1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 #pragma ident	"%Z%%M%	%I%	%E% SMI"
7 
8 /*
9  * Copyright 1993 by OpenVision Technologies, Inc.
10  *
11  * Permission to use, copy, modify, distribute, and sell this software
12  * and its documentation for any purpose is hereby granted without fee,
13  * provided that the above copyright notice appears in all copies and
14  * that both that copyright notice and this permission notice appear in
15  * supporting documentation, and that the name of OpenVision not be used
16  * in advertising or publicity pertaining to distribution of the software
17  * without specific, written prior permission. OpenVision makes no
18  * representations about the suitability of this software for any
19  * purpose.  It is provided "as is" without express or implied warranty.
20  *
21  * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
22  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
23  * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
24  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
25  * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
26  * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
27  * PERFORMANCE OF THIS SOFTWARE.
28  */
29 
30 #ifndef _GSSAPI_KRB5_H_
31 #define _GSSAPI_KRB5_H_
32 
33 #include <gssapi/gssapi.h>
34 #include <gssapi/gssapi_ext.h>
35 #include <krb5.h>
36 
/* SUNW15resync */
/*
 * Make GSS_DLLIMP a no-op when the platform headers have not defined it.
 * (Presumably a Windows DLL import decoration in the MIT sources; on this
 * platform it expands to nothing.)
 */
#ifndef GSS_DLLIMP
#define GSS_DLLIMP
#endif
41 
/* C++ friendliness */
43 #ifdef __cplusplus
44 extern "C" {
45 #endif /* __cplusplus */
46 
47 /* Reserved static storage for GSS_oids.  See rfc 1964 for more details. */
48 
/* 2.1.1. Kerberos Principal Name Form: */
/* Storage for this OID lives in the mechanism library, not in this header. */
GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
55 
/*
 * The remaining RFC 1964 name forms are aliases for the generic GSS-API
 * name-type OIDs (GSS_C_NT_*), which are not declared in this file --
 * presumably they come from the <gssapi/gssapi.h> included above.
 */

/* 2.1.2. Host-Based Service Name Form */
#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) service_name(4)}.  The previously recommended symbolic
 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
 * currently preferred symbolic name for this type is
 * "GSS_C_NT_HOSTBASED_SERVICE". */

/* 2.2.1. User Name Form */
#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) user_name(1)}.  The recommended symbolic name for this
 * type is "GSS_KRB5_NT_USER_NAME". */

/* 2.2.2. Machine UID Form */
#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */

/* 2.2.3. String UID Form */
#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) string_uid_name(3)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
85 
/*
 * Mechanism OIDs and OID sets for the Kerberos V5 GSS-API mechanism.
 * Three mechanism OIDs are exported (the current one, an "old" one and a
 * "wrong" one); which wire values they carry is defined in the mechanism
 * library, not here.  The *_set_* objects are pre-built OID sets holding
 * the current OID, the old OID, and both, respectively.
 */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;

/* Kerberos name-type OIDs (krb5 name and principal forms). */
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;

/* Backing array for the OID pointers above; size is fixed by the library. */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
97 
/*
 * Legacy gss_krb5_nt_* spellings of the name-type OIDs.  The first two
 * map to the gss_nt_krb5_* objects declared above; the rest refer to
 * generic gss_nt_* names that are not declared in this file.
 */
#define gss_krb5_nt_general_name	gss_nt_krb5_name
#define gss_krb5_nt_principal		gss_nt_krb5_principal
#define gss_krb5_nt_service_name	gss_nt_service_name
#define gss_krb5_nt_user_name		gss_nt_user_name
#define gss_krb5_nt_machine_uid_name	gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name	gss_nt_string_uid_name
104 
105 
/*
 * gss_uint64: a 64-bit unsigned integer used for the lucid context
 * sequence numbers.  Windows lacks <inttypes.h>, so it uses the compiler's
 * __int64; everywhere else uint64_t is taken from the kernel or userland
 * <inttypes.h> depending on _KERNEL.
 */
#if defined(_WIN32)
typedef  unsigned __int64 gss_uint64;
#else /*windows*/

#ifdef _KERNEL
#include <sys/inttypes.h>
#else /* _KERNEL */
#include <inttypes.h>
#endif /* _KERNEL */

typedef  uint64_t gss_uint64;
#endif
118 
119 
/*
 * A raw Kerberos key as exposed through the lucid context interface.
 * 'data' points at the actual key bytes, so any structure embedding one
 * of these carries secret material; it is released together with the
 * enclosing lucid context by gss_krb5_free_lucid_sec_context().
 */
typedef struct gss_krb5_lucid_key {
	OM_uint32	type;		/* key encryption type */
	OM_uint32	length;		/* length of key data */
	void *		data;		/* actual key data (secret) */
} gss_krb5_lucid_key_t;
125 
/*
 * Key material for an RFC 1964 context (lucid context protocol == 0).
 * Only meaningful when gss_krb5_lucid_context_v1.protocol selects it.
 */
typedef struct gss_krb5_rfc1964_keydata {
	OM_uint32	sign_alg;	/* signing algorithm */
	OM_uint32	seal_alg;	/* seal/encrypt algorithm */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
133 
/*
 * Key material for a CFX context (lucid context protocol == 1).
 * Only meaningful when gss_krb5_lucid_context_v1.protocol selects it.
 */
typedef struct gss_krb5_cfx_keydata {
	OM_uint32		have_acceptor_subkey;
					/* 1 if there is an acceptor_subkey
					   present, 0 otherwise */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
	gss_krb5_lucid_key_t	acceptor_subkey;
					/* acceptor-asserted subkey or
					   0's if no acceptor subkey;
					   check have_acceptor_subkey first */
} gss_krb5_cfx_keydata_t;
145 
/*
 * Version 1 of the lucid (non-opaque) security context handed back by
 * gss_krb5_export_lucid_sec_context() when version 1 is negotiated.
 * It exposes the context's raw session/sub keys, so callers must treat
 * it as secret and release it with gss_krb5_free_lucid_sec_context().
 * 'version' must stay the first member so that any returned structure can
 * be inspected through gss_krb5_lucid_context_version_t.
 */
typedef struct gss_krb5_lucid_context_v1 {
	OM_uint32	version;	/* Structure version number (1)
					   MUST be at beginning of struct! */
	OM_uint32	initiate;	/* Are we the initiator? */
	OM_uint32	endtime;	/* expiration time of context
					   (units not stated here) */
	gss_uint64	send_seq;	/* sender sequence number */
	gss_uint64	recv_seq;	/* receive sequence number */
	OM_uint32	protocol;	/* 0: rfc1964,
					   1: draft-ietf-krb-wg-gssapi-cfx-07 */
	/*
	 * Exactly one of the two key-data members is valid, selected by
	 * 'protocol':
	 * if (protocol == 0) rfc1964_kd should be used
	 * and cfx_kd contents are invalid and should be zero
	 * if (protocol == 1) cfx_kd should be used
	 * and rfc1964_kd contents are invalid and should be zero
	 */
	gss_krb5_rfc1964_keydata_t rfc1964_kd;
	gss_krb5_cfx_keydata_t	   cfx_kd;
} gss_krb5_lucid_context_v1_t;
164 
/*
 * Mask for determining the returned structure version.
 * Every lucid context structure begins with an OM_uint32 version field,
 * so the pointer returned by gss_krb5_export_lucid_sec_context() can be
 * cast to this type to read 'version' before choosing the full type.
 * See the example in the gss_krb5_export_lucid_sec_context() comment.
 */
typedef struct gss_krb5_lucid_context_version {
	OM_uint32	version;	/* Structure version number */
} gss_krb5_lucid_context_version_t;
172 
173 
174 
175 
/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Register the identity the acceptor side will use.  What the string
 * argument denotes is not described in this header -- presumably a keytab
 * location; confirm against the implementation before relying on it.
 * Returns a GSS-API major status.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
180 
  /*
   * SUNW15resync
   * MIT renamed this function from _krb5_ to _krb5int_ in
   * get_tkt_flags.c but not in this header (presumably a bug), so the
   * name is changed here to match.
   *
   * Retrieves the Kerberos ticket flags associated with context_handle
   * into *ticket_flags (inferred from the parameter names; behaviour on
   * an unestablished context is not stated here).  Returns a GSS-API
   * major status, with details in *minor_status.
   */
OM_uint32 KRB5_CALLCONV gss_krb5int_get_tkt_flags
	(OM_uint32 *minor_status,
		   gss_ctx_id_t context_handle,
		   krb5_flags *ticket_flags);
191 
/*
 * Copies the Kerberos credentials held by cred_handle into out_ccache
 * (inferred from the parameter names; not otherwise documented here).
 * out_ccache is caller-provided; this header does not say whether it must
 * already be initialized -- confirm in the implementation.  Returns a
 * GSS-API major status, with details in *minor_status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
	(OM_uint32 *minor_status,
		   gss_cred_id_t cred_handle,
		   krb5_ccache out_ccache);
196 
/*
 * Sets the credential cache name used by the mechanism to 'name' and, if
 * out_name is non-NULL, returns the previous name through it.  This is
 * inferred from the parameter names; ownership/lifetime of *out_name is
 * not stated here -- confirm in the implementation before freeing it.
 * Returns a GSS-API major status, with details in *minor_status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
	(OM_uint32 *minor_status, const char *name,
		   const char **out_name);
200 
/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * Because the lucid export hands raw key material to the caller, an
 * initiator that later exports the context should use this call to keep
 * the exported keys to enctypes it is prepared to handle.
 *
 * Parameters:
 *   minor_status  mechanism-specific status on failure
 *   cred          credential handle; must not be GSS_C_NO_CREDENTIAL
 *   num_ktypes    number of entries in 'ktypes'
 *   ktypes        array of permitted enctypes (caller-owned)
 * Returns a GSS-API major status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
				gss_cred_id_t cred,
				OM_uint32 num_ktypes,
				krb5_enctype *ktypes);
229 
/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call.  The GSS implementation is free to release any
 * resources associated with the original context.  It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data.  The caller should treat the returned
 * lucid context as read-only.
 *
 * The returned structure contains the context's raw session/sub keys
 * (see gss_krb5_lucid_key_t), so it must be handled as secret material.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
 *
 * 'version' is an integer indicating the highest version of lucid
 * context understood by the caller.  The highest version
 * understood by both the caller and the GSS implementation must
 * be returned.  The caller can determine which version of the
 * structure was actually returned by examining the version field
 * of the returned structure.  gss_krb5_lucid_context_version_t
 * may be used as a mask to examine the returned structure version.
 *
 * If there are no common versions, an error should be returned.
 * (XXX Need error definition(s))
 *
 * Parameters:
 *   minor_status    mechanism-specific status on failure
 *   context_handle  pointer to the established context; unusable after
 *                   this call (see above)
 *   version         highest lucid structure version the caller understands
 *   kctx            receives a pointer to the lucid structure, whose first
 *                   member is always the OM_uint32 version field
 * Returns a GSS-API major status.
 *
 * For example:
 *	void *return_ctx;
 *	gss_krb5_lucid_context_v1_t *ctx;
 *	OM_uint32 min_stat, maj_stat;
 *	OM_uint32 vers;
 *	gss_ctx_id_t *ctx_handle;
 *
 *	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *			ctx_handle, 1, &return_ctx);
 *	// Verify success
 *
 *	vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
 *	switch (vers) {
 *	case 1:
 *		ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 *		break;
 *	default:
 *		// Error, unknown version returned
 *		break;
 *	}
 *
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
				  gss_ctx_id_t *context_handle,
				  OM_uint32 version,
				  void **kctx);
283 
/*
 * Frees the allocated storage associated with a lucid context
 * returned by gss_krb5_export_lucid_sec_context() (for example a
 * gss_krb5_lucid_context_v1_t).  'kctx' is the pointer that was
 * returned in the export's *kctx.  Whether the embedded key data is
 * zeroized before release is not specified here -- confirm in the
 * implementation if that matters to the caller.  Returns a GSS-API
 * major status, with details in *minor_status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
				void *kctx);
291 
292 
293 #ifdef __cplusplus
294 }
295 #endif /* __cplusplus */
296 
297 #endif /* _GSSAPI_KRB5_H_ */
298