2 * Copyright 1993 by OpenVision Technologies, Inc.
4 * Permission to use, copy, modify, distribute, and sell this software
5 * and its documentation for any purpose is hereby granted without fee,
6 * provided that the above copyright notice appears in all copies and
7 * that both that copyright notice and this permission notice appear in
8 * supporting documentation, and that the name of OpenVision not be used
9 * in advertising or publicity pertaining to distribution of the software
10 * without specific, written prior permission. OpenVision makes no
11 * representations about the suitability of this software for any
12 * purpose. It is provided "as is" without express or implied warranty.
14 * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
18 * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
19 * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
20 * PERFORMANCE OF THIS SOFTWARE.
23 #ifndef _GSSAPI_KRB5_H_
24 #define _GSSAPI_KRB5_H_
26 #include <gssapi/gssapi.h>
/* C++ friendliness */
32 #endif /* __cplusplus */
/* Reserved static storage for GSS_oids.  See RFC 1964 for more details.
 * Only GSS_KRB5_NT_PRINCIPAL_NAME has krb5-specific storage; the other
 * name-type macros below are aliases of the generic GSS_C_NT_* name types
 * that <gssapi/gssapi.h> provides. */

/* 2.1.1. Kerberos Principal Name Form: */
GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * krb5(2) krb5_name(1)}.  The recommended symbolic name for this type
 * is "GSS_KRB5_NT_PRINCIPAL_NAME". */

/* 2.1.2. Host-Based Service Name Form */
#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) service_name(4)}.  The previously recommended symbolic
 * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME".  The
 * currently preferred symbolic name for this type is
 * "GSS_C_NT_HOSTBASED_SERVICE". */

/* 2.2.1. User Name Form */
#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) user_name(1)}.  The recommended symbolic name for this
 * type is "GSS_KRB5_NT_USER_NAME". */

/* 2.2.2. Machine UID Form */
#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) machine_uid_name(2)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */

/* 2.2.3. String UID Form */
#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
/* This name form shall be represented by the Object Identifier {iso(1)
 * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
 * generic(1) string_uid_name(3)}.  The recommended symbolic name for
 * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
/* Mechanism OIDs and OID sets for the Kerberos V5 GSS-API mechanism. */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5;        /* RFC 1964 mechanism OID */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_old;    /* legacy pre-RFC 1964 OID */
GSS_DLLIMP extern const gss_OID_desc * const gss_mech_krb5_wrong;  /* variant OID emitted by some
                                                                       non-MIT peers; accepted for
                                                                       interoperability only */
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5;      /* set containing gss_mech_krb5 */
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_old;  /* set containing gss_mech_krb5_old */
GSS_DLLIMP extern const gss_OID_set_desc * const gss_mech_set_krb5_both; /* krb5 plus the legacy OID(s);
                                                                             exact membership is defined by
                                                                             the implementation -- confirm */

/* Name-type OIDs owned by this mechanism. */
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_name;
GSS_DLLIMP extern const gss_OID_desc * const gss_nt_krb5_principal;

/* Backing storage for the OID pointers above; use the named pointers
 * rather than indexing this array directly. */
GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
/*
 * Backward-compatible aliases for older gss_krb5_nt_* spellings.
 * The first two map to the krb5 name types declared above; the rest
 * map to the generic gss_nt_* name types supplied by <gssapi/gssapi.h>.
 */
#define gss_krb5_nt_general_name gss_nt_krb5_name
#define gss_krb5_nt_principal gss_nt_krb5_principal
#define gss_krb5_nt_service_name gss_nt_service_name
#define gss_krb5_nt_user_name gss_nt_user_name
#define gss_krb5_nt_machine_uid_name gss_nt_machine_uid_name
#define gss_krb5_nt_string_uid_name gss_nt_string_uid_name
94 typedef unsigned __int64 gss_uint64;
97 typedef uint64_t gss_uint64;
/*
 * A single Kerberos key as exposed through a lucid (non-opaque) context.
 * This is raw key material handed to the caller; it is released together
 * with the enclosing context by gss_krb5_free_lucid_sec_context(), so the
 * caller must not free it separately.
 */
typedef struct gss_krb5_lucid_key {
    OM_uint32 type;         /* key encryption type */
    OM_uint32 length;       /* length of key data (presumably in bytes --
                               confirm against the implementation) */
    void * data;            /* actual key data */
} gss_krb5_lucid_key_t;
/*
 * Key material for an RFC 1964 (pre-CFX) context.  Valid only when the
 * enclosing lucid context has protocol == 0.
 */
typedef struct gss_krb5_rfc1964_keydata {
    OM_uint32 sign_alg;     /* signing algorithm */
    OM_uint32 seal_alg;     /* seal/encrypt algorithm */
    gss_krb5_lucid_key_t ctx_key;
                            /* Context key
                               (Kerberos session key or subkey) */
} gss_krb5_rfc1964_keydata_t;
/*
 * Key material for a CFX context (draft-ietf-krb-wg-gssapi-cfx, later
 * RFC 4121).  Valid only when the enclosing lucid context has
 * protocol == 1.  Consumers must check have_acceptor_subkey before
 * using acceptor_subkey; when it is 0 the acceptor_subkey fields are
 * all zero.
 */
typedef struct gss_krb5_cfx_keydata {
    OM_uint32 have_acceptor_subkey;
                            /* 1 if there is an acceptor_subkey
                               present, 0 otherwise */
    gss_krb5_lucid_key_t ctx_key;
                            /* Context key
                               (Kerberos session key or subkey) */
    gss_krb5_lucid_key_t acceptor_subkey;
                            /* acceptor-asserted subkey or
                               0's if no acceptor subkey */
} gss_krb5_cfx_keydata_t;
/*
 * Version 1 of the lucid (non-opaque) security context returned by
 * gss_krb5_export_lucid_sec_context() and released by
 * gss_krb5_free_lucid_sec_context().  It exposes the live session key
 * material, so the caller is responsible for protecting it.
 *
 * The version field is first so that a pointer to any exported context
 * can be read through gss_krb5_lucid_context_version_t before the full
 * structure type is chosen.
 */
typedef struct gss_krb5_lucid_context_v1 {
    OM_uint32 version;      /* Structure version number (1)
                               MUST be at beginning of struct! */
    OM_uint32 initiate;     /* Are we the initiator? */
    OM_uint32 endtime;      /* expiration time of context; note this is
                               a 32-bit field (presumably seconds since
                               the Unix epoch -- confirm) */
    gss_uint64 send_seq;    /* sender sequence number */
    gss_uint64 recv_seq;    /* receive sequence number */
    OM_uint32 protocol;     /* 0: rfc1964,
                               1: draft-ietf-krb-wg-gssapi-cfx-07 */
    /*
     * Exactly one of the two key-data members below is meaningful and
     * the selection must be made on protocol, never on field contents:
     * if (protocol == 0) rfc1964_kd should be used
     *  and cfx_kd contents are invalid and should be zero
     * if (protocol == 1) cfx_kd should be used
     *  and rfc1964_kd contents are invalid and should be zero
     */
    gss_krb5_rfc1964_keydata_t rfc1964_kd;
    gss_krb5_cfx_keydata_t cfx_kd;
} gss_krb5_lucid_context_v1_t;
/*
 * Mask for determining the returned structure version.
 * See example below for usage.
 *
 * Every lucid context structure begins with an OM_uint32 version field,
 * so a pointer to any exported context may be cast to this type to read
 * the version before selecting the full structure type.
 */
typedef struct gss_krb5_lucid_context_version {
    OM_uint32 version;      /* Structure version number */
} gss_krb5_lucid_context_version_t;
/* Alias for Heimdal compat. */
#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity

/*
 * Select the keytab from which acceptor credentials are obtained.
 *
 * The argument is the keytab name (path).  Per the MIT implementation
 * the setting applies to acceptor credentials acquired afterwards in
 * this process -- confirm against gss_acquire_cred() behaviour.
 * Returns a GSS major status; no minor status is reported.
 */
OM_uint32 KRB5_CALLCONV krb5_gss_register_acceptor_identity(const char *);
/*
 * Report the Kerberos ticket flags of the ticket used to establish
 * context_handle.
 *
 * minor_status    receives the mechanism-specific status
 * context_handle  established security context to inspect
 * ticket_flags    receives the krb5_flags value
 * Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags
        (OM_uint32 *minor_status,
         gss_ctx_id_t context_handle,
         krb5_flags *ticket_flags);
/*
 * Copy the Kerberos credentials held by cred_handle into the
 * caller-supplied credential cache out_ccache.  The copied tickets and
 * session keys are then under the caller's control, so out_ccache should
 * be protected as credential storage.
 *
 * minor_status  receives the mechanism-specific status
 * cred_handle   GSS credential to copy from
 * out_ccache    destination krb5 credential cache (caller-owned)
 * Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache
        (OM_uint32 *minor_status,
         gss_cred_id_t cred_handle,
         krb5_ccache out_ccache);
/*
 * Set the credential cache name used by the krb5 mechanism.
 *
 * minor_status  receives the mechanism-specific status
 * name          new credential cache name
 * out_name      if non-NULL, receives the previously set name.  Per the
 *               MIT implementation the string is owned by the library
 *               and valid only until the next call -- do not free it;
 *               confirm against the implementation.
 * Returns a GSS major status.
 */
OM_uint32 KRB5_CALLCONV gss_krb5_ccache_name
        (OM_uint32 *minor_status, const char *name,
         const char **out_name);
/*
 * gss_krb5_set_allowable_enctypes
 *
 * This function may be called by a context initiator after calling
 * gss_acquire_cred(), but before calling gss_init_sec_context(),
 * to restrict the set of enctypes which will be negotiated during
 * context establishment to those in the provided array.
 *
 * 'cred' must be a valid credential handle obtained via
 * gss_acquire_cred().  It may not be GSS_C_NO_CREDENTIAL.
 * gss_acquire_cred() may have been called to get a handle to
 * the default credential.
 *
 * The purpose of this function is to limit the keys that may
 * be exported via gss_krb5_export_lucid_sec_context(); thus it
 * should limit the enctypes of all keys that will be needed
 * after the security context has been established.
 * (i.e. context establishment may use a session key with a
 * stronger enctype than in the provided array, however a
 * subkey must be established within the enctype limits
 * established by this function.)
 */
199 OM_uint32 KRB5_CALLCONV
200 gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
202 OM_uint32 num_ktypes,
203 krb5_enctype *ktypes);
206 * Returns a non-opaque (lucid) version of the internal context
209 * Note that context_handle must not be used again by the caller
210 * after this call. The GSS implementation is free to release any
211 * resources associated with the original context. It is up to the
212 * GSS implementation whether it returns pointers to existing data,
213 * or copies of the data. The caller should treat the returned
214 * lucid context as read-only.
 * The caller must call gss_krb5_free_lucid_sec_context() to free
 * the context and allocated resources when it is finished with it.
219 * 'version' is an integer indicating the highest version of lucid
220 * context understood by the caller. The highest version
221 * understood by both the caller and the GSS implementation must
222 * be returned. The caller can determine which version of the
223 * structure was actually returned by examining the version field
224 * of the returned structure. gss_krb5_lucid_context_version_t
225 * may be used as a mask to examine the returned structure version.
227 * If there are no common versions, an error should be returned.
228 * (XXX Need error definition(s))
232 * gss_krb5_lucid_context_v1_t *ctx;
233 * OM_uint32 min_stat, maj_stat;
235 * gss_ctx_id_t *ctx_handle;
237 * maj_stat = gss_krb5_export_lucid_sec_context(&min_stat,
238 * ctx_handle, 1, &return_ctx);
241 * vers = ((gss_krb5_lucid_context_version_t *)return_ctx)->version;
244 * ctx = (gss_krb5_lucid_context_v1_t *) return_ctx;
247 * // Error, unknown version returned
253 OM_uint32 KRB5_CALLCONV
254 gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
255 gss_ctx_id_t *context_handle,
/*
 * Frees the allocated storage associated with an
 * exported struct gss_krb5_lucid_context.
 */
263 OM_uint32 KRB5_CALLCONV
264 gss_krb5_free_lucid_sec_context(OM_uint32 *minor_status,
270 #endif /* __cplusplus */
272 #endif /* _GSSAPI_KRB5_H_ */