/* -*- mode: c; indent-tabs-mode: nil -*- */
/*
 * Copyright 1993 by OpenVision Technologies, Inc.
 *
 * Permission to use, copy, modify, distribute, and sell this software
 * and its documentation for any purpose is hereby granted without fee,
 * provided that the above copyright notice appears in all copies and
 * that both that copyright notice and this permission notice appear in
 * supporting documentation, and that the name of OpenVision not be used
 * in advertising or publicity pertaining to distribution of the software
 * without specific, written prior permission. OpenVision makes no
 * representations about the suitability of this software for any
 * purpose.  It is provided "as is" without express or implied warranty.
 *
 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef _GSSAPI_KRB5_H_
#define _GSSAPI_KRB5_H_

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>
#include <krb5.h>
#include <stdint.h>

/* C++ friendliness */
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

/*
 * Reserved static storage for the GSS name-type OIDs used by the krb5
 * mechanism.  Section numbers below refer to RFC 1964.  The name forms
 * that RFC 1964 shares with the mechanism-independent API are defined
 * here as aliases of the GSS_C_NT_* objects from <gssapi/gssapi.h>, so
 * the krb5-specific spelling and the generic one name the same OID.
 */

/* 2.1.1. Kerberos Principal Name Form: */
GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */

/* 2.1.2. Host-Based Service Name Form */
#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) service_name(4)}.  The previously recommended symbolic
 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
 * currently preferred symbolic name for this type is
 * "GSS_C_NT_HOSTBASED_SERVICE". */

/* 2.2.1. User Name Form */
#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) user_name(1)}.  The recommended symbolic name for this
 * type is "GSS_KRB5_NT_USER_NAME". */

/* 2.2.2. Machine UID Form */
#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */

/* 2.2.3. String UID Form */
#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) string_uid_name(3)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_STRING_UID_NAME". */

/*
 * Mechanism OIDs.  gss_mech_krb5 is the Kerberos V5 mechanism OID;
 * gss_mech_krb5_old and gss_mech_krb5_wrong are alternate encodings that
 * are recognised for interoperability (presumably a pre-RFC 1964 OID and
 * a known-incorrect one emitted by other implementations -- confirm
 * against the defining source); gss_mech_iakerb is the IAKERB mechanism.
 */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_iakerb;
/* OID sets holding the current, the old, or both krb5 mechanism OIDs, for
 * API calls that take a gss_OID_set (e.g. desired_mechs). */
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;

/* Name-type OIDs specific to this mechanism. */
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;

/* Static table of OID descriptors (presumably the storage behind the
 * pointers above).  Its element order is not specified in this header,
 * so use the named pointers rather than indexing the array. */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];

/* Older spellings of the name-type OIDs, kept as aliases (presumably for
 * source compatibility with existing callers). */
#define gss_krb5_nt_general_name        gss_nt_krb5_name
#define gss_krb5_nt_principal           gss_nt_krb5_principal
#define gss_krb5_nt_service_name        gss_nt_service_name
#define gss_krb5_nt_user_name           gss_nt_user_name
#define gss_krb5_nt_machine_uid_name    gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name     gss_nt_string_uid_name

/* 64-bit unsigned integer; used below for the token sequence numbers. */
typedef uint64_t gss_uint64;

/*
 * A raw Kerberos key as exposed through a lucid context.
 *
 * 'data' points at the key bytes themselves ('length' of them, of
 * encryption type 'type'), so a lucid context hands the caller the secret
 * that protects the session.  Keep it in memory no longer than needed and
 * release it, together with the enclosing context, through
 * gss_krb5_free_lucid_sec_context().  Whether 'data' is shared with the
 * original context or a copy is implementation-defined; see the notes on
 * gss_krb5_export_lucid_sec_context().
 */
typedef struct gss_krb5_lucid_key {
    OM_uint32       type;           /* key encryption type (enctype) */
    OM_uint32       length;         /* length of key data, in bytes */
    void *          data;           /* actual key data -- secret material */
} gss_krb5_lucid_key_t;

/*
 * Key material for contexts using the RFC 1964 token format
 * (gss_krb5_lucid_context_v1_t.protocol == 0).
 */
typedef struct gss_krb5_rfc1964_keydata {
    OM_uint32       sign_alg;       /* signing algorithm */
    OM_uint32       seal_alg;       /* seal/encrypt algorithm */
    gss_krb5_lucid_key_t    ctx_key;
    /* Context key
       (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;

/*
 * Key material for contexts using the CFX token format
 * (gss_krb5_lucid_context_v1_t.protocol == 1).  When have_acceptor_subkey
 * is 0, acceptor_subkey carries no key and its fields are all zero.
 */
typedef struct gss_krb5_cfx_keydata {
    OM_uint32               have_acceptor_subkey;
    /* 1 if there is an acceptor_subkey
       present, 0 otherwise */
    gss_krb5_lucid_key_t    ctx_key;
    /* Context key
       (Kerberos session key or subkey) */
    gss_krb5_lucid_key_t    acceptor_subkey;
    /* acceptor-asserted subkey or
       0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;

/*
 * Version 1 of the lucid (non-opaque) security context returned by
 * gss_krb5_export_lucid_sec_context() when version 1 is requested.
 * Exactly one of rfc1964_kd and cfx_kd is meaningful, selected by
 * 'protocol'; the other is expected to be all zero.  Because the context
 * keys are in the clear in this structure, free it with
 * gss_krb5_free_lucid_sec_context() as soon as the caller has taken what
 * it needs.
 */
typedef struct gss_krb5_lucid_context_v1 {
    OM_uint32       version;        /* Structure version number (1)
                                       MUST be at beginning of struct! */
    OM_uint32       initiate;       /* Are we the initiator? */
    OM_uint32       endtime;        /* expiration time of context
                                       (32-bit; presumably seconds since
                                       the epoch like krb5_timestamp --
                                       confirm in the implementation) */
    gss_uint64      send_seq;       /* sender sequence number */
    gss_uint64      recv_seq;       /* receive sequence number */
    OM_uint32       protocol;       /* 0: rfc1964,
                                       1: draft-ietf-krb-wg-gssapi-cfx-07 */
    /*
     * if (protocol == 0) rfc1964_kd should be used
     * and cfx_kd contents are invalid and should be zero
     * if (protocol == 1) cfx_kd should be used
     * and rfc1964_kd contents are invalid and should be zero
     */
    gss_krb5_rfc1964_keydata_t rfc1964_kd;
    gss_krb5_cfx_keydata_t     cfx_kd;
} gss_krb5_lucid_context_v1_t;

/*
 * Prefix common to every lucid context version: 'version' is the first
 * member of gss_krb5_lucid_context_v1_t (and must stay first in any later
 * layout), so the version can be read through this struct before choosing
 * which full structure to interpret the data as.  Callers should not
 * require this; they request a specific version from
 * gss_krb5_export_lucid_sec_context().
 */
typedef struct gss_krb5_lucid_context_version {
    OM_uint32       version;        /* Structure version number */
} gss_krb5_lucid_context_version_t;




/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Registers the identity the acceptor side of this mechanism should use.
 * The argument is presumably the name of a keytab (inferred from the
 * function name and its Heimdal counterpart -- confirm in the
 * implementation).  NOTE(review): whether this is process-wide state and
 * how it orders with gss_acquire_cred() is not visible from this header.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);

/*
 * Retrieves the Kerberos ticket flags associated with an established
 * context.
 *
 * minor_status    receives the mechanism-specific status code.
 * context_handle  an established krb5 security context.
 * ticket_flags    receives the krb5_flags of the ticket behind the
 *                 context (presumably the service ticket used to
 *                 establish it -- confirm in the implementation).
 */
OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
    OM_uint32 *minor_status,
    gss_ctx_id_t context_handle,
    krb5_flags *ticket_flags);

/*
 * Copies the Kerberos credentials held by a GSS credential handle into a
 * credential cache.
 *
 * minor_status  receives the mechanism-specific status code.
 * cred_handle   the GSS credential to copy from.
 * out_ccache    the destination cache; it is passed by handle, so the
 *               caller presumably resolves/opens it beforehand and
 *               remains its owner -- confirm in the implementation.
 * Note that the destination receives usable Kerberos tickets, so it
 * should be protected like any other credential cache.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
    OM_uint32 *minor_status,
    gss_cred_id_t cred_handle,
    krb5_ccache out_ccache);

/*
 * Sets the credential cache name this mechanism uses, and optionally
 * reports the previous one.
 *
 * minor_status  receives the mechanism-specific status code.
 * name          the new credential cache name.
 * out_name      if non-NULL, receives the name in effect before this
 *               call.  NOTE(review): the lifetime of *out_name, and
 *               whether the setting is per-thread or process-wide, are
 *               not visible from this header -- check the implementation.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
    OM_uint32 *minor_status, const char *name,
    const char **out_name);

/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * 'ktypes' is an array of 'num_ktypes' enctype values.  Since this
 * narrows what can be negotiated, callers should list only enctypes
 * their consumer of the exported keys actually supports, and avoid
 * listing weak ones merely for convenience.
 *
 * Returns a GSS-API major status; the mechanism-specific code is stored
 * in *minor_status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
                                gss_cred_id_t cred,
                                OM_uint32 num_ktypes,
                                krb5_enctype *ktypes);

/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call.  The GSS implementation is free to release any
 * resources associated with the original context.  It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data.  The caller should treat the returned
 * lucid context as read-only.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
 * The exported structure contains the raw context keys (see
 * gss_krb5_lucid_key_t), so it should be freed promptly rather than
 * kept around.
 *
 * 'version' is an integer indicating the requested version of the lucid
 * context.  If the implementation does not understand the requested version,
 * it will return an error.  For version 1 the object stored in *kctx is a
 * gss_krb5_lucid_context_v1_t.
 *
 * minor_status    receives the mechanism-specific status code.
 * context_handle  pointer to the established context; see the note above.
 * version         requested lucid structure version.
 * kctx            receives a pointer to the lucid structure, to be cast
 *                 according to the version requested.
 *
 * For example:
 *      void *return_ctx;
 *      gss_krb5_lucid_context_v1_t *ctx;
 *      OM_uint32 min_stat, maj_stat;
 *      gss_ctx_id_t ctx_handle;   // an established context
 *
 *      maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *                      &ctx_handle, 1, &return_ctx);
 *      // Verify success
 *      ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 *      // ... use ctx, then release it:
 *      gss_krb5_free_lucid_sec_context(&min_stat, return_ctx);
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
                                  gss_ctx_id_t *context_handle,
                                  OM_uint32 version,
                                  void **kctx);

/*
 * Frees the allocated storage associated with a lucid context obtained
 * from gss_krb5_export_lucid_sec_context() (for version 1, a
 * gss_krb5_lucid_context_v1_t).  kctx is the pointer that call stored in
 * *kctx and must not be used after this returns.  Given that the
 * structure holds raw key material, callers should not delay this call.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
                                void *kctx);


/*
 * Extracts the authorization data elements of type ad_type from an
 * established security context into ad_data.
 *
 * minor_status    receives the mechanism-specific status code.
 * context_handle  an established krb5 security context.
 * ad_type         the authorization-data type to extract.
 * ad_data         caller-provided buffer descriptor whose storage is
 *                 filled in here; presumably released by the caller with
 *                 gss_release_buffer() -- confirm in the implementation.
 * NOTE(review): where the data is taken from (most likely the ticket
 * behind the context) is not visible in this header.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                            int ad_type,
                                            gss_buffer_t ad_data);

/*
 * Associates the replay cache rcache with the credential cred, so that
 * contexts accepted with cred use it (presumably instead of the default
 * replay cache -- confirm in the implementation).  The replay cache is
 * what lets an acceptor reject a re-sent authenticator, so whatever cache
 * is supplied here should be durable and shared by every process that
 * accepts with the same service key.
 * NOTE(review): whether cred takes ownership of rcache is not visible
 * from this header.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
                         gss_cred_id_t cred,
                         krb5_rcache rcache);

/*
 * Extracts the authentication time of an established security context.
 * Parameters, in order: minor_status (receives the mechanism-specific
 * status), context_handle (the established context), and a pointer to
 * the krb5_timestamp that receives the authtime.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);

/*
 * Builds a GSS credential from Kerberos library objects and stores the
 * new handle in *cred.
 *
 * minor_status      receives the mechanism-specific status code.
 * id                a credential cache (presumably supplying initiator
 *                   credentials).
 * keytab_principal  the principal to select from keytab.
 * keytab            a keytab (presumably supplying acceptor keys).
 * cred              receives the resulting credential handle.
 *
 * NOTE(review): which of id/keytab/keytab_principal may be NULL, and
 * whether the credential adopts or copies the ccache and keytab handles
 * (i.e. when the caller may close them), are not visible from this
 * header -- check the implementation before closing them.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_import_cred(OM_uint32 *minor_status,
                     krb5_ccache id,
                     krb5_principal keytab_principal,
                     krb5_keytab keytab,
                     gss_cred_id_t *cred);

#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif /* _GSSAPI_KRB5_H_ */