1 /* 2 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 7 /* 8 * Copyright 2000 by the Massachusetts Institute of Technology. 9 * All Rights Reserved. 10 * 11 * Export of this software from the United States of America may 12 * require a specific license from the United States Government. 13 * It is the responsibility of any person or organization contemplating 14 * export to obtain such a license before exporting. 15 * 16 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 17 * distribute this software and its documentation for any purpose and 18 * without fee is hereby granted, provided that the above copyright 19 * notice appear in all copies and that both that copyright notice and 20 * this permission notice appear in supporting documentation, and that 21 * the name of M.I.T. not be used in advertising or publicity pertaining 22 * to distribution of the software without specific, written prior 23 * permission. Furthermore if you modify this software you must label 24 * your software as modified software and not distribute it in such a 25 * fashion that it might be confused with the original M.I.T. software. 26 * M.I.T. makes no representations about the suitability of 27 * this software for any purpose. It is provided "as is" without express 28 * or implied warranty. 29 * 30 */ 31 /* 32 * Copyright 1993 by OpenVision Technologies, Inc. 33 * 34 * Permission to use, copy, modify, distribute, and sell this software 35 * and its documentation for any purpose is hereby granted without fee, 36 * provided that the above copyright notice appears in all copies and 37 * that both that copyright notice and this permission notice appear in 38 * supporting documentation, and that the name of OpenVision not be used 39 * in advertising or publicity pertaining to distribution of the software 40 * without specific, written prior permission. 
OpenVision makes no 41 * representations about the suitability of this software for any 42 * purpose. It is provided "as is" without express or implied warranty. 43 * 44 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 45 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 46 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 47 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF 48 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 49 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 50 * PERFORMANCE OF THIS SOFTWARE. 51 */ 52 53 #ifndef _GSSAPIP_KRB5_H_ 54 #define _GSSAPIP_KRB5_H_ 55 56 #include <k5-int.h> 57 58 #ifdef HAVE_MEMORY_H 59 #include <memory.h> 60 #endif 61 62 /* work around sunos braindamage */ 63 #ifdef major 64 #undef major 65 #endif 66 #ifdef minor 67 #undef minor 68 #endif 69 70 #include "gssapiP_generic.h" 71 72 /* The include of gssapi_krb5.h will dtrt with the above #defines in 73 * effect. 74 */ 75 #include "gssapi_krb5.h" 76 #include "gssapi_err_krb5.h" 77 #include "gssapi_ext.h" 78 79 /* for debugging */ 80 #undef CFX_EXERCISE 81 82 /** constants **/ 83 84 #define GSS_MECH_KRB5_OID_LENGTH 9 85 #define GSS_MECH_KRB5_OID "\052\206\110\206\367\022\001\002\002" 86 87 #define GSS_MECH_KRB5_OLD_OID_LENGTH 5 88 #define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002" 89 90 /* Incorrect krb5 mech OID emitted by MS. 
 * It differs from GSS_MECH_KRB5_OID only in the fourth octet (\202 instead
 * of \206).  NOTE(review): presumably recognized on input only, for
 * interoperability with peers that send it -- confirm that no code path in
 * this mechanism emits it on the wire.
 */
#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9
#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"


/*
 * Checksum type of the AP-REQ authenticator checksum defined by RFC 1964
 * section 1.1.1; that checksum carries the channel-binding hash and the
 * GSS flags (see kg_checksum_channel_bindings below).
 */
#define CKSUMTYPE_KG_CB 0x8003

/*
 * Two-byte TOK_ID values of the RFC 1964 token formats.  SIGN/MIC and
 * SEAL/WRAP are aliases for the same wire values (v1 vs. v2 naming).
 */
#define KG_TOK_CTX_AP_REQ 0x0100
#define KG_TOK_CTX_AP_REP 0x0200
#define KG_TOK_CTX_ERROR 0x0300
#define KG_TOK_SIGN_MSG 0x0101
#define KG_TOK_SEAL_MSG 0x0201
#define KG_TOK_MIC_MSG 0x0101
#define KG_TOK_WRAP_MSG 0x0201
#define KG_TOK_DEL_CTX 0x0102

/*
 * TOK_ID values of a second ("KG2") token format.  NOTE(review): these are
 * not the CFX token IDs handled by the *_token_v3 routines declared below;
 * confirm whether anything still emits or accepts them before relying on
 * them.
 */
#define KG2_TOK_INITIAL 0x0101
#define KG2_TOK_RESPONSE 0x0202
#define KG2_TOK_MIC 0x0303
#define KG2_TOK_WRAP_INTEG 0x0404
#define KG2_TOK_WRAP_PRIV 0x0505

#define KRB5_GSS_FOR_CREDS_OPTION 1

/* Flag bits of a KG2 response token. */
#define KG2_RESP_FLAG_ERROR 0x0001
#define KG2_RESP_FLAG_DELEG_OK 0x0002

/*
 * Per-message integrity (SGN_ALG) and confidentiality (SEAL_ALG)
 * algorithm identifiers of the RFC 1964 token format plus the Microsoft
 * RC4-HMAC extensions.  These are to be stored in little-endian order,
 * i.e., des-mac is stored as 02 00.
 *
 * NOTE(review): everything in these two enums predates CFX (proto == 1 in
 * krb5_gss_ctx_id_rec).  The DES-based MACs/ciphers and HMAC-MD5/RC4 are
 * legacy algorithms kept for interoperability with old peers; deployments
 * that do not need them should limit the negotiable enctypes via the
 * credential's req_enctypes list so these paths are never selected.
 */
enum sgn_alg {
    SGN_ALG_DES_MAC_MD5 = 0x0000,
    SGN_ALG_MD2_5 = 0x0001,
    SGN_ALG_DES_MAC = 0x0002,
    SGN_ALG_3 = 0x0003, /* not published */
    SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
    SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
};
enum seal_alg {
    SEAL_ALG_NONE = 0xffff,
    SEAL_ALG_DES = 0x0000,
    SEAL_ALG_1 = 0x0001, /* not published */
    SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
    SEAL_ALG_DES3KD = 0x0002
};

/*
 * Key-usage numbers passed to the krb5 crypto layer.  Note that the 3DES
 * set and the CFX set overlap numerically (22..24 appear in both, with
 * different meanings); which set applies is presumably decided by the
 * context's protocol revision (proto) -- confirm at the call sites.
 */
/* for 3DES */
#define KG_USAGE_SEAL 22
#define KG_USAGE_SIGN 23
#define KG_USAGE_SEQ 24

/* for draft-ietf-krb-wg-gssapi-cfx-01 */
#define KG_USAGE_ACCEPTOR_SEAL 22
#define KG_USAGE_ACCEPTOR_SIGN 23
#define KG_USAGE_INITIATOR_SEAL 24
#define KG_USAGE_INITIATOR_SIGN 25

/*
 * Quality-of-protection values visible to callers.  The low byte selects
 * the integrity algorithm (GSS_KRB5_INTEG_C_QOP_MASK) and the high byte
 * the confidentiality algorithm (GSS_KRB5_CONF_C_QOP_MASK).
 */
enum qop {
    GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
    GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
    GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
    GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
    GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
    GSS_KRB5_CONF_C_QOP_DES = 0x0100,
    GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
    GSS_KRB5_CONF_C_QOP_MASK = 0xff00
};

/** internal types **/

/* A krb5 mechanism name is simply a krb5 principal. */
typedef krb5_principal krb5_gss_name_t;

/*
 * Credential record behind a krb5-mech gss_cred_id_t.  A credential may
 * hold acceptor state (keytab + replay cache), initiator state (ccache),
 * or both, depending on `usage`.
 */
typedef struct _krb5_gss_cred_id_rec {
    /* protect against simultaneous accesses */
    k5_mutex_t lock;

    /* name/type of credential */
    gss_cred_usage_t usage;
    krb5_principal princ; /* this is not interned as a gss_name_t */
    int prerfc_mech; /* presumably: usable with the pre-RFC (OLD) mech OID */
    int rfc_mech;    /* presumably: usable with the RFC 1964 mech OID */

    /* keytab (accept) data */
    krb5_keytab keytab;
    krb5_rcache rcache; /* acceptor replay cache; see cred_rcache in the ctx */

    /* ccache (init) data */
    krb5_ccache ccache;
    krb5_timestamp tgt_expire;
    /*
     * limit negotiated enctypes to this list -- this is the hook used to
     * keep legacy enctypes (DES, RC4) out of new contexts; see
     * gss_krb5int_set_allowable_enctypes.
     */
    krb5_enctype *req_enctypes;
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;

/*
 * Security-context record behind a krb5-mech gss_ctx_id_t.
 *
 * NOTE(review): this record owns key material (subkey, enc, seq,
 * acceptor_subkey).  kg_ctx_externalize / krb5_gss_export_sec_context
 * serialize a context, so the resulting interprocess token presumably
 * contains those keys and must be handled as a secret by the caller.
 */
typedef struct _krb5_gss_ctx_id_rec {
    unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
    unsigned int established : 1; /* context exchange complete */
    unsigned int big_endian : 1;
    unsigned int have_acceptor_subkey : 1;
    unsigned int seed_init : 1; /* XXX tested but never actually set */
    OM_uint32 gss_flags; /* negotiated GSS_C_*_FLAG bits */
    unsigned char seed[16];
    krb5_principal here;  /* the two context principals; which one is */
    krb5_principal there; /* local depends on `initiate` -- confirm */
    krb5_keyblock *subkey;
    int signalg; /* an enum sgn_alg value (pre-CFX only) */
    size_t cksum_size;
    int sealalg; /* an enum seal_alg value (pre-CFX only) */
    krb5_keyblock *enc; /* pre-CFX derived encryption key */
    krb5_keyblock *seq; /* pre-CFX derived sequence-number key */
    krb5_timestamp endtime; /* context expiry */
    krb5_ticket_times krb_times;
    krb5_flags krb_flags;
    /* XXX these used to be signed. the old spec is inspecific, and
       the new spec specifies unsigned. I don't believe that the change
       affects the wire encoding. */
    /*
     * Per-direction message sequence numbers.  Together with the opaque
     * seqstate they presumably back the replay / out-of-sequence
     * detection behind GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG -- confirm
     * in kg_unseal.
     */
    gssint_uint64 seq_send;
    gssint_uint64 seq_recv;
    void *seqstate;
    krb5_context k5_context;
    krb5_auth_context auth_context;
    gss_OID_desc *mech_used; /* which of the krb5 mech OIDs the peer used */
    /* Protocol spec revision
       0 => RFC 1964 with 3DES and RC4 enhancements
       1 => draft-ietf-krb-wg-gssapi-cfx-01
       No others defined so far.
    */
    int proto;
    krb5_cksumtype cksumtype; /* for "main" subkey */
    krb5_keyblock *acceptor_subkey; /* CFX only */
    krb5_cksumtype acceptor_subkey_cksumtype;
    int cred_rcache; /* did we get rcache from creds? */
    krb5_authdata **authdata; /* authorization data from the ticket */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;

/*
 * Registry of handles (names, creds, contexts, lucid contexts) issued by
 * this mechanism.  The kg_validate_* macros below check a caller-supplied
 * handle against it before the handle is dereferenced; g_validate_* etc.
 * are presumably provided by gssapiP_generic.h.
 */
extern g_set kg_vdb;

extern k5_mutex_t gssint_krb5_keytab_lock;

/* helper macros */

#define kg_save_name(name) g_save_name(&kg_vdb,name)
#define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred)
#define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx)
#define kg_save_lucidctx_id(lctx) g_save_lucidctx_id(&kg_vdb,lctx)

#define kg_validate_name(name) g_validate_name(&kg_vdb,name)
#define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred)
#define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx)
#define kg_validate_lucidctx_id(lctx) g_validate_lucidctx_id(&kg_vdb,lctx)

#define kg_delete_name(name) g_delete_name(&kg_vdb,name)
#define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred)
#define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx)
#define kg_delete_lucidctx_id(lctx) g_delete_lucidctx_id(&kg_vdb,lctx)

/** helper functions **/

/* Obtain the default credential (GSS_C_NO_CREDENTIAL substitute). */
OM_uint32 kg_get_defcred
(OM_uint32 *minor_status,
 gss_cred_id_t *cred);

/*
 * Compute the channel-binding checksum that goes into the 0x8003
 * authenticator checksum (CKSUMTYPE_KG_CB).  `bigend` selects the byte
 * order used when serializing the bindings.  The acceptor-side comparison
 * against its own bindings is done elsewhere.
 */
krb5_error_code kg_checksum_channel_bindings
(krb5_context context, gss_channel_bindings_t cb,
 krb5_checksum *cksum,
 int bigend);

/*
 * Encode (kg_make_seq_num) / decode (kg_get_seq_num) the pre-CFX
 * encrypted sequence-number field.  `cksum` is the token checksum, which
 * feeds the encryption; `direction` distinguishes initiator/acceptor.
 */
krb5_error_code kg_make_seq_num (krb5_context context,
 krb5_keyblock *key,
 int direction, krb5_ui_4 seqnum, unsigned char *cksum,
 unsigned char *buf);

krb5_error_code kg_get_seq_num (krb5_context context,
 krb5_keyblock *key,
 unsigned char *cksum, unsigned char *buf, int *direction,
 krb5_ui_4 *seqnum);

/* Derive the 16-byte context seed (krb5_gss_ctx_id_rec.seed) from key. */
krb5_error_code kg_make_seed (krb5_context context,
 krb5_keyblock *key,
 unsigned char *seed);

/* Confounder length for key's enctype, and a fresh random confounder. */
int kg_confounder_size (krb5_context context,
 krb5_keyblock *key);

krb5_error_code kg_make_confounder (krb5_context context,
 krb5_keyblock *key, unsigned char *buf);

/*
 * Raw encrypt/decrypt of `length` bytes from in to out with key/usage/iv.
 * NOTE(review): the signature gives no separate output size; the caller
 * must guarantee out holds at least `length` bytes.
 */
krb5_error_code kg_encrypt (krb5_context context,
 krb5_keyblock *key, int usage,
 krb5_pointer iv,
 krb5_const_pointer in,
 krb5_pointer out,
 unsigned int length);

/*
 * RC4 keystream application for the Microsoft RC4-HMAC token variant
 * (SEAL_ALG_MICROSOFT_RC4): the per-message key is derived from
 * longterm_key, ms_usage and kd_data.  Legacy algorithm -- see the note
 * on enum seal_alg.
 */
krb5_error_code
kg_arcfour_docrypt (krb5_context,
 const krb5_keyblock *longterm_key , int ms_usage,
 const unsigned char *kd_data, size_t kd_data_len,
 const unsigned char *input_buf, size_t input_len,
 unsigned char *output_buf);

krb5_error_code kg_decrypt (krb5_context context,
 krb5_keyblock *key, int usage,
 krb5_pointer iv,
 krb5_const_pointer in,
 krb5_pointer out,
 unsigned int length);

/*
 * Common backend for get_mic/wrap (kg_seal) and verify_mic/unwrap
 * (kg_unseal); `toktype` selects the MIC or WRAP token format.
 * conf_state reports whether confidentiality was actually applied.
 */
OM_uint32 kg_seal (OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 int conf_req_flag,
 int qop_req,
 gss_buffer_t input_message_buffer,
 int *conf_state,
 gss_buffer_t output_message_buffer,
 int toktype);

OM_uint32 kg_unseal (OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_buffer_t input_token_buffer,
 gss_buffer_t message_buffer,
 int *conf_state,
 int *qop_state,
 int toktype);

/* Backend for wrap_size_limit: largest input that wraps into output_size. */
OM_uint32 kg_seal_size (OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 int conf_req_flag,
 gss_qop_t qop_req,
 OM_uint32 output_size,
 OM_uint32 *input_size);

/*
 * Context serialization used by export/import_sec_context.  `arg` is a
 * krb5_gss_ctx_id_t; the buffer/lenremain pair is advanced as bytes are
 * produced or consumed.  See the key-material note on the ctx record.
 */
krb5_error_code kg_ctx_size (krb5_context kcontext,
 krb5_pointer arg,
 size_t *sizep);

krb5_error_code kg_ctx_externalize (krb5_context kcontext,
 krb5_pointer arg,
 krb5_octet **buffer,
 size_t *lenremain);

krb5_error_code kg_ctx_internalize (krb5_context kcontext,
 krb5_pointer *argp,
 krb5_octet **buffer,
 size_t *lenremain);

/* Default-ccache name plumbing (see kg_get/set_ccache_name below). */
OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);

OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
 int *out_caller_provided_name);

OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
 const char **out_name);

OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
 const char *name);

/** declarations of internal name mechanism functions **/

/*
 * Mechanism entry points.  These mirror the GSS-API v1/v2 calls of the
 * same name (gss_ prefix) and take the krb5-mech handles declared above.
 * Parameter comments name the corresponding GSS-API argument.
 */

OM_uint32 krb5_gss_acquire_cred
(OM_uint32*, /* minor_status */
 gss_name_t, /* desired_name */
 OM_uint32, /* time_req */
 gss_OID_set, /* desired_mechs */
 gss_cred_usage_t, /* cred_usage */
 gss_cred_id_t*, /* output_cred_handle */
 gss_OID_set*, /* actual_mechs */
 OM_uint32* /* time_rec */
);

OM_uint32 krb5_gss_release_cred
(OM_uint32*, /* minor_status */
 gss_cred_id_t* /* cred_handle */
);

OM_uint32 krb5_gss_init_sec_context
(OM_uint32*, /* minor_status */
 gss_cred_id_t, /* claimant_cred_handle */
 gss_ctx_id_t*, /* context_handle */
 gss_name_t, /* target_name */
 gss_OID, /* mech_type */
 OM_uint32, /* req_flags */
 OM_uint32, /* time_req */
 gss_channel_bindings_t, /* input_chan_bindings */
 gss_buffer_t, /* input_token */
 gss_OID*, /* actual_mech_type */
 gss_buffer_t, /* output_token */
 OM_uint32*, /* ret_flags */
 OM_uint32* /* time_rec */
);

/*
 * Acceptor side.  input_token_buffer is untrusted network data;
 * delegated_cred_handle receives forwarded credentials when the initiator
 * delegated them and they were accepted.
 */
OM_uint32 krb5_gss_accept_sec_context
(OM_uint32*, /* minor_status */
 gss_ctx_id_t*, /* context_handle */
 gss_cred_id_t, /* verifier_cred_handle */
 gss_buffer_t, /* input_token_buffer */
 gss_channel_bindings_t, /* input_chan_bindings */
 gss_name_t*, /* src_name */
 gss_OID*, /* mech_type */
 gss_buffer_t, /* output_token */
 OM_uint32*, /* ret_flags */
 OM_uint32*, /* time_rec */
 gss_cred_id_t* /* delegated_cred_handle */
);

OM_uint32 krb5_gss_process_context_token
(OM_uint32*, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 gss_buffer_t /* token_buffer */
);

/*
 * The _KERNEL variants of the per-message calls take an extra "context
 * verifier" argument that the user-space entry points do not.
 */
OM_uint32 krb5_gss_delete_sec_context
(OM_uint32*, /* minor_status */
 gss_ctx_id_t*, /* context_handle */
 gss_buffer_t /* output_token */
#ifdef _KERNEL
 /* */, OM_uint32 /* context verifier */
#endif
);

OM_uint32 krb5_gss_context_time
(OM_uint32*, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 OM_uint32* /* time_rec */
);

/* GSS-API v1 names for get_mic / verify_mic. */
OM_uint32 krb5_gss_sign
(OM_uint32*, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 int, /* qop_req */
 gss_buffer_t, /* message_buffer */
 gss_buffer_t /* message_token */
#ifdef _KERNEL
 /* */, OM_uint32 /* context verifier */
#endif
);

OM_uint32 krb5_gss_verify
(OM_uint32*, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 gss_buffer_t, /* message_buffer */
 gss_buffer_t, /* token_buffer */
 int* /* qop_state */
#ifdef _KERNEL
 /* */, OM_uint32 /* context verifier */
#endif
);

/* GSS-API v1 names for wrap / unwrap (export-controlled build section). */
/* EXPORT DELETE START */
OM_uint32 krb5_gss_seal
(OM_uint32*, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 int, /* conf_req_flag */
 int, /* qop_req */
 gss_buffer_t, /* input_message_buffer */
 int*, /* conf_state */
 gss_buffer_t /* output_message_buffer */
#ifdef _KERNEL
 /* */, OM_uint32 /* context verifier */
#endif
);

OM_uint32 krb5_gss_unseal
(OM_uint32*, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 gss_buffer_t, /* input_message_buffer */
 gss_buffer_t, /* output_message_buffer */
 int*, /* conf_state */
 int* /* qop_state */
#ifdef _KERNEL
 /* */, OM_uint32 /* context verifier */
#endif
);
/* EXPORT DELETE END */

OM_uint32 krb5_gss_display_status
(OM_uint32*, /* minor_status */
 OM_uint32, /* status_value */
 int, /* status_type */
 gss_OID, /* mech_type */
 OM_uint32*, /* message_context */
 gss_buffer_t /* status_string */
);

OM_uint32 krb5_gss_indicate_mechs
(OM_uint32*, /* minor_status */
 gss_OID_set* /* mech_set */
);

OM_uint32 krb5_gss_compare_name
(OM_uint32*, /* minor_status */
 gss_name_t, /* name1 */
 gss_name_t, /* name2 */
 int* /* name_equal */
);

OM_uint32 krb5_gss_display_name
(OM_uint32*, /* minor_status */
 gss_name_t, /* input_name */
 gss_buffer_t, /* output_name_buffer */
 gss_OID* /* output_name_type */
);

OM_uint32 krb5_gss_import_name
(OM_uint32*, /* minor_status */
 gss_buffer_t, /* input_name_buffer */
 gss_OID, /* input_name_type */
 gss_name_t* /* output_name */
);

OM_uint32 krb5_gss_release_name
(OM_uint32*, /* minor_status */
 gss_name_t* /* input_name */
);

OM_uint32 krb5_gss_inquire_cred
(OM_uint32 *, /* minor_status */
 gss_cred_id_t, /* cred_handle */
 gss_name_t *, /* name */
 OM_uint32 *, /* lifetime */
 gss_cred_usage_t*,/* cred_usage */
 gss_OID_set * /* mechanisms */
);

OM_uint32 krb5_gss_inquire_context
(OM_uint32*, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 gss_name_t*, /* initiator_name */
 gss_name_t*, /* acceptor_name */
 OM_uint32*, /* lifetime_rec */
 gss_OID*, /* mech_type */
 OM_uint32*, /* ret_flags */
 int*, /* locally_initiated */
 int* /* open */
);

/* New V2 entry points */
OM_uint32 krb5_gss_get_mic
(OM_uint32 *, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 gss_qop_t, /* qop_req */
 gss_buffer_t, /* message_buffer */
 gss_buffer_t /* message_token */
);

OM_uint32 krb5_gss_verify_mic
(OM_uint32 *, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 gss_buffer_t, /* message_buffer */
 gss_buffer_t, /* message_token */
 gss_qop_t * /* qop_state */
);

OM_uint32 krb5_gss_wrap
(OM_uint32 *, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 int, /* conf_req_flag */
 gss_qop_t, /* qop_req */
 gss_buffer_t, /* input_message_buffer */
 int *, /* conf_state */
 gss_buffer_t /* output_message_buffer */
);

OM_uint32 krb5_gss_unwrap
(OM_uint32 *, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 gss_buffer_t, /* input_message_buffer */
 gss_buffer_t, /* output_message_buffer */
 int *, /* conf_state */
 gss_qop_t * /* qop_state */
);

OM_uint32 krb5_gss_wrap_size_limit
(OM_uint32 *, /* minor_status */
 gss_ctx_id_t, /* context_handle */
 int, /* conf_req_flag */
 gss_qop_t, /* qop_req */
 OM_uint32, /* req_output_size */
 OM_uint32 * /* max_input_size */
);

OM_uint32 krb5_gss_import_name_object
(OM_uint32 *, /* minor_status */
 void *, /* input_name */
 gss_OID, /* input_name_type */
 gss_name_t * /* output_name */
);

OM_uint32 krb5_gss_export_name_object
(OM_uint32 *, /* minor_status */
 gss_name_t, /* input_name */
 gss_OID, /* desired_name_type */
 void * * /* output_name */
);

OM_uint32 krb5_gss_add_cred
(OM_uint32 *, /* minor_status */
 gss_cred_id_t, /* input_cred_handle */
 gss_name_t, /* desired_name */
 gss_OID, /* desired_mech */
 gss_cred_usage_t, /* cred_usage */
 OM_uint32, /* initiator_time_req */
 OM_uint32, /* acceptor_time_req */
 gss_cred_id_t *, /* output_cred_handle */
 gss_OID_set *, /* actual_mechs */
 OM_uint32 *, /* initiator_time_rec */
 OM_uint32 * /* acceptor_time_rec */
);

OM_uint32 krb5_gss_inquire_cred_by_mech
(OM_uint32 *, /* minor_status */
 gss_cred_id_t, /* cred_handle */
 gss_OID, /* mech_type */
 gss_name_t *, /* name */
 OM_uint32 *, /* initiator_lifetime */
 OM_uint32 *, /* acceptor_lifetime */
 gss_cred_usage_t * /* cred_usage */
);

/*
 * Context export/import (backed by kg_ctx_externalize/internalize).
 * The interprocess token presumably carries the context's keys; treat it
 * as a secret and never import a token from an untrusted source.
 */
OM_uint32 krb5_gss_export_sec_context
(OM_uint32 *, /* minor_status */
 gss_ctx_id_t *, /* context_handle */
 gss_buffer_t /* interprocess_token */
);

OM_uint32 krb5_gss_import_sec_context
(OM_uint32 *, /* minor_status */
 gss_buffer_t, /* interprocess_token */
 gss_ctx_id_t * /* context_handle */
 /* Note no _KERNEL context verifier */
);

krb5_error_code krb5_gss_ser_init(krb5_context);

OM_uint32 krb5_gss_release_oid
(OM_uint32 *, /* minor_status */
 gss_OID * /* oid */
);

OM_uint32 krb5_gss_internal_release_oid
(OM_uint32 *, /* minor_status */
 gss_OID * /* oid */
);

OM_uint32 krb5_gss_inquire_names_for_mech
(OM_uint32 *, /* minor_status */
 gss_OID, /* mechanism */
 gss_OID_set * /* name_types */
);

/* SUNW15resync - XXX nullify? */
OM_uint32 krb5_gss_canonicalize_name
(OM_uint32 *, /* minor_status */
 const gss_name_t, /* input_name */
 const gss_OID, /* mech_type */
 gss_name_t * /* output_name */
);

OM_uint32 krb5_gss_export_name
(OM_uint32 *, /* minor_status */
 const gss_name_t, /* input_name */
 gss_buffer_t /* exported_name */
);

OM_uint32 krb5_gss_duplicate_name
(OM_uint32 *, /* minor_status */
 const gss_name_t, /* input_name */
 gss_name_t * /* dest_name */
);

/* Check that a credential handle is valid (and, presumably, not expired). */
OM_uint32 krb5_gss_validate_cred
(OM_uint32 *, /* minor_status */
 gss_cred_id_t /* cred */
);

OM_uint32
krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
 gss_cred_id_t /* cred_handle */,
 krb5_context /* context */);

/* Map a caller-supplied OID onto this mechanism's static OID objects. */
gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid);

/*
 * CFX (proto == 1) per-message token construction and parsing.
 *
 * NOTE(review): gss_krb5int_unseal_token_v3 takes the token body as a
 * raw pointer plus a *signed* int length.  The caller must already have
 * checked that bodysize is non-negative and lies within the input token
 * buffer before handing ptr/bodysize to this function; nothing in this
 * signature can enforce that.
 */
krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
 krb5_gss_ctx_id_rec *,
 const gss_buffer_desc *,
 gss_buffer_t,
 int, int);

OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
 OM_uint32 *minor_status,
 krb5_gss_ctx_id_rec *ctx,
 unsigned char *ptr, int bodysize,
 gss_buffer_t message_buffer,
 int *conf_state, int *qop_state,
 int toktype);

/*
 * SUNW15resync
 * Solaris specific interfaces start
 */

/* Store a credential into the credential cache (overwrite/default flags). */
OM_uint32 krb5_gss_store_cred (
 OM_uint32 *, /* minor_status */
 const gss_cred_id_t, /* input_cred */
 gss_cred_usage_t, /* cred_usage */
 const gss_OID, /* desired_mech */
 OM_uint32, /* overwrite_cred */
 OM_uint32, /* default_cred */
 gss_OID_set *, /* elements_stored */
 gss_cred_usage_t * /* cred_usage_stored */
);

/*
 * Principal -> local account mapping.  These drive authorization, not just
 * naming: krb5_gss_userok answers whether the remote principal may log in
 * as the given local user without a password, so its mapping policy
 * (presumably ~/.k5login / local realm rules -- confirm in the source)
 * must be reviewed with the same care as the authentication path.
 */
OM_uint32 krb5_pname_to_uid(
 OM_uint32 *, /* minor status */
 const gss_name_t, /* pname */
 uid_t * /* uidOUt */
);

OM_uint32 krb5_gss_userok(
 OM_uint32 *, /* minor status */
 const gss_name_t, /* remote user principal name */
 const char *, /* local unix user name */
 int * /* remote user ok to login w/out pw? */
);


/*
 * SUNW15resync
 * Solaris specific interfaces end
 */


/*
 * These take unglued krb5-mech-specific contexts.
 *
 * Each GSS_KRB5_*_OID below is the krb5 mech OID extended by a 2-octet
 * suffix (\x05\xNN) identifying a gss_inquire_sec_context_by_oid /
 * gss_set_*_option extension.
 */

#define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11
#define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01"

#ifndef _KERNEL
OM_uint32 gss_krb5int_get_tkt_flags
(OM_uint32 *minor_status,
 const gss_ctx_id_t context_handle,
 const gss_OID desired_object,
 gss_buffer_set_t *data_set);


/* Copy the credential's ccache (tickets and session keys) into out_ccache. */
OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache
(OM_uint32 *minor_status,
 gss_cred_id_t cred_handle,
 krb5_ccache out_ccache);

/*
 * Restrict the enctypes a credential will negotiate (populates
 * krb5_gss_cred_id_rec.req_enctypes).  This is the supported way to keep
 * legacy enctypes out of new contexts.
 */
#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"

struct krb5_gss_set_allowable_enctypes_req {
 OM_uint32 num_ktypes;
 krb5_enctype *ktypes;
};

/*
 * Hand the context's session key back to the caller (SSPI compatibility).
 * The returned buffer set contains raw key material; callers own it and
 * must treat it as a secret.
 */
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"

OM_uint32
gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);

OM_uint32 KRB5_CALLCONV
gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
 gss_cred_id_t cred,
 OM_uint32 num_ktypes,
 krb5_enctype *ktypes);

#endif
/* _KERNEL */

#if 0
/*
 * SUNW17PACresync
 * These two functions not needed yet, revisit for full 1.7 resync.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
 gss_cred_id_t cred,
 const gss_OID desired_oid,
 const gss_buffer_t value);

OM_uint32 KRB5_CALLCONV
gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
 gss_ctx_id_t *context_handle,
 OM_uint32 version,
 void **kctx);
#endif

#ifndef _KERNEL
/*
 * "Lucid" context export: hands the established context's keys and
 * sequence state to a caller (typically a kernel consumer) in a plain
 * structure.  Key material leaves the library here; the free call below
 * is what releases (and presumably scrubs) that structure.
 */
#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06"

OM_uint32
gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
 const gss_ctx_id_t context_handle,
 const gss_OID desired_object,
 gss_buffer_set_t *data_set);

#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07"

OM_uint32
gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID,
 const gss_OID, gss_buffer_t);


extern k5_mutex_t kg_kdc_flag_mutex;
krb5_error_code krb5_gss_init_context (krb5_context *ctxp);


/*
 * NOTE(review): GSS_KRB5_INQ_SSPI_SESSION_KEY_OID{,_LENGTH} and the
 * gss_krb5int_inq_session_key prototype are already defined earlier in
 * this header, inside the same #ifndef _KERNEL region.  The repetition is
 * token-identical and therefore legal, but one copy should be removed so
 * the two cannot drift apart.
 */
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"

OM_uint32
gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);


/* Switch the mechanism to a KDC-internal krb5 context (guarded by kg_kdc_flag_mutex). */
#define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08"

OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID,
 const gss_OID, gss_buffer_t);

krb5_error_code krb5_gss_use_kdc_context(void);

/*
 * Register the acceptor identity (presumably the keytab the acceptor
 * will read its keys from -- confirm).  The value is caller-controlled
 * configuration, not network input.
 */
#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11
#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09"

OM_uint32
gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t);

/*
 * Expose the ticket's authorization data (krb5_gss_ctx_id_rec.authdata)
 * for a given ad-type.  Authorization data is authenticated by the KDC
 * only insofar as the ticket was; callers must not treat unsigned AD
 * elements as trustworthy.
 */
#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a"

OM_uint32
gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
 const gss_ctx_id_t context_handle,
 const gss_OID desired_object,
 gss_buffer_set_t *ad_data);

/*
 * Attach a replay cache to an acceptor credential
 * (krb5_gss_cred_id_rec.rcache); contexts built from it record that the
 * rcache came from the credential via cred_rcache.
 */
#define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11
#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b"

OM_uint32
gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t);

/* Expose the authtime of the ticket behind an established context. */
#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"

OM_uint32
gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
 const gss_ctx_id_t,
 const gss_OID,
 gss_buffer_set_t *);
#endif /* _KERNEL */

/* For error message handling. */
/* Returns a shared string, not a private copy! */
extern char *
krb5_gss_get_error_message(OM_uint32 minor_code);
extern void
krb5_gss_save_error_string(OM_uint32 minor_code, char *msg);
/*
 * printf-style; the format attribute lets the compiler check callers, so
 * a non-literal format passed here will be flagged.
 */
extern void
krb5_gss_save_error_message(OM_uint32 minor_code, const char *format, ...)
#if !defined(__cplusplus) && (__GNUC__ > 2)
 __attribute__((__format__(__printf__, 2, 3)))
#endif
 ;
extern void
krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
#define get_error_message krb5_gss_get_error_message
#define save_error_string krb5_gss_save_error_string
#define save_error_message krb5_gss_save_error_message


#if 0 /* SUNW17PACresync - revisit for full MIT 1.7 resync */
#define save_error_info krb5_gss_save_error_info
#endif
/*
 * NOTE(review): on this platform save_error_info() expands to nothing,
 * so the extended krb5 error detail attached to `ctx` is discarded at
 * every call site; only what goes through save_error_message /
 * save_error_string reaches the minor-status text.  Keep this in mind
 * when an incident investigation finds the minor status uninformative.
 */
#define save_error_info(m, ctx)


extern void krb5_gss_delete_error_info(void *p);

/* Prefix concatenated with Kerberos encryption type */
#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"

#endif /* _GSSAPIP_KRB5_H_ */