1 /* -*- mode: c; indent-tabs-mode: nil -*- */
2 /*
3  * Copyright 2000, 2008 by the Massachusetts Institute of Technology.
4  * All Rights Reserved.
5  *
6  * Export of this software from the United States of America may
7  *   require a specific license from the United States Government.
8  *   It is the responsibility of any person or organization contemplating
9  *   export to obtain such a license before exporting.
10  *
11  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
12  * distribute this software and its documentation for any purpose and
13  * without fee is hereby granted, provided that the above copyright
14  * notice appear in all copies and that both that copyright notice and
15  * this permission notice appear in supporting documentation, and that
16  * the name of M.I.T. not be used in advertising or publicity pertaining
17  * to distribution of the software without specific, written prior
18  * permission.  Furthermore if you modify this software you must label
19  * your software as modified software and not distribute it in such a
20  * fashion that it might be confused with the original M.I.T. software.
21  * M.I.T. makes no representations about the suitability of
22  * this software for any purpose.  It is provided "as is" without express
23  * or implied warranty.
24  *
25  */
26 /*
27  * Copyright 1993 by OpenVision Technologies, Inc.
28  *
29  * Permission to use, copy, modify, distribute, and sell this software
30  * and its documentation for any purpose is hereby granted without fee,
31  * provided that the above copyright notice appears in all copies and
32  * that both that copyright notice and this permission notice appear in
33  * supporting documentation, and that the name of OpenVision not be used
34  * in advertising or publicity pertaining to distribution of the software
35  * without specific, written prior permission. OpenVision makes no
36  * representations about the suitability of this software for any
37  * purpose.  It is provided "as is" without express or implied warranty.
38  *
39  * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
40  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
41  * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
42  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
43  * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
44  * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
45  * PERFORMANCE OF THIS SOFTWARE.
46  */
47
/*
 * Private header for the krb5 GSS-API mechanism: wire constants, the
 * mechanism's internal name/credential/context records, and prototypes
 * for the helper functions and mechanism entry points.
 *
 * NOTE(review): the include guard begins with an underscore and an
 * uppercase letter, a form C reserves for the implementation; it is left
 * unchanged here because other translation units may test it.
 */
#ifndef _GSSAPIP_KRB5_H_
#define _GSSAPIP_KRB5_H_

#include <k5-int.h>

#ifdef HAVE_MEMORY_H
#include <memory.h>
#endif

/* work around sunos braindamage: if a system header has defined major and
 * minor as macros, undefine them so that the GSS-API headers included below
 * (which the comment further down says rely on this) see plain
 * identifiers. */
#ifdef major
#undef major
#endif
#ifdef minor
#undef minor
#endif

#include "gssapiP_generic.h"

/* The include of gssapi_krb5.h will dtrt with the above #defines in
 * effect.
 */
#include "gssapi_krb5.h"
#include "gssapi_err_krb5.h"
#include "gssapi_ext.h"

/* for debugging: CFX_EXERCISE is a debug-only toggle; this #undef
 * guarantees it is off from here on unless a source file re-defines it. */
#undef CFX_EXERCISE
76
77 /** constants **/
78
/* DER value bytes of the mechanism OIDs this library recognizes, each with
 * its length in bytes.  Kerberos V5 mechanism, 1.2.840.113554.1.2.2
 * (RFC 1964). */
#define GSS_MECH_KRB5_OID_LENGTH 9
#define GSS_MECH_KRB5_OID "\052\206\110\206\367\022\001\002\002"

/* Pre-RFC ("old") krb5 mechanism OID, 1.3.5.1.5.2. */
#define GSS_MECH_KRB5_OLD_OID_LENGTH 5
#define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002"

/* Incorrect krb5 mech OID emitted by MS.  It differs from GSS_MECH_KRB5_OID
 * only in the fourth byte (\202 instead of \206); presumably accepted on
 * input for interoperability rather than emitted -- confirm at the users. */
#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9
#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"

/* IAKERB variant, 1.3.6.1.5.2.5. */
#define GSS_MECH_IAKERB_OID_LENGTH 6
#define GSS_MECH_IAKERB_OID "\053\006\001\005\002\005"

/* Set of all mechanism OIDs implemented here (defined in a .c file). */
extern const gss_OID_set kg_all_mechs;

/* Checksum type of the authenticator checksum that carries the channel
 * bindings and GSS flags (RFC 1964 section 1.1.1 / RFC 4121 section 4.1.1). */
#define CKSUMTYPE_KG_CB         0x8003

/* Token identifiers.  Each constant is the two TOK_ID octets read as a
 * big-endian 16-bit value (0x0100 is 01 00 on the wire).  KG_TOK_* are the
 * RFC 1964 identifiers, KG2_TOK_* the RFC 4121 ones.  KG_TOK_SIGN_MSG and
 * KG_TOK_SEAL_MSG are older names for the same values as KG_TOK_MIC_MSG and
 * KG_TOK_WRAP_MSG. */
#define KG_TOK_CTX_AP_REQ       0x0100
#define KG_TOK_CTX_AP_REP       0x0200
#define KG_TOK_CTX_ERROR        0x0300
#define KG_TOK_SIGN_MSG         0x0101
#define KG_TOK_SEAL_MSG         0x0201
#define KG_TOK_MIC_MSG          0x0101
#define KG_TOK_WRAP_MSG         0x0201
#define KG_TOK_DEL_CTX          0x0102
#define KG2_TOK_MIC_MSG         0x0404
#define KG2_TOK_WRAP_MSG        0x0504
#define KG2_TOK_DEL_CTX         0x0405
/* IAKERB proxy token identifier. */
#define IAKERB_TOK_PROXY        0x0501

#define KRB5_GSS_FOR_CREDS_OPTION 1

/* Response flags; their meaning is defined by the code that emits and
 * parses them, not here. */
#define KG2_RESP_FLAG_ERROR             0x0001
#define KG2_RESP_FLAG_DELEG_OK          0x0002

/** CFX flags: bits of the Flags octet in the RFC 4121 token header
 * (section 4.2.2). **/
#define FLAG_SENDER_IS_ACCEPTOR 0x01
#define FLAG_WRAP_CONFIDENTIAL  0x02
#define FLAG_ACCEPTOR_SUBKEY    0x04
119
120 /* These are to be stored in little-endian order, i.e., des-mac is
121    stored as 02 00.  */
/*
 * RFC 1964 SGN_ALG identifiers (the signature algorithm field of the token
 * header), listed in ascending numeric order.  The value itself is the
 * 16-bit identifier; the little-endian wire layout is described above.
 */
enum sgn_alg {
    SGN_ALG_DES_MAC_MD5 = 0x0000,
    SGN_ALG_MD2_5 = 0x0001,
    SGN_ALG_DES_MAC = 0x0002,
    SGN_ALG_3 = 0x0003,                 /* not published */
    SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004,
    SGN_ALG_HMAC_MD5 = 0x0011           /* microsoft w2k */
};
/*
 * RFC 1964 SEAL_ALG identifiers (the encryption algorithm field of the
 * token header).  SEAL_ALG_NONE is the all-ones value that marks an
 * integrity-only token; the rest are listed in ascending order.
 */
enum seal_alg {
    SEAL_ALG_NONE = 0xffff,
    SEAL_ALG_DES = 0x0000,
    SEAL_ALG_1 = 0x0001,                /* not published */
    SEAL_ALG_DES3KD = 0x0002,
    SEAL_ALG_MICROSOFT_RC4 = 0x0010     /* microsoft w2k */
};
137
/* Key usage numbers for the RFC 1964 3DES/RC4 extensions (proto 0). */
#define KG_USAGE_SEAL 22
#define KG_USAGE_SIGN 23
#define KG_USAGE_SEQ  24

/* Key usage numbers for draft-ietf-krb-wg-gssapi-cfx-01 (RFC 4121, proto 1).
 * These overlap numerically with the set above: 22 and 23 are reused, and
 * 24 is SEQ in one set but INITIATOR_SEAL in the other.  The protocol
 * revision of the context must therefore select which set applies; the two
 * sets must never be mixed within one context. */
#define KG_USAGE_ACCEPTOR_SEAL  22
#define KG_USAGE_ACCEPTOR_SIGN  23
#define KG_USAGE_INITIATOR_SEAL 24
#define KG_USAGE_INITIATOR_SIGN 25
148
/*
 * Mechanism-specific QOP values.  The low byte (GSS_KRB5_INTEG_C_QOP_MASK)
 * selects an integrity algorithm, the high byte (GSS_KRB5_CONF_C_QOP_MASK)
 * a confidentiality algorithm; the two halves can be combined bitwise.
 */
enum qop {
    /* integrity half */
    GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001,      /* *partial* MD5 = "MD2.5" */
    GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
    GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
    GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
    GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
    /* confidentiality half */
    GSS_KRB5_CONF_C_QOP_DES = 0x0100,
    GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
    GSS_KRB5_CONF_C_QOP_MASK = 0xff00
};
159
160 /** internal types **/
161
/*
 * Mechanism name record (presumably the object behind a gss_name_t handle
 * for this mechanism).  princ, service and host are fixed after creation;
 * only ad_context may change, under lock.
 */
typedef struct _krb5_gss_name_rec {
    krb5_principal princ;       /* immutable */
    char *service;              /* immutable; service part of a host-based name, if any */
    char *host;                 /* immutable; host part of a host-based name, if any */
    k5_mutex_t lock;            /* protects ad_context only for now */
    krb5_authdata_context ad_context;   /* mutable; take lock before touching */
} krb5_gss_name_rec, *krb5_gss_name_t;
169
/*
 * Mechanism credential record (the object behind a gss_cred_id_t handle).
 * Acceptor credentials use the keytab/rcache members, initiator credentials
 * the ccache members; usage says which roles the credential is valid for.
 */
typedef struct _krb5_gss_cred_id_rec {
    /* protect against simultaneous accesses */
    k5_mutex_t lock;

    /* name/type of credential */
    gss_cred_usage_t usage;
    krb5_gss_name_t name;
    krb5_principal impersonator;        /* set for S4U2Proxy-style creds, presumably -- confirm */
    unsigned int default_identity : 1;  /* name was not chosen by the caller, presumably */
    unsigned int iakerb_mech : 1;       /* acquired through the IAKERB mechanism */
    unsigned int destroy_ccache : 1;    /* ccache is owned here and destroyed on release, presumably */
    unsigned int suppress_ci_flags : 1;

    /* keytab (accept) data */
    krb5_keytab keytab;
    krb5_rcache rcache;                 /* replay cache used when accepting contexts */

    /* ccache (init) data */
    krb5_ccache ccache;
    krb5_keytab client_keytab;
    krb5_boolean have_tgt;
    krb5_timestamp expire;
    krb5_timestamp refresh_time;        /* see kg_cred_time_to_refresh / kg_cred_set_initial_refresh */
    krb5_enctype *req_enctypes;  /* limit negotiated enctypes to this list */
    char *password;              /* plaintext password kept with the cred (cf. the
                                  * acquire_cred_with_password entry points).
                                  * NOTE(review): sensitive -- confirm the release
                                  * path zeroizes it before freeing. */
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
196
/*
 * Extension arguments for the *_sec_context_ext entry points.  Only IAKERB
 * state is carried so far: the conversation data and a flag recording
 * whether it has been verified (exact meaning of verified is set by the
 * IAKERB code, not here).
 */
typedef struct _krb5_gss_ctx_ext_rec {
    struct {
        krb5_data *conv;    /* IAKERB conversation, presumably the exchanged messages */
        int verified;
    } iakerb;
} krb5_gss_ctx_ext_rec, *krb5_gss_ctx_ext_t;
203
/*
 * Security context record (the object behind a gss_ctx_id_t handle).
 * Which key members are in use depends on proto (see below): RFC 1964
 * tokens use enc/seq together with signalg/sealalg, RFC 4121 tokens use
 * subkey and, when have_acceptor_subkey is set, acceptor_subkey.
 * NOTE(review): kg_ctx_externalize/kg_ctx_internalize presumably walk these
 * fields; confirm before reordering or resizing anything here.
 */
typedef struct _krb5_gss_ctx_id_rec {
    krb5_magic magic;            /* validity tag for the handle, presumably */
    unsigned int initiate : 1;   /* nonzero if initiating, zero if accepting */
    unsigned int established : 1;   /* context establishment has completed */
    unsigned int have_acceptor_subkey : 1;  /* acceptor_subkey is set */
    unsigned int seed_init : 1;  /* XXX tested but never actually set */
    unsigned int terminated : 1;
    OM_uint32 gss_flags;         /* GSS_C_*_FLAG bits in effect for the context */
    unsigned char seed[16];      /* output of kg_make_seed; only meaningful if seed_init */
    krb5_gss_name_t here;        /* local party */
    krb5_gss_name_t there;       /* remote party */
    krb5_key subkey; /* One of two potential keys to use with RFC 4121
                      * packets; this key must always be set. */
    int signalg;                 /* enum sgn_alg value for RFC 1964 tokens */
    size_t cksum_size;           /* length of the RFC 1964 token checksum */
    int sealalg;                 /* enum seal_alg value for RFC 1964 tokens */
    krb5_key enc; /* RFC 1964 encryption key; seq xored with a constant
                   * for DES, seq for other RFC 1964 enctypes  */
    krb5_key seq; /* RFC 1964 sequencing key */
    krb5_ticket_times krb_times; /* ticket lifetime; bounds the context lifetime */
    krb5_flags krb_flags;
    /* XXX these used to be signed.  the old spec is inspecific, and
       the new spec specifies unsigned.  I don't believe that the change
       affects the wire encoding.  64 bits wide because RFC 4121 carries a
       64-bit sequence number; RFC 1964 tokens carry 32 bits (krb5_ui_4 in
       kg_make_seq_num/kg_get_seq_num). */
    uint64_t seq_send;
    uint64_t seq_recv;
    g_seqnum_state seqstate;     /* received-sequence-number window from the
                                  * generic layer; presumably what detects
                                  * replayed and out-of-order tokens */
    krb5_context k5_context;
    krb5_auth_context auth_context;
    gss_OID_desc *mech_used;     /* which of the mechanism OIDs negotiated this context */
    /* Protocol spec revision for sending packets
       0 => RFC 1964 with 3DES and RC4 enhancements
       1 => RFC 4121
       No others defined so far.  It is always permitted to receive
       tokens in RFC 4121 format.  If enc is non-null, receiving RFC
       1964 tokens is permitted.*/
    int proto;
    krb5_cksumtype cksumtype;    /* for "main" subkey */
    krb5_key acceptor_subkey; /* CFX only */
    krb5_cksumtype acceptor_subkey_cksumtype;
    int cred_rcache;             /* did we get rcache from creds? */
    krb5_authdata **authdata;    /* authorization data from the ticket, presumably */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
247
/* Validation database: a generic-layer g_set of handles.  Presumably used
 * to check that handles passed in by callers are ones this library issued;
 * confirm against the gssapiP_generic.h users. */
extern g_set kg_vdb;

#ifndef LEAN_CLIENT
/* Serializes keytab access in the acceptor paths (not built for LEAN_CLIENT). */
extern k5_mutex_t gssint_krb5_keytab_lock;
#endif /* LEAN_CLIENT */
253
254 /** helper functions **/
255
/* Obtain the default credential into *cred; minor_status receives the
 * krb5 error on failure.  The returned handle is owned by the caller. */
OM_uint32 kg_get_defcred
(OM_uint32 *minor_status,
 gss_cred_id_t *cred);

/* Compute the channel-bindings checksum for cb into *cksum (the value
 * carried under CKSUMTYPE_KG_CB). */
krb5_error_code kg_checksum_channel_bindings
(krb5_context context, gss_channel_bindings_t cb,
 krb5_checksum *cksum);

/* Build the RFC 1964 encrypted sequence-number field into buf from
 * direction and the 32-bit seqnum, keyed by key and bound to cksum. */
krb5_error_code kg_make_seq_num (krb5_context context,
                                 krb5_key key,
                                 int direction, krb5_ui_4 seqnum, unsigned char *cksum,
                                 unsigned char *buf);

/* Inverse of kg_make_seq_num: recover *direction and *seqnum from buf. */
krb5_error_code kg_get_seq_num (krb5_context context,
                                krb5_key key,
                                unsigned char *cksum, unsigned char *buf, int *direction,
                                krb5_ui_4 *seqnum);

/* Derive the context seed (krb5_gss_ctx_id_rec.seed) from key. */
krb5_error_code kg_make_seed (krb5_context context,
                              krb5_key key,
                              unsigned char *seed);

/* Install subkey into ctx and derive the per-protocol keys/algorithms
 * (signalg, sealalg, enc, seq, ...); reports the checksum type to use for
 * this key in *cksumtype. */
krb5_error_code
kg_setup_keys(krb5_context context,
              krb5_gss_ctx_id_rec *ctx,
              krb5_key subkey,
              krb5_cksumtype *cksumtype);

/* Size in bytes of the confounder prepended to RFC 1964 plaintext for
 * enctype (returns an int; callers should treat non-positive as error). */
int kg_confounder_size (krb5_context context, krb5_enctype enctype);

/* Fill buf with a fresh random confounder of kg_confounder_size bytes. */
krb5_error_code kg_make_confounder (krb5_context context,
                                    krb5_enctype enctype, unsigned char *buf);

/* Encrypt length bytes from in to out with key/usage; iv, if non-NULL, is
 * the initial cipher state.  in and out are distinct buffers (for in-place
 * use kg_encrypt_inplace). */
krb5_error_code kg_encrypt (krb5_context context,
                            krb5_key key, int usage,
                            krb5_pointer iv,
                            krb5_const_pointer in,
                            krb5_pointer out,
                            unsigned int length);

/* Encrypt length bytes at ptr in place, with the given key and usage.  If
 * iv is not NULL, use it as the cipher state. */
krb5_error_code kg_encrypt_inplace(krb5_context context, krb5_key key,
                                   int usage, krb5_pointer iv,
                                   krb5_pointer ptr, unsigned int length);

/* IOV form of kg_encrypt.  proto selects the token format, dce_style the
 * DCE variant; ec and rrc are the RFC 4121 extra-count and rotation
 * values applied to the header/trailer placement. */
krb5_error_code kg_encrypt_iov (krb5_context context,
                                int proto, int dce_style,
                                size_t ec, size_t rrc,
                                krb5_key key, int usage,
                                krb5_pointer iv,
                                gss_iov_buffer_desc *iov,
                                int iov_count);

/* RC4 (arcfour) encrypt/decrypt of input_buf into output_buf using a key
 * derived from keyblock, usage and kd_data (the Microsoft RC4-HMAC
 * scheme).  NOTE(review): RC4-HMAC is deprecated (RFC 8429) and retained
 * only for interoperability with legacy peers. */
krb5_error_code
kg_arcfour_docrypt (const krb5_keyblock *keyblock, int usage,
                    const unsigned char *kd_data, size_t kd_data_len,
                    const unsigned char *input_buf, size_t input_len,
                    unsigned char *output_buf);

/* IOV form of kg_arcfour_docrypt, operating on the data buffers of iov. */
krb5_error_code
kg_arcfour_docrypt_iov (krb5_context context,
                        const krb5_keyblock *keyblock, int usage,
                        const unsigned char *kd_data, size_t kd_data_len,
                        gss_iov_buffer_desc *iov,
                        int iov_count);

/* Decrypt length bytes from in to out; parameters as for kg_encrypt. */
krb5_error_code kg_decrypt (krb5_context context,
                            krb5_key key,  int usage,
                            krb5_pointer iv,
                            krb5_const_pointer in,
                            krb5_pointer out,
                            unsigned int length);

/* IOV form of kg_decrypt; parameters as for kg_encrypt_iov. */
krb5_error_code kg_decrypt_iov (krb5_context context,
                                int proto, int dce_style,
                                size_t ec, size_t rrc,
                                krb5_key key,  int usage,
                                krb5_pointer iv,
                                gss_iov_buffer_desc *iov,
                                int iov_count);

/* Common implementation behind gss_wrap and gss_get_mic: toktype is the
 * KG_TOK_* identifier of the token to build.  *conf_state reports whether
 * confidentiality was actually applied. */
OM_uint32 kg_seal (OM_uint32 *minor_status,
                   gss_ctx_id_t context_handle,
                   int conf_req_flag,
                   gss_qop_t qop_req,
                   gss_buffer_t input_message_buffer,
                   int *conf_state,
                   gss_buffer_t output_message_buffer,
                   int toktype);

/* Common implementation behind gss_unwrap and gss_verify_mic.
 * input_token_buffer is data from the peer and must be treated as
 * untrusted: every header field and length is validated before use. */
OM_uint32 kg_unseal (OM_uint32 *minor_status,
                     gss_ctx_id_t context_handle,
                     gss_buffer_t input_token_buffer,
                     gss_buffer_t message_buffer,
                     int *conf_state,
                     gss_qop_t *qop_state,
                     int toktype);

/* Implementation of gss_wrap_size_limit: largest *input_size that wraps
 * into at most output_size bytes. */
OM_uint32 kg_seal_size (OM_uint32 *minor_status,
                        gss_ctx_id_t context_handle,
                        int conf_req_flag,
                        gss_qop_t qop_req,
                        OM_uint32 output_size,
                        OM_uint32 *input_size);

/* Serialization hooks for a krb5_gss_ctx_id_rec (arg): required size,
 * write-out, and read-back.  These implement export/import_sec_context. */
krb5_error_code kg_ctx_size (krb5_context kcontext,
                             krb5_pointer arg,
                             size_t *sizep);

krb5_error_code kg_ctx_externalize (krb5_context kcontext,
                                    krb5_pointer arg,
                                    krb5_octet **buffer,
                                    size_t *lenremain);

/* Rebuild a context from *buffer, advancing *buffer and decrementing
 * *lenremain.  The buffer is caller-supplied (interprocess token) and must
 * be treated as untrusted: each field read has to be checked against
 * *lenremain -- NOTE(review): confirm in the definition. */
krb5_error_code kg_ctx_internalize (krb5_context kcontext,
                                    krb5_pointer *argp,
                                    krb5_octet **buffer,
                                    size_t *lenremain);

/* Credential-cache name plumbing used by the gss_krb5_ccache_name
 * extension: sync the library default with the stored name, ask whether
 * the caller provided one, and get/set it. */
OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);

OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status,
                                          int *out_caller_provided_name);

OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status,
                              const char **out_name);

OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status,
                              const char *name);
386
/* AEAD */

/* Build an RFC 4121 (v3) token over iov in place; toktype selects
 * MIC/WRAP.  Note the return type is krb5_error_code whereas the unseal
 * counterpart below returns a GSS major status. */
krb5_error_code gss_krb5int_make_seal_token_v3_iov(krb5_context context,
                           krb5_gss_ctx_id_rec *ctx,
                           int conf_req_flag,
                           int *conf_state,
                           gss_iov_buffer_desc *iov,
                           int iov_count,
                           int toktype);

/* Verify and, for WRAP tokens, decrypt an RFC 4121 token held in iov.
 * The header/trailer buffers come from the peer and are untrusted. */
OM_uint32 gss_krb5int_unseal_v3_iov(krb5_context context,
                          OM_uint32 *minor_status,
                          krb5_gss_ctx_id_rec *ctx,
                          gss_iov_buffer_desc *iov,
                          int iov_count,
                          int *conf_state,
                          gss_qop_t *qop_state,
                          int toktype);

/* Find the first buffer in iov whose type matches type, or NULL. */
gss_iov_buffer_t kg_locate_iov (gss_iov_buffer_desc *iov,
              int iov_count,
              OM_uint32 type);

/* Find the header buffer appropriate for toktype, or NULL. */
gss_iov_buffer_t kg_locate_header_iov(gss_iov_buffer_desc *iov, int iov_count,
                                      int toktype);

/* Sum the lengths of the data buffers and of the sign-only (associated
 * data) buffers in iov. */
void kg_iov_msglen(gss_iov_buffer_desc *iov,
              int iov_count,
              size_t *data_length,
              size_t *assoc_data_length);

/* Free the buffers in iov that this library allocated. */
void kg_release_iov(gss_iov_buffer_desc *iov,
               int iov_count);

/* Compute the RFC 1964 (v1) token checksum over iov into *checksum, using
 * seq for the sequence field and enc only to determine the confounder
 * length (see the parameter comment). */
krb5_error_code kg_make_checksum_iov_v1(krb5_context context,
                krb5_cksumtype type,
                size_t token_cksum_len,
                krb5_key seq,
                krb5_key enc, /* for conf len */
                krb5_keyusage sign_usage,
                gss_iov_buffer_desc *iov,
                int iov_count,
                int toktype,
                krb5_checksum *checksum);

/* Compute the RFC 4121 (v3) checksum over iov and write it into the
 * trailer/header buffer, honoring the rrc rotation. */
krb5_error_code kg_make_checksum_iov_v3(krb5_context context,
                krb5_cksumtype type,
                size_t rrc,
                krb5_key key,
                krb5_keyusage sign_usage,
                gss_iov_buffer_desc *iov,
                int iov_count,
                int toktype);

/* Verify the RFC 4121 checksum in iov; result in *valid, the return value
 * only reports operational errors.  NOTE(review): callers must fail closed
 * on !*valid, and the comparison of checksums should not be data-dependent
 * in timing -- confirm in the definition. */
krb5_error_code kg_verify_checksum_iov_v3(krb5_context context,
                krb5_cksumtype type,
                size_t rrc,
                krb5_key key,
                krb5_keyusage sign_usage,
                gss_iov_buffer_desc *iov,
                int iov_count,
                int toktype,
                krb5_boolean *valid);

/* IOV counterparts of kg_seal / kg_unseal / kg_seal_size.  toktype is the
 * KG_TOK_* identifier; kg_seal_iov_length only computes the required
 * header/trailer/padding sizes without producing a token. */
OM_uint32 kg_seal_iov (OM_uint32 *minor_status,
            gss_ctx_id_t context_handle,
            int conf_req_flag,
            gss_qop_t qop_req,
            int *conf_state,
            gss_iov_buffer_desc *iov,
            int iov_count,
            int toktype);

OM_uint32 kg_unseal_iov (OM_uint32 *minor_status,
            gss_ctx_id_t context_handle,
            int *conf_state,
            gss_qop_t *qop_state,
            gss_iov_buffer_desc *iov,
            int iov_count,
            int toktype);

OM_uint32 kg_seal_iov_length(OM_uint32 *minor_status,
           gss_ctx_id_t context_handle,
           int conf_req_flag,
           gss_qop_t qop_req,
           int *conf_state,
           gss_iov_buffer_desc *iov,
           int iov_count,
           int toktype);

/* Map a GSS_IOV_BUFFER_TYPE_* value to the krb5_cryptotype used by the
 * crypto layer. */
krb5_cryptotype kg_translate_flag_iov(OM_uint32 type);

/* Adjust the padding buffer of iov after a wrap/unwrap. */
OM_uint32 kg_fixup_padding_iov(OM_uint32 *minor_status,
        gss_iov_buffer_desc *iov,
        int iov_count);

/* Nonzero if iov contains only sign-only buffers (no data to encrypt). */
krb5_boolean kg_integ_only_iov(gss_iov_buffer_desc *iov, int iov_count);

/* Allocate size bytes for a single buffer; freed by kg_release_iov. */
krb5_error_code kg_allocate_iov(gss_iov_buffer_t iov, size_t size);

/* Wrap krb5 creds in a new mechanism credential record in *out_cred. */
krb5_error_code
krb5_to_gss_cred(krb5_context context,
                 krb5_creds *creds,
                 krb5_gss_cred_id_t *out_cred);

/* Nonzero when cred->refresh_time says the credential should be renewed. */
krb5_boolean
kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred);

/* Set cred->refresh_time from the lifetime in times. */
void
kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred,
                            krb5_ticket_times *times);

/* Make cred_handle usable toward target_name (e.g. obtain a TGT or pick a
 * default identity) before initiating a context; details are in the
 * definition. */
OM_uint32
kg_cred_resolve(OM_uint32 *minor_status, krb5_context context,
                gss_cred_id_t cred_handle, gss_name_t target_name);
502
503 /** declarations of internal name mechanism functions **/
504
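/*
 * Mechanism entry points.  Each returns a GSS major status code and stores
 * the mechanism-specific minor status through minor_status.  Parameter
 * names follow the GSS-API C bindings (RFC 2744); they were previously
 * given only in trailing comments.
 */

/* gss_acquire_cred for the krb5 mechanism. */
OM_uint32 KRB5_CALLCONV krb5_gss_acquire_cred
(OM_uint32 *minor_status,
 gss_name_t desired_name,
 OM_uint32 time_req,
 gss_OID_set desired_mechs,
 gss_cred_usage_t cred_usage,
 gss_cred_id_t *output_cred_handle,
 gss_OID_set *actual_mechs,
 OM_uint32 *time_rec);

/* gss_acquire_cred for the IAKERB variant of the mechanism. */
OM_uint32 KRB5_CALLCONV iakerb_gss_acquire_cred
(OM_uint32 *minor_status,
 gss_name_t desired_name,
 OM_uint32 time_req,
 gss_OID_set desired_mechs,
 gss_cred_usage_t cred_usage,
 gss_cred_id_t *output_cred_handle,
 gss_OID_set *actual_mechs,
 OM_uint32 *time_rec);

/*
 * gss_acquire_cred_with_password: acquire a credential from a password
 * rather than an existing ccache or keytab.  cred_usage is declared as int
 * here rather than gss_cred_usage_t; left as is to match the definition.
 * NOTE(review): the password is presumably retained in
 * krb5_gss_cred_id_rec.password for later use -- confirm it is zeroized on
 * release.
 */
OM_uint32 KRB5_CALLCONV
krb5_gss_acquire_cred_with_password(
    OM_uint32 *minor_status,
    const gss_name_t desired_name,
    const gss_buffer_t password,
    OM_uint32 time_req,
    const gss_OID_set desired_mechs,
    int cred_usage,
    gss_cred_id_t *output_cred_handle,
    gss_OID_set *actual_mechs,
    OM_uint32 *time_rec);

/* IAKERB variant of krb5_gss_acquire_cred_with_password. */
OM_uint32 KRB5_CALLCONV
iakerb_gss_acquire_cred_with_password(
    OM_uint32 *minor_status,
    const gss_name_t desired_name,
    const gss_buffer_t password,
    OM_uint32 time_req,
    const gss_OID_set desired_mechs,
    int cred_usage,
    gss_cred_id_t *output_cred_handle,
    gss_OID_set *actual_mechs,
    OM_uint32 *time_rec);

/* gss_release_cred: free *cred_handle and set it to GSS_C_NO_CREDENTIAL. */
OM_uint32 KRB5_CALLCONV krb5_gss_release_cred
(OM_uint32 *minor_status,
 gss_cred_id_t *cred_handle);

/* gss_init_sec_context: run one initiator step of context establishment.
 * input_token is the peer's previous token (empty on the first call) and is
 * untrusted input. */
OM_uint32 KRB5_CALLCONV krb5_gss_init_sec_context
(OM_uint32 *minor_status,
 gss_cred_id_t claimant_cred_handle,
 gss_ctx_id_t *context_handle,
 gss_name_t target_name,
 gss_OID mech_type,
 OM_uint32 req_flags,
 OM_uint32 time_req,
 gss_channel_bindings_t input_chan_bindings,
 gss_buffer_t input_token,
 gss_OID *actual_mech_type,
 gss_buffer_t output_token,
 OM_uint32 *ret_flags,
 OM_uint32 *time_rec);

/* Extended form of krb5_gss_init_sec_context taking IAKERB state in exts
 * (see krb5_gss_ctx_ext_rec).  Not KRB5_CALLCONV, so presumably internal
 * to the library. */
OM_uint32 krb5_gss_init_sec_context_ext
(OM_uint32 *minor_status,
 gss_cred_id_t claimant_cred_handle,
 gss_ctx_id_t *context_handle,
 gss_name_t target_name,
 gss_OID mech_type,
 OM_uint32 req_flags,
 OM_uint32 time_req,
 gss_channel_bindings_t input_chan_bindings,
 gss_buffer_t input_token,
 gss_OID *actual_mech_type,
 gss_buffer_t output_token,
 OM_uint32 *ret_flags,
 OM_uint32 *time_rec,
 krb5_gss_ctx_ext_t exts);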
590
#ifndef LEAN_CLIENT
/* gss_accept_sec_context: run one acceptor step of context establishment.
 * input_token_buffer arrives from the network peer and is untrusted; every
 * field of it has to be validated by the token parser before use. */
OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context
(OM_uint32*,       /* minor_status */
 gss_ctx_id_t*,    /* context_handle */
 gss_cred_id_t,    /* verifier_cred_handle */
 gss_buffer_t,     /* input_token_buffer */
 gss_channel_bindings_t,
 /* input_chan_bindings */
 gss_name_t*,      /* src_name */
 gss_OID*,         /* mech_type */
 gss_buffer_t,     /* output_token */
 OM_uint32*,       /* ret_flags */
 OM_uint32*,       /* time_rec */
 gss_cred_id_t*    /* delegated_cred_handle */
);

/* Extended form taking IAKERB state in the trailing exts argument (see
 * krb5_gss_ctx_ext_rec); otherwise identical to the one above. */
OM_uint32 KRB5_CALLCONV krb5_gss_accept_sec_context_ext
(OM_uint32*,       /* minor_status */
 gss_ctx_id_t*,    /* context_handle */
 gss_cred_id_t,    /* verifier_cred_handle */
 gss_buffer_t,     /* input_token_buffer */
 gss_channel_bindings_t,
 /* input_chan_bindings */
 gss_name_t*,      /* src_name */
 gss_OID*,         /* mech_type */
 gss_buffer_t,     /* output_token */
 OM_uint32*,       /* ret_flags */
 OM_uint32*,       /* time_rec */
 gss_cred_id_t*,   /* delegated_cred_handle */
 krb5_gss_ctx_ext_t/*exts */
);
#endif /* LEAN_CLIENT */
623
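/* Context and name management entry points.  Parameter names follow the
 * GSS-API C bindings; they were previously given only in trailing
 * comments. */

/* gss_inquire_sec_context_by_oid: return mechanism-specific context data
 * selected by desired_object in *data_set. */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_sec_context_by_oid
(OM_uint32 *minor_status,
 const gss_ctx_id_t context_handle,
 const gss_OID desired_object,
 gss_buffer_set_t *data_set);

/* gss_set_sec_context_option: set the option desired_object to value. */
OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option
(OM_uint32 *minor_status,
 gss_ctx_id_t *context_handle,
 const gss_OID desired_object,
 const gss_buffer_t value);

/* gss_process_context_token: consume a context token (e.g. a deletion
 * token) received from the peer; token_buffer is untrusted input. */
OM_uint32 KRB5_CALLCONV krb5_gss_process_context_token
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_buffer_t token_buffer);

/* gss_delete_sec_context: tear down *context_handle, optionally producing
 * a deletion token in output_token. */
OM_uint32 KRB5_CALLCONV krb5_gss_delete_sec_context
(OM_uint32 *minor_status,
 gss_ctx_id_t *context_handle,
 gss_buffer_t output_token);

/* gss_context_time: remaining lifetime of the context in *time_rec. */
OM_uint32 KRB5_CALLCONV krb5_gss_context_time
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 OM_uint32 *time_rec);

/* gss_display_status: render status_value (major or minor per status_type)
 * as text in status_string; message_context iterates multiple messages. */
OM_uint32 KRB5_CALLCONV krb5_gss_display_status
(OM_uint32 *minor_status,
 OM_uint32 status_value,
 int status_type,
 gss_OID mech_type,
 OM_uint32 *message_context,
 gss_buffer_t status_string);

/* gss_indicate_mechs: the mechanisms this library provides, in *mech_set. */
OM_uint32 KRB5_CALLCONV krb5_gss_indicate_mechs
(OM_uint32 *minor_status,
 gss_OID_set *mech_set);

/* gss_compare_name: *name_equal is nonzero if name1 and name2 refer to the
 * same entity. */
OM_uint32 KRB5_CALLCONV krb5_gss_compare_name
(OM_uint32 *minor_status,
 gss_name_t name1,
 gss_name_t name2,
 int *name_equal);

/* gss_display_name: textual form of input_name in output_name_buffer,
 * with its name type in *output_name_type. */
OM_uint32 KRB5_CALLCONV krb5_gss_display_name
(OM_uint32 *minor_status,
 gss_name_t input_name,
 gss_buffer_t output_name_buffer,
 gss_OID *output_name_type);

/* gss_import_name: parse input_name_buffer (of type input_name_type) into
 * a new name in *output_name.  The buffer is caller data, not yet
 * validated. */
OM_uint32 KRB5_CALLCONV krb5_gss_import_name
(OM_uint32 *minor_status,
 gss_buffer_t input_name_buffer,
 gss_OID input_name_type,
 gss_name_t *output_name);

/* gss_release_name: free *input_name and set it to GSS_C_NO_NAME. */
OM_uint32 KRB5_CALLCONV krb5_gss_release_name
(OM_uint32 *minor_status,
 gss_name_t *input_name);

/* gss_inquire_cred: report the name, remaining lifetime, usage and
 * mechanisms of cred_handle. */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_cred
(OM_uint32 *minor_status,
 gss_cred_id_t cred_handle,
 gss_name_t *name,
 OM_uint32 *lifetime,
 gss_cred_usage_t *cred_usage,
 gss_OID_set *mechanisms);

/* gss_inquire_context: report the parties, lifetime, mechanism, flags and
 * state of context_handle.  opened corresponds to the bindings' "open"
 * parameter (nonzero once establishment is complete). */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_context
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_name_t *initiator_name,
 gss_name_t *acceptor_name,
 OM_uint32 *lifetime_rec,
 gss_OID *mech_type,
 OM_uint32 *ret_flags,
 int *locally_initiated,
 int *opened);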
718
719 /* New V2 entry points */
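/* gss_get_mic: compute a MIC token over message_buffer into message_token. */
OM_uint32 KRB5_CALLCONV krb5_gss_get_mic
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_qop_t qop_req,
 gss_buffer_t message_buffer,
 gss_buffer_t message_token);

/* gss_get_mic_iov: IOV form of krb5_gss_get_mic; the MIC is written into
 * the header buffer of iov. */
OM_uint32 KRB5_CALLCONV krb5_gss_get_mic_iov
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_qop_t qop_req,
 gss_iov_buffer_desc *iov,
 int iov_count);

/* gss_get_mic_iov_length: compute the buffer sizes krb5_gss_get_mic_iov
 * needs, without producing a token. */
OM_uint32 KRB5_CALLCONV krb5_gss_get_mic_iov_length
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_qop_t qop_req,
 gss_iov_buffer_desc *iov,
 int iov_count);

/* gss_verify_mic: check message_token against message_buffer; the QOP used
 * is reported in *qop_state.  Both inputs come from the peer and are
 * untrusted. */
OM_uint32 KRB5_CALLCONV krb5_gss_verify_mic
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_buffer_t message_buffer,
 gss_buffer_t message_token,
 gss_qop_t *qop_state);

/* gss_verify_mic_iov: IOV form of krb5_gss_verify_mic. */
OM_uint32 KRB5_CALLCONV krb5_gss_verify_mic_iov
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_qop_t *qop_state,
 gss_iov_buffer_desc *iov,
 int iov_count);

/* gss_wrap: integrity-protect and, if conf_req_flag, encrypt
 * input_message_buffer into output_message_buffer; *conf_state reports
 * whether confidentiality was applied. */
OM_uint32 KRB5_CALLCONV krb5_gss_wrap
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 int conf_req_flag,
 gss_qop_t qop_req,
 gss_buffer_t input_message_buffer,
 int *conf_state,
 gss_buffer_t output_message_buffer);

/* gss_wrap_iov: IOV form of krb5_gss_wrap, operating in place on iov. */
OM_uint32 KRB5_CALLCONV krb5_gss_wrap_iov
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 int conf_req_flag,
 gss_qop_t qop_req,
 int *conf_state,
 gss_iov_buffer_desc *iov,
 int iov_count);

/* gss_wrap_iov_length: compute the header/trailer/padding sizes
 * krb5_gss_wrap_iov needs, without producing a token. */
OM_uint32 KRB5_CALLCONV krb5_gss_wrap_iov_length
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 int conf_req_flag,
 gss_qop_t qop_req,
 int *conf_state,
 gss_iov_buffer_desc *iov,
 int iov_count);

/* gss_unwrap: verify and decrypt a wrap token from the peer.
 * input_message_buffer is untrusted input. */
OM_uint32 KRB5_CALLCONV krb5_gss_unwrap
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 gss_buffer_t input_message_buffer,
 gss_buffer_t output_message_buffer,
 int *conf_state,
 gss_qop_t *qop_state);

/* gss_unwrap_iov: IOV form of krb5_gss_unwrap, operating in place on iov. */
OM_uint32 KRB5_CALLCONV krb5_gss_unwrap_iov
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 int *conf_state,
 gss_qop_t *qop_state,
 gss_iov_buffer_desc *iov,
 int iov_count);

/* gss_wrap_size_limit: largest message (*max_input_size) that wraps into at
 * most req_output_size bytes. */
OM_uint32 KRB5_CALLCONV krb5_gss_wrap_size_limit
(OM_uint32 *minor_status,
 gss_ctx_id_t context_handle,
 int conf_req_flag,
 gss_qop_t qop_req,
 OM_uint32 req_output_size,
 OM_uint32 *max_input_size);

/* Import a mechanism-native name object (a krb5_principal, presumably,
 * depending on input_name_type) as a gss_name_t. */
OM_uint32 KRB5_CALLCONV krb5_gss_import_name_object
(OM_uint32 *minor_status,
 void *input_name,
 gss_OID input_name_type,
 gss_name_t *output_name);

/* Inverse of krb5_gss_import_name_object: export input_name as a
 * mechanism-native object of type desired_name_type. */
OM_uint32 KRB5_CALLCONV krb5_gss_export_name_object
(OM_uint32 *minor_status,
 gss_name_t input_name,
 gss_OID desired_name_type,
 void **output_name);

/* gss_inquire_cred_by_mech: per-mechanism view of cred_handle, with
 * separate initiator and acceptor lifetimes. */
OM_uint32 KRB5_CALLCONV krb5_gss_inquire_cred_by_mech
(OM_uint32 *minor_status,
 gss_cred_id_t cred_handle,
 gss_OID mech_type,
 gss_name_t *name,
 OM_uint32 *initiator_lifetime,
 OM_uint32 *acceptor_lifetime,
 gss_cred_usage_t *cred_usage);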
837  OM_uint32 *,                /* acceptor_lifetime */
838  gss_cred_usage_t *          /* cred_usage */
839 );
840 #ifndef LEAN_CLIENT
841 OM_uint32 KRB5_CALLCONV krb5_gss_export_sec_context
842 (OM_uint32 *,           /* minor_status */
843  gss_ctx_id_t *,             /* context_handle */
844  gss_buffer_t                /* interprocess_token */
845 );
846
847 OM_uint32 KRB5_CALLCONV krb5_gss_import_sec_context
848 (OM_uint32 *,           /* minor_status */
849  gss_buffer_t,               /* interprocess_token */
850  gss_ctx_id_t *              /* context_handle */
851 );
852 #endif /* LEAN_CLIENT */
853
854 krb5_error_code krb5_gss_ser_init(krb5_context);
855
856 OM_uint32 krb5_gss_release_oid
857 (OM_uint32 *,           /* minor_status */
858  gss_OID *                   /* oid */
859 );
860
861 OM_uint32 KRB5_CALLCONV krb5_gss_internal_release_oid
862 (OM_uint32 *,           /* minor_status */
863  gss_OID *                   /* oid */
864 );
865
866 OM_uint32 KRB5_CALLCONV krb5_gss_inquire_names_for_mech
867 (OM_uint32 *,           /* minor_status */
868  gss_OID,                    /* mechanism */
869  gss_OID_set *               /* name_types */
870 );
871
872 OM_uint32 krb5_gss_canonicalize_name
873 (OM_uint32  *,          /* minor_status */
874  const gss_name_t,           /* input_name */
875  const gss_OID,              /* mech_type */
876  gss_name_t *                /* output_name */
877 );
878
879 OM_uint32 KRB5_CALLCONV krb5_gss_export_name
880 (OM_uint32  *,          /* minor_status */
881  const gss_name_t,           /* input_name */
882  gss_buffer_t                /* exported_name */
883 );
884
885 OM_uint32 KRB5_CALLCONV krb5_gss_duplicate_name
886 (OM_uint32  *,          /* minor_status */
887  const gss_name_t,           /* input_name */
888  gss_name_t *                /* dest_name */
889 );
890
891 OM_uint32 krb5_gss_validate_cred
892 (OM_uint32 *,           /* minor_status */
893  gss_cred_id_t               /* cred */
894 );
895
896 OM_uint32 KRB5_CALLCONV krb5_gss_acquire_cred_impersonate_name(
897     OM_uint32 *,            /* minor_status */
898     const gss_cred_id_t,    /* impersonator_cred_handle */
899     const gss_name_t,       /* desired_name */
900     OM_uint32,              /* time_req */
901     const gss_OID_set,      /* desired_mechs */
902     gss_cred_usage_t,       /* cred_usage */
903     gss_cred_id_t *,        /* output_cred_handle */
904     gss_OID_set *,          /* actual_mechs */
905     OM_uint32 *);           /* time_rec */
906
907 OM_uint32
908 krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
909                          gss_cred_id_t /* cred_handle */,
910                          krb5_context /* context */);
911
912 gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid);
913
914 krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
915                                                krb5_gss_ctx_id_rec *,
916                                                const gss_buffer_desc *,
917                                                gss_buffer_t,
918                                                int, int);
919
920 OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
921                                       OM_uint32 *minor_status,
922                                       krb5_gss_ctx_id_rec *ctx,
923                                       unsigned char *ptr,
924                                       unsigned int bodysize,
925                                       gss_buffer_t message_buffer,
926                                       int *conf_state, gss_qop_t *qop_state,
927                                       int toktype);
928
929 int gss_krb5int_rotate_left (void *ptr, size_t bufsiz, size_t rc);
930
931 /* naming_exts.c */
932 #define KG_INIT_NAME_NO_COPY 0x1
933
934 krb5_error_code
935 kg_init_name(krb5_context context, krb5_principal principal,
936              char *service, char *host, krb5_authdata_context ad_context,
937              krb5_flags flags, krb5_gss_name_t *name);
938
939 krb5_error_code
940 kg_release_name(krb5_context context, krb5_gss_name_t *name);
941
942 krb5_error_code
943 kg_duplicate_name(krb5_context context, const krb5_gss_name_t src,
944                   krb5_gss_name_t *dst);
945
946 krb5_boolean
947 kg_compare_name(krb5_context context,
948                 krb5_gss_name_t name1,
949                 krb5_gss_name_t name2);
950
951 krb5_boolean
952 kg_acceptor_princ(krb5_context context, krb5_gss_name_t name,
953                   krb5_principal *princ_out);
954
955 OM_uint32 KRB5_CALLCONV
956 krb5_gss_display_name_ext(OM_uint32 *minor_status,
957                           gss_name_t name,
958                           gss_OID display_as_name_type,
959                           gss_buffer_t display_name);
960
961 OM_uint32 KRB5_CALLCONV
962 krb5_gss_inquire_name(OM_uint32 *minor_status,
963                       gss_name_t name,
964                       int *name_is_MN,
965                       gss_OID *MN_mech,
966                       gss_buffer_set_t *attrs);
967
968 OM_uint32 KRB5_CALLCONV
969 krb5_gss_get_name_attribute(OM_uint32 *minor_status,
970                             gss_name_t name,
971                             gss_buffer_t attr,
972                             int *authenticated,
973                             int *complete,
974                             gss_buffer_t value,
975                             gss_buffer_t display_value,
976                             int *more);
977
978 OM_uint32 KRB5_CALLCONV
979 krb5_gss_set_name_attribute(OM_uint32 *minor_status,
980                             gss_name_t name,
981                             int complete,
982                             gss_buffer_t attr,
983                             gss_buffer_t value);
984
985 OM_uint32 KRB5_CALLCONV
986 krb5_gss_delete_name_attribute(OM_uint32 *minor_status,
987                                gss_name_t name,
988                                gss_buffer_t attr);
989
990 OM_uint32 KRB5_CALLCONV
991 krb5_gss_export_name_composite(OM_uint32 *minor_status,
992                                gss_name_t name,
993                                gss_buffer_t exp_composite_name);
994
995 OM_uint32 KRB5_CALLCONV
996 krb5_gss_map_name_to_any(OM_uint32 *minor_status,
997                          gss_name_t name,
998                          int authenticated,
999                          gss_buffer_t type_id,
1000                          gss_any_t *output);
1001
1002 OM_uint32 KRB5_CALLCONV
1003 krb5_gss_release_any_name_mapping(OM_uint32 *minor_status,
1004                                   gss_name_t name,
1005                                   gss_buffer_t type_id,
1006                                   gss_any_t *input);
1007
1008 OM_uint32 KRB5_CALLCONV
1009 krb5_gss_pseudo_random(OM_uint32 *minor_status,
1010                        gss_ctx_id_t context,
1011                        int prf_key,
1012                        const gss_buffer_t prf_in,
1013                        ssize_t desired_output_len,
1014                        gss_buffer_t prf_out);
1015
1016 OM_uint32 KRB5_CALLCONV
1017 krb5_gss_store_cred(OM_uint32 *minor_status,
1018                     gss_cred_id_t input_cred_handle,
1019                     gss_cred_usage_t cred_usage,
1020                     const gss_OID desired_mech,
1021                     OM_uint32 overwrite_cred,
1022                     OM_uint32 default_cred,
1023                     gss_OID_set *elements_stored,
1024                     gss_cred_usage_t *cred_usage_stored);
1025
1026 /* s4u_gss_glue.c */
1027 OM_uint32
1028 kg_compose_deleg_cred(OM_uint32 *minor_status,
1029                       krb5_gss_cred_id_t impersonator_cred,
1030                       krb5_creds *subject_creds,
1031                       OM_uint32 time_req,
1032                       krb5_gss_cred_id_t *output_cred,
1033                       OM_uint32 *time_rec,
1034                       krb5_context context);
1035
1036 /*
1037  * These take unglued krb5-mech-specific contexts.
1038  */
1039
1040 #define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11
1041 #define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01"
1042
1043 OM_uint32 gss_krb5int_get_tkt_flags
1044 (OM_uint32 *minor_status,
1045  const gss_ctx_id_t context_handle,
1046  const gss_OID desired_object,
1047  gss_buffer_set_t *data_set);
1048
1049 #define GSS_KRB5_COPY_CCACHE_OID_LENGTH 11
1050 #define GSS_KRB5_COPY_CCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x02"
1051
1052 OM_uint32 gss_krb5int_copy_ccache
1053 (OM_uint32 *minor_status,
1054  gss_cred_id_t *cred_handle,
1055  const gss_OID desired_oid,
1056  const gss_buffer_t value);
1057
1058 #define GSS_KRB5_CCACHE_NAME_OID_LENGTH 11
1059 #define GSS_KRB5_CCACHE_NAME_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x03"
1060
/*
 * Request record associated with GSS_KRB5_CCACHE_NAME_OID (defined above).
 * Presumably carried in the gss_buffer_t value argument of
 * gss_krb5int_ccache_name() below -- confirm against the callers.
 * Both strings are borrowed: nothing in this header transfers ownership.
 */
struct krb5_gss_ccache_name_req {
    const char *name;       /* ccache name supplied by the caller */
    const char **out_name;  /* where a name is returned to the caller; may be
                             * NULL if no name is wanted back (assumed) */
};
1065
1066 OM_uint32
1067 gss_krb5int_ccache_name(OM_uint32 *minor_status, const gss_OID, const gss_OID,
1068                         const gss_buffer_t);
1069
1070 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
1071 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
1072
1073 OM_uint32
1074 gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
1075
1076 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
1077 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"
1078
/*
 * Request record associated with GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID
 * (defined above).  Presumably carried in the gss_buffer_t value argument of
 * gss_krb5int_set_allowable_enctypes() below -- confirm against the callers.
 */
struct krb5_gss_set_allowable_enctypes_req {
    OM_uint32 num_ktypes;   /* number of entries in ktypes */
    krb5_enctype *ktypes;   /* enctype list; ownership is not established here */
};
1083
1084 OM_uint32
1085 gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
1086                                    gss_cred_id_t *cred,
1087                                    const gss_OID desired_oid,
1088                                    const gss_buffer_t value);
1089
1090 #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11
1091 #define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06"
1092
1093 OM_uint32
1094 gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
1095                                      const gss_ctx_id_t context_handle,
1096                                      const gss_OID desired_object,
1097                                      gss_buffer_set_t *data_set);
1098
1099 #define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11
1100 #define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07"
1101
1102 OM_uint32
1103 gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID,
1104                                    const gss_OID, gss_buffer_t);
1105
1106 extern k5_mutex_t kg_kdc_flag_mutex;
1107 krb5_error_code krb5_gss_init_context (krb5_context *ctxp);
1108
1109 #define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11
1110 #define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08"
1111
1112 OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID,
1113                                       const gss_OID, gss_buffer_t);
1114
1115 krb5_error_code krb5_gss_use_kdc_context(void);
1116
1117 #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11
1118 #define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09"
1119
1120 OM_uint32
1121 gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t);
1122
1123 #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11
1124 #define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a"
1125
1126 OM_uint32
1127 gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
1128                                                 const gss_ctx_id_t context_handle,
1129                                                 const gss_OID desired_object,
1130                                                 gss_buffer_set_t *ad_data);
1131
1132 #define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11
1133 #define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b"
1134
1135 OM_uint32
1136 gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t *, const gss_OID, const gss_buffer_t);
1137
1138 #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
1139 #define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
1140
1141 OM_uint32
1142 gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
1143                                               const gss_ctx_id_t,
1144                                               const gss_OID,
1145                                               gss_buffer_set_t *);
1146
1147 #define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11
1148 #define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d"
1149
/*
 * Request record associated with GSS_KRB5_IMPORT_CRED_OID (defined above).
 * Presumably carried in the gss_buffer_t value argument of
 * gss_krb5int_import_cred() below -- confirm against the callers.
 * Handle ownership (who closes the ccache/keytab) is not established by
 * this header.
 */
struct krb5_gss_import_cred_req {
    krb5_ccache id;                   /* credential cache to import from */
    krb5_principal keytab_principal;  /* principal to select in keytab; NULL
                                       * handling is decided by the callee */
    krb5_keytab keytab;               /* keytab to import acceptor keys from */
};
1155
1156 OM_uint32
1157 gss_krb5int_import_cred(OM_uint32 *minor_status,
1158                         gss_cred_id_t *cred,
1159                         const gss_OID desired_oid,
1160                         const gss_buffer_t value);
1161
1162 #ifdef _GSS_STATIC_LINK
1163 int gss_krb5int_lib_init(void);
1164 void gss_krb5int_lib_fini(void);
1165 #endif /* _GSS_STATIC_LINK */
1166
1167 OM_uint32 gss_krb5int_initialize_library(void);
1168 void gss_krb5int_cleanup_library(void);
1169
1170 /* For error message handling.  */
1171 /* Returns a shared string, not a private copy!  */
1172 extern char *
1173 krb5_gss_get_error_message(OM_uint32 minor_code);
1174 extern void
1175 krb5_gss_save_error_string(OM_uint32 minor_code, char *msg);
1176 extern void
1177 krb5_gss_save_error_message(OM_uint32 minor_code, const char *format, ...)
1178 #if !defined(__cplusplus) && (__GNUC__ > 2)
1179     __attribute__((__format__(__printf__, 2, 3)))
1180 #endif
1181     ;
1182     extern void
1183     krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
1184 #define get_error_message krb5_gss_get_error_message
1185 #define save_error_string krb5_gss_save_error_string
1186 #define save_error_message krb5_gss_save_error_message
1187 #ifdef KRB5_KERNEL
1188 /* Error messages aren't needed in the kernel, so reduce dependencies. */
1189 #define save_error_info(x,y)
1190 #else
1191 #define save_error_info krb5_gss_save_error_info
1192 #endif
1193 extern void krb5_gss_delete_error_info(void *p);
1194
1195 /* Prefix concatenated with Kerberos encryption type */
1196 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
1197 #define GSS_KRB5_SESSION_KEY_ENCTYPE_OID  "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
1198
1199 /* IAKERB */
1200
1201 OM_uint32 KRB5_CALLCONV
1202 iakerb_gss_init_sec_context(OM_uint32 *minor_status,
1203                             gss_cred_id_t claimant_cred_handle,
1204                             gss_ctx_id_t *context_handle,
1205                             gss_name_t target_name,
1206                             gss_OID mech_type,
1207                             OM_uint32 req_flags,
1208                             OM_uint32 time_req,
1209                             gss_channel_bindings_t input_chan_bindings,
1210                             gss_buffer_t input_token,
1211                             gss_OID *actual_mech_type,
1212                             gss_buffer_t output_token,
1213                             OM_uint32 *ret_flags,
1214                             OM_uint32 *time_rec);
1215
1216 OM_uint32 KRB5_CALLCONV
1217 iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
1218                               gss_ctx_id_t *context_handler,
1219                               gss_cred_id_t verifier_cred_handle,
1220                               gss_buffer_t input_token,
1221                               gss_channel_bindings_t input_chan_bindings,
1222                               gss_name_t *src_name,
1223                               gss_OID *mech_type,
1224                               gss_buffer_t output_token,
1225                               OM_uint32 *ret_flags,
1226                               OM_uint32 *time_rec,
1227                               gss_cred_id_t *delegated_cred_handle);
1228
1229 OM_uint32 KRB5_CALLCONV
1230 iakerb_gss_delete_sec_context(OM_uint32 *minor_status,
1231                               gss_ctx_id_t *context_handle,
1232                               gss_buffer_t output_token);
1233
1234 krb5_error_code
1235 iakerb_make_finished(krb5_context context,
1236                      krb5_key key,
1237                      const krb5_data *conv,
1238                      krb5_data **finished);
1239
1240 krb5_error_code
1241 iakerb_verify_finished(krb5_context context,
1242                        krb5_key key,
1243                        const krb5_data *conv,
1244                        const krb5_data *finished);
1245
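/*
 * Transfer the contents of a krb5_data to a gss_buffer and invalidate the
 * source.
 *
 * On Unix this is a plain pointer hand-off: output_buffer takes ownership
 * of input_k5data->data (the original comment relies on the GSS and krb5
 * allocators being interchangeable there -- see gssalloc.h to confirm).
 * On Windows, or when DEBUG_GSSALLOC is defined, GSS buffers must come from
 * gssalloc_malloc(), so the bytes are copied into a fresh allocation and the
 * krb5 allocation is freed.
 *
 * Returns 0 on success or ENOMEM if the copy allocation fails.  In both
 * cases *input_k5data is empty on return, so the caller must not free its
 * data again.  On failure output_buffer is left as an empty buffer
 * (length 0, value NULL) rather than a non-zero length paired with a NULL
 * value, so a caller that only tests length cannot read through NULL.
 */
static inline krb5_error_code
data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)
{
    krb5_error_code code = 0;
    size_t len = input_k5data->length;

#if defined(_WIN32) || defined(DEBUG_GSSALLOC)
    /* Start from a consistent empty buffer; only publish the length once
     * the copy has actually succeeded. */
    output_buffer->value = NULL;
    output_buffer->length = 0;
    if (len > 0) {
        output_buffer->value = gssalloc_malloc(len);
        if (output_buffer->value != NULL) {
            memcpy(output_buffer->value, input_k5data->data, len);
            output_buffer->length = len;
        } else {
            code = ENOMEM;
        }
    }
    /* The krb5 allocation is never handed to the caller on this path, even
     * when the copy failed, because the source is invalidated below. */
    free(input_k5data->data);
#else
    /* Hand the krb5 allocation to the GSS buffer as-is, including a NULL
     * data pointer for a zero-length krb5_data. */
    output_buffer->value = input_k5data->data;
    output_buffer->length = len;
#endif
    /* Invalidate the source so it cannot be freed a second time. */
    *input_k5data = empty_data();
    return code;
}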
1273
1274 #define KRB5_GSS_EXTS_IAKERB_FINISHED 1
1275
1276
1277 /* Credential store extensions */
1278
1279 #define KRB5_CS_CLI_KEYTAB_URN "client_keytab"
1280 #define KRB5_CS_KEYTAB_URN "keytab"
1281 #define KRB5_CS_CCACHE_URN "ccache"
1282 #define KRB5_CS_RCACHE_URN "rcache"
1283
1284 OM_uint32
1285 kg_value_from_cred_store(gss_const_key_value_set_t cred_store,
1286                          const char *type, const char **value);
1287
1288 OM_uint32 KRB5_CALLCONV
1289 krb5_gss_acquire_cred_from(
1290     OM_uint32 *,               /* minor_status */
1291     const gss_name_t,          /* desired_name */
1292     OM_uint32,                 /* time_req */
1293     const gss_OID_set,         /* desired_mechs */
1294     gss_cred_usage_t,          /* cred_usage */
1295     gss_const_key_value_set_t, /* cred_store */
1296     gss_cred_id_t *,           /* output_cred_handle */
1297     gss_OID_set *,             /* actual_mechs */
1298     OM_uint32 *);              /* time_rec */
1299
1300 OM_uint32 KRB5_CALLCONV
1301 krb5_gss_store_cred_into(
1302     OM_uint32 *,               /* minor_status */
1303     gss_cred_id_t,             /* input_cred_handle */
1304     gss_cred_usage_t,          /* input_usage */
1305     const gss_OID,             /* desired_mech */
1306     OM_uint32,                 /* overwrite_cred */
1307     OM_uint32,                 /* default_cred */
1308     gss_const_key_value_set_t, /* cred_store */
1309     gss_OID_set *,             /* elements_stored */
1310     gss_cred_usage_t *);       /* cred_usage_stored */
1311
1312 OM_uint32 KRB5_CALLCONV
1313 krb5_gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
1314                      gss_buffer_t token);
1315
1316 OM_uint32 KRB5_CALLCONV
1317 krb5_gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token,
1318                      gss_cred_id_t *cred_handle);
1319
1320 OM_uint32 KRB5_CALLCONV
1321 iakerb_gss_process_context_token(OM_uint32 *minor_status,
1322                                  const gss_ctx_id_t context_handle,
1323                                  const gss_buffer_t token_buffer);
1324
1325 OM_uint32 KRB5_CALLCONV
1326 iakerb_gss_context_time(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1327                         OM_uint32 *time_rec);
1328
1329 OM_uint32 KRB5_CALLCONV
1330 iakerb_gss_inquire_context(OM_uint32 *minor_status,
1331                            gss_ctx_id_t context_handle, gss_name_t *src_name,
1332                            gss_name_t *targ_name, OM_uint32 *lifetime_rec,
1333                            gss_OID *mech_type, OM_uint32 *ctx_flags,
1334                            int *locally_initiated, int *opened);
1335
1336 OM_uint32 KRB5_CALLCONV
1337 iakerb_gss_get_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1338                    gss_qop_t qop_req, gss_buffer_t message_buffer,
1339                    gss_buffer_t message_token);
1340
1341 OM_uint32 KRB5_CALLCONV
1342 iakerb_gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1343                        gss_qop_t qop_req, gss_iov_buffer_desc *iov,
1344                        int iov_count);
1345
1346 OM_uint32 KRB5_CALLCONV
1347 iakerb_gss_get_mic_iov_length(OM_uint32 *minor_status,
1348                               gss_ctx_id_t context_handle, gss_qop_t qop_req,
1349                               gss_iov_buffer_desc *iov, int iov_count);
1350
1351 OM_uint32 KRB5_CALLCONV
1352 iakerb_gss_verify_mic(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1353                       gss_buffer_t msg_buffer, gss_buffer_t token_buffer,
1354                       gss_qop_t *qop_state);
1355
1356 OM_uint32 KRB5_CALLCONV
1357 iakerb_gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1358                           gss_qop_t *qop_state, gss_iov_buffer_desc *iov,
1359                           int iov_count);
1360
1361 OM_uint32 KRB5_CALLCONV
1362 iakerb_gss_wrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1363                 int conf_req_flag, gss_qop_t qop_req,
1364                 gss_buffer_t input_message_buffer, int *conf_state,
1365                 gss_buffer_t output_message_buffer);
1366
1367 OM_uint32 KRB5_CALLCONV
1368 iakerb_gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1369                     int conf_req_flag, gss_qop_t qop_req, int *conf_state,
1370                     gss_iov_buffer_desc *iov, int iov_count);
1371
1372 OM_uint32 KRB5_CALLCONV
1373 iakerb_gss_wrap_iov_length(OM_uint32 *minor_status,
1374                            gss_ctx_id_t context_handle, int conf_req_flag,
1375                            gss_qop_t qop_req, int *conf_state,
1376                            gss_iov_buffer_desc *iov, int iov_count);
1377
1378 OM_uint32 KRB5_CALLCONV
1379 iakerb_gss_unwrap(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1380                   gss_buffer_t input_message_buffer,
1381                   gss_buffer_t output_message_buffer, int *conf_state,
1382                   gss_qop_t *qop_state);
1383
1384 OM_uint32 KRB5_CALLCONV
1385 iakerb_gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1386                       int *conf_state, gss_qop_t *qop_state,
1387                       gss_iov_buffer_desc *iov, int iov_count);
1388
1389 OM_uint32 KRB5_CALLCONV
1390 iakerb_gss_wrap_size_limit(OM_uint32 *minor_status,
1391                            gss_ctx_id_t context_handle, int conf_req_flag,
1392                            gss_qop_t qop_req, OM_uint32 req_output_size,
1393                            OM_uint32 *max_input_size);
1394
1395 #ifndef LEAN_CLIENT
1396 OM_uint32 KRB5_CALLCONV
1397 iakerb_gss_export_sec_context(OM_uint32 *minor_status,
1398                               gss_ctx_id_t *context_handle,
1399                               gss_buffer_t interprocess_token);
1400
1401 OM_uint32 KRB5_CALLCONV
1402 iakerb_gss_import_sec_context(OM_uint32 *minor_status,
1403                               const gss_buffer_t interprocess_token,
1404                               gss_ctx_id_t *context_handle);
1405 #endif /* LEAN_CLIENT */
1406
1407 OM_uint32 KRB5_CALLCONV
1408 iakerb_gss_inquire_sec_context_by_oid(OM_uint32 *minor_status,
1409                                       const gss_ctx_id_t context_handle,
1410                                       const gss_OID desired_object,
1411                                       gss_buffer_set_t *data_set);
1412
1413 OM_uint32 KRB5_CALLCONV
1414 iakerb_gss_set_sec_context_option(OM_uint32 *minor_status,
1415                                   gss_ctx_id_t *context_handle,
1416                                   const gss_OID desired_object,
1417                                   const gss_buffer_t value);
1418
1419 OM_uint32 KRB5_CALLCONV
1420 iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle,
1421                          int prf_key, const gss_buffer_t prf_in,
1422                          ssize_t desired_output_len, gss_buffer_t prf_out);
1423
1424 /* Magic string to identify exported krb5 GSS credentials.  Increment this if
1425  * the format changes. */
1426 #define CRED_EXPORT_MAGIC "K5C1"
1427
1428 #endif /* _GSSAPIP_KRB5_H_ */