
0001 /* -*- mode: c; indent-tabs-mode: nil -*- */
0002 /*
0003  * Copyright 1993 by OpenVision Technologies, Inc.
0004  *
0005  * Permission to use, copy, modify, distribute, and sell this software
0006  * and its documentation for any purpose is hereby granted without fee,
0007  * provided that the above copyright notice appears in all copies and
0008  * that both that copyright notice and this permission notice appear in
0009  * supporting documentation, and that the name of OpenVision not be used
0010  * in advertising or publicity pertaining to distribution of the software
0011  * without specific, written prior permission. OpenVision makes no
0012  * representations about the suitability of this software for any
0013  * purpose.  It is provided "as is" without express or implied warranty.
0014  *
0015  * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
0016  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
0017  * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
0018  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
0019  * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
0020  * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0021  * PERFORMANCE OF THIS SOFTWARE.
0022  */
0023 
0024 #ifndef _GSSAPI_KRB5_H_
0025 #define _GSSAPI_KRB5_H_
0026 
0027 #include <gssapi/gssapi.h>
0028 #include <gssapi/gssapi_ext.h>
0029 #include <krb5.h>
0030 #include <stdint.h>
0031 
0032 /* C++ friendlyness */
0033 #ifdef __cplusplus
0034 extern "C" {
0035 #endif /* __cplusplus */
0036 
/* Reserved static storage for GSS_oids.  See rfc 1964 for more details. */

/* 2.1.1. Kerberos Principal Name Form: */
GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_PRINCIPAL_NAME;
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */

/* 2.1.2. Host-Based Service Name Form */
#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) service_name(4)}.  The previously recommended symbolic
 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
 * currently preferred symbolic name for this type is
 * "GSS_C_NT_HOSTBASED_SERVICE". */

/* 2.2.1. User Name Form */
#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) user_name(1)}.  The recommended symbolic name for this
 * type is "GSS_KRB5_NT_USER_NAME". */

/* 2.2.2. Machine UID Form */
#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */

/* 2.2.3. String UID Form */
#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) string_uid_name(3)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_STRING_UID_NAME". */

/* Kerberos Enterprise Name Form (see RFC 6806 section 5): */
GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_ENTERPRISE_NAME;
/* {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5-enterprise-name(6)}. */

/* Kerberos X.509 DER-encoded certificate */
GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_X509_CERT;
/* {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5-x509-cert(7)}. */

/*
 * Mechanism OIDs and OID sets exported by the krb5 mechanism.
 * NOTE(review): the _old and _wrong variants appear to be alternative
 * encodings of the krb5 mechanism OID retained for interoperability;
 * confirm their exact values against the mechanism sources before
 * depending on them in policy checks.
 */
GSS_DLLIMP extern const gss_OID gss_mech_krb5;
GSS_DLLIMP extern const gss_OID gss_mech_krb5_old;
GSS_DLLIMP extern const gss_OID gss_mech_krb5_wrong;
GSS_DLLIMP extern const gss_OID gss_mech_iakerb;
GSS_DLLIMP extern const gss_OID_set gss_mech_set_krb5;
GSS_DLLIMP extern const gss_OID_set gss_mech_set_krb5_old;
GSS_DLLIMP extern const gss_OID_set gss_mech_set_krb5_both;

/* Name-type OIDs (see also the GSS_KRB5_NT_* names declared above). */
GSS_DLLIMP extern const gss_OID gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID gss_nt_krb5_principal;

/* Presumably the static backing storage for the OID constants above;
 * callers should use the named gss_OID pointers rather than indexing
 * this array directly. */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];

/*
 * This OID can be used with gss_set_cred_option() to suppress the
 * confidentiality and integrity flags from being asserted in initial context
 * tokens.
 *
 * iso(1) member-body(2) Sweden(752) Stockholm University(43) Heimdal GSS-API
 * Extensions(13) no_ci_flags(29)
 *
 * NOTE(review): this changes what the initiator advertises in its first
 * token; only set it when the application protocol does not rely on
 * GSS_C_CONF_FLAG / GSS_C_INTEG_FLAG being requested.
 */
GSS_DLLIMP extern const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;

/*
 * This OID can be used with gss_inquire_cred_by_oid() to retrieve the
 * impersonator name (if any).
 *
 * iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5-gssapi-ext(5) get-cred-impersonator(14)
 */
GSS_DLLIMP extern const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR;

/* Legacy spellings kept for source compatibility.  The gss_nt_service_name,
 * gss_nt_user_name, gss_nt_machine_uid_name and gss_nt_string_uid_name
 * targets are not declared in this header (presumably they come from
 * <gssapi/gssapi.h>). */
#define gss_krb5_nt_general_name        gss_nt_krb5_name
#define gss_krb5_nt_principal           gss_nt_krb5_principal
#define gss_krb5_nt_service_name        gss_nt_service_name
#define gss_krb5_nt_user_name           gss_nt_user_name
#define gss_krb5_nt_machine_uid_name    gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name     gss_nt_string_uid_name
0124 
/*
 * A raw Kerberos key as exposed through the lucid context export.
 * 'data' points at 'length' bytes of key material for enctype 'type'.
 * This is secret material: callers should keep it in memory no longer
 * than needed.  It is owned by the enclosing lucid context and is
 * released with it by gss_krb5_free_lucid_sec_context().
 */
typedef struct gss_krb5_lucid_key {
    OM_uint32       type;           /* key encryption type */
    OM_uint32       length;         /* length of key data */
    void *          data;           /* actual key data */
} gss_krb5_lucid_key_t;
0130 
/*
 * Key data for an RFC 1964 context (gss_krb5_lucid_context_v1_t.protocol
 * == 0).  sign_alg / seal_alg identify the checksum and seal algorithms
 * negotiated for the context; ctx_key is the single key used for both.
 */
typedef struct gss_krb5_rfc1964_keydata {
    OM_uint32       sign_alg;       /* signing algorithm */
    OM_uint32       seal_alg;       /* seal/encrypt algorithm */
    gss_krb5_lucid_key_t    ctx_key;
    /* Context key
       (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
0138 
/*
 * Key data for a CFX context (gss_krb5_lucid_context_v1_t.protocol == 1).
 * When have_acceptor_subkey is 0, acceptor_subkey carries no key and its
 * contents are all zeros; consumers must check the flag before using it.
 */
typedef struct gss_krb5_cfx_keydata {
    OM_uint32               have_acceptor_subkey;
    /* 1 if there is an acceptor_subkey
       present, 0 otherwise */
    gss_krb5_lucid_key_t    ctx_key;
    /* Context key
       (Kerberos session key or subkey) */
    gss_krb5_lucid_key_t    acceptor_subkey;
    /* acceptor-asserted subkey or
       0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;
0150 
/*
 * Version 1 of the lucid (non-opaque) security context returned through
 * gss_krb5_export_lucid_sec_context().  Exactly one of rfc1964_kd / cfx_kd
 * is meaningful, selected by 'protocol'; the other must be zero.  The key
 * material inside is secret and is released together with the structure
 * by gss_krb5_free_lucid_sec_context().
 */
typedef struct gss_krb5_lucid_context_v1 {
    OM_uint32       version;        /* Structure version number (1)
                                       MUST be at beginning of struct! */
    OM_uint32       initiate;       /* Are we the initiator? */
    OM_uint32       endtime;        /* expiration time of context
                                       (32-bit; presumably seconds since
                                       the epoch -- verify against the
                                       exporting implementation) */
    uint64_t        send_seq;       /* sender sequence number */
    uint64_t        recv_seq;       /* receive sequence number */
    OM_uint32       protocol;       /* 0: rfc1964,
                                       1: draft-ietf-krb-wg-gssapi-cfx-07
                                       (the CFX draft became RFC 4121) */
    /*
     * if (protocol == 0) rfc1964_kd should be used
     * and cfx_kd contents are invalid and should be zero
     * if (protocol == 1) cfx_kd should be used
     * and rfc1964_kd contents are invalid and should be zero
     */
    gss_krb5_rfc1964_keydata_t rfc1964_kd;
    gss_krb5_cfx_keydata_t     cfx_kd;
} gss_krb5_lucid_context_v1_t;
0169 
/*
 * Mask for determining the version of a lucid context structure.  Callers
 * should not require this.
 *
 * Every lucid context layout starts with an OM_uint32 version field (see
 * gss_krb5_lucid_context_v1_t), so a pointer returned via the 'kctx'
 * argument of gss_krb5_export_lucid_sec_context() may be viewed through
 * this struct to read the version before the rest is interpreted.
 */
typedef struct gss_krb5_lucid_context_version {
    OM_uint32       version;        /* Structure version number */
} gss_krb5_lucid_context_version_t;
0177 
0178 
0179 
0180 
/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Register the identity (keytab) used by this process when acting as a
 * GSS acceptor.  The single argument is a keytab name string.
 * NOTE(review): whether this replaces the default keytab for all later
 * gss_acquire_cred() calls, and how it interacts with an explicitly
 * supplied keytab, is not stated in this header -- confirm in the
 * implementation.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
0185 
/*
 * Retrieve the Kerberos ticket flags associated with an established
 * context into *ticket_flags.
 * NOTE(review): which ticket the flags come from (presumably the service
 * ticket used to establish context_handle) is not stated here -- verify.
 * Returns a GSS major status; *minor_status receives the mechanism code.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags(
    OM_uint32 *minor_status,
    gss_ctx_id_t context_handle,
    krb5_flags *ticket_flags);
0190 
/*
 * Copy krb5 creds from cred_handle into out_ccache, which must already be
 * initialized.  Use gss_store_cred_into() (new in krb5 1.11) instead, if
 * possible.
 *
 * The credentials written to out_ccache are usable by anyone who can read
 * that cache; callers are responsible for the cache's access protection.
 * Returns a GSS major status; *minor_status receives the mechanism code.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache(
    OM_uint32 *minor_status,
    gss_cred_id_t cred_handle,
    krb5_ccache out_ccache);
0200 
/*
 * Set the credential cache name used by the krb5 mechanism to 'name'.
 * NOTE(review): presumably this is process-wide state and, when out_name
 * is non-NULL, *out_name receives the previously configured name --
 * confirm in the implementation, including how long *out_name remains
 * valid.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name(
    OM_uint32 *minor_status, const char *name,
    const char **out_name);
0204 
/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 *
 * 'ktypes' points at 'num_ktypes' krb5_enctype values.  Because this
 * narrows what the initiator will accept, callers should list only
 * enctypes the consumer of the exported keys genuinely supports, and
 * nothing weaker than the deployment's policy allows.
 * Returns a GSS major status; *minor_status receives the mechanism code.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
                                gss_cred_id_t cred,
                                OM_uint32 num_ktypes,
                                krb5_enctype *ktypes);
0233 
/*
 * Returns a non-opaque (lucid) version of the internal context
 * information.
 *
 * Note that context_handle must not be used again by the caller
 * after this call.  The GSS implementation is free to release any
 * resources associated with the original context.  It is up to the
 * GSS implementation whether it returns pointers to existing data,
 * or copies of the data.  The caller should treat the returned
 * lucid context as read-only.
 *
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
 *
 * 'version' is an integer indicating the requested version of the lucid
 * context.  If the implementation does not understand the requested version,
 * it will return an error.
 *
 * The structure returned through *kctx contains raw session/subkey
 * material (see gss_krb5_lucid_key_t).  Treat it as secret: do not log
 * or persist it, and release it promptly via
 * gss_krb5_free_lucid_sec_context() once the keys have been consumed.
 *
 * For example:
 *      void *return_ctx;
 *      gss_krb5_lucid_context_v1_t *ctx;
 *      OM_uint32 min_stat, maj_stat;
 *      OM_uint32 vers;
 *      gss_ctx_id_t *ctx_handle;
 *
 *      maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
 *                      ctx_handle, 1, &return_ctx);
 *      // Verify success
 *      ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
 */

OM_uint32 KRB5_CALLCONV
gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
                                  gss_ctx_id_t *context_handle,
                                  OM_uint32 version,
                                  void **kctx);
0270 
/*
 * Frees the allocated storage associated with an exported lucid context
 * (e.g. a gss_krb5_lucid_context_v1_t).  'kctx' is the pointer obtained
 * through the 'kctx' out-parameter of gss_krb5_export_lucid_sec_context().
 * NOTE(review): whether the key material is zeroized before release is
 * not stated in this header -- confirm in the implementation if the
 * caller relies on it.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
                                void *kctx);
0278 
0279 
/*
 * Extract authorization data of type 'ad_type' from an established context
 * into ad_data.
 * NOTE(review): presumably ad_type is a krb5 authorization-data type code,
 * the data comes from the ticket used to establish context_handle, and the
 * caller releases ad_data with gss_release_buffer() -- verify against the
 * implementation.  Authorization data is attacker-influenceable input
 * unless it is protected by the KDC; consumers must validate it before
 * acting on it.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                            const gss_ctx_id_t context_handle,
                                            int ad_type,
                                            gss_buffer_t ad_data);
0285 
/*
 * Associate the replay cache 'rcache' with acceptor credential 'cred' so
 * that contexts accepted with it use that cache for replay detection.
 * NOTE(review): ownership of rcache after this call (whether the caller
 * may still close it) is not stated in this header -- confirm in the
 * implementation.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_set_cred_rcache(OM_uint32 *minor_status,
                         gss_cred_id_t cred,
                         krb5_rcache rcache);
0290 
/*
 * Retrieve the authentication time recorded for an established context.
 * Parameters, in order: minor status out-pointer, the context handle, and
 * a krb5_timestamp out-pointer that receives the authtime.
 * NOTE(review): presumably this is the authtime field of the ticket used
 * to establish the context -- verify.  Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV
gsskrb5_extract_authtime_from_sec_context(OM_uint32 *, gss_ctx_id_t, krb5_timestamp *);
0293 
/*
 * Create a GSS credential handle in *cred from existing krb5 objects:
 * a credential cache 'id' and/or a keytab 'keytab' restricted to
 * 'keytab_principal'.
 * NOTE(review): which arguments may be NULL, whether the cred takes
 * ownership of the krb5 handles, and how keytab_principal is matched are
 * not stated in this header -- confirm in the implementation.  The
 * resulting credential is released with gss_release_cred().
 * Returns a GSS major status; *minor_status receives the mechanism code.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5_import_cred(OM_uint32 *minor_status,
                     krb5_ccache id,
                     krb5_principal keytab_principal,
                     krb5_keytab keytab,
                     gss_cred_id_t *cred);
0300 
0301 #ifdef __cplusplus
0302 }
0303 #endif /* __cplusplus */
0304 
0305 #endif /* _GSSAPI_KRB5_H_ */