1 /*
2  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 /*
6  * Copyright 1993 by OpenVision Technologies, Inc.
7  *
8  * Permission to use, copy, modify, distribute, and sell this software
9  * and its documentation for any purpose is hereby granted without fee,
10  * provided that the above copyright notice appears in all copies and
11  * that both that copyright notice and this permission notice appear in
12  * supporting documentation, and that the name of OpenVision not be used
13  * in advertising or publicity pertaining to distribution of the software
14  * without specific, written prior permission. OpenVision makes no
15  * representations about the suitability of this software for any
16  * purpose.  It is provided "as is" without express or implied warranty.
17  *
18  * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
19  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
20  * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
21  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
22  * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
23  * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
24  * PERFORMANCE OF THIS SOFTWARE.
25  */
26 
27 #ifndef _GSSAPI_KRB5_H_
28 #define _GSSAPI_KRB5_H_
29 
30 #include <gssapi/gssapi.h>
31 #include <gssapi/gssapi_ext.h>
32 #include <krb5.h>
33 
34 /* SUNW15resync */
35 #ifndef GSS_DLLIMP
36 #define GSS_DLLIMP
37 #endif
38 
/* C++ friendliness */
40 #ifdef __cplusplus
41 extern "C" {
42 #endif /* __cplusplus */
43 
44 /* Reserved static storage for GSS_oids.  See rfc 1964 for more details. */
45 
46 /* 2.1.1. Kerberos Principal Name Form: */
47 GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
48 /* This name form shall be represented by the Object Identifier {iso(1)
49  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
50  * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
51  * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
52 
53 /* 2.1.2. Host-Based Service Name Form */
54 #define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
55 /* This name form shall be represented by the Object Identifier {iso(1)
56  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
57  * generic(1) service_name(4)}.  The previously recommended symbolic
58  * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
59  * currently preferred symbolic name for this type is
60  * "GSS_C_NT_HOSTBASED_SERVICE". */
61 
62 /* 2.2.1. User Name Form */
63 #define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
64 /* This name form shall be represented by the Object Identifier {iso(1)
65  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
66  * generic(1) user_name(1)}.  The recommended symbolic name for this
67  * type is "GSS_KRB5_NT_USER_NAME". */
68 
69 /* 2.2.2. Machine UID Form */
70 #define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
71 /* This name form shall be represented by the Object Identifier {iso(1)
72  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
73  * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
74  * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */
75 
76 /* 2.2.3. String UID Form */
77 #define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
78 /* This name form shall be represented by the Object Identifier {iso(1)
79  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
80  * generic(1) string_uid_name(3)}.  The recommended symbolic name for
81  * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
82 
/*
 * Mechanism OIDs and OID sets exported by the krb5 GSS mechanism.  The
 * OID values themselves live in the implementation, not in this header.
 * gss_mech_krb5 is the Kerberos V5 mechanism OID of RFC 1964;
 * gss_mech_krb5_old and gss_mech_krb5_wrong are presumably the legacy
 * pre-RFC and mis-encoded OIDs kept for interoperability — confirm
 * against the implementation before accepting either one deliberately.
 */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
/* OID sets: the current mechanism alone, the old one alone, and both. */
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;

/* Name-type OIDs specific to this mechanism. */
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;

/* Backing storage for the OIDs above (the pointers presumably index into it). */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
94 
/*
 * Older gss_krb5_nt_* spellings kept as aliases of the gss_nt_* names.
 * gss_nt_service_name, gss_nt_user_name, gss_nt_machine_uid_name and
 * gss_nt_string_uid_name are not declared in this header; they are
 * expected to come from <gssapi/gssapi.h>.
 */
#define gss_krb5_nt_general_name	gss_nt_krb5_name
#define gss_krb5_nt_principal		gss_nt_krb5_principal
#define gss_krb5_nt_service_name	gss_nt_service_name
#define gss_krb5_nt_user_name		gss_nt_user_name
#define gss_krb5_nt_machine_uid_name	gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name	gss_nt_string_uid_name
101 
102 
/*
 * 64-bit unsigned type used for the lucid-context sequence numbers
 * (send_seq / recv_seq below).  On Windows the native unsigned __int64
 * is used, presumably because the targeted toolchain lacked
 * <inttypes.h>; everywhere else uint64_t comes from the kernel or
 * userland <inttypes.h>.
 */
#if defined(_WIN32)
typedef  unsigned __int64 gss_uint64;
#else /*windows*/

#ifdef _KERNEL
#include <sys/inttypes.h>	/* kernel build: libc headers unavailable */
#else /* _KERNEL */
#include <inttypes.h>
#endif /* _KERNEL */

typedef  uint64_t gss_uint64;
#endif
115 
116 
/*
 * One raw Kerberos key as exposed in a lucid context.  data points at
 * the key bytes themselves, so any lucid context holding one of these
 * carries live secret material: release it only through
 * gss_krb5_free_lucid_sec_context(), and do not copy or log it.
 */
typedef struct gss_krb5_lucid_key {
	OM_uint32	type;		/* key encryption type (presumably a krb5_enctype value) */
	OM_uint32	length;		/* length of key data (presumably a byte count) */
	void *		data;		/* actual key data */
} gss_krb5_lucid_key_t;
122 
/*
 * Key material for an RFC 1964 context (gss_krb5_lucid_context_v1_t
 * with protocol == 0).  Only valid when that protocol is selected.
 */
typedef struct gss_krb5_rfc1964_keydata {
	OM_uint32	sign_alg;	/* signing algorithm */
	OM_uint32	seal_alg;	/* seal/encrypt algorithm */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
130 
/*
 * Key material for a CFX context (gss_krb5_lucid_context_v1_t with
 * protocol == 1).  When have_acceptor_subkey is 1, acceptor_subkey is
 * filled in (per RFC 4121 that subkey is the one used for per-message
 * tokens — confirm against the implementation); otherwise it is all
 * zeros and only ctx_key is meaningful.
 */
typedef struct gss_krb5_cfx_keydata {
	OM_uint32		have_acceptor_subkey;
					/* 1 if there is an acceptor_subkey
					   present, 0 otherwise */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
	gss_krb5_lucid_key_t	acceptor_subkey;
					/* acceptor-asserted subkey or
					   0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;
142 
/*
 * Version 1 of the non-opaque ("lucid") context returned by
 * gss_krb5_export_lucid_sec_context().  version is the first member so
 * that gss_krb5_lucid_context_version_t can be overlaid on any version
 * of the structure.  Exactly one of rfc1964_kd / cfx_kd is valid,
 * selected by protocol; the other is expected to be all zeros.  Both
 * contain raw key bytes (see gss_krb5_lucid_key_t).
 */
typedef struct gss_krb5_lucid_context_v1 {
	OM_uint32	version;	/* Structure version number (1)
					   MUST be at beginning of struct! */
	OM_uint32	initiate;	/* Are we the initiator? */
	OM_uint32	endtime;	/* expiration time of context */
	gss_uint64	send_seq;	/* sender sequence number */
	gss_uint64	recv_seq;	/* receive sequence number */
	OM_uint32	protocol;	/* 0: rfc1964,
					   1: draft-ietf-krb-wg-gssapi-cfx-07
					      (later published as RFC 4121) */
	/*
	 * if (protocol == 0) rfc1964_kd should be used
	 * and cfx_kd contents are invalid and should be zero
	 * if (protocol == 1) cfx_kd should be used
	 * and rfc1964_kd contents are invalid and should be zero
	 */
	gss_krb5_rfc1964_keydata_t rfc1964_kd;
	gss_krb5_cfx_keydata_t	   cfx_kd;
} gss_krb5_lucid_context_v1_t;
161 
/*
 * Version prefix common to every lucid context layout.  Because version
 * is the first member of gss_krb5_lucid_context_v1_t (and must stay
 * first in any later layout), the pointer returned by
 * gss_krb5_export_lucid_sec_context() can be read through this type to
 * pick the correct full structure.  See the example above that function.
 */
typedef struct gss_krb5_lucid_context_version {
	OM_uint32	version;	/* Structure version number */
} gss_krb5_lucid_context_version_t;
169 
170 
171 
172 
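/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Registers the identity an acceptor authenticates with.  The argument
 * is presumably the name/path of the keytab to use instead of the
 * default keytab — confirm against the implementation.  Returns a GSS
 * major status; this call reports no minor status.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *keytab);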
177 
/*
 * Copies the Kerberos credentials behind cred_handle into the
 * caller-supplied out_ccache, presumably so they can be used through the
 * krb5 API directly.  The copy places tickets and their session keys in
 * out_ccache, so that cache needs the same protection as the original.
 * Whether existing cache contents are replaced or added to is not
 * visible here — check the implementation.  Returns a GSS major status
 * with mechanism detail in *minor_status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
	(OM_uint32 *minor_status,
		   gss_cred_id_t cred_handle,
		   krb5_ccache out_ccache);
182 
/*
 * Sets the credential cache name the krb5 mechanism will use (name) and,
 * when out_name is non-NULL, presumably returns the previously set name
 * through *out_name.  Ownership and lifetime of that returned string are
 * not visible here — confirm against the implementation before freeing
 * or retaining it.  This is presumably process-wide rather than
 * per-credential state; if so, threaded callers need to serialize its
 * use.  Returns a GSS major status with mechanism detail in
 * *minor_status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
	(OM_uint32 *minor_status, const char *name,
		   const char **out_name);
186 
/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * Because the array is the bound on subkey strength for the life of
 * the context, a weak enctype listed in 'ktypes' is one the peer may
 * end up negotiating; list only enctypes acceptable for the exported
 * keys.
 *
 * minor_status: mechanism-specific status on failure.
 * cred:         credential to restrict (see above).
 * num_ktypes:   number of entries in ktypes.
 * ktypes:       array of acceptable krb5 enctypes.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
				gss_cred_id_t cred,
				OM_uint32 num_ktypes,
				krb5_enctype *ktypes);
215 
/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call.  The GSS implementation is free to release any
 * resources associated with the original context.  It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data.  The caller should treat the returned
 * lucid context as read-only.
 *
 * The returned structure contains raw key bytes (gss_krb5_lucid_key_t
 * members); the caller is now responsible for keeping that material
 * confidential.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
 *
 * 'version' is an integer indicating the highest version of lucid
 * context understood by the caller.  The highest version
 * understood by both the caller and the GSS implementation must
 * be returned.  The caller can determine which version of the
 * structure was actually returned by examining the version field
 * of the returned structure.  gss_krb5_lucid_context_version_t
 * may be used as a mask to examine the returned structure version.
 *
 * If there are no common versions, an error should be returned.
 * (XXX Need error definition(s))
 *
 * For example:
 *	void *return_ctx;
 *	gss_krb5_lucid_context_v1_t *ctx;
 *	OM_uint32 min_stat, maj_stat;
 *	OM_uint32 vers;
 *	gss_ctx_id_t ctx_handle;	// an established context
 *
 *	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *			&ctx_handle, 1, &return_ctx);
 *	// Verify success
 *
 *	vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
 *	switch (vers) {
 *	case 1:
 *		ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 *		break;
 *	default:
 *		// Error, unknown version returned
 *		break;
 *	}
 *
 * minor_status:   mechanism-specific status on failure.
 * context_handle: context to export; not usable afterwards (see above).
 * version:        highest lucid context version the caller understands.
 * kctx:           receives the lucid context (read through
 *                 gss_krb5_lucid_context_version_t to find its version).
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
				  gss_ctx_id_t *context_handle,
				  OM_uint32 version,
				  void **kctx);
269 
/*
 * Frees the storage returned in *kctx by
 * gss_krb5_export_lucid_sec_context() (a gss_krb5_lucid_context_v1_t or
 * a later layout).  Because that structure holds raw key bytes it must
 * be released through this function, never with free(); whether the key
 * material is scrubbed before release is not visible here — confirm in
 * the implementation.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
				void *kctx);
277 
278 
/*
 * Retrieves the Kerberos authorization-data element(s) of type ad_type
 * from an established context into ad_data (presumably released by the
 * caller with gss_release_buffer()).  NOTE(review): the provenance of
 * the data — KDC-issued ticket versus client-supplied authenticator —
 * is not visible from this declaration; do not base authorization
 * decisions on an ad_type unless the implementation guarantees it was
 * protected by the KDC — confirm before use.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                            int ad_type,
                                            gss_buffer_t ad_data);
284 
/*
 * Associates the replay cache rcache with credential cred, presumably so
 * an acceptor using cred checks incoming authenticators against that
 * cache instead of the default one.  Ownership of rcache after the call
 * (whether the credential closes it) is not visible here — confirm.
 * Returns a GSS major status with mechanism detail in *minor_status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
                         gss_cred_id_t cred,
                         krb5_rcache rcache);
289 
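/*
 * Returns, in *authtime, the authentication time associated with the
 * established context (presumably the authtime field of the ticket that
 * created it — confirm against the implementation).  Returns a GSS
 * major status with mechanism detail in *minor_status.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
					  gss_ctx_id_t context_handle,
					  krb5_timestamp *authtime);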
292 
293 
294 #ifdef __cplusplus
295 }
296 #endif /* __cplusplus */
297 
298 #endif /* _GSSAPI_KRB5_H_ */
299