1 /* |
|
2 * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved |
|
3 */ |
|
4 /* |
|
5 * This file is a local copy of: |
|
6 * ON:usr/src/uts/common/gssapi/mechs/krb5/include/gssapi_krb5.h |
|
7 * which is not published as the public API in /usr/include/gssapi/ |
|
8 * It is extended with a gss_krb5_import_cred() entry needed for the
9 * Samba 4 build.
|
10 */ |
|
11 /* |
|
12 * Copyright 1993 by OpenVision Technologies, Inc. |
|
13 * |
|
14 * Permission to use, copy, modify, distribute, and sell this software |
|
15 * and its documentation for any purpose is hereby granted without fee, |
|
16 * provided that the above copyright notice appears in all copies and |
|
17 * that both that copyright notice and this permission notice appear in |
|
18 * supporting documentation, and that the name of OpenVision not be used |
|
19 * in advertising or publicity pertaining to distribution of the software |
|
20 * without specific, written prior permission. OpenVision makes no |
|
21 * representations about the suitability of this software for any |
|
22 * purpose. It is provided "as is" without express or implied warranty. |
|
23 * |
|
24 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, |
|
25 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO |
|
26 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR |
|
27 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF |
|
28 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR |
|
29 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
|
30 * PERFORMANCE OF THIS SOFTWARE. |
|
31 */ |
|
32 |
|
33 #ifndef _GSSAPI_KRB5_H_ |
|
34 #define _GSSAPI_KRB5_H_ |
|
35 |
|
36 #include <gssapi/gssapi.h> |
|
37 #include <gssapi/gssapi_ext.h> |
|
38 #include <krb5.h> |
|
39 |
|
40 /* SUNW15resync */ |
|
41 #ifndef GSS_DLLIMP |
|
42 #define GSS_DLLIMP |
|
43 #endif |
|
44 |
|
45 /* C++ friendliness */
|
46 #ifdef __cplusplus |
|
47 extern "C" { |
|
48 #endif /* __cplusplus */ |
|
49 |
|
50 /* Reserved static storage for GSS_oids. See RFC 1964 for more details. */
|
51 |
|
52 /* 2.1.1. Kerberos Principal Name Form: */ |
|
53 GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME; |
|
54 /* This name form shall be represented by the Object Identifier {iso(1) |
|
55 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) |
|
56 * krb5(2) krb5_name(1)}. The recommended symbolic name for this type |
|
57 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */ |
|
58 |
|
59 /* 2.1.2. Host-Based Service Name Form */ |
|
60 #define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE |
|
61 /* This name form shall be represented by the Object Identifier {iso(1) |
|
62 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) |
|
63 * generic(1) service_name(4)}. The previously recommended symbolic |
|
64 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The |
|
65 * currently preferred symbolic name for this type is |
|
66 * "GSS_C_NT_HOSTBASED_SERVICE". */ |
|
67 |
|
68 /* 2.2.1. User Name Form */ |
|
69 #define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME |
|
70 /* This name form shall be represented by the Object Identifier {iso(1) |
|
71 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) |
|
72 * generic(1) user_name(1)}. The recommended symbolic name for this |
|
73 * type is "GSS_KRB5_NT_USER_NAME". */ |
|
74 |
|
75 /* 2.2.2. Machine UID Form */ |
|
76 #define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME |
|
77 /* This name form shall be represented by the Object Identifier {iso(1) |
|
78 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) |
|
79 * generic(1) machine_uid_name(2)}. The recommended symbolic name for |
|
80 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */ |
|
81 |
|
82 /* 2.2.3. String UID Form */ |
|
83 #define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME |
|
84 /* This name form shall be represented by the Object Identifier {iso(1) |
|
85 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) |
|
86 * generic(1) string_uid_name(3)}. The recommended symbolic name for |
|
87 * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ |
|
88 |
|
89 GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5; |
|
90 GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old; |
|
91 GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong; |
|
92 GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5; |
|
93 GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old; |
|
94 GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both; |
|
95 |
|
96 GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name; |
|
97 GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal; |
|
98 |
|
99 GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[]; |
|
100 |
|
101 #define gss_krb5_nt_general_name gss_nt_krb5_name |
|
102 #define gss_krb5_nt_principal gss_nt_krb5_principal |
|
103 #define gss_krb5_nt_service_name gss_nt_service_name |
|
104 #define gss_krb5_nt_user_name gss_nt_user_name |
|
105 #define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name |
|
106 #define gss_krb5_nt_string_uid_name gss_nt_string_uid_name |
|
107 |
|
108 |
|
/*
 * 64-bit unsigned type used for the lucid-context sequence numbers below.
 * On Windows the compiler-specific __int64 is used (since <inttypes.h> may
 * not be available there); in the kernel the fixed-width types come from
 * <sys/inttypes.h>, elsewhere from the standard <inttypes.h>.
 */
#if defined(_WIN32)
typedef unsigned __int64 gss_uint64;
#else /*windows*/

#ifdef _KERNEL
#include <sys/inttypes.h>
#else /* _KERNEL */
#include <inttypes.h>
#endif /* _KERNEL */

typedef uint64_t gss_uint64;
#endif
|
121 |
|
122 |
|
/*
 * A raw Kerberos key as exposed by the lucid (non-opaque) context export.
 *
 * NOTE(review): 'data' is unencrypted key material.  Treat the structure as
 * read-only and release it only through gss_krb5_free_lucid_sec_context();
 * whether that call wipes the key bytes before freeing them is not visible
 * from this header, so any copy a consumer makes of the key must be
 * zeroized by the consumer itself.
 */
typedef struct gss_krb5_lucid_key {
    OM_uint32 type;     /* key encryption type (presumably a krb5_enctype value) */
    OM_uint32 length;   /* length of key data, in bytes */
    void * data;        /* actual key data, 'length' bytes */
} gss_krb5_lucid_key_t;
|
128 |
|
/*
 * Key data for a context that negotiated the RFC 1964 token formats
 * (gss_krb5_lucid_context_v1_t.protocol == 0).
 */
typedef struct gss_krb5_rfc1964_keydata {
    OM_uint32 sign_alg;     /* signing algorithm (the SGN_ALG identifier of RFC 1964) */
    OM_uint32 seal_alg;     /* seal/encrypt algorithm (the SEAL_ALG identifier of RFC 1964) */
    gss_krb5_lucid_key_t ctx_key;
                            /* Context key
                               (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
|
136 |
|
/*
 * Key data for a context that negotiated the CFX token formats
 * (gss_krb5_lucid_context_v1_t.protocol == 1).
 */
typedef struct gss_krb5_cfx_keydata {
    OM_uint32 have_acceptor_subkey;
                            /* 1 if there is an acceptor_subkey
                               present, 0 otherwise */
    gss_krb5_lucid_key_t ctx_key;
                            /* Context key
                               (Kerberos session key or subkey) */
    gss_krb5_lucid_key_t acceptor_subkey;
                            /* acceptor-asserted subkey or
                               0's if no acceptor subkey.
                               Consumers must test have_acceptor_subkey
                               before reading this field.  When it is
                               set, CFX per-message tokens are expected
                               to be keyed from the acceptor subkey
                               (RFC 4121 semantics - confirm against the
                               implementation). */
} gss_krb5_cfx_keydata_t;
|
148 |
|
/*
 * Version 1 of the lucid (non-opaque) security context returned by
 * gss_krb5_export_lucid_sec_context().  It exposes the negotiated keys and
 * the sequence-number state so that a consumer can perform per-message
 * protection itself.
 *
 * NOTE(review): everything in here is security-critical state.  The key
 * fields are plaintext key material; send_seq/recv_seq are the
 * replay/ordering state, which a consumer that continues the context
 * presumably has to advance itself; and endtime must be honoured by the
 * consumer, because the GSS implementation no longer polices the context
 * once it has been exported (the original handle must not be used again).
 */
typedef struct gss_krb5_lucid_context_v1 {
    OM_uint32 version;      /* Structure version number (1)
                               MUST be at beginning of struct!
                               (gss_krb5_lucid_context_version_t relies on
                               this to read the version of any lucid
                               context before choosing a layout.) */
    OM_uint32 initiate;     /* Are we the initiator? */
    OM_uint32 endtime;      /* expiration time of context
                               (32-bit value; presumably seconds since the
                               epoch, as a krb5_timestamp - confirm) */
    gss_uint64 send_seq;    /* sender sequence number */
    gss_uint64 recv_seq;    /* receive sequence number */
    OM_uint32 protocol;     /* 0: rfc1964,
                               1: draft-ietf-krb-wg-gssapi-cfx-07
                               (the draft that became RFC 4121) */
    /*
     * if (protocol == 0) rfc1964_kd should be used
     *    and cfx_kd contents are invalid and should be zero
     * if (protocol == 1) cfx_kd should be used
     *    and rfc1964_kd contents are invalid and should be zero
     * Consumers must dispatch on 'protocol', never read the other
     * keydata member, and reject any value other than 0 or 1.
     */
    gss_krb5_rfc1964_keydata_t rfc1964_kd;
    gss_krb5_cfx_keydata_t cfx_kd;
} gss_krb5_lucid_context_v1_t;
|
167 |
|
/*
 * Mask (prefix) structure for determining the returned structure version.
 * gss_krb5_lucid_context_v1_t places its OM_uint32 version field first, and
 * any later version must do the same, so a pointer to an exported context
 * of unknown version can be cast to this type to read the version before
 * choosing the full structure to cast to.
 * See example below for usage.
 */
typedef struct gss_krb5_lucid_context_version {
    OM_uint32 version;      /* Structure version number */
} gss_krb5_lucid_context_version_t;
|
175 |
|
176 |
|
177 |
|
178 |
|
/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Registers the keytab (given by name) from which acceptor credentials are
 * taken.  There is no credential handle in the signature, so this is
 * process-wide state for the mechanism and presumably affects every
 * acceptor credential acquired afterwards.
 *
 * NOTE(review): the keytab holds long-term service keys.  The name must
 * come from trusted configuration, never from a peer or an unprivileged
 * local user.  Whether the implementation copies the string or keeps the
 * caller's pointer is not visible here - confirm before passing a
 * transient buffer.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
|
183 |
|
/*
 * Copies the Kerberos credentials held by cred_handle into out_ccache.
 *
 * NOTE(review): the destination cache receives the caller's tickets (and
 * the session keys inside them).  It must be a cache the caller owns and
 * that is protected from other local users.  Ownership of out_ccache
 * presumably stays with the caller - confirm against the implementation.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
    (OM_uint32 *minor_status,
     gss_cred_id_t cred_handle,
     krb5_ccache out_ccache);
|
188 |
|
/*
 * Selects the credential cache the mechanism uses, by krb5 ccache name
 * (e.g. "FILE:/path").  If out_name is non-NULL it presumably receives the
 * previously effective name - TODO confirm who owns that string and how
 * long it stays valid before storing it.
 *
 * NOTE(review): there is no credential handle in the signature, so this is
 * process-wide state.  'name' decides which tickets later operations will
 * use and must not be attacker-influenced.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
    (OM_uint32 *minor_status, const char *name,
     const char **out_name);
|
192 |
|
/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred(). It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * 'ktypes' points to 'num_ktypes' krb5_enctype values.  It is only read,
 * and the caller presumably keeps ownership of the array - confirm.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * NOTE(review): this is a deliberate downgrade knob.  Listing weak or
 * deprecated enctypes (single-DES, RC4) here weakens every key the lucid
 * consumer later relies on; restrict the array to the strongest enctypes
 * the consumer actually implements.  How an empty array or a NULL
 * 'ktypes' is treated is not specified here.
 *
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
                                gss_cred_id_t cred,
                                OM_uint32 num_ktypes,
                                krb5_enctype *ktypes);
|
221 |
|
/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call. The GSS implementation is free to release any
 * resources associated with the original context. It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data. The caller should treat the returned
 * lucid context as read-only.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
 *
 * 'version' is an integer indicating the highest version of lucid
 * context understood by the caller. The highest version
 * understood by both the caller and the GSS implementation must
 * be returned. The caller can determine which version of the
 * structure was actually returned by examining the version field
 * of the returned structure. gss_krb5_lucid_context_version_t
 * may be used as a mask to examine the returned structure version.
 *
 * If there are no common versions, an error should be returned.
 * (XXX Need error definition(s))
 *
 * NOTE(review): the structure behind *kctx holds the session key and any
 * subkey in plaintext, together with the sequence-number state.  From
 * this point on the caller, not the GSS library, is responsible for
 * keeping that material confidential, for honouring endtime, and for
 * maintaining replay/ordering state.  Because the original context is
 * consumed, it must not be passed to gss_delete_sec_context() afterwards
 * either (presumably the handle is reset to GSS_C_NO_CONTEXT - confirm).
 * Always switch on the returned version and reject unknown values rather
 * than assuming the v1 layout.
 *
 * For example:
 *      void *return_ctx;
 *      gss_krb5_lucid_context_v1_t *ctx;
 *      OM_uint32 min_stat, maj_stat;
 *      OM_uint32 vers;
 *      gss_ctx_id_t *ctx_handle;   // points at an established context
 *
 *      maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *              ctx_handle, 1, &return_ctx);
 *      // Verify success
 *
 *      vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
 *      switch (vers) {
 *      case 1:
 *              ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 *              break;
 *      default:
 *              // Error, unknown version returned
 *              break;
 *      }
 *
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
                                  gss_ctx_id_t *context_handle,
                                  OM_uint32 version,
                                  void **kctx);
|
275 |
|
/*
 * Frees the allocated storage associated with an
 * exported struct gss_krb5_lucid_context.
 * 'kctx' is the pointer returned through gss_krb5_export_lucid_sec_context();
 * the implementation presumably reads the leading version field to know
 * which layout it is releasing.
 *
 * NOTE(review): whether the key material is zeroized before the storage
 * is released is not visible from this header - confirm.  Consumers that
 * copied keys out of the structure must wipe their own copies regardless.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
                                void *kctx);
|
283 |
|
284 |
|
/*
 * Extracts the authorization-data element(s) of type 'ad_type' associated
 * with an established context into 'ad_data' (presumably from the ticket's
 * authorization data; the gsskrb5_ prefix suggests a Heimdal-compatible
 * interface).
 *
 * NOTE(review): treat the returned bytes as untrusted input and parse them
 * defensively.  This interface does not say whether the element was issued
 * by the KDC (e.g. inside AD-KDC-ISSUED or a signed PAC) or supplied by the
 * client in its own request, so do not derive authorization decisions from
 * it without establishing that - confirm against the implementation.
 * 'ad_data' is presumably released with gss_release_buffer().
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                            int ad_type,
                                            gss_buffer_t ad_data);
|
290 |
|
/*
 * Associates the replay cache 'rcache' with the credential 'cred', so that
 * authenticators accepted with that credential are presumably checked for
 * replays against it.
 *
 * NOTE(review): the replay cache is the only defence against an attacker
 * re-submitting a captured AP-REQ within its clock-skew window.  Whether
 * ownership of 'rcache' transfers to the credential, and what a NULL rcache
 * means (disabling replay detection?), is not specified here - confirm
 * before use.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
                         gss_cred_id_t cred,
                         krb5_rcache rcache);
|
295 |
|
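/*
 * Returns, through the krb5_timestamp out-parameter, the authtime
 * associated with an established context (presumably the authtime of the
 * ticket used to set it up, i.e. when the client originally authenticated
 * to the KDC - confirm against the implementation).
 *
 * NOTE(review): authtime is not an expiry.  Use the context lifetime
 * (gss_inquire_context(), or endtime in an exported lucid context) for
 * validity checks, not this value.
 *
 * Parameter names are given here so callers can see what each argument is;
 * the original declaration had none.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *minor_status,
                                          gss_ctx_id_t context_handle,
                                          krb5_timestamp *authtime);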
|
298 |
|
/*
 * gss_krb5_import_cred contains bare minimum functionality to make Samba 4
 * work. It does not conform to API MIT Kerberos v5 1.9(+) specification.
 *
 * Builds a GSS-API credential handle directly from Kerberos objects: 'id'
 * supplies initiator credentials (tickets), 'keytab' supplies acceptor
 * long-term keys, and 'keytab_principal' presumably selects which
 * principal in the keytab to act as.  The new credential is returned
 * through 'cred'.
 *
 * NOTE(review): which arguments may be NULL, and whether the credential
 * keeps a reference to 'id' / 'keytab' (so the caller must not close them
 * while the credential is live), is not specified here - confirm against
 * the implementation.  Since this deliberately deviates from the MIT API,
 * do not assume MIT's documented semantics for those cases.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_import_cred(OM_uint32 *minor_status,
                     krb5_ccache id,
                     krb5_principal keytab_principal,
                     krb5_keytab keytab,
                     gss_cred_id_t *cred);
|
309 |
|
310 |
|
311 #ifdef __cplusplus |
|
312 } |
|
313 #endif /* __cplusplus */ |
|
314 |
|
315 #endif /* _GSSAPI_KRB5_H_ */ |
|