| blob | 0f86df9a1ae57cd9c6a9e4e711ef911fc677f742 |
1 /*
2 * Copyright (c) 1997, 1998, 1999 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Kungliga Tekniska
20 * Högskolan and its contributors.
21 *
22 * 4. Neither the name of the Institute nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 * SUCH DAMAGE.
37 */
39 /* $Id$ */
41 #ifndef GSSAPI_H_
42 #define GSSAPI_H_
44 /*
45 * First, include stddef.h to get size_t defined.
46 */
47 #include <stddef.h>
49 #ifdef HAVE_CONFIG_H
50 #include <config.h>
51 #endif
53 #include <sys/types.h>
55 #include <krb5-types.h>
57 /*
58 * Now define the three implementation-dependent types.
59 */
63 /*
64 * This is to avoid having to include <krb5.h>
65 */
71 /* typedef void *gss_name_t; */
78 OM_uint32 flags;
86 OM_uint32 length;
92 gss_OID elements;
100 gss_name_t principal;
102 OM_uint32 lifetime;
103 gss_cred_usage_t usage;
104 gss_OID_set mechanisms;
115 OM_uint32 initiator_addrtype;
116 gss_buffer_desc initiator_address;
117 OM_uint32 acceptor_addrtype;
118 gss_buffer_desc acceptor_address;
119 gss_buffer_desc application_data;
122 /*
123 * For now, define a QOP-type as an OM_uint32
124 */
127 /*
128 * Flag bits for context-level services.
129 */
130 #define GSS_C_DELEG_FLAG 1
131 #define GSS_C_MUTUAL_FLAG 2
132 #define GSS_C_REPLAY_FLAG 4
133 #define GSS_C_SEQUENCE_FLAG 8
134 #define GSS_C_CONF_FLAG 16
135 #define GSS_C_INTEG_FLAG 32
136 #define GSS_C_ANON_FLAG 64
137 #define GSS_C_PROT_READY_FLAG 128
138 #define GSS_C_TRANS_FLAG 256
140 /*
141 * Credential usage options
142 */
143 #define GSS_C_BOTH 0
144 #define GSS_C_INITIATE 1
145 #define GSS_C_ACCEPT 2
147 /*
148 * Status code types for gss_display_status
149 */
150 #define GSS_C_GSS_CODE 1
151 #define GSS_C_MECH_CODE 2
153 /*
154 * The constant definitions for channel-bindings address families
155 */
156 #define GSS_C_AF_UNSPEC 0
157 #define GSS_C_AF_LOCAL 1
158 #define GSS_C_AF_INET 2
159 #define GSS_C_AF_IMPLINK 3
160 #define GSS_C_AF_PUP 4
161 #define GSS_C_AF_CHAOS 5
162 #define GSS_C_AF_NS 6
163 #define GSS_C_AF_NBS 7
164 #define GSS_C_AF_ECMA 8
165 #define GSS_C_AF_DATAKIT 9
166 #define GSS_C_AF_CCITT 10
167 #define GSS_C_AF_SNA 11
168 #define GSS_C_AF_DECnet 12
169 #define GSS_C_AF_DLI 13
170 #define GSS_C_AF_LAT 14
171 #define GSS_C_AF_HYLINK 15
172 #define GSS_C_AF_APPLETALK 16
173 #define GSS_C_AF_BSC 17
174 #define GSS_C_AF_DSS 18
175 #define GSS_C_AF_OSI 19
176 #define GSS_C_AF_X25 21
177 #define GSS_C_AF_INET6 24
179 #define GSS_C_AF_NULLADDR 255
181 /*
182 * Various Null values
183 */
184 #define GSS_C_NO_NAME ((gss_name_t) 0)
185 #define GSS_C_NO_BUFFER ((gss_buffer_t) 0)
186 #define GSS_C_NO_OID ((gss_OID) 0)
187 #define GSS_C_NO_OID_SET ((gss_OID_set) 0)
188 #define GSS_C_NO_CONTEXT ((gss_ctx_id_t) 0)
189 #define GSS_C_NO_CREDENTIAL ((gss_cred_id_t) 0)
190 #define GSS_C_NO_CHANNEL_BINDINGS ((gss_channel_bindings_t) 0)
191 #define GSS_C_EMPTY_BUFFER {0, NULL}
193 /*
194 * Some alternate names for a couple of the above
195 * values. These are defined for V1 compatibility.
196 */
197 #define GSS_C_NULL_OID GSS_C_NO_OID
198 #define GSS_C_NULL_OID_SET GSS_C_NO_OID_SET
200 /*
201 * Define the default Quality of Protection for per-message
202 * services. Note that an implementation that offers multiple
203 * levels of QOP may define GSS_C_QOP_DEFAULT to be either zero
204 * (as done here) to mean "default protection", or to a specific
205 * explicit QOP value. However, a value of 0 should always be
206 * interpreted by a GSSAPI implementation as a request for the
207 * default protection level.
208 */
209 #define GSS_C_QOP_DEFAULT 0
211 /*
212 * Expiration time of 2^32-1 seconds means infinite lifetime for a
213 * credential or security context
214 */
215 #define GSS_C_INDEFINITE 0xfffffffful
217 /*
218 * The implementation must reserve static storage for a
219 * gss_OID_desc object containing the value
220 * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
221 * "\x01\x02\x01\x01"},
222 * corresponding to an object-identifier value of
223 * {iso(1) member-body(2) United States(840) mit(113554)
224 * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
225 * GSS_C_NT_USER_NAME should be initialized to point
226 * to that gss_OID_desc.
227 */
230 /*
231 * The implementation must reserve static storage for a
232 * gss_OID_desc object containing the value
233 * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
234 * "\x01\x02\x01\x02"},
235 * corresponding to an object-identifier value of
236 * {iso(1) member-body(2) United States(840) mit(113554)
237 * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
238 * The constant GSS_C_NT_MACHINE_UID_NAME should be
239 * initialized to point to that gss_OID_desc.
240 */
243 /*
244 * The implementation must reserve static storage for a
245 * gss_OID_desc object containing the value
246 * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
247 * "\x01\x02\x01\x03"},
248 * corresponding to an object-identifier value of
249 * {iso(1) member-body(2) United States(840) mit(113554)
250 * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
251 * The constant GSS_C_NT_STRING_UID_NAME should be
252 * initialized to point to that gss_OID_desc.
253 */
256 /*
257 * The implementation must reserve static storage for a
258 * gss_OID_desc object containing the value
259 * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
260 * corresponding to an object-identifier value of
261 * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
262 * 6(nametypes), 2(gss-host-based-services)}. The constant
263 * GSS_C_NT_HOSTBASED_SERVICE should be initialized to point
264 * to that gss_OID_desc.
265 */
268 /*
269 * The implementation must reserve static storage for a
270 * gss_OID_desc object containing the value
271 * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
272 * corresponding to an object identifier value of
273 * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
274 * 6(nametypes), 3(gss-anonymous-name)}. The constant
275 * and GSS_C_NT_ANONYMOUS should be initialized to point
276 * to that gss_OID_desc.
277 */
280 /*
281 * The implementation must reserve static storage for a
282 * gss_OID_desc object containing the value
283 * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
284 * corresponding to an object-identifier value of
285 * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
286 * 6(nametypes), 4(gss-api-exported-name)}. The constant
287 * GSS_C_NT_EXPORT_NAME should be initialized to point
288 * to that gss_OID_desc.
289 */
292 /*
293 * This if for kerberos5 names.
294 */
303 /* Major status codes */
305 #define GSS_S_COMPLETE 0
307 /*
308 * Some "helper" definitions to make the status code macros obvious.
309 */
310 #define GSS_C_CALLING_ERROR_OFFSET 24
311 #define GSS_C_ROUTINE_ERROR_OFFSET 16
312 #define GSS_C_SUPPLEMENTARY_OFFSET 0
313 #define GSS_C_CALLING_ERROR_MASK 0377ul
314 #define GSS_C_ROUTINE_ERROR_MASK 0377ul
315 #define GSS_C_SUPPLEMENTARY_MASK 0177777ul
317 /*
318 * The macros that test status codes for error conditions.
319 * Note that the GSS_ERROR() macro has changed slightly from
320 * the V1 GSSAPI so that it now evaluates its argument
321 * only once.
322 */
323 #define GSS_CALLING_ERROR(x) \
324 (x & (GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET))
325 #define GSS_ROUTINE_ERROR(x) \
326 (x & (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET))
327 #define GSS_SUPPLEMENTARY_INFO(x) \
328 (x & (GSS_C_SUPPLEMENTARY_MASK << GSS_C_SUPPLEMENTARY_OFFSET))
329 #define GSS_ERROR(x) \
330 (x & ((GSS_C_CALLING_ERROR_MASK << GSS_C_CALLING_ERROR_OFFSET) | \
331 (GSS_C_ROUTINE_ERROR_MASK << GSS_C_ROUTINE_ERROR_OFFSET)))
333 /*
334 * Now the actual status code definitions
335 */
337 /*
338 * Calling errors:
339 */
340 #define GSS_S_CALL_INACCESSIBLE_READ \
341 (1ul << GSS_C_CALLING_ERROR_OFFSET)
342 #define GSS_S_CALL_INACCESSIBLE_WRITE \
343 (2ul << GSS_C_CALLING_ERROR_OFFSET)
344 #define GSS_S_CALL_BAD_STRUCTURE \
345 (3ul << GSS_C_CALLING_ERROR_OFFSET)
347 /*
348 * Routine errors:
349 */
350 #define GSS_S_BAD_MECH (1ul << GSS_C_ROUTINE_ERROR_OFFSET)
351 #define GSS_S_BAD_NAME (2ul << GSS_C_ROUTINE_ERROR_OFFSET)
352 #define GSS_S_BAD_NAMETYPE (3ul << GSS_C_ROUTINE_ERROR_OFFSET)
354 #define GSS_S_BAD_BINDINGS (4ul << GSS_C_ROUTINE_ERROR_OFFSET)
355 #define GSS_S_BAD_STATUS (5ul << GSS_C_ROUTINE_ERROR_OFFSET)
356 #define GSS_S_BAD_SIG (6ul << GSS_C_ROUTINE_ERROR_OFFSET)
357 #define GSS_S_BAD_MIC GSS_S_BAD_SIG
358 #define GSS_S_NO_CRED (7ul << GSS_C_ROUTINE_ERROR_OFFSET)
359 #define GSS_S_NO_CONTEXT (8ul << GSS_C_ROUTINE_ERROR_OFFSET)
360 #define GSS_S_DEFECTIVE_TOKEN (9ul << GSS_C_ROUTINE_ERROR_OFFSET)
361 #define GSS_S_DEFECTIVE_CREDENTIAL (10ul << GSS_C_ROUTINE_ERROR_OFFSET)
362 #define GSS_S_CREDENTIALS_EXPIRED (11ul << GSS_C_ROUTINE_ERROR_OFFSET)
363 #define GSS_S_CONTEXT_EXPIRED (12ul << GSS_C_ROUTINE_ERROR_OFFSET)
364 #define GSS_S_FAILURE (13ul << GSS_C_ROUTINE_ERROR_OFFSET)
365 #define GSS_S_BAD_QOP (14ul << GSS_C_ROUTINE_ERROR_OFFSET)
366 #define GSS_S_UNAUTHORIZED (15ul << GSS_C_ROUTINE_ERROR_OFFSET)
367 #define GSS_S_UNAVAILABLE (16ul << GSS_C_ROUTINE_ERROR_OFFSET)
368 #define GSS_S_DUPLICATE_ELEMENT (17ul << GSS_C_ROUTINE_ERROR_OFFSET)
369 #define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
371 /*
372 * Supplementary info bits:
373 */
374 #define GSS_S_CONTINUE_NEEDED (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 0))
375 #define GSS_S_DUPLICATE_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 1))
376 #define GSS_S_OLD_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 2))
377 #define GSS_S_UNSEQ_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 3))
378 #define GSS_S_GAP_TOKEN (1ul << (GSS_C_SUPPLEMENTARY_OFFSET + 4))
380 /*
381 * From RFC1964:
382 *
383 * 4.1.1. Non-Kerberos-specific codes
384 */
386 #define GSS_KRB5_S_G_BAD_SERVICE_NAME 1
387 /* "No @ in SERVICE-NAME name string" */
388 #define GSS_KRB5_S_G_BAD_STRING_UID 2
389 /* "STRING-UID-NAME contains nondigits" */
390 #define GSS_KRB5_S_G_NOUSER 3
391 /* "UID does not resolve to username" */
392 #define GSS_KRB5_S_G_VALIDATE_FAILED 4
393 /* "Validation error" */
394 #define GSS_KRB5_S_G_BUFFER_ALLOC 5
395 /* "Couldn't allocate gss_buffer_t data" */
396 #define GSS_KRB5_S_G_BAD_MSG_CTX 6
397 /* "Message context invalid" */
398 #define GSS_KRB5_S_G_WRONG_SIZE 7
399 /* "Buffer is the wrong size" */
400 #define GSS_KRB5_S_G_BAD_USAGE 8
401 /* "Credential usage type is unknown" */
402 #define GSS_KRB5_S_G_UNKNOWN_QOP 9
403 /* "Unknown quality of protection specified" */
405 /*
406 * 4.1.2. Kerberos-specific-codes
407 */
409 #define GSS_KRB5_S_KG_CCACHE_NOMATCH 10
410 /* "Principal in credential cache does not match desired name" */
411 #define GSS_KRB5_S_KG_KEYTAB_NOMATCH 11
412 /* "No principal in keytab matches desired name" */
413 #define GSS_KRB5_S_KG_TGT_MISSING 12
414 /* "Credential cache has no TGT" */
415 #define GSS_KRB5_S_KG_NO_SUBKEY 13
416 /* "Authenticator has no subkey" */
417 #define GSS_KRB5_S_KG_CONTEXT_ESTABLISHED 14
418 /* "Context is already fully established" */
419 #define GSS_KRB5_S_KG_BAD_SIGN_TYPE 15
420 /* "Unknown signature type in token" */
421 #define GSS_KRB5_S_KG_BAD_LENGTH 16
422 /* "Invalid field length in token" */
423 #define GSS_KRB5_S_KG_CTX_INCOMPLETE 17
424 /* "Attempt to use incomplete security context" */
426 /*
427 * Finally, function prototypes for the GSS-API routines.
428 */
430 OM_uint32 gss_acquire_cred
433 OM_uint32 time_req,
435 gss_cred_usage_t cred_usage,
438 OM_uint32 * time_rec
439 );
441 OM_uint32 gss_release_cred
443 gss_cred_id_t * cred_handle
444 );
446 OM_uint32 gss_init_sec_context
452 OM_uint32 req_flags,
453 OM_uint32 time_req,
457 gss_buffer_t output_token,
459 OM_uint32 * time_rec
460 );
462 OM_uint32 gss_accept_sec_context
470 gss_buffer_t output_token,
473 gss_cred_id_t * delegated_cred_handle
474 );
476 OM_uint32 gss_process_context_token
479 const gss_buffer_t token_buffer
480 );
482 OM_uint32 gss_delete_sec_context
485 gss_buffer_t output_token
486 );
488 OM_uint32 gss_context_time
491 OM_uint32 * time_rec
492 );
494 OM_uint32 gss_get_mic
497 gss_qop_t qop_req,
499 gss_buffer_t message_token
500 );
502 OM_uint32 gss_verify_mic
507 gss_qop_t * qop_state
508 );
510 OM_uint32 gss_wrap
514 gss_qop_t qop_req,
517 gss_buffer_t output_message_buffer
518 );
520 OM_uint32 gss_unwrap
524 gss_buffer_t output_message_buffer,
526 gss_qop_t * qop_state
527 );
529 OM_uint32 gss_display_status
531 OM_uint32 status_value,
535 gss_buffer_t status_string
536 );
538 OM_uint32 gss_indicate_mechs
540 gss_OID_set * mech_set
541 );
543 OM_uint32 gss_compare_name
548 );
550 OM_uint32 gss_display_name
553 gss_buffer_t output_name_buffer,
554 gss_OID * output_name_type
555 );
557 OM_uint32 gss_import_name
561 gss_name_t * output_name
562 );
564 OM_uint32 gss_export_name
567 gss_buffer_t exported_name
568 );
570 OM_uint32 gss_release_name
572 gss_name_t * input_name
573 );
575 OM_uint32 gss_release_buffer
577 gss_buffer_t buffer
578 );
580 OM_uint32 gss_release_oid_set
582 gss_OID_set * set
583 );
585 OM_uint32 gss_inquire_cred
591 gss_OID_set * mechanisms
592 );
604 );
610 gss_qop_t qop_req,
611 OM_uint32 req_output_size,
612 OM_uint32 * max_input_size
613 );
620 gss_cred_usage_t cred_usage,
621 OM_uint32 initiator_time_req,
622 OM_uint32 acceptor_time_req,
626 OM_uint32 * acceptor_time_rec
627 );
636 gss_cred_usage_t * cred_usage
637 );
642 gss_buffer_t interprocess_token
643 );
648 gss_ctx_id_t * context_handle
649 );
653 gss_OID_set * oid_set
654 );
659 gss_OID_set * oid_set
660 );
667 );
672 gss_OID_set * name_types
673 );
678 gss_OID_set * mech_types
679 );
685 gss_name_t * output_name
686 );
691 gss_name_t * dest_name
692 );
694 /*
695 * The following routines are obsolete variants of gss_get_mic,
696 * gss_verify_mic, gss_wrap and gss_unwrap. They should be
697 * provided by GSSAPI V2 implementations for backwards
698 * compatibility with V1 applications. Distinct entrypoints
699 * (as opposed to #defines) should be provided, both to allow
700 * GSSAPI V1 applications to link against GSSAPI V2 implementations,
701 * and to retain the slight parameter type differences between the
702 * obsolete versions of these routines and their current forms.
703 */
705 OM_uint32 gss_sign
707 gss_ctx_id_t context_handle,
709 gss_buffer_t message_buffer,
710 gss_buffer_t message_token
711 );
713 OM_uint32 gss_verify
715 gss_ctx_id_t context_handle,
716 gss_buffer_t message_buffer,
717 gss_buffer_t token_buffer,
719 );
721 OM_uint32 gss_seal
723 gss_ctx_id_t context_handle,
726 gss_buffer_t input_message_buffer,
728 gss_buffer_t output_message_buffer
729 );
731 OM_uint32 gss_unseal
733 gss_ctx_id_t context_handle,
734 gss_buffer_t input_message_buffer,
735 gss_buffer_t output_message_buffer,
738 );
740 /*
741 * kerberos mechanism specific functions
742 */
744 OM_uint32 gsskrb5_register_acceptor_identity