1 /*
   2  * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
   3  */
   4 /*
   5  * Copyright 2000 by the Massachusetts Institute of Technology.
   6  * All Rights Reserved.
   7  *
   8  * Export of this software from the United States of America may
   9  *   require a specific license from the United States Government.
  10  *   It is the responsibility of any person or organization contemplating
  11  *   export to obtain such a license before exporting.
  12  * 
  13  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  14  * distribute this software and its documentation for any purpose and
  15  * without fee is hereby granted, provided that the above copyright
  16  * notice appear in all copies and that both that copyright notice and
  17  * this permission notice appear in supporting documentation, and that
  18  * the name of M.I.T. not be used in advertising or publicity pertaining
  19  * to distribution of the software without specific, written prior
  20  * permission.  Furthermore if you modify this software you must label
  21  * your software as modified software and not distribute it in such a
  22  * fashion that it might be confused with the original M.I.T. software.
  23  * M.I.T. makes no representations about the suitability of
  24  * this software for any purpose.  It is provided "as is" without express
  25  * or implied warranty.
  26  * 
  27  */
  28 /*
  29  * Copyright 1993 by OpenVision Technologies, Inc.
  30  * 
  31  * Permission to use, copy, modify, distribute, and sell this software
  32  * and its documentation for any purpose is hereby granted without fee,
  33  * provided that the above copyright notice appears in all copies and
  34  * that both that copyright notice and this permission notice appear in
  35  * supporting documentation, and that the name of OpenVision not be used
  36  * in advertising or publicity pertaining to distribution of the software
  37  * without specific, written prior permission. OpenVision makes no
  38  * representations about the suitability of this software for any
  39  * purpose.  It is provided "as is" without express or implied warranty.
  40  * 
  41  * OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
  42  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
  43  * EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
  44  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
  45  * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
  46  * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  47  * PERFORMANCE OF THIS SOFTWARE.
  48  */
  49 
  50 #ifndef _GSSAPIP_KRB5_H_
  51 #define _GSSAPIP_KRB5_H_
  52 
  53 #include <k5-int.h>
  54 
  55 #ifdef HAVE_MEMORY_H
  56 #include <memory.h>
  57 #endif
  58 
  59 /* work around sunos braindamage */
  60 #ifdef major
  61 #undef major
  62 #endif
  63 #ifdef minor
  64 #undef minor
  65 #endif
  66 
  67 #include "gssapiP_generic.h"
  68 
/* The include of gssapi_krb5.h will do the right thing (dtrt) with the
 * above #defines in effect.
 */
  72 #include "gssapi_krb5.h"
  73 #include "gssapi_err_krb5.h"
  74 #include "gssapi_ext.h"
  75 
  76 /* for debugging */
  77 #undef CFX_EXERCISE
  78 
  79 /** constants **/
  80 
  81 #define GSS_MECH_KRB5_OID_LENGTH 9
  82 #define GSS_MECH_KRB5_OID "\052\206\110\206\367\022\001\002\002"
  83 
  84 #define GSS_MECH_KRB5_OLD_OID_LENGTH 5
  85 #define GSS_MECH_KRB5_OLD_OID "\053\005\001\005\002"
  86 
/* Incorrect krb5 mech OID emitted by MS.  Same length as GSS_MECH_KRB5_OID
   above and identical to it except for the fourth octet (\202 instead of
   \206); keep both lengths in step if either OID is ever changed. */
#define GSS_MECH_KRB5_WRONG_OID_LENGTH 9
#define GSS_MECH_KRB5_WRONG_OID "\052\206\110\202\367\022\001\002\002"
  90 
  91 
/* Checksum type tagging the GSS-API channel-binding checksum (the "CB" in
   the name; cf. kg_checksum_channel_bindings below) -- inferred from the
   name, confirm in the .c. */
#define CKSUMTYPE_KG_CB         0x8003

/* Token identifiers for the pre-CFX token format (proto 0 in
   krb5_gss_ctx_id_rec).  KG_TOK_SIGN_MSG/KG_TOK_SEAL_MSG and
   KG_TOK_MIC_MSG/KG_TOK_WRAP_MSG are the GSS-API v1 and v2 names for the
   same two wire values (0x0101 and 0x0201), so either spelling matches the
   same incoming token. */
#define KG_TOK_CTX_AP_REQ       0x0100
#define KG_TOK_CTX_AP_REP       0x0200
#define KG_TOK_CTX_ERROR        0x0300
#define KG_TOK_SIGN_MSG         0x0101
#define KG_TOK_SEAL_MSG         0x0201
#define KG_TOK_MIC_MSG          0x0101
#define KG_TOK_WRAP_MSG         0x0201
#define KG_TOK_DEL_CTX          0x0102

/* Token identifiers for the newer (presumably CFX, proto 1) token format;
   these do not collide with the KG_TOK_* values above. */
#define KG2_TOK_INITIAL         0x0101
#define KG2_TOK_RESPONSE        0x0202
#define KG2_TOK_MIC             0x0303
#define KG2_TOK_WRAP_INTEG      0x0404
#define KG2_TOK_WRAP_PRIV       0x0505
 108 
 109 #define KRB5_GSS_FOR_CREDS_OPTION 1
 110 
 111 #define KG2_RESP_FLAG_ERROR             0x0001
 112 #define KG2_RESP_FLAG_DELEG_OK          0x0002
 113 
/* Signature (integrity) algorithm identifiers for pre-CFX tokens
   (presumably used with proto 0 of krb5_gss_ctx_id_rec; see
   krb5_gss_ctx_id_rec.signalg).
   These are to be stored in little-endian order, i.e., des-mac is
   stored as 02 00.
   The values are not contiguous: SGN_ALG_HMAC_MD5 (0x0011) pairs with
   SEAL_ALG_MICROSOFT_RC4 below (both marked "microsoft w2k"), and
   SGN_ALG_HMAC_SHA1_DES3_KD (0x0004) is listed out of numeric order. */
enum sgn_alg {
  SGN_ALG_DES_MAC_MD5           = 0x0000,
  SGN_ALG_MD2_5                 = 0x0001,
  SGN_ALG_DES_MAC               = 0x0002,
  SGN_ALG_3                     = 0x0003, /* not published */
  SGN_ALG_HMAC_MD5              = 0x0011, /* microsoft w2k;  */
  SGN_ALG_HMAC_SHA1_DES3_KD     = 0x0004
};
/* Confidentiality (seal) algorithm identifiers for the same pre-CFX tokens
   (see krb5_gss_ctx_id_rec.sealalg); presumably stored little-endian like
   sgn_alg -- confirm.  SEAL_ALG_NONE (0xffff, i.e. an all-ones 2-byte
   field) marks a token carrying no confidentiality. */
enum seal_alg {
  SEAL_ALG_NONE            = 0xffff,
  SEAL_ALG_DES             = 0x0000,
  SEAL_ALG_1               = 0x0001, /* not published */
  SEAL_ALG_MICROSOFT_RC4   = 0x0010, /* microsoft w2k;  */
  SEAL_ALG_DES3KD          = 0x0002
};
 131 
/* Key-usage numbers for key derivation (presumably the `usage` argument of
   kg_encrypt/kg_decrypt below -- confirm).  The two sets overlap
   numerically: 22-24 mean one thing on the pre-CFX 3DES path and another
   under CFX (KG_USAGE_SEQ and KG_USAGE_INITIATOR_SEAL are both 24).  A
   context is expected to use only the set matching its `proto` (see
   krb5_gss_ctx_id_rec), so the two sets must never be mixed on one key. */
/* for 3DES */
#define KG_USAGE_SEAL 22
#define KG_USAGE_SIGN 23
#define KG_USAGE_SEQ  24

/* for draft-ietf-krb-wg-gssapi-cfx-01 */
#define KG_USAGE_ACCEPTOR_SEAL  22
#define KG_USAGE_ACCEPTOR_SIGN  23
#define KG_USAGE_INITIATOR_SEAL 24
#define KG_USAGE_INITIATOR_SIGN 25
 142 
/* Mechanism-specific QOP values.  The low byte (GSS_KRB5_INTEG_C_QOP_MASK,
   0x00ff) selects the integrity algorithm and the high byte
   (GSS_KRB5_CONF_C_QOP_MASK, 0xff00) the confidentiality algorithm, so a
   single qop value can combine one of each. */
enum qop {
  GSS_KRB5_INTEG_C_QOP_MD5       = 0x0001, /* *partial* MD5 = "MD2.5" */
  GSS_KRB5_INTEG_C_QOP_DES_MD5   = 0x0002,
  GSS_KRB5_INTEG_C_QOP_DES_MAC   = 0x0003,
  GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
  GSS_KRB5_INTEG_C_QOP_MASK      = 0x00ff,
  GSS_KRB5_CONF_C_QOP_DES        = 0x0100,
  GSS_KRB5_CONF_C_QOP_DES3_KD    = 0x0200,
  GSS_KRB5_CONF_C_QOP_MASK       = 0xff00
};
 153 
 154 /** internal types **/
 155 
 156 typedef krb5_principal krb5_gss_name_t;
 157 
/* A krb5-mechanism credential: the object behind a gss_cred_id_t for this
   mech.  Handles are registered/validated through kg_save_cred_id and
   kg_validate_cred_id (helper macros below). */
typedef struct _krb5_gss_cred_id_rec {
   /* protect against simultaneous accesses */
   k5_mutex_t lock;

   /* name/type of credential */
   gss_cred_usage_t usage;      /* GSS_C_INITIATE / GSS_C_ACCEPT / GSS_C_BOTH */
   krb5_principal princ;        /* this is not interned as a gss_name_t */
   /* Which krb5 mech OID variant(s) this credential may be used with;
      presumably nonzero for GSS_MECH_KRB5_OLD_OID and GSS_MECH_KRB5_OID
      respectively -- confirm in acquire_cred. */
   int prerfc_mech;
   int rfc_mech;

   /* keytab (accept) data */
   krb5_keytab keytab;
   krb5_rcache rcache;          /* replay cache; see krb5_gss_ctx_id_rec.cred_rcache */

   /* ccache (init) data */
   krb5_ccache ccache;
   krb5_timestamp tgt_expire;   /* presumably expiry of the TGT in ccache -- confirm */
   krb5_enctype *req_enctypes;  /* limit negotiated enctypes to this list
                                   (presumably set by gss_krb5int_set_allowable_enctypes
                                   below; NULL meaning "no restriction" -- confirm) */
} krb5_gss_cred_id_rec, *krb5_gss_cred_id_t;
 177 
/* A krb5-mechanism security context: the object behind a gss_ctx_id_t for
   this mech.  The kg_ctx_size / kg_ctx_externalize / kg_ctx_internalize
   prototypes below suggest this record is flattened for
   export_sec_context, so any new field presumably has to be mirrored
   there -- confirm before adding one.
   NOTE(review): subkey, enc, seq and acceptor_subkey point at session key
   material; confirm the delete_sec_context path frees (and wipes) them. */
typedef struct _krb5_gss_ctx_id_rec {
   unsigned int initiate : 1;   /* nonzero if initiating, zero if accepting */
   unsigned int established : 1;  /* presumably set once establishment completes -- confirm */
   unsigned int big_endian : 1;   /* byte order of integer fields in pre-CFX tokens -- assumption, confirm */
   unsigned int have_acceptor_subkey : 1;  /* acceptor_subkey below is present (CFX) */
   unsigned int seed_init : 1;  /* XXX tested but never actually set */
   OM_uint32 gss_flags;         /* GSS-API context flag word (req_flags/ret_flags) */
   unsigned char seed[16];      /* see kg_make_seed(); only meaningful when seed_init is set */
   krb5_principal here;         /* local principal (by name -- confirm) */
   krb5_principal there;        /* peer principal (by name -- confirm) */
   krb5_keyblock *subkey;       /* session subkey; checksummed with cksumtype below */
   int signalg;                 /* pre-CFX signing algorithm, see enum sgn_alg */
   size_t cksum_size;           /* byte length of the per-token checksum for signalg */
   int sealalg;                 /* pre-CFX sealing algorithm, see enum seal_alg */
   krb5_keyblock *enc;          /* key used for sealing (pre-CFX; by name -- confirm) */
   krb5_keyblock *seq;          /* key for sequence-number protection (pre-CFX; cf. kg_make_seq_num) */
   krb5_timestamp endtime;      /* context expiry (by name -- confirm) */
   krb5_ticket_times krb_times; /* ticket lifetime fields -- confirm source */
   krb5_flags krb_flags;        /* ticket flags (cf. gss_krb5int_get_tkt_flags below) */
   /* XXX these used to be signed.  the old spec is inspecific, and
      the new spec specifies unsigned.  I don't believe that the change
      affects the wire encoding. */
   gssint_uint64 seq_send;      /* next outgoing sequence number (by name -- confirm) */
   gssint_uint64 seq_recv;      /* next expected incoming sequence number (by name -- confirm) */
   void *seqstate;              /* opaque replay/out-of-order window state -- confirm in the .c */
   krb5_context k5_context;
   krb5_auth_context auth_context;
   gss_OID_desc *mech_used;     /* which GSS_MECH_KRB5*_OID variant was negotiated */
   /* Protocol spec revision
      0 => RFC 1964 with 3DES and RC4 enhancements
      1 => draft-ietf-krb-wg-gssapi-cfx-01
      No others defined so far.  */
   int proto;
   krb5_cksumtype cksumtype;    /* for "main" subkey */
   krb5_keyblock *acceptor_subkey; /* CFX only */
   krb5_cksumtype acceptor_subkey_cksumtype;  /* checksum type for acceptor_subkey (CFX only) */
   int cred_rcache;             /* did we get rcache from creds? */
   krb5_authdata **authdata;    /* authorization data, NULL-terminated array (by type -- confirm) */
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
 217 
 218 extern g_set kg_vdb;
 219 
 220 extern k5_mutex_t gssint_krb5_keytab_lock;
 221 
 222 /* helper macros */
 223 
 224 #define kg_save_name(name)              g_save_name(&kg_vdb,name)
 225 #define kg_save_cred_id(cred)           g_save_cred_id(&kg_vdb,cred)
 226 #define kg_save_ctx_id(ctx)             g_save_ctx_id(&kg_vdb,ctx)
 227 #define kg_save_lucidctx_id(lctx)       g_save_lucidctx_id(&kg_vdb,lctx)
 228 
 229 #define kg_validate_name(name)          g_validate_name(&kg_vdb,name)
 230 #define kg_validate_cred_id(cred)       g_validate_cred_id(&kg_vdb,cred)
 231 #define kg_validate_ctx_id(ctx)         g_validate_ctx_id(&kg_vdb,ctx)
 232 #define kg_validate_lucidctx_id(lctx)   g_validate_lucidctx_id(&kg_vdb,lctx)
 233 
 234 #define kg_delete_name(name)            g_delete_name(&kg_vdb,name)
 235 #define kg_delete_cred_id(cred)         g_delete_cred_id(&kg_vdb,cred)
 236 #define kg_delete_ctx_id(ctx)           g_delete_ctx_id(&kg_vdb,ctx)
 237 #define kg_delete_lucidctx_id(lctx)     g_delete_lucidctx_id(&kg_vdb,lctx)
 238 
 239 /** helper functions **/
 240 
 241 OM_uint32 kg_get_defcred 
 242         (OM_uint32 *minor_status, 
 243                    gss_cred_id_t *cred);
 244 
 245 krb5_error_code kg_checksum_channel_bindings
 246          (krb5_context context, gss_channel_bindings_t cb,
 247                                              krb5_checksum *cksum,
 248                                              int bigend);
 249 
 250 krb5_error_code kg_make_seq_num (krb5_context context,
 251                                            krb5_keyblock *key,
 252             int direction, krb5_ui_4 seqnum, unsigned char *cksum,
 253                                 unsigned char *buf);
 254 
 255 krb5_error_code kg_get_seq_num (krb5_context context,
 256                                           krb5_keyblock *key,
 257             unsigned char *cksum, unsigned char *buf, int *direction,
 258                                           krb5_ui_4 *seqnum);
 259 
 260 krb5_error_code kg_make_seed (krb5_context context,
 261                                         krb5_keyblock *key,
 262                                         unsigned char *seed);
 263 
 264 int kg_confounder_size (krb5_context context, krb5_keyblock *key);
 265 
 266 krb5_error_code kg_make_confounder (krb5_context context, 
 267             krb5_keyblock *key, unsigned char *buf);
 268 
/* Symmetric encrypt/decrypt helpers.  `length` is the byte count of `in`;
   `out` is presumably sized for the same `length` by the caller -- no
   output size is passed, so the callee cannot check it.  `usage` is
   presumably one of the KG_USAGE_* values above -- confirm both against
   the definitions. */
krb5_error_code kg_encrypt (krb5_context context, 
                                      krb5_keyblock *key, int usage,
                                      krb5_pointer iv,
                                      krb5_const_pointer in,
                                      krb5_pointer out,
                                      unsigned int length);
/* RC4 ("arcfour") variant.  Presumably derives a per-message key from
   longterm_key, ms_usage and kd_data[0..kd_data_len) and transforms
   input_len bytes of input_buf into output_buf -- the derivation is in the
   .c.  output_buf again has no size argument and must hold input_len
   bytes. */
krb5_error_code
kg_arcfour_docrypt (krb5_context,
                    const krb5_keyblock *longterm_key , int ms_usage,
                    const unsigned char *kd_data, size_t kd_data_len,
                    const unsigned char *input_buf, size_t input_len,
                    unsigned char *output_buf);

/* Inverse of kg_encrypt; same argument contract (see above). */
krb5_error_code kg_decrypt (krb5_context context,
                                      krb5_keyblock *key,  int usage,
                                      krb5_pointer iv,
                                      krb5_const_pointer in,
                                      krb5_pointer out,
                                      unsigned int length);
 288 
 289 OM_uint32 kg_seal (OM_uint32 *minor_status,
 290                   gss_ctx_id_t context_handle,
 291                   int conf_req_flag,
 292                   int qop_req,
 293                   gss_buffer_t input_message_buffer,
 294                   int *conf_state,
 295                   gss_buffer_t output_message_buffer,
 296                   int toktype);
 297 
 298 OM_uint32 kg_unseal (OM_uint32 *minor_status,
 299                     gss_ctx_id_t context_handle,
 300                     gss_buffer_t input_token_buffer,
 301                     gss_buffer_t message_buffer,
 302                     int *conf_state,
 303                     int *qop_state,
 304                     int toktype);
 305 
 306 OM_uint32 kg_seal_size (OM_uint32 *minor_status,
 307                                   gss_ctx_id_t context_handle,
 308                                   int conf_req_flag,
 309                                   gss_qop_t qop_req,
 310                                   OM_uint32 output_size,
 311                                   OM_uint32 *input_size);
 312 
 313 krb5_error_code kg_ctx_size (krb5_context kcontext,
 314                                        krb5_pointer arg,
 315                                        size_t *sizep);
 316 
 317 krb5_error_code kg_ctx_externalize (krb5_context kcontext,
 318                                               krb5_pointer arg,
 319                                               krb5_octet **buffer,
 320                                               size_t *lenremain);
 321 
 322 krb5_error_code kg_ctx_internalize (krb5_context kcontext,
 323                                               krb5_pointer *argp,
 324                                               krb5_octet **buffer,
 325                                               size_t *lenremain);
 326 
 327 OM_uint32 kg_sync_ccache_name (krb5_context context, OM_uint32 *minor_status);
 328 
 329 OM_uint32 kg_caller_provided_ccache_name (OM_uint32 *minor_status, 
 330                                           int *out_caller_provided_name);
 331 
 332 OM_uint32 kg_get_ccache_name (OM_uint32 *minor_status, 
 333                               const char **out_name);
 334 
 335 OM_uint32 kg_set_ccache_name (OM_uint32 *minor_status, 
 336                               const char *name);
 337 
 338 /** declarations of internal name mechanism functions **/
 339 
 340 OM_uint32 krb5_gss_acquire_cred
 341 (OM_uint32*,       /* minor_status */
 342             gss_name_t,       /* desired_name */
 343             OM_uint32,        /* time_req */
 344             gss_OID_set,      /* desired_mechs */
 345             gss_cred_usage_t, /* cred_usage */
 346             gss_cred_id_t*,   /* output_cred_handle */
 347             gss_OID_set*,     /* actual_mechs */
 348             OM_uint32*        /* time_rec */
 349            );
 350 
 351 OM_uint32 krb5_gss_release_cred
 352 (OM_uint32*,       /* minor_status */
 353             gss_cred_id_t*    /* cred_handle */
 354            );
 355 
 356 OM_uint32 krb5_gss_init_sec_context
 357 (OM_uint32*,       /* minor_status */
 358             gss_cred_id_t,    /* claimant_cred_handle */
 359             gss_ctx_id_t*,    /* context_handle */
 360             gss_name_t,       /* target_name */
 361             gss_OID,          /* mech_type */
 362             OM_uint32,        /* req_flags */
 363             OM_uint32,        /* time_req */
 364             gss_channel_bindings_t,
 365                               /* input_chan_bindings */
 366             gss_buffer_t,     /* input_token */
 367             gss_OID*,         /* actual_mech_type */
 368             gss_buffer_t,     /* output_token */
 369             OM_uint32*,       /* ret_flags */
 370             OM_uint32*        /* time_rec */
 371            );
 372 
 373 OM_uint32 krb5_gss_accept_sec_context
 374 (OM_uint32*,       /* minor_status */
 375             gss_ctx_id_t*,    /* context_handle */
 376             gss_cred_id_t,    /* verifier_cred_handle */
 377             gss_buffer_t,     /* input_token_buffer */
 378             gss_channel_bindings_t,
 379                               /* input_chan_bindings */
 380             gss_name_t*,      /* src_name */
 381             gss_OID*,         /* mech_type */
 382             gss_buffer_t,     /* output_token */
 383             OM_uint32*,       /* ret_flags */
 384             OM_uint32*,       /* time_rec */
 385             gss_cred_id_t*    /* delegated_cred_handle */
 386            );
 387 
 388 OM_uint32 krb5_gss_process_context_token
 389 (OM_uint32*,       /* minor_status */
 390             gss_ctx_id_t,     /* context_handle */
 391             gss_buffer_t      /* token_buffer */
 392            );
 393 
 394 OM_uint32 krb5_gss_delete_sec_context
 395 (OM_uint32*,       /* minor_status */
 396             gss_ctx_id_t*,    /* context_handle */
 397             gss_buffer_t      /* output_token */
 398 #ifdef  _KERNEL
 399             /* */, OM_uint32    /* context verifier */
 400 #endif
 401            );
 402 
 403 OM_uint32 krb5_gss_context_time
 404 (OM_uint32*,       /* minor_status */
 405             gss_ctx_id_t,     /* context_handle */
 406             OM_uint32*        /* time_rec */
 407            );
 408 
 409 OM_uint32 krb5_gss_sign
 410 (OM_uint32*,       /* minor_status */
 411             gss_ctx_id_t,     /* context_handle */
 412             int,              /* qop_req */
 413             gss_buffer_t,     /* message_buffer */
 414             gss_buffer_t      /* message_token */
 415 #ifdef  _KERNEL
 416             /* */, OM_uint32    /* context verifier */
 417 #endif
 418            );
 419 
 420 OM_uint32 krb5_gss_verify
 421 (OM_uint32*,       /* minor_status */
 422             gss_ctx_id_t,     /* context_handle */
 423             gss_buffer_t,     /* message_buffer */
 424             gss_buffer_t,     /* token_buffer */
 425             int*              /* qop_state */
 426 #ifdef  _KERNEL
 427             /* */, OM_uint32    /* context verifier */
 428 #endif
 429            );
 430 
 431 /* EXPORT DELETE START */
 432 OM_uint32 krb5_gss_seal
 433 (OM_uint32*,       /* minor_status */
 434             gss_ctx_id_t,     /* context_handle */
 435             int,              /* conf_req_flag */
 436             int,              /* qop_req */
 437             gss_buffer_t,     /* input_message_buffer */
 438             int*,             /* conf_state */
 439             gss_buffer_t      /* output_message_buffer */
 440 #ifdef  _KERNEL
 441             /* */, OM_uint32    /* context verifier */
 442 #endif
 443            );
 444 
 445 OM_uint32 krb5_gss_unseal
 446 (OM_uint32*,       /* minor_status */
 447             gss_ctx_id_t,     /* context_handle */
 448             gss_buffer_t,     /* input_message_buffer */
 449             gss_buffer_t,     /* output_message_buffer */
 450             int*,             /* conf_state */
 451             int*              /* qop_state */
 452 #ifdef  _KERNEL
 453             /* */, OM_uint32    /* context verifier */
 454 #endif
 455            );
 456 /* EXPORT DELETE END */
 457 
 458 OM_uint32 krb5_gss_display_status
 459 (OM_uint32*,       /* minor_status */
 460             OM_uint32,        /* status_value */
 461             int,              /* status_type */
 462             gss_OID,          /* mech_type */
 463             OM_uint32*,       /* message_context */
 464             gss_buffer_t      /* status_string */
 465            );
 466 
 467 OM_uint32 krb5_gss_indicate_mechs
 468 (OM_uint32*,       /* minor_status */
 469             gss_OID_set*      /* mech_set */
 470            );
 471 
 472 OM_uint32 krb5_gss_compare_name
 473 (OM_uint32*,       /* minor_status */
 474             gss_name_t,       /* name1 */
 475             gss_name_t,       /* name2 */
 476             int*              /* name_equal */
 477            );
 478 
 479 OM_uint32 krb5_gss_display_name
 480 (OM_uint32*,      /* minor_status */
 481             gss_name_t,      /* input_name */
 482             gss_buffer_t,    /* output_name_buffer */
 483             gss_OID*         /* output_name_type */
 484            );
 485 
 486 OM_uint32 krb5_gss_import_name
 487 (OM_uint32*,       /* minor_status */
 488             gss_buffer_t,     /* input_name_buffer */
 489             gss_OID,          /* input_name_type */
 490             gss_name_t*       /* output_name */
 491            );
 492 
 493 OM_uint32 krb5_gss_release_name
 494 (OM_uint32*,       /* minor_status */
 495             gss_name_t*       /* input_name */
 496            );
 497 
 498 OM_uint32 krb5_gss_inquire_cred
 499 (OM_uint32 *,      /* minor_status */
 500             gss_cred_id_t,    /* cred_handle */
 501             gss_name_t *,     /* name */
 502             OM_uint32 *,      /* lifetime */
 503             gss_cred_usage_t*,/* cred_usage */
 504             gss_OID_set *     /* mechanisms */
 505            );
 506 
 507 OM_uint32 krb5_gss_inquire_context
 508 (OM_uint32*,       /* minor_status */
 509             gss_ctx_id_t,     /* context_handle */
 510             gss_name_t*,      /* initiator_name */
 511             gss_name_t*,      /* acceptor_name */
 512             OM_uint32*,       /* lifetime_rec */
 513             gss_OID*,         /* mech_type */
 514             OM_uint32*,       /* ret_flags */
 515             int*,             /* locally_initiated */
 516             int*              /* open */
 517            );
 518 
 519 /* New V2 entry points */
 520 OM_uint32 krb5_gss_get_mic
 521 (OM_uint32 *,           /* minor_status */
 522             gss_ctx_id_t,               /* context_handle */
 523             gss_qop_t,                  /* qop_req */
 524             gss_buffer_t,               /* message_buffer */
 525             gss_buffer_t                /* message_token */
 526            );
 527 
 528 OM_uint32 krb5_gss_verify_mic
 529 (OM_uint32 *,           /* minor_status */
 530             gss_ctx_id_t,               /* context_handle */
 531             gss_buffer_t,               /* message_buffer */
 532             gss_buffer_t,               /* message_token */
 533             gss_qop_t *                 /* qop_state */
 534            );
 535 
 536 OM_uint32 krb5_gss_wrap
 537 (OM_uint32 *,           /* minor_status */
 538             gss_ctx_id_t,               /* context_handle */
 539             int,                        /* conf_req_flag */
 540             gss_qop_t,                  /* qop_req */
 541             gss_buffer_t,               /* input_message_buffer */
 542             int *,                      /* conf_state */
 543             gss_buffer_t                /* output_message_buffer */
 544            );
 545 
 546 OM_uint32 krb5_gss_unwrap
 547 (OM_uint32 *,           /* minor_status */
 548             gss_ctx_id_t,               /* context_handle */
 549             gss_buffer_t,               /* input_message_buffer */
 550             gss_buffer_t,               /* output_message_buffer */
 551             int *,                      /* conf_state */
 552             gss_qop_t *                 /* qop_state */
 553            );
 554 
 555 OM_uint32 krb5_gss_wrap_size_limit
 556 (OM_uint32 *,           /* minor_status */
 557             gss_ctx_id_t,               /* context_handle */
 558             int,                        /* conf_req_flag */
 559             gss_qop_t,                  /* qop_req */
 560             OM_uint32,                  /* req_output_size */
 561             OM_uint32 *                 /* max_input_size */
 562            );
 563 
 564 OM_uint32 krb5_gss_import_name_object
 565 (OM_uint32 *,           /* minor_status */
 566             void *,                     /* input_name */
 567             gss_OID,                    /* input_name_type */
 568             gss_name_t *                /* output_name */
 569            );
 570 
 571 OM_uint32 krb5_gss_export_name_object
 572 (OM_uint32 *,           /* minor_status */
 573             gss_name_t,                 /* input_name */
 574             gss_OID,                    /* desired_name_type */
 575             void * *                    /* output_name */
 576            );
 577 
 578 OM_uint32 krb5_gss_add_cred
 579 (OM_uint32 *,           /* minor_status */
 580             gss_cred_id_t,              /* input_cred_handle */
 581             gss_name_t,                 /* desired_name */
 582             gss_OID,                    /* desired_mech */
 583             gss_cred_usage_t,           /* cred_usage */
 584             OM_uint32,                  /* initiator_time_req */
 585             OM_uint32,                  /* acceptor_time_req */
 586             gss_cred_id_t *,            /* output_cred_handle */
 587             gss_OID_set *,              /* actual_mechs */
 588             OM_uint32 *,                /* initiator_time_rec */
 589             OM_uint32 *                 /* acceptor_time_rec */
 590            );
 591 
 592 OM_uint32 krb5_gss_inquire_cred_by_mech
 593 (OM_uint32  *,          /* minor_status */
 594             gss_cred_id_t,              /* cred_handle */
 595             gss_OID,                    /* mech_type */
 596             gss_name_t *,               /* name */
 597             OM_uint32 *,                /* initiator_lifetime */
 598             OM_uint32 *,                /* acceptor_lifetime */
 599             gss_cred_usage_t *          /* cred_usage */
 600            );
 601 
 602 OM_uint32 krb5_gss_export_sec_context
 603 (OM_uint32 *,           /* minor_status */
 604             gss_ctx_id_t *,             /* context_handle */
 605             gss_buffer_t                /* interprocess_token */
 606             );
 607 
 608 OM_uint32 krb5_gss_import_sec_context
 609 (OM_uint32 *,           /* minor_status */
 610             gss_buffer_t,               /* interprocess_token */
 611             gss_ctx_id_t *              /* context_handle */
 612             /* Note no _KERNEL context verifier */
 613             );
 614 
 615 krb5_error_code krb5_gss_ser_init(krb5_context);
 616 
 617 OM_uint32 krb5_gss_release_oid
 618 (OM_uint32 *,           /* minor_status */
 619             gss_OID *                   /* oid */
 620            );
 621 
 622 OM_uint32 krb5_gss_internal_release_oid
 623 (OM_uint32 *,           /* minor_status */
 624             gss_OID *                   /* oid */
 625            );
 626 
 627 OM_uint32 krb5_gss_inquire_names_for_mech
 628 (OM_uint32 *,           /* minor_status */
 629             gss_OID,                    /* mechanism */
 630             gss_OID_set *               /* name_types */
 631            );
 632 
 633 /* SUNW15resync - XXX nullify? */
 634 OM_uint32 krb5_gss_canonicalize_name
 635 (OM_uint32  *,          /* minor_status */
 636             const gss_name_t,           /* input_name */
 637             const gss_OID,              /* mech_type */
 638             gss_name_t *                /* output_name */
 639          );
 640         
 641 OM_uint32 krb5_gss_export_name
 642 (OM_uint32  *,          /* minor_status */
 643             const gss_name_t,           /* input_name */
 644             gss_buffer_t                /* exported_name */
 645          );
 646 
 647 OM_uint32 krb5_gss_duplicate_name
 648 (OM_uint32  *,          /* minor_status */
 649             const gss_name_t,           /* input_name */
 650             gss_name_t *                /* dest_name */
 651          );
 652 
 653 OM_uint32 krb5_gss_validate_cred
 654 (OM_uint32 *,           /* minor_status */
 655             gss_cred_id_t               /* cred */
 656          );
 657 
 658 OM_uint32
 659 krb5_gss_validate_cred_1(OM_uint32 * /* minor_status */,
 660                          gss_cred_id_t /* cred_handle */,
 661                          krb5_context /* context */);
 662 
 663 gss_OID krb5_gss_convert_static_mech_oid(gss_OID oid);
 664         
/* Token construction for the "v3" (presumably CFX, proto 1) format: builds
   the wrap/MIC token for the given message into the output gss_buffer_t.
   The two trailing ints are presumably conf_req_flag and toktype
   (cf. kg_seal above) -- confirm against the definition. */
krb5_error_code gss_krb5int_make_seal_token_v3(krb5_context,
                                               krb5_gss_ctx_id_rec *,
                                               const gss_buffer_desc *,
                                               gss_buffer_t,
                                               int, int);

/* Parses/verifies a v3 token whose body starts at ptr and is (by name)
   bodysize bytes long, returning the message plus conf_state/qop_state.
   NOTE(review): bodysize is a signed int and ptr points into
   caller-supplied input; nothing in this signature lets the callee check
   the bound, so the caller must have validated bodysize (non-negative and
   within the actual token) before calling.  Also note contextptr is a
   pointer to the krb5_context, unlike the other helpers in this header. */
OM_uint32 gss_krb5int_unseal_token_v3(krb5_context *contextptr,
                                      OM_uint32 *minor_status,
                                      krb5_gss_ctx_id_rec *ctx,
                                      unsigned char *ptr, int bodysize,
                                      gss_buffer_t message_buffer,
                                      int *conf_state, int *qop_state, 
                                      int toktype);
 678 
 679 /*
 680  * SUNW15resync
 681  * Solaris specific interfaces start
 682  */
 683 
 684 OM_uint32 krb5_gss_store_cred (
 685             OM_uint32 *,            /* minor_status */
 686             const gss_cred_id_t,    /* input_cred */
 687             gss_cred_usage_t,       /* cred_usage */
 688             const gss_OID,          /* desired_mech */
 689             OM_uint32,              /* overwrite_cred */
 690             OM_uint32,              /* default_cred */
 691             gss_OID_set *,          /* elements_stored */
 692             gss_cred_usage_t *      /* cred_usage_stored */
 693            );
 694 
 695 OM_uint32 krb5_pname_to_uid(
 696                 OM_uint32 *,            /* minor status */
 697                 const gss_name_t,       /* pname */
 698                 uid_t *                 /* uidOUt */
 699                 );
 700 
 701 OM_uint32 krb5_gss_userok(
 702         OM_uint32 *,            /* minor status */
 703         const gss_name_t,       /* remote user principal name */
 704         const char *,           /* local unix user name */
 705         int *                   /* remote user ok to login w/out pw? */
 706         );
 707 
 708 
 709 /*
 710  * SUNW15resync
 711  * Solaris specific interfaces end
 712  */
 713 
 714 
 715 /*
 716  * These take unglued krb5-mech-specific contexts.
 717  */
 718 
 719 #define GSS_KRB5_GET_TKT_FLAGS_OID_LENGTH 11
 720 #define GSS_KRB5_GET_TKT_FLAGS_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x01"
 721 
 722 #ifndef _KERNEL
 723 OM_uint32  gss_krb5int_get_tkt_flags
 724 (OM_uint32 *minor_status,
 725  const gss_ctx_id_t context_handle,
 726  const gss_OID desired_object,
 727  gss_buffer_set_t *data_set);
 728 
 729 
 730 OM_uint32 KRB5_CALLCONV gss_krb5int_copy_ccache
 731         (OM_uint32 *minor_status,
 732                    gss_cred_id_t cred_handle,
 733                    krb5_ccache out_ccache);
 734 
 735 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
 736 #define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"
 737 
/* Request payload for gss_krb5int_set_allowable_enctypes(): ktypes points
   at num_ktypes krb5_enctype values (the same (num_ktypes, ktypes) pair the
   function takes below).  The struct holds only a pointer, so the caller
   presumably keeps the array alive for the duration of the call -- confirm. */
struct krb5_gss_set_allowable_enctypes_req {
    OM_uint32 num_ktypes;
    krb5_enctype *ktypes;
};
 742 
 743 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
 744 #define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
 745 
 746 OM_uint32
 747 gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
 748 
 749 OM_uint32 KRB5_CALLCONV
 750 gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status, 
 751                                    gss_cred_id_t cred,
 752                                    OM_uint32 num_ktypes,
 753                                    krb5_enctype *ktypes);
 754 
 755 #endif /* _KERNEL */
 756 
#if 0
/*
 * SUNW17PACresync
 * These two functions not needed yet, revisit for full 1.7 resync.
 *
 * NOTE(review): both disabled prototypes conflict with live declarations
 * in this header -- gss_krb5int_set_allowable_enctypes is declared above
 * with (num_ktypes, ktypes) rather than (desired_oid, value), and
 * gss_krb5int_export_lucid_sec_context is declared below with
 * (const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *).  Enabling this
 * block as-is would be a conflicting-types error; the live declarations
 * and their callers have to change first.
 */
OM_uint32 KRB5_CALLCONV
gss_krb5int_set_allowable_enctypes(OM_uint32 *minor_status,
                                   gss_cred_id_t cred,
                                   const gss_OID desired_oid,
                                   const gss_buffer_t value);

OM_uint32 KRB5_CALLCONV
gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
                                     gss_ctx_id_t *context_handle,
                                     OM_uint32 version,
                                     void **kctx);
#endif
 774 
#ifndef _KERNEL
/*
 * 1.2.840.113554.1.2.2.5.6 -- "export lucid security context".  11 bytes.
 * A "lucid" export (as in MIT krb5) hands the context's raw keys to
 * another component in cleartext, so anything carrying the result is key
 * material and must be protected and wiped accordingly.
 */
#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x06"

/*
 * Inquire-by-OID handler for the OID above: context handle in, lucid
 * representation out via *data_set.  Pair with
 * gss_krb5int_free_lucid_sec_context() to release the result.
 */
OM_uint32
gss_krb5int_export_lucid_sec_context(OM_uint32 *minor_status,
                                     const gss_ctx_id_t context_handle,
                                     const gss_OID desired_object,
                                     gss_buffer_set_t *data_set);
 784 
/*
 * 1.2.840.113554.1.2.2.5.7 -- "free lucid security context".  11 bytes.
 */
#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_FREE_LUCID_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x07"

/*
 * Releases a lucid context produced by gss_krb5int_export_lucid_sec_context.
 * Parameter shape (minor, mech OID, object OID, buffer) is the generic
 * mechanism-invoke handler form -- NOTE(review): confirm which entry point
 * dispatches to it.  Since the buffer holds key material, the
 * implementation should zeroize before freeing; that is not visible here.
 */
OM_uint32
gss_krb5int_free_lucid_sec_context(OM_uint32 *, const gss_OID,
                                   const gss_OID, gss_buffer_t);
 791 
 792 
/*
 * Process-wide mutex; from its name it presumably serialises the "use KDC
 * context" flag toggled via krb5_gss_use_kdc_context() below -- confirm in
 * the implementation.  Defined in one translation unit, declared here.
 */
extern k5_mutex_t kg_kdc_flag_mutex;
/* Creates the mechanism's krb5_context into *ctxp; caller owns the result. */
krb5_error_code krb5_gss_init_context (krb5_context *ctxp);
 795 
 796 
/*
 * Verbatim duplicate of the INQ_SSPI_SESSION_KEY macros and prototype
 * declared in the first #ifndef _KERNEL section above.  Harmless (an
 * identical redefinition is allowed by C), but any change must be made to
 * both copies or the compiler will reject the differing redefinition.
 */
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"

/* See the earlier declaration: returns the context session key (key material). */
OM_uint32
gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
 802 
 803 
/*
 * 1.2.840.113554.1.2.2.5.8 -- "use KDC context".  11 bytes.
 */
#define GSS_KRB5_USE_KDC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_USE_KDC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x08"

/*
 * Mechanism-invoke style handler for the OID above (minor, mech OID,
 * object OID, buffer).  NOTE(review): what the buffer carries is not
 * visible from the prototype.
 */
OM_uint32 krb5int_gss_use_kdc_context(OM_uint32 *, const gss_OID,
                                      const gss_OID, gss_buffer_t);

/*
 * Internal switch behind the handler above; takes no arguments, so it
 * presumably sets process-global state (see kg_kdc_flag_mutex).
 */
krb5_error_code krb5_gss_use_kdc_context(void);
 811 
/*
 * 1.2.840.113554.1.2.2.5.9 -- "register acceptor identity".  11 bytes.
 */
#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID_LENGTH 11
#define GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x09"

/*
 * Mechanism-invoke style handler (minor, mech OID, object OID, buffer).
 * If, as the name suggests, the buffer names the acceptor's keytab, it
 * selects where the service's long-term keys are read from and must come
 * from trusted local configuration, never from a peer.  NOTE(review):
 * confirm the buffer's contents in the implementation.
 */
OM_uint32
gss_krb5int_register_acceptor_identity(OM_uint32 *, const gss_OID, const gss_OID, gss_buffer_t);
 817 
/*
 * 1.2.840.113554.1.2.2.5.10 -- "extract authorization data from security
 * context".  11 bytes.
 */
#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0a"

/*
 * Inquire-by-OID handler: returns the context's authorization data in
 * *ad_data.  This only extracts; a consumer must still parse and validate
 * the returned elements itself before acting on them.  Caller releases
 * *ad_data (presumably with gss_release_buffer_set -- confirm).
 */
OM_uint32
gss_krb5int_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
                                                const gss_ctx_id_t context_handle,
                                                const gss_OID desired_object,
                                                gss_buffer_set_t *ad_data);
 826 
/*
 * 1.2.840.113554.1.2.2.5.11 -- "set credential replay cache".  11 bytes.
 */
#define GSS_KRB5_SET_CRED_RCACHE_OID_LENGTH 11
#define GSS_KRB5_SET_CRED_RCACHE_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0b"

/*
 * Credential-option handler (minor, credential, object OID, buffer).
 * The replay cache is what lets an acceptor detect a re-sent AP-REQ, so
 * substituting or disabling it through this call weakens replay
 * detection; only trusted callers should reach it.  NOTE(review): the
 * buffer's encoding of the rcache handle is not visible here.
 */
OM_uint32
gss_krb5int_set_cred_rcache(OM_uint32 *, gss_cred_id_t, const gss_OID, const gss_buffer_t);
 832 
/*
 * 1.2.840.113554.1.2.2.5.12 -- "extract authtime from security context".
 * 11 bytes.
 */
#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"

/*
 * Inquire-by-OID handler returning the context's authtime in a buffer
 * set.  NOTE(review): the encoding of the time value inside the buffer is
 * not visible from this header.
 */
OM_uint32
gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *,
                                              const gss_ctx_id_t,
                                              const gss_OID,
                                              gss_buffer_set_t *);
#endif /* _KERNEL */
 842 
/*
 * One-time mechanism initialisation and its counterpart.  Both are built
 * for kernel and user space (they sit outside the #ifndef _KERNEL guards).
 * NOTE(review): whether initialize is idempotent / thread-safe is not
 * visible here -- confirm before calling it from more than one place.
 */
OM_uint32 gss_krb5int_initialize_library(void);
void gss_krb5int_cleanup_library(void);
 845 
/* For error message handling.  */
/* Returns a shared string, not a private copy!  */
/* Do not free the result; its lifetime is managed by the library. */
extern char *
krb5_gss_get_error_message(OM_uint32 minor_code);
/*
 * Records msg for minor_code.  msg is non-const, which suggests the
 * library keeps (and later frees) the pointer rather than copying it --
 * NOTE(review): confirm ownership in the implementation before passing a
 * string you also free or a string literal.
 */
extern void
krb5_gss_save_error_string(OM_uint32 minor_code, char *msg);
/*
 * printf-style variant.  The format attribute below gives the compiler a
 * chance to check arguments, but only under GCC (>2) and not C++; callers
 * must pass a literal format and never an externally supplied string.
 */
extern void
krb5_gss_save_error_message(OM_uint32 minor_code, const char *format, ...)
#if !defined(__cplusplus) && (__GNUC__ > 2)
    __attribute__((__format__(__printf__, 2, 3)))
#endif
    ;
    /* Copies the extended error info for minor_code out of ctx. */
    extern void
    krb5_gss_save_error_info(OM_uint32 minor_code, krb5_context ctx);
/* Short aliases used throughout the mechanism's .c files. */
#define get_error_message krb5_gss_get_error_message
#define save_error_string krb5_gss_save_error_string
#define save_error_message krb5_gss_save_error_message
 863 
 864 
/* Solaris Kerberos */
/*
 * In the kernel build save_error_info() expands to nothing: the extended
 * error information in ctx is discarded, so kernel callers must not
 * expect it to be retrievable via get_error_message() afterwards.
 */
#ifdef _KERNEL
#define save_error_info(m, ctx)
#else
#define save_error_info krb5_gss_save_error_info
#endif

/* Releases saved error info; p is an opaque pointer owned by the library. */
extern void krb5_gss_delete_error_info(void *p);
 873 
/* Prefix concatenated with Kerberos encryption type */
/*
 * 1.2.840.113554.1.2.2.4 -- a 10-byte prefix; the enctype is appended as a
 * further OID arc, so the complete OID is longer than _LENGTH and its size
 * depends on how the enctype value encodes (NOTE(review): the encoding
 * routine is not in this header -- check it bounds the combined length).
 */
#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID  "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x04"
 877 
 878 #endif /* _GSSAPIP_KRB5_H_ */