1 files changed, 168 insertions, 22 deletions

diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h
index adbb94765fcf..caee019af98f 100644
--- a/kdc/kdc_locl.h
+++ b/kdc/kdc_locl.h
@@ -41,54 +41,180 @@
 #include "headers.h"
 
 typedef struct pk_client_params pk_client_params;
-struct DigestREQ;
-struct Kx509Request;
-typedef struct kdc_request_desc *kdc_request_t;
+typedef struct gss_client_params gss_client_params;
 
 #include <kdc-private.h>
 
 #define FAST_EXPIRATION_TIME (3 * 60)
 
+/* KFE == KDC_FIND_ETYPE */
+#define KFE_IS_TGS	0x1
+#define KFE_IS_PREAUTH	0x2
+#define KFE_USE_CLIENT	0x4
+
+#define heim_pcontext krb5_context
+#define heim_pconfig krb5_kdc_configuration *
+#include <heimbase-svc.h>
+
+#define KDC_AUDIT_EATWHITE      HEIM_SVC_AUDIT_EATWHITE
+#define KDC_AUDIT_VIS           HEIM_SVC_AUDIT_VIS
+#define KDC_AUDIT_VISLAST       HEIM_SVC_AUDIT_VISLAST
+
 struct kdc_request_desc {
-    krb5_context context;
-    krb5_kdc_configuration *config;
+    HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS;
+};
 
-    /* */
+struct kdc_patypes;
 
-    krb5_data request;
-    KDC_REQ req;
-    METHOD_DATA *padata;
+struct krb5_kdc_configuration {
+    KRB5_KDC_CONFIGURATION_COMMON_ELEMENTS;
+
+    int num_kdc_processes;
+
+    size_t max_datagram_reply_length;
+
+    time_t kdc_warn_pwexpire; /* time before expiration to print a warning */
+
+    unsigned int require_preauth : 1; /* require preauth for all principals */
+    unsigned int encode_as_rep_as_tgs_rep : 1; /* bug compatibility */
+
+    /*
+     * Windows 2019 (and earlier versions) always sends the salt
+     * and Samba has testsuites that check this behaviour, so a
+     * Samba AD DC will set this flag to match the AS-REP packet
+     * exactly.
+     */
+    unsigned int force_include_pa_etype_salt : 1;
+
+    unsigned int tgt_use_strongest_session_key : 1;
+    unsigned int preauth_use_strongest_session_key : 1;
+    unsigned int svc_use_strongest_session_key : 1;
+    unsigned int use_strongest_server_key : 1;
 
-    /* out */
+    unsigned int check_ticket_addresses : 1;
+    unsigned int warn_ticket_addresses : 1;
+    unsigned int allow_null_ticket_addresses : 1;
+    unsigned int allow_anonymous : 1;
+    unsigned int historical_anon_realm : 1;
+    unsigned int strict_nametypes : 1;
+    enum krb5_kdc_trpolicy trpolicy;
 
-    METHOD_DATA outpadata;
-    
+    unsigned int require_pac : 1;
+    unsigned int disable_pac : 1;
+    unsigned int enable_fast : 1;
+    unsigned int enable_armored_pa_enc_timestamp : 1;
+    unsigned int enable_unarmored_pa_enc_timestamp : 1;
+
+    unsigned int enable_pkinit : 1;
+    unsigned int pkinit_princ_in_cert : 1;
+    const char *pkinit_kdc_identity;
+    const char *pkinit_kdc_anchors;
+    const char *pkinit_kdc_friendly_name;
+    const char *pkinit_kdc_ocsp_file;
+    char **pkinit_kdc_cert_pool;
+    char **pkinit_kdc_revoke;
+    int pkinit_dh_min_bits;
+    unsigned int pkinit_require_binding : 1;
+    unsigned int pkinit_allow_proxy_certs : 1;
+    unsigned int synthetic_clients : 1;
+    unsigned int pkinit_max_life_from_cert_extension : 1;
+    krb5_timestamp pkinit_max_life_from_cert;
+    krb5_timestamp pkinit_max_life_bound;
+    krb5_timestamp synthetic_clients_max_life;
+    krb5_timestamp synthetic_clients_max_renew;
+
+    int digests_allowed;
+    unsigned int enable_digest : 1;
+
+    unsigned int enable_kx509 : 1;
+
+    unsigned int enable_gss_preauth : 1;
+    unsigned int enable_gss_auth_data : 1;
+    gss_OID_set gss_mechanisms_allowed;
+    gss_OID_set gss_cross_realm_mechanisms_allowed;
+
+};
+
+struct astgs_request_desc {
+    HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS;
+
+    /* AS-REQ or TGS-REQ */
+    KDC_REQ req;
+
+    /* AS-REP or TGS-REP */
     KDC_REP rep;
     EncTicketPart et;
     EncKDCRepPart ek;
 
+    /* client principal (AS) or TGT/S4U principal (TGS) */
+    krb5_principal client_princ;
+    hdb_entry *client;
+    HDB *clientdb;
+    krb5_principal canon_client_princ;
+
+    /* server principal */
+    krb5_principal server_princ;
+    HDB *serverdb;
+    hdb_entry *server;
+
+    /* presented ticket in TGS-REQ (unused by AS) */
+    krb5_principal krbtgt_princ;
+    hdb_entry *krbtgt;
+    HDB *krbtgtdb;
+    krb5_ticket *ticket;
+
+    krb5_keyblock reply_key;
+
+    krb5_pac pac;
+    uint64_t pac_attributes;
+
+    /* Only AS */
+    const struct kdc_patypes *pa_used;
+
     /* PA methods can affect both the reply key and the session key (pkinit) */
     krb5_enctype sessionetype;
-    krb5_keyblock reply_key;
     krb5_keyblock session_key;
 
-    const char *e_text;
+    krb5_timestamp pa_endtime;
+    krb5_timestamp pa_max_life;
 
-    /* state */
-    krb5_principal client_princ;
-    char *client_name;
-    hdb_entry_ex *client;
-    HDB *clientdb;
+    krb5_keyblock strengthen_key;
+    const Key *ticket_key;
 
-    krb5_principal server_princ;
-    char *server_name;
-    hdb_entry_ex *server;
+    /* only valid for tgs-req */
+    unsigned int rk_is_subkey : 1;
+    unsigned int fast_asserted : 1;
+    unsigned int explicit_armor_present : 1;
 
     krb5_crypto armor_crypto;
+    hdb_entry *armor_server;
+    HDB *armor_serverdb;
+    krb5_ticket *armor_ticket;
+    Key *armor_key;
+
+    hdb_entry *explicit_armor_client;
+    HDB *explicit_armor_clientdb;
+    krb5_pac explicit_armor_pac;
 
     KDCFastState fast;
 };
 
+typedef struct kx509_req_context_desc {
+    HEIM_SVC_REQUEST_DESC_COMMON_ELEMENTS;
+
+    struct Kx509Request req;
+    Kx509CSRPlus csr_plus;
+    krb5_auth_context ac;
+    const char *realm; /* XXX Confusion: is this crealm or srealm? */
+    krb5_keyblock *key;
+    hx509_request csr;
+    krb5_times ticket_times;
+    unsigned int send_chain:1;          /* Client expects a full chain */
+    unsigned int have_csr:1;            /* Client sent a CSR */
+} *kx509_req_context;
+
+#undef heim_pconfig
+#undef heim_pcontext
 
 extern sig_atomic_t exit_flag;
 extern size_t max_request_udp;
@@ -125,4 +251,24 @@ configure(krb5_context context, int argc, char **argv, int *optidx);
 void bonjour_announce(krb5_context, krb5_kdc_configuration *);
 #endif
 
+/* no-copy setters */
+
+#undef _KDC_REQUEST_GET_ACCESSOR
+#undef _KDC_REQUEST_SET_ACCESSOR
+
+#undef _KDC_REQUEST_GET_ACCESSOR_PTR
+#undef _KDC_REQUEST_SET_ACCESSOR_PTR
+#define _KDC_REQUEST_SET_ACCESSOR_PTR(R, T, t, f)	    \
+    void						    \
+    _kdc_request_set_ ## f ## _nocopy(R r, T *v);
+
+#undef _KDC_REQUEST_GET_ACCESSOR_STRUCT
+#undef _KDC_REQUEST_SET_ACCESSOR_STRUCT
+#define _KDC_REQUEST_SET_ACCESSOR_STRUCT(R, T, t, f)	    \
+    void						    \
+    _kdc_request_set_ ## f ## _nocopy(R r, T *v);
+
+#undef HEIMDAL_KDC_KDC_ACCESSORS_H
+#include "kdc-accessors.h"
+
 #endif /* __KDC_LOCL_H__ */