1 /* -*- mode: c; indent-tabs-mode: nil -*- */
3 * Copyright 2000, 2008 by the Massachusetts Institute of Technology.
6 * Export of this software from the United States of America may
7 * require a specific license from the United States Government.
8 * It is the responsibility of any person or organization contemplating
9 * export to obtain such a license before exporting.
11 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
12 * distribute this software and its documentation for any purpose and
13 * without fee is hereby granted, provided that the above copyright
14 * notice appear in all copies and that both that copyright notice and
15 * this permission notice appear in supporting documentation, and that
16 * the name of M.I.T. not be used in advertising or publicity pertaining
17 * to distribution of the software without specific, written prior
18 * permission. Furthermore if you modify this software you must label
19 * your software as modified software and not distribute it in such a
20 * fashion that it might be confused with the original M.I.T. software.
21 * M.I.T. makes no representations about the suitability of
22 * this software for any purpose. It is provided "as is" without express
23 * or implied warranty.
27 * Copyright 1993 by OpenVision Technologies, Inc.
29 * Permission to use, copy, modify, distribute, and sell this software
30 * and its documentation for any purpose is hereby granted without fee,
31 * provided that the above copyright notice appears in all copies and
32 * that both that copyright notice and this permission notice appear in
33 * supporting documentation, and that the name of OpenVision not be used
34 * in advertising or publicity pertaining to distribution of the software
35 * without specific, written prior permission. OpenVision makes no
36 * representations about the suitability of this software for any
37 * purpose. It is provided "as is" without express or implied warranty.
39 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
40 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
41 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
42 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
43 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
44 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
45 * PERFORMANCE OF THIS SOFTWARE.
48 #ifndef _GSSAPIP_KRB5_H_
49 #define _GSSAPIP_KRB5_H_
57 /* work around sunos braindamage */
#include <errno.h>
#include "gssapiP_generic.h"
67 /* The include of gssapi_krb5.h will dtrt with the above #defines in
70 #include "gssapi_krb5.h"
71 #include "gssapi_err_krb5.h"
72 #include "gssapi_ext.h"
/* Kerberos V5 mechanism OID, 1.2.840.113554.1.2.2, in DER content-octet form. */
#define GSS_MECH_KRB5_OID_LENGTH 9
#define GSS_MECH_KRB5_OID "\052\206\110\206\367\022\001\002\002"

/* Pre-RFC 1964 krb5 mechanism OID, 1.3.5.1.5.2. */
#define GSS_MECH_KRB5_OLD_OID_LENGTH 5
#define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002"

/* Incorrect krb5 mech OID emitted by MS.  It differs from GSS_MECH_KRB5_OID
 * only in the fourth octet (\202 instead of \206), so a byte-wise comparison
 * against GSS_MECH_KRB5_OID will not match it; it has to be checked for
 * separately wherever the correct OID is accepted. */
#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9
#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"

/* IAKERB mechanism OID, 1.3.6.1.5.2.5. */
#define GSS_MECH_IAKERB_OID_LENGTH 6
#define GSS_MECH_IAKERB_OID "\053\006\001\005\002\005"
/* Checksum type of the GSS-API authenticator checksum (channel bindings and
 * flags) carried in the AP-REQ; RFC 1964 section 1.1.1, RFC 4121 section 4.1.1. */
#define CKSUMTYPE_KG_CB 0x8003

/* Token identifiers.  KG_TOK_* are the RFC 1964 TOK_ID values; KG2_TOK_* are
 * the RFC 4121 (CFX) values.  Note that KG_TOK_SIGN_MSG/KG_TOK_MIC_MSG and
 * KG_TOK_SEAL_MSG/KG_TOK_WRAP_MSG are two names for the same wire value. */
#define KG_TOK_CTX_AP_REQ 0x0100
#define KG_TOK_CTX_AP_REP 0x0200
#define KG_TOK_CTX_ERROR 0x0300
#define KG_TOK_SIGN_MSG 0x0101
#define KG_TOK_SEAL_MSG 0x0201
#define KG_TOK_MIC_MSG 0x0101
#define KG_TOK_WRAP_MSG 0x0201
#define KG_TOK_DEL_CTX 0x0102
#define KG2_TOK_MIC_MSG 0x0404
#define KG2_TOK_WRAP_MSG 0x0504
#define KG2_TOK_DEL_CTX 0x0405
#define IAKERB_TOK_PROXY 0x0501

#define KRB5_GSS_FOR_CREDS_OPTION 1

#define KG2_RESP_FLAG_ERROR 0x0001
#define KG2_RESP_FLAG_DELEG_OK 0x0002

/* Bits of the Flags octet in RFC 4121 per-message (MIC/Wrap) token headers. */
#define FLAG_SENDER_IS_ACCEPTOR 0x01
#define FLAG_WRAP_CONFIDENTIAL 0x02
#define FLAG_ACCEPTOR_SUBKEY 0x04
118 /* These are to be stored in little-endian order, i.e., des-mac is
121 SGN_ALG_DES_MAC_MD5 = 0x0000,
122 SGN_ALG_MD2_5 = 0x0001,
123 SGN_ALG_DES_MAC = 0x0002,
124 SGN_ALG_3 = 0x0003, /* not published */
125 SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
126 SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
129 SEAL_ALG_NONE = 0xffff,
130 SEAL_ALG_DES = 0x0000,
131 SEAL_ALG_1 = 0x0001, /* not published */
132 SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
133 SEAL_ALG_DES3KD = 0x0002
/* Key usage numbers for the RFC 1964 (non-CFX) token formats. */
#define KG_USAGE_SEAL 22
#define KG_USAGE_SIGN 23
#define KG_USAGE_SEQ 24

/* for draft-ietf-krb-wg-gssapi-cfx-01 (RFC 4121).  Note that the first three
 * values are numerically identical to KG_USAGE_SEAL/SIGN/SEQ above, so a key
 * usage number alone does not identify which token format is in use. */
#define KG_USAGE_ACCEPTOR_SEAL 22
#define KG_USAGE_ACCEPTOR_SIGN 23
#define KG_USAGE_INITIATOR_SEAL 24
#define KG_USAGE_INITIATOR_SIGN 25
148 GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
149 GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
150 GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
151 GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
152 GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
153 GSS_KRB5_CONF_C_QOP_DES = 0x0100,
154 GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
155 GSS_KRB5_CONF_C_QOP_MASK = 0xff00
158 /** internal types **/
/* Mechanism-specific name object: a krb5 principal together with the
 * service/host strings given to kg_init_name().  The principal and the two
 * strings are never changed after construction, which is why the lock only
 * has to cover ad_context. */
typedef struct _krb5_gss_name_rec {
    krb5_principal princ; /* immutable */
    char *service; /* immutable */
    char *host; /* immutable */
    k5_mutex_t lock; /* protects ad_context only for now */
    krb5_authdata_context ad_context; /* authorization-data context, may be NULL */
} krb5_gss_name_rec, *krb5_gss_name_t;
/* Mechanism-specific credential object.  It is shared between threads, so
 * fields below are only safe to read or modify under the credential lock. */
typedef struct _krb5_gss_cred_id_rec {
    /* protect against simultaneous accesses */

    /* name/type of credential */
    gss_cred_usage_t usage;
    krb5_gss_name_t name;
    krb5_principal impersonator; /* NOTE(review): looks like the impersonating
                                  * principal of an S4U credential — see
                                  * kg_compose_deleg_cred(); confirm */
    unsigned int default_identity : 1;
    unsigned int iakerb_mech : 1; /* presumably set when acquired through the
                                   * iakerb_gss_* entry points; verify */
    unsigned int destroy_ccache : 1; /* presumably: destroy (not just close) the
                                      * ccache on release — confirm in release_cred */

    /* keytab (accept) data */

    /* ccache (init) data */
    krb5_timestamp tgt_expire; /* expiry of the TGT backing this credential */
    krb5_enctype *req_enctypes; /* limit negotiated enctypes to this list */
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
/* Extension arguments for the *_ext variants of init/accept_sec_context,
 * passed as the trailing krb5_gss_ctx_ext_t parameter of
 * krb5_gss_init_sec_context_ext() and krb5_gss_accept_sec_context_ext(). */
typedef struct _krb5_gss_ctx_ext_rec {
} krb5_gss_ctx_ext_rec, *krb5_gss_ctx_ext_t;
/* Mechanism-specific security context.  Holds the negotiated keys for both
 * the RFC 1964 and RFC 4121 token formats plus the per-direction sequence
 * state used for replay/ordering checks on per-message tokens. */
typedef struct _krb5_gss_ctx_id_rec {
    unsigned int initiate : 1; /* nonzero if initiating, zero if accepting */
    unsigned int established : 1; /* context establishment has completed */
    unsigned int big_endian : 1; /* byte order used for sequence numbers on the wire */
    unsigned int have_acceptor_subkey : 1; /* acceptor_subkey below is valid */
    unsigned int seed_init : 1; /* XXX tested but never actually set */
    unsigned char seed[16];
    krb5_gss_name_t here; /* local party */
    krb5_gss_name_t there; /* peer */
    krb5_key subkey; /* One of two potential keys to use with RFC 4121
                      * packets; this key must always be set. */
    krb5_key enc; /* RFC 1964 encryption key; seq xored with a constant
                   * for DES, seq for other RFC 1964 enctypes */
    krb5_key seq; /* RFC 1964 sequencing key */
    krb5_ticket_times krb_times; /* lifetime of the underlying ticket */
    krb5_flags krb_flags;
    /* XXX these used to be signed. the old spec is inspecific, and
       the new spec specifies unsigned. I don't believe that the change
       affects the wire encoding. */
    gssint_uint64 seq_send; /* next sequence number to send */
    gssint_uint64 seq_recv; /* next sequence number expected from the peer */
    krb5_context k5_context;
    krb5_auth_context auth_context;
    gss_OID_desc *mech_used; /* mechanism OID actually negotiated */
    /* Protocol spec revision for sending packets
       0 => RFC 1964 with 3DES and RC4 enhancements
       No others defined so far. It is always permitted to receive
       tokens in RFC 4121 format. If enc is non-null, receiving RFC
       1964 tokens is permitted.*/
    krb5_cksumtype cksumtype; /* for "main" subkey */
    krb5_key acceptor_subkey; /* CFX only */
    krb5_cksumtype acceptor_subkey_cksumtype;
    int cred_rcache; /* did we get rcache from creds? */
    krb5_authdata **authdata; /* authorization data from the ticket, if any */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
245 extern k5_mutex_t gssint_krb5_keytab_lock;
246 #endif /* LEAN_CLIENT */
248 /** helper functions **/
/* Obtain the default credential for this mechanism.  Follows the GSS-API
 * convention: the major status is returned, *minor_status receives the
 * mechanism-specific code, and *cred receives the new handle, which the
 * caller owns (presumably released with krb5_gss_release_cred(); confirm). */
OM_uint32 kg_get_defcred
(OM_uint32 *minor_status,
 gss_cred_id_t *cred);
254 krb5_error_code kg_checksum_channel_bindings
255 (krb5_context context, gss_channel_bindings_t cb,
256 krb5_checksum *cksum,
259 krb5_error_code kg_make_seq_num (krb5_context context,
261 int direction, krb5_ui_4 seqnum, unsigned char *cksum,
264 krb5_error_code kg_get_seq_num (krb5_context context,
266 unsigned char *cksum, unsigned char *buf, int *direction,
269 krb5_error_code kg_make_seed (krb5_context context,
271 unsigned char *seed);
274 kg_setup_keys(krb5_context context,
275 krb5_gss_ctx_id_rec *ctx,
277 krb5_cksumtype *cksumtype);
/* Size in bytes of the confounder for enctype. */
int kg_confounder_size (krb5_context context, krb5_enctype enctype);

/* Fill buf with a fresh confounder for enctype.  buf must have room for
 * kg_confounder_size(context, enctype) bytes — presumably the contract, as
 * no length parameter is passed; verify at the call sites. */
krb5_error_code kg_make_confounder (krb5_context context,
                                    krb5_enctype enctype, unsigned char *buf);
284 krb5_error_code kg_encrypt (krb5_context context,
285 krb5_key key, int usage,
287 krb5_const_pointer in,
289 unsigned int length);
291 /* Encrypt length bytes at ptr in place, with the given key and usage. If
292 * iv is not NULL, use it as the cipher state. */
293 krb5_error_code kg_encrypt_inplace(krb5_context context, krb5_key key,
294 int usage, krb5_pointer iv,
295 krb5_pointer ptr, unsigned int length);
297 krb5_error_code kg_encrypt_iov (krb5_context context,
298 int proto, int dce_style,
299 size_t ec, size_t rrc,
300 krb5_key key, int usage,
302 gss_iov_buffer_desc *iov,
306 kg_arcfour_docrypt (const krb5_keyblock *keyblock, int usage,
307 const unsigned char *kd_data, size_t kd_data_len,
308 const unsigned char *input_buf, size_t input_len,
309 unsigned char *output_buf);
312 kg_arcfour_docrypt_iov (krb5_context context,
313 const krb5_keyblock *keyblock, int usage,
314 const unsigned char *kd_data, size_t kd_data_len,
315 gss_iov_buffer_desc *iov,
318 krb5_error_code kg_decrypt (krb5_context context,
319 krb5_key key, int usage,
321 krb5_const_pointer in,
323 unsigned int length);
325 krb5_error_code kg_decrypt_iov (krb5_context context,
326 int proto, int dce_style,
327 size_t ec, size_t rrc,
328 krb5_key key, int usage,
330 gss_iov_buffer_desc *iov,
333 OM_uint32 kg_seal (OM_uint32 *minor_status,
334 gss_ctx_id_t context_handle,
337 gss_buffer_t input_message_buffer,
339 gss_buffer_t output_message_buffer,
342 OM_uint32 kg_unseal (OM_uint32 *minor_status,
343 gss_ctx_id_t context_handle,
344 gss_buffer_t input_token_buffer,
345 gss_buffer_t message_buffer,
347 gss_qop_t *qop_state,
350 OM_uint32 kg_seal_size (OM_uint32 *minor_status,
351 gss_ctx_id_t context_handle,
354 OM_uint32 output_size,
355 OM_uint32 *input_size);
357 krb5_error_code kg_ctx_size (krb5_context kcontext,
361 krb5_error_code kg_ctx_externalize (krb5_context kcontext,
366 krb5_error_code kg_ctx_internalize (krb5_context kcontext,
371 OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);
373 OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
374 int *out_caller_provided_name);
376 OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
377 const char **out_name);
379 OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
384 krb5_error_code gss_krb5int_make_seal_token_v3_iov(krb5_context context,
385 krb5_gss_ctx_id_rec *ctx,
388 gss_iov_buffer_desc *iov,
392 OM_uint32 gss_krb5int_unseal_v3_iov(krb5_context context,
393 OM_uint32 *minor_status,
394 krb5_gss_ctx_id_rec *ctx,
395 gss_iov_buffer_desc *iov,
398 gss_qop_t *qop_state,
401 gss_iov_buffer_t kg_locate_iov (gss_iov_buffer_desc *iov,
405 void kg_iov_msglen(gss_iov_buffer_desc *iov,
408 size_t *assoc_data_length);
410 void kg_release_iov(gss_iov_buffer_desc *iov,
413 krb5_error_code kg_make_checksum_iov_v1(krb5_context context,
415 size_t token_cksum_len,
417 krb5_key enc, /* for conf len */
418 krb5_keyusage sign_usage,
419 gss_iov_buffer_desc *iov,
422 krb5_checksum *checksum);
424 krb5_error_code kg_make_checksum_iov_v3(krb5_context context,
428 krb5_keyusage sign_usage,
429 gss_iov_buffer_desc *iov,
432 krb5_error_code kg_verify_checksum_iov_v3(krb5_context context,
436 krb5_keyusage sign_usage,
437 gss_iov_buffer_desc *iov,
439 krb5_boolean *valid);
441 OM_uint32 kg_seal_iov (OM_uint32 *minor_status,
442 gss_ctx_id_t context_handle,
446 gss_iov_buffer_desc *iov,
450 OM_uint32 kg_unseal_iov (OM_uint32 *minor_status,
451 gss_ctx_id_t context_handle,
453 gss_qop_t *qop_state,
454 gss_iov_buffer_desc *iov,
458 OM_uint32 kg_seal_iov_length(OM_uint32 *minor_status,
459 gss_ctx_id_t context_handle,
463 gss_iov_buffer_desc *iov,
466 krb5_cryptotype kg_translate_flag_iov(OM_uint32 type);
468 OM_uint32 kg_fixup_padding_iov(OM_uint32 *minor_status,
469 gss_iov_buffer_desc *iov,
472 krb5_boolean kg_integ_only_iov(gss_iov_buffer_desc *iov, int iov_count);
474 krb5_error_code kg_allocate_iov(gss_iov_buffer_t iov, size_t size);
477 krb5_to_gss_cred(krb5_context context,
479 krb5_gss_cred_id_t *out_cred);
482 kg_cred_resolve(OM_uint32 *minor_status, krb5_context context,
483 gss_cred_id_t cred_handle, gss_name_t target_name);
485 /** declarations of internal name mechanism functions **/
487 OM_uint32 KRB5_CALLCONV krb5_gss_acquire_cred
488 (OM_uint32*, /* minor_status */
489 gss_name_t, /* desired_name */
490 OM_uint32, /* time_req */
491 gss_OID_set, /* desired_mechs */
492 gss_cred_usage_t, /* cred_usage */
493 gss_cred_id_t*, /* output_cred_handle */
494 gss_OID_set*, /* actual_mechs */
495 OM_uint32* /* time_rec */
498 OM_uint32 KRB5_CALLCONV iakerb_gss_acquire_cred
499 (OM_uint32*, /* minor_status */
500 gss_name_t, /* desired_name */
501 OM_uint32, /* time_req */
502 gss_OID_set, /* desired_mechs */
503 gss_cred_usage_t, /* cred_usage */
504 gss_cred_id_t*, /* output_cred_handle */
505 gss_OID_set*, /* actual_mechs */
506 OM_uint32* /* time_rec */
509 OM_uint32 KRB5_CALLCONV
510 krb5_gss_acquire_cred_with_password(
511 OM_uint32 *minor_status,
512 const gss_name_t desired_name,
513 const gss_buffer_t password,
515 const gss_OID_set desired_mechs,
517 gss_cred_id_t *output_cred_handle,
518 gss_OID_set *actual_mechs,
519 OM_uint32 *time_rec);
521 OM_uint32 KRB5_CALLCONV
522 iakerb_gss_acquire_cred_with_password(
523 OM_uint32 *minor_status,
524 const gss_name_t desired_name,
525 const gss_buffer_t password,
527 const gss_OID_set desired_mechs,
529 gss_cred_id_t *output_cred_handle,
530 gss_OID_set *actual_mechs,
531 OM_uint32 *time_rec);
533 OM_uint32 KRB5_CALLCONV krb5_gss_release_cred
534 (OM_uint32*, /* minor_status */
535 gss_cred_id_t* /* cred_handle */
538 OM_uint32 KRB5_CALLCONV krb5_gss_init_sec_context
539 (OM_uint32*, /* minor_status */
540 gss_cred_id_t, /* claimant_cred_handle */
541 gss_ctx_id_t*, /* context_handle */
542 gss_name_t, /* target_name */
543 gss_OID, /* mech_type */
544 OM_uint32, /* req_flags */
545 OM_uint32, /* time_req */
546 gss_channel_bindings_t,
547 /* input_chan_bindings */
548 gss_buffer_t, /* input_token */
549 gss_OID*, /* actual_mech_type */
550 gss_buffer_t, /* output_token */
551 OM_uint32*, /* ret_flags */
552 OM_uint32* /* time_rec */
555 OM_uint32 krb5_gss_init_sec_context_ext
556 (OM_uint32*, /* minor_status */
557 gss_cred_id_t, /* claimant_cred_handle */
558 gss_ctx_id_t*, /* context_handle */
559 gss_name_t, /* target_name */
560 gss_OID, /* mech_type */
561 OM_uint32, /* req_flags */
562 OM_uint32, /* time_req */
563 gss_channel_bindings_t,
564 /* input_chan_bindings */
565 gss_buffer_t, /* input_token */
566 gss_OID*, /* actual_mech_type */
567 gss_buffer_t, /* output_token */
568 OM_uint32*, /* ret_flags */
569 OM_uint32*, /* time_rec */
570 krb5_gss_ctx_ext_t /* exts */
574 OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context
575 (OM_uint32*, /* minor_status */
576 gss_ctx_id_t*, /* context_handle */
577 gss_cred_id_t, /* verifier_cred_handle */
578 gss_buffer_t, /* input_token_buffer */
579 gss_channel_bindings_t,
580 /* input_chan_bindings */
581 gss_name_t*, /* src_name */
582 gss_OID*, /* mech_type */
583 gss_buffer_t, /* output_token */
584 OM_uint32*, /* ret_flags */
585 OM_uint32*, /* time_rec */
586 gss_cred_id_t* /* delegated_cred_handle */
589 OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
590 (OM_uint32*, /* minor_status */
591 gss_ctx_id_t*, /* context_handle */
592 gss_cred_id_t, /* verifier_cred_handle */
593 gss_buffer_t, /* input_token_buffer */
594 gss_channel_bindings_t,
595 /* input_chan_bindings */
596 gss_name_t*, /* src_name */
597 gss_OID*, /* mech_type */
598 gss_buffer_t, /* output_token */
599 OM_uint32*, /* ret_flags */
600 OM_uint32*, /* time_rec */
601 gss_cred_id_t*, /* delegated_cred_handle */
602 krb5_gss_ctx_ext_t/*exts */
604 #endif /* LEAN_CLIENT */
606 OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
607 (OM_uint32*, /* minor_status */
608 gss_ctx_id_t, /* context_handle */
609 gss_buffer_t /* token_buffer */
612 OM_uint32 KRB5_CALLCONV krb5_gss_delete_sec_context
613 (OM_uint32*, /* minor_status */
614 gss_ctx_id_t*, /* context_handle */
615 gss_buffer_t /* output_token */
618 OM_uint32 KRB5_CALLCONV krb5_gss_context_time
619 (OM_uint32*, /* minor_status */
620 gss_ctx_id_t, /* context_handle */
621 OM_uint32* /* time_rec */
624 OM_uint32 KRB5_CALLCONV krb5_gss_display_status
625 (OM_uint32*, /* minor_status */
626 OM_uint32, /* status_value */
627 int, /* status_type */
628 gss_OID, /* mech_type */
629 OM_uint32*, /* message_context */
630 gss_buffer_t /* status_string */
633 OM_uint32 KRB5_CALLCONV krb5_gss_indicate_mechs
634 (OM_uint32*, /* minor_status */
635 gss_OID_set* /* mech_set */
638 OM_uint32 KRB5_CALLCONV krb5_gss_compare_name
639 (OM_uint32*, /* minor_status */
640 gss_name_t, /* name1 */
641 gss_name_t, /* name2 */
642 int* /* name_equal */
645 OM_uint32 KRB5_CALLCONV krb5_gss_display_name
646 (OM_uint32*, /* minor_status */
647 gss_name_t, /* input_name */
648 gss_buffer_t, /* output_name_buffer */
649 gss_OID* /* output_name_type */
653 OM_uint32 KRB5_CALLCONV krb5_gss_import_name
654 (OM_uint32*, /* minor_status */
655 gss_buffer_t, /* input_name_buffer */
656 gss_OID, /* input_name_type */
657 gss_name_t* /* output_name */
660 OM_uint32 KRB5_CALLCONV krb5_gss_release_name
661 (OM_uint32*, /* minor_status */
662 gss_name_t* /* input_name */
665 OM_uint32 KRB5_CALLCONV krb5_gss_inquire_cred
666 (OM_uint32 *, /* minor_status */
667 gss_cred_id_t, /* cred_handle */
668 gss_name_t *, /* name */
669 OM_uint32 *, /* lifetime */
670 gss_cred_usage_t*,/* cred_usage */
671 gss_OID_set * /* mechanisms */
674 OM_uint32 KRB5_CALLCONV krb5_gss_inquire_context
675 (OM_uint32*, /* minor_status */
676 gss_ctx_id_t, /* context_handle */
677 gss_name_t*, /* initiator_name */
678 gss_name_t*, /* acceptor_name */
679 OM_uint32*, /* lifetime_rec */
680 gss_OID*, /* mech_type */
681 OM_uint32*, /* ret_flags */
682 int*, /* locally_initiated */
686 /* New V2 entry points */
687 OM_uint32 KRB5_CALLCONV krb5_gss_get_mic
688 (OM_uint32 *, /* minor_status */
689 gss_ctx_id_t, /* context_handle */
690 gss_qop_t, /* qop_req */
691 gss_buffer_t, /* message_buffer */
692 gss_buffer_t /* message_token */
695 OM_uint32 KRB5_CALLCONV krb5_gss_verify_mic
696 (OM_uint32 *, /* minor_status */
697 gss_ctx_id_t, /* context_handle */
698 gss_buffer_t, /* message_buffer */
699 gss_buffer_t, /* message_token */
700 gss_qop_t * /* qop_state */
703 OM_uint32 KRB5_CALLCONV krb5_gss_wrap
704 (OM_uint32 *, /* minor_status */
705 gss_ctx_id_t, /* context_handle */
706 int, /* conf_req_flag */
707 gss_qop_t, /* qop_req */
708 gss_buffer_t, /* input_message_buffer */
709 int *, /* conf_state */
710 gss_buffer_t /* output_message_buffer */
713 OM_uint32 KRB5_CALLCONV krb5_gss_wrap_iov
714 (OM_uint32 *, /* minor_status */
715 gss_ctx_id_t, /* context_handle */
716 int, /* conf_req_flag */
717 gss_qop_t, /* qop_req */
718 int *, /* conf_state */
719 gss_iov_buffer_desc *, /* iov */
723 OM_uint32 KRB5_CALLCONV krb5_gss_wrap_iov_length
724 (OM_uint32 *, /* minor_status */
725 gss_ctx_id_t, /* context_handle */
726 int, /* conf_req_flag */
727 gss_qop_t, /* qop_req */
728 int *, /* conf_state */
729 gss_iov_buffer_desc *, /* iov */
733 OM_uint32 KRB5_CALLCONV krb5_gss_unwrap
734 (OM_uint32 *, /* minor_status */
735 gss_ctx_id_t, /* context_handle */
736 gss_buffer_t, /* input_message_buffer */
737 gss_buffer_t, /* output_message_buffer */
738 int *, /* conf_state */
739 gss_qop_t * /* qop_state */
742 OM_uint32 KRB5_CALLCONV krb5_gss_unwrap_iov
743 (OM_uint32 *, /* minor_status */
744 gss_ctx_id_t, /* context_handle */
745 int *, /* conf_state */
746 gss_qop_t *, /* qop_state */
747 gss_iov_buffer_desc *, /* iov */
751 OM_uint32 KRB5_CALLCONV krb5_gss_wrap_size_limit
752 (OM_uint32 *, /* minor_status */
753 gss_ctx_id_t, /* context_handle */
754 int, /* conf_req_flag */
755 gss_qop_t, /* qop_req */
756 OM_uint32, /* req_output_size */
757 OM_uint32 * /* max_input_size */
760 OM_uint32 KRB5_CALLCONV krb5_gss_import_name_object
761 (OM_uint32 *, /* minor_status */
762 void *, /* input_name */
763 gss_OID, /* input_name_type */
764 gss_name_t * /* output_name */
767 OM_uint32 KRB5_CALLCONV krb5_gss_export_name_object
768 (OM_uint32 *, /* minor_status */
769 gss_name_t, /* input_name */
770 gss_OID, /* desired_name_type */
771 void * * /* output_name */
774 OM_uint32 KRB5_CALLCONV krb5_gss_inquire_cred_by_mech
775 (OM_uint32 *, /* minor_status */
776 gss_cred_id_t, /* cred_handle */
777 gss_OID, /* mech_type */
778 gss_name_t *, /* name */
779 OM_uint32 *, /* initiator_lifetime */
780 OM_uint32 *, /* acceptor_lifetime */
781 gss_cred_usage_t * /* cred_usage */
784 OM_uint32 KRB5_CALLCONV krb5_gss_export_sec_context
785 (OM_uint32 *, /* minor_status */
786 gss_ctx_id_t *, /* context_handle */
787 gss_buffer_t /* interprocess_token */
790 OM_uint32 KRB5_CALLCONV krb5_gss_import_sec_context
791 (OM_uint32 *, /* minor_status */
792 gss_buffer_t, /* interprocess_token */
793 gss_ctx_id_t * /* context_handle */
795 #endif /* LEAN_CLIENT */
797 krb5_error_code krb5_gss_ser_init(krb5_context);
799 OM_uint32 krb5_gss_release_oid
800 (OM_uint32 *, /* minor_status */
804 OM_uint32 KRB5_CALLCONV krb5_gss_internal_release_oid
805 (OM_uint32 *, /* minor_status */
809 OM_uint32 KRB5_CALLCONV krb5_gss_inquire_names_for_mech
810 (OM_uint32 *, /* minor_status */
811 gss_OID, /* mechanism */
812 gss_OID_set * /* name_types */
815 OM_uint32 krb5_gss_canonicalize_name
816 (OM_uint32 *, /* minor_status */
817 const gss_name_t, /* input_name */
818 const gss_OID, /* mech_type */
819 gss_name_t * /* output_name */
822 OM_uint32 KRB5_CALLCONV krb5_gss_export_name
823 (OM_uint32 *, /* minor_status */
824 const gss_name_t, /* input_name */
825 gss_buffer_t /* exported_name */
828 OM_uint32 KRB5_CALLCONV krb5_gss_duplicate_name
829 (OM_uint32 *, /* minor_status */
830 const gss_name_t, /* input_name */
831 gss_name_t * /* dest_name */
834 OM_uint32 krb5_gss_validate_cred
835 (OM_uint32 *, /* minor_status */
836 gss_cred_id_t /* cred */
/* Mechanism entry point behind gss_acquire_cred_impersonate_name(); the
 * parameter list mirrors that API.  impersonator_cred_handle supplies the
 * credential doing the impersonating, desired_name the identity to acquire
 * credentials for; time_req/time_rec are lifetimes in seconds per GSS-API
 * convention. */
OM_uint32 KRB5_CALLCONV krb5_gss_acquire_cred_impersonate_name(
    OM_uint32 *, /* minor_status */
    const gss_cred_id_t, /* impersonator_cred_handle */
    const gss_name_t, /* desired_name */
    OM_uint32, /* time_req */
    const gss_OID_set, /* desired_mechs */
    gss_cred_usage_t, /* cred_usage */
    gss_cred_id_t *, /* output_cred_handle */
    gss_OID_set *, /* actual_mechs */
    OM_uint32 *); /* time_rec */
851 krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
852 gss_cred_id_t /* cred_handle */,
853 krb5_context /* context */);
855 gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid);
857 krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
858 krb5_gss_ctx_id_rec *,
859 const gss_buffer_desc *,
863 OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
864 OM_uint32 *minor_status,
865 krb5_gss_ctx_id_rec *ctx,
867 unsigned int bodysize,
868 gss_buffer_t message_buffer,
869 int *conf_state, gss_qop_t *qop_state,
/* Rotate the bufsiz bytes at ptr left by rc bytes, in place (used for the
 * RRC field of RFC 4121 wrap tokens).  The meaning of the int return value is
 * not visible from this declaration — check the definition before relying on
 * it. */
int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
875 #define KG_INIT_NAME_NO_COPY 0x1
878 kg_init_name(krb5_context context, krb5_principal principal,
879 char *service, char *host, krb5_authdata_context ad_context,
880 krb5_flags flags, krb5_gss_name_t *name);
883 kg_release_name(krb5_context context, krb5_gss_name_t *name);
886 kg_duplicate_name(krb5_context context, const krb5_gss_name_t src,
887 krb5_gss_name_t *dst);
890 kg_compare_name(krb5_context context,
891 krb5_gss_name_t name1,
892 krb5_gss_name_t name2);
895 kg_acceptor_princ(krb5_context context, krb5_gss_name_t name,
896 krb5_principal *princ_out);
898 OM_uint32 KRB5_CALLCONV
899 krb5_gss_display_name_ext(OM_uint32 *minor_status,
901 gss_OID display_as_name_type,
902 gss_buffer_t display_name);
904 OM_uint32 KRB5_CALLCONV
905 krb5_gss_inquire_name(OM_uint32 *minor_status,
909 gss_buffer_set_t *attrs);
911 OM_uint32 KRB5_CALLCONV
912 krb5_gss_get_name_attribute(OM_uint32 *minor_status,
918 gss_buffer_t display_value,
921 OM_uint32 KRB5_CALLCONV
922 krb5_gss_set_name_attribute(OM_uint32 *minor_status,
928 OM_uint32 KRB5_CALLCONV
929 krb5_gss_delete_name_attribute(OM_uint32 *minor_status,
933 OM_uint32 KRB5_CALLCONV
934 krb5_gss_export_name_composite(OM_uint32 *minor_status,
936 gss_buffer_t exp_composite_name);
938 OM_uint32 KRB5_CALLCONV
939 krb5_gss_map_name_to_any(OM_uint32 *minor_status,
942 gss_buffer_t type_id,
945 OM_uint32 KRB5_CALLCONV
946 krb5_gss_release_any_name_mapping(OM_uint32 *minor_status,
948 gss_buffer_t type_id,
951 OM_uint32 KRB5_CALLCONV
952 krb5_gss_pseudo_random(OM_uint32 *minor_status,
953 gss_ctx_id_t context,
955 const gss_buffer_t prf_in,
956 ssize_t desired_output_len,
957 gss_buffer_t prf_out);
959 OM_uint32 KRB5_CALLCONV
960 krb5_gss_store_cred(OM_uint32 *minor_status,
961 gss_cred_id_t input_cred_handle,
962 gss_cred_usage_t cred_usage,
963 const gss_OID desired_mech,
964 OM_uint32 overwrite_cred,
965 OM_uint32 default_cred,
966 gss_OID_set *elements_stored,
967 gss_cred_usage_t *cred_usage_stored);
971 kg_compose_deleg_cred(OM_uint32 *minor_status,
972 krb5_gss_cred_id_t impersonator_cred,
973 krb5_creds *subject_creds,
975 krb5_gss_cred_id_t *output_cred,
977 krb5_context context);
980 * These take unglued krb5-mech-specific contexts.
983 #define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11
984 #define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01"
986 OM_uint32 gss_krb5int_get_tkt_flags
987 (OM_uint32 *minor_status,
988 const gss_ctx_id_t context_handle,
989 const gss_OID desired_object,
990 gss_buffer_set_t *data_set);
992 #define GSS_KRB5_COPY_CCACHE_OID_LENGTH 11
993 #define GSS_KRB5_COPY_CCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x02"
995 OM_uint32 gss_krb5int_copy_ccache
996 (OM_uint32 *minor_status,
997 gss_cred_id_t *cred_handle,
998 const gss_OID desired_oid,
999 const gss_buffer_t value);
1001 #define GSS_KRB5_CCACHE_NAME_OID_LENGTH 11
1002 #define GSS_KRB5_CCACHE_NAME_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03"
1004 struct krb5_gss_ccache_name_req {
1006 const char **out_name;
1010 gss_krb5int_ccache_name(OM_uint32 *minor_status, const gss_OID, const gss_OID,
1011 const gss_buffer_t);
1013 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
1014 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
1017 gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
1019 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
1020 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"
1022 struct krb5_gss_set_allowable_enctypes_req {
1023 OM_uint32 num_ktypes;
1024 krb5_enctype *ktypes;
1028 gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
1029 gss_cred_id_t *cred,
1030 const gss_OID desired_oid,
1031 const gss_buffer_t value);
1033 #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11
1034 #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06"
1037 gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
1038 const gss_ctx_id_t context_handle,
1039 const gss_OID desired_object,
1040 gss_buffer_set_t *data_set);
1042 #define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11
1043 #define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07"
1046 gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID,
1047 const gss_OID, gss_buffer_t);
1049 extern k5_mutex_t kg_kdc_flag_mutex;
1050 krb5_error_code krb5_gss_init_context (krb5_context *ctxp);
1052 #define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11
1053 #define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08"
1055 OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID,
1056 const gss_OID, gss_buffer_t);
1058 krb5_error_code krb5_gss_use_kdc_context(void);
1060 #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11
1061 #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09"
1064 gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t);
1066 #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11
1067 #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a"
1070 gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
1071 const gss_ctx_id_t context_handle,
1072 const gss_OID desired_object,
1073 gss_buffer_set_t *ad_data);
1075 #define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11
1076 #define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b"
1079 gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t *, const gss_OID, const gss_buffer_t);
1081 #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
1082 #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
1085 gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
1088 gss_buffer_set_t *);
1090 #define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11
1091 #define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d"
1093 struct krb5_gss_import_cred_req {
1095 krb5_principal keytab_principal;
1100 gss_krb5int_import_cred(OM_uint32 *minor_status,
1101 gss_cred_id_t *cred,
1102 const gss_OID desired_oid,
1103 const gss_buffer_t value);
1105 #ifdef _GSS_STATIC_LINK
1106 int gss_krb5int_lib_init(void);
1107 void gss_krb5int_lib_fini(void);
1108 #endif /* _GSS_STATIC_LINK */
1110 OM_uint32 gss_krb5int_initialize_library(void);
1111 void gss_krb5int_cleanup_library(void);
1113 /* For error message handling. */
1114 /* Returns a shared string, not a private copy! */
1116 krb5_gss_get_error_message(OM_uint32 minor_code);
1118 krb5_gss_save_error_string(OM_uint32 minor_code, char *msg);
1120 krb5_gss_save_error_message(OM_uint32 minor_code, const char *format, ...)
1121 #if !defined(__cplusplus) && (__GNUC__ > 2)
1122 __attribute__((__format__(__printf__, 2, 3)))
1126 krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
1127 #define get_error_message krb5_gss_get_error_message
1128 #define save_error_string krb5_gss_save_error_string
1129 #define save_error_message krb5_gss_save_error_message
1131 /* Error messages aren't needed in the kernel, so reduce dependencies. */
1132 #define save_error_info(x,y)
1134 #define save_error_info krb5_gss_save_error_info
1136 extern void krb5_gss_delete_error_info(void *p);
1138 /* Prefix concatenated with Kerberos encryption type */
1139 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
1140 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
1144 OM_uint32 KRB5_CALLCONV
1145 iakerb_gss_init_sec_context(OM_uint32 *minor_status,
1146 gss_cred_id_t claimant_cred_handle,
1147 gss_ctx_id_t *context_handle,
1148 gss_name_t target_name,
1150 OM_uint32 req_flags,
1152 gss_channel_bindings_t input_chan_bindings,
1153 gss_buffer_t input_token,
1154 gss_OID *actual_mech_type,
1155 gss_buffer_t output_token,
1156 OM_uint32 *ret_flags,
1157 OM_uint32 *time_rec);
1159 OM_uint32 KRB5_CALLCONV
1160 iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
1161 gss_ctx_id_t *context_handler,
1162 gss_cred_id_t verifier_cred_handle,
1163 gss_buffer_t input_token,
1164 gss_channel_bindings_t input_chan_bindings,
1165 gss_name_t *src_name,
1167 gss_buffer_t output_token,
1168 OM_uint32 *ret_flags,
1169 OM_uint32 *time_rec,
1170 gss_cred_id_t *delegated_cred_handle);
1172 OM_uint32 KRB5_CALLCONV
1173 iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
1174 gss_ctx_id_t *context_handle,
1175 gss_buffer_t output_token);
1178 iakerb_make_finished(krb5_context context,
1180 const krb5_data *conv,
1181 krb5_data **finished);
1184 iakerb_verify_finished(krb5_context context,
1186 const krb5_data *conv,
1187 const krb5_data *finished);
1190 * Transfer contents of a krb5_data to a gss_buffer and invalidate the source
1191 * On unix, this is a simple pointer copy
1192 * On windows, memory is reallocated and copied.
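/*
 * Move the contents of *input_k5data into *output_buffer and leave
 * *input_k5data empty.  On Unix the pointer is simply transferred.  On
 * Windows (and in DEBUG_GSSALLOC builds) the bytes are copied into a
 * gssalloc_malloc() allocation and the krb5 allocation is freed, presumably
 * because GSS buffers are released with the gssalloc allocator on those
 * platforms.
 *
 * Returns 0 on success or ENOMEM if the copy could not be allocated.  On
 * ENOMEM the output buffer is left empty (value NULL, length 0) rather than
 * advertising a length it does not have, and the source is still consumed.
 */
static inline krb5_error_code
data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)
{
    krb5_error_code code = 0;

    output_buffer->length = input_k5data->length;
#if defined(_WIN32) || defined(DEBUG_GSSALLOC)
    if (output_buffer->length > 0) {
        output_buffer->value = gssalloc_malloc(output_buffer->length);
        if (output_buffer->value != NULL) {
            memcpy(output_buffer->value, input_k5data->data,
                   output_buffer->length);
        } else {
            /* Never return a non-zero length with a NULL value. */
            output_buffer->length = 0;
            code = ENOMEM;
        }
    } else {
        output_buffer->value = NULL;
    }
    free(input_k5data->data);
#else
    /* Same allocator on both sides: ownership of the bytes moves over. */
    output_buffer->value = input_k5data->data;
#endif
    /* The source no longer owns anything, whichever branch ran above. */
    *input_k5data = empty_data();
    return code;
}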
1217 #define KRB5_GSS_EXTS_IAKERB_FINISHED 1
1219 #endif /* _GSSAPIP_KRB5_H_ */