1/* This is the gssapi_krb5.h prologue. */ 2#include <stdint.h> 3/* End of gssapi_krb5.h prologue. */ 4/* -*- mode: c; indent-tabs-mode: nil -*- */ 5/* 6 * Copyright 1993 by OpenVision Technologies, Inc. 7 * 8 * Permission to use, copy, modify, distribute, and sell this software 9 * and its documentation for any purpose is hereby granted without fee, 10 * provided that the above copyright notice appears in all copies and 11 * that both that copyright notice and this permission notice appear in 12 * supporting documentation, and that the name of OpenVision not be used 13 * in advertising or publicity pertaining to distribution of the software 14 * without specific, written prior permission. OpenVision makes no 15 * representations about the suitability of this software for any 16 * purpose. It is provided "as is" without express or implied warranty. 17 * 18 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 19 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 20 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 21 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF 22 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 23 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 24 * PERFORMANCE OF THIS SOFTWARE. 25 */ 26 27#ifndef _GSSAPI_KRB5_H_ 28#define _GSSAPI_KRB5_H_ 29 30#include "mit-gssapi.h" 31#include "mit-krb5.h" 32 33/* C++ friendlyness */ 34#ifdef __cplusplus 35extern "C" { 36#endif /* __cplusplus */ 37 38/* Reserved static storage for GSS_oids. See rfc 1964 for more details. */ 39 40/* 2.1.1. Kerberos Principal Name Form: */ 41GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME; 42/* This name form shall be represented by the Object Identifier {iso(1) 43 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) 44 * krb5(2) krb5_name(1)}. 
The recommended symbolic name for this type 45 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */ 46 47/* 2.1.2. Host-Based Service Name Form */ 48#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE 49/* This name form shall be represented by the Object Identifier {iso(1) 50 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) 51 * generic(1) service_name(4)}. The previously recommended symbolic 52 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The 53 * currently preferred symbolic name for this type is 54 * "GSS_C_NT_HOSTBASED_SERVICE". */ 55 56/* 2.2.1. User Name Form */ 57#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME 58/* This name form shall be represented by the Object Identifier {iso(1) 59 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) 60 * generic(1) user_name(1)}. The recommended symbolic name for this 61 * type is "GSS_KRB5_NT_USER_NAME". */ 62 63/* 2.2.2. Machine UID Form */ 64#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME 65/* This name form shall be represented by the Object Identifier {iso(1) 66 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) 67 * generic(1) machine_uid_name(2)}. The recommended symbolic name for 68 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */ 69 70/* 2.2.3. String UID Form */ 71#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME 72/* This name form shall be represented by the Object Identifier {iso(1) 73 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) 74 * generic(1) string_uid_name(3)}. The recommended symbolic name for 75 * this type is "GSS_KRB5_NT_STRING_UID_NAME". 
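*/

/*
 * Mechanism and name-type OIDs exported by the krb5 mechanism.
 * gss_mech_krb5 is the primary mechanism OID; gss_mech_krb5_old and
 * gss_mech_krb5_wrong are alternate encodings accepted for
 * interoperability (NOTE(review): presumably the pre-RFC 1964 OID and
 * the misencoded variant -- confirm against their definitions).
 * gss_mech_set_krb5_both bundles krb5 and krb5_old into one OID set.
 */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;

GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;

/* Static storage backing the OIDs above (do not modify). */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];

/* Legacy aliases kept for source compatibility with older callers. */
#define gss_krb5_nt_general_name        gss_nt_krb5_name
#define gss_krb5_nt_principal           gss_nt_krb5_principal
#define gss_krb5_nt_service_name        gss_nt_service_name
#define gss_krb5_nt_user_name           gss_nt_user_name
#define gss_krb5_nt_machine_uid_name    gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name     gss_nt_string_uid_name


/* 64-bit unsigned type used for sequence numbers in the lucid context. */
#if defined(_WIN32)
typedef unsigned __int64        gss_uint64;
#else /*windows*/
#include <inttypes.h>
typedef uint64_t        gss_uint64;
#endif


/*
 * A raw Kerberos key as handed to the caller by the lucid-context export.
 *
 * SECURITY: 'data' points at live key material (a session key or subkey).
 * Treat it as a secret: never log it, keep it out of crash dumps where
 * possible, release it with gss_krb5_free_lucid_sec_context(), and
 * zeroize any private copy you make of it before freeing that copy.
 */
typedef struct gss_krb5_lucid_key {
    OM_uint32   type;           /* key encryption type (krb5 enctype) */
    OM_uint32   length;         /* length of key data, in bytes */
    void *      data;           /* actual key data */
} gss_krb5_lucid_key_t;

/* Key data for a context negotiated with the RFC 1964 token format. */
typedef struct gss_krb5_rfc1964_keydata {
    OM_uint32   sign_alg;       /* signing algorithm */
    OM_uint32   seal_alg;       /* seal/encrypt algorithm */
    gss_krb5_lucid_key_t ctx_key;
                                /* Context key
                                   (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;

/*
 * Key data for a context negotiated with the CFX token format.
 * Callers must check have_acceptor_subkey before using acceptor_subkey;
 * when it is 0 the acceptor_subkey fields are zero, not a valid key.
 */
typedef struct gss_krb5_cfx_keydata {
    OM_uint32   have_acceptor_subkey;
                                /* 1 if there is an acceptor_subkey
                                   present, 0 otherwise */
    gss_krb5_lucid_key_t ctx_key;
                                /* Context key
                                   (Kerberos session key or subkey) */
    gss_krb5_lucid_key_t acceptor_subkey;
                                /* acceptor-asserted subkey or
                                   0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;

/*
 * Version 1 of the lucid (non-opaque) security context.
 *
 * The caller must confirm 'version' == 1 (e.g. through
 * gss_krb5_lucid_context_version_t) before interpreting the remaining
 * fields; 'protocol' then selects which of rfc1964_kd / cfx_kd is live.
 */
typedef struct gss_krb5_lucid_context_v1 {
    OM_uint32       version;    /* Structure version number (1)
                                   MUST be at beginning of struct! */
    OM_uint32       initiate;   /* Are we the initiator? */
    OM_uint32       endtime;    /* expiration time of context.
                                   NOTE(review): 32-bit; if this is seconds
                                   since the epoch it wraps in 2038 --
                                   confirm before comparing with time_t */
    gss_uint64      send_seq;   /* sender sequence number */
    gss_uint64      recv_seq;   /* receive sequence number */
    OM_uint32       protocol;   /* 0: rfc1964,
                                   1: draft-ietf-krb-wg-gssapi-cfx-07
                                      (the CFX draft that became RFC 4121) */
    /*
     * if (protocol == 0) rfc1964_kd should be used
     * and cfx_kd contents are invalid and should be zero
     * if (protocol == 1) cfx_kd should be used
     * and rfc1964_kd contents are invalid and should be zero
     */
    gss_krb5_rfc1964_keydata_t rfc1964_kd;
    gss_krb5_cfx_keydata_t     cfx_kd;
} gss_krb5_lucid_context_v1_t;

/*
 * Mask for determining the returned structure version.
 * Every lucid context version starts with this OM_uint32, so a returned
 * pointer may always be read through this type first.
 * See example below for usage.
 */
typedef struct gss_krb5_lucid_context_version {
    OM_uint32       version;    /* Structure version number */
} gss_krb5_lucid_context_version_t;


/*
 * Key returned by apple_gss_krb5_export_authdata_if_relevant_context().
 * Field-for-field identical in layout to gss_krb5_lucid_key_t; the same
 * secrecy handling applies to 'data'.  Note that, unlike the lucid
 * context, this structure carries no leading version field.
 */
typedef struct apple_gss_krb5_authdata_if_relevant_key {
    OM_uint32   type;           /* key encryption type */
    OM_uint32   length;         /* length of key data, in bytes */
    void *      data;           /* actual key data */
} apple_gss_krb5_authdata_if_relevant;


/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Registers the acceptor identity used by the krb5 mechanism.
 * 'identity' is a string naming that identity (NOTE(review): presumably a
 * keytab path, as in the Heimdal function it aliases -- confirm).
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *identity);

/*
 * Returns in *ticket_flags the Kerberos ticket flags of the ticket
 * underlying 'context_handle'.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
    OM_uint32 *minor_status,
    gss_ctx_id_t context_handle,
    krb5_flags *ticket_flags);

/*
 * Copies the credentials behind 'cred_handle' into the caller-provided
 * credential cache 'out_ccache'.  The cache then holds the same
 * credentials as the handle; protect it accordingly.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
    OM_uint32 *minor_status,
    gss_cred_id_t cred_handle,
    krb5_ccache out_ccache);

/*
 * Sets the credential cache name used by the mechanism to 'name'.
 * 'out_name', if non-NULL, receives a pointer to the previously set name.
 * NOTE(review): the lifetime and ownership of *out_name are not specified
 * here -- confirm before retaining the pointer across further calls.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
    OM_uint32 *minor_status, const char *name,
    const char **out_name);

/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * 'ktypes' points to 'num_ktypes' enctype values.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * SECURITY: the list is a downgrade control.  Listing a weak or
 * deprecated enctype here makes it negotiable for the subkey; list only
 * enctypes the consumer of the exported keys is required to support.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
                                gss_cred_id_t cred,
                                OM_uint32 num_ktypes,
                                krb5_enctype *ktypes);

/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call.  The GSS implementation is free to release any
 * resources associated with the original context.  It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data.  The caller should treat the returned
 * lucid context as read-only.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
 * The returned structure contains raw key material; see the
 * gss_krb5_lucid_key_t notes above.
 *
 * 'version' is an integer indicating the highest version of lucid
 * context understood by the caller.  The highest version
 * understood by both the caller and the GSS implementation must
 * be returned.  The caller can determine which version of the
 * structure was actually returned by examining the version field
 * of the returned structure.  gss_krb5_lucid_context_version_t
 * may be used as a mask to examine the returned structure version.
 *
 * If there are no common versions, an error should be returned.
 * (XXX Need error definition(s))
 *
 * For example:
 *      void *return_ctx;
 *      gss_krb5_lucid_context_v1_t *ctx;
 *      OM_uint32 min_stat, maj_stat;
 *      OM_uint32 vers;
 *      gss_ctx_id_t ctx_handle = ...;   // an established context
 *
 *      maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *                      &ctx_handle, 1, &return_ctx);
 *      // Verify success before touching return_ctx
 *
 *      vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
 *      switch (vers) {
 *      case 1:
 *              ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 *              break;
 *      default:
 *              // Error, unknown version returned
 *              break;
 *      }
 *
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
                                  gss_ctx_id_t *context_handle,
                                  OM_uint32 version,
                                  void **kctx);



/*
 * Returns a non-opaque version of the authdata-if-relevant key
 * associated with the internal context, as an
 * apple_gss_krb5_authdata_if_relevant structure in *kctx.
 *
 * Note that context_handle must not be used again by the caller
 * after this call.  The GSS implementation is free to release any
 * resources associated with the original context.  It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data.  The caller should treat the returned
 * structure as read-only; its 'data' field is key material.
 *
 * The caller must call apple_gss_krb5_free_authdata_if_relevant() to
 * free the structure and allocated resources when it is finished
 * with it.
 *
 * 'version' is an integer indicating the highest version of the
 * structure understood by the caller.  The highest version
 * understood by both the caller and the GSS implementation must
 * be returned.
 * NOTE(review): apple_gss_krb5_authdata_if_relevant carries no version
 * field, so the caller cannot probe the returned version the way the
 * lucid context allows -- confirm the intended contract for 'version'.
 *
 * If there are no common versions, an error should be returned.
 * (XXX Need error definition(s))
 *
 */

OM_uint32 KRB5_CALLCONV
apple_gss_krb5_export_authdata_if_relevant_context(OM_uint32 *minor_status,
                                                   gss_ctx_id_t *context_handle,
                                                   OM_uint32 version,
                                                   void **kctx);

/*
 * Frees the allocated storage associated with an
 * exported struct apple_gss_krb5_authdata_if_relevant.
 * 'kctx' is the pointer returned in *kctx by
 * apple_gss_krb5_export_authdata_if_relevant_context().
 */
OM_uint32 KRB5_CALLCONV
apple_gss_krb5_free_authdata_if_relevant(OM_uint32 *minor_status,
                                         void *kctx);



/*
 * Frees the allocated storage associated with an
 * exported struct gss_krb5_lucid_context.
 * 'kctx' is the pointer returned in *kctx by
 * gss_krb5_export_lucid_sec_context().
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
                                void *kctx);

/* Values accepted for the 'flag' argument of gss_krb5_ui(). */
#define GSS_KRB5_UI_ALLOW 1
#define GSS_KRB5_UI_DENY  2
#define GSS_KRB5_UI_PROBE 3

/*
 * Sets or probes the mechanism's "UI" setting; 'flag' is one of
 * GSS_KRB5_UI_ALLOW, GSS_KRB5_UI_DENY or GSS_KRB5_UI_PROBE.
 * NOTE(review): what the setting controls is not documented here.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_ui(OM_uint32 *minor_status, OM_uint32 flag);

#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif /* _GSSAPI_KRB5_H_ */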