1/* This is the gssapi_krb5.h prologue. */
2#include <stdint.h>
3/* End of gssapi_krb5.h prologue. */
4/* -*- mode: c; indent-tabs-mode: nil -*- */
5/*
6 * Copyright 1993 by OpenVision Technologies, Inc.
7 *
8 * Permission to use, copy, modify, distribute, and sell this software
9 * and its documentation for any purpose is hereby granted without fee,
10 * provided that the above copyright notice appears in all copies and
11 * that both that copyright notice and this permission notice appear in
12 * supporting documentation, and that the name of OpenVision not be used
13 * in advertising or publicity pertaining to distribution of the software
14 * without specific, written prior permission. OpenVision makes no
15 * representations about the suitability of this software for any
16 * purpose.  It is provided "as is" without express or implied warranty.
17 *
18 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
19 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
20 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
21 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
22 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
23 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
24 * PERFORMANCE OF THIS SOFTWARE.
25 */
26
27#ifndef _GSSAPI_KRB5_H_
28#define _GSSAPI_KRB5_H_
29
30#include "mit-gssapi.h"
31#include "mit-krb5.h"
32
33/* C++ friendlyness */
34#ifdef __cplusplus
35extern "C" {
36#endif /* __cplusplus */
37
38/* Reserved static storage for GSS_oids.  See rfc 1964 for more details. */
39
40/* 2.1.1. Kerberos Principal Name Form: */
41GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
42/* This name form shall be represented by the Object Identifier {iso(1)
43 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
44 * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
45 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
46
47/* 2.1.2. Host-Based Service Name Form */
48#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
49/* This name form shall be represented by the Object Identifier {iso(1)
50 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
51 * generic(1) service_name(4)}.  The previously recommended symbolic
52 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
53 * currently preferred symbolic name for this type is
54 * "GSS_C_NT_HOSTBASED_SERVICE". */
55
56/* 2.2.1. User Name Form */
57#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
58/* This name form shall be represented by the Object Identifier {iso(1)
59 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
60 * generic(1) user_name(1)}.  The recommended symbolic name for this
61 * type is "GSS_KRB5_NT_USER_NAME". */
62
63/* 2.2.2. Machine UID Form */
64#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
65/* This name form shall be represented by the Object Identifier {iso(1)
66 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
67 * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
68 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */
69
70/* 2.2.3. String UID Form */
71#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
72/* This name form shall be represented by the Object Identifier {iso(1)
73 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
74 * generic(1) string_uid_name(3)}.  The recommended symbolic name for
75 * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
76
77GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
78GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
79GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
80GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
81GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
82GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;
83
84GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
85GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;
86
87GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
88
89#define gss_krb5_nt_general_name        gss_nt_krb5_name
90#define gss_krb5_nt_principal           gss_nt_krb5_principal
91#define gss_krb5_nt_service_name        gss_nt_service_name
92#define gss_krb5_nt_user_name           gss_nt_user_name
93#define gss_krb5_nt_machine_uid_name    gss_nt_machine_uid_name
94#define gss_krb5_nt_string_uid_name     gss_nt_string_uid_name
95
96
97#if defined(_WIN32)
98typedef  unsigned __int64 gss_uint64;
99#else /*windows*/
100#include <inttypes.h>
101typedef  uint64_t gss_uint64;
102#endif
103
104
105typedef struct gss_krb5_lucid_key {
106    OM_uint32       type;           /* key encryption type */
107    OM_uint32       length;         /* length of key data */
108    void *          data;           /* actual key data */
109} gss_krb5_lucid_key_t;
110
111typedef struct gss_krb5_rfc1964_keydata {
112    OM_uint32       sign_alg;       /* signing algorthm */
113    OM_uint32       seal_alg;       /* seal/encrypt algorthm */
114    gss_krb5_lucid_key_t    ctx_key;
115    /* Context key
116       (Kerberos session key or subkey) */
117} gss_krb5_rfc1964_keydata_t;
118
119typedef struct gss_krb5_cfx_keydata {
120    OM_uint32               have_acceptor_subkey;
121    /* 1 if there is an acceptor_subkey
122       present, 0 otherwise */
123    gss_krb5_lucid_key_t    ctx_key;
124    /* Context key
125       (Kerberos session key or subkey) */
126    gss_krb5_lucid_key_t    acceptor_subkey;
127    /* acceptor-asserted subkey or
128       0's if no acceptor subkey */
129} gss_krb5_cfx_keydata_t;
130
131typedef struct gss_krb5_lucid_context_v1 {
132    OM_uint32       version;        /* Structure version number (1)
133                                       MUST be at beginning of struct! */
134    OM_uint32       initiate;       /* Are we the initiator? */
135    OM_uint32       endtime;        /* expiration time of context */
136    gss_uint64      send_seq;       /* sender sequence number */
137    gss_uint64      recv_seq;       /* receive sequence number */
138    OM_uint32       protocol;       /* 0: rfc1964,
139                                       1: draft-ietf-krb-wg-gssapi-cfx-07 */
140    /*
141     * if (protocol == 0) rfc1964_kd should be used
142     * and cfx_kd contents are invalid and should be zero
143     * if (protocol == 1) cfx_kd should be used
144     * and rfc1964_kd contents are invalid and should be zero
145     */
146    gss_krb5_rfc1964_keydata_t rfc1964_kd;
147    gss_krb5_cfx_keydata_t     cfx_kd;
148} gss_krb5_lucid_context_v1_t;
149
150/*
151 * Mask for determining the returned structure version.
152 * See example below for usage.
153 */
154typedef struct gss_krb5_lucid_context_version {
155    OM_uint32       version;        /* Structure version number */
156} gss_krb5_lucid_context_version_t;
157
158
159typedef struct apple_gss_krb5_authdata_if_relevant_key {
160OM_uint32	type;		/* key encryption type */
161OM_uint32	length;		/* length of key data */
162void *		data;		/* actual key data */
163} apple_gss_krb5_authdata_if_relevant;
164
165
166/* Alias for Heimdal compat. */
167#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity
168
169OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
170
171OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
172    OM_uint32 *minor_status,
173    gss_ctx_id_t context_handle,
174    krb5_flags *ticket_flags);
175
176OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
177    OM_uint32 *minor_status,
178    gss_cred_id_t cred_handle,
179    krb5_ccache out_ccache);
180
181OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
182    OM_uint32 *minor_status, const char *name,
183    const char **out_name);
184
185/*
186 * gss_krb5_set_allowable_enctypes
187 *
188 * This function may be called by a context initiator after calling
189 * gss_acquire_cred(), but before calling gss_init_sec_context(),
190 * to restrict the set of enctypes which will be negotiated during
191 * context establishment to those in the provided array.
192 *
193 * 'cred' must be a valid credential handle obtained via
194 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
195 * gss_acquire_cred() may have been called to get a handle to
196 * the default credential.
197 *
198 * The purpose of this function is to limit the keys that may
199 * be exported via gss_krb5_export_lucid_sec_context(); thus it
200 * should limit the enctypes of all keys that will be needed
201 * after the security context has been established.
202 * (i.e. context establishment may use a session key with a
203 * stronger enctype than in the provided array, however a
204 * subkey must be established within the enctype limits
205 * established by this function.)
206 *
207 */
208OM_uint32 KRB5_CALLCONV
209gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
210                                gss_cred_id_t cred,
211                                OM_uint32 num_ktypes,
212                                krb5_enctype *ktypes);
213
214/*
215 * Returns a non-opaque (lucid) version of the internal context
216 * information.
217 *
218 * Note that context_handle must not be used again by the caller
219 * after this call.  The GSS implementation is free to release any
220 * resources associated with the original context.  It is up to the
221 * GSS implementation whether it returns pointers to existing data,
222 * or copies of the data.  The caller should treat the returned
223 * lucid context as read-only.
224 *
225 * The caller must call gss_krb5_free_lucid_context() to free
226 * the context and allocated resources when it is finished with it.
227 *
228 * 'version' is an integer indicating the highest version of lucid
229 * context understood by the caller.  The highest version
230 * understood by both the caller and the GSS implementation must
231 * be returned.  The caller can determine which version of the
232 * structure was actually returned by examining the version field
233 * of the returned structure.  gss_krb5_lucid_context_version_t
234 * may be used as a mask to examine the returned structure version.
235 *
236 * If there are no common versions, an error should be returned.
237 * (XXX Need error definition(s))
238 *
239 * For example:
240 *      void *return_ctx;
241 *      gss_krb5_lucid_context_v1_t *ctx;
242 *      OM_uint32 min_stat, maj_stat;
243 *      OM_uint32 vers;
244 *      gss_ctx_id_t *ctx_handle;
245 *
246 *      maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
247 *                      ctx_handle, 1, &return_ctx);
248 *      // Verify success
249 *
250 *      vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
251 *      switch (vers) {
252 *      case 1:
253 *              ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
254 *              break;
255 *      default:
256 *              // Error, unknown version returned
257 *              break;
258 *      }
259 *
260 */
261
262OM_uint32 KRB5_CALLCONV
263gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
264                                  gss_ctx_id_t *context_handle,
265                                  OM_uint32 version,
266                                  void **kctx);
267
268
269
270/*
271 * Returns a non-opaque (lucid) version of the internal context
272 * information.
273 *
274 * Note that context_handle must not be used again by the caller
275 * after this call.  The GSS implementation is free to release any
276 * resources associated with the original context.  It is up to the
277 * GSS implementation whether it returns pointers to existing data,
278 * or copies of the data.  The caller should treat the returned
279 * lucid context as read-only.
280 *
281 * The caller must call gss_krb5_free_lucid_context() to free
282 * the context and allocated resources when it is finished with it.
283 *
284 * 'version' is an integer indicating the highest version of lucid
285 * context understood by the caller.  The highest version
286 * understood by both the caller and the GSS implementation must
287 * be returned.  The caller can determine which version of the
288 * structure was actually returned by examining the version field
289 * of the returned structure.  gss_krb5_lucid_context_version_t
290 * may be used as a mask to examine the returned structure version.
291 *
292 * If there are no common versions, an error should be returned.
293 * (XXX Need error definition(s))
294 *
295 *
296 */
297
298OM_uint32 KRB5_CALLCONV
299apple_gss_krb5_export_authdata_if_relevant_context(OM_uint32 *minor_status,
300                  gss_ctx_id_t *context_handle,
301                  OM_uint32 version,
302                  void **kctx);
303
304/*
305* Frees the allocated storage associated with an
306* exported struct apple_gss_krb5_authdata_if_relevant.
307*/
308OM_uint32 KRB5_CALLCONV
309apple_gss_krb5_free_authdata_if_relevant(OM_uint32 *minor_status,
310void *kctx);
311
312
313
314/*
315 * Frees the allocated storage associated with an
316 * exported struct gss_krb5_lucid_context.
317 */
318OM_uint32 KRB5_CALLCONV
319gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
320                                void *kctx);
321
322#define GSS_KRB5_UI_ALLOW	1
323#define GSS_KRB5_UI_DENY	2
324#define GSS_KRB5_UI_PROBE	3
325
326OM_uint32 KRB5_CALLCONV
327gss_krb5_ui(OM_uint32 * /* minor_status */, OM_uint32 /* flag */);
328
329#ifdef __cplusplus
330}
331#endif /* __cplusplus */
332
333#endif /* _GSSAPI_KRB5_H_ */
334