1 /* -*- mode: c; indent-tabs-mode: nil -*- */
2 /*
3 * Copyright 2000, 2008 by the Massachusetts Institute of Technology.
4 * All Rights Reserved.
5 *
6 * Export of this software from the United States of America may
7 * require a specific license from the United States Government.
8 * It is the responsibility of any person or organization contemplating
9 * export to obtain such a license before exporting.
10 *
11 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
12 * distribute this software and its documentation for any purpose and
13 * without fee is hereby granted, provided that the above copyright
14 * notice appear in all copies and that both that copyright notice and
15 * this permission notice appear in supporting documentation, and that
16 * the name of M.I.T. not be used in advertising or publicity pertaining
17 * to distribution of the software without specific, written prior
18 * permission. Furthermore if you modify this software you must label
19 * your software as modified software and not distribute it in such a
20 * fashion that it might be confused with the original M.I.T. software.
21 * M.I.T. makes no representations about the suitability of
22 * this software for any purpose. It is provided "as is" without express
23 * or implied warranty.
24 *
25 */
26 /*
27 * Copyright 1993 by OpenVision Technologies, Inc.
28 *
29 * Permission to use, copy, modify, distribute, and sell this software
30 * and its documentation for any purpose is hereby granted without fee,
31 * provided that the above copyright notice appears in all copies and
32 * that both that copyright notice and this permission notice appear in
33 * supporting documentation, and that the name of OpenVision not be used
34 * in advertising or publicity pertaining to distribution of the software
35 * without specific, written prior permission. OpenVision makes no
36 * representations about the suitability of this software for any
37 * purpose. It is provided "as is" without express or implied warranty.
38 *
39 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
40 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
41 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
42 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
43 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
44 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
45 * PERFORMANCE OF THIS SOFTWARE.
46 */
47
48 #ifndef _GSSAPIP_KRB5_H_
49 #define _GSSAPIP_KRB5_H_
50
51 #include <k5-int.h>
52
53 #ifdef HAVE_MEMORY_H
54 #include <memory.h>
55 #endif
56
/* Work around SunOS system headers that define major() and minor() as
 * macros; left defined they would break gssapi_krb5.h, included below. */
58 #ifdef major
59 #undef major
60 #endif
61 #ifdef minor
62 #undef minor
63 #endif
64
65 #include "gssapiP_generic.h"
66
/* gssapi_krb5.h is included only after the #undefs above so that it does the
 * right thing with major/minor no longer defined as macros.
 */
70 #include "gssapi_krb5.h"
71 #include "gssapi_err_krb5.h"
72 #include "gssapi_ext.h"
73
74 /* for debugging */
75 #undef CFX_EXERCISE
76
77 /** constants **/
78
/*
 * Mechanism OIDs as DER contents octets (no tag or length byte), each paired
 * with a *_LENGTH giving the byte count of the string.  The two must be kept
 * in sync by hand: a wrong length turns an OID comparison into a prefix match
 * or a guaranteed mismatch.
 *
 *   GSS_MECH_KRB5_OID        1.2.840.113554.1.2.2   (RFC 1964 / RFC 4121)
 *   GSS_MECH_KRB5_OLD_OID    1.3.5.1.5.2            (pre-RFC 1964 krb5)
 *   GSS_MECH_KRB5_WRONG_OID  1.2.840.48018.1.2.2    (see note below)
 *   GSS_MECH_IAKERB_OID      1.3.6.1.5.2.5
 */
#define GSS_MECH_KRB5_OID_LENGTH 9
#define GSS_MECH_KRB5_OID "\052\206\110\206\367\022\001\002\002"

#define GSS_MECH_KRB5_OLD_OID_LENGTH 5
#define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002"

/* Incorrect krb5 mech OID emitted by MS: the middle byte of the third arc is
 * \202 instead of \206, so it decodes as 48018 rather than 113554.  It is
 * recognized so tokens from Windows peers interoperate; presumably it is
 * never advertised as our own mechanism. */
#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9
#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"

/* IAKERB variant (initial authentication tunnelled through the GSS exchange) */
#define GSS_MECH_IAKERB_OID_LENGTH 6
#define GSS_MECH_IAKERB_OID "\053\006\001\005\002\005"
92
/* Set of every mechanism OID this module implements (presumably the ones
 * defined above), for indicate_mechs-style queries. */
extern const gss_OID_set kg_all_mechs;

/* Type of the AP-REQ authenticator checksum that carries the channel-binding
 * hash, the requested GSS flags and any delegated credential (RFC 4121
 * section 4.1.1); 0x8003 on the wire.  "CB" = channel bindings. */
#define CKSUMTYPE_KG_CB 0x8003

/*
 * Two-byte TOK_ID values, written as host constants whose high byte is
 * emitted first (KG_TOK_CTX_AP_REQ is the bytes 01 00 on the wire).
 *
 *   KG_TOK_*         RFC 1964 identifiers.  SIGN/SEAL are the older names
 *                    for the same values as MIC/WRAP, kept purely as aliases.
 *   KG2_TOK_*        RFC 4121 (CFX) identifiers, section 4.2.6.
 *   IAKERB_TOK_PROXY IAKERB proxy token, for the IAKERB mechanism above.
 */
#define KG_TOK_CTX_AP_REQ 0x0100
#define KG_TOK_CTX_AP_REP 0x0200
#define KG_TOK_CTX_ERROR 0x0300
#define KG_TOK_SIGN_MSG 0x0101
#define KG_TOK_SEAL_MSG 0x0201
#define KG_TOK_MIC_MSG 0x0101
#define KG_TOK_WRAP_MSG 0x0201
#define KG_TOK_DEL_CTX 0x0102
#define KG2_TOK_MIC_MSG 0x0404
#define KG2_TOK_WRAP_MSG 0x0504
#define KG2_TOK_DEL_CTX 0x0405
#define IAKERB_TOK_PROXY 0x0501

/* NOTE(review): neither this option id nor the KG2_RESP_FLAG_* bits are
 * referenced anywhere else in this header; their consumers are not visible
 * here and the flags may be vestigial.  Confirm before relying on them. */
#define KRB5_GSS_FOR_CREDS_OPTION 1

#define KG2_RESP_FLAG_ERROR 0x0001
#define KG2_RESP_FLAG_DELEG_OK 0x0002
114
/** CFX flags **/
/* Flags octet of RFC 4121 per-message tokens (section 4.2.2):
 *   SENDER_IS_ACCEPTOR  the token was produced by the acceptor (lets the
 *                       receiver reject tokens reflected back in the wrong
 *                       direction)
 *   WRAP_CONFIDENTIAL   the wrap token payload is encrypted, not just MIC'd
 *   ACCEPTOR_SUBKEY     the token is keyed with acceptor_subkey rather than
 *                       subkey (see krb5_gss_ctx_id_rec below) */
#define FLAG_SENDER_IS_ACCEPTOR 0x01
#define FLAG_WRAP_CONFIDENTIAL 0x02
#define FLAG_ACCEPTOR_SUBKEY 0x04
119
/* The SGN_ALG / SEAL_ALG identifiers below are encoded on the wire in
 * little-endian byte order, e.g. SGN_ALG_DES_MAC (0x0002) is emitted as the
 * bytes 02 00. */
enum sgn_alg {
    /* DES-era values, retired; listed so the numbers are never reused:
     * SGN_ALG_DES_MAC_MD5 = 0x0000,
     * SGN_ALG_MD2_5 = 0x0001,
     * SGN_ALG_DES_MAC = 0x0002,
     * SGN_ALG_3 = 0x0003 (not published) */
    SGN_ALG_HMAC_MD5 = 0x0011,          /* RC4-HMAC (RFC 4757; "microsoft w2k").
                                         * RFC 8429 deprecates RC4 -- keep this
                                         * reachable only under enctype policy. */
    SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004  /* des3-cbc-sha1 with key derivation
                                         * (also deprecated by RFC 8429) */
};
enum seal_alg {
    SEAL_ALG_NONE = 0xffff,             /* ff ff on the wire: integrity only,
                                         * no encryption */
    /* DES-era values, retired; listed so the numbers are never reused:
     * SEAL_ALG_DES = 0x0000,
     * SEAL_ALG_1 = 0x0001 (not published) */
    SEAL_ALG_MICROSOFT_RC4 = 0x0010,    /* RC4-HMAC (RFC 4757; "microsoft w2k"),
                                         * deprecated by RFC 8429 */
    SEAL_ALG_DES3KD = 0x0002            /* des3-cbc-sha1 with key derivation,
                                         * deprecated by RFC 8429 */
};
137
/* Key usage numbers: the `usage` argument of the kg_encrypt/kg_decrypt family
 * and of the checksum helpers declared below.
 *
 * RFC 1964 tokens with the 3DES enhancements use one usage per purpose: */
#define KG_USAGE_SEAL 22
#define KG_USAGE_SIGN 23
#define KG_USAGE_SEQ 24

/* RFC 4121 (draft-ietf-krb-wg-gssapi-cfx-01 when this was written) instead
 * splits usages by direction, so initiator and acceptor traffic never share a
 * keystream or MAC key.  The numbers deliberately overlap the three above;
 * the two sets belong to different token formats (presumably proto 0 vs
 * proto 1 in krb5_gss_ctx_id_rec) and must never be mixed on one context. */
#define KG_USAGE_ACCEPTOR_SEAL 22
#define KG_USAGE_ACCEPTOR_SIGN 23
#define KG_USAGE_INITIATOR_SEAL 24
#define KG_USAGE_INITIATOR_SIGN 25
148
/* Quality-of-protection values for the RFC 1964 path.  The low byte selects
 * the integrity algorithm and the high byte the confidentiality algorithm;
 * the two *_MASK values split a requested QOP into those halves.  DES-based
 * values are retired and kept only as comments so the numbers stay
 * reserved. */
enum qop {
    /* GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, */
    /* GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002, */
    /* GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003, */
    GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,    /* HMAC-SHA1 integrity */
    GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,         /* integrity selector bits */
    /* GSS_KRB5_CONF_C_QOP_DES = 0x0100, */
    GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,       /* 3DES confidentiality */
    GSS_KRB5_CONF_C_QOP_MASK = 0xff00           /* confidentiality selector bits */
};
159
160 /** internal types **/
161
/* A mechanism name (gss_name_t as seen by this mechanism).  The identity
 * fields are fixed when the name is built (see kg_init_name) and may be read
 * without locking; only ad_context is mutable and must be touched with
 * `lock` held. */
typedef struct _krb5_gss_name_rec {
    krb5_principal princ;   /* immutable: the Kerberos principal */
    char *service;          /* immutable: service part of a host-based name */
    char *host;             /* immutable: host part of a host-based name */
    int is_cert;            /* immutable: name was derived from a certificate,
                             * presumably (PKINIT-style); consumer not visible here */
    k5_mutex_t lock;        /* protects ad_context only for now */
    krb5_authdata_context ad_context;   /* authorization-data state; presumably
                                         * backs the name-attribute calls below */
} krb5_gss_name_rec, *krb5_gss_name_t;
170
/*
 * A credential handle.  `lock` guards every field.  Acceptor-side state is
 * the keytab group, initiator-side state the ccache group; a credential whose
 * usage covers both directions may populate both.
 *
 * Security notes:
 *  - `password` is cleartext.  It must be zeroized, not merely freed, when the
 *    credential is released.  NOTE(review): the release path is not in this
 *    header; confirm it scrubs and that the field is never serialized.
 *  - `keytab` holds long-term keys and `rcache` the replay cache; contexts
 *    may borrow the latter (see cred_rcache in krb5_gss_ctx_id_rec).
 */
typedef struct _krb5_gss_cred_id_rec {
    /* protect against simultaneous accesses */
    k5_mutex_t lock;

    /* name/type of credential */
    gss_cred_usage_t usage;             /* initiate, accept, or both */
    krb5_gss_name_t name;               /* principal this credential is for */
    krb5_principal acceptor_mprinc;     /* acceptor matching principal; see
                                         * kg_acceptor_princ below */
    krb5_principal impersonator;        /* non-NULL when the credential was
                                         * obtained on another principal's behalf
                                         * (presumably via the S4U entry points
                                         * below) */
    unsigned int default_identity : 1;  /* acquired for the default identity
                                         * rather than a caller-named one */
    unsigned int iakerb_mech : 1;       /* acquired through the IAKERB entry
                                         * points */
    unsigned int destroy_ccache : 1;    /* we own ccache and must destroy it on
                                         * release */
    unsigned int suppress_ci_flags : 1; /* NOTE(review): consumer not visible
                                         * in this header */

    /* keytab (accept) data */
    krb5_keytab keytab;                 /* long-term keys for accepting AP-REQs */
    krb5_rcache rcache;                 /* replay cache for accepted authenticators */

    /* ccache (init) data */
    krb5_ccache ccache;                 /* ticket cache used to initiate */
    krb5_keytab client_keytab;          /* keytab for refreshing our own TGT */
    krb5_boolean have_tgt;              /* ccache currently holds a TGT */
    krb5_timestamp expire;              /* when the credential stops being usable */
    krb5_timestamp refresh_time;        /* next time kg_cred_time_to_refresh should
                                         * report true; set by
                                         * kg_cred_set_initial_refresh */
    krb5_enctype *req_enctypes;         /* limit negotiated enctypes to this list */
    char *password;                     /* cleartext password retained for
                                         * re-acquisition; sensitive (see above) */
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
198
/* Extension state threaded through the *_ext context-establishment entry
 * points (krb5_gss_init_sec_context_ext / krb5_gss_accept_sec_context_ext). */
typedef struct _krb5_gss_ctx_ext_rec {
    struct {
        krb5_data *conv;    /* IAKERB conversation transcript, presumably the
                             * messages the final checksum must cover */
        int verified;       /* nonzero once the transcript has been checked
                             * against the peer's checksum.  NOTE(review):
                             * treat conv as untrusted until this is set. */
    } iakerb;
} krb5_gss_ctx_ext_rec, *krb5_gss_ctx_ext_t;
205
/*
 * A security context.  Built up during init/accept_sec_context, used by the
 * per-message calls, and flattened by kg_ctx_externalize/kg_ctx_internalize
 * for export/import_sec_context.
 */
typedef struct _krb5_gss_ctx_id_rec {
    krb5_magic magic;                   /* type tag for handle validation
                                         * (presumably checked with kg_vdb) */
    unsigned int initiate : 1;          /* nonzero if initiating, zero if accepting */
    unsigned int established : 1;       /* handshake complete.  NOTE(review):
                                         * per-message entry points should refuse
                                         * to run before this is set; confirm in
                                         * kg_seal/kg_unseal. */
    unsigned int have_acceptor_subkey : 1;  /* acceptor_subkey below is valid
                                             * (RFC 4121 AcceptorSubkey) */
    unsigned int seed_init : 1;         /* XXX tested but never actually set */
    unsigned int terminated : 1;        /* a delete-context token was processed;
                                         * presumably nothing further is accepted */
    OM_uint32 gss_flags;                /* negotiated GSS_C_* flags */
    unsigned char seed[16];             /* output of kg_make_seed; see seed_init */
    krb5_gss_name_t here;               /* our own name */
    krb5_gss_name_t there;              /* the peer's name */
    krb5_key subkey;                    /* One of two potential keys to use with RFC 4121
                                         * packets; this key must always be set. */
    int signalg;                        /* RFC 1964 SGN_ALG in use (enum sgn_alg) */
    size_t cksum_size;                  /* length of the RFC 1964 token checksum.
                                         * NOTE(review): the unseal path must bound
                                         * its reads by this, never by a length the
                                         * peer's token claims. */
    int sealalg;                        /* RFC 1964 SEAL_ALG in use (enum seal_alg) */
    krb5_key enc;                       /* RFC 1964 encryption key; seq xored with a constant
                                         * for DES, seq for other RFC 1964 enctypes */
    krb5_key seq;                       /* RFC 1964 sequencing key */
    krb5_ticket_times krb_times;        /* ticket times; presumably bound the
                                         * context lifetime reported to callers */
    krb5_flags krb_flags;               /* ticket flags; presumably what
                                         * gss_krb5int_get_tkt_flags reports */
    /* Per-message sequence counters.  These used to be signed; the old spec is
     * inspecific and the new one specifies unsigned, and the change does not
     * affect the wire encoding.  They are 64-bit to match RFC 4121's 64-bit
     * sequence number field; the RFC 1964 helpers (kg_make_seq_num /
     * kg_get_seq_num) take krb5_ui_4 and therefore see only the low 32 bits.
     * Receive-side replay / out-of-order state lives in seqstate. */
    uint64_t seq_send;
    uint64_t seq_recv;
    g_seqnum_state seqstate;            /* replay and ordering tracking for
                                         * received tokens (type presumably from
                                         * gssapiP_generic.h) */
    krb5_context k5_context;            /* library context this handle belongs to */
    krb5_auth_context auth_context;     /* krb5 auth context from the
                                         * AP-REQ/AP-REP exchange */
    gss_OID_desc *mech_used;            /* which of the mechanism OIDs above was
                                         * negotiated */
    /* Protocol spec revision for sending packets
       0 => RFC 1964 with 3DES and RC4 enhancements
       1 => RFC 4121
       No others defined so far.  It is always permitted to receive
       tokens in RFC 4121 format.  If enc is non-null, receiving RFC
       1964 tokens is permitted.
       NOTE(review): enc being non-NULL is the only gate on accepting legacy
       RFC 1964 tokens; confirm kg_setup_keys leaves enc NULL for enctypes
       that only speak RFC 4121, so a peer cannot downgrade a CFX context to
       the weaker token format. */
    int proto;
    krb5_cksumtype cksumtype;           /* for "main" subkey */
    krb5_key acceptor_subkey;           /* CFX only; valid when have_acceptor_subkey */
    krb5_cksumtype acceptor_subkey_cksumtype;   /* checksum type paired with
                                                 * acceptor_subkey */
    int cred_rcache;                    /* did we get rcache from creds?  (if so
                                         * the credential owns it, presumably) */
    krb5_authdata **authdata;           /* authorization data from the ticket */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
249
/* Handle validation set (presumably every live context/cred/name is
 * registered here so foreign pointers can be rejected). */
extern g_set kg_vdb;

#ifndef LEAN_CLIENT
/* Serializes keytab access on the acceptor side. */
extern k5_mutex_t gssint_krb5_keytab_lock;
#endif /* LEAN_CLIENT */
255
256 /** helper functions **/
257
/* Acquire the default credential (this process's identity) into *cred. */
OM_uint32 kg_get_defcred
    (OM_uint32 *minor_status,
     gss_cred_id_t *cred);

/* Hash the caller's channel bindings cb into *cksum, presumably the value
 * placed in the CKSUMTYPE_KG_CB authenticator checksum.  This only computes;
 * comparing the initiator's and acceptor's bindings happens elsewhere. */
krb5_error_code kg_checksum_channel_bindings
    (krb5_context context, gss_channel_bindings_t cb,
     krb5_checksum *cksum);

/* RFC 1964 sequence-number field: encode (direction, seqnum) into buf under
 * key, with cksum as the per-token input (presumably the IV RFC 1964
 * specifies).  Note the 32-bit krb5_ui_4 versus the 64-bit counters in
 * krb5_gss_ctx_id_rec. */
krb5_error_code kg_make_seq_num (krb5_context context,
                                 krb5_key key,
                                 int direction, krb5_ui_4 seqnum, unsigned char *cksum,
                                 unsigned char *buf);

/* Inverse of kg_make_seq_num: recover *direction and *seqnum from buf.
 * The result is peer-supplied until the token's checksum has been verified. */
krb5_error_code kg_get_seq_num (krb5_context context,
                                krb5_key key,
                                unsigned char *cksum, unsigned char *buf, int *direction,
                                krb5_ui_4 *seqnum);

/* Derive the 16-byte ctx->seed from key (see seed / seed_init in the context). */
krb5_error_code kg_make_seed (krb5_context context,
                              krb5_key key,
                              unsigned char *seed);
279
/* Derive the per-context keys from subkey into ctx and report the checksum
 * type to pair with the main subkey in *cksumtype. */
krb5_error_code
kg_setup_keys(krb5_context context,
              krb5_gss_ctx_id_rec *ctx,
              krb5_key subkey,
              krb5_cksumtype *cksumtype);

/* Confounder length in bytes for enctype. */
int kg_confounder_size (krb5_context context, krb5_enctype enctype);

/* Fill buf with a fresh confounder for enctype; buf is presumed to hold at
 * least kg_confounder_size(context, enctype) bytes. */
krb5_error_code kg_make_confounder (krb5_context context,
                                    krb5_enctype enctype, unsigned char *buf);

/* Encrypt `length` bytes from in to out with key/usage; iv, when non-NULL,
 * supplies the cipher state.  `length` is unsigned int, not size_t, so a
 * caller holding a size_t must check for truncation first. */
krb5_error_code kg_encrypt (krb5_context context,
                            krb5_key key, int usage,
                            krb5_pointer iv,
                            krb5_const_pointer in,
                            krb5_pointer out,
                            unsigned int length);

/* Encrypt length bytes at ptr in place, with the given key and usage. If
 * iv is not NULL, use it as the cipher state. */
krb5_error_code kg_encrypt_inplace(krb5_context context, krb5_key key,
                                   int usage, krb5_pointer iv,
                                   krb5_pointer ptr, unsigned int length);

/* IOV form of kg_encrypt for RFC 4121 wrap tokens.  ec and rrc are the
 * token's EC (extra count) and RRC (right rotation count) fields; proto and
 * dce_style select the token layout.  iov/iov_count delimit the header, data,
 * padding and trailer buffers. */
krb5_error_code kg_encrypt_iov (krb5_context context,
                                int proto, int dce_style,
                                size_t ec, size_t rrc,
                                krb5_key key, int usage,
                                krb5_pointer iv,
                                gss_iov_buffer_desc *iov,
                                int iov_count);

/* RC4-HMAC (RFC 4757) crypt; RC4 is symmetric so one routine serves both
 * directions.  kd_data is the key-derivation input for usage; output_buf must
 * hold input_len bytes.  RFC 8429 deprecates this enctype -- keep it
 * reachable only where enctype policy allows. */
krb5_error_code
kg_arcfour_docrypt (const krb5_keyblock *keyblock, int usage,
                    const unsigned char *kd_data, size_t kd_data_len,
                    const unsigned char *input_buf, size_t input_len,
                    unsigned char *output_buf);

/* IOV variant of kg_arcfour_docrypt. */
krb5_error_code
kg_arcfour_docrypt_iov (krb5_context context,
                        const krb5_keyblock *keyblock, int usage,
                        const unsigned char *kd_data, size_t kd_data_len,
                        gss_iov_buffer_desc *iov,
                        int iov_count);

/* Decrypt `length` bytes from in to out; mirrors kg_encrypt.  NOTE(review):
 * nothing in this signature carries a MAC, so integrity must be verified via
 * the checksum helpers before plaintext in out is acted upon. */
krb5_error_code kg_decrypt (krb5_context context,
                            krb5_key key, int usage,
                            krb5_pointer iv,
                            krb5_const_pointer in,
                            krb5_pointer out,
                            unsigned int length);

/* IOV form of kg_decrypt; parameters as for kg_encrypt_iov.  ec and rrc come
 * from the received token header and are attacker-controlled until the
 * token's checksum has been verified. */
krb5_error_code kg_decrypt_iov (krb5_context context,
                                int proto, int dce_style,
                                size_t ec, size_t rrc,
                                krb5_key key, int usage,
                                krb5_pointer iv,
                                gss_iov_buffer_desc *iov,
                                int iov_count);
339
/* Produce a wrap or MIC token for input_message_buffer; toktype (a KG_TOK_*
 * value, presumably KG_TOK_WRAP_MSG or KG_TOK_MIC_MSG) selects which.
 * *conf_state reports whether confidentiality was actually applied. */
OM_uint32 kg_seal (OM_uint32 *minor_status,
                   gss_ctx_id_t context_handle,
                   int conf_req_flag,
                   gss_qop_t qop_req,
                   gss_buffer_t input_message_buffer,
                   int *conf_state,
                   gss_buffer_t output_message_buffer,
                   int toktype);

/* Verify (and for wrap tokens decrypt) input_token_buffer into
 * message_buffer, reporting *conf_state and *qop_state.  This is the
 * untrusted-input entry point for per-message tokens: every length field in
 * the token is attacker-controlled. */
OM_uint32 kg_unseal (OM_uint32 *minor_status,
                     gss_ctx_id_t context_handle,
                     gss_buffer_t input_token_buffer,
                     gss_buffer_t message_buffer,
                     int *conf_state,
                     gss_qop_t *qop_state,
                     int toktype);

/* Given the largest token the caller can emit (output_size), compute the
 * largest plaintext that fits (*input_size); backs krb5_gss_wrap_size_limit. */
OM_uint32 kg_seal_size (OM_uint32 *minor_status,
                        gss_ctx_id_t context_handle,
                        int conf_req_flag,
                        gss_qop_t qop_req,
                        OM_uint32 output_size,
                        OM_uint32 *input_size);

/* Context (de)serialization behind export/import_sec_context.  kg_ctx_size
 * computes the flattened size; kg_ctx_externalize writes at *buffer,
 * advancing it and decrementing *lenremain; kg_ctx_internalize parses the
 * same format into a newly allocated context in *argp.
 * NOTE(review): an interprocess token may originate from a less trusted
 * process; internalize must bound every read by *lenremain and reject
 * inconsistent embedded lengths rather than trust them. */
krb5_error_code kg_ctx_size (krb5_context kcontext,
                             krb5_gss_ctx_id_t ctx,
                             size_t *sizep);

krb5_error_code kg_ctx_externalize (krb5_context kcontext,
                                    krb5_gss_ctx_id_t ctx,
                                    krb5_octet **buffer,
                                    size_t *lenremain);

krb5_error_code kg_ctx_internalize (krb5_context kcontext,
                                    krb5_gss_ctx_id_t *argp,
                                    krb5_octet **buffer,
                                    size_t *lenremain);

/* Credential-cache name plumbing for the ccache-name option
 * (GSS_KRB5_CCACHE_NAME_OID, later in this header).  kg_sync_ccache_name
 * pushes the stored name into the krb5 context; the *_caller_provided_* query
 * reports whether an application set one; get/set read and replace it. */
OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);

OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
                                          int *out_caller_provided_name);

OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status, char **out_name);

OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
                              const char *name);
387
388 /* AEAD */
389
/* Build an RFC 4121 ("v3") wrap or MIC token over an IOV message; the header,
 * padding and trailer buffers are filled in place.  toktype selects wrap vs
 * MIC. */
krb5_error_code gss_krb5int_make_seal_token_v3_iov(krb5_context context,
                                                   krb5_gss_ctx_id_rec *ctx,
                                                   int conf_req_flag,
                                                   int *conf_state,
                                                   gss_iov_buffer_desc *iov,
                                                   int iov_count,
                                                   int toktype);

/* Verify and (for wrap tokens) decrypt an RFC 4121 IOV token in place.
 * Header fields are peer-controlled until the checksum has been verified. */
OM_uint32 gss_krb5int_unseal_v3_iov(krb5_context context,
                                    OM_uint32 *minor_status,
                                    krb5_gss_ctx_id_rec *ctx,
                                    gss_iov_buffer_desc *iov,
                                    int iov_count,
                                    int *conf_state,
                                    gss_qop_t *qop_state,
                                    int toktype);

/* Return the first buffer of the given GSS_IOV_BUFFER_TYPE in iov, or NULL. */
gss_iov_buffer_t kg_locate_iov (gss_iov_buffer_desc *iov,
                                int iov_count,
                                OM_uint32 type);

/* Return the buffer that carries the token header for toktype, or NULL. */
gss_iov_buffer_t kg_locate_header_iov(gss_iov_buffer_desc *iov, int iov_count,
                                      int toktype);

/* Sum the lengths of the data buffers (*data_length) and of the sign-only /
 * associated-data buffers (*assoc_data_length) in iov. */
void kg_iov_msglen(gss_iov_buffer_desc *iov,
                   int iov_count,
                   size_t *data_length,
                   size_t *assoc_data_length);

/* Free the buffers this module allocated in iov (see kg_allocate_iov). */
void kg_release_iov(gss_iov_buffer_desc *iov,
                    int iov_count);

/* RFC 1964 IOV checksum: compute the token checksum of type `type` over the
 * header and message buffers into *checksum.  seq/enc are the context's
 * RFC 1964 keys (enc is needed only to size the confounder). */
krb5_error_code kg_make_checksum_iov_v1(krb5_context context,
                                        krb5_cksumtype type,
                                        size_t token_cksum_len,
                                        krb5_key seq,
                                        krb5_key enc, /* for conf len */
                                        krb5_keyusage sign_usage,
                                        gss_iov_buffer_desc *iov,
                                        int iov_count,
                                        int toktype,
                                        krb5_checksum *checksum);

/* RFC 4121 IOV checksum: compute the checksum over iov and write it into the
 * trailer/header position implied by rrc. */
krb5_error_code kg_make_checksum_iov_v3(krb5_context context,
                                        krb5_cksumtype type,
                                        size_t rrc,
                                        krb5_key key,
                                        krb5_keyusage sign_usage,
                                        gss_iov_buffer_desc *iov,
                                        int iov_count,
                                        int toktype);

/* RFC 4121 IOV checksum verification.  NOTE(review): success is *valid being
 * nonzero AND a zero return; a zero return with *valid == 0 is a failed
 * integrity check, not a success, and callers must treat it as such. */
krb5_error_code kg_verify_checksum_iov_v3(krb5_context context,
                                          krb5_cksumtype type,
                                          size_t rrc,
                                          krb5_key key,
                                          krb5_keyusage sign_usage,
                                          gss_iov_buffer_desc *iov,
                                          int iov_count,
                                          int toktype,
                                          krb5_boolean *valid);

/* IOV counterparts of kg_seal / kg_unseal / kg_seal_size. */
OM_uint32 kg_seal_iov (OM_uint32 *minor_status,
                       gss_ctx_id_t context_handle,
                       int conf_req_flag,
                       gss_qop_t qop_req,
                       int *conf_state,
                       gss_iov_buffer_desc *iov,
                       int iov_count,
                       int toktype);

OM_uint32 kg_unseal_iov (OM_uint32 *minor_status,
                         gss_ctx_id_t context_handle,
                         int *conf_state,
                         gss_qop_t *qop_state,
                         gss_iov_buffer_desc *iov,
                         int iov_count,
                         int toktype);

/* Fill in the lengths the header/padding/trailer buffers will need for a
 * token of the given kind, without producing the token. */
OM_uint32 kg_seal_iov_length(OM_uint32 *minor_status,
                             gss_ctx_id_t context_handle,
                             int conf_req_flag,
                             gss_qop_t qop_req,
                             int *conf_state,
                             gss_iov_buffer_desc *iov,
                             int iov_count,
                             int toktype);

/* Map a GSS_IOV_BUFFER_TYPE to the krb5 crypto IOV type. */
krb5_cryptotype kg_translate_flag_iov(OM_uint32 type);

/* Adjust the padding buffer after a token has been unwrapped. */
OM_uint32 kg_fixup_padding_iov(OM_uint32 *minor_status,
                               gss_iov_buffer_desc *iov,
                               int iov_count);

/* True when the IOV contains no data to encrypt (integrity-only message). */
krb5_boolean kg_integ_only_iov(gss_iov_buffer_desc *iov, int iov_count);

/* Allocate `size` bytes for iov's value and mark it as module-owned so
 * kg_release_iov frees it. */
krb5_error_code kg_allocate_iov(gss_iov_buffer_t iov, size_t size);

/* Wrap already-obtained krb5 creds in a new initiator credential handle. */
krb5_error_code
krb5_to_gss_cred(krb5_context context,
                 krb5_creds *creds,
                 krb5_gss_cred_id_t *out_cred);

/* Whether cred->refresh_time says the initiator's TGT should be re-acquired. */
krb5_boolean
kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred);

/* Set cred->refresh_time from a freshly obtained TGT's times. */
void
kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred,
                            krb5_ticket_times *times);

/* Resolve a possibly-deferred credential handle for use against target_name
 * (presumably obtaining or refreshing the TGT as needed). */
OM_uint32
kg_cred_resolve(OM_uint32 *minor_status, krb5_context context,
                gss_cred_id_t cred_handle, gss_name_t target_name);
503
504 /** declarations of internal name mechanism functions **/
505
/* gss_acquire_cred for the krb5 and IAKERB mechanisms (standard GSS-API
 * signature). */
OM_uint32 KRB5_CALLCONV krb5_gss_acquire_cred
    (OM_uint32*,                /* minor_status */
     gss_name_t,                /* desired_name */
     OM_uint32,                 /* time_req */
     gss_OID_set,               /* desired_mechs */
     gss_cred_usage_t,          /* cred_usage */
     gss_cred_id_t*,            /* output_cred_handle */
     gss_OID_set*,              /* actual_mechs */
     OM_uint32*                 /* time_rec */
    );

OM_uint32 KRB5_CALLCONV iakerb_gss_acquire_cred
    (OM_uint32*,                /* minor_status */
     gss_name_t,                /* desired_name */
     OM_uint32,                 /* time_req */
     gss_OID_set,               /* desired_mechs */
     gss_cred_usage_t,          /* cred_usage */
     gss_cred_id_t*,            /* output_cred_handle */
     gss_OID_set*,              /* actual_mechs */
     OM_uint32*                 /* time_rec */
    );

/* Password-based acquisition.  The password presumably ends up in
 * krb5_gss_cred_id_rec.password (see the scrubbing note there).  Style:
 * cred_usage is declared `int` here but `gss_cred_usage_t` in the other
 * acquire variants. */
OM_uint32 KRB5_CALLCONV
krb5_gss_acquire_cred_with_password(
    OM_uint32 *minor_status,
    const gss_name_t desired_name,
    const gss_buffer_t password,
    OM_uint32 time_req,
    const gss_OID_set desired_mechs,
    int cred_usage,
    gss_cred_id_t *output_cred_handle,
    gss_OID_set *actual_mechs,
    OM_uint32 *time_rec);

OM_uint32 KRB5_CALLCONV
iakerb_gss_acquire_cred_with_password(
    OM_uint32 *minor_status,
    const gss_name_t desired_name,
    const gss_buffer_t password,
    OM_uint32 time_req,
    const gss_OID_set desired_mechs,
    int cred_usage,
    gss_cred_id_t *output_cred_handle,
    gss_OID_set *actual_mechs,
    OM_uint32 *time_rec);

/* Credential-store aware acquisition (gss_acquire_cred_from) for IAKERB;
 * cred_store names the ccache/keytab/etc. to draw from. */
OM_uint32 KRB5_CALLCONV
iakerb_gss_acquire_cred_from(OM_uint32 *minor_status,
                             const gss_name_t desired_name,
                             OM_uint32 time_req,
                             const gss_OID_set desired_mechs,
                             gss_cred_usage_t cred_usage,
                             gss_const_key_value_set_t cred_store,
                             gss_cred_id_t *output_cred_handle,
                             gss_OID_set *actual_mechs,
                             OM_uint32 *time_rec);
562
/* gss_release_cred: free a credential handle (should scrub any password it
 * holds; see krb5_gss_cred_id_rec). */
OM_uint32 KRB5_CALLCONV krb5_gss_release_cred
    (OM_uint32*,                /* minor_status */
     gss_cred_id_t*             /* cred_handle */
    );

/* gss_init_sec_context (standard signature).  input_chan_bindings are hashed
 * into the authenticator checksum; input_token, when present, is the peer's
 * AP-REP or error token and is untrusted. */
OM_uint32 KRB5_CALLCONV krb5_gss_init_sec_context
    (OM_uint32*,                /* minor_status */
     gss_cred_id_t,             /* claimant_cred_handle */
     gss_ctx_id_t*,             /* context_handle */
     gss_name_t,                /* target_name */
     gss_OID,                   /* mech_type */
     OM_uint32,                 /* req_flags */
     OM_uint32,                 /* time_req */
     gss_channel_bindings_t,
                                /* input_chan_bindings */
     gss_buffer_t,              /* input_token */
     gss_OID*,                  /* actual_mech_type */
     gss_buffer_t,              /* output_token */
     OM_uint32*,                /* ret_flags */
     OM_uint32*                 /* time_rec */
    );

/* Same, with the extension block (IAKERB conversation state) threaded
 * through; the plain entry point presumably wraps this.  Note: no
 * KRB5_CALLCONV, unlike the public entry points. */
OM_uint32 krb5_gss_init_sec_context_ext
    (OM_uint32*,                /* minor_status */
     gss_cred_id_t,             /* claimant_cred_handle */
     gss_ctx_id_t*,             /* context_handle */
     gss_name_t,                /* target_name */
     gss_OID,                   /* mech_type */
     OM_uint32,                 /* req_flags */
     OM_uint32,                 /* time_req */
     gss_channel_bindings_t,
                                /* input_chan_bindings */
     gss_buffer_t,              /* input_token */
     gss_OID*,                  /* actual_mech_type */
     gss_buffer_t,              /* output_token */
     OM_uint32*,                /* ret_flags */
     OM_uint32*,                /* time_rec */
     krb5_gss_ctx_ext_t         /* exts */
    );
602
#ifndef LEAN_CLIENT
/* gss_accept_sec_context (standard signature).  input_token_buffer is the
 * initiator's AP-REQ (or IAKERB/error token) and is entirely untrusted;
 * delegated_cred_handle receives any forwarded credential the initiator
 * chose to send.  Compiled out for LEAN_CLIENT builds. */
OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context
    (OM_uint32*,                /* minor_status */
     gss_ctx_id_t*,             /* context_handle */
     gss_cred_id_t,             /* verifier_cred_handle */
     gss_buffer_t,              /* input_token_buffer */
     gss_channel_bindings_t,
                                /* input_chan_bindings */
     gss_name_t*,               /* src_name */
     gss_OID*,                  /* mech_type */
     gss_buffer_t,              /* output_token */
     OM_uint32*,                /* ret_flags */
     OM_uint32*,                /* time_rec */
     gss_cred_id_t*             /* delegated_cred_handle */
    );

/* Same, with the extension block threaded through. */
OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
    (OM_uint32*,                /* minor_status */
     gss_ctx_id_t*,             /* context_handle */
     gss_cred_id_t,             /* verifier_cred_handle */
     gss_buffer_t,              /* input_token_buffer */
     gss_channel_bindings_t,
                                /* input_chan_bindings */
     gss_name_t*,               /* src_name */
     gss_OID*,                  /* mech_type */
     gss_buffer_t,              /* output_token */
     OM_uint32*,                /* ret_flags */
     OM_uint32*,                /* time_rec */
     gss_cred_id_t*,            /* delegated_cred_handle */
     krb5_gss_ctx_ext_t         /* exts */
    );
#endif /* LEAN_CLIENT */
635
/* OID-keyed context query; dispatches on desired_object to the
 * gss_krb5int_* handlers declared near the end of this header (ticket flags,
 * session key export, ...). */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
    (OM_uint32*,                /* minor_status */
     const gss_ctx_id_t,
                                /* context_handle */
     const gss_OID,             /* desired_object */
     gss_buffer_set_t*          /* data_set */
    );

/* OID-keyed context option setter (context_handle is passed by pointer,
 * unlike the query above). */
OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
    (OM_uint32*,                /* minor_status */
     gss_ctx_id_t*,             /* context_handle */
     const gss_OID,             /* desired_object */
     const gss_buffer_t         /* value */
    );

/* Consume a peer-sent context token after establishment, i.e. a
 * delete-context token (KG_TOK_DEL_CTX / KG2_TOK_DEL_CTX).  Untrusted
 * input; presumably what sets ctx->terminated. */
OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
    (OM_uint32*,                /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_buffer_t               /* token_buffer */
    );

/* Tear down a context, optionally emitting a delete token in output_token.
 * Key material in the context should be scrubbed here. */
OM_uint32 KRB5_CALLCONV krb5_gss_delete_sec_context
    (OM_uint32*,                /* minor_status */
     gss_ctx_id_t*,             /* context_handle */
     gss_buffer_t               /* output_token */
    );

/* Remaining lifetime of a context, in seconds. */
OM_uint32 KRB5_CALLCONV krb5_gss_context_time
    (OM_uint32*,                /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     OM_uint32*                 /* time_rec */
    );

/* Render a major/minor status code as text (gss_display_status). */
OM_uint32 KRB5_CALLCONV krb5_gss_display_status
    (OM_uint32*,                /* minor_status */
     OM_uint32,                 /* status_value */
     int,                       /* status_type */
     gss_OID,                   /* mech_type */
     OM_uint32*,                /* message_context */
     gss_buffer_t               /* status_string */
    );

/* Report the mechanisms this module provides (see kg_all_mechs). */
OM_uint32 KRB5_CALLCONV krb5_gss_indicate_mechs
    (OM_uint32*,                /* minor_status */
     gss_OID_set*               /* mech_set */
    );

/* Name operations: compare, display, import, release. */
OM_uint32 KRB5_CALLCONV krb5_gss_compare_name
    (OM_uint32*,                /* minor_status */
     gss_name_t,                /* name1 */
     gss_name_t,                /* name2 */
     int*                       /* name_equal */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_display_name
    (OM_uint32*,                /* minor_status */
     gss_name_t,                /* input_name */
     gss_buffer_t,              /* output_name_buffer */
     gss_OID*                   /* output_name_type */
    );


/* Parse an application-supplied name of type input_name_type into a
 * krb5_gss_name_t.  The buffer is caller data: validate lengths and the
 * name type before trusting its contents. */
OM_uint32 KRB5_CALLCONV krb5_gss_import_name
    (OM_uint32*,                /* minor_status */
     gss_buffer_t,              /* input_name_buffer */
     gss_OID,                   /* input_name_type */
     gss_name_t*                /* output_name */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_release_name
    (OM_uint32*,                /* minor_status */
     gss_name_t*                /* input_name */
    );

/* Report a credential's name, remaining lifetime, usage and mechanisms. */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_cred
    (OM_uint32 *,               /* minor_status */
     gss_cred_id_t,             /* cred_handle */
     gss_name_t *,              /* name */
     OM_uint32 *,               /* lifetime */
     gss_cred_usage_t*,         /* cred_usage */
     gss_OID_set *              /* mechanisms */
    );

/* Report a context's peers, lifetime, mechanism, flags and state. */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_context
    (OM_uint32*,                /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_name_t*,               /* initiator_name */
     gss_name_t*,               /* acceptor_name */
     OM_uint32*,                /* lifetime_rec */
     gss_OID*,                  /* mech_type */
     OM_uint32*,                /* ret_flags */
     int*,                      /* locally_initiated */
     int*                       /* open */
    );
730
/* New V2 entry points */

/* Per-message integrity and confidentiality.  The *_mic / *_wrap producers
 * take caller data; the *_verify_mic / *_unwrap consumers take peer tokens
 * and are the untrusted-input surface (see kg_unseal / kg_unseal_iov).  The
 * *_iov forms work in place on a buffer vector; the *_iov_length forms only
 * compute the header/padding/trailer sizes. */
OM_uint32 KRB5_CALLCONV krb5_gss_get_mic
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_qop_t,                 /* qop_req */
     gss_buffer_t,              /* message_buffer */
     gss_buffer_t               /* message_token */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_get_mic_iov
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_qop_t,                 /* qop_req */
     gss_iov_buffer_desc *,     /* iov */
     int                        /* iov_count */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_get_mic_iov_length
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_qop_t,                 /* qop_req */
     gss_iov_buffer_desc *,     /* iov */
     int                        /* iov_count */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_verify_mic
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_buffer_t,              /* message_buffer */
     gss_buffer_t,              /* message_token */
     gss_qop_t *                /* qop_state */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_verify_mic_iov
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_qop_t *,               /* qop_state */
     gss_iov_buffer_desc *,     /* iov */
     int                        /* iov_count */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_wrap
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     int,                       /* conf_req_flag */
     gss_qop_t,                 /* qop_req */
     gss_buffer_t,              /* input_message_buffer */
     int *,                     /* conf_state */
     gss_buffer_t               /* output_message_buffer */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_wrap_iov
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     int,                       /* conf_req_flag */
     gss_qop_t,                 /* qop_req */
     int *,                     /* conf_state */
     gss_iov_buffer_desc *,     /* iov */
     int                        /* iov_count */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_wrap_iov_length
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     int,                       /* conf_req_flag */
     gss_qop_t,                 /* qop_req */
     int *,                     /* conf_state */
     gss_iov_buffer_desc *,     /* iov */
     int                        /* iov_count */
    );

/* conf_state on unwrap reports what the *peer* applied; applications that
 * require confidentiality must check it rather than assume. */
OM_uint32 KRB5_CALLCONV krb5_gss_unwrap
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     gss_buffer_t,              /* input_message_buffer */
     gss_buffer_t,              /* output_message_buffer */
     int *,                     /* conf_state */
     gss_qop_t *                /* qop_state */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_unwrap_iov
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     int *,                     /* conf_state */
     gss_qop_t *,               /* qop_state */
     gss_iov_buffer_desc *,     /* iov */
     int                        /* iov_count */
    );

/* Largest plaintext that wraps into at most req_output_size bytes
 * (see kg_seal_size). */
OM_uint32 KRB5_CALLCONV krb5_gss_wrap_size_limit
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t,              /* context_handle */
     int,                       /* conf_req_flag */
     gss_qop_t,                 /* qop_req */
     OM_uint32,                 /* req_output_size */
     OM_uint32 *                /* max_input_size */
    );
828
/* Convert between a mechanism name and a raw in-memory object of type
 * input_name_type / desired_name_type (e.g. a krb5_principal); the void *
 * carries no type information, so the OID must be checked first. */
OM_uint32 KRB5_CALLCONV krb5_gss_import_name_object
    (OM_uint32 *,               /* minor_status */
     void *,                    /* input_name */
     gss_OID,                   /* input_name_type */
     gss_name_t *               /* output_name */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_export_name_object
    (OM_uint32 *,               /* minor_status */
     gss_name_t,                /* input_name */
     gss_OID,                   /* desired_name_type */
     void * *                   /* output_name */
    );

/* Per-mechanism credential inquiry (separate initiator/acceptor lifetimes). */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_cred_by_mech
    (OM_uint32 *,               /* minor_status */
     gss_cred_id_t,             /* cred_handle */
     gss_OID,                   /* mech_type */
     gss_name_t *,              /* name */
     OM_uint32 *,               /* initiator_lifetime */
     OM_uint32 *,               /* acceptor_lifetime */
     gss_cred_usage_t *         /* cred_usage */
    );
#ifndef LEAN_CLIENT
/* Flatten a context into an interprocess token (and invalidate the local
 * handle), and rebuild one from such a token; built on kg_ctx_externalize /
 * kg_ctx_internalize.  The token carries live session keys: callers must
 * protect it in transit and the importer must parse it defensively. */
OM_uint32 KRB5_CALLCONV krb5_gss_export_sec_context
    (OM_uint32 *,               /* minor_status */
     gss_ctx_id_t *,            /* context_handle */
     gss_buffer_t               /* interprocess_token */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_import_sec_context
    (OM_uint32 *,               /* minor_status */
     gss_buffer_t,              /* interprocess_token */
     gss_ctx_id_t *             /* context_handle */
    );
#endif /* LEAN_CLIENT */
865
/* Release an OID handed out by this mechanism.  Two variants exist; only the
 * second carries KRB5_CALLCONV (style inconsistency worth reconciling). */
OM_uint32 krb5_gss_release_oid
    (OM_uint32 *,               /* minor_status */
     gss_OID *                  /* oid */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_internal_release_oid
    (OM_uint32 *,               /* minor_status */
     gss_OID *                  /* oid */
    );

/* Name types this mechanism can import. */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_names_for_mech
    (OM_uint32 *,               /* minor_status */
     gss_OID,                   /* mechanism */
     gss_OID_set *              /* name_types */
    );

/* Produce the mechanism-name (MN) form of input_name for mech_type. */
OM_uint32 krb5_gss_canonicalize_name
    (OM_uint32 *,               /* minor_status */
     const gss_name_t,          /* input_name */
     const gss_OID,             /* mech_type */
     gss_name_t *               /* output_name */
    );

/* Export a name in the RFC 2743 exported-name format (mech OID + principal
 * string); what applications should compare or store for access control. */
OM_uint32 KRB5_CALLCONV krb5_gss_export_name
    (OM_uint32 *,               /* minor_status */
     const gss_name_t,          /* input_name */
     gss_buffer_t               /* exported_name */
    );

OM_uint32 KRB5_CALLCONV krb5_gss_duplicate_name
    (OM_uint32 *,               /* minor_status */
     const gss_name_t,          /* input_name */
     gss_name_t *               /* dest_name */
    );

/* Check that cred is a live handle owned by this mechanism; the _1 form
 * below takes an explicit krb5_context. */
OM_uint32 krb5_gss_validate_cred
    (OM_uint32 *,               /* minor_status */
     gss_cred_id_t              /* cred */
    );

/* S4U2Self: obtain a credential for desired_name using impersonator's
 * credentials (protocol transition).  Authorization to impersonate is
 * enforced by the KDC, not here. */
OM_uint32 KRB5_CALLCONV krb5_gss_acquire_cred_impersonate_name(
    OM_uint32 *,                /* minor_status */
    const gss_cred_id_t,        /* impersonator_cred_handle */
    const gss_name_t,           /* desired_name */
    OM_uint32,                  /* time_req */
    const gss_OID_set,          /* desired_mechs */
    gss_cred_usage_t,           /* cred_usage */
    gss_cred_id_t *,            /* output_cred_handle */
    gss_OID_set *,              /* actual_mechs */
    OM_uint32 *);               /* time_rec */

OM_uint32
krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
                         gss_cred_id_t /* cred_handle */,
                         krb5_context /* context */);

/* Map an OID that matches one of the static mechanism OIDs above onto the
 * canonical static object (so it need not be released). */
gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid);

/* Non-IOV RFC 4121 token construction: (context, ctx, message, output token,
 * conf_req_flag, toktype) -- parameter names are not given here. */
krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
                                               krb5_gss_ctx_id_rec *,
                                               const gss_buffer_desc *,
                                               gss_buffer_t,
                                               int, int);

/* Non-IOV RFC 4121 token verification/decryption of the bodysize bytes at
 * ptr (untrusted).  Note contextptr is a krb5_context *, unlike the
 * make_seal counterpart. */
OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
                                      OM_uint32 *minor_status,
                                      krb5_gss_ctx_id_rec *ctx,
                                      unsigned char *ptr,
                                      unsigned int bodysize,
                                      gss_buffer_t message_buffer,
                                      int *conf_state, gss_qop_t *qop_state,
                                      int toktype);

/* Rotate bufsiz bytes at ptr left by rc positions; used to undo the RRC
 * (right rotation count) applied to RFC 4121 wrap tokens.  rc comes from the
 * token header and must be reduced/checked against bufsiz by the caller. */
int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
940
/* naming_exts.c */
/* kg_init_name flag: take ownership of principal/service/host rather than
 * copying them. */
#define KG_INIT_NAME_NO_COPY 0x1

/* Build a krb5_gss_name_t from its parts (see krb5_gss_name_rec). */
krb5_error_code
kg_init_name(krb5_context context, krb5_principal principal,
             char *service, char *host, krb5_authdata_context ad_context,
             krb5_flags flags, krb5_gss_name_t *name);

/* Free *name and its contents. */
krb5_error_code
kg_release_name(krb5_context context, krb5_gss_name_t *name);

/* Deep-copy src into a newly allocated *dst. */
krb5_error_code
kg_duplicate_name(krb5_context context, const krb5_gss_name_t src,
                  krb5_gss_name_t *dst);

/* Equality of two mechanism names. */
krb5_boolean
kg_compare_name(krb5_context context,
                krb5_gss_name_t name1,
                krb5_gss_name_t name2);

/* Derive the acceptor principal to use for name into *princ_out; the
 * boolean presumably reports whether a concrete principal was produced. */
krb5_boolean
kg_acceptor_princ(krb5_context context, krb5_gss_name_t name,
                  krb5_principal *princ_out);
964
/* Naming-extension entry points (RFC 6680 style): display a name as another
 * type, query/get/set/delete name attributes, and export the composite form.
 * get_name_attribute's *authenticated flag says whether the attribute came
 * from KDC-issued authorization data rather than being locally set;
 * consumers making authorization decisions must check it. */
OM_uint32 KRB5_CALLCONV
krb5_gss_display_name_ext(OM_uint32 *minor_status,
                          gss_name_t name,
                          gss_OID display_as_name_type,
                          gss_buffer_t display_name);

OM_uint32 KRB5_CALLCONV
krb5_gss_inquire_name(OM_uint32 *minor_status,
                      gss_name_t name,
                      int *name_is_MN,
                      gss_OID *MN_mech,
                      gss_buffer_set_t *attrs);

OM_uint32 KRB5_CALLCONV
krb5_gss_get_name_attribute(OM_uint32 *minor_status,
                            gss_name_t name,
                            gss_buffer_t attr,
                            int *authenticated,
                            int *complete,
                            gss_buffer_t value,
                            gss_buffer_t display_value,
                            int *more);

OM_uint32 KRB5_CALLCONV
krb5_gss_set_name_attribute(OM_uint32 *minor_status,
                            gss_name_t name,
                            int complete,
                            gss_buffer_t attr,
                            gss_buffer_t value);

OM_uint32 KRB5_CALLCONV
krb5_gss_delete_name_attribute(OM_uint32 *minor_status,
                               gss_name_t name,
                               gss_buffer_t attr);

OM_uint32 KRB5_CALLCONV
krb5_gss_export_name_composite(OM_uint32 *minor_status,
                               gss_name_t name,
                               gss_buffer_t exp_composite_name);

/* Map a name to an opaque object of type_id and release that mapping. */
OM_uint32 KRB5_CALLCONV
krb5_gss_map_name_to_any(OM_uint32 *minor_status,
                         gss_name_t name,
                         int authenticated,
                         gss_buffer_t type_id,
                         gss_any_t *output);

OM_uint32 KRB5_CALLCONV
krb5_gss_release_any_name_mapping(OM_uint32 *minor_status,
                                  gss_name_t name,
                                  gss_buffer_t type_id,
                                  gss_any_t *input);

/* Context-keyed PRF (RFC 4402).  NOTE(review): desired_output_len is ssize_t;
 * a negative value must be rejected before it is used as a length. */
OM_uint32 KRB5_CALLCONV
krb5_gss_pseudo_random(OM_uint32 *minor_status,
                       gss_ctx_id_t context,
                       int prf_key,
                       const gss_buffer_t prf_in,
                       ssize_t desired_output_len,
                       gss_buffer_t prf_out);

/* Store a credential into the credential cache (gss_store_cred);
 * overwrite_cred / default_cred control replacing existing entries and
 * whether the result becomes the default cache. */
OM_uint32 KRB5_CALLCONV
krb5_gss_store_cred(OM_uint32 *minor_status,
                    gss_cred_id_t input_cred_handle,
                    gss_cred_usage_t cred_usage,
                    const gss_OID desired_mech,
                    OM_uint32 overwrite_cred,
                    OM_uint32 default_cred,
                    gss_OID_set *elements_stored,
                    gss_cred_usage_t *cred_usage_stored);
1035
/* s4u_gss_glue.c */
/* Build a delegated credential for subject_creds using impersonator_cred
 * (constrained delegation, S4U2Proxy).  The resulting handle's
 * `impersonator` field presumably records impersonator_cred's principal. */
OM_uint32
kg_compose_deleg_cred(OM_uint32 *minor_status,
                      krb5_gss_cred_id_t impersonator_cred,
                      krb5_creds *subject_creds,
                      OM_uint32 time_req,
                      krb5_gss_cred_id_t *output_cred,
                      OM_uint32 *time_rec,
                      krb5_context context);
1045
1046 /*
1047 * These take unglued krb5-mech-specific contexts.
1048 */
1049
1050 #define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11
1051 #define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01"
1052
1053 OM_uint32 gss_krb5int_get_tkt_flags
1054 (OM_uint32 *minor_status,
1055 const gss_ctx_id_t context_handle,
1056 const gss_OID desired_object,
1057 gss_buffer_set_t *data_set);
1058
1059 #define GSS_KRB5_COPY_CCACHE_OID_LENGTH 11
1060 #define GSS_KRB5_COPY_CCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x02"
1061
1062 OM_uint32 gss_krb5int_copy_ccache
1063 (OM_uint32 *minor_status,
1064 gss_cred_id_t *cred_handle,
1065 const gss_OID desired_oid,
1066 const gss_buffer_t value);
1067
1068 #define GSS_KRB5_CCACHE_NAME_OID_LENGTH 11
1069 #define GSS_KRB5_CCACHE_NAME_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03"
1070
/*
 * Argument block for gss_krb5int_ccache_name() (declared below).  That
 * function receives an opaque gss_buffer_t value; presumably the buffer's
 * value points at one of these — verify against the caller.
 */
struct krb5_gss_ccache_name_req {
    const char *name;       /* cache name supplied by the caller */
    const char **out_name;  /* output slot, presumably for a name reported
                             * back to the caller; NULL-handling is defined
                             * by the implementation, not here */
};
1075
1076 OM_uint32
1077 gss_krb5int_ccache_name(OM_uint32 *minor_status, const gss_OID, const gss_OID,
1078 const gss_buffer_t);
1079
1080 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
1081 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
1082 #define GSS_KRB5_INQ_ODBC_SESSION_KEY_OID_LENGTH 11
1083 #define GSS_KRB5_INQ_ODBC_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x13"
1084
1085 OM_uint32
1086 gss_krb5int_inq_sspi_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
1087 OM_uint32
1088 gss_krb5int_inq_odbc_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
1089
1090 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
1091 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"
1092
/*
 * Argument block for gss_krb5int_set_allowable_enctypes() (declared below),
 * presumably passed through the gss_buffer_t value parameter — confirm
 * against the caller.  The caller keeps ownership of the ktypes array.
 */
struct krb5_gss_set_allowable_enctypes_req {
    OM_uint32 num_ktypes;   /* number of entries in ktypes (by name; verify) */
    krb5_enctype *ktypes;   /* array of permitted Kerberos encryption types */
};
1097
1098 OM_uint32
1099 gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
1100 gss_cred_id_t *cred,
1101 const gss_OID desired_oid,
1102 const gss_buffer_t value);
1103
1104 #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11
1105 #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06"
1106
1107 OM_uint32
1108 gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
1109 const gss_ctx_id_t context_handle,
1110 const gss_OID desired_object,
1111 gss_buffer_set_t *data_set);
1112
1113 #define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11
1114 #define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07"
1115
1116 OM_uint32
1117 gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID,
1118 const gss_OID, gss_buffer_t);
1119
1120 extern k5_mutex_t kg_kdc_flag_mutex;
1121 krb5_error_code krb5_gss_init_context (krb5_context *ctxp);
1122
1123 #define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11
1124 #define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08"
1125
1126 OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID,
1127 const gss_OID, gss_buffer_t);
1128
1129 krb5_error_code krb5_gss_use_kdc_context(void);
1130
1131 #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11
1132 #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09"
1133
1134 OM_uint32
1135 gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t);
1136
1137 #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11
1138 #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a"
1139
1140 OM_uint32
1141 gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
1142 const gss_ctx_id_t context_handle,
1143 const gss_OID desired_object,
1144 gss_buffer_set_t *ad_data);
1145
1146 #define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11
1147 #define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b"
1148
1149 OM_uint32
1150 gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t *, const gss_OID, const gss_buffer_t);
1151
1152 #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
1153 #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
1154
1155 OM_uint32
1156 gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
1157 const gss_ctx_id_t,
1158 const gss_OID,
1159 gss_buffer_set_t *);
1160
1161 #define GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH 11
1162 #define GET_SEC_CONTEXT_SASL_SSF_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"
1163 OM_uint32
1164 gss_krb5int_sec_context_sasl_ssf(OM_uint32 *, const gss_ctx_id_t,
1165 const gss_OID, gss_buffer_set_t *);
1166
1167 #define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11
1168 #define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d"
1169
/*
 * Argument block for gss_krb5int_import_cred() (declared below), presumably
 * passed through the gss_buffer_t value parameter — confirm against the
 * caller.  Which members may be left unset is defined by the implementation.
 */
struct krb5_gss_import_cred_req {
    krb5_ccache id;                   /* credential cache to import from */
    krb5_principal keytab_principal;  /* principal associated with keytab */
    krb5_keytab keytab;               /* keytab to import from */
};
1175
1176 OM_uint32
1177 gss_krb5int_import_cred(OM_uint32 *minor_status,
1178 gss_cred_id_t *cred,
1179 const gss_OID desired_oid,
1180 const gss_buffer_t value);
1181
1182 #ifdef _GSS_STATIC_LINK
1183 int gss_krb5int_lib_init(void);
1184 void gss_krb5int_lib_fini(void);
1185 #endif /* _GSS_STATIC_LINK */
1186
1187 OM_uint32 gss_krb5int_initialize_library(void);
1188 void gss_krb5int_cleanup_library(void);
1189
1190 /* For error message handling. */
1191 /* Returns a shared string, not a private copy! */
1192 extern char *
1193 krb5_gss_get_error_message(OM_uint32 minor_code);
1194 extern void
1195 krb5_gss_save_error_string(OM_uint32 minor_code, char *msg);
1196 extern void
1197 krb5_gss_save_error_message(OM_uint32 minor_code, const char *format, ...)
1198 #if !defined(__cplusplus) && (__GNUC__ > 2)
1199 __attribute__((__format__(__printf__, 2, 3)))
1200 #endif
1201 ;
1202 extern void
1203 krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
1204 #define get_error_message krb5_gss_get_error_message
1205 #define save_error_string krb5_gss_save_error_string
1206 #define save_error_message krb5_gss_save_error_message
1207 #ifdef KRB5_KERNEL
1208 /* Error messages aren't needed in the kernel, so reduce dependencies. */
1209 #define save_error_info(x,y)
1210 #else
1211 #define save_error_info krb5_gss_save_error_info
1212 #endif
1213 extern void krb5_gss_delete_error_info(void *p);
1214
1215 /* Prefix concatenated with Kerberos encryption type */
1216 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
1217 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
1218
1219 /* IAKERB */
1220
1221 OM_uint32 KRB5_CALLCONV
1222 iakerb_gss_init_sec_context(OM_uint32 *minor_status,
1223 gss_cred_id_t claimant_cred_handle,
1224 gss_ctx_id_t *context_handle,
1225 gss_name_t target_name,
1226 gss_OID mech_type,
1227 OM_uint32 req_flags,
1228 OM_uint32 time_req,
1229 gss_channel_bindings_t input_chan_bindings,
1230 gss_buffer_t input_token,
1231 gss_OID *actual_mech_type,
1232 gss_buffer_t output_token,
1233 OM_uint32 *ret_flags,
1234 OM_uint32 *time_rec);
1235
1236 OM_uint32 KRB5_CALLCONV
1237 iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
1238 gss_ctx_id_t *context_handler,
1239 gss_cred_id_t verifier_cred_handle,
1240 gss_buffer_t input_token,
1241 gss_channel_bindings_t input_chan_bindings,
1242 gss_name_t *src_name,
1243 gss_OID *mech_type,
1244 gss_buffer_t output_token,
1245 OM_uint32 *ret_flags,
1246 OM_uint32 *time_rec,
1247 gss_cred_id_t *delegated_cred_handle);
1248
1249 OM_uint32 KRB5_CALLCONV
1250 iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
1251 gss_ctx_id_t *context_handle,
1252 gss_buffer_t output_token);
1253
1254 krb5_error_code
1255 iakerb_make_finished(krb5_context context,
1256 krb5_key key,
1257 const krb5_data *conv,
1258 krb5_data **finished);
1259
1260 krb5_error_code
1261 iakerb_verify_finished(krb5_context context,
1262 krb5_key key,
1263 const krb5_data *conv,
1264 const krb5_data *finished);
1265
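/*
 * Move the contents of *input_k5data into *output_buffer and leave
 * *input_k5data empty.
 *
 * On the default (non-Windows) path this is a plain pointer hand-over: the
 * krb5_data allocation becomes the gss_buffer's storage.  On Windows, or when
 * DEBUG_GSSALLOC is defined, the bytes are copied into a gssalloc_malloc()'d
 * buffer and the krb5_data allocation is released with free(), so the two
 * allocators are never mixed.
 *
 * Returns 0 on success or ENOMEM if the copy could not be allocated.  On
 * ENOMEM the output buffer is left empty (length 0, value NULL) rather than
 * carrying a non-zero length with no storage, and the input data has already
 * been consumed, so callers must not retry with the same krb5_data.
 */
static inline krb5_error_code
data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)
{
    krb5_error_code code = 0;

    output_buffer->length = input_k5data->length;
#if defined(_WIN32) || defined(DEBUG_GSSALLOC)
    if (output_buffer->length > 0) {
        output_buffer->value = gssalloc_malloc(output_buffer->length);
        if (output_buffer->value != NULL) {
            memcpy(output_buffer->value, input_k5data->data,
                   output_buffer->length);
        } else {
            /* Keep length consistent with value: a failed transfer must not
             * look like a populated buffer to the caller. */
            output_buffer->length = 0;
            code = ENOMEM;
        }
    } else {
        output_buffer->value = NULL;
    }
    /* The krb5_data storage was not obtained from gssalloc; release it with
     * the matching allocator whether or not the copy succeeded. */
    free(input_k5data->data);
#else
    output_buffer->value = input_k5data->data;
#endif
    /* Ownership has moved (or the storage is gone); never leave the source
     * pointing at memory it no longer owns. */
    *input_k5data = empty_data();
    return code;
}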
1293
1294 #define KRB5_GSS_EXTS_IAKERB_FINISHED 1
1295
1296
1297 /* Credential store extensions */
1298
1299 #define KRB5_CS_CLI_KEYTAB_URN "client_keytab"
1300 #define KRB5_CS_KEYTAB_URN "keytab"
1301 #define KRB5_CS_CCACHE_URN "ccache"
1302 #define KRB5_CS_RCACHE_URN "rcache"
1303 #define KRB5_CS_PASSWORD_URN "password"
1304 #define KRB5_CS_VERIFY_URN "verify"
1305
1306 OM_uint32
1307 kg_value_from_cred_store(gss_const_key_value_set_t cred_store,
1308 const char *type, const char **value);
1309
1310 OM_uint32 KRB5_CALLCONV
1311 krb5_gss_acquire_cred_from(
1312 OM_uint32 *, /* minor_status */
1313 const gss_name_t, /* desired_name */
1314 OM_uint32, /* time_req */
1315 const gss_OID_set, /* desired_mechs */
1316 gss_cred_usage_t, /* cred_usage */
1317 gss_const_key_value_set_t, /* cred_store */
1318 gss_cred_id_t *, /* output_cred_handle */
1319 gss_OID_set *, /* actual_mechs */
1320 OM_uint32 *); /* time_rec */
1321
1322 OM_uint32 KRB5_CALLCONV
1323 krb5_gss_store_cred_into(
1324 OM_uint32 *, /* minor_status */
1325 gss_cred_id_t, /* input_cred_handle */
1326 gss_cred_usage_t, /* input_usage */
1327 const gss_OID, /* desired_mech */
1328 OM_uint32, /* overwrite_cred */
1329 OM_uint32, /* default_cred */
1330 gss_const_key_value_set_t, /* cred_store */
1331 gss_OID_set *, /* elements_stored */
1332 gss_cred_usage_t *); /* cred_usage_stored */
1333
1334 OM_uint32 KRB5_CALLCONV
1335 krb5_gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
1336 gss_buffer_t token);
1337
1338 OM_uint32 KRB5_CALLCONV
1339 krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
1340 gss_cred_id_t *cred_handle);
1341
1342 OM_uint32 KRB5_CALLCONV
1343 iakerb_gss_process_context_token(OM_uint32 *minor_status,
1344 const gss_ctx_id_t context_handle,
1345 const gss_buffer_t token_buffer);
1346
1347 OM_uint32 KRB5_CALLCONV
1348 iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1349 OM_uint32 *time_rec);
1350
1351 OM_uint32 KRB5_CALLCONV
1352 iakerb_gss_inquire_context(OM_uint32 *minor_status,
1353 gss_ctx_id_t context_handle, gss_name_t *src_name,
1354 gss_name_t *targ_name, OM_uint32 *lifetime_rec,
1355 gss_OID *mech_type, OM_uint32 *ctx_flags,
1356 int *locally_initiated, int *opened);
1357
1358 OM_uint32 KRB5_CALLCONV
1359 iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1360 gss_qop_t qop_req, gss_buffer_t message_buffer,
1361 gss_buffer_t message_token);
1362
1363 OM_uint32 KRB5_CALLCONV
1364 iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1365 gss_qop_t qop_req, gss_iov_buffer_desc *iov,
1366 int iov_count);
1367
1368 OM_uint32 KRB5_CALLCONV
1369 iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
1370 gss_ctx_id_t context_handle, gss_qop_t qop_req,
1371 gss_iov_buffer_desc *iov, int iov_count);
1372
1373 OM_uint32 KRB5_CALLCONV
1374 iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1375 gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
1376 gss_qop_t *qop_state);
1377
1378 OM_uint32 KRB5_CALLCONV
1379 iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1380 gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
1381 int iov_count);
1382
1383 OM_uint32 KRB5_CALLCONV
1384 iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1385 int conf_req_flag, gss_qop_t qop_req,
1386 gss_buffer_t input_message_buffer, int *conf_state,
1387 gss_buffer_t output_message_buffer);
1388
1389 OM_uint32 KRB5_CALLCONV
1390 iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1391 int conf_req_flag, gss_qop_t qop_req, int *conf_state,
1392 gss_iov_buffer_desc *iov, int iov_count);
1393
1394 OM_uint32 KRB5_CALLCONV
1395 iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
1396 gss_ctx_id_t context_handle, int conf_req_flag,
1397 gss_qop_t qop_req, int *conf_state,
1398 gss_iov_buffer_desc *iov, int iov_count);
1399
1400 OM_uint32 KRB5_CALLCONV
1401 iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1402 gss_buffer_t input_message_buffer,
1403 gss_buffer_t output_message_buffer, int *conf_state,
1404 gss_qop_t *qop_state);
1405
1406 OM_uint32 KRB5_CALLCONV
1407 iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1408 int *conf_state, gss_qop_t *qop_state,
1409 gss_iov_buffer_desc *iov, int iov_count);
1410
1411 OM_uint32 KRB5_CALLCONV
1412 iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
1413 gss_ctx_id_t context_handle, int conf_req_flag,
1414 gss_qop_t qop_req, OM_uint32 req_output_size,
1415 OM_uint32 *max_input_size);
1416
1417 #ifndef LEAN_CLIENT
1418 OM_uint32 KRB5_CALLCONV
1419 iakerb_gss_export_sec_context(OM_uint32 *minor_status,
1420 gss_ctx_id_t *context_handle,
1421 gss_buffer_t interprocess_token);
1422
1423 OM_uint32 KRB5_CALLCONV
1424 iakerb_gss_import_sec_context(OM_uint32 *minor_status,
1425 const gss_buffer_t interprocess_token,
1426 gss_ctx_id_t *context_handle);
1427 #endif /* LEAN_CLIENT */
1428
1429 OM_uint32 KRB5_CALLCONV
1430 iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
1431 const gss_ctx_id_t context_handle,
1432 const gss_OID desired_object,
1433 gss_buffer_set_t *data_set);
1434
1435 OM_uint32 KRB5_CALLCONV
1436 iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
1437 gss_ctx_id_t *context_handle,
1438 const gss_OID desired_object,
1439 const gss_buffer_t value);
1440
1441 OM_uint32 KRB5_CALLCONV
1442 iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1443 int prf_key, const gss_buffer_t prf_in,
1444 ssize_t desired_output_len, gss_buffer_t prf_out);
1445
1446 /* Magic string to identify exported krb5 GSS credentials. Increment this if
1447 * the format changes. */
1448 #define CRED_EXPORT_MAGIC "K5C1"
1449
1450 OM_uint32
1451 gss_krb5int_get_cred_impersonator(OM_uint32 *minor_status,
1452 const gss_cred_id_t cred_handle,
1453 const gss_OID desired_object,
1454 gss_buffer_set_t *data_set);
1455
1456 #endif /* _GSSAPIP_KRB5_H_ */
1457