/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
 * Copyright 1993 by OpenVision Technologies, Inc.
 *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appears in all copies and
 * that both that copyright notice and this permission notice appear in
 * supporting documentation, and that the name of OpenVision not be used
 * in advertising or publicity pertaining to distribution of the software
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose. It is provided "as is" without express or implied warranty.
 *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Kerberos-specific extensions to the GSS-API: the krb5 mechanism and
 * name-type OIDs, the "lucid" (non-opaque) security-context layout, and
 * a handful of krb5-only entry points (credential cache, keytab, replay
 * cache and enctype controls).  Everything declared here is specific to
 * the krb5 mechanism; portable GSS-API code should not depend on it.
 */

#ifndef _GSSAPI_KRB5_H_
#define _GSSAPI_KRB5_H_

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
#include <krb5.h>
#include <stdint.h>             /* uint64_t for the lucid sequence numbers */

/* C++ friendliness */
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

/* Reserved static storage for GSS_oids. See rfc 1964 for more details. */

/* 2.1.1. Kerberos Principal Name Form: */
GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */

/* 2.1.2. Host-Based Service Name Form */
/* The krb5-specific name is kept only as an alias of the generic OID. */
#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) service_name(4)}. The previously recommended symbolic
 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The
 * currently preferred symbolic name for this type is
 * "GSS_C_NT_HOSTBASED_SERVICE". */

/* 2.2.1. User Name Form */
#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) user_name(1)}. The recommended symbolic name for this
 * type is "GSS_KRB5_NT_USER_NAME". */

/* 2.2.2. Machine UID Form */
#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) machine_uid_name(2)}. The recommended symbolic name for
 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */

/* 2.2.3. String UID Form */
#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) string_uid_name(3)}. The recommended symbolic name for
 * this type is "GSS_KRB5_NT_STRING_UID_NAME". */

/* Kerberos Enterprise Name Form (see RFC 6806 section 5): */
GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_ENTERPRISE_NAME;
/* {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5-enterprise-name(6)}. */

/* Kerberos X.509 DER-encoded certificate */
GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_X509_CERT;
/* {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5-x509-cert(7)}. */

/*
 * Mechanism OIDs.  gss_mech_krb5 is the standard krb5 mechanism;
 * gss_mech_krb5_old and gss_mech_krb5_wrong are legacy/compat variants
 * (exact semantics are not documented in this header), and
 * gss_mech_iakerb is the IAKERB mechanism.
 */
GSS_DLLIMP extern const gss_OID gss_mech_krb5;
GSS_DLLIMP extern const gss_OID gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID gss_mech_krb5_wrong;
GSS_DLLIMP extern const gss_OID gss_mech_iakerb;
/* Ready-made OID sets for the gss_OID_set parameters of gss_acquire_cred()
 * and friends: the standard mech only, the old mech only, or both. */
GSS_DLLIMP extern const gss_OID_set gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set gss_mech_set_krb5_both;

/* Older spellings of the krb5 name-type OIDs, kept for source compat. */
GSS_DLLIMP extern const gss_OID gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID gss_nt_krb5_principal;

/* Table of every OID object the krb5 mechanism exports; the named
 * gss_OID pointers above point into it. */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];

/*
 * This OID can be used with gss_set_cred_option() to suppress the
 * confidentiality and integrity flags from being asserted in initial context
 * tokens.
 *
 * Because it removes those flags from what the initiator requests, it
 * should only be set deliberately, for peers that require it.
 *
 * iso(1) member-body(2) Sweden(752) Stockholm University(43) Heimdal GSS-API
 * Extensions(13) no_ci_flags(29)
 */
GSS_DLLIMP extern const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;

/*
 * This OID can be used with gss_inquire_cred_by_oid() to retrieve the
 * impersonator name (if any).
 *
 * iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5-gssapi-ext(5) get-cred-impersonator(14)
 */
GSS_DLLIMP extern const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR;

/*
 * Deprecated aliases.  The first two map onto the gss_nt_krb5_* OIDs
 * declared above; the remaining four map onto generic gss_nt_* OIDs
 * that are declared elsewhere (not in this header).
 */
#define gss_krb5_nt_general_name gss_nt_krb5_name
#define gss_krb5_nt_principal gss_nt_krb5_principal
#define gss_krb5_nt_service_name gss_nt_service_name
#define gss_krb5_nt_user_name gss_nt_user_name
#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name

/*
 * A raw Kerberos key as exposed by the lucid context.  'data' points at
 * the actual key bytes, so any structure containing one of these is
 * sensitive material: keep it in memory only as long as needed and
 * release the whole lucid context with gss_krb5_free_lucid_sec_context().
 */
typedef struct gss_krb5_lucid_key {
    OM_uint32 type;             /* key encryption type */
    OM_uint32 length;           /* length of key data */
    void * data;                /* actual key data */
} gss_krb5_lucid_key_t;

/* Key material for an RFC 1964 (protocol == 0) context. */
typedef struct gss_krb5_rfc1964_keydata {
    OM_uint32 sign_alg;         /* signing algorithm */
    OM_uint32 seal_alg;         /* seal/encrypt algorithm */
    gss_krb5_lucid_key_t ctx_key;
                                /* Context key
                                   (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;

/* Key material for a CFX (protocol == 1) context. */
typedef struct gss_krb5_cfx_keydata {
    OM_uint32 have_acceptor_subkey;
                                /* 1 if there is an acceptor_subkey
                                   present, 0 otherwise */
    gss_krb5_lucid_key_t ctx_key;
                                /* Context key
                                   (Kerberos session key or subkey) */
    gss_krb5_lucid_key_t acceptor_subkey;
                                /* acceptor-asserted subkey or
                                   0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;

/*
 * Version 1 of the lucid (non-opaque) context returned through the
 * void ** out-parameter of gss_krb5_export_lucid_sec_context().
 * Exactly one of rfc1964_kd / cfx_kd is meaningful, selected by
 * 'protocol'; the other is expected to be zero.
 */
typedef struct gss_krb5_lucid_context_v1 {
    OM_uint32 version;          /* Structure version number (1)
                                   MUST be at beginning of struct! */
    OM_uint32 initiate;         /* Are we the initiator? */
    OM_uint32 endtime;          /* expiration time of context
                                   (32-bit field; the epoch/units are not
                                   specified here -- presumably a krb5
                                   timestamp, confirm before comparing) */
    uint64_t send_seq;          /* sender sequence number */
    uint64_t recv_seq;          /* receive sequence number */
    OM_uint32 protocol;         /* 0: rfc1964,
                                   1: draft-ietf-krb-wg-gssapi-cfx-07 */
    /*
     * if (protocol == 0) rfc1964_kd should be used
     * and cfx_kd contents are invalid and should be zero
     * if (protocol == 1) cfx_kd should be used
     * and rfc1964_kd contents are invalid and should be zero
     */
    gss_krb5_rfc1964_keydata_t rfc1964_kd;
    gss_krb5_cfx_keydata_t cfx_kd;
} gss_krb5_lucid_context_v1_t;

/*
 * Mask for determining the version of a lucid context structure. Callers
 * should not require this.
 *
 * Every lucid context version starts with an OM_uint32 version field, so a
 * pointer to any of them can be read through this type to find out which
 * full structure to cast to.
 */
typedef struct gss_krb5_lucid_context_version {
    OM_uint32 version;          /* Structure version number */
} gss_krb5_lucid_context_version_t;




/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Registers the identity an acceptor uses.  The meaning of the string
 * argument is not documented here; presumably it names the acceptor's
 * key source (e.g. a keytab) -- confirm against the implementation.
 * Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);

/*
 * Retrieves the ticket flags of the Kerberos ticket behind an established
 * context.
 *   minor_status   - receives the mechanism-specific status
 *   context_handle - an established krb5 security context
 *   ticket_flags   - receives the krb5_flags of the ticket
 * Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
    OM_uint32 *minor_status,
    gss_ctx_id_t context_handle,
    krb5_flags *ticket_flags);

/*
 * Copy krb5 creds from cred_handle into out_ccache, which must already be
 * initialized. Use gss_store_cred_into() (new in krb5 1.11) instead, if
 * possible.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
    OM_uint32 *minor_status,
    gss_cred_id_t cred_handle,
    krb5_ccache out_ccache);

/*
 * Sets the credential cache name used by the krb5 mechanism to 'name' and,
 * when out_name is non-NULL, returns the previously set name through it.
 * NOTE(review): the lifetime of *out_name and whether the setting is
 * per-thread or process-wide are not stated in this header -- confirm
 * before retaining the pointer or relying on it across threads.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
    OM_uint32 *minor_status, const char *name,
    const char **out_name);

/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred(). It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * 'ktypes' is an array of num_ktypes enctypes; the caller keeps
 * ownership of the array.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
                                gss_cred_id_t cred,
                                OM_uint32 num_ktypes,
                                krb5_enctype *ktypes);

/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call. The GSS implementation is free to release any
 * resources associated with the original context. It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data. The caller should treat the returned
 * lucid context as read-only.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
 * The returned structure contains raw key material (see
 * gss_krb5_lucid_key_t), so it should be freed as soon as it is no
 * longer needed.
 *
 * 'version' is an integer indicating the requested version of the lucid
 * context. If the implementation does not understand the requested version,
 * it will return an error. Version 1 yields a gss_krb5_lucid_context_v1_t,
 * delivered through 'kctx'.
 *
 * For example:
 *      void *return_ctx;
 *      gss_krb5_lucid_context_v1_t *ctx;
 *      OM_uint32 min_stat, maj_stat;
 *      gss_ctx_id_t ctx_handle;   // an established context
 *
 *      maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *                      &ctx_handle, 1, &return_ctx);
 *      // Verify success
 *      ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 *      // ... use ctx, then:
 *      gss_krb5_free_lucid_sec_context(&min_stat, return_ctx);
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
                                  gss_ctx_id_t *context_handle,
                                  OM_uint32 version,
                                  void **kctx);

/*
 * Frees the allocated storage associated with an exported lucid context
 * (e.g. a gss_krb5_lucid_context_v1_t obtained from
 * gss_krb5_export_lucid_sec_context()).  'kctx' is the pointer that was
 * returned through that function's kctx parameter.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
                                void *kctx);


/*
 * Extracts authorization data of type 'ad_type' from the context's ticket
 * into 'ad_data'.  The header does not say how the result is allocated;
 * presumably the caller releases it with gss_release_buffer() -- confirm.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                            int ad_type,
                                            gss_buffer_t ad_data);

/*
 * Associates a replay cache with an acceptor credential so that context
 * establishment checks incoming tokens against it.  Ownership of 'rcache'
 * after the call is not documented here -- confirm before closing it.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
                         gss_cred_id_t cred,
                         krb5_rcache rcache);

/*
 * Extracts the authentication time from an established context.
 * Parameters (unnamed in the prototype): minor status out, the context
 * handle, and the krb5_timestamp to fill in.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);

/*
 * Builds a GSS credential handle directly from krb5 objects: a credential
 * cache 'id' for the initiator side and/or a keytab (optionally restricted
 * to 'keytab_principal') for the acceptor side.  The new handle is
 * returned through 'cred'.  Whether the krb5 objects are referenced or
 * copied is not documented here; assume the handle may keep using them
 * until it is released.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_import_cred(OM_uint32 *minor_status,
                     krb5_ccache id,
                     krb5_principal keytab_principal,
                     krb5_keytab keytab,
                     gss_cred_id_t *cred);

#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif /* _GSSAPI_KRB5_H_ */