1/*
2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34/* $Id$ */
35
36#ifndef GSSKRB5_LOCL_H
37#define GSSKRB5_LOCL_H
38
39#include <config.h>
40
41#include <gssapi_rewrite.h>
42
43#include <krb5_locl.h>
44#include <gkrb5_err.h>
45#include <gssapi.h>
46#include <gssapi_mech.h>
47#include <gssapi_krb5.h>
48#include <gssapi_spi.h>
49#include <assert.h>
50
51#include <heimbase.h>
52
53#include <pku2u_asn1.h>
54#include <gssapi_asn1.h>
55
56#include <gsskrb5_crypto.h>
57
58#include "cfx.h"
59
60#ifdef __APPLE_PRIVATE__
61#include <CommonCrypto/CommonCryptor.h>
62#ifndef __APPLE_TARGET_EMBEDDED__
63#include <CommonCrypto/CommonCryptorSPI.h>
64#endif
65#endif
66
/*
 * Opaque handle types for this mechanism.  Both hide a pointer to the
 * struct of the same tag defined further down; presumably done to
 * mirror the gss_ctx_id_t / gss_cred_id_t style of the public GSS-API
 * (callers pass the handle, never the struct).
 */
typedef struct gsskrb5_ctx *gsskrb5_ctx;
typedef struct gsskrb5_cred *gsskrb5_cred;
69
/*
 * One step of the acceptor-side context state machine (stored in
 * gsskrb5_ctx.acceptor_state below).  Each handler consumes one input
 * token and may produce one output token.  The parameter list follows
 * gss_accept_sec_context(), with the mechanism's own context (ctx) and
 * the krb5_context prepended; minor_status receives the krb5 error code
 * on failure.  How the next handler is selected is not visible here --
 * presumably the handler rewrites ctx->acceptor_state itself; confirm at
 * the call sites.
 */
typedef OM_uint32
(*gsskrb5_acceptor_state)(OM_uint32 *minor_status,
			  gsskrb5_ctx ctx,
			  krb5_context context,
			  const gss_cred_id_t acceptor_cred_handle,
			  const gss_buffer_t input_token_buffer,
			  const gss_channel_bindings_t input_chan_bindings,
			  gss_name_t * src_name,
			  gss_OID * mech_type,
			  gss_buffer_t output_token,
			  OM_uint32 * ret_flags,
			  OM_uint32 * time_rec,
			  gss_cred_id_t * delegated_cred_handle);
83
/*
 * One step of the initiator-side context state machine (stored in
 * gsskrb5_ctx.initiator_state below).  Parameters follow
 * gss_init_sec_context(), with the mechanism's credential (cred), its
 * context (ctx) and the krb5_context prepended.  The type name is
 * misspelt ("initator"); it is an exported identifier, so it is kept
 * as is.
 */
typedef OM_uint32
(*gsskrb5_initator_state)(OM_uint32 * minor_status,
			  gsskrb5_cred cred,
			  gsskrb5_ctx ctx,
			  krb5_context context,
			  gss_name_t name,
			  const gss_OID mech_type,
			  OM_uint32 req_flags,
			  OM_uint32 time_req,
			  const gss_channel_bindings_t input_chan_bindings,
			  const gss_buffer_t input_token,
			  gss_buffer_t output_token,
			  OM_uint32 * ret_flags,
			  OM_uint32 * time_rec);
98
99/*
100 *
101 */
102
103struct gss_msg_order;
104
/*
 * Per-security-context state of the krb5 GSS mechanism, reached through
 * the gsskrb5_ctx pointer typedef above.  Most members are libkrb5 /
 * hx509 handles owned by this context; the two *_state callbacks drive
 * the token exchange one step at a time.
 *
 * NOTE(review): several members carry key material or a cleartext
 * secret (auth_context, deleg_auth_context, service_keyblock, password).
 * The release path is not in this header -- confirm it wipes them
 * (memset_s / explicit-style clear) before freeing.
 */
struct gsskrb5_ctx {
  struct gsskrb5_crypto gk5c;			/* per-context crypto state; layout in gsskrb5_crypto.h */
  gss_OID mech;					/* mechanism OID this context was created for */
  struct krb5_auth_context_data *auth_context;	/* krb5 auth context of the AP exchange; holds session/sub keys */
  struct krb5_auth_context_data *deleg_auth_context;	/* presumably the auth context used to build the delegated credential (fwd_data) -- confirm */
  krb5_principal source, target;		/* initiator ("source") and acceptor ("target") principals, per the names */
/* Tests the GSS_C_DCE_STYLE bit of `flags` (DCE-style three-leg handshake). */
#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0)
    OM_uint32 flags;				/* GSS req/ret flags (GSS_C_* values) for this context */
    /*
     * Internal bit flags, OR'ed together into more_flags.  The meanings
     * below are read off the names only -- confirm at the use sites.
     */
    enum { LOCAL			= 0x001,	/* presumably: this side is the initiator */
	   OPEN				= 0x002,	/* presumably: context establishment complete */
	   COMPAT_OLD_DES3		= 0x004,	/* legacy DES3 token compatibility requested */
	   COMPAT_OLD_DES3_SELECTED	= 0x008,	/* ... and actually in effect */
	   CLOSE_CCACHE 		= 0x010,	/* ccache below is ours to close on release */
	   DESTROY_CCACHE		= 0x020,	/* ccache below is ours to destroy on release */
	   IS_CFX 			= 0x040,	/* CFX (RFC 4121-style) token format in use, see cfx.h */
	   PAC_VALID		        = 0x080,	/* PAC in the ticket was verified -- confirm what validation this denotes */
	   RETRIED_SKEW			= 0x100,	/* presumably: one-shot guard, already retried after a clock-skew error */
	   RETRIED_NEWTICKET		= 0x200,	/* presumably: one-shot guard, already retried with a fresh ticket */
    } more_flags;
    gsskrb5_acceptor_state acceptor_state;	/* current acceptor-side step, see typedef above */
    gsskrb5_initator_state initiator_state;	/* current initiator-side step, see typedef above */
    krb5_creds *kcred;				/* service ticket/credentials used for this context */
    krb5_ccache ccache;				/* ccache the credentials came from; ownership per CLOSE_/DESTROY_CCACHE */
    struct krb5_ticket *ticket;			/* decrypted AP-REQ ticket (acceptor side, presumably) */
    time_t endtime;				/* context lifetime end, as reported in time_rec */
    HEIMDAL_MUTEX ctx_id_mutex;			/* serialises concurrent use of this context; exact coverage not visible here */
    krb5_keyblock *service_keyblock;		/* key material -- see NOTE(review) above */
    krb5_data fwd_data;				/* forwarded (delegated) credential blob, per the name */
#ifdef PKINIT
    hx509_cert cert;				/* PKINIT client certificate bound to this context */
#endif
    krb5_storage *messages;			/* presumably a record of exchanged tokens -- confirm what consumes it */

    /* IAKERB: state carried across the in-band AS/TGS exchange */
    krb5_get_init_creds_opt *gic_opt;		/* options for the initial-credential request */
    krb5_init_creds_context asctx;		/* in-progress AS exchange */
    krb5_tkt_creds_context tgsctx;		/* in-progress TGS exchange */
    krb5_data *cookie;				/* IAKERB cookie echoed back to the acceptor (opaque to us) */
    char *password;				/* cleartext password used for the AS exchange -- see NOTE(review) above */
    krb5_realm iakerbrealm;			/* realm the IAKERB exchange targets */
    krb5_data friendlyname;			/* display name; meaning not evident from this header */
    krb5_data lkdchostname;			/* LKDC (local KDC) hostname, per the name */

};
149
/*
 * Credential-handle state of the krb5 GSS mechanism, reached through the
 * gsskrb5_cred pointer typedef above.  A credential may be backed by a
 * ccache, a keytab, a PKINIT certificate and/or a password; which of
 * those are populated is decided by the acquire code, not here.
 *
 * NOTE(review): `password` is a cleartext secret -- confirm the release
 * path clears it before free.
 */
struct gsskrb5_cred {
    krb5_principal principal;			/* principal the credential is for (may be unset for "default") */
    int cred_flags;				/* OR of the GSS_CF_* bits below */
#define GSS_CF_DESTROY_CRED_ON_RELEASE	1	/* presumably: destroy the backing ccache when the cred is released */
#define GSS_CF_NO_CI_FLAGS		2	/* meaning not evident from this header; see where it is set */
#define GSS_CF_IAKERB_RESOLVED		4	/* presumably: IAKERB has already turned this cred into real tickets */
    struct krb5_keytab_data *keytab;		/* acceptor-side key source */
    time_t endtime;				/* credential lifetime end */
    gss_cred_usage_t usage;			/* GSS_C_INITIATE / GSS_C_ACCEPT / GSS_C_BOTH */
    struct krb5_ccache_data *ccache;		/* initiator-side ticket source */
    HEIMDAL_MUTEX cred_id_mutex;		/* serialises concurrent use of this credential */
    krb5_enctype *enctypes;			/* restricted enctype list; terminator convention not visible here */
#ifdef PKINIT
    hx509_cert cert;				/* PKINIT client certificate */
#endif
    char *password;				/* cleartext password -- see NOTE(review) above */
};
167
168typedef struct Principal *gsskrb5_name;
169
170/*
171 *
172 */
173
/*
 * Process-wide keytab handle shared by acceptor credentials, and the
 * lock whose name says it guards it.  Take gssapi_keytab_mutex around
 * any read or replacement of _gsskrb5_keytab (confirm at the use sites;
 * neither is touched in this header).
 */
extern krb5_keytab _gsskrb5_keytab;
extern HEIMDAL_MUTEX gssapi_keytab_mutex;
176
177/*
178 * Prototypes
179 */
180
181#include <gsskrb5-private.h>
182
/*
 * Lazily initialise the mechanism's krb5_context via _gsskrb5_init(ctx)
 * and bail out of the calling GSS entry point if that fails.
 *
 * Expansion-site requirements: the caller must have an `OM_uint32
 * *minor_status` parameter in scope (it receives the krb5 error code on
 * failure) and must return OM_uint32.  On success nothing is written
 * and execution continues after the macro.
 */
#define GSSAPI_KRB5_INIT(ctx) do {				\
    krb5_error_code kret_gss_init = _gsskrb5_init(ctx);	\
    if (kret_gss_init != 0) {					\
	*minor_status = kret_gss_init;				\
	return GSS_S_FAILURE;					\
    }								\
} while (0)
190
/*
 * Variant of GSSAPI_KRB5_INIT for functions with goto-based cleanup:
 * on _gsskrb5_init(ctx) failure jump to _label instead of returning.
 * The krb5 error code is discarded; the caller must set its own
 * status before/after the label if it wants to report one.
 */
#define GSSAPI_KRB5_INIT_GOTO(ctx,_label) do {			\
    if (_gsskrb5_init(ctx) != 0)				\
	goto _label;						\
} while (0)
196
/*
 * Variant of GSSAPI_KRB5_INIT for void functions: on _gsskrb5_init(ctx)
 * failure simply return.  The error is silently dropped -- there is no
 * minor_status to report it through.
 */
#define GSSAPI_KRB5_INIT_VOID(ctx) do {				\
    if (_gsskrb5_init(ctx) != 0)				\
	return;							\
} while (0)
202
/*
 * Variant of GSSAPI_KRB5_INIT for OM_uint32-returning functions that
 * have no minor_status to fill in.
 *
 * NOTE(review): the `status` argument is accepted but never used -- on
 * failure the macro always returns GSS_S_FAILURE, whatever the caller
 * passed, and the krb5 error code is dropped.  Left as is because
 * callers outside this header may depend on that return value.
 */
#define GSSAPI_KRB5_INIT_STATUS(ctx, status) do {		\
    if (_gsskrb5_init(ctx) != 0)				\
	return GSS_S_FAILURE;					\
} while (0)
208
209
210/* sec_context flags */
211
/*
 * sec_context flags: a bit mask naming optional auth-context pieces
 * (local/remote address, session keyblock, local/remote subkey).  From
 * the names these look like presence bits for a serialised context
 * (export/import) -- confirm at the use sites; nothing in this header
 * sets or reads them.
 */
#define SC_LOCAL_ADDRESS  0x01
#define SC_REMOTE_ADDRESS 0x02
#define SC_KEYBLOCK	  0x04
#define SC_LOCAL_SUBKEY	  0x08
#define SC_REMOTE_SUBKEY  0x10
217
/*
 * Sentinel GSS name type: marks a host-based name whose hostname may
 * still need DNS canonicalisation.  The value is arbitrary, presumably
 * chosen not to collide with any real krb5 name type.
 * NOTE(review): canonicalising via DNS means trusting the resolver's
 * answer for the service principal; wherever that is acted on (not in
 * this header) it should follow the same policy libkrb5 applies
 * (dns_canonicalize_hostname / rdns settings -- confirm).
 */
#define MAGIC_HOSTBASED_NAME_TYPE 4711
220
/*
 * Interned key strings, defined in a .c file.  Presumably the keys of
 * an option dictionary handed to credential acquisition (the kGSSIC*
 * naming matches Apple's GSS.framework constants): password, ccache
 * name, certificate, LKDC hostname, app-identifier ACL -- confirm.
 * NOTE(review): whatever is stored under _gsskrb5_kGSSICPassword is a
 * cleartext secret.
 */
extern heim_string_t _gsskrb5_kGSSICPassword;
extern heim_string_t _gsskrb5_kGSSICKerberosCacheName;
extern heim_string_t _gsskrb5_kGSSICCertificate;
extern heim_string_t _gsskrb5_kGSSICLKDCHostname;
extern heim_string_t _gsskrb5_kGSSICAppIdentifierACL;
226
227
228#endif
229