1/*	$NetBSD: gssapi.h,v 1.2.6.1 2012/06/05 21:15:50 bouyer Exp $	*/
2
3/*
4 * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
5 * Copyright (C) 2000, 2001  Internet Software Consortium.
6 *
7 * Permission to use, copy, modify, and/or distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 * PERFORMANCE OF THIS SOFTWARE.
18 */
19
20/* Id: gssapi.h,v 1.16 2011/01/08 23:47:01 tbox Exp  */
21
22#ifndef DST_GSSAPI_H
23#define DST_GSSAPI_H 1
24
25/*! \file dst/gssapi.h */
26
27#include <isc/formatcheck.h>
28#include <isc/lang.h>
29#include <isc/platform.h>
30#include <isc/types.h>
31#include <dns/types.h>
32
#ifdef GSSAPI
#ifdef _WINDOWS
/*
 * MSVC does not like macros in #include lines.
 */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#else
/*
 * Elsewhere the GSS header names come from macros (presumably set by the
 * build in isc/platform.h); the Kerberos 5 extension header is optional.
 */
#include ISC_PLATFORM_GSSAPIHEADER
#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
#endif
#endif
/*
 * Fall back to a null pointer when the GSS library does not provide a
 * SPNEGO mechanism OID.  Code that selects SPNEGO by this macro must treat
 * the null value as "not available" rather than passing it to the library.
 */
#ifndef GSS_SPNEGO_MECHANISM
#define GSS_SPNEGO_MECHANISM ((void*)0)
#endif
#endif
50
51ISC_LANG_BEGINDECLS
52
53/***
54 *** Types
55 ***/
56
57/***
58 *** Functions
59 ***/
60
isc_result_t
dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
		       gss_cred_id_t *cred);
/*
 *	Acquires GSS credentials for 'name'.
 *
 *	Requires:
 *	'name'	    is a valid name, preferably one known by the GSS provider
 *	'initiate'  indicates whether the credentials are for initiating
 *		    (ISC_TRUE) or accepting (ISC_FALSE) contexts
 *	'cred'	    is a pointer to NULL, which will be set to the acquired
 *		    credential handle.  The caller owns the handle and must
 *		    pass it to dst_gssapi_releasecred() to free it.
 *
 *	Returns:
 *		ISC_R_SUCCESS	credentials were acquired and *cred is set
 *		other		an error occurred while acquiring the
 *				credentials
 */
80
isc_result_t
dst_gssapi_releasecred(gss_cred_id_t *cred);
/*
 *	Releases GSS credentials.  Calling this function does release the
 *	memory allocated for the credential in dst_gssapi_acquirecred().
 *
 *	Requires:
 *	'cred'	is a pointer to the credential handle to be released, as
 *		filled in by dst_gssapi_acquirecred()
 *
 *	Returns:
 *		ISC_R_SUCCESS	credential was released successfully
 *		other		an error occurred while releasing
 *				the credential
 *
 *	NOTE(review): the handle must not be reused after this call; whether
 *	*cred is reset to a null value on return is not stated here -- confirm
 *	against the implementation before relying on it.
 */
96
isc_result_t
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
		   isc_mem_t *mctx, char **err_message);
/*
 *	Initiates (or continues initiating) a GSS context with the acceptor
 *	named by 'name', wrapping gss_init_sec_context().
 *
 *	Requires:
 *	'name'		is a valid name, preferably one known by the GSS
 *			provider
 *	'intoken'	is a token received from the acceptor, or NULL if
 *			there isn't one yet (first call)
 *	'outtoken'	is a buffer to receive the token generated by
 *			gss_init_sec_context() to be sent to the acceptor
 *	'gssctx'	is a pointer to a valid gss_ctx_id_t (which may have
 *			the value GSS_C_NO_CONTEXT on the first call); pass
 *			the same pointer on each subsequent call
 *	'mctx'		is a valid memory context
 *	'err_message'	if non-NULL, may be set to a human-readable error
 *			string on failure.  NOTE(review): who owns that
 *			string (and which context frees it) is not stated
 *			here -- confirm against the implementation.
 *
 *	Returns:
 *		ISC_R_SUCCESS	the initiation step succeeded and 'outtoken'
 *				holds the token to send, if any
 *		other		an error occurred while initiating the
 *				context; *err_message may describe it
 */
120
isc_result_t
dst_gssapi_acceptctx(gss_cred_id_t cred,
		     const char *gssapi_keytab,
		     isc_region_t *intoken, isc_buffer_t **outtoken,
		     gss_ctx_id_t *context, dns_name_t *principal,
		     isc_mem_t *mctx);
/*
 *	Accepts (or continues accepting) a GSS context, wrapping
 *	gss_accept_sec_context().
 *
 *	Requires:
 *	'cred'		is the acceptor's valid GSS credential handle
 *	'gssapi_keytab'	presumably names the keytab the acceptor should use
 *			(or is NULL) -- TODO confirm against the implementation
 *	'intoken'	is a token received from the initiator
 *	'outtoken'	is a pointer to a buffer pointer used to return the
 *			token generated by gss_accept_sec_context() to be
 *			sent to the initiator; on entry 'outtoken' must be
 *			!= NULL and *outtoken == NULL
 *	'context'	is a valid pointer to receive the generated context
 *			handle.  On the initial call, it should be a pointer
 *			to NULL, which will be allocated as a gss_ctx_id_t.
 *			Subsequent calls should pass in the handle generated
 *			on the first call.  Call dst_gssapi_deletectx() to
 *			delete the context and free the memory.
 *	'principal'	presumably receives the initiator's principal name
 *			-- TODO confirm.  NOTE(review): a GSS context may
 *			need several token exchanges; do not use this name
 *			for authorization until establishment has completed
 *			successfully, since a partly established context does
 *			not prove the peer's identity.
 *	'mctx'		is a valid memory context
 *
 *	Returns:
 *		ISC_R_SUCCESS	the acceptance step succeeded and *outtoken
 *				holds any token to send back to the initiator
 *		other		an error occurred while accepting the
 *				context
 */
152
isc_result_t
dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
/*
 *	Destroys a GSS context.  This function deletes the context from the
 *	GSS provider and then frees the memory used by the context pointer.
 *
 *	Requires:
 *	'mctx'		is a valid memory context
 *	'gssctx'	is a pointer to a valid GSS context, as produced by
 *			dst_gssapi_initctx() or dst_gssapi_acceptctx()
 *
 *	Returns:
 *		ISC_R_SUCCESS
 *
 *	NOTE(review): *gssctx must not be used after this returns; the memory
 *	it referred to has been freed.
 */
166
167
void
gss_log(int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(2, 3);
/*
 * Logging function for GSS.
 *
 *  Requires
 *      'level' is the log level to be used, as an integer
 *      'fmt'   is a printf-style format string; ISC_FORMAT_PRINTF(2, 3)
 *              lets the compiler check the variadic arguments against it.
 *              Pass caller- or peer-supplied text through "%s", never as
 *              'fmt' itself (format-string injection).
 */
178
char *
gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
		   char *buf, size_t buflen);
/*
 *	Render a GSS major status/minor status pair into a string.
 *
 *	Requires:
 *	'major'	  is a GSS major status code
 *	'minor'	  is a GSS minor status code
 *	'buf'	  is a caller-supplied buffer of 'buflen' bytes that receives
 *		  the rendered text
 *
 *	Returns:
 *		A string containing the text representation of the error
 *		codes.  Users should copy the string if they wish to keep it;
 *		its storage should not be assumed to outlive 'buf'.
 */
193
isc_boolean_t
dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
			      dns_name_t *realm);
/*
 *	Compare 'signer', a Kerberos 5 principal written as a DNS name
 *	(e.g. host/example.com@EXAMPLE.COM), against the DNS name 'name' and
 *	the Kerberos realm 'realm'.
 *
 *	Returns:
 *		ISC_TRUE if the signer matches, ISC_FALSE otherwise.
 *
 *	NOTE(review): the exact rule -- which components of 'signer' are
 *	compared with 'name' and with 'realm', and whether the comparison is
 *	case-sensitive -- is fixed by the implementation, not this header.
 *	Confirm it before using this check for access control.
 */
203
isc_boolean_t
dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
			    dns_name_t *realm);
/*
 *	Compare 'signer', a Kerberos 5 principal written as a DNS name,
 *	against the DNS name 'name' and the Kerberos realm 'realm'.  The
 *	"ms" suffix suggests this handles the Microsoft-style principal form
 *	(as opposed to the host/... form checked by
 *	dst_gssapi_identitymatchesrealmkrb5()) -- confirm against the
 *	implementation.
 *
 *	Returns:
 *		ISC_TRUE if the signer matches, ISC_FALSE otherwise.
 *
 *	NOTE(review): as with the krb5 variant, the precise matching rule is
 *	defined by the implementation; confirm it before using this check
 *	for access control.
 */
213
214ISC_LANG_ENDDECLS
215
216#endif /* DST_GSSAPI_H */
217