/*
 * KrbDriver.h -- Application interface for Kerberos Macintosh Client
 * (A mac system extension)
 *
 * This interface can be used as is or it can be accessed at a
 * higher level using a library interface (kerberos.h?).
 *
 * Set the compiler def KRB_DEFS if you are also including krb.h
 * in your code (this is only necessary for building the driver itself).
 *
 * Copyright 1992 by Cornell University
 * FIXME: What COPYRIGHT terms and conditions from Cornell?
 *
 * Initial coding 1/92 by Peter Bosanko.
 * Merged into multi-platform source tree by Julia Menapace and
 * John Gilmore, Cygnus Support, May 1994.
 */
#ifndef Krb_Driver_h
#define Krb_Driver_h

/*
 * Driver control block status/control bits.
 * NOTE(review): the names match the classic Mac OS Device Manager driver
 * flag bits (lock driver in memory / responds to Status calls / responds
 * to Control calls) -- confirm against the Device Manager headers.
 */

#define dNeedLock   0x4000
#define dStatEnable 0x0800
#define dCtlEnable  0x0400
/*
 * csCodes for Control Calls.
 *
 * Values are assigned implicitly, counting up from cKrbKillIO = 1, so the
 * order of this list is part of the interface: inserting or reordering an
 * entry changes the code of every call after it.
 *
 * Comment placement: in the low level group a description appears to
 * precede the code it documents (cKrbGetRealm, cKrbGetNthRealmMap); from
 * cKrbDeleteAllSessions onward each description follows its code.
 *
 * Argument notation as used below: "->" marks a field the caller fills
 * in, "<-" a field the call fills in, "<->" both.  The names are fields
 * of krbHiParmBlock (high level calls) or krbParmBlock ("Low Call").
 */
enum cKrbcsCodes {
    cKrbKillIO = 1,

    /* Low level routines, here for compatibility with Brown Driver */
    cKrbGetLocalRealm,
    cKrbSetLocalRealm,

    /* return the name of the Kerberos realm for the host.
        -> host         Host name
        -> uRealm       pointer to buffer that will receive realm name
       NOTE(review): no buffer length is passed with uRealm; presumably
       the buffer must hold at least REALM_SZ bytes -- confirm against
       the driver.
    */
    cKrbGetRealm,

    cKrbAddRealmMap,
    cKrbDeleteRealmMap,

    /* yields the Nth mapping of a net or host to a Kerberos realm
        -> itemNumber   which mapping, traditionally the first
        -> host         host or net
        -> uRealm       pointer to buffer that will receive realm name
       NOTE(review): as with cKrbGetRealm, the size of the uRealm buffer
       is not passed -- confirm the required size.
    */
    cKrbGetNthRealmMap,

    cKrbGetNthServer,
    cKrbAddServerMap,
    cKrbDeleteServerMap,
    cKrbGetNthServerMap,
    cKrbGetNumSessions,
    cKrbGetNthSession,
    cKrbDeleteSession,
    cKrbGetCredentials,
    cKrbAddCredentials,
    cKrbDeleteCredentials,
    cKrbGetNumCredentials,
    cKrbGetNthCredentials,

    /* High Level routines */
    cKrbDeleteAllSessions,
    /* Removes all credentials from storage.  The user will be asked to
       enter user name and password the next time a ticket is requested */

    cKrbGetTicketForService,
    /* Gets a ticket and returns it to application in buf
        -> service      Formal Kerberos name of service
        -> buf          Buffer to receive ticket
        -> checksum     checksum for this service
        <-> buflen      length of ticket buffer (must be at least
                        1258 bytes)
        <- sessionKey   for internal use
        <- schedule     for internal use
       sessionKey and schedule are written into the caller's parameter
       block.  NOTE(review): that leaves key material in caller memory,
       so callers should presumably clear the block once the session is
       over -- confirm. */

    cKrbGetAuthForService,
    /* Similar to cKrbGetTicketForService except it builds a kerberos
       "SendAuth" style request (with SendAuth and application version
       numbers preceding the actual ticket)
        -> service      Formal Kerberos name of service
        -> buf          Buffer to receive ticket
        -> checksum     checksum for this service
        -> applicationVersion   version number of the application (8 byte
                        string)
        <-> buflen      length of ticket buffer (must be at least
                        1258 bytes)
        <- sessionKey   for internal use
        <- schedule     for internal use */

    /* Use the same krbHiParmBlock for the routines below that you
       used to get the ticket for the service.  That way the session
       key and schedule will get passed back to the driver. */

    cKrbCheckServiceResponse,
    /* Use the return code from this call to determine if the client
       is properly authenticated
        -> buf          points to the beginning of the server response
        -> buflen       length of the server response
        -> sessionKey   this was returned from cKrbGetTicketForService
        -> schedule     "
        -> checksum     left over from cKrbGetTicketForService call
        -> lAddr        addresses used for service validation...
        -> lPort        "
        -> fAddr        "
        -> fPort        "
       NOTE(review): the success value is not stated here.  cKrbErrs
       defines cKrbServerRejected, cKrbServerImposter and
       cKrbServerRespIncomplete, which look like this call's failure
       codes -- confirm, and treat any failure as "not authenticated". */

    cKrbEncrypt,
    /* Encrypt stream, High level version of cKrbMakePrivate
        -> buf          points to the beginning of stream buffer
        -> buflen       length of the stream buffer
        -> sessionKey   this was returned from cKrbGetTicketForService
        -> schedule     "
        -> lAddr        server uses addresses to confirm who we are...
        -> lPort        "
        -> fAddr        "
        -> fPort        "
        -> encryptBuf   output buffer, allow 26 more bytes than
                        input data
        <- encryptLength        actual length of output data
       krbHiParmBlock has no field for the capacity of encryptBuf
       (encryptLength is documented as output only), so sizing it at
       buflen + 26 bytes is entirely the caller's responsibility. */

    cKrbDecrypt,
    /* Decrypt stream, High level version of cKrbReadPrivate
        -> buf          points to the beginning of stream buffer
        -> buflen       length of the stream buffer
        -> sessionKey   this was returned from cKrbGetTicketForService
        -> schedule     "
        -> lAddr        addresses used to confirm source of message...
        -> lPort        "
        -> fAddr        "
        -> fPort        "
        <- decryptOffset        offset in buf to beginning of application data
        <- decryptLength        actual length of decrypted data
       NOTE(review): callers should presumably check that
       decryptOffset + decryptLength stays within buflen before reading
       the data -- confirm what the driver guarantees. */

    cKrbCacheInitialTicket,
    /* Gets a ticket for the ticket granting service and optionally
       another service that you specify.
       This call always prompts the user for a password.  The
       ticket(s) are placed in the ticket cache but are not
       returned.  Use cKrbGetTicketForService to receive the
       ticket.  NOTE: This call is useful for getting a ticket for
       the password changing service or any other service that
       requires that the user be reauthenticated ( that needs an
       initial ticket ).

        -> service      Formal Kerberos name of service
                        ( NULL service is OK if you just want a
                        ticket granting ticket ) */

    cKrbGetUserName,
    /* Get the kerberos name of the user.  If the user is not
       logged in, returns error cKrbNotLoggedIn.

        <- user         Name that user typed in login dialog */

    cKrbSetUserName,
    /* Set the kerberos name of the user.  If the user is logged
       in, cKrbSetUserName logs the user out.

        -> user         Name that will be used as default in
                        login dialog */

    cKrbSetPassword,
    /* Sets the password which will be used the next time a
       password is needed.  This can be used to bypass the login
       dialog.  NOTE: Password is cleared from memory after it is
       used once or whenever a cKrbSetUserName or cKrbDeleteAllSessions
       call is made.
        -> user         contains password (of current user)
       NOTE(review): the clearing described above presumably covers the
       driver's copy only; the caller's own buffer behind `user` is not
       mentioned, so the caller should clear it after the call. */

    cKrbGetDesPointers,
    /* Returns a block of pointers to DES routines so the routines
       can be called directly. */

    /* Various routines added by Cygnus Mac kerberos driver interface */

    cKrbKnameParse,
    /*
       takes a Kerberos name "fullname" of the form:
       username[.instance][@realm] and returns the three components
       ("name", "instance", and "realm" in the example above) in the
       given arguments.  If successful, it returns KSUCCESS.  If there
       was an error, KNAME_FMT is returned.  For proper operation, this
       routine requires that the arguments be initialized, either
       to null strings, or to default values of name, instance,
       and realm.  Low Call.
        <- uName
        <- uInstance
        <- uRealm
        -> fullname
       NOTE(review): krbParmBlock carries no lengths for the three output
       buffers; ANAME_SZ, INST_SZ and REALM_SZ are presumably the sizes
       they must provide -- confirm.
    */

    cKrbGetErrText,
    /*
       Given an error number returns the error text associated with
       that error number.  Low Call.
        -> admin        (the error number)
        <- uName        (the error text)
       NOTE(review): the size uName must provide for the text is not
       stated here.
    */

    cKrbGetPwInTkt,
    /*
       Takes the name of the server for which the initial ticket is to
       be obtained, the name of the principal the ticket is for, the
       desired lifetime of the ticket, and the user's password.  It
       gets the ticket, decrypts it using the password provided,
       and stores it away for future use.  It requires the caller to
       supply a non-null password.  Low Call.
        -> uName
        -> uInstance
        -> uRealm
        -> sName
        -> sInstance
        -> admin        (ticket lifetime)
        -> fullname     (password)
       NOTE(review): the password travels in `fullname`; whether the
       driver clears anything is not stated, so the caller should clear
       its own buffer once the call returns.
    */

    cKrbGetTfFullname,
    /*
       Given a ticket file name, return the principal's name, instance,
       and realm.  Currently there is only one tktfile/cache.  Low Call.
        <- uName
        <- uInstance
        -> fullname     (ticket file/cache name)
       NOTE(review): the text promises a realm, but no realm field is
       listed among the outputs -- confirm whether uRealm is filled in.
    */

    /* End-of-list marker; presumably one past the last valid csCode. */
    cKrbLAST_ONE
};
/*
 * Password changing service.
 * The cKrbCacheInitialTicket description names the password changing
 * service as a case that needs an initial ticket; this is presumably the
 * service name to pass there -- confirm.
 */

#define KRB_PASSWORD_SERVICE "changepw.kerberos"
/*
 * Error codes.
 * The driver-specific codes count upward from cKrbCorruptedFile = -1024
 * (so cKrbOldDriver is -1010); the order of the list fixes the values.
 */
enum cKrbErrs {
    cKrbCorruptedFile = -1024,      /* couldn't find a needed resource */
    cKrbNoKillIO,                   /* can't killIO because all calls sync */
    cKrbBadSelector,                /* csCode passed doesn't select a
                                       recognized function */
    cKrbCantClose,                  /* we must always remain open */
    cKrbMapDoesntExist,             /* tried to access a map that doesn't exist
                                       (index too large, or criteria doesn't
                                       match anything) */
    cKrbSessDoesntExist,            /* tried to access session that doesn't exist */
    cKrbCredsDontExist,             /* tried to access creds that don't exist */
    cKrbTCPunavailable,             /* couldn't open MacTCP driver */
    cKrbUserCancelled,              /* user cancelled a log in operation */
    cKrbConfigurationErr,           /* Kerberos Preference file is not configured
                                       properly */
    cKrbServerRejected,             /* A server rejected our ticket */
    cKrbServerImposter,             /* Server appears to be a phony.
                                       NOTE(review): presumably the server failed
                                       to prove its identity; callers should not
                                       send it application data -- confirm. */
    cKrbServerRespIncomplete,       /* Server response is not complete */
    cKrbNotLoggedIn,                /* Returned by cKrbGetUserName if user is
                                       not logged in */
    cKrbOldDriver,                  /* old version of the driver */

    /* How Kerberos error numbers are mapped into this block is not shown
       in this header. */
    cKrbKerberosErrBlock = -20000   /* start block of 256 kerberos errors */
};
/*
 * Parameter block for high level calls.
 * The call descriptions in enum cKrbcsCodes say which fields each call
 * reads ("->") and which it writes ("<-").  Field order and sizes are
 * shared with the driver, so the layout must not change.
 */
struct krbHiParmBlock {
    /* full name -- combined service, instance, realm */
    char *service;
    char *buf;                      /* ticket, server response or stream
                                       buffer, depending on the call */
    unsigned long buflen;           /* length of buf; in/out for the ticket
                                       calls (at least 1258 bytes there) */
    long checksum;                  /* checksum for this service */
    unsigned long lAddr;            /* lAddr/lPort/fAddr/fPort: addresses used */
    unsigned short lPort;           /* for validation; presumably the local   */
    unsigned long fAddr;            /* and foreign address and port --        */
    unsigned short fPort;           /* TODO confirm                           */
    unsigned long decryptOffset;    /* out: offset in buf of application data */
    unsigned long decryptLength;    /* out: actual length of decrypted data */
    char *encryptBuf;               /* output buffer for cKrbEncrypt; no
                                       capacity field exists, the caller must
                                       allow buflen + 26 bytes */
    unsigned long encryptLength;    /* out: actual length of output data */
    char *applicationVersion;       /* Version string, must be
                                       8 bytes long! */
    char sessionKey[8];             /* for internal use; 8 bytes, the size of
                                       des_cblock */
    char schedule[128];             /* for internal use; 128 bytes, the size
                                       of des_key_schedule (16 * 8) */
    /* NOTE(review): sessionKey and schedule hold key material inside the
       caller's block; callers should presumably clear the block when the
       session is finished -- confirm. */
    char *user;                     /* user name for cKrbGetUserName and
                                       cKrbSetUserName; the password for
                                       cKrbSetPassword */
};

typedef struct krbHiParmBlock krbHiParmBlock;
typedef krbHiParmBlock *KrbParmPtr;     /* pointer to a parameter block */
typedef KrbParmPtr *KrbParmHandle;      /* pointer to a KrbParmPtr */
/* ********************************************************* */
/* The rest of these defs are for low level calls */
/* ********************************************************* */
#ifndef KRB_DEFS
/* First some kerberos defs */
/* This section is skipped when KRB_DEFS is set, which the file header
   asks for when krb.h is also included. */

/* NOTE(review): these are single-DES types (8-byte block, 16-entry key
   schedule).  Single DES is no longer regarded as adequate protection,
   so treat this interface as legacy. */
typedef unsigned char des_cblock[8];    /* crypto-block size */

/* Key schedule */
typedef struct des_ks_struct { des_cblock _; } des_key_schedule[16];

#define C_Block des_cblock
#define Key_schedule des_key_schedule

/* The maximum sizes for aname, realm, sname, and instance +1 */
/* (the "+1" presumably leaves room for the terminating NUL -- confirm) */
#define ANAME_SZ 40
#define REALM_SZ 40
#define SNAME_SZ 40
#define INST_SZ 40
/* Definition of text structure used to pass text around */
#define MAX_KTXT_LEN 1250

/*
 * Length-prefixed byte buffer with a fixed capacity of MAX_KTXT_LEN.
 * length is a signed int and nothing in this header bounds it.
 * NOTE(review): code that consumes a KTEXT should check
 * 0 <= length <= MAX_KTXT_LEN before indexing or copying dat.
 */
struct ktext {
    int length;                         /* Length of the text */
    unsigned char dat[MAX_KTXT_LEN];    /* The data itself */
    unsigned long mbz;                  /* zero to catch runaway strings;
                                           declared directly after dat, a
                                           backstop rather than a bounds
                                           check */
};

typedef struct ktext *KTEXT;
typedef struct ktext KTEXT_ST;
/*
 * One set of credentials for a service: the session key, the ticket and
 * the names they belong to.
 * NOTE(review): a filled-in CREDENTIALS contains the session key and the
 * ticket, so copies should presumably be cleared once they are no longer
 * needed -- confirm with callers.
 */
struct credentials {
    char service[ANAME_SZ];     /* Service name */
    char instance[INST_SZ];     /* Instance */
    char realm[REALM_SZ];       /* Auth domain */
    C_Block session;            /* Session key */
    int lifetime;               /* Lifetime */
    int kvno;                   /* Key version number */
    KTEXT_ST ticket_st;         /* The ticket itself */
    long issue_date;            /* The issue time */
    char pname[ANAME_SZ];       /* Principal's name */
    char pinst[INST_SZ];        /* Principal's instance */
};

typedef struct credentials CREDENTIALS;
/* Structure definition for rd_private_msg and rd_safe_msg */

struct msg_dat {
    unsigned char *app_data;    /* pointer to appl data */
    unsigned long app_length;   /* length of appl data */
    unsigned long hash;         /* hash to lookup replay */
    int swap;                   /* swap bytes? */
    long time_sec;              /* msg timestamp seconds */
    unsigned char time_5ms;     /* msg timestamp 5ms units */
};

typedef struct msg_dat MSG_DAT;

#endif /* KRB_DEFS */
/*
 * Parameter block for low level calls.
 * The calls marked "Low Call" in enum cKrbcsCodes name the fields they
 * use.  Several fields carry different data depending on the call (see
 * the per-field notes and the cKrbGetErrText / cKrbGetPwInTkt
 * descriptions).  All strings are passed as bare pointers with no length
 * field, so buffer sizes are a convention between caller and driver.
 * CREDENTIALS is declared in this header only when KRB_DEFS is not set;
 * otherwise it has to come from krb.h.
 */
struct krbParmBlock {
    char *uName;
    char *uInstance;
    char *uRealm;       /* also where local realm or mapping realm passed */
    char *sName;
    char *sInstance;
    char *sRealm;
    char *host;         /* also netorhost */
    int admin;          /* isadmin, mustadmin */
    int *itemNumber;
    int *adminReturn;   /* when it needs to be passed back */
    CREDENTIALS *cred;
    char *fullname;     /* for kname_parse */
    int result;         /* general purpose integer return value */
};
typedef struct krbParmBlock krbParmBlock;
/*
 * Mac_stubs.c exports a variable for communication with the Kerberos
 * driver, for hardy souls using the driver interface.
 * NOTE(review): presumably the reference number of the opened driver --
 * confirm in Mac_stubs.c.
 */
extern short mac_stubs_kdriver;
#endif /* Krb_Driver_h */