/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M% %I% %E% SMI"

/*
 * Copyright 1993 by OpenVision Technologies, Inc.
 *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appears in all copies and
 * that both that copyright notice and this permission notice appear in
 * supporting documentation, and that the name of OpenVision not be used
 * in advertising or publicity pertaining to distribution of the software
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose.  It is provided "as is" without express or implied warranty.
 *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * gssapi_krb5.h - Kerberos V5 mechanism-specific extensions to the
 * GSS-API.
 *
 * This header declares the krb5 name-type and mechanism OIDs, the
 * "lucid" security-context export (which hands the raw context keys to
 * the caller, outside the protection of the GSS layer), and a few
 * credential-cache helpers.  Everything here is outside the portable
 * GSS-API; code that uses it is tied to the krb5 mechanism.
 */

#ifndef _GSSAPI_KRB5_H_
#define _GSSAPI_KRB5_H_

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
#include <krb5.h>

/*
 * SUNW15resync
 * GSS_DLLIMP is an export/import decoration used on other platforms;
 * it is defined away here when the including build does not provide it.
 */
#ifndef GSS_DLLIMP
#define GSS_DLLIMP
#endif

/* C++ friendliness */
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

/*
 * Reserved static storage for GSS_oids.  See rfc 1964 for more details.
 *
 * The section numbers below refer to RFC 1964.  The name-type OID tells
 * gss_import_name() how to parse the name string, so a caller should
 * pass the OID that matches the form the string actually has rather
 * than rely on a default.
 */

/* 2.1.1. Kerberos Principal Name Form: */
GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */

/* 2.1.2. Host-Based Service Name Form */
#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME	GSS_C_NT_HOSTBASED_SERVICE
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) service_name(4)}.  The previously recommended symbolic
 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
 * currently preferred symbolic name for this type is
 * "GSS_C_NT_HOSTBASED_SERVICE".  The krb5-specific macro is kept only
 * as a compatibility alias for the generic OID. */

/* 2.2.1. User Name Form */
#define GSS_KRB5_NT_USER_NAME			GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) user_name(1)}.  The recommended symbolic name for this
 * type is "GSS_KRB5_NT_USER_NAME". */

/* 2.2.2. Machine UID Form */
#define GSS_KRB5_NT_MACHINE_UID_NAME		GSS_C_NT_MACHINE_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */

/* 2.2.3. String UID Form */
#define GSS_KRB5_NT_STRING_UID_NAME		GSS_C_NT_STRING_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) string_uid_name(3)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_STRING_UID_NAME".
*/

/*
 * Mechanism OIDs and OID sets.
 *
 * gss_mech_krb5 is the krb5 mechanism OID.  gss_mech_krb5_old and
 * gss_mech_krb5_wrong are presumably the legacy and mis-encoded
 * variants of it that some peers still emit, and the *_both set is
 * presumably the union used when either must be accepted -- this
 * header does not say which is which.  NOTE(review): check the OID
 * definitions before deciding to accept the _old/_wrong forms from
 * untrusted peers; accepting more OIDs widens what a peer can select.
 */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;

/* krb5 name-type OIDs (see the RFC 1964 name forms above). */
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;

/* Backing storage for the OID constants above; size is not fixed here. */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];

/*
 * Compatibility aliases for older symbol names.  The gss_nt_* targets
 * not declared in this file are presumably supplied by <gssapi/gssapi.h>.
 */
#define gss_krb5_nt_general_name	gss_nt_krb5_name
#define gss_krb5_nt_principal		gss_nt_krb5_principal
#define gss_krb5_nt_service_name	gss_nt_service_name
#define gss_krb5_nt_user_name		gss_nt_user_name
#define gss_krb5_nt_machine_uid_name	gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name	gss_nt_string_uid_name


/*
 * gss_uint64 - 64-bit unsigned integer used for the sequence numbers
 * in the lucid context.  Windows has no <inttypes.h>; the kernel build
 * gets uint64_t from <sys/inttypes.h>, userland from <inttypes.h>.
 */
#if defined(_WIN32)
typedef unsigned __int64 gss_uint64;
#else /*windows*/

#ifdef _KERNEL
#include <sys/inttypes.h>
#else /* _KERNEL */
#include <inttypes.h>
#endif /* _KERNEL */

typedef uint64_t gss_uint64;
#endif


/*
 * A single raw Kerberos key as handed out by the lucid context export.
 *
 * 'data' points at 'length' bytes of unencrypted key material.  Once
 * exported it is the caller's key to protect: keep it out of logs and
 * error messages, and if it is copied elsewhere, scrub that copy when
 * it is no longer needed (the free routine below can only release what
 * it allocated itself).
 */
typedef struct gss_krb5_lucid_key {
	OM_uint32	type;		/* key encryption type */
	OM_uint32	length;		/* length of key data */
	void *		data;		/* actual key data */
} gss_krb5_lucid_key_t;

/*
 * Key data for a context using the RFC 1964 token format
 * (gss_krb5_lucid_context_v1.protocol == 0).
 */
typedef struct gss_krb5_rfc1964_keydata {
	OM_uint32	sign_alg;	/* signing algorithm */
	OM_uint32	seal_alg;	/* seal/encrypt algorithm */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;

/*
 * Key data for a context using the CFX token format
 * (gss_krb5_lucid_context_v1.protocol == 1).
 *
 * Consumers must check have_acceptor_subkey before using
 * acceptor_subkey; when it is 0 the acceptor_subkey fields are zero,
 * not a usable key.
 */
typedef struct gss_krb5_cfx_keydata {
	OM_uint32		have_acceptor_subkey;
					/* 1 if there is an acceptor_subkey
					   present, 0 otherwise */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
	gss_krb5_lucid_key_t	acceptor_subkey;
					/* acceptor-asserted subkey or
					   0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;

/*
 * Version 1 of the lucid (non-opaque) security context returned by
 * gss_krb5_export_lucid_sec_context().
 *
 * 'version' must stay the first member: callers identify the structure
 * version by reading it through gss_krb5_lucid_context_version_t before
 * casting to this type.
 *
 * NOTE(review): once the context has been exported the GSS layer no
 * longer mediates use of these keys (the original context handle may
 * already be released), so 'endtime' is only enforced if the consumer
 * of the keys checks it itself -- confirm this against the consumer.
 */
typedef struct gss_krb5_lucid_context_v1 {
	OM_uint32	version;	/* Structure version number (1)
					   MUST be at beginning of struct! */
	OM_uint32	initiate;	/* Are we the initiator? */
	OM_uint32	endtime;	/* expiration time of context */
	gss_uint64	send_seq;	/* sender sequence number */
	gss_uint64	recv_seq;	/* receive sequence number */
	OM_uint32	protocol;	/* 0: rfc1964,
					   1: draft-ietf-krb-wg-gssapi-cfx-07 */
	/*
	 * Exactly one of the two key-data members is meaningful, selected
	 * by 'protocol'; the other is invalid and should be all zero:
	 *   if (protocol == 0) rfc1964_kd should be used
	 *     and cfx_kd contents are invalid and should be zero
	 *   if (protocol == 1) cfx_kd should be used
	 *     and rfc1964_kd contents are invalid and should be zero
	 */
	gss_krb5_rfc1964_keydata_t rfc1964_kd;
	gss_krb5_cfx_keydata_t	cfx_kd;
} gss_krb5_lucid_context_v1_t;

/*
 * Mask for determining the returned structure version.
 * Every lucid context version begins with this member, so a caller can
 * cast the void * returned by gss_krb5_export_lucid_sec_context() to
 * this type, read 'version', and only then cast to the real structure.
 * See example below for usage.
 */
typedef struct gss_krb5_lucid_context_version {
	OM_uint32	version;	/* Structure version number */
} gss_krb5_lucid_context_version_t;




/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Registers the identity (presumably a keytab name, as the Heimdal
 * alias suggests -- the parameter is unnamed here, so confirm against
 * the implementation) that the krb5 mechanism uses when accepting
 * contexts.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);

/*
 * SUNW15resync
 * The name has changed (_krb5_ to _krb5int_) in MIT's
 * get_tkt_flags.c but did not change here
 * ...a bug I assume so we change it here.
 *
 * Retrieves the Kerberos ticket flags of the ticket behind the given
 * established context into *ticket_flags.  Returns a GSS major status;
 * *minor_status receives the mechanism-specific status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags
	(OM_uint32 *minor_status,
	 gss_ctx_id_t context_handle,
	 krb5_flags *ticket_flags);

/*
 * Copies the credentials held by cred_handle into out_ccache (as the
 * parameter names indicate; the exact set copied is not specified
 * here).  The copy carries the same tickets and keys as the original
 * and must be protected accordingly.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
	(OM_uint32 *minor_status,
	 gss_cred_id_t cred_handle,
	 krb5_ccache out_ccache);

/*
 * Sets the credential cache name used by the krb5 mechanism to 'name'
 * and, if out_name is non-NULL, returns the name it replaces in
 * *out_name (the ownership and lifetime of *out_name are not stated
 * here -- check the implementation before freeing or retaining it).
 * NOTE(review): the name selects which credentials this process
 * authenticates with; do not derive it from untrusted input.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
	(OM_uint32 *minor_status, const char *name,
	 const char **out_name);

/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * 'ktypes' points at 'num_ktypes' enctype values.  Whether the array
 * is copied or referenced after the call is not stated here.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * Because any enctype listed here can become the subkey that is
 * actually exported and used, the list should contain only enctypes
 * the consumer considers strong enough; listing a weak enctype is an
 * invitation to negotiate down to it.
 *
 * Returns a GSS major status; *minor_status receives the
 * mechanism-specific status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
				gss_cred_id_t cred,
				OM_uint32 num_ktypes,
				krb5_enctype *ktypes);

/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call.  The GSS implementation is free to release any
 * resources associated with the original context.
It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data.  The caller should treat the returned
 * lucid context as read-only.
 *
 * The returned structure contains the raw context keys (see
 * gss_krb5_lucid_key_t).  From this point the caller, not the GSS
 * layer, is responsible for protecting them: do not log or dump the
 * structure, and release it as soon as the keys have been consumed.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() (declared
 * below) to free the context and allocated resources when it is
 * finished with it.
 *
 * 'version' is an integer indicating the highest version of lucid
 * context understood by the caller.  The highest version
 * understood by both the caller and the GSS implementation must
 * be returned.  The caller can determine which version of the
 * structure was actually returned by examining the version field
 * of the returned structure.  gss_krb5_lucid_context_version_t
 * may be used as a mask to examine the returned structure version.
 * That version check is the only thing that makes the subsequent
 * cast safe; never cast *kctx to a versioned structure type without
 * performing it.
 *
 * If there are no common versions, an error should be returned.
 * (XXX Need error definition(s))
 *
 * For example (assumes ctx_handle already refers to an established
 * context):
 *	void *return_ctx;
 *	gss_krb5_lucid_context_v1_t *ctx;
 *	OM_uint32 min_stat, maj_stat;
 *	OM_uint32 vers;
 *	gss_ctx_id_t *ctx_handle;
 *
 *	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *			ctx_handle, 1, &return_ctx);
 *	// Verify success
 *
 *	vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
 *	switch (vers) {
 *	case 1:
 *		ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 *		break;
 *	default:
 *		// Error, unknown version returned
 *		break;
 *	}
 *
 * Parameters:
 *   minor_status   - receives the mechanism-specific status.
 *   context_handle - pointer to the established context; must not be
 *                    used again after this call.
 *   version        - highest lucid structure version the caller
 *                    understands.
 *   kctx           - receives the exported structure; examine its
 *                    version member first.
 * Returns a GSS major status.
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
				  gss_ctx_id_t *context_handle,
				  OM_uint32 version,
				  void **kctx);

/*
 * Frees the allocated storage associated with an
 * exported lucid context (e.g. a gss_krb5_lucid_context_v1_t)
 * obtained from gss_krb5_export_lucid_sec_context().
 *
 * Whether the key bytes are scrubbed before release is not specified
 * here; a caller that copied key material out of the structure must
 * scrub that copy itself.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
				void *kctx);


#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif /* _GSSAPI_KRB5_H_ */