From a7a2c02b618aea40ebd4f597ec956eaf0fe210f5 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Sat, 1 Feb 2014 15:59:21 -0500
Subject: Stop generating gssapi_krb5.h
We started generating gssapi_krb5.h from gssapi_krb5.hin when we needed to use a 64-bit type for lucid contexts. Since we can now assume a standard name for 64-bit types, we can stop generating the header.
---
 src/kadmin/server/deps | 64 ++++-----
 src/lib/gssapi/krb5/Makefile.in | 13 +-
 src/lib/gssapi/krb5/gssapi_krb5.h | 273 ++++++++++++++++++++++++++++++++++++
 src/lib/gssapi/krb5/gssapi_krb5.hin | 273 ------------------------------------
 src/lib/gssapi/mechglue/deps | 21 +-
 src/lib/kadm5/srv/deps | 8 +-
 6 files changed, 323 insertions(+), 329 deletions(-)
 create mode 100644 src/lib/gssapi/krb5/gssapi_krb5.h
 delete mode 100644 src/lib/gssapi/krb5/gssapi_krb5.hin
(limited to 'src')
diff --git a/src/kadmin/server/deps b/src/kadmin/server/deps
index 012a15236b..fa301cff3e 100644
--- a/src/kadmin/server/deps
+++ b/src/kadmin/server/deps
@@ -44,27 +44,27 @@ $(OUTPRE)ovsec_kadmd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \ - $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(BUILDTOP)/lib/gssapi/krb5/gssapi_krb5.h \ - $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/adm_proto.h \ - $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ - $(top_srcdir)/include/gssrpc/auth_gssapi.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ - $(top_srcdir)/include/iprop_hdr.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/kdb_kt.h \ - $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/gssapi/generic/gssapiP_generic.h \ + $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(COM_ERR_DEPS) \ + $(VERTO_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_gssapi.h \ + $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ + 
$(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ + $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ + $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ + $(top_srcdir)/include/iprop.h $(top_srcdir)/include/iprop_hdr.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/kdb_kt.h $(top_srcdir)/include/kdb_log.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + $(top_srcdir)/lib/gssapi/generic/gssapiP_generic.h \ $(top_srcdir)/lib/gssapi/generic/gssapi_ext.h $(top_srcdir)/lib/gssapi/generic/gssapi_generic.h \ - $(top_srcdir)/lib/gssapi/krb5/gssapiP_krb5.h misc.h \ - ovsec_kadmd.c + $(top_srcdir)/lib/gssapi/krb5/gssapiP_krb5.h $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h \ + misc.h ovsec_kadmd.c $(OUTPRE)schpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ 
@@ -113,16 +113,16 @@ $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/lib/gssapi/krb5/gssapi_krb5.h \ - $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/adm_proto.h \ - $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ - $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ - $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ - $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ - $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ - $(top_srcdir)/include/iprop.h $(top_srcdir)/include/iprop_hdr.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/kdb_log.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/net-server.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \ + $(BUILDTOP)/include/osconf.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ + $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ + $(top_srcdir)/include/iprop_hdr.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/plugin.h 
$(top_srcdir)/include/net-server.h \
+ $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \
 ipropd_svc.c misc.h
diff --git a/src/lib/gssapi/krb5/Makefile.in b/src/lib/gssapi/krb5/Makefile.in
index 342747868c..9f7bee704d 100644
--- a/src/lib/gssapi/krb5/Makefile.in
+++ b/src/lib/gssapi/krb5/Makefile.in
@@ -21,8 +21,6 @@ DEFINES=-D_GSS_STATIC_LINK=1
 ##DOS##DLL_EXP_TYPE=GSS
-include_stdint=@include_stdint@
-##DOS##include_stdint=
 ETSRCS= gssapi_err_krb5.c
 ETOBJS= $(OUTPRE)gssapi_err_krb5.$(OBJEXT)
 ETHDRS= gssapi_err_krb5.h
@@ -213,11 +211,11 @@ all-windows:: $(EHDRDIR) $(GSSAPI_KRB5_HDR) $(SRCS) $(HDRS)
 MK_EHDRDIR=if test -d $(EHDRDIR); then :; else (set -x; mkdir $(EHDRDIR)); fi
 ##DOS##MK_EHDRDIR=rem
-$(GSSAPI_KRB5_HDR): gssapi_krb5.h
+$(GSSAPI_KRB5_HDR): $(srcdir)$(S)gssapi_krb5.h
 @$(MK_EHDRDIR)
- $(CP) gssapi_krb5.h "$@"
+ $(CP) $(srcdir)$(S)gssapi_krb5.h "$@"
-all-unix:: $(SRCS) $(HDRS) $(GSSAPI_KRB5_HDR) includes
+all-unix:: $(SRCS) $(HDRS) $(GSSAPI_KRB5_HDR)
 all-unix:: all-libobjs
 error_map.h: $(top_srcdir)/util/gen-map.pl \
@@ -247,9 +245,6 @@ clean-windows::
 generate-files-mac: gssapi_krb5.h error_map.h
-gssapi_krb5.h: $(srcdir)/gssapi_krb5.hin
- $(CP) $(srcdir)/gssapi_krb5.hin $@
-
 install-headers-unix install::
 @set -x; for f in $(EXPORTED_HEADERS) ; \
 do $(INSTALL_DATA) $$f \
@@ -258,8 +253,6 @@ install-headers-unix install::
 depend:: $(ETSRCS) $(ETHDRS) $(GSSAPI_KRB5_HDR) error_map.h
-includes:: gssapi_krb5.h
-
 install::
 @libobj_frag@
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h
new file mode 100644
index 0000000000..1271f27bb4
--- /dev/null
+++ b/src/lib/gssapi/krb5/gssapi_krb5.h
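Review bot: In the `$(GSSAPI_KRB5_HDR)` rule the source path `$(srcdir)$(S)gssapi_krb5.h` is now spelled twice, once as the prerequisite and once in the `$(CP)` recipe, so the two can drift apart on the next edit; a single variable such as `GSSAPI_KRB5_SRCHDR=$(srcdir)$(S)gssapi_krb5.h` referenced in both places would keep them in step (`$<` is presumably avoided on purpose because of the ##DOS## nmake build, so I do not suggest it). A second point: nothing visible in this diff removes the old generated gssapi_krb5.h from an existing build directory, and if the include path prefers the build directory that stale copy would shadow the checked-in header until deleted by hand, so a one-off removal in clean-unix or a note in the commit message seems worth it. Whether clean-unix already removes it lies outside these hunks.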
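Review bot: The context line `generate-files-mac: gssapi_krb5.h error_map.h` still lists gssapi_krb5.h as a file to generate, although the hunk below it removes the only rule that produced the file and the header is now a checked-in source. The prerequisite is therefore stale, and if the Mac build runs this target from a separate build directory it depends on VPATH resolving the name to `$(srcdir)` to avoid a missing-rule error; trimming the line to `generate-files-mac: error_map.h` matches the intent of the change.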
@@ -0,0 +1,273 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
+/*
+ * Copyright 1993 by OpenVision Technologies, Inc.
+ *
+ * Permission to use, copy, modify, distribute, and sell this software
+ * and its documentation for any purpose is hereby granted without fee,
+ * provided that the above copyright notice appears in all copies and
+ * that both that copyright notice and this permission notice appear in
+ * supporting documentation, and that the name of OpenVision not be used
+ * in advertising or publicity pertaining to distribution of the software
+ * without specific, written prior permission. OpenVision makes no
+ * representations about the suitability of this software for any
+ * purpose. It is provided "as is" without express or implied warranty.
+ *
+ * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+ * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
+ * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+ * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _GSSAPI_KRB5_H_
+#define _GSSAPI_KRB5_H_
+
+#include
+#include
+#include
+#include
+
+/* C++ friendlyness */
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/* Reserved static storage for GSS_oids. See rfc 1964 for more details. */
+
+/* 2.1.1. Kerberos Principal Name Form: */
+GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
+ * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
+
+/* 2.1.2.
Host-Based Service Name Form */
+#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}. The previously recommended symbolic
+ * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The
+ * currently preferred symbolic name for this type is
+ * "GSS_C_NT_HOSTBASED_SERVICE". */
+
+/* 2.2.1. User Name Form */
+#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) user_name(1)}. The recommended symbolic name for this
+ * type is "GSS_KRB5_NT_USER_NAME". */
+
+/* 2.2.2. Machine UID Form */
+#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) machine_uid_name(2)}. The recommended symbolic name for
+ * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */
+
+/* 2.2.3. String UID Form */
+#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) string_uid_name(3)}. The recommended symbolic name for
+ * this type is "GSS_KRB5_NT_STRING_UID_NAME".
*/
+
+GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
+GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
+GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
+GSS_DLLIMP extern const gss_OID_desc * const gss_mech_iakerb;
+GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
+GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
+GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;
+
+GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
+GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;
+
+GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
+
+#define gss_krb5_nt_general_name gss_nt_krb5_name
+#define gss_krb5_nt_principal gss_nt_krb5_principal
+#define gss_krb5_nt_service_name gss_nt_service_name
+#define gss_krb5_nt_user_name gss_nt_user_name
+#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
+#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name
+
+typedef uint64_t gss_uint64;
+
+typedef struct gss_krb5_lucid_key {
+ OM_uint32 type; /* key encryption type */
+ OM_uint32 length; /* length of key data */
+ void * data; /* actual key data */
+} gss_krb5_lucid_key_t;
+
+typedef struct gss_krb5_rfc1964_keydata {
+ OM_uint32 sign_alg; /* signing algorthm */
+ OM_uint32 seal_alg; /* seal/encrypt algorthm */
+ gss_krb5_lucid_key_t ctx_key;
+ /* Context key
+ (Kerberos session key or subkey) */
+} gss_krb5_rfc1964_keydata_t;
+
+typedef struct gss_krb5_cfx_keydata {
+ OM_uint32 have_acceptor_subkey;
+ /* 1 if there is an acceptor_subkey
+ present, 0 otherwise */
+ gss_krb5_lucid_key_t ctx_key;
+ /* Context key
+ (Kerberos session key or subkey) */
+ gss_krb5_lucid_key_t acceptor_subkey;
+ /* acceptor-asserted subkey or
+ 0's if no acceptor subkey */
+} gss_krb5_cfx_keydata_t;
+
+typedef struct gss_krb5_lucid_context_v1 {
+ OM_uint32 version; /* Structure version number (1)
+ MUST be at beginning of struct!
*/
+ OM_uint32 initiate; /* Are we the initiator? */
+ OM_uint32 endtime; /* expiration time of context */
+ gss_uint64 send_seq; /* sender sequence number */
+ gss_uint64 recv_seq; /* receive sequence number */
+ OM_uint32 protocol; /* 0: rfc1964,
+ 1: draft-ietf-krb-wg-gssapi-cfx-07 */
+ /*
+ * if (protocol == 0) rfc1964_kd should be used
+ * and cfx_kd contents are invalid and should be zero
+ * if (protocol == 1) cfx_kd should be used
+ * and rfc1964_kd contents are invalid and should be zero
+ */
+ gss_krb5_rfc1964_keydata_t rfc1964_kd;
+ gss_krb5_cfx_keydata_t cfx_kd;
+} gss_krb5_lucid_context_v1_t;
+
+/*
+ * Mask for determining the version of a lucid context structure. Callers
+ * should not require this.
+ */
+typedef struct gss_krb5_lucid_context_version {
+ OM_uint32 version; /* Structure version number */
+} gss_krb5_lucid_context_version_t;
+
+
+
+
+/* Alias for Heimdal compat. */
+#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity
+
+OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
+
+OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t context_handle,
+ krb5_flags *ticket_flags);
+
+OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
+ OM_uint32 *minor_status,
+ gss_cred_id_t cred_handle,
+ krb5_ccache out_ccache);
+
+OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
+ OM_uint32 *minor_status, const char *name,
+ const char **out_name);
+
+/*
+ * gss_krb5_set_allowable_enctypes
+ *
+ * This function may be called by a context initiator after calling
+ * gss_acquire_cred(), but before calling gss_init_sec_context(),
+ * to restrict the set of enctypes which will be negotiated during
+ * context establishment to those in the provided array.
+ *
+ * 'cred' must be a valid credential handle obtained via
+ * gss_acquire_cred(). It may not be GSS_C_NO_CREDENTIAL.
+ * gss_acquire_cred() may have been called to get a handle to
+ * the default credential.
+ *
+ * The purpose of this function is to limit the keys that may
+ * be exported via gss_krb5_export_lucid_sec_context(); thus it
+ * should limit the enctypes of all keys that will be needed
+ * after the security context has been established.
+ * (i.e. context establishment may use a session key with a
+ * stronger enctype than in the provided array, however a
+ * subkey must be established within the enctype limits
+ * established by this function.)
+ *
+ */
+OM_uint32 KRB5_CALLCONV
+gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ OM_uint32 num_ktypes,
+ krb5_enctype *ktypes);
+
+/*
+ * Returns a non-opaque (lucid) version of the internal context
+ * information.
+ *
+ * Note that context_handle must not be used again by the caller
+ * after this call. The GSS implementation is free to release any
+ * resources associated with the original context. It is up to the
+ * GSS implementation whether it returns pointers to existing data,
+ * or copies of the data. The caller should treat the returned
+ * lucid context as read-only.
+ *
+ * The caller must call gss_krb5_free_lucid_context() to free
+ * the context and allocated resources when it is finished with it.
+ *
+ * 'version' is an integer indicating the requested version of the lucid
+ * context. If the implementation does not understand the requested version,
+ * it will return an error.
+ *
+ * For example:
+ * void *return_ctx;
+ * gss_krb5_lucid_context_v1_t *ctx;
+ * OM_uint32 min_stat, maj_stat;
+ * OM_uint32 vers;
+ * gss_ctx_id_t *ctx_handle;
+ *
+ * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
+ * ctx_handle, 1, &return_ctx);
+ * // Verify success
+ * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
+ */
+
+OM_uint32 KRB5_CALLCONV
+gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
+ OM_uint32 version,
+ void **kctx);
+
+/*
+ * Frees the allocated storage associated with an
+ * exported struct gss_krb5_lucid_context.
+ */
+OM_uint32 KRB5_CALLCONV
+gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
+ void *kctx);
+
+
+OM_uint32 KRB5_CALLCONV
+gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int ad_type,
+ gss_buffer_t ad_data);
+
+OM_uint32 KRB5_CALLCONV
+gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
+ gss_cred_id_t cred,
+ krb5_rcache rcache);
+
+OM_uint32 KRB5_CALLCONV
+gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);
+
+OM_uint32 KRB5_CALLCONV
+gss_krb5_import_cred(OM_uint32 *minor_status,
+ krb5_ccache id,
+ krb5_principal keytab_principal,
+ krb5_keytab keytab,
+ gss_cred_id_t *cred);
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* _GSSAPI_KRB5_H_ */
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.hin b/src/lib/gssapi/krb5/gssapi_krb5.hin
deleted file mode 100644
index 1271f27bb4..0000000000
--- a/src/lib/gssapi/krb5/gssapi_krb5.hin
+++ /dev/null
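Review bot: The comment above `gss_krb5_export_lucid_sec_context` tells callers to release the result with `gss_krb5_free_lucid_context()`, but the function actually declared a few lines later is `gss_krb5_free_lucid_sec_context`; now that the file is checked in as an ordinary header rather than copied from a template, this is the moment to correct the name so readers do not look for a function that does not exist. The comment on the free function likewise refers to `struct gss_krb5_lucid_context`, where the declared type is `gss_krb5_lucid_context_v1_t`, and the key-data structs spell `algorthm` twice. The content appears carried over unchanged from gssapi_krb5.hin (the blob ids on both index lines match), so none of these are regressions introduced by this commit.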
@@ -1,273 +0,0 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
-/*
- * Copyright 1993 by OpenVision Technologies, Inc.
- *
- * Permission to use, copy, modify, distribute, and sell this software
- * and its documentation for any purpose is hereby granted without fee,
- * provided that the above copyright notice appears in all copies and
- * that both that copyright notice and this permission notice appear in
- * supporting documentation, and that the name of OpenVision not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. OpenVision makes no
- * representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
- * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _GSSAPI_KRB5_H_
-#define _GSSAPI_KRB5_H_
-
-#include
-#include
-#include
-#include
-
-/* C++ friendlyness */
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-/* Reserved static storage for GSS_oids. See rfc 1964 for more details. */
-
-/* 2.1.1. Kerberos Principal Name Form: */
-GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
-/* This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
- * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
-
-/* 2.1.2.
Host-Based Service Name Form */
-#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
-/* This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) service_name(4)}. The previously recommended symbolic
- * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The
- * currently preferred symbolic name for this type is
- * "GSS_C_NT_HOSTBASED_SERVICE". */
-
-/* 2.2.1. User Name Form */
-#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
-/* This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) user_name(1)}. The recommended symbolic name for this
- * type is "GSS_KRB5_NT_USER_NAME". */
-
-/* 2.2.2. Machine UID Form */
-#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
-/* This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) machine_uid_name(2)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */
-
-/* 2.2.3. String UID Form */
-#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
-/* This name form shall be represented by the Object Identifier {iso(1)
- * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
- * generic(1) string_uid_name(3)}. The recommended symbolic name for
- * this type is "GSS_KRB5_NT_STRING_UID_NAME".
*/
-
-GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
-GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
-GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
-GSS_DLLIMP extern const gss_OID_desc * const gss_mech_iakerb;
-GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
-GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
-GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;
-
-GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
-GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;
-
-GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
-
-#define gss_krb5_nt_general_name gss_nt_krb5_name
-#define gss_krb5_nt_principal gss_nt_krb5_principal
-#define gss_krb5_nt_service_name gss_nt_service_name
-#define gss_krb5_nt_user_name gss_nt_user_name
-#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
-#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name
-
-typedef uint64_t gss_uint64;
-
-typedef struct gss_krb5_lucid_key {
- OM_uint32 type; /* key encryption type */
- OM_uint32 length; /* length of key data */
- void * data; /* actual key data */
-} gss_krb5_lucid_key_t;
-
-typedef struct gss_krb5_rfc1964_keydata {
- OM_uint32 sign_alg; /* signing algorthm */
- OM_uint32 seal_alg; /* seal/encrypt algorthm */
- gss_krb5_lucid_key_t ctx_key;
- /* Context key
- (Kerberos session key or subkey) */
-} gss_krb5_rfc1964_keydata_t;
-
-typedef struct gss_krb5_cfx_keydata {
- OM_uint32 have_acceptor_subkey;
- /* 1 if there is an acceptor_subkey
- present, 0 otherwise */
- gss_krb5_lucid_key_t ctx_key;
- /* Context key
- (Kerberos session key or subkey) */
- gss_krb5_lucid_key_t acceptor_subkey;
- /* acceptor-asserted subkey or
- 0's if no acceptor subkey */
-} gss_krb5_cfx_keydata_t;
-
-typedef struct gss_krb5_lucid_context_v1 {
- OM_uint32 version; /* Structure version number (1)
- MUST be at beginning of struct!
*/
- OM_uint32 initiate; /* Are we the initiator? */
- OM_uint32 endtime; /* expiration time of context */
- gss_uint64 send_seq; /* sender sequence number */
- gss_uint64 recv_seq; /* receive sequence number */
- OM_uint32 protocol; /* 0: rfc1964,
- 1: draft-ietf-krb-wg-gssapi-cfx-07 */
- /*
- * if (protocol == 0) rfc1964_kd should be used
- * and cfx_kd contents are invalid and should be zero
- * if (protocol == 1) cfx_kd should be used
- * and rfc1964_kd contents are invalid and should be zero
- */
- gss_krb5_rfc1964_keydata_t rfc1964_kd;
- gss_krb5_cfx_keydata_t cfx_kd;
-} gss_krb5_lucid_context_v1_t;
-
-/*
- * Mask for determining the version of a lucid context structure. Callers
- * should not require this.
- */
-typedef struct gss_krb5_lucid_context_version {
- OM_uint32 version; /* Structure version number */
-} gss_krb5_lucid_context_version_t;
-
-
-
-
-/* Alias for Heimdal compat. */
-#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity
-
-OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
-
-OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
- OM_uint32 *minor_status,
- gss_ctx_id_t context_handle,
- krb5_flags *ticket_flags);
-
-OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
- OM_uint32 *minor_status,
- gss_cred_id_t cred_handle,
- krb5_ccache out_ccache);
-
-OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
- OM_uint32 *minor_status, const char *name,
- const char **out_name);
-
-/*
- * gss_krb5_set_allowable_enctypes
- *
- * This function may be called by a context initiator after calling
- * gss_acquire_cred(), but before calling gss_init_sec_context(),
- * to restrict the set of enctypes which will be negotiated during
- * context establishment to those in the provided array.
- *
- * 'cred' must be a valid credential handle obtained via
- * gss_acquire_cred(). It may not be GSS_C_NO_CREDENTIAL.
- * gss_acquire_cred() may have been called to get a handle to
- * the default credential.
- *
- * The purpose of this function is to limit the keys that may
- * be exported via gss_krb5_export_lucid_sec_context(); thus it
- * should limit the enctypes of all keys that will be needed
- * after the security context has been established.
- * (i.e. context establishment may use a session key with a
- * stronger enctype than in the provided array, however a
- * subkey must be established within the enctype limits
- * established by this function.)
- *
- */
-OM_uint32 KRB5_CALLCONV
-gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- OM_uint32 num_ktypes,
- krb5_enctype *ktypes);
-
-/*
- * Returns a non-opaque (lucid) version of the internal context
- * information.
- *
- * Note that context_handle must not be used again by the caller
- * after this call. The GSS implementation is free to release any
- * resources associated with the original context. It is up to the
- * GSS implementation whether it returns pointers to existing data,
- * or copies of the data. The caller should treat the returned
- * lucid context as read-only.
- *
- * The caller must call gss_krb5_free_lucid_context() to free
- * the context and allocated resources when it is finished with it.
- *
- * 'version' is an integer indicating the requested version of the lucid
- * context. If the implementation does not understand the requested version,
- * it will return an error.
- *
- * For example:
- * void *return_ctx;
- * gss_krb5_lucid_context_v1_t *ctx;
- * OM_uint32 min_stat, maj_stat;
- * OM_uint32 vers;
- * gss_ctx_id_t *ctx_handle;
- *
- * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
- * ctx_handle, 1, &return_ctx);
- * // Verify success
- * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
- */
-
-OM_uint32 KRB5_CALLCONV
-gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
- gss_ctx_id_t *context_handle,
- OM_uint32 version,
- void **kctx);
-
-/*
- * Frees the allocated storage associated with an
- * exported struct gss_krb5_lucid_context.
- */
-OM_uint32 KRB5_CALLCONV
-gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
- void *kctx);
-
-
-OM_uint32 KRB5_CALLCONV
-gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- int ad_type,
- gss_buffer_t ad_data);
-
-OM_uint32 KRB5_CALLCONV
-gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
- gss_cred_id_t cred,
- krb5_rcache rcache);
-
-OM_uint32 KRB5_CALLCONV
-gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);
-
-OM_uint32 KRB5_CALLCONV
-gss_krb5_import_cred(OM_uint32 *minor_status,
- krb5_ccache id,
- krb5_principal keytab_principal,
- krb5_keytab keytab,
- gss_cred_id_t *cred);
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif /* _GSSAPI_KRB5_H_ */
diff --git a/src/lib/gssapi/mechglue/deps b/src/lib/gssapi/mechglue/deps
index 6ace3c9b95..26f62aa8a2 100644
--- a/src/lib/gssapi/mechglue/deps
+++ b/src/lib/gssapi/mechglue/deps
@@ -233,16 +233,17 @@ g_initialize.so g_initialize.po $(OUTPRE)g_initialize.$(OBJEXT): \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../generic/gssapiP_generic.h \ $(srcdir)/../generic/gssapi_ext.h $(srcdir)/../generic/gssapi_generic.h \ - $(srcdir)/../krb5/gssapiP_krb5.h $(srcdir)/../spnego/gssapiP_spnego.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - ../generic/gssapi_err_generic.h ../krb5/gssapi_err_krb5.h \ - ../krb5/gssapi_krb5.h g_initialize.c mechglue.h mglueP.h + $(srcdir)/../krb5/gssapiP_krb5.h $(srcdir)/../krb5/gssapi_krb5.h \ + $(srcdir)/../spnego/gssapiP_spnego.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h ../generic/gssapi_err_generic.h \ + ../krb5/gssapi_err_krb5.h g_initialize.c mechglue.h \ + mglueP.h g_inq_context.so g_inq_context.po $(OUTPRE)g_inq_context.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_alloc.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ 
diff --git a/src/lib/kadm5/srv/deps b/src/lib/kadm5/srv/deps index c0634ec813..aba75a0b25 100644 --- a/src/lib/kadm5/srv/deps +++ b/src/lib/kadm5/srv/deps @@ -201,10 +201,10 @@ server_init.so server_init.po $(OUTPRE)server_init.$(OBJEXT): \ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \ - $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(BUILDTOP)/lib/gssapi/krb5/gssapi_krb5.h \ - $(COM_ERR_DEPS) $(srcdir)/../../gssapi/generic/gssapiP_generic.h \ - $(srcdir)/../../gssapi/generic/gssapi_ext.h $(srcdir)/../../gssapi/generic/gssapi_generic.h \ - $(srcdir)/../../gssapi/krb5/gssapiP_krb5.h $(top_srcdir)/include/gssrpc/auth.h \ + $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(COM_ERR_DEPS) \ + $(srcdir)/../../gssapi/generic/gssapiP_generic.h $(srcdir)/../../gssapi/generic/gssapi_ext.h \ + $(srcdir)/../../gssapi/generic/gssapi_generic.h $(srcdir)/../../gssapi/krb5/gssapiP_krb5.h \ + $(srcdir)/../../gssapi/krb5/gssapi_krb5.h $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ -- cgit