/*	$NetBSD: gssapi.h,v 1.5 2014/12/10 04:37:58 christos Exp $	*/

/*
 * Copyright (C) 2004-2007, 2009-2011, 2013  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000, 2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* Id: gssapi.h,v 1.16 2011/01/08 23:47:01 tbox Exp  */

#ifndef DST_GSSAPI_H
#define DST_GSSAPI_H 1

/*! \file dst/gssapi.h
 * \brief GSS-API credential and security-context helpers used by dst.
 *
 * Every GSS credential or context handle produced by the acquire/init/accept
 * functions below has a matching release/delete function in this file; the
 * pairing is documented on each declaration.
 */

#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/platform.h>
#include <isc/types.h>
#include <dns/types.h>

#ifdef GSSAPI
#ifdef WIN32
/*
 * MSVC does not like macros in #include lines.
 */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#else
#include ISC_PLATFORM_GSSAPIHEADER
#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
#endif
#endif
/*
 * Some GSS-API providers do not define GSS_SPNEGO_MECHANISM.  Fall back to a
 * null OID pointer so that references to it still compile; code that selects
 * the SPNEGO mechanism must therefore treat a NULL value as "not available"
 * rather than passing it to the provider.
 */
#ifndef GSS_SPNEGO_MECHANISM
#define GSS_SPNEGO_MECHANISM ((void*)0)
#endif
#endif

ISC_LANG_BEGINDECLS

/***
 *** Types
 ***/

/***
 *** Functions
 ***/

isc_result_t
dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
		       gss_cred_id_t *cred);
/*
 * Acquires GSS credentials.
 *
 * Requires:
 *	'name' is a valid name, preferably one known by the GSS provider
 *	'initiate' indicates whether the credentials are for initiating or
 *		accepting contexts
 *	'cred' is a pointer to NULL, which will be allocated with the
 *		credential handle.  Call dst_gssapi_releasecred to free
 *		the memory.
 *
 * Returns:
 *	ISC_R_SUCCESS	the credential handle was acquired and stored
 *			in *cred
 *	other		an error occurred while acquiring the credentials
 */

isc_result_t
dst_gssapi_releasecred(gss_cred_id_t *cred);
/*
 * Releases GSS credentials.  Calling this function does release the
 * memory allocated for the credential in dst_gssapi_acquirecred().
 *
 * Requires:
 *	'cred' is a pointer to the credential to be released
 *
 * Returns:
 *	ISC_R_SUCCESS	credential was released successfully
 *	other		an error occurred while releasing
 *			the credential
 */

isc_result_t
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
		   isc_mem_t *mctx, char **err_message);
/*
 * Initiates a GSS context.
 *
 * Requires:
 *	'name' is a valid name, preferably one known by the GSS
 *		provider
 *	'intoken' is a token received from the acceptor, or NULL if
 *		there isn't one
 *	'outtoken' is a buffer to receive the token generated by
 *		gss_init_sec_context() to be sent to the acceptor
 *	'gssctx' is a pointer to a valid gss_ctx_id_t
 *		(which may have the value GSS_C_NO_CONTEXT)
 *	'mctx' is a valid memory context
 *	'err_message' points to where an optional error message may be
 *		returned (see Returns).  NOTE(review): ownership of
 *		*err_message, and whether it is allocated from 'mctx',
 *		is not documented here -- confirm before freeing it.
 *
 * Returns:
 *	ISC_R_SUCCESS	the initiation step succeeded
 *	other		an error occurred while initiating the context
 *	*err_message	optional error message
 *
 * NOTE(review): the result-code text in the original comment was copied
 * from an unrelated message-building routine; the codes returned for a
 * multi-round exchange (context not yet complete) are not documented
 * here -- confirm against the implementation.
 */

isc_result_t
dst_gssapi_acceptctx(gss_cred_id_t cred,
		     const char *gssapi_keytab,
		     isc_region_t *intoken, isc_buffer_t **outtoken,
		     gss_ctx_id_t *context, dns_name_t *principal,
		     isc_mem_t *mctx);
/*
 * Accepts a GSS context.
 *
 * Requires:
 *	'mctx' is a valid memory context
 *	'cred' is the acceptor's valid GSS credential handle
 *	'gssapi_keytab' names the keytab available to the acceptor.
 *		NOTE(review): not described in the original comment;
 *		confirm its exact use against the implementation.
 *	'intoken' is a token received from the initiator
 *	'outtoken' is a pointer to a buffer pointer used to return the
 *		token generated by gss_accept_sec_context() to be sent
 *		to the initiator; 'outtoken' != NULL && *outtoken == NULL
 *	'context' is a valid pointer to receive the generated context handle.
 *		On the initial call, it should be a pointer to NULL, which
 *		will be allocated as a gss_ctx_id_t.  Subsequent calls
 *		should pass in the handle generated on the first call.
 *		Call dst_gssapi_deletectx to delete the context and free
 *		the memory.
 *	'principal' presumably receives the initiator's principal name.
 *		NOTE(review): not described in the original comment;
 *		confirm against the implementation.
 *
 * Returns:
 *	ISC_R_SUCCESS	the acceptance step succeeded
 *	other		an error occurred while accepting the context
 */

isc_result_t
dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
/*
 * Destroys a GSS context.  This function deletes the context from the GSS
 * provider and then frees the memory used by the context pointer.
 *
 * Requires:
 *	'mctx' is a valid memory context
 *	'gssctx' points to a valid GSS context
 *
 * Returns:
 *	ISC_R_SUCCESS
 */


void
gss_log(int level, const char *fmt, ...)
ISC_FORMAT_PRINTF(2, 3);
/*
 * Logging function for GSS.
 *
 * Requires:
 *	'level' is the log level to be used, as an integer
 *	'fmt' is a printf format specifier; the variable arguments must
 *		match it (checked by ISC_FORMAT_PRINTF(2, 3)).  Never pass
 *		externally supplied text as 'fmt'; pass it as an argument
 *		to a "%s" conversion instead.
 */

char *
gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
		   char *buf, size_t buflen);
/*
 * Render a GSS major status/minor status pair into a string
 *
 * Requires:
 *	'major' is a GSS major status code
 *	'minor' is a GSS minor status code
 *	'buf' is a caller-supplied buffer of 'buflen' bytes into which
 *		the text is rendered
 *
 * Returns:
 *	A string containing the text representation of the error codes.
 *	Users should copy the string if they wish to keep it.
 *	NOTE(review): whether the returned pointer is always 'buf' is not
 *	stated here -- confirm before relying on it.
 */

isc_boolean_t
dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
				    dns_name_t *realm);
/*
 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
 * principal: host/example.com@EXAMPLE.COM) to the realm name stored
 * in "name" (which represents the realm name).
 *
 * NOTE(review): the 'realm' parameter is not described in the original
 * comment; confirm its role against the implementation.
 *
 * Returns:
 *	an isc_boolean_t indicating whether the signer matches
 */

isc_boolean_t
dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
				  dns_name_t *realm);
/*
 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
 * principal: host/example.com@EXAMPLE.COM) to the realm name stored
 * in "name" (which represents the realm name).
 *
 * NOTE(review): the original comment is a verbatim copy of the one on
 * dst_gssapi_identitymatchesrealmkrb5(); the "ms" suffix suggests this
 * variant handles the Microsoft principal form, but the difference is
 * not documented here -- confirm against the implementation.  The
 * 'realm' parameter is likewise not described.
 *
 * Returns:
 *	an isc_boolean_t indicating whether the signer matches
 */

ISC_LANG_ENDDECLS

#endif /* DST_GSSAPI_H */