2 * Copyright 2008 by the Massachusetts Institute of Technology.
5 * Export of this software from the United States of America may
6 * require a specific license from the United States Government.
7 * It is the responsibility of any person or organization contemplating
8 * export to obtain such a license before exporting.
10 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
11 * distribute this software and its documentation for any purpose and
12 * without fee is hereby granted, provided that the above copyright
13 * notice appear in all copies and that both that copyright notice and
14 * this permission notice appear in supporting documentation, and that
15 * the name of M.I.T. not be used in advertising or publicity pertaining
16 * to distribution of the software without specific, written prior
17 * permission. Furthermore if you modify this software you must label
18 * your software as modified software and not distribute it in such a
19 * fashion that it might be confused with the original M.I.T. software.
20 * M.I.T. makes no representations about the suitability of
21 * this software for any purpose. It is provided "as is" without express
22 * or implied warranty.
28 #include <gssapi/gssapi.h>
32 #endif /* __cplusplus */
38 OM_uint32 KRB5_CALLCONV
41 const gss_name_t name,
42 const gss_OID mech_type,
47 * Provides a platform-specific name for a GSSAPI name as interpreted by a
50 * @param name The gss name resulting from accept_sec_context
51 * @param mech_type The mechanism that will be asked to map @a name to a
53 * @param localname Pointer to a buffer_desc allocated by the caller
54 * that will be filled in with the local name on successful
57 OM_uint32 KRB5_CALLCONV
60 const gss_name_t name,
61 gss_const_OID mech_type,
62 gss_buffer_t localname);
64 /** Determine whether a mechanism name is authorized to act as a username.
66 * @param [in] name Mechanism name
67 * @param [in] username System username
69 * This is a simple wrapper around gss_authorize_localname(). It only supports
70 * system usernames as local names, and cannot distinguish between lack of
71 * authorization and other errors.
73 * @retval 1 @a name is authorized to act as @a username
74 * @retval 0 @a name is not authorized or an error occurred
77 gss_userok(const gss_name_t name,
78 const char *username);
/** Determine whether a mechanism name is authorized to act as a local name.
 *
 * @param [out] minor Minor status code
 * @param [in] name Mechanism name
 * @param [in] user Local name
 *
 * @a name is a mechanism name, typically the result of a completed
 * gss_accept_sec_context(). @a user is an internal name representing a local
 * name, such as a name imported by gss_import_name() with an @a
 * input_name_type of @c GSS_C_NT_USER_NAME.
 *
 * @return Return GSS_S_COMPLETE if @a name is authorized to act as @a user,
 * GSS_S_UNAUTHORIZED if not, or an appropriate GSS error code if an error
 * occurs.  Callers should treat every value other than GSS_S_COMPLETE as
 * "not authorized"; only this function (not gss_userok()) lets the caller
 * tell an authorization failure apart from another error.
 */
OM_uint32 KRB5_CALLCONV
gss_authorize_localname(OM_uint32 *minor,
                        const gss_name_t name,
                        const gss_name_t user);
/** Acquire a credential for @a desired_name using a password.
 *
 * Password-taking variant of gss_acquire_cred(); the argument list is the
 * standard one with @a password inserted after @a desired_name.
 *
 * @param [out] minor_status        Minor status code
 * @param [in]  desired_name        Name to acquire the credential for
 * @param [in]  password            Caller-owned buffer holding the password.
 *                                  NOTE(review): treat as secret and clear it
 *                                  once the call returns -- confirm the callee
 *                                  does not keep a reference to the buffer.
 * @param [in]  time_req            Requested credential lifetime (seconds)
 * @param [in]  desired_mechs       Mechanisms to acquire the credential for
 * @param [in]  cred_usage          GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH
 * @param [out] output_cred_handle  Acquired credential; release with
 *                                  gss_release_cred()
 * @param [out] actual_mechs        Mechanisms the credential was acquired for
 * @param [out] time_rec            Lifetime actually granted
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_with_password(
    OM_uint32 *,            /* minor_status */
    const gss_name_t,       /* desired_name */
    const gss_buffer_t,     /* password */
    OM_uint32,              /* time_req */
    const gss_OID_set,      /* desired_mechs */
    gss_cred_usage_t,       /* cred_usage */
    gss_cred_id_t *,        /* output_cred_handle */
    gss_OID_set *,          /* actual_mechs */
    OM_uint32 *);           /* time_rec */
/** Add a mechanism-specific credential element using a password.
 *
 * Password-taking variant of gss_add_cred(); the argument list is the
 * standard one with @a password inserted after @a desired_mech.
 *
 * @param [out] minor_status        Minor status code
 * @param [in]  input_cred_handle   Credential to add the element to
 * @param [in]  desired_name        Name the new element is for
 * @param [in]  desired_mech        Single mechanism to add an element for
 * @param [in]  password            Caller-owned buffer holding the password.
 *                                  NOTE(review): treat as secret and clear it
 *                                  once the call returns -- confirm the callee
 *                                  does not keep a reference to the buffer.
 * @param [in]  cred_usage          GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH
 * @param [in]  initiator_time_req  Requested initiator lifetime (seconds)
 * @param [in]  acceptor_time_req   Requested acceptor lifetime (seconds)
 * @param [out] output_cred_handle  Resulting credential; release with
 *                                  gss_release_cred()
 * @param [out] actual_mechs        Mechanisms present in the result
 * @param [out] initiator_time_rec  Initiator lifetime actually granted
 * @param [out] acceptor_time_rec   Acceptor lifetime actually granted
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV
gss_add_cred_with_password(
    OM_uint32 *,            /* minor_status */
    const gss_cred_id_t,    /* input_cred_handle */
    const gss_name_t,       /* desired_name */
    const gss_OID,          /* desired_mech */
    const gss_buffer_t,     /* password */
    gss_cred_usage_t,       /* cred_usage */
    OM_uint32,              /* initiator_time_req */
    OM_uint32,              /* acceptor_time_req */
    gss_cred_id_t *,        /* output_cred_handle */
    gss_OID_set *,          /* actual_mechs */
    OM_uint32 *,            /* initiator_time_rec */
    OM_uint32 *);           /* acceptor_time_rec */
132 typedef struct gss_buffer_set_desc_struct {
134 gss_buffer_desc *elements;
135 } gss_buffer_set_desc, *gss_buffer_set_t;
/* Null buffer-set handle, the gss_buffer_set_t analogue of GSS_C_NO_BUFFER. */
#define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0)
/** Allocate an empty buffer set.
 *
 * @param [out] minor_status  Minor status code
 * @param [out] buffer_set    Receives the new, empty set; release it with
 *                            gss_release_buffer_set()
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_create_empty_buffer_set
(OM_uint32 * /*minor_status*/,
 gss_buffer_set_t * /*buffer_set*/);
/** Append a buffer to a buffer set.
 *
 * @param [out]    minor_status   Minor status code
 * @param [in]     member_buffer  Buffer to add
 * @param [in,out] buffer_set     Set to append to; passed by address because
 *                                the set's storage may be reallocated
 *                                (presumably -- confirm against the caller)
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_add_buffer_set_member
(OM_uint32 * /*minor_status*/,
 const gss_buffer_t /*member_buffer*/,
 gss_buffer_set_t * /*buffer_set*/);
/** Release a buffer set and the buffers it contains.
 *
 * @param [out]    minor_status  Minor status code
 * @param [in,out] buffer_set    Set to release; pointer form so the handle can
 *                               be reset on return.  NOTE(review): if the set
 *                               holds key material (see
 *                               GSS_C_INQ_SSPI_SESSION_KEY) clear it first --
 *                               confirm whether this routine zeroizes.
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_release_buffer_set
(OM_uint32 * /*minor_status*/,
 gss_buffer_set_t * /*buffer_set*/);
/** Query a security context for an OID-identified attribute.
 *
 * @param [out] minor_status    Minor status code
 * @param [in]  context_handle  Established (or partially established) context
 * @param [in]  desired_object  OID naming the attribute to retrieve
 * @param [out] data_set        Receives a buffer set whose layout depends on
 *                              @a desired_object; release with
 *                              gss_release_buffer_set()
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_inquire_sec_context_by_oid
(OM_uint32 * /*minor_status*/,
 const gss_ctx_id_t /*context_handle*/,
 const gss_OID /*desired_object*/,
 gss_buffer_set_t * /*data_set*/);
/** Query a credential for an OID-identified attribute.
 *
 * @param [out] minor_status    Minor status code
 * @param [in]  cred_handle     Credential to inspect
 * @param [in]  desired_object  OID naming the attribute to retrieve
 * @param [out] data_set        Receives a buffer set whose layout depends on
 *                              @a desired_object; release with
 *                              gss_release_buffer_set()
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_inquire_cred_by_oid
(OM_uint32 * /*minor_status*/,
 const gss_cred_id_t /*cred_handle*/,
 const gss_OID /*desired_object*/,
 gss_buffer_set_t * /*data_set*/);
/** Set an OID-identified option on a security context.
 *
 * @param [out]    minor_status    Minor status code
 * @param [in,out] context_handle  Context to modify (the parameter is a
 *                                 gss_ctx_id_t *, not a credential handle)
 * @param [in]     desired_object  OID naming the option
 * @param [in]     value           Option value; interpretation depends on
 *                                 @a desired_object
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_set_sec_context_option
(OM_uint32 * /*minor_status*/,
 gss_ctx_id_t * /*context_handle*/,
 const gss_OID /*desired_object*/,
 const gss_buffer_t /*value*/);
/** Set an OID-identified option on a credential.
 *
 * @param [out]    minor_status    Minor status code
 * @param [in,out] cred            Credential to modify
 * @param [in]     desired_object  OID naming the option
 * @param [in]     value           Option value; interpretation depends on
 *                                 @a desired_object
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_set_cred_option
(OM_uint32 * /*minor_status*/,
 gss_cred_id_t * /*cred*/,
 const gss_OID /*desired_object*/,
 const gss_buffer_t /*value*/);
/** Invoke a mechanism-specific operation identified by OID.
 *
 * The gssspi_ prefix marks this as part of the mechanism SPI rather than the
 * application-facing API; what @a desired_object and @a value mean is defined
 * by the mechanism.
 *
 * @param [out]    minor_status    Minor status code
 * @param [in]     desired_mech    Mechanism to invoke
 * @param [in]     desired_object  OID naming the operation
 * @param [in,out] value           Operation argument and/or result
 *                                 (non-const, so it may be written)
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gssspi_mech_invoke
(OM_uint32 * /*minor_status*/,
 const gss_OID /*desired_mech*/,
 const gss_OID /*desired_object*/,
 gss_buffer_t /*value*/);
/** Wrap a message with associated data (AEAD-style gss_wrap()).
 *
 * @param [out] minor_status           Minor status code
 * @param [in]  context_handle         Established security context
 * @param [in]  conf_req_flag          Non-zero to request confidentiality for
 *                                     the payload
 * @param [in]  qop_req                Requested quality of protection
 * @param [in]  input_assoc_buffer     Associated data: covered by the integrity
 *                                     check but not encrypted (AEAD semantics;
 *                                     confirm per mechanism)
 * @param [in]  input_payload_buffer   Payload to protect
 * @param [out] conf_state             Non-zero if confidentiality was actually
 *                                     applied; may differ from
 *                                     @a conf_req_flag, so check it
 * @param [out] output_message_buffer  Resulting token; release with
 *                                     gss_release_buffer()
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_wrap_aead
(OM_uint32 * /*minor_status*/,
 gss_ctx_id_t /*context_handle*/,
 int /*conf_req_flag*/,
 gss_qop_t /*qop_req*/,
 gss_buffer_t /*input_assoc_buffer*/,
 gss_buffer_t /*input_payload_buffer*/,
 int * /*conf_state*/,
 gss_buffer_t /*output_message_buffer*/);
/** Unwrap a message produced by gss_wrap_aead().
 *
 * @param [out] minor_status           Minor status code
 * @param [in]  context_handle         Established security context
 * @param [in]  input_message_buffer   Token to verify and decrypt
 * @param [in]  input_assoc_buffer     Associated data the sender supplied; it
 *                                     must match byte-for-byte for the
 *                                     integrity check to pass
 * @param [out] output_payload_buffer  Recovered payload; release with
 *                                     gss_release_buffer()
 * @param [out] conf_state             Non-zero if the payload was encrypted.
 *                                     A receiver that requires confidentiality
 *                                     must check this rather than assume it.
 * @param [out] qop_state              Quality of protection actually used
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_unwrap_aead
(OM_uint32 * /*minor_status*/,
 gss_ctx_id_t /*context_handle*/,
 gss_buffer_t /*input_message_buffer*/,
 gss_buffer_t /*input_assoc_buffer*/,
 gss_buffer_t /*output_payload_buffer*/,
 int * /*conf_state*/,
 gss_qop_t * /*qop_state*/);
/* Extension flag bits for context establishment.  They occupy bits above the
 * standard GSS_C_*_FLAG values (presumably req_flags/ret_flags of
 * gss_init_sec_context()/gss_accept_sec_context() -- confirm). */
#define GSS_C_DCE_STYLE 0x1000          /* DCE/RPC-style token framing; see gss_wrap_iov() */
#define GSS_C_IDENTIFY_FLAG 0x2000
#define GSS_C_EXTENDED_ERROR_FLAG 0x4000
213 * Returns a buffer set with the first member containing the
214 * session key for SSPI compatibility. The optional second
215 * member contains an OID identifying the session key type.
/* OID to pass as desired_object (presumably to gss_inquire_sec_context_by_oid();
 * confirm).  The first buffer of the result is raw key material: keep it out
 * of logs and clear it before releasing the set. */
GSS_DLLIMP extern gss_OID GSS_C_INQ_SSPI_SESSION_KEY;
/** Finish an authentication token in place.
 *
 * @param [out]    minor_status          Minor status code
 * @param [in]     context_handle        Context the token belongs to
 * @param [in,out] input_message_buffer  Token to complete; modified in place
 *                                       (non-const buffer)
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV gss_complete_auth_token
(OM_uint32 *minor_status,
 const gss_ctx_id_t context_handle,
 gss_buffer_t input_message_buffer);
224 typedef struct gss_iov_buffer_desc_struct {
226 gss_buffer_desc buffer;
227 } gss_iov_buffer_desc, *gss_iov_buffer_t;
/* Null IOV buffer handle. */
#define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0)

/* Buffer types.  They live in the low 16 bits of an IOV buffer's type word;
 * the numbering gaps (4-6, 8) are simply unassigned here.  Extract with
 * GSS_IOV_BUFFER_TYPE(), never by comparing the raw word, because flag bits
 * may be set above them. */
#define GSS_IOV_BUFFER_TYPE_EMPTY 0
#define GSS_IOV_BUFFER_TYPE_DATA 1 /* Packet data */
#define GSS_IOV_BUFFER_TYPE_HEADER 2 /* Mechanism header */
#define GSS_IOV_BUFFER_TYPE_MECH_PARAMS 3 /* Mechanism specific parameters */
#define GSS_IOV_BUFFER_TYPE_TRAILER 7 /* Mechanism trailer */
#define GSS_IOV_BUFFER_TYPE_PADDING 9 /* Padding */
#define GSS_IOV_BUFFER_TYPE_STREAM 10 /* Complete wrap token */
#define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11 /* Sign only packet data */

/* Flag bits, in the high 16 bits of the type word.  A buffer carrying
 * ALLOCATED is owned by the caller and must be freed with
 * gss_release_iov_buffer(). */
#define GSS_IOV_BUFFER_FLAG_MASK 0xFFFF0000
#define GSS_IOV_BUFFER_FLAG_ALLOCATE 0x00010000 /* indicates GSS should allocate */
#define GSS_IOV_BUFFER_FLAG_ALLOCATED 0x00020000 /* indicates caller should free */

/* Split a type word into its type part (low 16 bits) and flag part (high 16). */
#define GSS_IOV_BUFFER_TYPE(_type) ((_type) & ~(GSS_IOV_BUFFER_FLAG_MASK))
#define GSS_IOV_BUFFER_FLAGS(_type) ((_type) & GSS_IOV_BUFFER_FLAG_MASK)
248 * Sign and optionally encrypt a sequence of buffers. The buffers
249 * shall be ordered HEADER | DATA | PADDING | TRAILER. Suitable
250 * space for the header, padding and trailer should be provided
251 * by calling gss_wrap_iov_length(), or the ALLOCATE flag should
252 * be set on those buffers.
254 * Encryption is in-place. SIGN_ONLY buffers are untouched. Only
255 * a single PADDING buffer should be provided. The order of the
256 * buffers in memory does not matter. Buffers in the IOV should
257 * be arranged in the order above, and in the case of multiple
258 * DATA buffers the sender and receiver should agree on the
261 * With GSS_C_DCE_STYLE it is acceptable to not provide PADDING
262 * and TRAILER, but the caller must guarantee the plaintext data
263 * being encrypted is correctly padded, otherwise an error will
266 * While applications that have knowledge of the underlying
267 * cryptosystem may request a specific configuration of data
268 * buffers, the only generally supported configurations are:
270 * HEADER | DATA | PADDING | TRAILER
272 * which will emit GSS_Wrap() compatible tokens, and:
274 * HEADER | SIGN_ONLY | DATA | PADDING | TRAILER
278 * The typical (special cased) usage for DCE is as follows:
280 * SIGN_ONLY_1 | DATA | SIGN_ONLY_2 | HEADER
282 OM_uint32 KRB5_CALLCONV gss_wrap_iov
284 OM_uint32 *, /* minor_status */
285 gss_ctx_id_t, /* context_handle */
286 int, /* conf_req_flag */
287 gss_qop_t, /* qop_req */
288 int *, /* conf_state */
289 gss_iov_buffer_desc *, /* iov */
290 int); /* iov_count */
293 * Verify and optionally decrypt a sequence of buffers. To process
294 * a GSS-API message without separate buffer, pass STREAM | DATA.
295 * Upon return DATA will contain the decrypted or integrity
296 * protected message. Only a single DATA buffer may be provided
297 * with this usage. DATA by default will point into STREAM, but if
298 * the ALLOCATE flag is set a copy will be returned.
300 * Otherwise, decryption is in-place. SIGN_ONLY buffers are
303 OM_uint32 KRB5_CALLCONV gss_unwrap_iov
305 OM_uint32 *, /* minor_status */
306 gss_ctx_id_t, /* context_handle */
307 int *, /* conf_state */
308 gss_qop_t *, /* qop_state */
309 gss_iov_buffer_desc *, /* iov */
310 int); /* iov_count */
313 * Query HEADER, PADDING and TRAILER buffer lengths. DATA buffers
314 * should be provided so the correct padding length can be determined.
316 OM_uint32 KRB5_CALLCONV gss_wrap_iov_length
318 OM_uint32 *, /* minor_status */
319 gss_ctx_id_t, /* context_handle */
320 int, /* conf_req_flag */
321 gss_qop_t, /* qop_req */
322 int *, /* conf_state */
323 gss_iov_buffer_desc *, /* iov */
324 int); /* iov_count */
327 * Release buffers that have the ALLOCATED flag set.
329 OM_uint32 KRB5_CALLCONV gss_release_iov_buffer
331 OM_uint32 *, /* minor_status */
332 gss_iov_buffer_desc *, /* iov */
333 int); /* iov_count */
336 * Protocol transition
/** Acquire a credential for @a desired_name on behalf of another principal
 * (protocol transition).
 *
 * Same argument list as gss_acquire_cred() with @a impersonator_cred_handle
 * prepended.  The resulting credential acts as @a desired_name, so whether the
 * impersonator is allowed to obtain it is decided by the mechanism or KDC
 * policy, not by this API; callers should expect and handle a refusal.
 *
 * @param [out] minor_status              Minor status code
 * @param [in]  impersonator_cred_handle  Credential of the party requesting the
 *                                        impersonation
 * @param [in]  desired_name              Principal to be impersonated
 * @param [in]  time_req                  Requested credential lifetime (seconds)
 * @param [in]  desired_mechs             Mechanisms to acquire the credential for
 * @param [in]  cred_usage                GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH
 * @param [out] output_cred_handle        Acquired credential; release with
 *                                        gss_release_cred()
 * @param [out] actual_mechs              Mechanisms the credential was acquired for
 * @param [out] time_rec                  Lifetime actually granted
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV
gss_acquire_cred_impersonate_name(
    OM_uint32 *,            /* minor_status */
    const gss_cred_id_t,    /* impersonator_cred_handle */
    const gss_name_t,       /* desired_name */
    OM_uint32,              /* time_req */
    const gss_OID_set,      /* desired_mechs */
    gss_cred_usage_t,       /* cred_usage */
    gss_cred_id_t *,        /* output_cred_handle */
    gss_OID_set *,          /* actual_mechs */
    OM_uint32 *);           /* time_rec */
/** Add a mechanism-specific credential element obtained by impersonating
 * @a desired_name (protocol transition).
 *
 * Same argument list as gss_add_cred() with @a impersonator_cred_handle
 * inserted after @a input_cred_handle.  As with
 * gss_acquire_cred_impersonate_name(), permission to impersonate is enforced
 * by the mechanism, and a refusal is an expected outcome.
 *
 * @param [out] minor_status              Minor status code
 * @param [in]  input_cred_handle         Credential to add the element to
 * @param [in]  impersonator_cred_handle  Credential of the party requesting the
 *                                        impersonation
 * @param [in]  desired_name              Principal to be impersonated
 * @param [in]  desired_mech              Single mechanism to add an element for
 * @param [in]  cred_usage                GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH
 * @param [in]  initiator_time_req        Requested initiator lifetime (seconds)
 * @param [in]  acceptor_time_req         Requested acceptor lifetime (seconds)
 * @param [out] output_cred_handle        Resulting credential; release with
 *                                        gss_release_cred()
 * @param [out] actual_mechs              Mechanisms present in the result
 * @param [out] initiator_time_rec        Initiator lifetime actually granted
 * @param [out] acceptor_time_rec         Acceptor lifetime actually granted
 *
 * @return GSS_S_COMPLETE on success, otherwise a GSS major status code.
 */
OM_uint32 KRB5_CALLCONV
gss_add_cred_impersonate_name(
    OM_uint32 *,            /* minor_status */
    gss_cred_id_t,          /* input_cred_handle */
    const gss_cred_id_t,    /* impersonator_cred_handle */
    const gss_name_t,       /* desired_name */
    const gss_OID,          /* desired_mech */
    gss_cred_usage_t,       /* cred_usage */
    OM_uint32,              /* initiator_time_req */
    OM_uint32,              /* acceptor_time_req */
    gss_cred_id_t *,        /* output_cred_handle */
    gss_OID_set *,          /* actual_mechs */
    OM_uint32 *,            /* initiator_time_rec */
    OM_uint32 *);           /* acceptor_time_rec */
/* Name-attribute identifier (a gss_buffer_t, not an OID) for the local login
 * user; presumably passed as the attr argument of the gss_*_name_attribute()
 * routines declared below -- confirm. */
GSS_DLLIMP extern gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
370 OM_uint32 KRB5_CALLCONV gss_display_name_ext
372 OM_uint32 *, /* minor_status */
373 gss_name_t, /* name */
374 gss_OID, /* display_as_name_type */
375 gss_buffer_t /* display_name */
378 OM_uint32 KRB5_CALLCONV gss_inquire_name
380 OM_uint32 *, /* minor_status */
381 gss_name_t, /* name */
382 int *, /* name_is_MN */
383 gss_OID *, /* MN_mech */
384 gss_buffer_set_t * /* attrs */
387 OM_uint32 KRB5_CALLCONV gss_get_name_attribute
389 OM_uint32 *, /* minor_status */
390 gss_name_t, /* name */
391 gss_buffer_t, /* attr */
392 int *, /* authenticated */
393 int *, /* complete */
394 gss_buffer_t, /* value */
395 gss_buffer_t, /* display_value */
399 OM_uint32 KRB5_CALLCONV gss_set_name_attribute
401 OM_uint32 *, /* minor_status */
402 gss_name_t, /* name */
404 gss_buffer_t, /* attr */
405 gss_buffer_t /* value */
408 OM_uint32 KRB5_CALLCONV gss_delete_name_attribute
410 OM_uint32 *, /* minor_status */
411 gss_name_t, /* name */
412 gss_buffer_t /* attr */
415 OM_uint32 KRB5_CALLCONV gss_export_name_composite
417 OM_uint32 *, /* minor_status */
418 gss_name_t, /* name */
419 gss_buffer_t /* exp_composite_name */
/* Opaque handle for mechanism-specific objects returned by
 * gss_map_name_to_any().  struct gss_any is only forward-declared here, so
 * callers cannot dereference it; hand it back via
 * gss_release_any_name_mapping(). */
typedef struct gss_any *gss_any_t;
424 OM_uint32 KRB5_CALLCONV gss_map_name_to_any
426 OM_uint32 *, /* minor_status */
427 gss_name_t, /* name */
428 int, /* authenticated */
429 gss_buffer_t, /* type_id */
430 gss_any_t * /* output */
433 OM_uint32 KRB5_CALLCONV gss_release_any_name_mapping
435 OM_uint32 *, /* minor_status */
436 gss_name_t, /* name */
437 gss_buffer_t, /* type_id */
438 gss_any_t * /* input */
441 /* draft-josefsson-gss-capsulate */
442 OM_uint32 KRB5_CALLCONV gss_encapsulate_token
444 gss_const_buffer_t, /* input_token */
445 gss_const_OID, /* token_oid */
446 gss_buffer_t /* output_token */
449 OM_uint32 KRB5_CALLCONV gss_decapsulate_token
451 gss_const_buffer_t, /* input_token */
452 gss_const_OID, /* token_oid */
453 gss_buffer_t /* output_token */
456 int KRB5_CALLCONV gss_oid_equal
458 gss_const_OID, /* first_oid */
459 gss_const_OID /* second_oid */
466 #endif /* GSSAPI_EXT_H_ */