2000-11-18 03:01:17 +00:00
|
|
|
/*
|
2010-12-20 23:47:21 +00:00
|
|
|
* Copyright (C) 2004-2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
|
2001-01-09 22:01:04 +00:00
|
|
|
* Copyright (C) 2000, 2001 Internet Software Consortium.
|
2000-11-18 03:01:17 +00:00
|
|
|
*
|
2007-06-18 23:47:57 +00:00
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
2000-11-18 03:01:17 +00:00
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
|
*
|
2004-03-05 05:14:21 +00:00
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
|
|
|
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
|
|
|
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
|
|
|
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
|
|
|
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
|
|
|
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
|
|
|
* PERFORMANCE OF THIS SOFTWARE.
|
2000-11-18 03:01:17 +00:00
|
|
|
*/
|
|
|
|
|
|
2010-12-20 23:47:21 +00:00
|
|
|
/* $Id: gssapi.h,v 1.14 2010/12/20 23:47:21 tbox Exp $ */
|
2000-11-18 03:01:17 +00:00
|
|
|
|
2000-10-07 00:45:13 +00:00
|
|
|
#ifndef DST_GSSAPI_H
|
|
|
|
|
#define DST_GSSAPI_H 1
|
|
|
|
|
|
2006-12-22 01:46:19 +00:00
|
|
|
/*! \file dst/gssapi.h */
|
2005-04-27 04:57:32 +00:00
|
|
|
|
2006-12-04 01:54:53 +00:00
|
|
|
#include <isc/formatcheck.h>
|
2000-10-07 00:45:13 +00:00
|
|
|
#include <isc/lang.h>
|
2006-12-04 01:54:53 +00:00
|
|
|
#include <isc/platform.h>
|
2000-10-07 00:45:13 +00:00
|
|
|
#include <isc/types.h>
|
2006-12-04 01:54:53 +00:00
|
|
|
#include <dns/types.h>
|
|
|
|
|
|
|
|
|
|
#ifdef GSSAPI
|
|
|
|
|
#ifdef _WINDOWS
|
|
|
|
|
/*
|
|
|
|
|
* MSVC does not like macros in #include lines.
|
|
|
|
|
*/
|
|
|
|
|
#include <gssapi/gssapi.h>
|
2010-12-18 01:56:23 +00:00
|
|
|
#include <gssapi/gssapi_krb5.h>
|
2006-12-04 01:54:53 +00:00
|
|
|
#else
|
|
|
|
|
#include ISC_PLATFORM_GSSAPIHEADER
|
2010-12-18 14:46:21 +00:00
|
|
|
#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
|
2010-12-18 01:56:23 +00:00
|
|
|
#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
|
2006-12-04 01:54:53 +00:00
|
|
|
#endif
|
2010-12-18 14:46:21 +00:00
|
|
|
#endif
|
2006-12-04 01:54:53 +00:00
|
|
|
#ifndef GSS_SPNEGO_MECHANISM
|
|
|
|
|
#define GSS_SPNEGO_MECHANISM ((void*)0)
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
2000-10-07 00:45:13 +00:00
|
|
|
|
|
|
|
|
ISC_LANG_BEGINDECLS
|
|
|
|
|
|
|
|
|
|
/***
|
|
|
|
|
*** Types
|
|
|
|
|
***/
|
|
|
|
|
|
|
|
|
|
/***
|
|
|
|
|
*** Functions
|
|
|
|
|
***/
|
|
|
|
|
|
|
|
|
|
isc_result_t
|
2006-12-04 01:54:53 +00:00
|
|
|
dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
|
|
|
|
|
gss_cred_id_t *cred);
|
|
|
|
|
/*
|
|
|
|
|
* Acquires GSS credentials.
|
|
|
|
|
*
|
|
|
|
|
* Requires:
|
|
|
|
|
* 'name' is a valid name, preferably one known by the GSS provider
|
|
|
|
|
* 'initiate' indicates whether the credentials are for initiating or
|
|
|
|
|
* accepting contexts
|
|
|
|
|
* 'cred' is a pointer to NULL, which will be allocated with the
|
|
|
|
|
* credential handle. Call dst_gssapi_releasecred to free
|
|
|
|
|
* the memory.
|
|
|
|
|
*
|
|
|
|
|
* Returns:
|
|
|
|
|
* ISC_R_SUCCESS msg was successfully updated to include the
|
|
|
|
|
* query to be sent
|
|
|
|
|
* other an error occurred while building the message
|
|
|
|
|
*/
|
2000-10-07 00:45:13 +00:00
|
|
|
|
|
|
|
|
isc_result_t
|
2006-12-04 01:54:53 +00:00
|
|
|
dst_gssapi_releasecred(gss_cred_id_t *cred);
|
|
|
|
|
/*
|
|
|
|
|
* Releases GSS credentials. Calling this function does release the
|
|
|
|
|
* memory allocated for the credential in dst_gssapi_acquirecred()
|
|
|
|
|
*
|
|
|
|
|
* Requires:
|
|
|
|
|
* 'mctx' is a valid memory context
|
|
|
|
|
* 'cred' is a pointer to the credential to be released
|
|
|
|
|
*
|
|
|
|
|
* Returns:
|
|
|
|
|
* ISC_R_SUCCESS credential was released successfully
|
|
|
|
|
* other an error occurred while releaseing
|
|
|
|
|
* the credential
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
isc_result_t
|
|
|
|
|
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
|
2010-12-18 01:56:23 +00:00
|
|
|
isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
|
|
|
|
|
dns_name_t *zone, isc_mem_t *mctx, char **err_message);
|
2006-12-04 01:54:53 +00:00
|
|
|
/*
|
|
|
|
|
* Initiates a GSS context.
|
|
|
|
|
*
|
|
|
|
|
* Requires:
|
|
|
|
|
* 'name' is a valid name, preferably one known by the GSS
|
|
|
|
|
* provider
|
|
|
|
|
* 'intoken' is a token received from the acceptor, or NULL if
|
|
|
|
|
* there isn't one
|
|
|
|
|
* 'outtoken' is a buffer to receive the token generated by
|
|
|
|
|
* gss_init_sec_context() to be sent to the acceptor
|
|
|
|
|
* 'context' is a pointer to a valid gss_ctx_id_t
|
|
|
|
|
* (which may have the value GSS_C_NO_CONTEXT)
|
|
|
|
|
*
|
|
|
|
|
* Returns:
|
|
|
|
|
* ISC_R_SUCCESS msg was successfully updated to include the
|
|
|
|
|
* query to be sent
|
|
|
|
|
* other an error occurred while building the message
|
2010-12-18 01:56:23 +00:00
|
|
|
* *err_message optional error message
|
2006-12-04 01:54:53 +00:00
|
|
|
*/
|
2000-10-07 00:45:13 +00:00
|
|
|
|
|
|
|
|
isc_result_t
|
2006-12-04 01:54:53 +00:00
|
|
|
dst_gssapi_acceptctx(gss_cred_id_t cred,
|
2010-12-18 01:56:23 +00:00
|
|
|
const char *gssapi_keytab,
|
2006-12-05 21:59:12 +00:00
|
|
|
isc_region_t *intoken, isc_buffer_t **outtoken,
|
2006-12-04 01:54:53 +00:00
|
|
|
gss_ctx_id_t *context, dns_name_t *principal,
|
|
|
|
|
isc_mem_t *mctx);
|
|
|
|
|
/*
|
|
|
|
|
* Accepts a GSS context.
|
|
|
|
|
*
|
|
|
|
|
* Requires:
|
|
|
|
|
* 'mctx' is a valid memory context
|
|
|
|
|
* 'cred' is the acceptor's valid GSS credential handle
|
|
|
|
|
* 'intoken' is a token received from the initiator
|
2006-12-05 21:59:12 +00:00
|
|
|
* 'outtoken' is a pointer a buffer pointer used to return the token
|
|
|
|
|
* generated by gss_accept_sec_context() to be sent to the
|
|
|
|
|
* initiator
|
2006-12-04 01:54:53 +00:00
|
|
|
* 'context' is a valid pointer to receive the generated context handle.
|
|
|
|
|
* On the initial call, it should be a pointer to NULL, which
|
|
|
|
|
* will be allocated as a gss_ctx_id_t. Subsequent calls
|
|
|
|
|
* should pass in the handle generated on the first call.
|
|
|
|
|
* Call dst_gssapi_releasecred to delete the context and free
|
|
|
|
|
* the memory.
|
|
|
|
|
*
|
2006-12-05 21:59:12 +00:00
|
|
|
* Requires:
|
|
|
|
|
* 'outtoken' to != NULL && *outtoken == NULL.
|
|
|
|
|
*
|
2006-12-04 01:54:53 +00:00
|
|
|
* Returns:
|
|
|
|
|
* ISC_R_SUCCESS msg was successfully updated to include the
|
|
|
|
|
* query to be sent
|
|
|
|
|
* other an error occurred while building the message
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
isc_result_t
|
|
|
|
|
dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
|
|
|
|
|
/*
|
|
|
|
|
* Destroys a GSS context. This function deletes the context from the GSS
|
|
|
|
|
* provider and then frees the memory used by the context pointer.
|
|
|
|
|
*
|
|
|
|
|
* Requires:
|
|
|
|
|
* 'mctx' is a valid memory context
|
|
|
|
|
* 'context' is a valid GSS context
|
|
|
|
|
*
|
|
|
|
|
* Returns:
|
|
|
|
|
* ISC_R_SUCCESS
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
gss_log(int level, const char *fmt, ...)
|
|
|
|
|
ISC_FORMAT_PRINTF(2, 3);
|
|
|
|
|
/*
|
2009-01-17 13:33:29 +00:00
|
|
|
* Logging function for GSS.
|
2009-01-17 23:47:43 +00:00
|
|
|
*
|
2006-12-04 01:54:53 +00:00
|
|
|
* Requires
|
|
|
|
|
* 'level' is the log level to be used, as an integer
|
|
|
|
|
* 'fmt' is a printf format specifier
|
|
|
|
|
*/
|
2000-10-07 00:45:13 +00:00
|
|
|
|
2006-12-04 01:54:53 +00:00
|
|
|
char *
|
|
|
|
|
gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
|
|
|
|
|
char *buf, size_t buflen);
|
2000-10-07 00:45:13 +00:00
|
|
|
/*
|
2006-12-04 01:54:53 +00:00
|
|
|
* Render a GSS major status/minor status pair into a string
|
|
|
|
|
*
|
|
|
|
|
* Requires:
|
|
|
|
|
* 'major' is a GSS major status code
|
|
|
|
|
* 'minor' is a GSS minor status code
|
|
|
|
|
*
|
|
|
|
|
* Returns:
|
|
|
|
|
* A string containing the text representation of the error codes.
|
|
|
|
|
* Users should copy the string if they wish to keep it.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
isc_boolean_t
|
|
|
|
|
dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
|
|
|
|
|
dns_name_t *realm);
|
|
|
|
|
/*
|
|
|
|
|
* Compare a "signer" (in the format of a Kerberos-format Kerberos5
|
2009-01-17 13:33:29 +00:00
|
|
|
* principal: host/example.com@EXAMPLE.COM) to the realm name stored
|
2006-12-04 01:54:53 +00:00
|
|
|
* in "name" (which represents the realm name).
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
isc_boolean_t
|
|
|
|
|
dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
|
|
|
|
|
dns_name_t *realm);
|
|
|
|
|
/*
|
|
|
|
|
* Compare a "signer" (in the format of a Kerberos-format Kerberos5
|
2009-01-17 13:33:29 +00:00
|
|
|
* principal: host/example.com@EXAMPLE.COM) to the realm name stored
|
2006-12-04 01:54:53 +00:00
|
|
|
* in "name" (which represents the realm name).
|
|
|
|
|
*
|
2000-10-07 00:45:13 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
ISC_LANG_ENDDECLS
|
|
|
|
|
|
|
|
|
|
#endif /* DST_GSSAPI_H */
|
