PKINIT_DEFAULT_DH_MIN_BITS) */
} pkinit_plg_opts;
2N/A
/*
 * this structure keeps options used for a given request
 *
 * Per-request copy of the policy switches.  The first five fields mirror
 * pkinit_plg_opts and presumably start from the plugin-wide values; the
 * remaining ones are client-side only.  As with pkinit_plg_opts, each is a
 * security knob.  The profile key each field presumably comes from is noted;
 * verify against pkinit_profile.c.
 */
typedef struct _pkinit_req_opts {
    int require_eku;
    int accept_secondary_eku;
    int allow_upn;
    int dh_or_rsa;
    int require_crl_checking;
    int dh_size; /* initial request DH modulus size (default=1024) */
    /* NOTE(review): the 1024 quoted above is below PKINIT_DEFAULT_DH_MIN_BITS
     * (2048); confirm the real default in pkinit_init_req_opts().  A first
     * offer under the KDC's floor would presumably be refused and cost a
     * TD_DH_PARAMETERS round trip. */
    int require_hostname_match; /* "pkinit_kdc_hostname": KDC cert must name the host contacted */
    int win2k_target;           /* "pkinit_win2k" */
    int win2k_require_cksum;    /* "pkinit_win2k_require_binding" */
} pkinit_req_opts;
2N/A
/*
 * information about identity from config file or command line
 *
 * Where our own credentials and trust store come from, before any crypto
 * object is loaded; pkinit_identity_initialize() turns this into a
 * pkinit_identity_crypto_context.  The strings are owned by the struct:
 * allocated by pkinit_init_identity_opts / pkinit_dup_identity_opts and
 * released by pkinit_fini_identity_opts -- verify in pkinit_lib.c.  The
 * profile key each field presumably maps to is noted (see the
 * KRB5_CONF_PKINIT_* strings); verify against pkinit_profile.c.
 */

typedef struct _pkinit_identity_opts {
    char *identity;        /* "pkinit_identity" */
    char **identity_alt;   /* "pkinit_identities"; presumably NULL-terminated */
    char **anchors;        /* "pkinit_anchors": the CAs allowed to vouch for the peer */
    char **intermediates;  /* "pkinit_pool" */
    char **crls;           /* "pkinit_revoke"; see require_crl_checking */
    char *ocsp;            /* "pkinit_kdc_ocsp" */
    char *dn_mapping_file; /* "pkinit_mapping_file" */
    int idtype;            /* how `identity` was classified; names via idtype2string() */
    char *cert_filename;
    char *key_filename;
#ifndef WITHOUT_PKCS11
    char *p11_module_name; /* PKCS#11 provider; presumably PKCS11_MODNAME when unset */
    CK_SLOT_ID slotid;     /* presumably PK_NOSLOT when unspecified */
    char *token_label;
    char *cert_id_string;
    char *cert_label;
    char *PIN; /* Solaris Kerberos */
    /* NOTE(review): this is a secret held in a plain heap string.  It is
     * presumably duplicated by pkinit_dup_identity_opts, so there may be
     * several live copies; pkinit_fini_identity_opts must scrub it (not just
     * free() it) -- confirm -- and it must never be passed to pkiDebug. */
#endif
} pkinit_identity_opts;
2N/A
2N/A
/*
 * Client's plugin context
 *
 * Process-wide state for the client side.  `magic` is the first field so a
 * stray pointer can be rejected before anything else is dereferenced;
 * presumably holds PKINIT_CTX_MAGIC.  opts and idopts are owned here and
 * presumably released with pkinit_fini_plg_opts / pkinit_fini_identity_opts
 * -- verify.
 */
struct _pkinit_context {
    int magic;
    pkinit_plg_crypto_context cryptoctx;
    pkinit_plg_opts *opts;
    pkinit_identity_opts *idopts;
};
typedef struct _pkinit_context *pkinit_context;
2N/A
/*
 * Client's per-request context
 *
 * State for one AS exchange.  Unlike the KDC, the client carries its
 * identity (idctx/idopts) here rather than in the plugin context, because
 * it can differ per request (see the crypto-context notes above).  `magic`
 * presumably holds PKINIT_REQ_CTX_MAGIC.  pa_type records which PA-PK
 * preauth type this request uses; presumably it selects between the RFC
 * 4556 and _draft9 encodings declared below -- verify.
 */
struct _pkinit_req_context {
    int magic;
    pkinit_req_crypto_context cryptoctx;
    pkinit_req_opts *opts;
    pkinit_identity_crypto_context idctx;
    pkinit_identity_opts *idopts;
    krb5_preauthtype pa_type;
};
typedef struct _pkinit_req_context *pkinit_req_context;
2N/A
/*
 * KDC's (per-realm) plugin context
 *
 * One per realm the KDC serves; holds that realm's policy (opts), its
 * identity/trust store (idctx, idopts) and the realm name.  `magic`
 * presumably holds PKINIT_CTX_MAGIC.  realmname and realmname_len must be
 * kept in step; realmname_len is unsigned int, so take care when comparing
 * it with the int/size_t lengths krb5_data and strlen() produce.
 */
struct _pkinit_kdc_context {
    int magic;
    pkinit_plg_crypto_context cryptoctx;
    pkinit_plg_opts *opts;
    pkinit_identity_crypto_context idctx;
    pkinit_identity_opts *idopts;
    char *realmname;
    unsigned int realmname_len;
};
typedef struct _pkinit_kdc_context *pkinit_kdc_context;
2N/A
/*
 * KDC's per-request context
 *
 * State for one client request.  rcv_auth_pack / rcv_auth_pack9 are the
 * decoded AuthPack received from the client -- attacker-controlled data
 * until the signature over it has been verified, so nothing in them may be
 * trusted before that point.  Presumably exactly one of the two is set,
 * chosen by pa_type (RFC 4556 vs draft-9 encoding) -- verify.  `magic`
 * presumably holds PKINIT_REQ_CTX_MAGIC.
 */
struct _pkinit_kdc_req_context {
    int magic;
    pkinit_req_crypto_context cryptoctx;
    krb5_auth_pack *rcv_auth_pack;
    krb5_auth_pack_draft9 *rcv_auth_pack9;
    krb5_preauthtype pa_type;
};
typedef struct _pkinit_kdc_req_context *pkinit_kdc_req_context;
2N/A
/*
 * Functions in pkinit_lib.c
 *
 * Allocator / destructor pairs for the option structs.  The init functions
 * return a krb5_error_code (0 on success) and leave *out pointing at a new
 * struct filled with defaults -- the defaults quoted in the field comments
 * above presumably live here; verify.  The fini functions release the
 * struct and everything it owns.  Whether a fini function tolerates NULL is
 * not established here; check before relying on it.
 */

krb5_error_code pkinit_init_req_opts(pkinit_req_opts **);
void pkinit_fini_req_opts(pkinit_req_opts *);

krb5_error_code pkinit_init_plg_opts(pkinit_plg_opts **);
void pkinit_fini_plg_opts(pkinit_plg_opts *);

krb5_error_code pkinit_init_identity_opts(pkinit_identity_opts **idopts);
void pkinit_fini_identity_opts(pkinit_identity_opts *idopts);
/* Copies src_opts into a newly allocated *dest_opts.  Presumably a deep copy
 * of every string (PIN included) -- verify, since the two structs are freed
 * independently and a shallow copy would double-free. */
krb5_error_code pkinit_dup_identity_opts(pkinit_identity_opts *src_opts,
                                         pkinit_identity_opts **dest_opts);
2N/A
/*
 * Functions in pkinit_identity.c
 */
/* Human-readable names for idtype / catype values, for debug output.  The
 * return type is a non-const char *; presumably static storage -- do not
 * free or modify -- verify. */
char * idtype2string(int idtype);
char * catype2string(int catype);

/*
 * Loads the credentials and trust store described by idopts into
 * id_cryptoctx.  With do_matching non-zero the certificate is additionally
 * selected against princ, presumably via pkinit_cert_matching and the
 * "pkinit_cert_match" rules -- verify.  Only id_cryptoctx is IN/OUT; idopts
 * is read, not taken over.
 */
krb5_error_code pkinit_identity_initialize
    (krb5_context context,                        /* IN */
    pkinit_plg_crypto_context plg_cryptoctx,      /* IN */
    pkinit_req_crypto_context req_cryptoctx,      /* IN */
    pkinit_identity_opts *idopts,                 /* IN */
    pkinit_identity_crypto_context id_cryptoctx,  /* IN/OUT */
    int do_matching,                              /* IN */
    krb5_principal princ);

/*
 * Applies the certificate-matching rules to the certificates in
 * id_cryptoctx for princ.  do_select is a Solaris addition: presumably when
 * true the matching certificate is also made the active one in
 * id_cryptoctx, when false the result is only reported -- verify.
 */
krb5_error_code pkinit_cert_matching
    (krb5_context context,
    pkinit_plg_crypto_context plg_cryptoctx,
    pkinit_req_crypto_context req_cryptoctx,
    pkinit_identity_crypto_context id_cryptoctx,
    krb5_principal princ,
    krb5_boolean do_select); /* Solaris Kerberos */
2N/A
/*
 * initialization and free functions
 *
 * init_* presumably set *in to a freshly allocated, zeroed object.
 * NOTE(review): they return void, so an allocation failure cannot be
 * reported -- check how callers detect a NULL *in.  free_* take the address
 * of the pointer and presumably reset it to NULL after freeing, which is why
 * they are ** (and, for arrays of pointers, ***) -- verify.  The ***
 * variants presumably free a NULL-terminated array.
 * free_krb5_auth_pack_draft9 is the odd one out in taking a krb5_context.
 */
void init_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void init_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
void init_krb5_reply_key_pack(krb5_reply_key_pack **in);
void init_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);

void init_krb5_auth_pack(krb5_auth_pack **in);
void init_krb5_auth_pack_draft9(krb5_auth_pack_draft9 **in);
void init_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
void init_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
void init_krb5_typed_data(krb5_typed_data **in);
void init_krb5_subject_pk_info(krb5_subject_pk_info **in);

void free_krb5_pa_pk_as_req(krb5_pa_pk_as_req **in);
void free_krb5_pa_pk_as_req_draft9(krb5_pa_pk_as_req_draft9 **in);
/* NOTE(review): reply_key_pack objects carry the session key -- the free
 * routine should scrub before releasing; verify. */
void free_krb5_reply_key_pack(krb5_reply_key_pack **in);
void free_krb5_reply_key_pack_draft9(krb5_reply_key_pack_draft9 **in);
void free_krb5_auth_pack(krb5_auth_pack **in);
void free_krb5_auth_pack_draft9(krb5_context, krb5_auth_pack_draft9 **in);
void free_krb5_pa_pk_as_rep(krb5_pa_pk_as_rep **in);
void free_krb5_pa_pk_as_rep_draft9(krb5_pa_pk_as_rep_draft9 **in);
void free_krb5_external_principal_identifier(krb5_external_principal_identifier ***in);
void free_krb5_trusted_ca(krb5_trusted_ca ***in);
void free_krb5_typed_data(krb5_typed_data ***in);
void free_krb5_algorithm_identifiers(krb5_algorithm_identifier ***in);
void free_krb5_algorithm_identifier(krb5_algorithm_identifier *in);
void free_krb5_kdc_dh_key_info(krb5_kdc_dh_key_info **in);
void free_krb5_subject_pk_info(krb5_subject_pk_info **in);
/* Copies src into dst; presumably allocates dst->data, which the caller
 * then owns -- verify. */
krb5_error_code pkinit_copy_krb5_octet_data(krb5_octet_data *dst, const krb5_octet_data *src);
2N/A
2N/A
/*
 * Functions in pkinit_profile.c
 *
 * Profile lookups.  pkinit_kdcdefault_* read the KDC's configuration for
 * `realmname` (the [realms] and [kdcdefaults] sections named above;
 * precedence is decided in pkinit_profile.c -- verify).  pkinit_libdefault_*
 * do the same for the client from [libdefaults], with the realm given as a
 * krb5_data.  The boolean/integer variants store default_value when the
 * option is absent.  _strings returns a char ** (presumably NULL-terminated)
 * and _string a single string, both presumably heap-allocated for the caller
 * to free -- verify.
 */
krb5_error_code pkinit_kdcdefault_strings
    (krb5_context context, const char *realmname, const char *option,
    char ***ret_value);
krb5_error_code pkinit_kdcdefault_string
    (krb5_context context, const char *realmname, const char *option,
    char **ret_value);
krb5_error_code pkinit_kdcdefault_boolean
    (krb5_context context, const char *realmname, const char *option,
    int default_value, int *ret_value);
krb5_error_code pkinit_kdcdefault_integer
    (krb5_context context, const char *realmname, const char *option,
    int default_value, int *ret_value);


krb5_error_code pkinit_libdefault_strings
    (krb5_context context, const krb5_data *realm,
    const char *option, char ***ret_value);
krb5_error_code pkinit_libdefault_string
    (krb5_context context, const krb5_data *realm,
    const char *option, char **ret_value);
krb5_error_code pkinit_libdefault_boolean
    (krb5_context context, const krb5_data *realm, const char *option,
    int default_value, int *ret_value);
krb5_error_code pkinit_libdefault_integer
    (krb5_context context, const krb5_data *realm, const char *option,
    int default_value, int *ret_value);
2N/A
/*
 * debugging functions
 *
 * Dumps of arbitrary buffers.  print_buffer_bin's third argument is an
 * unnamed char *, presumably a file name the raw bytes are written to --
 * verify.  NOTE(review): these are debug aids only and will happily dump
 * key material or a PIN if handed one; keep every call behind DEBUG
 * (see pkiDebug) and never point the file argument at a path derived from
 * untrusted input.
 */
/* Solaris Kerberos - make const to work with openssl 1.0 */
void print_buffer(const unsigned char *, unsigned int);
void print_buffer_bin(const unsigned char *, unsigned int, char *);
2N/A
2N/A/*
2N/A * Now get crypto function declarations
2N/A */
2N/A#include "pkinit_crypto.h"
2N/A
2N/A#endif /* _PKINIT_H */