      1 /*
      2  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
      3  * Use is subject to license terms.
      4  */
      5 /*
      6  * Copyright 1993 by OpenVision Technologies, Inc.
      7  *
      8  * Permission to use, copy, modify, distribute, and sell this software
      9  * and its documentation for any purpose is hereby granted without fee,
     10  * provided that the above copyright notice appears in all copies and
     11  * that both that copyright notice and this permission notice appear in
     12  * supporting documentation, and that the name of OpenVision not be used
     13  * in advertising or publicity pertaining to distribution of the software
     14  * without specific, written prior permission. OpenVision makes no
     15  * representations about the suitability of this software for any
     16  * purpose.  It is provided "as is" without express or implied warranty.
     17  *
     18  * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
     19  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
     20  * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
     21  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
     22  * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
     23  * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
     24  * PERFORMANCE OF THIS SOFTWARE.
     25  */
     26 
     27 #ifndef _GSSAPI_KRB5_H_
     28 #define _GSSAPI_KRB5_H_
     29 
     30 #include <gssapi/gssapi.h>
     31 #include <gssapi/gssapi_ext.h>
     32 #include <krb5.h>
     33 
     34 /* SUNW15resync */
     35 #ifndef GSS_DLLIMP
     36 #define GSS_DLLIMP
     37 #endif
     38 
/* C++ friendliness */
     40 #ifdef __cplusplus
     41 extern "C" {
     42 #endif /* __cplusplus */
     43 
     44 /* Reserved static storage for GSS_oids.  See rfc 1964 for more details. */
     45 
     46 /* 2.1.1. Kerberos Principal Name Form: */
     47 GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
     48 /* This name form shall be represented by the Object Identifier {iso(1)
     49  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
     50  * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
     51  * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
     52 
     53 /* 2.1.2. Host-Based Service Name Form */
     54 #define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
     55 /* This name form shall be represented by the Object Identifier {iso(1)
     56  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
     57  * generic(1) service_name(4)}.  The previously recommended symbolic
     58  * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
     59  * currently preferred symbolic name for this type is
     60  * "GSS_C_NT_HOSTBASED_SERVICE". */
     61 
     62 /* 2.2.1. User Name Form */
     63 #define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
     64 /* This name form shall be represented by the Object Identifier {iso(1)
     65  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
     66  * generic(1) user_name(1)}.  The recommended symbolic name for this
     67  * type is "GSS_KRB5_NT_USER_NAME". */
     68 
     69 /* 2.2.2. Machine UID Form */
     70 #define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
     71 /* This name form shall be represented by the Object Identifier {iso(1)
     72  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
     73  * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
     74  * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */
     75 
     76 /* 2.2.3. String UID Form */
     77 #define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
     78 /* This name form shall be represented by the Object Identifier {iso(1)
     79  * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
     80  * generic(1) string_uid_name(3)}.  The recommended symbolic name for
     81  * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
     82 
/*
 * Mechanism and name-type OIDs exported by the krb5 GSS mechanism.
 * gss_mech_krb5 is the canonical krb5 mechanism OID; gss_mech_krb5_old
 * and gss_mech_krb5_wrong are presumably legacy / differently-encoded
 * variants kept for interoperability -- confirm against the
 * implementation before relying on which peers they admit.  The
 * gss_mech_set_* objects group these OIDs as gss_OID_set values.
 */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both;

/* krb5 name-type OIDs (see the RFC 1964 name forms documented above). */
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;

/* Static storage backing the OID pointers above. */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
     94 
/*
 * Older gss_krb5_nt_* spellings mapped onto the gss_nt_* names,
 * presumably retained for source compatibility -- confirm.
 */
#define gss_krb5_nt_general_name	gss_nt_krb5_name
#define gss_krb5_nt_principal		gss_nt_krb5_principal
#define gss_krb5_nt_service_name	gss_nt_service_name
#define gss_krb5_nt_user_name		gss_nt_user_name
#define gss_krb5_nt_machine_uid_name	gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name	gss_nt_string_uid_name
    101 
    102 
/*
 * 64-bit unsigned type used for the sequence numbers in
 * gss_krb5_lucid_context_v1 (send_seq / recv_seq).
 */
#if defined(_WIN32)
typedef  unsigned __int64 gss_uint64;
#else /*windows*/

#ifdef _KERNEL
#include <sys/inttypes.h>
#else /* _KERNEL */
#include <inttypes.h>
#endif /* _KERNEL */

typedef  uint64_t gss_uint64;
#endif
    115 
    116 
/*
 * A single raw Kerberos key as returned inside a lucid security context.
 * 'data' points at the actual key bytes, so any structure embedding this
 * is secret material: keep it out of logs and core dumps, and release the
 * enclosing lucid context with gss_krb5_free_lucid_sec_context().
 * Whether that call zeroizes 'data' before freeing is not specified
 * here -- confirm with the implementation.
 */
typedef struct gss_krb5_lucid_key {
	OM_uint32	type;		/* key encryption type (enctype) */
	OM_uint32	length;		/* length of key data
					   (presumably in bytes) */
	void *		data;		/* actual key data */
} gss_krb5_lucid_key_t;
    122 
/*
 * Key data for a context using the RFC 1964 token format
 * (gss_krb5_lucid_context_v1.protocol == 0).
 */
typedef struct gss_krb5_rfc1964_keydata {
	OM_uint32	sign_alg;	/* signing algorithm */
	OM_uint32	seal_alg;	/* seal/encrypt algorithm */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
    130 
/*
 * Key data for a context using the CFX token format
 * (gss_krb5_lucid_context_v1.protocol == 1).
 */
typedef struct gss_krb5_cfx_keydata {
	OM_uint32		have_acceptor_subkey;
					/* 1 if there is an acceptor_subkey
					   present, 0 otherwise */
	gss_krb5_lucid_key_t	ctx_key;
					/* Context key
					   (Kerberos session key or subkey) */
	gss_krb5_lucid_key_t	acceptor_subkey;
					/* acceptor-asserted subkey, or all
					   zeros when have_acceptor_subkey
					   is 0 */
} gss_krb5_cfx_keydata_t;
    142 
/*
 * Version 1 of the lucid (non-opaque) security context returned by
 * gss_krb5_export_lucid_sec_context().  'version' is the first member so
 * a caller can read it through gss_krb5_lucid_context_version_t before
 * deciding which structure layout the returned pointer really has.
 *
 * Exactly one of rfc1964_kd / cfx_kd is meaningful, selected by
 * 'protocol'; the other is expected to be all zeros.  Both embed raw
 * key material, so the whole structure is secret data.
 */
typedef struct gss_krb5_lucid_context_v1 {
	OM_uint32	version;	/* Structure version number (1)
					   MUST be at beginning of struct! */
	OM_uint32	initiate;	/* Are we the initiator? */
	OM_uint32	endtime;	/* expiration time of context
					   (32-bit; epoch and units are not
					   stated here -- confirm) */
	gss_uint64	send_seq;	/* sender sequence number */
	gss_uint64	recv_seq;	/* receive sequence number */
	OM_uint32	protocol;	/* 0: rfc1964,
					   1: draft-ietf-krb-wg-gssapi-cfx-07 */
	/*
	 * if (protocol == 0) rfc1964_kd should be used
	 * and cfx_kd contents are invalid and should be zero
	 * if (protocol == 1) cfx_kd should be used
	 * and rfc1964_kd contents are invalid and should be zero
	 */
	gss_krb5_rfc1964_keydata_t rfc1964_kd;
	gss_krb5_cfx_keydata_t	   cfx_kd;
} gss_krb5_lucid_context_v1_t;
    161 
/*
 * Mask for determining the returned structure version.  Every lucid
 * context structure begins with the same 'version' member, so the
 * pointer returned by gss_krb5_export_lucid_sec_context() may be cast to
 * this type to read the version before choosing the full layout.  See
 * the example at gss_krb5_export_lucid_sec_context() for usage.
 */
typedef struct gss_krb5_lucid_context_version {
	OM_uint32	version;	/* Structure version number */
} gss_krb5_lucid_context_version_t;
    169 
    170 
    171 
    172 
/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Registers the identity the acceptor side will authenticate as.  The
 * argument is presumably the name of the keytab holding the acceptor's
 * keys, and the setting presumably applies process-wide -- confirm both
 * with the implementation.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
    177 
/*
 * Copies the credentials held by 'cred_handle' into the caller-supplied
 * krb5 credential cache 'out_ccache' (as implied by the parameter
 * names -- confirm).  The resulting cache holds usable tickets outside
 * the GSS credential and needs the same protection as the original.
 * Returns a GSS major status; 'minor_status' receives the
 * mechanism-specific status per the usual GSS-API convention.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
	(OM_uint32 *minor_status,
		   gss_cred_id_t cred_handle,
		   krb5_ccache out_ccache);
    182 
/*
 * Sets the name of the credential cache the krb5 mechanism will use and,
 * when 'out_name' is non-NULL, presumably returns the previously
 * configured name through it (inferred from the parameter names).
 * Ownership and lifetime of *out_name are not stated here -- confirm
 * before freeing or retaining it.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
	(OM_uint32 *minor_status, const char *name,
		   const char **out_name);
    186 
/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * 'num_ktypes' is the number of entries in 'ktypes'.  Whether the
 * entries are validated (e.g. unknown or deprecated enctypes rejected)
 * is not specified here -- confirm with the implementation.
 * Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
				gss_cred_id_t cred,
				OM_uint32 num_ktypes,
				krb5_enctype *ktypes);
    215 
    216 /*
    217  * Returns a non-opaque (lucid) version of the internal context
    218  * information.
    219  *
    220  * Note that context_handle must not be used again by the caller
    221  * after this call.  The GSS implementation is free to release any
    222  * resources associated with the original context.  It is up to the
    223  * GSS implementation whether it returns pointers to existing data,
    224  * or copies of the data.  The caller should treat the returned
    225  * lucid context as read-only.
    226  *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
    229  *
    230  * 'version' is an integer indicating the highest version of lucid
    231  * context understood by the caller.  The highest version
    232  * understood by both the caller and the GSS implementation must
    233  * be returned.  The caller can determine which version of the
    234  * structure was actually returned by examining the version field
    235  * of the returned structure.  gss_krb5_lucid_context_version_t
    236  * may be used as a mask to examine the returned structure version.
    237  *
    238  * If there are no common versions, an error should be returned.
    239  * (XXX Need error definition(s))
    240  *
    241  * For example:
    242  *	void *return_ctx;
    243  *	gss_krb5_lucid_context_v1_t *ctx;
    244  *	OM_uint32 min_stat, maj_stat;
    245  *	OM_uint32 vers;
    246  *	gss_ctx_id_t *ctx_handle;
    247  *
    248  *	maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
    249  *			ctx_handle, 1, &return_ctx);
    250  *	// Verify success
    251  *
    252  *	vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
    253  *	switch (vers) {
    254  *	case 1:
    255  *		ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
    256  *		break;
    257  *	default:
    258  *		// Error, unknown version returned
    259  *		break;
    260  *	}
    261  *
    262  */
    263 
/*
 * See the description above.  The structure stored in *kctx embeds raw
 * key material (gss_krb5_lucid_key.data), so it must be treated as
 * secret and released with gss_krb5_free_lucid_sec_context(), not
 * free().  'version' is the highest lucid structure version the caller
 * understands; *context_handle must not be used again after this call.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
				  gss_ctx_id_t *context_handle,
				  OM_uint32 version,
				  void **kctx);
    269 
/*
 * Frees the storage of a lucid context previously returned through the
 * 'kctx' argument of gss_krb5_export_lucid_sec_context() (for example a
 * gss_krb5_lucid_context_v1_t).  Pass the pointer exactly as returned.
 * Whether the embedded key material is zeroized before release is not
 * specified here -- confirm with the implementation if that matters.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
				void *kctx);
    277 
    278 
/*
 * Extracts the authorization data of type 'ad_type' from the established
 * context into 'ad_data'.  The provenance of the returned data (issued
 * by the KDC vs. supplied by the client and merely carried in the
 * ticket) is not stated here; a caller making access decisions on it
 * should confirm how the implementation validates it before trusting
 * it.  'ad_data' storage is presumably owned by the caller and released
 * with gss_release_buffer() -- confirm.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                            int ad_type,
                                            gss_buffer_t ad_data);
    284 
/*
 * Associates the replay cache 'rcache' with the credential 'cred', as
 * implied by the parameter names -- confirm.  The replay cache is what
 * lets an acceptor detect re-submitted authenticators, so a caller
 * replacing the default should understand the cache's scope and
 * persistence.  Ownership of 'rcache' after the call is not stated here.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
                         gss_cred_id_t cred,
                         krb5_rcache rcache);
    289 
/*
 * Returns, through the krb5_timestamp out-parameter, the authentication
 * time recorded for the security context.  Arguments, in order: minor
 * status out-parameter, context handle, authtime out-parameter.  Which
 * ticket or authenticator field this reflects is not stated here --
 * confirm with the implementation.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);
    292 
    293 
    294 #ifdef __cplusplus
    295 }
    296 #endif /* __cplusplus */
    297 
    298 #endif /* _GSSAPI_KRB5_H_ */