/usr/include/webauth/krb5.h is in libwebauth-dev 4.6.1-1+b1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 | /*
* WebAuth Kerberos authentication and encryption functions.
*
* These functions encapsulate the WebAuth support for Kerberos, including
* creating a WebAuth Kerberos context from various sources of authentication,
* constructing and verifying Kerberos authenticators, and encrypting and
* decrypting data protected by Kerberos session keys. Also included are
* functions to export and import Kerberos tickets.
*
* All of these functions will eventually become internal to the WebAuth
* library once higher-level functions have been added to perform WebAuth
* protocol actions.
*
* Written by Russ Allbery
* Copyright 2002, 2003, 2008, 2009, 2010, 2011, 2012, 2014
* The Board of Trustees of the Leland Stanford Junior University
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom the
* Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
* DEALINGS IN THE SOFTWARE.
*/
#ifndef WEBAUTH_KRB5_H
#define WEBAUTH_KRB5_H 1
#include <webauth/defines.h>
struct webauth_context;
struct webauth_krb5;
/* Supported protocols for Kerberos password change. */
enum webauth_change_protocol {
WA_CHANGE_KPASSWD = 0,
WA_CHANGE_REMCTL = 1
};
/*
* Configuration information for Kerberos password change operations. This is
* used to bundle together the configuration parameters and pass them into
* webauth_krb5_change_config. If the protocol is WA_CHANGE_KPASSWD, all the
* other fields are ignored.
*
* The port may be 0, which indicates the standard port should be used.
* identity is the identity of the password change service and may be NULL to
* use the default. command and subcommand are protocol-specific command
* information, such as the first two arguments to a remctl command.
*
* The timeout will only be enforced if the library is built with remctl 3.1
* or later (which have remctl_set_timeout).
*/
struct webauth_krb5_change_config {
enum webauth_change_protocol protocol;
const char *host;
unsigned short port; /* May be 0 to use the standard port */
const char *identity; /* Metadata service identity or NULL */
const char *command; /* Protocol-specific command */
const char *subcommand; /* Protocol-specific subcommand */
time_t timeout; /* Network timeout, or 0 for no timeout */
};
/* Flags for webauth_krb5_get_principal and webauth_krb5_read_auth. */
enum webauth_krb5_canon {
WA_KRB5_CANON_NONE = 0, /* Do not canonicalize principals. */
WA_KRB5_CANON_LOCAL = 1, /* Strip the local realm */
WA_KRB5_CANON_STRIP = 2 /* Strip any realm */
};
BEGIN_DECLS
/*
* Create new webauth krb5 context for use with all the webauth_krb5_* calls.
* Takes the webauth_context with which to associate it and a pointer to a
* webauth_krb5 struct. The contents of that struct will be overwritten
* without freeing, so it does not have to be initialized (but should be freed
* if being reused).
*
* The initialized context can be freed with webauth_krb5_free. It will be
* automatically freed if the pool associated with the webauth_context is
* freed.
*/
int webauth_krb5_new(struct webauth_context *, struct webauth_krb5 **)
__attribute__((__nonnull__));
/*
* Frees the webauth_krb5 context including any memory allocated within that
* context. If this context has an associated credential cache, that cache
* will be destroyed as well. This will be done automatically when the
* associated webauth_context is destroyed, so it's normally not necessary to
* call this function.
*/
void webauth_krb5_free(struct webauth_context *, struct webauth_krb5 *)
__attribute__((__nonnull__));
/*
* Configure the path to a credential cache to use for FAST armor during
* password authentication requests, or NULL to disable use of FAST armor. If
* this is set, FAST will be used and required for all password
* authentications, and Kerberos authentications will fail if FAST cannot be
* used.
*/
int webauth_krb5_set_fast_armor_path(struct webauth_context *,
struct webauth_krb5 *,
const char *)
__attribute__((__nonnull__(1, 2)));
/*
* Initialize a webauth_krb5 context from an existing ticket cache. If the
* provided cache name is NULL, krb5_cc_default is used.
*/
int webauth_krb5_init_via_cache(struct webauth_context *,
struct webauth_krb5 *,
const char *cache)
__attribute__((__nonnull__(1, 2)));
/*
* Initialize a webauth_krb5 context with a keytab, obtaining a TGT.
* Credentials will be placed in the specified cache, or a memory cache if
* cache is NULL. If server_principal is NULL, the first principal in the
* keytab will be used; otherwise, the specifed server principal will be used.
*/
int webauth_krb5_init_via_keytab(struct webauth_context *,
struct webauth_krb5 *,
const char *keytab,
const char *server_principal,
const char *cache)
__attribute__((__nonnull__(1, 2, 3)));
/*
* Initialize a webauth_krb5 context with a username and password, obtaining
* credentials for the principal specified via get_principal, or a TGT for the
* default realm if that argument is NULL. Normally, the only argument used
* other than NULL is "kadmin/changepw" for password changes.
*
* If a TGT is obtained, it is verified using the specified keytab if
* provided. If the keytab is NULL, the TGT will not be verified. The
* obtained ticket will be placed in the specified cache or in a memory cache
* if cache is NULL.
*
* server_principal_out will be set to the fully qualified server principal
* used, unless the keytab is NULL.
*/
int webauth_krb5_init_via_password(struct webauth_context *,
struct webauth_krb5 *,
const char *username, const char *password,
const char *get_principal,
const char *keytab,
const char *server_principal,
const char *cache,
char **server_principal_out)
__attribute__((__nonnull__(1, 2, 3, 4)));
/*
* Initialize a context from a credential created via webauth_krb5_export_cred
* without importing the credential. This is used to prep the ticket cache
* when some actions have to be taken between preparation of the cache and
* storing tickets in it. Currently, this is only used in special handling
* for keyring caches.
*/
int webauth_krb5_prepare_via_cred(struct webauth_context *,
struct webauth_krb5 *,
const void *cred, size_t cred_len,
const char *cache)
__attribute__((__nonnull__));
/*
* Export a credential from a context. The context must have previously been
* initialized with webauth_krb5_init_via_* or webauth_krb5_import_cred.
* Takes the principal for which to export a service ticket. If this value is
* NULL, the TGT is exported. The provided time_t value is set to the
* expiration time of the credentials.
*/
int webauth_krb5_export_cred(struct webauth_context *, struct webauth_krb5 *,
const char *principal,
void **cred, size_t *cred_len,
time_t *expiration)
__attribute__((__nonnull__(1, 2, 4, 5)));
/*
* Import a credential (TGT or ticket) that was exported via
* webauth_krb5_export_cred. If the webauth_krb5 context has not yet been
* initialized, it will be initialized using the provided ticket cache
* identifier. If the cache parameter is NULL and the context is not yet
* initialized, a memory cache will be used.
*/
int webauth_krb5_import_cred(struct webauth_context *, struct webauth_krb5 *,
const void *, size_t, const char *cache)
__attribute__((__nonnull__(1, 2, 3)));
/*
* Get the string form of the principal from the context. This should only be
* called after a successful call to webauth_krb5_init_via_* or
* webauth_krb5_import_cred.
*
* If the canon argument is WA_KRB5_CANON_LOCAL, krb5_aname_to_localname is
* called on the principal. If krb5_aname_to_localname returns an error, the
* fully-qualified principal name is returned.
*
* If the canon argument is WA_KRB5_CANON_STRIP, the realm is stripped,
* regardless of what it is.
*
* If the canon argument is WA_KRB5_CANON_NONE, the fully-qualified Kerberos
* principal is always returned.
*/
int webauth_krb5_get_principal(struct webauth_context *, struct webauth_krb5 *,
char **principal, enum webauth_krb5_canon)
__attribute__((__nonnull__));
/*
* Get the ticket cache from the context. This is the string suitable for
* storing in KRB5CCNAME. It should only be called after a successful call to
* webauth_krb5_init_via_* or webauth_krb5_import_cred.
*/
int webauth_krb5_get_cache(struct webauth_context *, struct webauth_krb5 *,
char **)
__attribute__((__nonnull__));
/*
* Get the realm from the context. This should only be called after a
* successful call to webauth_krb5_init_via_* or webauth_krb5_import_cred.
*/
int webauth_krb5_get_realm(struct webauth_context *, struct webauth_krb5 *,
char **)
__attribute__((__nonnull__));
/*
* Calls krb5_mk_req using the specified service and stores the resulting
* authenticated request in req, which should be freed when it is no longer
* needed. This should only be called after one of the
* webauth_krb5_init_via_* or webauth_krb5_import_cred functions has been
* successfully called.
*/
int webauth_krb5_make_auth(struct webauth_context *, struct webauth_krb5 *,
const char *server_principal,
void **req, size_t *length)
__attribute__((__nonnull__));
/*
* The same as webauth_krb5_make_auth, but also encrypt the provided data
* in the session key.
*/
int webauth_krb5_make_auth_data(struct webauth_context *,
struct webauth_krb5 *,
const char *server_principal,
void **req, size_t *length,
const void *in_data, size_t in_length,
void **out_data, size_t *out_length)
__attribute__((__nonnull__(1, 2, 3, 4, 5)));
/*
* Calls krb5_rd_req on the specified request and returns the client
* principal. If server_principal is NULL, the first principal in the keytab
* will be used; otherwise, the specifed server principal will be used.
*/
int webauth_krb5_read_auth(struct webauth_context *, struct webauth_krb5 *,
const void *req, size_t length,
const char *keytab, const char *server_principal,
char **client_principal,
enum webauth_krb5_canon)
__attribute__((__nonnull__(1, 2, 3, 5, 7)));
/*
* The same as webauth_krb5_read_auth, but also decrypts the provided secure
* data with the session key.
*/
int webauth_krb5_read_auth_data(struct webauth_context *,
struct webauth_krb5 *, const void *req,
size_t length, const char *keytab,
const char *server_principal,
char **out_server_princ,
char **client_principal,
enum webauth_krb5_canon,
const void *in_data, size_t in_length,
void **out_data, size_t *out_length)
__attribute__((__nonnull__(1, 2, 3, 5, 8)));
/*
* Configure how password changes using this webauth_krb5 struct will be
* done.
*/
int webauth_krb5_change_config(struct webauth_context *,
struct webauth_krb5 *,
struct webauth_krb5_change_config *)
__attribute__((__nonnull__));
/*
* Change the password for a principal. The webauth_krb5 context must already
* be initialized using webauth_krb5_init_via_password with credentials for
* the password change service (normally kadmin/changepw).
*
* The password change will be done using the configuration set with
* webauth_krb5_change_config if it is called (on the same webauth_krb5
* struct) prior to making this call.
*/
int webauth_krb5_change_password(struct webauth_context *,
struct webauth_krb5 *, const char *password)
__attribute__((__nonnull__));
END_DECLS
#endif /* !WEBAUTH_KRB5_H */
|