/* $NetBSD: gssapi.h,v 1.5 2014/12/10 04:37:58 christos Exp $ */

/*
 * Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 2000, 2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* Id: gssapi.h,v 1.16 2011/01/08 23:47:01 tbox Exp */

#ifndef DST_GSSAPI_H
#define DST_GSSAPI_H 1

/*! \file dst/gssapi.h
 *
 * GSS-API glue for DST: acquiring and releasing credentials, driving the
 * initiator and acceptor sides of a security-context exchange, tearing a
 * context down, and the logging / error-string helpers used alongside them.
 * Only declarations live here; the comments below state the contract each
 * implementation is expected to honour.
 */

#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/platform.h>
#include <isc/types.h>
#include <dns/types.h>

#ifdef GSSAPI
#ifdef WIN32
/*
 * MSVC does not like macros in #include lines.
 */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#else
#include ISC_PLATFORM_GSSAPIHEADER
#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
#endif
#endif
#ifndef GSS_SPNEGO_MECHANISM
/*
 * Fallback for GSS-API implementations whose headers do not define the
 * SPNEGO mechanism OID.  It is a null OID pointer, not a usable mechanism;
 * presumably the implementation tests for this before requesting SPNEGO --
 * confirm against the implementation.
 */
#define GSS_SPNEGO_MECHANISM ((void*)0)
#endif
#endif

ISC_LANG_BEGINDECLS

/***
 *** Types
 ***/

/***
 *** Functions
 ***/

isc_result_t
dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
		       gss_cred_id_t *cred);
/*
 * Acquires GSS credentials for 'name'.
 *
 * Requires:
 *	'name' is a valid name, preferably one known by the GSS provider
 *	'initiate' indicates whether the credentials are for initiating or
 *	accepting contexts
 *	'cred' is a pointer to NULL, which will be allocated with the
 *	credential handle.  Call dst_gssapi_releasecred to free
 *	the memory.
 *
 * Returns:
 *	ISC_R_SUCCESS	credentials were acquired and stored in '*cred'
 *	other		an error occurred while acquiring the credentials
 */

isc_result_t
dst_gssapi_releasecred(gss_cred_id_t *cred);
/*
 * Releases GSS credentials.  Calling this function does release the
 * memory allocated for the credential in dst_gssapi_acquirecred().
 *
 * Requires:
 *	'cred' is a pointer to the credential to be released
 *
 * Returns:
 *	ISC_R_SUCCESS	credential was released successfully
 *	other		an error occurred while releasing
 *			the credential
 */

isc_result_t
dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
		   isc_mem_t *mctx, char **err_message);
/*
 * Initiates a GSS context: performs one initiator-side step of the
 * context-establishment exchange.
 *
 * Requires:
 *	'name' is a valid name, preferably one known by the GSS
 *	provider
 *	'intoken' is a token received from the acceptor, or NULL if
 *	there isn't one
 *	'outtoken' is a buffer to receive the token generated by
 *	gss_init_sec_context() to be sent to the acceptor
 *	'gssctx' is a pointer to a valid gss_ctx_id_t
 *	(which may have the value GSS_C_NO_CONTEXT)
 *	'mctx' is a valid memory context
 *	'err_message', if non-NULL, points to a char * that may be set to
 *	an error message on failure.  NOTE(review): who owns that string
 *	(presumably allocated from 'mctx') is not stated here -- confirm
 *	against the implementation before freeing it.
 *
 * Returns:
 *	ISC_R_SUCCESS	this step succeeded; 'outtoken' holds the token,
 *			if any, to send to the acceptor
 *	other		an error occurred (the implementation may also use
 *			a distinct result to request a further round-trip
 *			-- confirm against the implementation)
 *	*err_message	optional error message
 */

isc_result_t
dst_gssapi_acceptctx(gss_cred_id_t cred,
		     const char *gssapi_keytab,
		     isc_region_t *intoken, isc_buffer_t **outtoken,
		     gss_ctx_id_t *context, dns_name_t *principal,
		     isc_mem_t *mctx);
/*
 * Accepts a GSS context: performs one acceptor-side step of the
 * context-establishment exchange.
 *
 * Requires:
 *	'mctx' is a valid memory context
 *	'cred' is the acceptor's valid GSS credential handle
 *	'gssapi_keytab' identifies the keytab the acceptor uses.
 *	NOTE(review): whether NULL is permitted is not documented here --
 *	confirm against the implementation.
 *	'intoken' is a token received from the initiator
 *	'outtoken' is a pointer to a buffer pointer used to return the token
 *	generated by gss_accept_sec_context() to be sent to the
 *	initiator; on entry 'outtoken' != NULL && *outtoken == NULL
 *	'context' is a valid pointer to receive the generated context handle.
 *	On the initial call, it should be a pointer to NULL, which
 *	will be allocated as a gss_ctx_id_t.  Subsequent calls
 *	should pass in the handle generated on the first call.
 *	Call dst_gssapi_deletectx to delete the context and free
 *	the memory.
 *	'principal' receives the initiator's authenticated name.
 *	NOTE(review): inferred from the parameter name -- confirm.
 *
 * Returns:
 *	ISC_R_SUCCESS	this step succeeded; '*outtoken', when set, holds
 *			the token to send to the initiator
 *	other		an error occurred (the implementation may also use
 *			a distinct result to request a further round-trip
 *			-- confirm against the implementation)
 */

isc_result_t
dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
/*
 * Destroys a GSS context.  This function deletes the context from the GSS
 * provider and then frees the memory used by the context pointer.  It is
 * the teardown counterpart of dst_gssapi_initctx() / dst_gssapi_acceptctx().
 *
 * Requires:
 *	'mctx' is a valid memory context
 *	'gssctx' is a pointer to a valid GSS context
 *
 * Returns:
 *	ISC_R_SUCCESS
 */


void
gss_log(int level, const char *fmt, ...)
     ISC_FORMAT_PRINTF(2, 3);
/*
 * Logging function for GSS.  ISC_FORMAT_PRINTF(2, 3) lets the compiler
 * check the variadic arguments against 'fmt' as it does for printf(), so
 * 'fmt' should be a string literal under the caller's control, with any
 * external text passed as a %s argument.
 *
 * Requires:
 *	'level' is the log level to be used, as an integer
 *	'fmt' is a printf format specifier
 */

char *
gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
		   char *buf, size_t buflen);
/*
 * Render a GSS major status/minor status pair into a string.
 *
 * Requires:
 *	'major' is a GSS major status code
 *	'minor' is a GSS minor status code
 *	'buf' points to 'buflen' bytes of caller-owned storage; presumably
 *	'buflen' bounds everything written there, terminator included --
 *	confirm against the implementation.
 *
 * Returns:
 *	A string containing the text representation of the error codes.
 *	Users should copy the string if they wish to keep it.
 *	NOTE(review): that sentence suggests the returned pointer may not be
 *	'buf' itself; confirm which buffer it refers to and how long it
 *	stays valid.
 */

isc_boolean_t
dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
				    dns_name_t *realm);
/*
 * Compare a "signer" (in the format of a Kerberos5 principal:
 * host/example.com@EXAMPLE.COM) to the realm name stored
 * in "name" (which represents the realm name).
 *
 * NOTE(review): the prototype also takes 'realm', and this comment does not
 * distinguish the roles of 'name' and 'realm' -- confirm against the
 * implementation.  The result presumably decides whether 'signer' is
 * trusted for the realm, so both the match and the non-match cases need
 * coverage when this is changed.
 */

isc_boolean_t
dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
				  dns_name_t *realm);
/*
 * Compare a "signer" (in the format of a Kerberos5 principal:
 * host/example.com@EXAMPLE.COM) to the realm name stored
 * in "name" (which represents the realm name).  Variant of
 * dst_gssapi_identitymatchesrealmkrb5() for the "ms" principal form
 * (NOTE(review): the difference between the two is not documented here --
 * confirm against the implementation).
 *
 * NOTE(review): as for dst_gssapi_identitymatchesrealmkrb5(), the roles of
 * 'name' and 'realm' are not distinguished in this comment -- confirm.
 */

ISC_LANG_ENDDECLS

#endif /* DST_GSSAPI_H */