2 * Copyright 2000 by the Massachusetts Institute of Technology.
5 * Export of this software from the United States of America may
6 * require a specific license from the United States Government.
7 * It is the responsibility of any person or organization contemplating
8 * export to obtain such a license before exporting.
10 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
11 * distribute this software and its documentation for any purpose and
12 * without fee is hereby granted, provided that the above copyright
13 * notice appear in all copies and that both that copyright notice and
14 * this permission notice appear in supporting documentation, and that
15 * the name of M.I.T. not be used in advertising or publicity pertaining
16 * to distribution of the software without specific, written prior
17 * permission. Furthermore if you modify this software you must label
18 * your software as modified software and not distribute it in such a
19 * fashion that it might be confused with the original M.I.T. software.
20 * M.I.T. makes no representations about the suitability of
21 * this software for any purpose. It is provided "as is" without express
22 * or implied warranty.
26 * Copyright 1993 by OpenVision Technologies, Inc.
28 * Permission to use, copy, modify, distribute, and sell this software
29 * and its documentation for any purpose is hereby granted without fee,
30 * provided that the above copyright notice appears in all copies and
31 * that both that copyright notice and this permission notice appear in
32 * supporting documentation, and that the name of OpenVision not be used
33 * in advertising or publicity pertaining to distribution of the software
34 * without specific, written prior permission. OpenVision makes no
35 * representations about the suitability of this software for any
36 * purpose. It is provided "as is" without express or implied warranty.
38 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
39 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
40 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
41 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
42 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
43 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
44 * PERFORMANCE OF THIS SOFTWARE.
47 #ifndef _GSSAPIP_KRB5_H_
48 #define _GSSAPIP_KRB5_H_
51 #include <Kerberos/krb5.h>
59 /* work around sunos braindamage */
67 #include "gssapiP_generic.h"
69 /* The include of gssapi_krb5.h will dtrt with the above #defines in
72 #include "gssapi_krb5.h"
73 #include "gssapi_err_krb5.h"
/* Checksum type (RFC 1964 section 1.1.1) of the checksum carried in the
 * AP-REQ authenticator.  That checksum holds the hash of the channel
 * bindings and the flags the initiator asked for, so it is the one place
 * the acceptor can check both; the 0x8003 value is what marks it as this
 * GSS-specific checksum rather than an ordinary Kerberos one. */
77 #define CKSUMTYPE_KG_CB 0x8003
/* Two-byte TOK_ID values of the RFC 1964 token types (context
 * establishment, per-message, and context deletion).  Note that the
 * SIGN/MIC and SEAL/WRAP pairs are aliases for the same IDs (0x0101 and
 * 0x0201): the V1 and V2 per-message entry points emit and accept
 * identical tokens, so a receiver cannot distinguish them from the
 * token alone. */
79 #define KG_TOK_CTX_AP_REQ 0x0100
80 #define KG_TOK_CTX_AP_REP 0x0200
81 #define KG_TOK_CTX_ERROR 0x0300
82 #define KG_TOK_SIGN_MSG 0x0101
83 #define KG_TOK_SEAL_MSG 0x0201
84 #define KG_TOK_MIC_MSG 0x0101
85 #define KG_TOK_WRAP_MSG 0x0201
86 #define KG_TOK_DEL_CTX 0x0102
/* Flags this mechanism reports for a context given the requested flags
 * x: INTEG, CONF, TRANS and PROT_READY are always asserted, and of the
 * requested bits only MUTUAL, REPLAY, SEQUENCE and DELEG are carried
 * through; every other bit in x is dropped.  x is evaluated exactly
 * once, so it is safe to pass an expression with side effects. */
88 #define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
89 GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | \
90 ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
91 GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
93 #define KG2_TOK_INITIAL 0x0101
94 #define KG2_TOK_RESPONSE 0x0202
95 #define KG2_TOK_MIC 0x0303
96 #define KG2_TOK_WRAP_INTEG 0x0404
97 #define KG2_TOK_WRAP_PRIV 0x0505
99 #define KRB5_GSS_FOR_CREDS_OPTION 1
101 #define KG2_RESP_FLAG_ERROR 0x0001
102 #define KG2_RESP_FLAG_DELEG_OK 0x0002
104 /* These are to be stored in little-endian order, i.e., des-mac is
107 SGN_ALG_DES_MAC_MD5 = 0x0000,
108 SGN_ALG_MD2_5 = 0x0001,
109 SGN_ALG_DES_MAC = 0x0002,
110 SGN_ALG_3 = 0x0003, /* not published */
111 SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
112 SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
115 SEAL_ALG_NONE = 0xffff,
116 SEAL_ALG_DES = 0x0000,
117 SEAL_ALG_1 = 0x0001, /* not published */
118 SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
119 SEAL_ALG_DES3KD = 0x0002
122 #define KG_USAGE_SEAL 22
123 #define KG_USAGE_SIGN 23
124 #define KG_USAGE_SEQ 24
127 GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
128 GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
129 GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
130 GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
131 GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
132 GSS_KRB5_CONF_C_QOP_DES = 0x0100,
133 GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
134 GSS_KRB5_CONF_C_QOP_MASK = 0xff00
137 /** internal types **/
139 typedef krb5_principal krb5_gss_name_t;
141 typedef struct _krb5_gss_cred_id_rec {
142 /* name/type of credential */
143 gss_cred_usage_t usage;
144 krb5_principal princ; /* this is not interned as a gss_name_t */
148 /* keytab (accept) data */
152 /* ccache (init) data */
154 krb5_timestamp tgt_expire;
155 } krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
157 typedef struct _krb5_gss_ctx_id_rec {
158 int initiate; /* nonzero if initiating, zero if accepting */
161 unsigned char seed[16];
163 krb5_principal there;
164 krb5_keyblock *subkey;
170 krb5_timestamp endtime;
171 krb5_flags krb_flags;
172 /* XXX these used to be signed. the old spec is inspecific, and
173 the new spec specifies unsigned. I don't believe that the change
174 affects the wire encoding. */
180 krb5_auth_context auth_context;
181 gss_OID_desc *mech_used;
183 krb5_cksumtype *ctypes;
184 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
/* Handle-tracking wrappers.  Each forwards to the generic g_* routine,
 * binding it to this mechanism's own handle database kg_vdb (declared
 * outside this excerpt; the g_* routines are presumably provided by
 * gssapiP_generic.h, included above).  Judging by the names, a handle
 * is kg_save_*'d when created, kg_validate_*'d before an opaque
 * name/cred/ctx pointer received across the API boundary is
 * dereferenced, and kg_delete_*'d when released -- so a validate call
 * that is skipped on some entry point would let a forged or stale
 * handle reach the mechanism's internals. */
190 #define kg_save_name(name) g_save_name(&kg_vdb,name)
191 #define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred)
192 #define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx)
194 #define kg_validate_name(name) g_validate_name(&kg_vdb,name)
195 #define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred)
196 #define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx)
198 #define kg_delete_name(name) g_delete_name(&kg_vdb,name)
199 #define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred)
200 #define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx)
202 /** helper functions **/
204 OM_uint32 kg_get_defcred
205 (OM_uint32 *minor_status,
206 gss_cred_id_t *cred);
208 OM_uint32 kg_release_defcred (OM_uint32 *minor_status);
210 krb5_error_code kg_checksum_channel_bindings
211 (krb5_context context, gss_channel_bindings_t cb,
212 krb5_checksum *cksum,
215 krb5_error_code kg_make_seq_num (krb5_context context,
217 int direction, krb5_ui_4 seqnum, unsigned char *cksum,
220 krb5_error_code kg_get_seq_num (krb5_context context,
222 unsigned char *cksum, unsigned char *buf, int *direction,
225 krb5_error_code kg_make_seed (krb5_context context,
227 unsigned char *seed);
229 int kg_confounder_size (krb5_context context, krb5_keyblock *key);
231 krb5_error_code kg_make_confounder (krb5_context context,
232 krb5_keyblock *key, unsigned char *buf);
234 krb5_error_code kg_encrypt (krb5_context context,
235 krb5_keyblock *key, int usage,
239 unsigned int length);
241 kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage,
242 const unsigned char *kd_data, size_t kd_data_len,
243 const unsigned char *input_buf, size_t input_len,
244 unsigned char *output_buf);
246 krb5_error_code kg_decrypt (krb5_context context,
247 krb5_keyblock *key, int usage,
251 unsigned int length);
253 OM_uint32 kg_seal (krb5_context context,
254 OM_uint32 *minor_status,
255 gss_ctx_id_t context_handle,
258 gss_buffer_t input_message_buffer,
260 gss_buffer_t output_message_buffer,
263 OM_uint32 kg_unseal (krb5_context context,
264 OM_uint32 *minor_status,
265 gss_ctx_id_t context_handle,
266 gss_buffer_t input_token_buffer,
267 gss_buffer_t message_buffer,
272 OM_uint32 kg_seal_size (krb5_context context,
273 OM_uint32 *minor_status,
274 gss_ctx_id_t context_handle,
277 OM_uint32 output_size,
278 OM_uint32 *input_size);
280 krb5_error_code kg_ctx_size (krb5_context kcontext,
284 krb5_error_code kg_ctx_externalize (krb5_context kcontext,
289 krb5_error_code kg_ctx_internalize (krb5_context kcontext,
294 OM_uint32 kg_get_context (OM_uint32 *minor_status,
295 krb5_context *context);
297 /** declarations of internal name mechanism functions **/
299 OM_uint32 krb5_gss_acquire_cred
300 (OM_uint32*, /* minor_status */
301 gss_name_t, /* desired_name */
302 OM_uint32, /* time_req */
303 gss_OID_set, /* desired_mechs */
304 gss_cred_usage_t, /* cred_usage */
305 gss_cred_id_t*, /* output_cred_handle */
306 gss_OID_set*, /* actual_mechs */
307 OM_uint32* /* time_rec */
310 OM_uint32 krb5_gss_release_cred
311 (OM_uint32*, /* minor_status */
312 gss_cred_id_t* /* cred_handle */
315 OM_uint32 krb5_gss_init_sec_context
316 (OM_uint32*, /* minor_status */
317 gss_cred_id_t, /* claimant_cred_handle */
318 gss_ctx_id_t*, /* context_handle */
319 gss_name_t, /* target_name */
320 gss_OID, /* mech_type */
321 OM_uint32, /* req_flags */
322 OM_uint32, /* time_req */
323 gss_channel_bindings_t,
324 /* input_chan_bindings */
325 gss_buffer_t, /* input_token */
326 gss_OID*, /* actual_mech_type */
327 gss_buffer_t, /* output_token */
328 OM_uint32*, /* ret_flags */
329 OM_uint32* /* time_rec */
332 OM_uint32 krb5_gss_accept_sec_context
333 (OM_uint32*, /* minor_status */
334 gss_ctx_id_t*, /* context_handle */
335 gss_cred_id_t, /* verifier_cred_handle */
336 gss_buffer_t, /* input_token_buffer */
337 gss_channel_bindings_t,
338 /* input_chan_bindings */
339 gss_name_t*, /* src_name */
340 gss_OID*, /* mech_type */
341 gss_buffer_t, /* output_token */
342 OM_uint32*, /* ret_flags */
343 OM_uint32*, /* time_rec */
344 gss_cred_id_t* /* delegated_cred_handle */
347 OM_uint32 krb5_gss_process_context_token
348 (OM_uint32*, /* minor_status */
349 gss_ctx_id_t, /* context_handle */
350 gss_buffer_t /* token_buffer */
353 OM_uint32 krb5_gss_delete_sec_context
354 (OM_uint32*, /* minor_status */
355 gss_ctx_id_t*, /* context_handle */
356 gss_buffer_t /* output_token */
359 OM_uint32 krb5_gss_context_time
360 (OM_uint32*, /* minor_status */
361 gss_ctx_id_t, /* context_handle */
362 OM_uint32* /* time_rec */
365 OM_uint32 krb5_gss_sign
366 (OM_uint32*, /* minor_status */
367 gss_ctx_id_t, /* context_handle */
369 gss_buffer_t, /* message_buffer */
370 gss_buffer_t /* message_token */
373 OM_uint32 krb5_gss_verify
374 (OM_uint32*, /* minor_status */
375 gss_ctx_id_t, /* context_handle */
376 gss_buffer_t, /* message_buffer */
377 gss_buffer_t, /* token_buffer */
381 OM_uint32 krb5_gss_seal
382 (OM_uint32*, /* minor_status */
383 gss_ctx_id_t, /* context_handle */
384 int, /* conf_req_flag */
386 gss_buffer_t, /* input_message_buffer */
387 int*, /* conf_state */
388 gss_buffer_t /* output_message_buffer */
391 OM_uint32 krb5_gss_unseal
392 (OM_uint32*, /* minor_status */
393 gss_ctx_id_t, /* context_handle */
394 gss_buffer_t, /* input_message_buffer */
395 gss_buffer_t, /* output_message_buffer */
396 int*, /* conf_state */
400 OM_uint32 krb5_gss_display_status
401 (OM_uint32*, /* minor_status */
402 OM_uint32, /* status_value */
403 int, /* status_type */
404 gss_OID, /* mech_type */
405 OM_uint32*, /* message_context */
406 gss_buffer_t /* status_string */
409 OM_uint32 krb5_gss_indicate_mechs
410 (OM_uint32*, /* minor_status */
411 gss_OID_set* /* mech_set */
414 OM_uint32 krb5_gss_compare_name
415 (OM_uint32*, /* minor_status */
416 gss_name_t, /* name1 */
417 gss_name_t, /* name2 */
418 int* /* name_equal */
421 OM_uint32 krb5_gss_display_name
422 (OM_uint32*, /* minor_status */
423 gss_name_t, /* input_name */
424 gss_buffer_t, /* output_name_buffer */
425 gss_OID* /* output_name_type */
428 OM_uint32 krb5_gss_import_name
429 (OM_uint32*, /* minor_status */
430 gss_buffer_t, /* input_name_buffer */
431 gss_OID, /* input_name_type */
432 gss_name_t* /* output_name */
435 OM_uint32 krb5_gss_release_name
436 (OM_uint32*, /* minor_status */
437 gss_name_t* /* input_name */
440 OM_uint32 krb5_gss_inquire_cred
441 (OM_uint32 *, /* minor_status */
442 gss_cred_id_t, /* cred_handle */
443 gss_name_t *, /* name */
444 OM_uint32 *, /* lifetime */
445 gss_cred_usage_t*,/* cred_usage */
446 gss_OID_set * /* mechanisms */
449 OM_uint32 krb5_gss_inquire_context
450 (OM_uint32*, /* minor_status */
451 gss_ctx_id_t, /* context_handle */
452 gss_name_t*, /* initiator_name */
453 gss_name_t*, /* acceptor_name */
454 OM_uint32*, /* lifetime_rec */
455 gss_OID*, /* mech_type */
456 OM_uint32*, /* ret_flags */
457 int*, /* locally_initiated */
461 /* New V2 entry points */
462 OM_uint32 krb5_gss_get_mic
463 (OM_uint32 *, /* minor_status */
464 gss_ctx_id_t, /* context_handle */
465 gss_qop_t, /* qop_req */
466 gss_buffer_t, /* message_buffer */
467 gss_buffer_t /* message_token */
470 OM_uint32 krb5_gss_verify_mic
471 (OM_uint32 *, /* minor_status */
472 gss_ctx_id_t, /* context_handle */
473 gss_buffer_t, /* message_buffer */
474 gss_buffer_t, /* message_token */
475 gss_qop_t * /* qop_state */
478 OM_uint32 krb5_gss_wrap
479 (OM_uint32 *, /* minor_status */
480 gss_ctx_id_t, /* context_handle */
481 int, /* conf_req_flag */
482 gss_qop_t, /* qop_req */
483 gss_buffer_t, /* input_message_buffer */
484 int *, /* conf_state */
485 gss_buffer_t /* output_message_buffer */
488 OM_uint32 krb5_gss_unwrap
489 (OM_uint32 *, /* minor_status */
490 gss_ctx_id_t, /* context_handle */
491 gss_buffer_t, /* input_message_buffer */
492 gss_buffer_t, /* output_message_buffer */
493 int *, /* conf_state */
494 gss_qop_t * /* qop_state */
497 OM_uint32 krb5_gss_wrap_size_limit
498 (OM_uint32 *, /* minor_status */
499 gss_ctx_id_t, /* context_handle */
500 int, /* conf_req_flag */
501 gss_qop_t, /* qop_req */
502 OM_uint32, /* req_output_size */
503 OM_uint32 * /* max_input_size */
506 OM_uint32 krb5_gss_import_name_object
507 (OM_uint32 *, /* minor_status */
508 void *, /* input_name */
509 gss_OID, /* input_name_type */
510 gss_name_t * /* output_name */
513 OM_uint32 krb5_gss_export_name_object
514 (OM_uint32 *, /* minor_status */
515 gss_name_t, /* input_name */
516 gss_OID, /* desired_name_type */
517 void * * /* output_name */
520 OM_uint32 krb5_gss_add_cred
521 (OM_uint32 *, /* minor_status */
522 gss_cred_id_t, /* input_cred_handle */
523 gss_name_t, /* desired_name */
524 gss_OID, /* desired_mech */
525 gss_cred_usage_t, /* cred_usage */
526 OM_uint32, /* initiator_time_req */
527 OM_uint32, /* acceptor_time_req */
528 gss_cred_id_t *, /* output_cred_handle */
529 gss_OID_set *, /* actual_mechs */
530 OM_uint32 *, /* initiator_time_rec */
531 OM_uint32 * /* acceptor_time_rec */
534 OM_uint32 krb5_gss_inquire_cred_by_mech
535 (OM_uint32 *, /* minor_status */
536 gss_cred_id_t, /* cred_handle */
537 gss_OID, /* mech_type */
538 gss_name_t *, /* name */
539 OM_uint32 *, /* initiator_lifetime */
540 OM_uint32 *, /* acceptor_lifetime */
541 gss_cred_usage_t * /* cred_usage */
544 OM_uint32 krb5_gss_export_sec_context
545 (OM_uint32 *, /* minor_status */
546 gss_ctx_id_t *, /* context_handle */
547 gss_buffer_t /* interprocess_token */
550 OM_uint32 krb5_gss_import_sec_context
551 (OM_uint32 *, /* minor_status */
552 gss_buffer_t, /* interprocess_token */
553 gss_ctx_id_t * /* context_handle */
556 OM_uint32 krb5_gss_release_oid
557 (OM_uint32 *, /* minor_status */
561 OM_uint32 krb5_gss_inquire_names_for_mech
562 (OM_uint32 *, /* minor_status */
563 gss_OID, /* mechanism */
564 gss_OID_set * /* name_types */
567 OM_uint32 krb5_gss_canonicalize_name
568 (OM_uint32 *, /* minor_status */
569 const gss_name_t, /* input_name */
570 const gss_OID, /* mech_type */
571 gss_name_t * /* output_name */
574 OM_uint32 krb5_gss_export_name
575 (OM_uint32 *, /* minor_status */
576 const gss_name_t, /* input_name */
577 gss_buffer_t /* exported_name */
580 OM_uint32 krb5_gss_duplicate_name
581 (OM_uint32 *, /* minor_status */
582 const gss_name_t, /* input_name */
583 gss_name_t * /* dest_name */
586 OM_uint32 krb5_gss_validate_cred
587 (OM_uint32 *, /* minor_status */
588 gss_cred_id_t /* cred */
591 gss_OID krb5_gss_convert_static_mech_oid
595 #endif /* _GSSAPIP_KRB5_H_ */