/*
 * Copyright 2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 *
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 *
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 */

/*
 * gssapi_ext.h -- non-RFC-2744 GSS-API extensions exported by the MIT
 * krb5 mechglue: Solaris/GGF/Heimdal/SSPI compatibility calls, IOV
 * wrap/MIC, name attributes, credential stores and NegoEx SPIs.  Every
 * declaration below is a prototype or an exported object; the semantics
 * are those of the implementing library.
 */

#ifndef GSSAPI_EXT_H_
#define GSSAPI_EXT_H_

#include <gssapi/gssapi.h>

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

/*
 * Solaris extensions
 */
/* uid_t is a POSIX type, which is why this prototype is absent on Windows. */
#ifndef _WIN32
/*
 * Map a mechanism name to a local numeric user id, as interpreted by
 * mech_type.
 *
 * @param [out] minor      Minor status code
 * @param [in]  name       Mechanism name
 * @param [in]  mech_type  Mechanism asked to perform the mapping
 * @param [out] uidOut     Receives the mapped uid on success
 */
OM_uint32 KRB5_CALLCONV
gss_pname_to_uid
    (OM_uint32 *minor,
     const gss_name_t name,
     const gss_OID mech_type,
     uid_t *uidOut);
#endif

/**
 * Provides a platform-specific name for a GSSAPI name as interpreted by a
 * given mechanism.
 *
 * @param [out] minor      Minor status code
 * @param [in]  name       The gss name resulting from accept_sec_context
 * @param [in]  mech_type  The mechanism that will be asked to map @a name to a
 *                         local name
 * @param [out] localname  Caller-allocated buffer to be filled in with the
 *                         local name on success
 */
OM_uint32 KRB5_CALLCONV
gss_localname
    (OM_uint32 *minor,
     const gss_name_t name,
     gss_const_OID mech_type,
     gss_buffer_t localname);

/**
 * Determine whether a mechanism name is authorized to act as a username.
 *
 * @param [in] name      Mechanism name
 * @param [in] username  System username
 *
 * This is a simple wrapper around gss_authorize_localname(). It only supports
 * system usernames as local names, and cannot distinguish between lack of
 * authorization and other errors.
 *
 * Because a return of 0 conflates "denied" with "failed", callers that need
 * to log or report the difference should call gss_authorize_localname()
 * directly.
 *
 * @retval 1 @a name is authorized to act as @a username
 * @retval 0 @a name is not authorized or an error occurred
 */
int KRB5_CALLCONV
gss_userok(const gss_name_t name,
           const char *username);

/**
 * Determine whether a mechanism name is authorized to act as a local name.
 *
 * @param [out] minor  Minor status code
 * @param [in]  name   Mechanism name
 * @param [in]  user   Local name
 *
 * @a name is a mechanism name, typically the result of a completed
 * gss_accept_sec_context(). @a user is an internal name representing a local
 * name, such as a name imported by gss_import_name() with an @a
 * input_name_type of @c GSS_C_NT_USER_NAME.
 *
 * @return Return GSS_S_COMPLETE if @a name is authorized to act as @a user,
 * GSS_S_UNAUTHORIZED if not, or an appropriate GSS error code if an error
 * occurred.
 *
 * @sa gss_userok
 */
OM_uint32 KRB5_CALLCONV
gss_authorize_localname(OM_uint32 *minor,
                        const gss_name_t name,
                        const gss_name_t user);

/*
 * Acquire a credential for desired_name from a password.  The parameter
 * list is that of gss_acquire_cred() with the password buffer inserted
 * after desired_name.
 *
 * NOTE(review): the password buffer is caller-owned secret material; the
 * caller should zeroize it once the call returns.  Whether the library
 * retains a copy is not stated here -- confirm against the implementation.
 */
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_with_password(
    OM_uint32 *,            /* minor_status */
    const gss_name_t,       /* desired_name */
    const gss_buffer_t,     /* password */
    OM_uint32,              /* time_req */
    const gss_OID_set,      /* desired_mechs */
    gss_cred_usage_t,       /* cred_usage */
    gss_cred_id_t *,        /* output_cred_handle */
    gss_OID_set *,          /* actual_mechs */
    OM_uint32 *);           /* time_rec */

/*
 * Add a credential element obtained from a password to input_cred_handle.
 * The parameter list is that of gss_add_cred() with the password buffer
 * inserted after desired_mech.  The same caller-ownership note as for
 * gss_acquire_cred_with_password() applies to the password buffer.
 */
OM_uint32 KRB5_CALLCONV
gss_add_cred_with_password(
    OM_uint32 *,            /* minor_status */
    const gss_cred_id_t,    /* input_cred_handle */
    const gss_name_t,       /* desired_name */
    const gss_OID,          /* desired_mech */
    const gss_buffer_t,     /* password */
    gss_cred_usage_t,       /* cred_usage */
    OM_uint32,              /* initiator_time_req */
    OM_uint32,              /* acceptor_time_req */
    gss_cred_id_t *,        /* output_cred_handle */
    gss_OID_set *,          /* actual_mechs */
    OM_uint32 *,            /* initiator_time_rec */
    OM_uint32 *);           /* acceptor_time_rec */

/*
 * GGF extensions
 */
/*
 * An array of count gss_buffer_desc values.  Sets are built with
 * gss_create_empty_buffer_set()/gss_add_buffer_set_member() and freed with
 * gss_release_buffer_set(); the *_by_oid queries below return one.
 */
typedef struct gss_buffer_set_desc_struct {
    size_t count;
    gss_buffer_desc *elements;
} gss_buffer_set_desc, *gss_buffer_set_t;

#define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0)

/* Allocate a buffer set with no members into *buffer_set. */
OM_uint32 KRB5_CALLCONV gss_create_empty_buffer_set
    (OM_uint32 * /*minor_status*/,
     gss_buffer_set_t * /*buffer_set*/);

/*
 * Append member_buffer to *buffer_set.
 * NOTE(review): whether member_buffer is copied or merely referenced is not
 * stated here -- confirm before releasing the caller's copy.
 */
OM_uint32 KRB5_CALLCONV gss_add_buffer_set_member
    (OM_uint32 * /*minor_status*/,
     const gss_buffer_t /*member_buffer*/,
     gss_buffer_set_t * /*buffer_set*/);

/* Free *buffer_set and its members. */
OM_uint32 KRB5_CALLCONV gss_release_buffer_set
    (OM_uint32 * /*minor_status*/,
     gss_buffer_set_t * /*buffer_set*/);

/*
 * Query a mechanism-specific attribute (desired_object) of an established
 * context.  The result is returned as a buffer set in *data_set; the OIDs
 * GSS_C_INQ_SSPI_SESSION_KEY, GSS_C_INQ_ODBC_SESSION_KEY,
 * GSS_C_INQ_NEGOEX_KEY, GSS_C_INQ_NEGOEX_VERIFY_KEY and
 * GSS_C_SEC_CONTEXT_SASL_SSF declared later in this header are intended for
 * use with this call.  Several of these return raw key material, so the
 * returned set should be released promptly with gss_release_buffer_set().
 */
OM_uint32 KRB5_CALLCONV gss_inquire_sec_context_by_oid
    (OM_uint32 * /*minor_status*/,
     const gss_ctx_id_t /*context_handle*/,
     const gss_OID /*desired_object*/,
     gss_buffer_set_t * /*data_set*/);

/* Credential-handle counterpart of gss_inquire_sec_context_by_oid(). */
OM_uint32 KRB5_CALLCONV gss_inquire_cred_by_oid
    (OM_uint32 * /*minor_status*/,
     const gss_cred_id_t /*cred_handle*/,
     const gss_OID /*desired_object*/,
     gss_buffer_set_t * /*data_set*/);

/*
 * Set a mechanism-specific option (desired_object) on a context.  The second
 * parameter is a gss_ctx_id_t *, i.e. the context handle, despite what the
 * historical name in this prototype suggested.
 */
OM_uint32 KRB5_CALLCONV gss_set_sec_context_option
    (OM_uint32 * /*minor_status*/,
     gss_ctx_id_t * /*context_handle*/,
     const gss_OID /*desired_object*/,
     const gss_buffer_t /*value*/);

/*
 * Export import cred extensions from GGF, but using Heimdal's signatures
 */
/*
 * Serialize cred_handle into token.  An exported credential presumably
 * carries the credential's secret material, so the token should be
 * protected like the credential itself -- confirm with the implementation.
 */
OM_uint32 KRB5_CALLCONV gss_export_cred
    (OM_uint32 * /* minor_status */,
     gss_cred_id_t /* cred_handle */,
     gss_buffer_t /* token */);

/* Reconstruct a credential from a token produced by gss_export_cred(). */
OM_uint32 KRB5_CALLCONV gss_import_cred
    (OM_uint32 * /* minor_status */,
     gss_buffer_t /* token */,
     gss_cred_id_t * /* cred_handle */);

/*
 * Heimdal extension
 */
/* Set a mechanism-specific option (desired_object) on a credential. */
OM_uint32 KRB5_CALLCONV gss_set_cred_option
    (OM_uint32 * /*minor_status*/,
     gss_cred_id_t * /*cred*/,
     const gss_OID /*desired_object*/,
     const gss_buffer_t /*value*/);

/*
 * Call the given method on the given mechanism
 */
/* value is both input and output: it is a plain gss_buffer_t, not const. */
OM_uint32 KRB5_CALLCONV gssspi_mech_invoke
    (OM_uint32 * /*minor_status*/,
     const gss_OID /*desired_mech*/,
     const gss_OID /*desired_object*/,
     gss_buffer_t /*value*/);

/*
 * AEAD extensions
 */

/*
 * gss_wrap() with an additional associated-data buffer.  Judging by the
 * parameter names, input_assoc_buffer is covered by the integrity check but
 * is not part of output_message_buffer -- confirm with the implementation.
 */
OM_uint32 KRB5_CALLCONV gss_wrap_aead
    (OM_uint32 * /*minor_status*/,
     gss_ctx_id_t /*context_handle*/,
     int /*conf_req_flag*/,
     gss_qop_t /*qop_req*/,
     gss_buffer_t /*input_assoc_buffer*/,
     gss_buffer_t /*input_payload_buffer*/,
     int * /*conf_state*/,
     gss_buffer_t /*output_message_buffer*/);

/*
 * Inverse of gss_wrap_aead(): the caller supplies the same associated data
 * that the sender used, and the payload is returned in output_payload_buffer.
 */
OM_uint32 KRB5_CALLCONV gss_unwrap_aead
    (OM_uint32 * /*minor_status*/,
     gss_ctx_id_t /*context_handle*/,
     gss_buffer_t /*input_message_buffer*/,
     gss_buffer_t /*input_assoc_buffer*/,
     gss_buffer_t /*output_payload_buffer*/,
     int * /*conf_state*/,
     gss_qop_t * /*qop_state*/);

/*
 * SSPI extensions
 */
/*
 * Additional req_flags/ret_flags bits.  GSS_C_DCE_STYLE changes the buffer
 * layout accepted by gss_wrap_iov() (see its description below); the exact
 * effect of the other two is defined by the implementation.
 */
#define GSS_C_DCE_STYLE                 0x1000
#define GSS_C_IDENTIFY_FLAG             0x2000
#define GSS_C_EXTENDED_ERROR_FLAG       0x4000

/*
 * Returns a buffer set with the first member containing the
 * session key for SSPI compatibility. The optional second
 * member contains an OID identifying the session key type.
 *
 * The first member is raw key material: release the set with
 * gss_release_buffer_set() as soon as it has been consumed.
 */
GSS_DLLIMP extern gss_OID GSS_C_INQ_SSPI_SESSION_KEY;

/*
 * Returns a buffer set with the first member containing the ticket session key
 * for ODBC compatibility. The optional second member contains an OID
 * identifying the session key type.
 */
GSS_DLLIMP extern gss_OID GSS_C_INQ_ODBC_SESSION_KEY;

/*
 * NegoEx key queries; the expected two-buffer answer format is described
 * with the gssspi_* NegoEx SPIs later in this header.
 */
GSS_DLLIMP extern gss_OID GSS_C_INQ_NEGOEX_KEY;
GSS_DLLIMP extern gss_OID GSS_C_INQ_NEGOEX_VERIFY_KEY;

/* input_message_buffer is modified in place (non-const). */
OM_uint32 KRB5_CALLCONV gss_complete_auth_token
    (OM_uint32 *minor_status,
     const gss_ctx_id_t context_handle,
     gss_buffer_t input_message_buffer);

/*
 * One element of an IOV passed to the *_iov calls.  type holds a
 * GSS_IOV_BUFFER_TYPE_* value in its low 16 bits and GSS_IOV_BUFFER_FLAG_*
 * bits in its high 16 bits (see GSS_IOV_BUFFER_FLAG_MASK).
 */
typedef struct gss_iov_buffer_desc_struct {
    OM_uint32 type;
    gss_buffer_desc buffer;
} gss_iov_buffer_desc, *gss_iov_buffer_t;

#define GSS_C_NO_IOV_BUFFER             ((gss_iov_buffer_t)0)

/* Buffer types.  Values 4-6 and 8 are not assigned in this header. */
#define GSS_IOV_BUFFER_TYPE_EMPTY       0
#define GSS_IOV_BUFFER_TYPE_DATA        1   /* Packet data */
#define GSS_IOV_BUFFER_TYPE_HEADER      2   /* Mechanism header */
#define GSS_IOV_BUFFER_TYPE_MECH_PARAMS 3   /* Mechanism specific parameters */
#define GSS_IOV_BUFFER_TYPE_TRAILER     7   /* Mechanism trailer */
#define GSS_IOV_BUFFER_TYPE_PADDING     9   /* Padding */
#define GSS_IOV_BUFFER_TYPE_STREAM      10  /* Complete wrap token */
#define GSS_IOV_BUFFER_TYPE_SIGN_ONLY   11  /* Sign only packet data */
#define GSS_IOV_BUFFER_TYPE_MIC_TOKEN   12  /* MIC token destination */

/*
 * Flag bits (high 16 bits of type).  ALLOCATE is set by the caller to ask the
 * library to allocate the buffer; ALLOCATED is set by the library on buffers
 * it did allocate, which the caller later frees via gss_release_iov_buffer().
 */
#define GSS_IOV_BUFFER_FLAG_MASK        0xFFFF0000
#define GSS_IOV_BUFFER_FLAG_ALLOCATE    0x00010000  /* indicates GSS should allocate */
#define GSS_IOV_BUFFER_FLAG_ALLOCATED   0x00020000  /* indicates caller should free */

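/*
 * Split a gss_iov_buffer_desc.type into its type and flag halves.
 * GSS_IOV_BUFFER_FLAG_MASK is an unsigned constant, so ~ yields 0x0000FFFF
 * without sign-extension surprises for OM_uint32 arguments.
 */
#define GSS_IOV_BUFFER_TYPE(_type)  ((_type) & ~(GSS_IOV_BUFFER_FLAG_MASK))
#define GSS_IOV_BUFFER_FLAGS(_type) ((_type) & GSS_IOV_BUFFER_FLAG_MASK)

/*
 * Sign and optionally encrypt a sequence of buffers. The buffers
 * shall be ordered HEADER | DATA | PADDING | TRAILER. Suitable
 * space for the header, padding and trailer should be provided
 * by calling gss_wrap_iov_length(), or the ALLOCATE flag should
 * be set on those buffers.
 *
 * Encryption is in-place. SIGN_ONLY buffers are untouched. Only
 * a single PADDING buffer should be provided. The order of the
 * buffers in memory does not matter. Buffers in the IOV should
 * be arranged in the order above, and in the case of multiple
 * DATA buffers the sender and receiver should agree on the
 * order.
 *
 * With GSS_C_DCE_STYLE it is acceptable to not provide PADDING
 * and TRAILER, but the caller must guarantee the plaintext data
 * being encrypted is correctly padded, otherwise an error will
 * be returned.
 *
 * While applications that have knowledge of the underlying
 * cryptosystem may request a specific configuration of data
 * buffers, the only generally supported configurations are:
 *
 *  HEADER | DATA | PADDING | TRAILER
 *
 * which will emit GSS_Wrap() compatible tokens, and:
 *
 *  HEADER | SIGN_ONLY | DATA | PADDING | TRAILER
 *
 * for AEAD.
 *
 * The typical (special cased) usage for DCE is as follows:
 *
 *  SIGN_ONLY_1 | DATA | SIGN_ONLY_2 | HEADER
 */
OM_uint32 KRB5_CALLCONV gss_wrap_iov
(
    OM_uint32 *,                /* minor_status */
    gss_ctx_id_t,               /* context_handle */
    int,                        /* conf_req_flag */
    gss_qop_t,                  /* qop_req */
    int *,                      /* conf_state */
    gss_iov_buffer_desc *,      /* iov */
    int);                       /* iov_count */

/*
 * Verify and optionally decrypt a sequence of buffers. To process
 * a GSS-API message without separate buffer, pass STREAM | DATA.
 * Upon return DATA will contain the decrypted or integrity
 * protected message. Only a single DATA buffer may be provided
 * with this usage. DATA by default will point into STREAM, but if
 * the ALLOCATE flag is set a copy will be returned.
 *
 * Otherwise, decryption is in-place. SIGN_ONLY buffers are
 * untouched.
 *
 * Callers should consult *conf_state after a successful return to learn
 * whether the message was actually encrypted, not just integrity protected.
 */
OM_uint32 KRB5_CALLCONV gss_unwrap_iov
(
    OM_uint32 *,                /* minor_status */
    gss_ctx_id_t,               /* context_handle */
    int *,                      /* conf_state */
    gss_qop_t *,                /* qop_state */
    gss_iov_buffer_desc *,      /* iov */
    int);                       /* iov_count */

/*
 * Query HEADER, PADDING and TRAILER buffer lengths. DATA buffers
 * should be provided so the correct padding length can be determined.
 */
OM_uint32 KRB5_CALLCONV gss_wrap_iov_length
(
    OM_uint32 *,                /* minor_status */
    gss_ctx_id_t,               /* context_handle */
    int,                        /* conf_req_flag */
    gss_qop_t,                  /* qop_req */
    int *,                      /* conf_state */
    gss_iov_buffer_desc *,      /* iov */
    int);                       /* iov_count */

/*
 * Produce a GSSAPI MIC token for a sequence of buffers. All SIGN_ONLY and
 * DATA buffers will be signed, in the order they appear. One MIC_TOKEN buffer
 * must be included for the result. Suitable space should be provided for the
 * MIC_TOKEN buffer by calling gss_get_mic_iov_length, or the ALLOCATE flag
 * should be set on that buffer. If the ALLOCATE flag is used, use
 * gss_release_iov_buffer to free the allocated buffer within the iov list when
 * it is no longer needed.
 */
OM_uint32 KRB5_CALLCONV gss_get_mic_iov
(
    OM_uint32 *,                /* minor_status */
    gss_ctx_id_t,               /* context_handle */
    gss_qop_t,                  /* qop_req */
    gss_iov_buffer_desc *,      /* iov */
    int);                       /* iov_count */

/*
 * Query the MIC_TOKEN buffer length within the iov list.
 */
OM_uint32 KRB5_CALLCONV gss_get_mic_iov_length(
    OM_uint32 *,                /* minor_status */
    gss_ctx_id_t,               /* context_handle */
    gss_qop_t,                  /* qop_req */
    gss_iov_buffer_desc *,      /* iov */
    int);                       /* iov_count */

/*
 * Verify the MIC_TOKEN buffer within the iov list against the SIGN_ONLY and
 * DATA buffers in the order they appear. Return values are the same as for
 * gss_verify_mic.
 */
OM_uint32 KRB5_CALLCONV gss_verify_mic_iov
(
    OM_uint32 *,                /* minor_status */
    gss_ctx_id_t,               /* context_handle */
    gss_qop_t *,                /* qop_state */
    gss_iov_buffer_desc *,      /* iov */
    int);                       /* iov_count */

/*
 * Release buffers that have the ALLOCATED flag set.
 */
OM_uint32 KRB5_CALLCONV gss_release_iov_buffer
(
    OM_uint32 *,                /* minor_status */
    gss_iov_buffer_desc *,      /* iov */
    int);                       /* iov_count */

/*
 * Protocol transition
 */
/*
 * Acquire a credential for desired_name on the authority of
 * impersonator_cred_handle (gss_acquire_cred() with an extra leading
 * credential parameter).  The result lets the holder act as desired_name,
 * so callers should scope desired_mechs and time_req as tightly as the use
 * case allows.
 */
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_impersonate_name(
    OM_uint32 *,                /* minor_status */
    const gss_cred_id_t,        /* impersonator_cred_handle */
    const gss_name_t,           /* desired_name */
    OM_uint32,                  /* time_req */
    const gss_OID_set,          /* desired_mechs */
    gss_cred_usage_t,           /* cred_usage */
    gss_cred_id_t *,            /* output_cred_handle */
    gss_OID_set *,              /* actual_mechs */
    OM_uint32 *);               /* time_rec */

/* gss_add_cred() counterpart of gss_acquire_cred_impersonate_name(). */
OM_uint32 KRB5_CALLCONV
gss_add_cred_impersonate_name(
    OM_uint32 *,                /* minor_status */
    gss_cred_id_t,              /* input_cred_handle */
    const gss_cred_id_t,        /* impersonator_cred_handle */
    const gss_name_t,           /* desired_name */
    const gss_OID,              /* desired_mech */
    gss_cred_usage_t,           /* cred_usage */
    OM_uint32,                  /* initiator_time_req */
    OM_uint32,                  /* acceptor_time_req */
    gss_cred_id_t *,            /* output_cred_handle */
    gss_OID_set *,              /* actual_mechs */
    OM_uint32 *,                /* initiator_time_rec */
    OM_uint32 *);               /* acceptor_time_rec */

/*
 * Naming extensions
 */
/* Note the differing types: the attribute is a buffer, the name type an OID. */
GSS_DLLIMP extern gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
GSS_DLLIMP extern gss_OID GSS_C_NT_COMPOSITE_EXPORT;

/* Display name as if it were of type display_as_name_type. */
OM_uint32 KRB5_CALLCONV gss_display_name_ext
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    gss_OID,                    /* display_as_name_type */
    gss_buffer_t                /* display_name */
);

/*
 * Report whether name is a mechanism name (MN), which mechanism it belongs
 * to, and the set of attribute names it carries (a buffer set released with
 * gss_release_buffer_set()).
 */
OM_uint32 KRB5_CALLCONV gss_inquire_name
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    int *,                      /* name_is_MN */
    gss_OID *,                  /* MN_mech */
    gss_buffer_set_t *          /* attrs */
);

/*
 * Fetch one value of attribute attr from name; *more is used to iterate over
 * multi-valued attributes.
 *
 * NOTE(review): the authenticated output distinguishes attribute values that
 * were asserted by a trusted source from ones that were not.  Code making
 * authorization decisions on attribute values should presumably require
 * *authenticated to be set -- confirm the flag's exact semantics in the
 * implementation.
 */
OM_uint32 KRB5_CALLCONV gss_get_name_attribute
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    gss_buffer_t,               /* attr */
    int *,                      /* authenticated */
    int *,                      /* complete */
    gss_buffer_t,               /* value */
    gss_buffer_t,               /* display_value */
    int *                       /* more */
);

/* Set attribute attr on name to value. */
OM_uint32 KRB5_CALLCONV gss_set_name_attribute
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    int,                        /* complete */
    gss_buffer_t,               /* attr */
    gss_buffer_t                /* value */
);

/* Remove attribute attr from name. */
OM_uint32 KRB5_CALLCONV gss_delete_name_attribute
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    gss_buffer_t                /* attr */
);

/* Export name together with its attributes (see GSS_C_NT_COMPOSITE_EXPORT). */
OM_uint32 KRB5_CALLCONV gss_export_name_composite
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    gss_buffer_t                /* exp_composite_name */
);

/* Opaque handle for mechanism-defined name mappings. */
typedef struct gss_any *gss_any_t;

/* Map name to a mechanism-defined object identified by type_id. */
OM_uint32 KRB5_CALLCONV gss_map_name_to_any
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    int,                        /* authenticated */
    gss_buffer_t,               /* type_id */
    gss_any_t *                 /* output */
);

/* Release an object obtained from gss_map_name_to_any(). */
OM_uint32 KRB5_CALLCONV gss_release_any_name_mapping
(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* name */
    gss_buffer_t,               /* type_id */
    gss_any_t *                 /* input */
);

/* draft-josefsson-gss-capsulate */
/* Wrap input_token in the generic GSS-API token framing for token_oid. */
OM_uint32 KRB5_CALLCONV gss_encapsulate_token
(
    gss_const_buffer_t,         /* input_token */
    gss_const_OID,              /* token_oid */
    gss_buffer_t                /* output_token */
);

/* Inverse of gss_encapsulate_token(); the framing must name token_oid. */
OM_uint32 KRB5_CALLCONV gss_decapsulate_token
(
    gss_const_buffer_t,         /* input_token */
    gss_const_OID,              /* token_oid */
    gss_buffer_t                /* output_token */
);

/* Compare two OIDs; presumably nonzero when equal -- no minor_status. */
int KRB5_CALLCONV gss_oid_equal
(
    gss_const_OID,              /* first_oid */
    gss_const_OID               /* second_oid */
);

/* Credential store extensions */

/* One key/value pair of a credential store specification. */
struct gss_key_value_element_struct {
    const char *key;
    const char *value;
};
typedef struct gss_key_value_element_struct gss_key_value_element_desc;

/*
 * A credential store: count elements.  Unlike gss_buffer_set_desc, count is
 * an OM_uint32 here, not a size_t.
 */
struct gss_key_value_set_struct {
    OM_uint32 count;
    gss_key_value_element_desc *elements;
};
typedef struct gss_key_value_set_struct gss_key_value_set_desc;
typedef const gss_key_value_set_desc *gss_const_key_value_set_t;

#define GSS_C_NO_CRED_STORE ((gss_const_key_value_set_t) 0)

/* gss_acquire_cred() with an explicit credential store (cred_store). */
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_from(
    OM_uint32 *,                /* minor_status */
    gss_name_t,                 /* desired_name */
    OM_uint32,                  /* time_req */
    gss_OID_set,                /* desired_mechs */
    gss_cred_usage_t,           /* cred_usage */
    gss_const_key_value_set_t,  /* cred_store */
    gss_cred_id_t *,            /* output_cred_handle */
    gss_OID_set *,              /* actual_mechs */
    OM_uint32 *);               /* time_rec */

/* gss_add_cred() with an explicit credential store (cred_store). */
OM_uint32 KRB5_CALLCONV
gss_add_cred_from(
    OM_uint32 *,                /* minor_status */
    gss_cred_id_t,              /* input_cred_handle */
    gss_name_t,                 /* desired_name */
    gss_OID,                    /* desired_mech */
    gss_cred_usage_t,           /* cred_usage */
    OM_uint32,                  /* initiator_time_req */
    OM_uint32,                  /* acceptor_time_req */
    gss_const_key_value_set_t,  /* cred_store */
    gss_cred_id_t *,            /* output_cred_handle */
    gss_OID_set *,              /* actual_mechs */
    OM_uint32 *,                /* initiator_time_rec */
    OM_uint32 *);               /* acceptor_time_rec */

/*
 * gss_store_cred() with an explicit credential store.  overwrite_cred and
 * default_cred are OM_uint32 values used as booleans, judging by their names.
 */
OM_uint32 KRB5_CALLCONV
gss_store_cred_into(
    OM_uint32 *,                /* minor_status */
    gss_cred_id_t,              /* input_cred_handle */
    gss_cred_usage_t,           /* input_usage */
    gss_OID,                    /* desired_mech */
    OM_uint32,                  /* overwrite_cred */
    OM_uint32,                  /* default_cred */
    gss_const_key_value_set_t,  /* cred_store */
    gss_OID_set *,              /* elements_stored */
    gss_cred_usage_t *);        /* cred_usage_stored */

/*
 * A mech can make itself negotiable via NegoEx (draft-zhu-negoex) by
 * implementing the following three SPIs, and also implementing
 * gss_inquire_sec_context_by_oid() and answering the GSS_C_INQ_NEGOEX_KEY and
 * GSS_C_INQ_NEGOEX_VERIFY_KEY OIDs. The answer must be in two buffers: the
 * first contains the key contents, and the second contains the key enctype as
 * a four-byte little-endian integer.
 *
 * By default, NegoEx mechanisms will not be directly negotiated via SPNEGO.
 * If direct SPNEGO negotiation is required for interoperability, implement
 * gss_inquire_attrs_for_mech() and assert the GSS_C_MA_NEGOEX_AND_SPNEGO
 * attribute (along with any applicable RFC 5587 attributes).
 */

#define GSS_C_CHANNEL_BOUND_FLAG 2048 /* 0x00000800 */

/* Produce this mechanism's NegoEx metadata for targ_name into meta_data. */
OM_uint32 KRB5_CALLCONV
gssspi_query_meta_data(
    OM_uint32 *minor_status,
    gss_const_OID mech_oid,
    gss_cred_id_t cred_handle,
    gss_ctx_id_t *context_handle,
    const gss_name_t targ_name,
    OM_uint32 req_flags,
    gss_buffer_t meta_data);

/*
 * Consume the peer's NegoEx metadata.  meta_data arrives from the network
 * and is untrusted input; implementations must bounds-check it fully.
 */
OM_uint32 KRB5_CALLCONV
gssspi_exchange_meta_data(
    OM_uint32 *minor_status,
    gss_const_OID mech_oid,
    gss_cred_id_t cred_handle,
    gss_ctx_id_t *context_handle,
    const gss_name_t targ_name,
    OM_uint32 req_flags,
    gss_const_buffer_t meta_data);

/*
 * Report the mechanism's 16-byte NegoEx auth scheme identifier.  The array
 * syntax decays to a pointer; the caller must supply at least 16 bytes.
 */
OM_uint32 KRB5_CALLCONV
gssspi_query_mechanism_info(
    OM_uint32 *minor_status,
    gss_const_OID mech_oid,
    unsigned char auth_scheme[16]);

GSS_DLLIMP extern gss_const_OID GSS_C_MA_NEGOEX_AND_SPNEGO;

/*
 * When used with gss_inquire_sec_context_by_oid(), return a buffer set with
 * the first member containing an unsigned 32-bit integer in network byte
 * order. This is the Security Strength Factor (SSF) associated with the
 * secure channel established by the security context. NOTE: This value is
 * made available solely as an indication for use by APIs like Cyrus SASL that
 * classify the strength of a secure channel via this number. The strength of
 * a channel cannot necessarily be represented by a simple number.
 */
GSS_DLLIMP extern gss_OID GSS_C_SEC_CONTEXT_SASL_SSF;

/*
 * The linkage block is closed after the last declaration so that
 * GSS_C_SEC_CONTEXT_SASL_SSF has C linkage for C++ consumers, like every
 * other symbol in this header.  (It previously sat outside the block, which
 * gives it C++ linkage on toolchains that decorate global variable names.)
 */
#ifdef __cplusplus
}
#endif

#endif /* GSSAPI_EXT_H_ */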