xref: /illumos-gate/usr/src/lib/gss_mechs/mech_spnego/mech/gssapiP_spnego.h (revision 2b24ab6b3865caeede9eeb9db6b83e1d89dcd1ea)
1 /*
2  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #ifndef	_GSSAPIP_SPNEGO_H_
7 #define	_GSSAPIP_SPNEGO_H_
8 
9 /* #pragma ident	"@(#)gssapiP_spnego.h	1.3	03/09/18 SMI" */
10 
11 #ifdef	__cplusplus
12 extern "C" {
13 #endif
14 
15 #include <gssapi/gssapi.h>
16 #include <gssapi/gssapi_ext.h>
17 #include <syslog.h>
18 
/*
 * SEC_CONTEXT_TOKEN / SPNEGO_SIZE_OF_INT: local encoder constants; their
 * exact use is in the implementation file, not visible here.
 */
#define	SEC_CONTEXT_TOKEN 1
#define	SPNEGO_SIZE_OF_INT 4

/*
 * negState values carried in a NegTokenResp (RFC 4178, section 4.2.2):
 * accept-completed(0), accept-incomplete(1), reject(2), request-mic(3).
 * These are wire values and must not be renumbered.
 *
 * ACCEPT_DEFECTIVE_TOKEN is a local sentinel, not a wire value: it is
 * chosen so it cannot collide with any one-byte ENUMERATED value above,
 * presumably so a parse failure of the peer's token is distinguishable
 * from every legitimate negState -- confirm against the decoder.
 */
#define	ACCEPT_COMPLETE 0
#define	ACCEPT_INCOMPLETE 1
#define	REJECT 2
#define REQUEST_MIC 3
#define	ACCEPT_DEFECTIVE_TOKEN 0xffffffffUL
27 
28 /*
29  * constants for der encoding/decoding routines.
30  */
31 
32 #define	MECH_OID		0x06
33 #define	OCTET_STRING		0x04
34 #define	CONTEXT			0xa0
35 #define	SEQUENCE		0x30
36 #define	SEQUENCE_OF		0x30
37 #define	BIT_STRING		0x03
38 #define	BIT_STRING_LENGTH	0x02
39 #define	BIT_STRING_PADDING	0x01
40 #define	ENUMERATED		0x0a
41 #define	ENUMERATION_LENGTH	1
42 #define	HEADER_ID		0x60
43 #define GENERAL_STRING		0x1b
44 
45 /*
46  * SPNEGO specific error codes (minor status codes)
47  */
48 #define	ERR_SPNEGO_NO_MECHS_AVAILABLE		0x20000001
49 #define	ERR_SPNEGO_NO_CREDS_ACQUIRED		0x20000002
50 #define	ERR_SPNEGO_NO_MECH_FROM_ACCEPTOR	0x20000003
51 #define	ERR_SPNEGO_NEGOTIATION_FAILED		0x20000004
52 #define	ERR_SPNEGO_NO_TOKEN_FROM_ACCEPTOR	0x20000005
53 
54 /*
55  * send_token_flag is used to indicate in later steps what type
56  * of token, if any should be sent or processed.
57  * NO_TOKEN_SEND = no token should be sent
58  * INIT_TOKEN_SEND = initial token will be sent
59  * CONT_TOKEN_SEND = continuing tokens to be sent
60  * CHECK_MIC = no token to be sent, but have a MIC to check.
61  * ERROR_TOKEN_SEND = error token from peer needs to be sent.
62  */
63 
64 typedef	enum {NO_TOKEN_SEND, INIT_TOKEN_SEND, CONT_TOKEN_SEND,
65 		CHECK_MIC, ERROR_TOKEN_SEND} send_token_flag;
66 
67 /*
68  * The Mech OID:
69  * { iso(1) org(3) dod(6) internet(1) security(5)
70  *  mechanism(5) spnego(2) }
71  */
72 
73 #define	SPNEGO_OID_LENGTH 6
74 #define	SPNEGO_OID "\053\006\001\005\005\002"
75 
76 typedef void *spnego_token_t;
77 
/*
 * Internal representation of a GSS name at the SPNEGO layer.  SPNEGO
 * has no name syntax of its own: it keeps what the caller imported
 * (type + buffer) and, once a concrete mechanism is involved, the
 * mechanism's OID together with the name as that mechanism imported
 * it.  The last two fields are presumably unset until then -- confirm
 * against the implementation before dereferencing either.
 */
typedef struct {
	gss_OID type;		/* name-type OID supplied at import */
	gss_buffer_t buffer;	/* the name bytes supplied at import */
	gss_OID	mech_type;	/* OID of the underlying mechanism, if any */
	gss_name_t	mech_name;	/* the name as imported by that mechanism */
} spnego_name_desc, *spnego_name_t;
85 
/*
 * Per-context state for a SPNEGO security context.  A gss_ctx_id_t
 * passed to this mechanism presumably points at one of these; the
 * first word is a magic value (SPNEGO_MAGIC_ID, defined below) so a
 * foreign or stale handle can be recognised before the rest is used.
 *
 * NOTE(review): the mic_* fields are the bookkeeping for the
 * mechListMIC exchange that RFC 4178 uses to protect the offered
 * mechanism list from downgrade by an active attacker, and
 * DER_mechTypes is presumably retained so that MIC can be computed and
 * verified over exactly the bytes that went on the wire.  Any code path
 * that sets nego_done while mic_reqd is set and mic_rcvd is not would
 * defeat that protection -- worth confirming in the implementation.
 */
typedef struct {
	OM_uint32	magic_num;	/* expected to hold SPNEGO_MAGIC_ID */
	gss_buffer_desc DER_mechTypes;	/* DER-encoded mechTypes list */
	gss_OID internal_mech;	/* OID of the negotiated inner mechanism */
	gss_ctx_id_t ctx_handle;	/* the inner mechanism's own context */
	char  *optionStr;	/* purpose not visible in this header */
	gss_cred_id_t default_cred;	/* credential used when the caller supplied none -- verify */
	int mic_reqd;		/* a mechListMIC must be exchanged */
	int mic_sent;		/* our mechListMIC has been sent */
	int mic_rcvd;		/* the peer's mechListMIC has been received (and, presumably, verified) */
	int firstpass;		/* first call on this context */
	int mech_complete;	/* inner mechanism reported its exchange complete */
	int nego_done;		/* SPNEGO negotiation itself is finished */
	OM_uint32 ctx_flags;	/* GSS flag word for the context */
	gss_name_t internal_name;	/* peer's name as reported by the inner mechanism */
	gss_OID actual_mech;	/* mechanism actually in use once negotiation settles */
} spnego_gss_ctx_id_rec, *spnego_gss_ctx_id_t;
104 
105 /*
106  * The magic number must be less than a standard pagesize
107  * to avoid a possible collision with a real address.
108  */
109 #define	SPNEGO_MAGIC_ID  0x00000fed
110 
/*
 * The SPNEGO mechanism OID as a gss_OID_desc and as an OID set, both
 * defined elsewhere (the implementation file).  They are const objects
 * behind const pointers: callers must never release them with
 * gss_release_oid_set() or modify them.
 */
extern const gss_OID_desc * const gss_mech_spnego;
extern const gss_OID_set_desc * const gss_mech_set_spnego;
114 
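/* SUNW17PACresync */
/*
 * TWRITE_STR(ptr, str, len): append len bytes from str at ptr and
 * advance ptr past them.  Used by the token writers to emit a field.
 *
 * The macro performs no bounds check of its own: the caller must have
 * already sized the destination so that len more bytes fit after ptr.
 * The body is wrapped in do { ... } while (0) so that both statements
 * stay together when the macro is used as the body of an if/else (the
 * unwrapped form would advance ptr unconditionally); call sites must be
 * terminated with a semicolon.  The source is cast to const char * so a
 * const buffer can be passed without discarding its qualifier.
 */
#define	TWRITE_STR(ptr, str, len) \
	do { \
		(void) memcpy((ptr), (const char *)(str), (len)); \
		(ptr) += (len); \
	} while (0)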
119 
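/*
 * Debug tracing.  In DEBUG builds dsyslog(a) logs the string a at
 * LOG_DEBUG.  The argument is passed through a fixed "%s" format rather
 * than used as the format string itself, so a message that contains '%'
 * (for example a name or option string echoed back for diagnosis) can
 * never be interpreted as format directives -- the macro takes no extra
 * arguments, so there was nothing for such directives to consume.
 * In non-DEBUG builds the macro expands to nothing.
 *
 * SPNEGO_STATIC is defined (empty) only in non-DEBUG builds; its effect
 * is supplied by the implementation file and is not visible here.
 */
#ifdef DEBUG
#define	dsyslog(a) syslog(LOG_DEBUG, "%s", (a))
#else
#define	dsyslog(a)
#define	SPNEGO_STATIC
#endif	/* DEBUG */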
126 
127 /*
128  * declarations of internal name mechanism functions
129  */
130 
131 OM_uint32 spnego_gss_acquire_cred
132 (
133 	OM_uint32 *,		/* minor_status */
134 	gss_name_t,		/* desired_name */
135 	OM_uint32,		/* time_req */
136 	gss_OID_set,		/* desired_mechs */
137 	gss_cred_usage_t,	/* cred_usage */
138 	gss_cred_id_t *,	/* output_cred_handle */
139 	gss_OID_set *,		/* actual_mechs */
140 	OM_uint32 *		/* time_rec */
141 );
142 
143 OM_uint32 glue_spnego_gss_acquire_cred
144 (
145 	void *,
146 	OM_uint32 *,		/* minor_status */
147 	gss_name_t,		/* desired_name */
148 	OM_uint32,		/* time_req */
149 	gss_OID_set,		/* desired_mechs */
150 	gss_cred_usage_t,	/* cred_usage */
151 	gss_cred_id_t *,	/* output_cred_handle */
152 	gss_OID_set *,		/* actual_mechs */
153 	OM_uint32 *		/* time_rec */
154 );
155 
156 OM_uint32 spnego_gss_release_cred
157 (
158 	OM_uint32 *,		/* minor_status */
159 	/* CSTYLED */
160 	gss_cred_id_t	*	/* cred_handle */
161 );
162 
163 OM_uint32 glue_spnego_gss_release_cred
164 (
165 	void *,
166 	OM_uint32 *,		/* minor_status */
167 	/* CSTYLED */
168 	gss_cred_id_t	*	/* cred_handle */
169 );
170 
/*
 * Initiator entry point (gss_init_sec_context semantics).  input_token
 * is whatever the peer sent back (empty on the first call) and must be
 * treated as untrusted: the token decoder has to bound every length it
 * reads against input_token->length before use.  actual_mech_type, when
 * the caller asks for it, reports the inner mechanism that was settled on.
 */
OM_uint32 spnego_gss_init_sec_context
(
	OM_uint32 *,		/* minor_status */
	gss_cred_id_t,		/* claimant_cred_handle */
	gss_ctx_id_t *,		/* context_handle */
	gss_name_t,		/* target_name */
	gss_OID,		/* mech_type */
	OM_uint32,		/* req_flags */
	OM_uint32,		/* time_req */
	gss_channel_bindings_t, /* input_chan_bindings */
	gss_buffer_t,		/* input_token */
	gss_OID *,		/* actual_mech_type */
	gss_buffer_t,		/* output_token */
	OM_uint32 *,		/* ret_flags */
	OM_uint32 *		/* time_rec */
);

/*
 * Mechanism-glue wrapper for the above: the same arguments preceded by
 * an opaque pointer supplied by the glue layer (presumably unused by
 * SPNEGO itself -- confirm in the implementation).
 */
OM_uint32 glue_spnego_gss_init_sec_context
(
	void *,
	OM_uint32 *,		/* minor_status */
	gss_cred_id_t,		/* claimant_cred_handle */
	gss_ctx_id_t *,		/* context_handle */
	gss_name_t,		/* target_name */
	gss_OID,		/* mech_type */
	OM_uint32,		/* req_flags */
	OM_uint32,		/* time_req */
	gss_channel_bindings_t, /* input_chan_bindings */
	gss_buffer_t,		/* input_token */
	gss_OID *,		/* actual_mech_type */
	gss_buffer_t,		/* output_token */
	OM_uint32 *,		/* ret_flags */
	OM_uint32 *		/* time_rec */
);

#ifndef LEAN_CLIENT
/*
 * Acceptor entry point (gss_accept_sec_context semantics); compiled out
 * of LEAN_CLIENT builds.  input_token_buffer is the initiator's token and
 * is untrusted, as above.  src_name is the peer name as reported by the
 * inner mechanism; delegated_cred_handle is presumably filled only when
 * that mechanism actually delegated credentials -- confirm before
 * relying on it being set.
 */
OM_uint32 spnego_gss_accept_sec_context
(
	OM_uint32 *,		/* minor_status */
	gss_ctx_id_t *,		/* context_handle */
	gss_cred_id_t,		/* verifier_cred_handle */
	gss_buffer_t,		/* input_token_buffer */
	gss_channel_bindings_t, /* input_chan_bindings */
	gss_name_t *,		/* src_name */
	gss_OID *,		/* mech_type */
	gss_buffer_t,		/* output_token */
	OM_uint32 *,		/* ret_flags */
	OM_uint32 *,		/* time_rec */
	/* CSTYLED */
	gss_cred_id_t *		/* delegated_cred_handle */
);
/* Mechanism-glue wrapper for the acceptor; leading void * as for the initiator. */
OM_uint32 glue_spnego_gss_accept_sec_context
(
	void *,
	OM_uint32 *,		/* minor_status */
	gss_ctx_id_t *,		/* context_handle */
	gss_cred_id_t,		/* verifier_cred_handle */
	gss_buffer_t,		/* input_token_buffer */
	gss_channel_bindings_t, /* input_chan_bindings */
	gss_name_t *,		/* src_name */
	gss_OID *,		/* mech_type */
	gss_buffer_t,		/* output_token */
	OM_uint32 *,		/* ret_flags */
	OM_uint32 *,		/* time_rec */
	/* CSTYLED */
	gss_cred_id_t *		/* delegated_cred_handle */
);

#endif /* LEAN_CLIENT */
240 
241 OM_uint32 spnego_gss_compare_name
242 (
243 	OM_uint32 *,		/* minor_status */
244 	const gss_name_t,	/* name1 */
245 	const gss_name_t,	/* name2 */
246 	int *			/* name_equal */
247 );
248 
249 OM_uint32 glue_spnego_gss_compare_name
250 (
251 	void *,
252 	OM_uint32 *,		/* minor_status */
253 	const gss_name_t,	/* name1 */
254 	const gss_name_t,	/* name2 */
255 	int *			/* name_equal */
256 );
257 
258 OM_uint32 spnego_gss_display_name
259 (
260 	OM_uint32 *,		/* minor_status */
261 	gss_name_t,		/*  input_name */
262 	gss_buffer_t,		/*  output_name_buffer */
263 	gss_OID *		/* output_name_type */
264 );
265 
266 OM_uint32 glue_spnego_gss_display_name
267 (
268 	void *,
269 	OM_uint32 *,		/* minor_status */
270 	gss_name_t,		/*  input_name */
271 	gss_buffer_t,		/*  output_name_buffer */
272 	gss_OID *		/* output_name_type */
273 );
274 
275 OM_uint32 spnego_gss_display_status
276 (
277 	OM_uint32 *,		/* minor_status */
278 	OM_uint32,		/* status_value */
279 	int,			/* status_type */
280 	gss_OID,		/* mech_type */
281 	OM_uint32 *,		/* message_context */
282 	gss_buffer_t		/* status_string */
283 );
284 
285 OM_uint32 glue_spnego_gss_display_status
286 (
287 	void *,
288 	OM_uint32 *,		/* minor_status */
289 	OM_uint32,		/* status_value */
290 	int,			/* status_type */
291 	gss_OID,		/* mech_type */
292 	OM_uint32 *,		/* message_context */
293 	gss_buffer_t		/* status_string */
294 );
295 
296 OM_uint32 spnego_gss_import_name
297 (
298 	OM_uint32 *,		/* minor_status */
299 	gss_buffer_t,		/* input_name_buffer */
300 	gss_OID,		/* input_name_type */
301 	/* CSTYLED */
302 	gss_name_t *		/* output_name */
303 );
304 
305 OM_uint32 glue_spnego_gss_import_name
306 (
307 	void *,
308 	OM_uint32 *,		/* minor_status */
309 	gss_buffer_t,		/* input_name_buffer */
310 	gss_OID,		/* input_name_type */
311 	/* CSTYLED */
312 	gss_name_t *		/* output_name */
313 );
314 OM_uint32 spnego_gss_release_name
315 (
316 	OM_uint32 *,		/* minor_status */
317 	/* CSTYLED */
318 	gss_name_t *		/* input_name */
319 );
320 
321 OM_uint32 glue_spnego_gss_release_name
322 (
323 	void *,
324 
325 	OM_uint32 *,		/* minor_status */
326 	/* CSTYLED */
327 	gss_name_t *		/* input_name */
328 );
329 
330 OM_uint32 spnego_gss_inquire_names_for_mech
331 (
332 	OM_uint32 *,		/* minor_status */
333 	gss_OID,		/* mechanism */
334 	gss_OID_set *		/* name_types */
335 );
336 
337 OM_uint32 glue_spnego_gss_inquire_names_for_mech
338 (
339 	void *,
340 	OM_uint32 *,		/* minor_status */
341 	gss_OID,		/* mechanism */
342 	gss_OID_set *		/* name_types */
343 );
344 
345 OM_uint32 spnego_gss_unwrap
346 (
347 	OM_uint32 *minor_status,
348 	gss_ctx_id_t context_handle,
349 	gss_buffer_t input_message_buffer,
350 	gss_buffer_t output_message_buffer,
351 	int *conf_state,
352 	gss_qop_t *qop_state
353 );
354 
355 OM_uint32 spnego_gss_wrap
356 (
357 	OM_uint32 *minor_status,
358 	gss_ctx_id_t context_handle,
359 	int conf_req_flag,
360 	gss_qop_t qop_req,
361 	gss_buffer_t input_message_buffer,
362 	int *conf_state,
363 	gss_buffer_t output_message_buffer
364 );
365 
366 OM_uint32 spnego_gss_process_context_token
367 (
368 	OM_uint32	*minor_status,
369 	const gss_ctx_id_t context_handle,
370 	const gss_buffer_t token_buffer
371 );
372 
373 OM_uint32 spnego_gss_delete_sec_context
374 (
375 	OM_uint32 *minor_status,
376 	gss_ctx_id_t *context_handle,
377 	gss_buffer_t output_token
378 );
379 
380 OM_uint32 glue_spnego_gss_delete_sec_context
381 (
382 	void *,
383 
384 	OM_uint32 *minor_status,
385 	gss_ctx_id_t *context_handle,
386 	gss_buffer_t output_token
387 );
388 
389 OM_uint32 spnego_gss_context_time
390 (
391 	OM_uint32	*minor_status,
392 	const gss_ctx_id_t context_handle,
393 	OM_uint32	*time_rec
394 );
395 OM_uint32 glue_spnego_gss_context_time
396 (
397 	void *,
398 	OM_uint32	*minor_status,
399 	const gss_ctx_id_t context_handle,
400 	OM_uint32	*time_rec
401 );
402 
403 #ifndef LEAN_CLIENT
404 OM_uint32 spnego_gss_export_sec_context
405 (
406 	OM_uint32	*minor_status,
407 	gss_ctx_id_t	*context_handle,
408 	gss_buffer_t	interprocess_token
409 );
410 
411 OM_uint32 glue_spnego_gss_export_sec_context
412 (
413 	void *,
414 	OM_uint32	*minor_status,
415 	gss_ctx_id_t	*context_handle,
416 	gss_buffer_t	interprocess_token
417 );
418 
419 OM_uint32 spnego_gss_import_sec_context
420 (
421 	OM_uint32		*minor_status,
422 	const gss_buffer_t	interprocess_token,
423 	gss_ctx_id_t		*context_handle
424 );
425 OM_uint32 glue_spnego_gss_import_sec_context
426 (
427 	void *,
428 	OM_uint32		*minor_status,
429 	const gss_buffer_t	interprocess_token,
430 	gss_ctx_id_t		*context_handle
431 );
432 #endif /* LEAN_CLIENT */
433 
434 OM_uint32 glue_spnego_gss_inquire_context
435 (
436 	void *,
437 	OM_uint32	*minor_status,
438 	const gss_ctx_id_t context_handle,
439 	gss_name_t	*src_name,
440 	gss_name_t	*targ_name,
441 	OM_uint32	*lifetime_rec,
442 	gss_OID		*mech_type,
443 	OM_uint32	*ctx_flags,
444 	int		*locally_initiated,
445 	int		*opened
446 );
447 
448 OM_uint32 spnego_gss_inquire_context
449 (
450 	OM_uint32	*minor_status,
451 	const gss_ctx_id_t context_handle,
452 	gss_name_t	*src_name,
453 	gss_name_t	*targ_name,
454 	OM_uint32	*lifetime_rec,
455 	gss_OID		*mech_type,
456 	OM_uint32	*ctx_flags,
457 	int		*locally_initiated,
458 	int		*opened
459 );
460 
461 OM_uint32 spnego_gss_wrap_size_limit
462 (
463 	OM_uint32	*minor_status,
464 	const gss_ctx_id_t context_handle,
465 	int		conf_req_flag,
466 	gss_qop_t	qop_req,
467 	OM_uint32	req_output_size,
468 	OM_uint32	*max_input_size
469 );
470 
471 OM_uint32 glue_spnego_gss_wrap_size_limit
472 (
473 	void *,
474 	OM_uint32	*minor_status,
475 	const gss_ctx_id_t context_handle,
476 	int		conf_req_flag,
477 	gss_qop_t	qop_req,
478 	OM_uint32	req_output_size,
479 	OM_uint32	*max_input_size
480 );
481 
482 OM_uint32 spnego_gss_get_mic
483 (
484 	OM_uint32 *minor_status,
485 	const gss_ctx_id_t context_handle,
486 	gss_qop_t qop_req,
487 	const gss_buffer_t message_buffer,
488 	gss_buffer_t message_token
489 );
490 
491 OM_uint32 spnego_gss_verify_mic
492 (
493 	OM_uint32 *minor_status,
494 	const gss_ctx_id_t context_handle,
495 	const gss_buffer_t msg_buffer,
496 	const gss_buffer_t token_buffer,
497 	gss_qop_t *qop_state
498 );
499 
500 OM_uint32
501 spnego_gss_inquire_sec_context_by_oid
502 (
503 	OM_uint32 *minor_status,
504 	const gss_ctx_id_t context_handle,
505 	const gss_OID desired_object,
506 	gss_buffer_set_t *data_set
507 );
508 
509 
/*
 * Library entry points.  When the mechanism is linked statically the
 * init/fini pair is presumably called directly by the glue; when it is
 * built as a loadable module, gss_mech_initialize() is the symbol the
 * glue looks up and it returns the mechanism's dispatch table.
 * (Which side the glue takes is decided by the build, not by this header.)
 */
#ifdef _GSS_STATIC_LINK
int gss_spnegoint_lib_init(void);
void gss_spnegoint_lib_fini(void);
#else
gss_mechanism KRB5_CALLCONV gss_mech_initialize(void);
#endif /* _GSS_STATIC_LINK */
516 
517 #if 0 /* SUNW17PACresync - will be needed for full MIT 1.7 resync */
518 OM_uint32 spnego_gss_wrap_aead
519 (
520 	OM_uint32 *minor_status,
521 	gss_ctx_id_t context_handle,
522 	int conf_req_flag,
523 	gss_qop_t qop_req,
524 	gss_buffer_t input_assoc_buffer,
525 	gss_buffer_t input_payload_buffer,
526 	int *conf_state,
527 	gss_buffer_t output_message_buffer
528 );
529 
530 OM_uint32 spnego_gss_unwrap_aead
531 (
532 	OM_uint32 *minor_status,
533 	gss_ctx_id_t context_handle,
534 	gss_buffer_t input_message_buffer,
535 	gss_buffer_t input_assoc_buffer,
536 	gss_buffer_t output_payload_buffer,
537 	int *conf_state,
538 	gss_qop_t *qop_state
539 );
540 
541 OM_uint32 spnego_gss_wrap_iov
542 (
543 	OM_uint32 *minor_status,
544 	gss_ctx_id_t context_handle,
545 	int conf_req_flag,
546 	gss_qop_t qop_req,
547 	int *conf_state,
548 	gss_iov_buffer_desc *iov,
549 	int iov_count
550 );
551 
552 OM_uint32 spnego_gss_unwrap_iov
553 (
554 	OM_uint32 *minor_status,
555 	gss_ctx_id_t context_handle,
556 	int *conf_state,
557 	gss_qop_t *qop_state,
558 	gss_iov_buffer_desc *iov,
559 	int iov_count
560 );
561 
562 OM_uint32 spnego_gss_wrap_iov_length
563 (
564 	OM_uint32 *minor_status,
565 	gss_ctx_id_t context_handle,
566 	int conf_req_flag,
567 	gss_qop_t qop_req,
568 	int *conf_state,
569 	gss_iov_buffer_desc *iov,
570 	int iov_count
571 );
572 
573 OM_uint32
574 spnego_gss_complete_auth_token
575 (
576 	OM_uint32 *minor_status,
577 	const gss_ctx_id_t context_handle,
578 	gss_buffer_t input_message_buffer
579 );
580 #endif /* 0 */
581 
582 #ifdef	__cplusplus
583 }
584 #endif
585 
586 #endif /* _GSSAPIP_SPNEGO_H_ */
587