2 * Copyright 2000 by the Massachusetts Institute of Technology.
5 * Export of this software from the United States of America may
6 * require a specific license from the United States Government.
7 * It is the responsibility of any person or organization contemplating
8 * export to obtain such a license before exporting.
10 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
11 * distribute this software and its documentation for any purpose and
12 * without fee is hereby granted, provided that the above copyright
13 * notice appear in all copies and that both that copyright notice and
14 * this permission notice appear in supporting documentation, and that
15 * the name of M.I.T. not be used in advertising or publicity pertaining
16 * to distribution of the software without specific, written prior
17 * permission. Furthermore if you modify this software you must label
18 * your software as modified software and not distribute it in such a
19 * fashion that it might be confused with the original M.I.T. software.
20 * M.I.T. makes no representations about the suitability of
21 * this software for any purpose. It is provided "as is" without express
22 * or implied warranty.
26 * Copyright 1993 by OpenVision Technologies, Inc.
28 * Permission to use, copy, modify, distribute, and sell this software
29 * and its documentation for any purpose is hereby granted without fee,
30 * provided that the above copyright notice appears in all copies and
31 * that both that copyright notice and this permission notice appear in
32 * supporting documentation, and that the name of OpenVision not be used
33 * in advertising or publicity pertaining to distribution of the software
34 * without specific, written prior permission. OpenVision makes no
35 * representations about the suitability of this software for any
36 * purpose. It is provided "as is" without express or implied warranty.
38 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
39 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
40 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
41 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
42 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
43 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
44 * PERFORMANCE OF THIS SOFTWARE.
47 #ifndef _GSSAPIP_KRB5_H_
48 #define _GSSAPIP_KRB5_H_
56 /* work around sunos braindamage */
64 #include "gssapiP_generic.h"
66 /* The include of gssapi_krb5.h will dtrt with the above #defines in
69 #include "gssapi_krb5.h"
70 #include "gssapi_err_krb5.h"
/*
 * Wire-format constants for the krb5 GSS-API (RFC 1964 "v1") token
 * layouts. Every value in this run is an on-the-wire identifier that the
 * peer also knows; changing one is a protocol change, not a refactor.
 */
/* Checksum type of the AP-REQ authenticator checksum (RFC 1964 1.1.1).
 * That checksum carries the channel-binding hash, the requested GSS
 * flags and, if GSS_C_DELEG_FLAG is set, the forwarded credential. */
74 #define CKSUMTYPE_KG_CB 0x8003
/* Two-byte TOK_ID values that follow the mechanism OID in each token.
 * SIGN/MIC and SEAL/WRAP are deliberate aliases: the GSS-API v2 rename
 * of sign->get_mic and seal->wrap did not touch the wire format. */
76 #define KG_TOK_CTX_AP_REQ 0x0100
77 #define KG_TOK_CTX_AP_REP 0x0200
78 #define KG_TOK_CTX_ERROR 0x0300
79 #define KG_TOK_SIGN_MSG 0x0101
80 #define KG_TOK_SEAL_MSG 0x0201
81 #define KG_TOK_MIC_MSG 0x0101
82 #define KG_TOK_WRAP_MSG 0x0201
83 #define KG_TOK_DEL_CTX 0x0102
/* Flags this mechanism always asserts (integrity, confidentiality) plus
 * the only caller-requested flags it passes through. Anything else in
 * req_flags is dropped silently, so callers must inspect ret_flags rather
 * than assume what they asked for was granted. */
85 #define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \
87 ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
88 GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG)))
/* TOK_IDs for the "KG2" token format. NOTE(review): KG2_TOK_INITIAL
 * shares 0x0101 with KG_TOK_SIGN_MSG/KG_TOK_MIC_MSG, so a TOK_ID alone
 * cannot distinguish a v1 MIC token from a v2 initial token; the token
 * dispatcher has to know which format the context negotiated. This v2
 * layout appears to be a draft that never reached RFC status - confirm
 * whether anything still emits or accepts it before relying on it. */
90 #define KG2_TOK_INITIAL 0x0101
91 #define KG2_TOK_RESPONSE 0x0202
92 #define KG2_TOK_MIC 0x0303
93 #define KG2_TOK_WRAP_INTEG 0x0404
94 #define KG2_TOK_WRAP_PRIV 0x0505
/* Identifier for a per-credential option; its meaning is defined by the
 * .c side that consumes it, not by this header. */
96 #define KRB5_GSS_FOR_CREDS_OPTION 1
/* Flag bits carried in a KG2 response token. */
98 #define KG2_RESP_FLAG_ERROR 0x0001
99 #define KG2_RESP_FLAG_DELEG_OK 0x0002
101 /* These are to be stored in little-endian order, i.e., des-mac is
/* Integrity (MIC) algorithm identifiers carried in the token's SGN_ALG
 * field (RFC 1964 1.2.1.1; the HMAC-MD5 value comes from the Microsoft
 * RC4-HMAC profile, RFC 4757). The DES/MD5 family pairs with single-DES
 * enctypes deprecated by RFC 6649, and HMAC-MD5 with RC4-HMAC deprecated
 * by RFC 8429; an acceptor willing to take these is only as strong as the
 * weakest one it will negotiate. Values are wire constants: never renumber. */
104 SGN_ALG_DES_MAC_MD5 = 0x0000,
105 SGN_ALG_MD2_5 = 0x0001,
106 SGN_ALG_DES_MAC = 0x0002,
/* NOTE(review): no published definition for 0x0003; unless the .c side
 * documents it, an incoming token carrying it should be rejected as
 * unsupported rather than guessed at. */
107 SGN_ALG_3 = 0x0003, /* not published */
108 SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; */
/* Keyed with a DES3 key derived per usage (the "KD" suffix); see the
 * KG_USAGE_* constants below for the usage numbers. */
109 SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
/* Confidentiality algorithm identifiers for the token's SEAL_ALG field.
 * SEAL_ALG_NONE marks an integrity-only token; a peer may send one on a
 * context that also supports encryption, so consumers must look at the
 * conf_state returned by unwrap/unseal, not at the context's capabilities.
 * Same deprecation caveat as the SGN_ALG values: DES (RFC 6649) and
 * RC4 (RFC 8429) remain only for legacy interoperability. */
112 SEAL_ALG_NONE = 0xffff,
113 SEAL_ALG_DES = 0x0000,
/* NOTE(review): no published definition for 0x0001 - treat as unsupported
 * on receipt unless the implementation says otherwise. */
114 SEAL_ALG_1 = 0x0001, /* not published */
115 SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; */
116 SEAL_ALG_DES3KD = 0x0002
/* Key-usage numbers passed as the `usage` argument of kg_encrypt() /
 * kg_decrypt() so that sealing, signing and sequence-number protection
 * each get a distinct derived key. For the derived-key (DES3-KD)
 * algorithms the usage number feeds the key derivation and therefore the
 * bytes on the wire: renumbering breaks interoperability with peers. */
119 #define KG_USAGE_SEAL 22
120 #define KG_USAGE_SIGN 23
121 #define KG_USAGE_SEQ 24
/* Mechanism-specific quality-of-protection values. The low byte selects
 * the integrity algorithm and the high byte the confidentiality algorithm;
 * the two *_MASK members split a gss_qop_t into those halves. A caller
 * that passes an explicit QOP is choosing the algorithm, so only the
 * HMAC_SHA1 / DES3_KD pair should be considered current (see the
 * deprecation notes on the SGN_ALG/SEAL_ALG values above). */
124 GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
125 GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
126 GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
127 GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
128 GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
129 GSS_KRB5_CONF_C_QOP_DES = 0x0100,
130 GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
131 GSS_KRB5_CONF_C_QOP_MASK = 0xff00
134 /** internal types **/
/* Mechanism-private name: the object behind an opaque gss_name_t is a
 * krb5_principal. Handles are registered/validated via kg_*_name below. */
136 typedef krb5_principal krb5_gss_name_t;
/*
 * Mechanism-private credential record behind an opaque gss_cred_id_t.
 * Handles are meant to be registered with kg_save_cred_id() and checked
 * with kg_validate_cred_id() before any field is trusted.
 */
138 typedef struct _krb5_gss_cred_id_rec {
139 /* name/type of credential */
/* GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH; selects which of the
 * keytab / ccache members below are meaningful. */
140 gss_cred_usage_t usage;
/* Owned by this record rather than shared with a gss_name_t wrapper;
 * presumably released together with the record. */
141 krb5_principal princ; /* this is not interned as a gss_name_t */
145 /* keytab (accept) data */
149 /* ccache (init) data */
/* Expiry of the initial ticket behind an initiator credential.
 * NOTE(review): this is presumably what inquire_cred lifetimes and
 * the acceptance of new contexts are derived from - confirm. */
151 krb5_timestamp tgt_expire;
152 } krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
/*
 * Mechanism-private security context behind an opaque gss_ctx_id_t.
 * Everything needed to protect and verify per-message tokens lives here,
 * so treat the whole record as secret: kg_ctx_externalize() presumably
 * serialises it (subkey included) for export_sec_context(), and
 * delete_sec_context should zeroise, not merely free, the key material.
 */
154 typedef struct _krb5_gss_ctx_id_rec {
/* Role of this side; presumably also selects the direction value passed
 * to kg_make_seq_num()/kg_get_seq_num() for sequence-number protection. */
155 int initiate; /* nonzero if initiating, zero if accepting */
/* 16-byte seed produced by kg_make_seed(); how it is consumed is in the
 * .c files, not visible here. */
158 unsigned char seed[16];
/* Principal of the other party to the context. */
160 krb5_principal there;
/* Key used to protect per-message tokens (the AP-REQ/AP-REP subkey or,
 * failing that, the session key). Sensitive: zeroise on teardown. */
161 krb5_keyblock *subkey;
/* Context expiry. NOTE(review): tokens arriving after this should be
 * refused; confirm unseal/verify check it rather than only context_time. */
167 krb5_timestamp endtime;
/* Kerberos flags recorded at establishment (e.g. mutual-auth request). */
168 krb5_flags krb_flags;
169 /* XXX these used to be signed. the old spec is inspecific, and
170 the new spec specifies unsigned. I don't believe that the change
171 affects the wire encoding. */
/* krb5 auth context used for the AP-REQ/AP-REP exchange; presumably also
 * where the library keeps replay-cache and sequence-number state. */
177 krb5_auth_context auth_context;
/* OID of the mechanism actually negotiated, reported as actual_mech_type. */
178 gss_OID_desc *mech_used;
/* Checksum types associated with this context; the element count is
 * kept elsewhere in the record. */
180 krb5_cksumtype *ctypes;
181 } krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
/*
 * Handle bookkeeping on the mechanism-wide validation database kg_vdb.
 * A name/cred/ctx pointer becomes an opaque GSS handle by being registered
 * with kg_save_*; every entry point that receives a handle from an
 * application should run it through kg_validate_* before dereferencing,
 * and kg_delete_* unregisters it on release. The validate step is the
 * only thing standing between a forged, stale or already-freed handle
 * supplied by the caller and a wild dereference inside the mechanism.
 */
187 #define kg_save_name(name) g_save_name(&kg_vdb,name)
188 #define kg_save_cred_id(cred) g_save_cred_id(&kg_vdb,cred)
189 #define kg_save_ctx_id(ctx) g_save_ctx_id(&kg_vdb,ctx)
191 #define kg_validate_name(name) g_validate_name(&kg_vdb,name)
192 #define kg_validate_cred_id(cred) g_validate_cred_id(&kg_vdb,cred)
193 #define kg_validate_ctx_id(ctx) g_validate_ctx_id(&kg_vdb,ctx)
195 #define kg_delete_name(name) g_delete_name(&kg_vdb,name)
196 #define kg_delete_cred_id(cred) g_delete_cred_id(&kg_vdb,cred)
197 #define kg_delete_ctx_id(ctx) g_delete_ctx_id(&kg_vdb,ctx)
199 /** helper functions **/
/* Acquire / release the process default credential (presumably the
 * default ccache); the handle is returned as a gss_cred_id_t. */
201 OM_uint32 kg_get_defcred
202 (OM_uint32 *minor_status,
203 gss_cred_id_t *cred);
205 OM_uint32 kg_release_defcred (OM_uint32 *minor_status);
/* Compute the channel-binding checksum that goes into the 0x8003
 * authenticator checksum. RFC 1964 1.1.1 defines it as an MD5 over the
 * bindings, with 16 zero bytes when no bindings are supplied - so it ties
 * the context to a channel but offers no collision resistance by modern
 * standards. NOTE(review): confirm the implementation matches the RFC's
 * "no bindings" case; the body is not in this header. */
207 krb5_error_code kg_checksum_channel_bindings
208 (krb5_context context, gss_channel_bindings_t cb,
209 krb5_checksum *cksum,
/* Encrypt / decrypt the token's SND_SEQ field (sequence number plus
 * direction marker). Per RFC 1964 1.2.1.2 the field is encrypted under the
 * context key with the token checksum as IV, which is why `cksum` is an
 * argument. Replay and out-of-order detection rest on this value, so
 * kg_get_seq_num must fail closed on anything malformed. */
212 krb5_error_code kg_make_seq_num (krb5_context context,
214 int direction, krb5_ui_4 seqnum, unsigned char *cksum,
217 krb5_error_code kg_get_seq_num (krb5_context context,
219 unsigned char *cksum, unsigned char *buf, int *direction,
/* Fill the 16-byte ctx seed (krb5_gss_ctx_id_rec.seed). */
222 krb5_error_code kg_make_seed (krb5_context context,
224 unsigned char *seed);
/* Confounder size for the key's enctype, and the routine that fills one.
 * A confounder must be fresh and unpredictable per token.
 * NOTE(review): confirm kg_make_confounder draws from the krb5 CSPRNG. */
226 int kg_confounder_size (krb5_context context, krb5_keyblock *key);
228 krb5_error_code kg_make_confounder (krb5_context context,
229 krb5_keyblock *key, unsigned char *buf);
/* Raw encryption with the given key and KG_USAGE_* usage number. `length`
 * is an unsigned int: callers converting from size_t must range-check. */
231 krb5_error_code kg_encrypt (krb5_context context,
232 krb5_keyblock *key, int usage,
236 unsigned int length);
/* Microsoft RC4-HMAC (RFC 4757) encrypt/decrypt: derive a per-message key
 * from longterm_key, ms_usage and kd_data, then run RC4 over input_buf
 * into output_buf (same length as input_len). RC4 in this profile is
 * deprecated by RFC 8429; keep it for legacy interop only.
 * NOTE(review): the return type does not appear on these lines;
 * presumably krb5_error_code - check against the definition. */
238 kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage,
239 const unsigned char *kd_data, size_t kd_data_len,
240 const unsigned char *input_buf, size_t input_len,
241 unsigned char *output_buf);
/* Raw decryption, counterpart of kg_encrypt. It authenticates nothing by
 * itself: in the RFC 1964 format the SGN_ALG checksum is computed over the
 * plaintext, so decryption happens before verification and callers must
 * not act on the output until that checksum has been checked. */
243 krb5_error_code kg_decrypt (krb5_context context,
244 krb5_keyblock *key, int usage,
248 unsigned int length);
/* Shared implementation of seal/wrap: produce a KG_TOK_SEAL_MSG token
 * (or a MIC-only token when confidentiality is not requested). */
250 OM_uint32 kg_seal (krb5_context context,
251 OM_uint32 *minor_status,
252 gss_ctx_id_t context_handle,
255 gss_buffer_t input_message_buffer,
257 gss_buffer_t output_message_buffer,
/* Shared implementation of unseal/unwrap. input_token_buffer is
 * attacker-controlled: every header field, the SGN_ALG/SEAL_ALG values,
 * the checksum length and the padding should be validated against
 * input_token_buffer->length before being used. */
260 OM_uint32 kg_unseal (krb5_context context,
261 OM_uint32 *minor_status,
262 gss_ctx_id_t context_handle,
263 gss_buffer_t input_token_buffer,
264 gss_buffer_t message_buffer,
/* Largest plaintext that fits in an output token of output_size bytes.
 * Both sizes are OM_uint32; the implementation must not underflow when
 * output_size is smaller than the fixed token overhead. */
269 OM_uint32 kg_seal_size (krb5_context context,
270 OM_uint32 *minor_status,
271 gss_ctx_id_t context_handle,
274 OM_uint32 output_size,
275 OM_uint32 *input_size);
/* Context serialisation for export/import_sec_context. The serialised
 * form carries the context's key material, so the interprocess token must
 * be protected in transit by the caller (RFC 2743 2.2.4), and
 * kg_ctx_internalize should treat its input as untrusted and bounds-check
 * every field. Remaining parameters are on the lines that follow in the
 * full header. */
277 krb5_error_code kg_ctx_size (krb5_context kcontext,
281 krb5_error_code kg_ctx_externalize (krb5_context kcontext,
286 krb5_error_code kg_ctx_internalize (krb5_context kcontext,
/* Obtain the mechanism's krb5_context (presumably created on first use). */
291 OM_uint32 kg_get_context (OM_uint32 *minor_status,
292 krb5_context *context);
294 /** declarations of internal name mechanism functions **/
/*
 * GSS-API entry points implemented by the krb5 mechanism. Parameter
 * semantics follow RFC 2743; mechanism-specific caveats are noted inline.
 */
/* Acquire credentials for desired_name: a ccache for GSS_C_INITIATE, a
 * keytab for GSS_C_ACCEPT. time_rec reports the usable lifetime; an
 * initiator credential still silently stops working once the underlying
 * ticket (tgt_expire) lapses. */
296 OM_uint32 krb5_gss_acquire_cred
297 (OM_uint32*, /* minor_status */
298 gss_name_t, /* desired_name */
299 OM_uint32, /* time_req */
300 gss_OID_set, /* desired_mechs */
301 gss_cred_usage_t, /* cred_usage */
302 gss_cred_id_t*, /* output_cred_handle */
303 gss_OID_set*, /* actual_mechs */
304 OM_uint32* /* time_rec */
/* Release a credential and unregister its handle (kg_delete_cred_id). */
307 OM_uint32 krb5_gss_release_cred
308 (OM_uint32*, /* minor_status */
309 gss_cred_id_t* /* cred_handle */
/* Initiator side of context establishment: emits the AP-REQ context token
 * and, when mutual authentication was requested, consumes the AP-REP on
 * the second call. req_flags is presumably filtered through
 * KG_IMPLFLAGS(), so the caller must read ret_flags to learn which of
 * GSS_C_MUTUAL_FLAG / GSS_C_DELEG_FLAG / replay / sequence protection
 * were actually granted. input_chan_bindings are bound into the 0x8003
 * authenticator checksum. */
312 OM_uint32 krb5_gss_init_sec_context
313 (OM_uint32*, /* minor_status */
314 gss_cred_id_t, /* claimant_cred_handle */
315 gss_ctx_id_t*, /* context_handle */
316 gss_name_t, /* target_name */
317 gss_OID, /* mech_type */
318 OM_uint32, /* req_flags */
319 OM_uint32, /* time_req */
320 gss_channel_bindings_t,
321 /* input_chan_bindings */
322 gss_buffer_t, /* input_token */
323 gss_OID*, /* actual_mech_type */
324 gss_buffer_t, /* output_token */
325 OM_uint32*, /* ret_flags */
326 OM_uint32* /* time_rec */
/* Acceptor side: verifies the AP-REQ in input_token_buffer against
 * verifier_cred_handle's keytab and emits the AP-REP if mutual auth was
 * requested. src_name is the authenticated initiator - make authorization
 * decisions on it, never on names inside the application payload. Per
 * RFC 2743 a bindings mismatch must fail with GSS_S_BAD_BINDINGS, while
 * passing GSS_C_NO_CHANNEL_BINDINGS skips the comparison entirely.
 * delegated_cred_handle receives forwarded credentials when the initiator
 * delegated; release it even if it is not going to be used. */
329 OM_uint32 krb5_gss_accept_sec_context
330 (OM_uint32*, /* minor_status */
331 gss_ctx_id_t*, /* context_handle */
332 gss_cred_id_t, /* verifier_cred_handle */
333 gss_buffer_t, /* input_token_buffer */
334 gss_channel_bindings_t,
335 /* input_chan_bindings */
336 gss_name_t*, /* src_name */
337 gss_OID*, /* mech_type */
338 gss_buffer_t, /* output_token */
339 OM_uint32*, /* ret_flags */
340 OM_uint32*, /* time_rec */
341 gss_cred_id_t* /* delegated_cred_handle */
/* Process a context token from the peer (KG_TOK_DEL_CTX). token_buffer is
 * untrusted input and must be length-checked like any other token. */
344 OM_uint32 krb5_gss_process_context_token
345 (OM_uint32*, /* minor_status */
346 gss_ctx_id_t, /* context_handle */
347 gss_buffer_t /* token_buffer */
/* Tear down a context, optionally producing a deletion token.
 * NOTE(review): subkey and seed hold key material and should be zeroised
 * on this path, not only freed. */
350 OM_uint32 krb5_gss_delete_sec_context
351 (OM_uint32*, /* minor_status */
352 gss_ctx_id_t*, /* context_handle */
353 gss_buffer_t /* output_token */
/* Remaining context lifetime, presumably computed from ctx endtime. */
356 OM_uint32 krb5_gss_context_time
357 (OM_uint32*, /* minor_status */
358 gss_ctx_id_t, /* context_handle */
359 OM_uint32* /* time_rec */
/*
 * GSS-API v1 per-message calls (sign/verify/seal/unseal). They share their
 * implementation with the v2 get_mic/verify_mic/wrap/unwrap entry points
 * and produce the same tokens; the v1 qop argument (an int) sits on lines
 * that follow in the full header.
 */
/* Produce a KG_TOK_SIGN_MSG token over message_buffer. */
362 OM_uint32 krb5_gss_sign
363 (OM_uint32*, /* minor_status */
364 gss_ctx_id_t, /* context_handle */
366 gss_buffer_t, /* message_buffer */
367 gss_buffer_t /* message_token */
/* Verify a MIC token against message_buffer. A failure is a security
 * event, not a parse error: the message must not be used. */
370 OM_uint32 krb5_gss_verify
371 (OM_uint32*, /* minor_status */
372 gss_ctx_id_t, /* context_handle */
373 gss_buffer_t, /* message_buffer */
374 gss_buffer_t, /* token_buffer */
/* Wrap a message; conf_req_flag asks for encryption and conf_state reports
 * whether it was actually applied. */
378 OM_uint32 krb5_gss_seal
379 (OM_uint32*, /* minor_status */
380 gss_ctx_id_t, /* context_handle */
381 int, /* conf_req_flag */
383 gss_buffer_t, /* input_message_buffer */
384 int*, /* conf_state */
385 gss_buffer_t /* output_message_buffer */
/* Unwrap a token from the peer. conf_state says whether the token was
 * encrypted; a peer can legitimately send an integrity-only
 * (SEAL_ALG_NONE) token on a context that supports encryption, so any
 * caller that requires confidentiality must check conf_state itself. */
388 OM_uint32 krb5_gss_unseal
389 (OM_uint32*, /* minor_status */
390 gss_ctx_id_t, /* context_handle */
391 gss_buffer_t, /* input_message_buffer */
392 gss_buffer_t, /* output_message_buffer */
393 int*, /* conf_state */
/* Translate a major/minor status code into a text message. The text is
 * for diagnostics only; callers should not feed minor-status strings to
 * untrusted clients verbatim, as they can reveal realm/keytab details. */
397 OM_uint32 krb5_gss_display_status
398 (OM_uint32*, /* minor_status */
399 OM_uint32, /* status_value */
400 int, /* status_type */
401 gss_OID, /* mech_type */
402 OM_uint32*, /* message_context */
403 gss_buffer_t /* status_string */
/* Report the mechanism OID(s) this implementation supports. */
406 OM_uint32 krb5_gss_indicate_mechs
407 (OM_uint32*, /* minor_status */
408 gss_OID_set* /* mech_set */
/* Compare two names as principals. Use this (or exported names) for
 * equality; display strings are not a reliable comparison key. */
411 OM_uint32 krb5_gss_compare_name
412 (OM_uint32*, /* minor_status */
413 gss_name_t, /* name1 */
414 gss_name_t, /* name2 */
415 int* /* name_equal */
/* Human-readable form of a name (presumably via krb5_unparse_name, which
 * quotes special characters). Intended for display and logging. */
418 OM_uint32 krb5_gss_display_name
419 (OM_uint32*, /* minor_status */
420 gss_name_t, /* input_name */
421 gss_buffer_t, /* output_name_buffer */
422 gss_OID* /* output_name_type */
/* Parse caller-supplied bytes into a principal; the name-type OID selects
 * the parser. The input is untrusted (it frequently originates from a
 * peer or configuration). NOTE(review): host-based service names may be
 * canonicalised through DNS depending on configuration, which is a
 * well-known spoofing concern - confirm how this build handles it. */
425 OM_uint32 krb5_gss_import_name
426 (OM_uint32*, /* minor_status */
427 gss_buffer_t, /* input_name_buffer */
428 gss_OID, /* input_name_type */
429 gss_name_t* /* output_name */
/* Free a name and unregister its handle (kg_delete_name). */
432 OM_uint32 krb5_gss_release_name
433 (OM_uint32*, /* minor_status */
434 gss_name_t* /* input_name */
/* Report the principal, remaining lifetime, usage and mechanisms of a
 * credential. */
437 OM_uint32 krb5_gss_inquire_cred
438 (OM_uint32 *, /* minor_status */
439 gss_cred_id_t, /* cred_handle */
440 gss_name_t *, /* name */
441 OM_uint32 *, /* lifetime */
442 gss_cred_usage_t*,/* cred_usage */
443 gss_OID_set * /* mechanisms */
/* Report both principals, lifetime, mechanism and granted flags of an
 * established context. ret_flags here is the authoritative answer to
 * "what protection does this context actually provide". The trailing
 * `open` parameter is on a line that follows in the full header. */
446 OM_uint32 krb5_gss_inquire_context
447 (OM_uint32*, /* minor_status */
448 gss_ctx_id_t, /* context_handle */
449 gss_name_t*, /* initiator_name */
450 gss_name_t*, /* acceptor_name */
451 OM_uint32*, /* lifetime_rec */
452 gss_OID*, /* mech_type */
453 OM_uint32*, /* ret_flags */
454 int*, /* locally_initiated */
458 /* New V2 entry points */
/* Produce a MIC token (KG_TOK_MIC_MSG) over message_buffer with the
 * requested QOP (GSS_C_QOP_DEFAULT or a GSS_KRB5_*_QOP_* value). */
459 OM_uint32 krb5_gss_get_mic
460 (OM_uint32 *, /* minor_status */
461 gss_ctx_id_t, /* context_handle */
462 gss_qop_t, /* qop_req */
463 gss_buffer_t, /* message_buffer */
464 gss_buffer_t /* message_token */
/* Verify a MIC token. qop_state reports the algorithm the peer actually
 * used; a caller with a minimum-strength policy must check it, since the
 * SGN_ALG in the token is chosen by the sender. */
467 OM_uint32 krb5_gss_verify_mic
468 (OM_uint32 *, /* minor_status */
469 gss_ctx_id_t, /* context_handle */
470 gss_buffer_t, /* message_buffer */
471 gss_buffer_t, /* message_token */
472 gss_qop_t * /* qop_state */
/* Wrap a message (KG_TOK_WRAP_MSG). conf_req_flag requests encryption;
 * conf_state reports whether it was applied. */
475 OM_uint32 krb5_gss_wrap
476 (OM_uint32 *, /* minor_status */
477 gss_ctx_id_t, /* context_handle */
478 int, /* conf_req_flag */
479 gss_qop_t, /* qop_req */
480 gss_buffer_t, /* input_message_buffer */
481 int *, /* conf_state */
482 gss_buffer_t /* output_message_buffer */
/* Unwrap a token. Both conf_state and qop_state describe what the peer
 * chose (SEAL_ALG_NONE yields conf_state == 0), so callers that require
 * confidentiality or a minimum QOP must check them rather than trust the
 * context's negotiated capabilities. */
485 OM_uint32 krb5_gss_unwrap
486 (OM_uint32 *, /* minor_status */
487 gss_ctx_id_t, /* context_handle */
488 gss_buffer_t, /* input_message_buffer */
489 gss_buffer_t, /* output_message_buffer */
490 int *, /* conf_state */
491 gss_qop_t * /* qop_state */
/* Largest plaintext that wrap() can fit into req_output_size bytes;
 * backed by kg_seal_size(). */
494 OM_uint32 krb5_gss_wrap_size_limit
495 (OM_uint32 *, /* minor_status */
496 gss_ctx_id_t, /* context_handle */
497 int, /* conf_req_flag */
498 gss_qop_t, /* qop_req */
499 OM_uint32, /* req_output_size */
500 OM_uint32 * /* max_input_size */
/* Move a native name object across the API boundary. The void* carries a
 * krb5_principal with no type check, so these are only for in-process
 * callers that already know the mechanism; never feed them data that
 * came over a socket. */
503 OM_uint32 krb5_gss_import_name_object
504 (OM_uint32 *, /* minor_status */
505 void *, /* input_name */
506 gss_OID, /* input_name_type */
507 gss_name_t * /* output_name */
510 OM_uint32 krb5_gss_export_name_object
511 (OM_uint32 *, /* minor_status */
512 gss_name_t, /* input_name */
513 gss_OID, /* desired_name_type */
514 void * * /* output_name */
/* Add a mechanism-specific credential element to an existing credential
 * (RFC 2743 2.1.4); lifetimes are reported per usage. */
517 OM_uint32 krb5_gss_add_cred
518 (OM_uint32 *, /* minor_status */
519 gss_cred_id_t, /* input_cred_handle */
520 gss_name_t, /* desired_name */
521 gss_OID, /* desired_mech */
522 gss_cred_usage_t, /* cred_usage */
523 OM_uint32, /* initiator_time_req */
524 OM_uint32, /* acceptor_time_req */
525 gss_cred_id_t *, /* output_cred_handle */
526 gss_OID_set *, /* actual_mechs */
527 OM_uint32 *, /* initiator_time_rec */
528 OM_uint32 * /* acceptor_time_rec */
/* Per-mechanism variant of inquire_cred. */
531 OM_uint32 krb5_gss_inquire_cred_by_mech
532 (OM_uint32 *, /* minor_status */
533 gss_cred_id_t, /* cred_handle */
534 gss_OID, /* mech_type */
535 gss_name_t *, /* name */
536 OM_uint32 *, /* initiator_lifetime */
537 OM_uint32 *, /* acceptor_lifetime */
538 gss_cred_usage_t * /* cred_usage */
/* Serialise a context into interprocess_token (via kg_ctx_externalize)
 * and invalidate the local handle. The token contains the context's key
 * material and is not protected by GSS itself: RFC 2743 2.2.4 makes the
 * caller responsible for keeping it confidential and intact in transit. */
541 OM_uint32 krb5_gss_export_sec_context
542 (OM_uint32 *, /* minor_status */
543 gss_ctx_id_t *, /* context_handle */
544 gss_buffer_t /* interprocess_token */
/* Rebuild a context from an interprocess token. The token must be treated
 * as untrusted input: whoever supplies it dictates the peer name, flags
 * and key of the resulting context, so accept tokens only from a source
 * at least as trusted as the importing process. */
547 OM_uint32 krb5_gss_import_sec_context
548 (OM_uint32 *, /* minor_status */
549 gss_buffer_t, /* interprocess_token */
550 gss_ctx_id_t * /* context_handle */
/* Release an OID; the oid parameter is on a line that follows in the
 * full header. */
553 OM_uint32 krb5_gss_release_oid
554 (OM_uint32 *, /* minor_status */
/* Name types this mechanism can import. */
558 OM_uint32 krb5_gss_inquire_names_for_mech
559 (OM_uint32 *, /* minor_status */
560 gss_OID, /* mechanism */
561 gss_OID_set * /* name_types */
/* Produce the mechanism-name (MN) form of a name for this mechanism. */
564 OM_uint32 krb5_gss_canonicalize_name
565 (OM_uint32 *, /* minor_status */
566 const gss_name_t, /* input_name */
567 const gss_OID, /* mech_type */
568 gss_name_t * /* output_name */
/* RFC 2743 3.2 exported name token (mech OID + principal). This is the
 * stable, comparable form to use in ACLs and audit records, in preference
 * to display strings. */
571 OM_uint32 krb5_gss_export_name
572 (OM_uint32 *, /* minor_status */
573 const gss_name_t, /* input_name */
574 gss_buffer_t /* exported_name */
/* Deep-copy a name into a fresh handle. */
577 OM_uint32 krb5_gss_duplicate_name
578 (OM_uint32 *, /* minor_status */
579 const gss_name_t, /* input_name */
580 gss_name_t * /* dest_name */
/* Check that a credential handle is registered and still usable;
 * presumably wraps kg_validate_cred_id() plus expiry checks. */
583 OM_uint32 krb5_gss_validate_cred
584 (OM_uint32 *, /* minor_status */
585 gss_cred_id_t /* cred */
/* Map a caller-supplied OID onto the mechanism's static OID object so that
 * pointer comparison works; its parameter list follows in the full header. */
588 gss_OID krb5_gss_convert_static_mech_oid
592 #endif /* _GSSAPIP_KRB5_H_ */