1/* 2 * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34/* $Id$ */ 35 36#ifndef GSSKRB5_LOCL_H 37#define GSSKRB5_LOCL_H 38 39#include <config.h> 40 41#include <gssapi_rewrite.h> 42 43#include <krb5_locl.h> 44#include <gkrb5_err.h> 45#include <gssapi.h> 46#include <gssapi_mech.h> 47#include <gssapi_krb5.h> 48#include <gssapi_spi.h> 49#include <assert.h> 50 51#include <heimbase.h> 52 53#include <pku2u_asn1.h> 54#include <gssapi_asn1.h> 55 56#include <gsskrb5_crypto.h> 57 58#include "cfx.h" 59 60#ifdef __APPLE_PRIVATE__ 61#include <CommonCrypto/CommonCryptor.h> 62#ifndef __APPLE_TARGET_EMBEDDED__ 63#include <CommonCrypto/CommonCryptorSPI.h> 64#endif 65#endif 66 67typedef struct gsskrb5_ctx *gsskrb5_ctx; 68typedef struct gsskrb5_cred *gsskrb5_cred; 69 70typedef OM_uint32 71(*gsskrb5_acceptor_state)(OM_uint32 *minor_status, 72 gsskrb5_ctx ctx, 73 krb5_context context, 74 const gss_cred_id_t acceptor_cred_handle, 75 const gss_buffer_t input_token_buffer, 76 const gss_channel_bindings_t input_chan_bindings, 77 gss_name_t * src_name, 78 gss_OID * mech_type, 79 gss_buffer_t output_token, 80 OM_uint32 * ret_flags, 81 OM_uint32 * time_rec, 82 gss_cred_id_t * delegated_cred_handle); 83 84typedef OM_uint32 85(*gsskrb5_initator_state)(OM_uint32 * minor_status, 86 gsskrb5_cred cred, 87 gsskrb5_ctx ctx, 88 krb5_context context, 89 gss_name_t name, 90 const gss_OID mech_type, 91 OM_uint32 req_flags, 92 OM_uint32 time_req, 93 const gss_channel_bindings_t input_chan_bindings, 94 const gss_buffer_t input_token, 95 gss_buffer_t output_token, 96 OM_uint32 * ret_flags, 97 OM_uint32 * time_rec); 98 99/* 100 * 101 */ 102 103struct gss_msg_order; 104 105struct gsskrb5_ctx { 106 struct gsskrb5_crypto gk5c; 107 gss_OID mech; 108 struct krb5_auth_context_data *auth_context; 109 struct krb5_auth_context_data *deleg_auth_context; 110 krb5_principal source, target; 111#define IS_DCE_STYLE(ctx) (((ctx)->flags & GSS_C_DCE_STYLE) != 0) 112 OM_uint32 flags; 113 enum { LOCAL = 0x001, 114 OPEN = 0x002, 115 COMPAT_OLD_DES3 = 0x004, 116 COMPAT_OLD_DES3_SELECTED = 0x008, 117 CLOSE_CCACHE = 0x010, 118 DESTROY_CCACHE = 0x020, 119 IS_CFX = 0x040, 120 PAC_VALID = 0x080, 121 RETRIED_SKEW = 0x100, 122 RETRIED_NEWTICKET = 0x200, 123 } more_flags; 124 gsskrb5_acceptor_state acceptor_state; 125 gsskrb5_initator_state initiator_state; 126 krb5_creds *kcred; 127 krb5_ccache ccache; 128 struct krb5_ticket *ticket; 129 time_t endtime; 130 HEIMDAL_MUTEX ctx_id_mutex; 131 krb5_keyblock *service_keyblock; 132 krb5_data fwd_data; 133#ifdef PKINIT 134 hx509_cert cert; 135#endif 136 krb5_storage *messages; 137 138 /* IAKERB */ 139 krb5_get_init_creds_opt *gic_opt; 140 krb5_init_creds_context asctx; 141 krb5_tkt_creds_context tgsctx; 142 krb5_data *cookie; 143 char *password; 144 krb5_realm iakerbrealm; 145 krb5_data friendlyname; 146 krb5_data lkdchostname; 147 148}; 149 150struct gsskrb5_cred { 151 krb5_principal principal; 152 int cred_flags; 153#define GSS_CF_DESTROY_CRED_ON_RELEASE 1 154#define GSS_CF_NO_CI_FLAGS 2 155#define GSS_CF_IAKERB_RESOLVED 4 156 struct krb5_keytab_data *keytab; 157 time_t endtime; 158 gss_cred_usage_t usage; 159 struct krb5_ccache_data *ccache; 160 HEIMDAL_MUTEX cred_id_mutex; 161 krb5_enctype *enctypes; 162#ifdef PKINIT 163 hx509_cert cert; 164#endif 165 char *password; 166}; 167 168typedef struct Principal *gsskrb5_name; 169 170/* 171 * 172 */ 173 174extern krb5_keytab _gsskrb5_keytab; 175extern HEIMDAL_MUTEX gssapi_keytab_mutex; 176 177/* 178 * Prototypes 179 */ 180 181#include <gsskrb5-private.h> 182 183#define GSSAPI_KRB5_INIT(ctx) do { \ 184 krb5_error_code kret_gss_init; \ 185 if((kret_gss_init = _gsskrb5_init (ctx)) != 0) { \ 186 *minor_status = kret_gss_init; \ 187 return GSS_S_FAILURE; \ 188 } \ 189} while (0) 190 191#define GSSAPI_KRB5_INIT_GOTO(ctx,_label) do { \ 192 krb5_error_code kret_gss_init; \ 193 if((kret_gss_init = _gsskrb5_init (ctx)) != 0) \ 194 goto _label; \ 195} while (0) 196 197#define GSSAPI_KRB5_INIT_VOID(ctx) do { \ 198 krb5_error_code kret_gss_init; \ 199 if((kret_gss_init = _gsskrb5_init (ctx)) != 0) \ 200 return; \ 201} while (0) 202 203#define GSSAPI_KRB5_INIT_STATUS(ctx, status) do { \ 204 krb5_error_code kret_gss_init; \ 205 if((kret_gss_init = _gsskrb5_init (ctx)) != 0) \ 206 return GSS_S_FAILURE; \ 207} while (0) 208 209 210/* sec_context flags */ 211 212#define SC_LOCAL_ADDRESS 0x01 213#define SC_REMOTE_ADDRESS 0x02 214#define SC_KEYBLOCK 0x04 215#define SC_LOCAL_SUBKEY 0x08 216#define SC_REMOTE_SUBKEY 0x10 217 218/* type to signal that that dns canon maybe should be done */ 219#define MAGIC_HOSTBASED_NAME_TYPE 4711 220 221extern heim_string_t _gsskrb5_kGSSICPassword; 222extern heim_string_t _gsskrb5_kGSSICKerberosCacheName; 223extern heim_string_t _gsskrb5_kGSSICCertificate; 224extern heim_string_t _gsskrb5_kGSSICLKDCHostname; 225extern heim_string_t _gsskrb5_kGSSICAppIdentifierACL; 226 227 228#endif 229