3b0d00c743
All network traffic to KDC goes through the SOCKS4a proxy if it is configured. This is deliberately kept simple -- and is not generalized to SOCKS4 or SOCKS5 or other types of proxies -- so it is easy to audit for network and DNS leaks. (SOCKS4 works in IP addresses, and so invites DNS leaks. SOCKS5 can be OK, if used judiciously, but takes more work to implement.) This only affects krb5_sendto -- the other initiator of network traffic in libkrb5, krb5_change_password, will be fixed to respect socks4a_proxy in a subsequent commit. XXX Need to figure out where the socks4a.c code should go. fix https://github.com/heimdal/heimdal/issues/1151
543 lines
15 KiB
C
543 lines
15 KiB
C
/*
|
|
* Copyright (c) 1997-2016 Kungliga Tekniska Högskolan
|
|
* (Royal Institute of Technology, Stockholm, Sweden).
|
|
* All rights reserved.
|
|
*
|
|
* Portions Copyright (c) 2009 Apple Inc. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the Institute nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
/* $Id$ */
|
|
|
|
#ifndef __KRB5_LOCL_H__
|
|
#define __KRB5_LOCL_H__
|
|
|
|
#include <config.h>
|
|
#include <roken.h>
|
|
|
|
#include <ctype.h>
|
|
|
|
#ifdef HAVE_POLL_H
|
|
#include <poll.h>
|
|
#endif
|
|
|
|
#include <krb5-types.h>
|
|
|
|
#ifdef HAVE_SYS_TYPES_H
|
|
#include <sys/types.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_MMAN_H
|
|
#include <sys/mman.h>
|
|
#endif
|
|
|
|
#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
|
|
#include <sys/ioctl.h>
|
|
#endif
|
|
#ifdef HAVE_PWD_H
|
|
#undef _POSIX_PTHREAD_SEMANTICS
|
|
/* This gets us the 5-arg getpwnam_r on Solaris 9. */
|
|
#define _POSIX_PTHREAD_SEMANTICS
|
|
#include <pwd.h>
|
|
#endif
|
|
|
|
#ifdef HAVE_SYS_SELECT_H
|
|
#include <sys/select.h>
|
|
#endif
|
|
#ifdef _AIX
|
|
struct mbuf;
|
|
#endif
|
|
#ifdef HAVE_SYS_FILIO_H
|
|
#include <sys/filio.h>
|
|
#endif
|
|
#ifdef HAVE_SYS_FILE_H
|
|
#include <sys/file.h>
|
|
#endif
|
|
|
|
#include <com_err.h>
|
|
|
|
#include <heimbase.h>
|
|
#include "heimbase-atomics.h"
|
|
|
|
#define HEIMDAL_TEXTDOMAIN "heimdal_krb5"
|
|
|
|
#ifdef LIBINTL
|
|
#include <libintl.h>
|
|
#define N_(x,y) dgettext(HEIMDAL_TEXTDOMAIN, x)
|
|
#else
|
|
#define N_(x,y) (x)
|
|
#define bindtextdomain(package, localedir)
|
|
#endif
|
|
|
|
|
|
#ifdef HAVE_CRYPT_H
|
|
#undef des_encrypt
|
|
#define des_encrypt wingless_pigs_mostly_fail_to_fly
|
|
#include <crypt.h>
|
|
#undef des_encrypt
|
|
#endif
|
|
|
|
#ifdef HAVE_DOOR_CREATE
|
|
#include <door.h>
|
|
#endif
|
|
|
|
#include <parse_time.h>
|
|
#include <base64.h>
|
|
|
|
#include <wind.h>
|
|
|
|
#ifndef HEIM_NO_CRYPTO_HDRS
|
|
#include "crypto-headers.h"
|
|
#endif
|
|
|
|
|
|
#include <krb5_asn1.h>
|
|
typedef Krb5Int32 krb5int32;
|
|
typedef Krb5UInt32 krb5uint32;
|
|
#include <pkinit_asn1.h>
|
|
|
|
struct send_to_kdc;
|
|
|
|
/* XXX glue for pkinit */
|
|
struct hx509_certs_data;
|
|
struct krb5_pk_identity;
|
|
struct krb5_pk_cert;
|
|
struct ContentInfo;
|
|
struct AlgorithmIdentifier;
|
|
typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx;
|
|
struct krb5_dh_moduli;
|
|
struct krb5_fast_state;
|
|
struct krb5_gss_init_ctx_data;
|
|
|
|
/* v4 glue */
|
|
struct _krb5_krb_auth_data;
|
|
|
|
struct krb5_gss_init_ctx_data;
|
|
typedef struct krb5_gss_init_ctx_data *krb5_gss_init_ctx;
|
|
|
|
struct gss_ctx_id_t_desc_struct;
|
|
struct gss_cred_id_t_desc_struct;
|
|
struct gss_OID_desc_struct;
|
|
|
|
#include <der.h>
|
|
|
|
#define UI_UTIL_FLAG_VERIFY 0x1 /* ask to verify password */
|
|
#define UI_UTIL_FLAG_VERIFY_SILENT 0x2 /* silence on verify failure */
|
|
|
|
#include <krb5.h>
|
|
#include <krb5_err.h>
|
|
#include <k5e1_err.h>
|
|
#include <asn1_err.h>
|
|
#ifdef PKINIT
|
|
#include <hx509.h>
|
|
#endif
|
|
|
|
#include "crypto.h"
|
|
|
|
typedef krb5_error_code (KRB5_LIB_CALL *krb5_gssic_step)(
|
|
krb5_context,
|
|
krb5_gss_init_ctx,
|
|
const krb5_creds *,
|
|
struct gss_ctx_id_t_desc_struct **,
|
|
KDCOptions options,
|
|
krb5_data *,
|
|
krb5_data *,
|
|
krb5_data *);
|
|
|
|
typedef krb5_error_code (KRB5_LIB_CALL *krb5_gssic_finish)(
|
|
krb5_context,
|
|
krb5_gss_init_ctx,
|
|
const krb5_creds *,
|
|
struct gss_ctx_id_t_desc_struct *,
|
|
krb5int32,
|
|
krb5_enctype,
|
|
krb5_principal *,
|
|
krb5_keyblock **);
|
|
|
|
typedef void (KRB5_LIB_CALL *krb5_gssic_release_cred)(
|
|
krb5_context,
|
|
krb5_gss_init_ctx,
|
|
struct gss_cred_id_t_desc_struct *);
|
|
|
|
typedef void (KRB5_LIB_CALL *krb5_gssic_delete_sec_context)(
|
|
krb5_context,
|
|
krb5_gss_init_ctx,
|
|
struct gss_ctx_id_t_desc_struct *);
|
|
|
|
#define KRB5_GSS_IC_FLAG_RELEASE_CRED 1
|
|
|
|
struct socks4a; /* XXX */
|
|
struct socks4a_io; /* XXX */
|
|
|
|
#include <krb5-private.h>
|
|
|
|
#include "heim_threads.h"
|
|
|
|
extern const char _krb5_wellknown_lkdc[];
|
|
|
|
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
|
|
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
|
|
|
|
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
|
|
|
|
#ifndef PATH_SEP
|
|
#define PATH_SEP ":"
|
|
#endif
|
|
|
|
/* should this be public? */
|
|
#define KEYTAB_DEFAULT "FILE:" SYSCONFDIR "/krb5.keytab"
|
|
#define KEYTAB_DEFAULT_MODIFY "FILE:" SYSCONFDIR "/krb5.keytab"
|
|
|
|
#ifndef CLIENT_KEYTAB_DEFAULT
|
|
#define CLIENT_KEYTAB_DEFAULT "FILE:" LOCALSTATEDIR "/user/%{euid}/client.keytab";
|
|
#endif
|
|
|
|
#define MODULI_FILE SYSCONFDIR "/krb5.moduli"
|
|
|
|
#ifndef O_BINARY
|
|
#define O_BINARY 0
|
|
#endif
|
|
|
|
#ifndef O_CLOEXEC
|
|
#define O_CLOEXEC 0
|
|
#endif
|
|
|
|
#ifndef SOCK_CLOEXEC
|
|
#define SOCK_CLOEXEC 0
|
|
#endif
|
|
|
|
|
|
#define KRB5_BUFSIZ 2048
|
|
|
|
typedef enum {
|
|
KRB5_INIT_CREDS_TRISTATE_UNSET = 0,
|
|
KRB5_INIT_CREDS_TRISTATE_TRUE,
|
|
KRB5_INIT_CREDS_TRISTATE_FALSE
|
|
} krb5_get_init_creds_tristate;
|
|
|
|
struct _krb5_get_init_creds_opt_private {
|
|
int refcount;
|
|
/* ENC_TIMESTAMP */
|
|
const char *password;
|
|
krb5_s2k_proc key_proc;
|
|
/* PA_PAC_REQUEST */
|
|
krb5_get_init_creds_tristate req_pac;
|
|
/* PKINIT */
|
|
krb5_pk_init_ctx pk_init_ctx;
|
|
krb5_get_init_creds_tristate addressless;
|
|
int flags;
|
|
#define KRB5_INIT_CREDS_DONE 1
|
|
#define KRB5_INIT_CREDS_CANONICALIZE 2
|
|
#define KRB5_INIT_CREDS_NO_C_CANON_CHECK 4
|
|
#define KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK 8
|
|
#define KRB5_INIT_CREDS_PKINIT_KX_VALID 32
|
|
#define KRB5_INIT_CREDS_PKINIT_NO_KRBTGT_OTHERNAME_CHECK 64
|
|
struct {
|
|
krb5_gic_process_last_req func;
|
|
void *ctx;
|
|
} lr;
|
|
};
|
|
|
|
typedef uint32_t krb5_enctype_set;
|
|
|
|
/*
|
|
* Functions like EVP_sha256() are slow. Instead we should use EVP_x_fetch()
|
|
* and cache the result. Similarly OSSL_LIB_CTX_load_config() is slow, so if
|
|
* we have a krb5-specific OpenSSL cnf then we want to cache the result of
|
|
* loading it. But there are no up_ref/dec_ref OpenSSL functions for any of
|
|
* the things in this structure(!), so we build our own.
|
|
*
|
|
* We could also have a thread-safe global cache of these things to further
|
|
* reduce the cost of all these OpenSSL function calls by caching their results
|
|
* even more aggressively, and eventually we will, just not right now.
|
|
*
|
|
* Notes:
|
|
*
|
|
* - krb5_context is, unfortunately, mutable, so we can't share it between
|
|
* threads
|
|
*
|
|
* - OSSL_LIB_CTX * and all the EVPs we cache here are immutable, so we _can_
|
|
* share them between threads to amortize the cost of creating them
|
|
*/
|
|
typedef struct krb5_context_ossl_data *krb5_context_ossl;
|
|
struct krb5_context_ossl_data {
|
|
OSSL_LIB_CTX *libctx; /* OpenSSL library context */
|
|
char *propq;
|
|
char *cnf;
|
|
heim_base_atomic(uint32_t) refs;
|
|
krb5_context_ossl next; /* thread-safe global cache */
|
|
OSSL_PROVIDER *openssl_def;
|
|
OSSL_PROVIDER *openssl_fips;
|
|
OSSL_PROVIDER *openssl_leg;
|
|
EVP_CIPHER *rc4;
|
|
EVP_CIPHER *aes128_cbc;
|
|
EVP_CIPHER *aes192_cbc;
|
|
EVP_CIPHER *aes256_cbc;
|
|
EVP_CIPHER *aes128_cts;
|
|
EVP_CIPHER *aes192_cts;
|
|
EVP_CIPHER *aes256_cts;
|
|
EVP_CIPHER *des_cbc;
|
|
EVP_CIPHER *des_ede3_cbc;
|
|
EVP_MAC *hmac;
|
|
EVP_MD *md4;
|
|
EVP_MD *md5;
|
|
EVP_MD *sha1;
|
|
EVP_MD *sha256;
|
|
EVP_MD *sha384;
|
|
EVP_MD *sha512;
|
|
};
|
|
|
|
/*
|
|
* Do not remove or reorder the fields of this structure.
|
|
* Fields that are no longer used should be marked "deprecated".
|
|
* New fields should always be appended to the end of the
|
|
* structure.
|
|
*
|
|
* Although this structure is internal it is shared with
|
|
* plugins and such changes will result in data corruption
|
|
* if plugins are not built with a matching version.
|
|
*/
|
|
typedef struct krb5_context_data {
|
|
heim_context hcontext;
|
|
krb5_enctype *etypes;
|
|
krb5_enctype *cfg_etypes;
|
|
krb5_enctype *etypes_des;/* deprecated */
|
|
krb5_enctype *as_etypes;
|
|
krb5_enctype *tgs_etypes;
|
|
krb5_enctype *permitted_enctypes;
|
|
char **default_realms;
|
|
time_t max_skew;
|
|
time_t kdc_timeout;
|
|
time_t host_timeout;
|
|
unsigned max_retries;
|
|
int32_t kdc_sec_offset;
|
|
int32_t kdc_usec_offset;
|
|
krb5_config_section *cf;
|
|
const krb5_cc_ops **cc_ops;
|
|
int num_cc_ops;
|
|
const char *http_proxy;
|
|
const char *socks4a_proxy;
|
|
const char *time_fmt;
|
|
krb5_boolean log_utc;
|
|
const char *default_keytab;
|
|
const char *default_keytab_modify;
|
|
krb5_boolean use_admin_kdc;
|
|
krb5_addresses *extra_addresses;
|
|
krb5_boolean scan_interfaces; /* `ifconfig -a' */
|
|
krb5_boolean srv_lookup; /* do SRV lookups */
|
|
krb5_boolean srv_try_txt; /* try TXT records also */
|
|
int32_t fcache_vno; /* create cache files w/ this
|
|
version */
|
|
int num_kt_types; /* # of registered keytab types */
|
|
struct krb5_keytab_data *kt_types; /* registered keytab types */
|
|
const char *date_fmt;
|
|
krb5_error_code error_code;
|
|
krb5_addresses *ignore_addresses;
|
|
char *default_cc_name;
|
|
char *default_cc_name_env;
|
|
char *configured_default_cc_name;
|
|
int default_cc_name_set;
|
|
int large_msg_size;
|
|
int max_msg_size;
|
|
int tgs_negative_timeout; /* timeout for TGS negative cache */
|
|
int flags;
|
|
#define KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME 1
|
|
#define KRB5_CTX_F_CHECK_PAC 2
|
|
#define KRB5_CTX_F_HOMEDIR_ACCESS 4
|
|
#define KRB5_CTX_F_SOCKETS_INITIALIZED 8
|
|
#define KRB5_CTX_F_RD_REQ_IGNORE 16
|
|
#define KRB5_CTX_F_FCACHE_STRICT_CHECKING 32
|
|
#define KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE 64
|
|
#define KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME 128
|
|
struct send_to_kdc *send_to_kdc;
|
|
#ifdef PKINIT
|
|
hx509_context hx509ctx;
|
|
#endif
|
|
unsigned int num_kdc_requests;
|
|
krb5_name_canon_rule name_canon_rules;
|
|
size_t config_include_depth;
|
|
krb5_boolean no_ticket_store; /* Don't store service tickets */
|
|
|
|
/* OpenSSL 3.x */
|
|
krb5_context_ossl ossl;
|
|
} krb5_context_data;
|
|
|
|
#define KRB5_DEFAULT_CCNAME_FILE "FILE:%{TEMP}/krb5cc_%{uid}"
|
|
#define KRB5_DEFAULT_CCNAME_DIR "DIR:%{TEMP}/krb5cc_%{uid}_dir/"
|
|
#define KRB5_DEFAULT_CCNAME_API "API:"
|
|
#define KRB5_DEFAULT_CCNAME_KCM_KCM "KCM:%{uid}"
|
|
#define KRB5_DEFAULT_CCNAME_KCM_API "API:%{uid}"
|
|
|
|
#define EXTRACT_TICKET_ALLOW_CNAME_MISMATCH 1
|
|
#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 2
|
|
#define EXTRACT_TICKET_MATCH_REALM 4
|
|
#define EXTRACT_TICKET_AS_REQ 8
|
|
#define EXTRACT_TICKET_TIMESYNC 16
|
|
#define EXTRACT_TICKET_MATCH_ANON 32
|
|
|
|
/*
|
|
* Configurable options
|
|
*/
|
|
|
|
#ifndef KRB5_DEFAULT_CCTYPE
|
|
#ifdef __APPLE__
|
|
#define KRB5_DEFAULT_CCTYPE (&krb5_acc_ops)
|
|
#else
|
|
#define KRB5_DEFAULT_CCTYPE (&krb5_fcc_ops)
|
|
#endif
|
|
#endif
|
|
|
|
#ifndef KRB5_ADDRESSLESS_DEFAULT
|
|
#define KRB5_ADDRESSLESS_DEFAULT TRUE
|
|
#endif
|
|
|
|
#ifndef KRB5_FORWARDABLE_DEFAULT
|
|
#define KRB5_FORWARDABLE_DEFAULT TRUE
|
|
#endif
|
|
|
|
#ifndef KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME
|
|
#define KRB5_CONFIGURATION_CHANGE_NOTIFY_NAME "org.h5l.Kerberos.configuration-changed"
|
|
#endif
|
|
|
|
#ifndef KRB5_FALLBACK_DEFAULT
|
|
#define KRB5_FALLBACK_DEFAULT TRUE
|
|
#endif
|
|
|
|
#ifndef KRB5_TKT_LIFETIME_DEFAULT
|
|
# define KRB5_TKT_LIFETIME_DEFAULT 15778800 /* seconds */
|
|
#endif
|
|
|
|
#ifndef KRB5_TKT_RENEW_LIFETIME_DEFAULT
|
|
# define KRB5_TKT_RENEW_LIFETIME_DEFAULT 15778800 /* seconds */
|
|
#endif
|
|
|
|
#ifdef PKINIT
|
|
|
|
struct krb5_pk_identity {
|
|
hx509_verify_ctx verify_ctx;
|
|
hx509_certs certs;
|
|
hx509_cert cert;
|
|
hx509_certs anchors;
|
|
hx509_certs certpool;
|
|
hx509_revoke_ctx revokectx;
|
|
int flags;
|
|
#define PKINIT_BTMM 1
|
|
#define PKINIT_NO_KDC_ANCHOR 2
|
|
};
|
|
|
|
enum krb5_pk_type {
|
|
PKINIT_WIN2K = 1,
|
|
PKINIT_27 = 2
|
|
};
|
|
|
|
enum keyex_enum { USE_RSA, USE_DH, USE_ECDH };
|
|
|
|
struct krb5_pk_init_ctx_data {
|
|
TD_DH_PARAMETERS *kdc_sig_algs;
|
|
TD_DH_PARAMETERS *kdc_dh_algs;
|
|
const heim_oid *want_sig_alg;
|
|
const heim_oid *want_dh_alg;
|
|
const heim_oid *want_kdf_alg;
|
|
struct krb5_pk_identity *id;
|
|
enum keyex_enum keyex;
|
|
EVP_PKEY *pkey;
|
|
krb5_data *clientDHNonce;
|
|
struct krb5_dh_moduli **m;
|
|
hx509_peer_info peer;
|
|
krb5_principal client;
|
|
krb5_principal server;
|
|
krb5_data as_req;
|
|
krb5_data pk_as_rep;
|
|
enum krb5_pk_type type;
|
|
unsigned int kdc_dh_alg_idx:8; /* 256 is plenty */
|
|
unsigned int require_binding:1;
|
|
unsigned int require_eku:1;
|
|
unsigned int require_krbtgt_otherName:1;
|
|
unsigned int require_hostname_match:1;
|
|
unsigned int trustedCertifiers:1;
|
|
unsigned int anonymous:1;
|
|
unsigned int kdc_verified:1;
|
|
};
|
|
|
|
#endif /* PKINIT */
|
|
|
|
struct krb5_fast_state {
|
|
enum PA_FX_FAST_REQUEST_enum type;
|
|
unsigned int flags;
|
|
#define KRB5_FAST_REPLY_KEY_USE_TO_ENCRYPT_THE_REPLY 0x0001
|
|
#define KRB5_FAST_REPLY_KEY_USE_IN_TRANSACTION 0x0002
|
|
#define KRB5_FAST_KDC_REPLY_KEY_REPLACED 0x0004
|
|
#define KRB5_FAST_REPLY_REPLY_VERIFIED 0x0008
|
|
#define KRB5_FAST_STRONG 0x0010
|
|
#define KRB5_FAST_EXPECTED 0x0020 /* in exchange with KDC, fast was discovered */
|
|
#define KRB5_FAST_REQUIRED 0x0040 /* fast required by action of caller */
|
|
#define KRB5_FAST_DISABLED 0x0080
|
|
|
|
#define KRB5_FAST_AP_ARMOR_SERVICE 0x0100
|
|
#define KRB5_FAST_OPTIMISTIC 0x0200 /* Optimistic try, like Anon + PKINIT or service fast bit */
|
|
#define KRB5_FAST_REQUIRE_ENC_PA 0x0400
|
|
|
|
#define KRB5_FAST_AS_REQ 0x1000
|
|
#define KRB5_FAST_ANON_PKINIT_ARMOR 0x2000
|
|
#define KRB5_FAST_KDC_VERIFIED 0x4000
|
|
|
|
krb5_keyblock *reply_key;
|
|
krb5_ccache armor_ccache;
|
|
krb5_auth_context armor_ac;
|
|
KrbFastArmor *armor_data;
|
|
krb5_principal armor_service;
|
|
krb5_crypto armor_crypto;
|
|
krb5_keyblock armor_key;
|
|
krb5_keyblock *strengthen_key;
|
|
|
|
/* KRB5_FAST_ANON_PKINIT_ARMOR */
|
|
krb5_get_init_creds_opt *anon_pkinit_opt;
|
|
krb5_init_creds_context anon_pkinit_ctx;
|
|
};
|
|
|
|
struct krb5_decrypt_tkt_with_subkey_state {
|
|
krb5_keyblock *subkey;
|
|
struct krb5_fast_state *fast_state;
|
|
};
|
|
|
|
#define ISTILDE(x) (x == '~')
|
|
#ifdef _WIN32
|
|
# define ISPATHSEP(x) (x == '/' || x =='\\')
|
|
#else
|
|
# define ISPATHSEP(x) (x == '/')
|
|
#endif
|
|
|
|
/* Flag in KRB5_AUTHDATA_AP_OPTIONS */
|
|
#define KERB_AP_OPTIONS_CBT 0x00004000
|
|
|
|
/* Flag in PAC_ATTRIBUTES_INFO */
|
|
#define KRB5_PAC_WAS_REQUESTED 0x1
|
|
#define KRB5_PAC_WAS_GIVEN_IMPLICITLY 0x2
|
|
|
|
#endif /* __KRB5_LOCL_H__ */
|