/*
2
* Copyright 2008 by the Massachusetts Institute of Technology.
3
* All Rights Reserved.
4
*
5
* Export of this software from the United States of America may
6
* require a specific license from the United States Government.
7
* It is the responsibility of any person or organization contemplating
8
* export to obtain such a license before exporting.
9
*
10
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
11
* distribute this software and its documentation for any purpose and
12
* without fee is hereby granted, provided that the above copyright
13
* notice appear in all copies and that both that copyright notice and
14
* this permission notice appear in supporting documentation, and that
15
* the name of M.I.T. not be used in advertising or publicity pertaining
16
* to distribution of the software without specific, written prior
17
* permission. Furthermore if you modify this software you must label
18
* your software as modified software and not distribute it in such a
19
* fashion that it might be confused with the original M.I.T. software.
20
* M.I.T. makes no representations about the suitability of
21
* this software for any purpose. It is provided "as is" without express
22
* or implied warranty.
23
*/
24
25
#ifndef GSSAPI_EXT_H_
26
#define GSSAPI_EXT_H_
27
28
#include <gssapi/gssapi.h>
29
30
#ifdef __cplusplus
31
extern "C" {
32
#endif /* __cplusplus */
33
34
/*
35
* Solaris extensions
36
*/
37
#ifndef _WIN32
38
OM_uint32 KRB5_CALLCONV
39
gss_pname_to_uid
40
(OM_uint32 *minor,
41
const gss_name_t name,
42
const gss_OID mech_type,
43
uid_t *uidOut);
44
#endif
45
46
/**
47
* Provides a platform-specific name for a GSSAPI name as interpreted by a
48
* given mechanism.
49
*
50
* @param [out] minor Minor status code
51
* @param [in] name The gss name resulting from accept_sec_context
52
* @param [in] mech_type The mechanism that will be asked to map @a name to a
53
* local name
54
* @param [out] localname Caller-allocated buffer to be filled in with the
55
* local name on success
56
*/
57
OM_uint32 KRB5_CALLCONV
58
gss_localname
59
(OM_uint32 *minor,
60
const gss_name_t name,
61
gss_const_OID mech_type,
62
gss_buffer_t localname);
63
64
/**
65
* Determine whether a mechanism name is authorized to act as a username.
66
*
67
* @param [in] name Mechanism name
68
* @param [in] username System username
69
*
70
* This is a simple wrapper around gss_authorize_localname(). It only supports
71
* system usernames as local names, and cannot distinguish between lack of
72
* authorization and other errors.
73
*
74
* @retval 1 @a name is authorized to act as @a username
75
* @retval 0 @a name is not authorized or an error occurred
76
*/
77
int KRB5_CALLCONV
78
gss_userok(const gss_name_t name,
79
const char *username);
80
81
/**
82
* Determine whether a mechanism name is authorized to act as a local name.
83
*
84
* @param [out] minor Minor status code
85
* @param [in] name Mechanism name
86
* @param [in] user Local name
87
*
88
* @a name is a mechanism name, typically the result of a completed
89
* gss_accept_sec_context(). @a user is an internal name representing a local
90
* name, such as a name imported by gss_import_name() with an @a
91
* input_name_type of @c GSS_C_NT_USER_NAME.
92
*
93
* @return Return GSS_S_COMPLETE if @a name is authorized to act as @a user,
94
* GSS_S_UNAUTHORIZED if not, or an appropriate GSS error code if an error
95
* occurred.
96
*
97
* @sa gss_userok
98
*/
99
OM_uint32 KRB5_CALLCONV
100
gss_authorize_localname(OM_uint32 *minor,
101
const gss_name_t name,
102
const gss_name_t user);
103
104
OM_uint32 KRB5_CALLCONV
105
gss_acquire_cred_with_password(
106
OM_uint32 *, /* minor_status */
107
const gss_name_t, /* desired_name */
108
const gss_buffer_t, /* password */
109
OM_uint32, /* time_req */
110
const gss_OID_set, /* desired_mechs */
111
gss_cred_usage_t, /* cred_usage */
112
gss_cred_id_t *, /* output_cred_handle */
113
gss_OID_set *, /* actual_mechs */
114
OM_uint32 *); /* time_rec */
115
116
OM_uint32 KRB5_CALLCONV
117
gss_add_cred_with_password(
118
OM_uint32 *, /* minor_status */
119
const gss_cred_id_t,/* input_cred_handle */
120
const gss_name_t, /* desired_name */
121
const gss_OID, /* desired_mech */
122
const gss_buffer_t, /* password */
123
gss_cred_usage_t, /* cred_usage */
124
OM_uint32, /* initiator_time_req */
125
OM_uint32, /* acceptor_time_req */
126
gss_cred_id_t *, /* output_cred_handle */
127
gss_OID_set *, /* actual_mechs */
128
OM_uint32 *, /* initiator_time_rec */
129
OM_uint32 *); /* acceptor_time_rec */
130
131
/*
132
* GGF extensions
133
*/
134
/*
 * A counted array of GSS-API buffers.  Built with
 * gss_create_empty_buffer_set() / gss_add_buffer_set_member(), handed back
 * through the gss_inquire_*_by_oid() calls below, and released as a whole
 * with gss_release_buffer_set().
 */
typedef struct gss_buffer_set_desc_struct {
    size_t count;               /* number of entries in elements */
    gss_buffer_desc *elements;  /* array of count buffer descriptors */
} gss_buffer_set_desc, *gss_buffer_set_t;
138
139
#define GSS_C_NO_BUFFER_SET ((gss_buffer_set_t) 0)
140
141
OM_uint32 KRB5_CALLCONV gss_create_empty_buffer_set
142
(OM_uint32 * /*minor_status*/,
143
gss_buffer_set_t * /*buffer_set*/);
144
145
OM_uint32 KRB5_CALLCONV gss_add_buffer_set_member
146
(OM_uint32 * /*minor_status*/,
147
const gss_buffer_t /*member_buffer*/,
148
gss_buffer_set_t * /*buffer_set*/);
149
150
OM_uint32 KRB5_CALLCONV gss_release_buffer_set
151
(OM_uint32 * /*minor_status*/,
152
gss_buffer_set_t * /*buffer_set*/);
153
154
OM_uint32 KRB5_CALLCONV gss_inquire_sec_context_by_oid
155
(OM_uint32 * /*minor_status*/,
156
const gss_ctx_id_t /*context_handle*/,
157
const gss_OID /*desired_object*/,
158
gss_buffer_set_t * /*data_set*/);
159
160
OM_uint32 KRB5_CALLCONV gss_inquire_cred_by_oid
161
(OM_uint32 * /*minor_status*/,
162
const gss_cred_id_t /*cred_handle*/,
163
const gss_OID /*desired_object*/,
164
gss_buffer_set_t * /*data_set*/);
165
166
OM_uint32 KRB5_CALLCONV gss_set_sec_context_option
167
(OM_uint32 * /*minor_status*/,
168
gss_ctx_id_t * /*context_handle*/,
169
const gss_OID /*desired_object*/,
170
const gss_buffer_t /*value*/);
171
172
/*
173
* Export import cred extensions from GGF, but using Heimdal's signatures
174
*/
175
OM_uint32 KRB5_CALLCONV gss_export_cred
176
(OM_uint32 * /* minor_status */,
177
gss_cred_id_t /* cred_handle */,
178
gss_buffer_t /* token */);
179
180
OM_uint32 KRB5_CALLCONV gss_import_cred
181
(OM_uint32 * /* minor_status */,
182
gss_buffer_t /* token */,
183
gss_cred_id_t * /* cred_handle */);
184
185
/*
186
* Heimdal extension
187
*/
188
OM_uint32 KRB5_CALLCONV gss_set_cred_option
189
(OM_uint32 * /*minor_status*/,
190
gss_cred_id_t * /*cred*/,
191
const gss_OID /*desired_object*/,
192
const gss_buffer_t /*value*/);
193
194
/*
195
* Call the given method on the given mechanism
196
*/
197
OM_uint32 KRB5_CALLCONV gssspi_mech_invoke
198
(OM_uint32 * /*minor_status*/,
199
const gss_OID /*desired_mech*/,
200
const gss_OID /*desired_object*/,
201
gss_buffer_t /*value*/);
202
203
/*
204
* AEAD extensions
205
*/
206
207
OM_uint32 KRB5_CALLCONV gss_wrap_aead
208
(OM_uint32 * /*minor_status*/,
209
gss_ctx_id_t /*context_handle*/,
210
int /*conf_req_flag*/,
211
gss_qop_t /*qop_req*/,
212
gss_buffer_t /*input_assoc_buffer*/,
213
gss_buffer_t /*input_payload_buffer*/,
214
int * /*conf_state*/,
215
gss_buffer_t /*output_message_buffer*/);
216
217
OM_uint32 KRB5_CALLCONV gss_unwrap_aead
218
(OM_uint32 * /*minor_status*/,
219
gss_ctx_id_t /*context_handle*/,
220
gss_buffer_t /*input_message_buffer*/,
221
gss_buffer_t /*input_assoc_buffer*/,
222
gss_buffer_t /*output_payload_buffer*/,
223
int * /*conf_state*/,
224
gss_qop_t * /*qop_state*/);
225
226
/*
227
* SSPI extensions
228
*/
229
#define GSS_C_DCE_STYLE 0x1000
230
#define GSS_C_IDENTIFY_FLAG 0x2000
231
#define GSS_C_EXTENDED_ERROR_FLAG 0x4000
232
233
/*
234
* Returns a buffer set with the first member containing the
235
* session key for SSPI compatibility. The optional second
236
* member contains an OID identifying the session key type.
237
*/
238
GSS_DLLIMP extern gss_OID GSS_C_INQ_SSPI_SESSION_KEY;
239
240
/*
241
* Returns a buffer set with the first member containing the ticket session key
242
* for ODBC compatibility. The optional second member contains an OID
243
* identifying the session key type.
244
*/
245
GSS_DLLIMP extern gss_OID GSS_C_INQ_ODBC_SESSION_KEY;
246
247
GSS_DLLIMP extern gss_OID GSS_C_INQ_NEGOEX_KEY;
248
GSS_DLLIMP extern gss_OID GSS_C_INQ_NEGOEX_VERIFY_KEY;
249
250
OM_uint32 KRB5_CALLCONV gss_complete_auth_token
251
(OM_uint32 *minor_status,
252
const gss_ctx_id_t context_handle,
253
gss_buffer_t input_message_buffer);
254
255
/*
 * One element of the IOV passed to the gss_*_iov() calls.  The low 16 bits
 * of type hold a GSS_IOV_BUFFER_TYPE_* value and the high 16 bits hold
 * GSS_IOV_BUFFER_FLAG_* bits (GSS_IOV_BUFFER_FLAG_MASK); use
 * GSS_IOV_BUFFER_TYPE() and GSS_IOV_BUFFER_FLAGS() to split them.  A buffer
 * carrying GSS_IOV_BUFFER_FLAG_ALLOCATED was allocated by the library and is
 * freed with gss_release_iov_buffer().
 */
typedef struct gss_iov_buffer_desc_struct {
    OM_uint32 type;             /* GSS_IOV_BUFFER_TYPE_* | GSS_IOV_BUFFER_FLAG_* */
    gss_buffer_desc buffer;     /* the data region this element describes */
} gss_iov_buffer_desc, *gss_iov_buffer_t;
259
260
#define GSS_C_NO_IOV_BUFFER ((gss_iov_buffer_t)0)
261
262
#define GSS_IOV_BUFFER_TYPE_EMPTY 0
263
#define GSS_IOV_BUFFER_TYPE_DATA 1 /* Packet data */
264
#define GSS_IOV_BUFFER_TYPE_HEADER 2 /* Mechanism header */
265
#define GSS_IOV_BUFFER_TYPE_MECH_PARAMS 3 /* Mechanism specific parameters */
266
#define GSS_IOV_BUFFER_TYPE_TRAILER 7 /* Mechanism trailer */
267
#define GSS_IOV_BUFFER_TYPE_PADDING 9 /* Padding */
268
#define GSS_IOV_BUFFER_TYPE_STREAM 10 /* Complete wrap token */
269
#define GSS_IOV_BUFFER_TYPE_SIGN_ONLY 11 /* Sign only packet data */
270
#define GSS_IOV_BUFFER_TYPE_MIC_TOKEN 12 /* MIC token destination */
271
272
#define GSS_IOV_BUFFER_FLAG_MASK 0xFFFF0000
273
#define GSS_IOV_BUFFER_FLAG_ALLOCATE 0x00010000 /* indicates GSS should allocate */
274
#define GSS_IOV_BUFFER_FLAG_ALLOCATED 0x00020000 /* indicates caller should free */
275
276
#define GSS_IOV_BUFFER_TYPE(_type) ((_type) & ~(GSS_IOV_BUFFER_FLAG_MASK))
277
#define GSS_IOV_BUFFER_FLAGS(_type) ((_type) & GSS_IOV_BUFFER_FLAG_MASK)
278
279
/*
280
* Sign and optionally encrypt a sequence of buffers. The buffers
281
* shall be ordered HEADER | DATA | PADDING | TRAILER. Suitable
282
* space for the header, padding and trailer should be provided
283
* by calling gss_wrap_iov_length(), or the ALLOCATE flag should
284
* be set on those buffers.
285
*
286
* Encryption is in-place. SIGN_ONLY buffers are untouched. Only
287
* a single PADDING buffer should be provided. The order of the
288
* buffers in memory does not matter. Buffers in the IOV should
289
* be arranged in the order above, and in the case of multiple
290
* DATA buffers the sender and receiver should agree on the
291
* order.
292
*
293
* With GSS_C_DCE_STYLE it is acceptable to not provide PADDING
294
* and TRAILER, but the caller must guarantee the plaintext data
295
* being encrypted is correctly padded, otherwise an error will
296
* be returned.
297
*
298
* While applications that have knowledge of the underlying
299
* cryptosystem may request a specific configuration of data
300
* buffers, the only generally supported configurations are:
301
*
302
* HEADER | DATA | PADDING | TRAILER
303
*
304
* which will emit GSS_Wrap() compatible tokens, and:
305
*
306
* HEADER | SIGN_ONLY | DATA | PADDING | TRAILER
307
*
308
* for AEAD.
309
*
310
* The typical (special cased) usage for DCE is as follows:
311
*
312
* SIGN_ONLY_1 | DATA | SIGN_ONLY_2 | HEADER
313
*/
314
OM_uint32 KRB5_CALLCONV gss_wrap_iov
315
(
316
OM_uint32 *, /* minor_status */
317
gss_ctx_id_t, /* context_handle */
318
int, /* conf_req_flag */
319
gss_qop_t, /* qop_req */
320
int *, /* conf_state */
321
gss_iov_buffer_desc *, /* iov */
322
int); /* iov_count */
323
324
/*
325
* Verify and optionally decrypt a sequence of buffers. To process
* a GSS-API message held in a single contiguous buffer, pass STREAM | DATA.
327
* Upon return DATA will contain the decrypted or integrity
328
* protected message. Only a single DATA buffer may be provided
329
* with this usage. DATA by default will point into STREAM, but if
330
* the ALLOCATE flag is set a copy will be returned.
331
*
332
* Otherwise, decryption is in-place. SIGN_ONLY buffers are
333
* untouched.
334
*/
335
OM_uint32 KRB5_CALLCONV gss_unwrap_iov
336
(
337
OM_uint32 *, /* minor_status */
338
gss_ctx_id_t, /* context_handle */
339
int *, /* conf_state */
340
gss_qop_t *, /* qop_state */
341
gss_iov_buffer_desc *, /* iov */
342
int); /* iov_count */
343
344
/*
345
* Query HEADER, PADDING and TRAILER buffer lengths. DATA buffers
346
* should be provided so the correct padding length can be determined.
347
*/
348
OM_uint32 KRB5_CALLCONV gss_wrap_iov_length
349
(
350
OM_uint32 *, /* minor_status */
351
gss_ctx_id_t, /* context_handle */
352
int, /* conf_req_flag */
353
gss_qop_t, /* qop_req */
354
int *, /* conf_state */
355
gss_iov_buffer_desc *, /* iov */
356
int); /* iov_count */
357
358
/*
359
* Produce a GSSAPI MIC token for a sequence of buffers. All SIGN_ONLY and
360
* DATA buffers will be signed, in the order they appear. One MIC_TOKEN buffer
361
* must be included for the result. Suitable space should be provided for the
362
* MIC_TOKEN buffer by calling gss_get_mic_iov_length, or the ALLOCATE flag
363
* should be set on that buffer. If the ALLOCATE flag is used, use
364
* gss_release_iov_buffer to free the allocated buffer within the iov list when
365
* it is no longer needed.
366
*/
367
OM_uint32 KRB5_CALLCONV gss_get_mic_iov
368
(
369
OM_uint32 *, /* minor_status */
370
gss_ctx_id_t, /* context_handle */
371
gss_qop_t, /* qop_req */
372
gss_iov_buffer_desc *, /* iov */
373
int); /* iov_count */
374
375
/*
376
* Query the MIC_TOKEN buffer length within the iov list.
377
*/
378
OM_uint32 KRB5_CALLCONV gss_get_mic_iov_length(
379
OM_uint32 *, /* minor_status */
380
gss_ctx_id_t, /* context_handle */
381
gss_qop_t, /* qop_req */
382
gss_iov_buffer_desc *, /* iov */
383
int); /* iov_count */
384
385
/*
386
* Verify the MIC_TOKEN buffer within the iov list against the SIGN_ONLY and
387
* DATA buffers in the order they appear. Return values are the same as for
388
* gss_verify_mic.
389
*/
390
OM_uint32 KRB5_CALLCONV gss_verify_mic_iov
391
(
392
OM_uint32 *, /* minor_status */
393
gss_ctx_id_t, /* context_handle */
394
gss_qop_t *, /* qop_state */
395
gss_iov_buffer_desc *, /* iov */
396
int); /* iov_count */
397
398
/*
399
* Release buffers that have the ALLOCATED flag set.
400
*/
401
OM_uint32 KRB5_CALLCONV gss_release_iov_buffer
402
(
403
OM_uint32 *, /* minor_status */
404
gss_iov_buffer_desc *, /* iov */
405
int); /* iov_count */
406
407
/*
408
* Protocol transition
409
*/
410
OM_uint32 KRB5_CALLCONV
411
gss_acquire_cred_impersonate_name(
412
OM_uint32 *, /* minor_status */
413
const gss_cred_id_t, /* impersonator_cred_handle */
414
const gss_name_t, /* desired_name */
415
OM_uint32, /* time_req */
416
const gss_OID_set, /* desired_mechs */
417
gss_cred_usage_t, /* cred_usage */
418
gss_cred_id_t *, /* output_cred_handle */
419
gss_OID_set *, /* actual_mechs */
420
OM_uint32 *); /* time_rec */
421
422
OM_uint32 KRB5_CALLCONV
423
gss_add_cred_impersonate_name(
424
OM_uint32 *, /* minor_status */
425
gss_cred_id_t, /* input_cred_handle */
426
const gss_cred_id_t, /* impersonator_cred_handle */
427
const gss_name_t, /* desired_name */
428
const gss_OID, /* desired_mech */
429
gss_cred_usage_t, /* cred_usage */
430
OM_uint32, /* initiator_time_req */
431
OM_uint32, /* acceptor_time_req */
432
gss_cred_id_t *, /* output_cred_handle */
433
gss_OID_set *, /* actual_mechs */
434
OM_uint32 *, /* initiator_time_rec */
435
OM_uint32 *); /* acceptor_time_rec */
436
437
/*
438
* Naming extensions
439
*/
440
GSS_DLLIMP extern gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
441
GSS_DLLIMP extern gss_OID GSS_C_NT_COMPOSITE_EXPORT;
442
443
OM_uint32 KRB5_CALLCONV gss_display_name_ext
444
(
445
OM_uint32 *, /* minor_status */
446
gss_name_t, /* name */
447
gss_OID, /* display_as_name_type */
448
gss_buffer_t /* display_name */
449
);
450
451
OM_uint32 KRB5_CALLCONV gss_inquire_name
452
(
453
OM_uint32 *, /* minor_status */
454
gss_name_t, /* name */
455
int *, /* name_is_MN */
456
gss_OID *, /* MN_mech */
457
gss_buffer_set_t * /* attrs */
458
);
459
460
OM_uint32 KRB5_CALLCONV gss_get_name_attribute
461
(
462
OM_uint32 *, /* minor_status */
463
gss_name_t, /* name */
464
gss_buffer_t, /* attr */
465
int *, /* authenticated */
466
int *, /* complete */
467
gss_buffer_t, /* value */
468
gss_buffer_t, /* display_value */
469
int * /* more */
470
);
471
472
OM_uint32 KRB5_CALLCONV gss_set_name_attribute
473
(
474
OM_uint32 *, /* minor_status */
475
gss_name_t, /* name */
476
int, /* complete */
477
gss_buffer_t, /* attr */
478
gss_buffer_t /* value */
479
);
480
481
OM_uint32 KRB5_CALLCONV gss_delete_name_attribute
482
(
483
OM_uint32 *, /* minor_status */
484
gss_name_t, /* name */
485
gss_buffer_t /* attr */
486
);
487
488
OM_uint32 KRB5_CALLCONV gss_export_name_composite
489
(
490
OM_uint32 *, /* minor_status */
491
gss_name_t, /* name */
492
gss_buffer_t /* exp_composite_name */
493
);
494
495
typedef struct gss_any *gss_any_t;
496
497
OM_uint32 KRB5_CALLCONV gss_map_name_to_any
498
(
499
OM_uint32 *, /* minor_status */
500
gss_name_t, /* name */
501
int, /* authenticated */
502
gss_buffer_t, /* type_id */
503
gss_any_t * /* output */
504
);
505
506
OM_uint32 KRB5_CALLCONV gss_release_any_name_mapping
507
(
508
OM_uint32 *, /* minor_status */
509
gss_name_t, /* name */
510
gss_buffer_t, /* type_id */
511
gss_any_t * /* input */
512
);
513
514
/* draft-josefsson-gss-capsulate */
515
OM_uint32 KRB5_CALLCONV gss_encapsulate_token
516
(
517
gss_const_buffer_t, /* input_token */
518
gss_const_OID, /* token_oid */
519
gss_buffer_t /* output_token */
520
);
521
522
OM_uint32 KRB5_CALLCONV gss_decapsulate_token
523
(
524
gss_const_buffer_t, /* input_token */
525
gss_const_OID, /* token_oid */
526
gss_buffer_t /* output_token */
527
);
528
529
int KRB5_CALLCONV gss_oid_equal
530
(
531
gss_const_OID, /* first_oid */
532
gss_const_OID /* second_oid */
533
);
534
535
/* Credential store extensions */
536
537
/*
 * One key/value pair of a credential store (see gss_acquire_cred_from() and
 * the other *_from / *_into calls below).  Both members are C strings.
 * NOTE(review): nothing here states who owns the strings -- presumably the
 * caller that builds the set; confirm against the callers.
 */
struct gss_key_value_element_struct {
    const char *key;
    const char *value;
};
typedef struct gss_key_value_element_struct gss_key_value_element_desc;
542
543
/*
 * A credential store: a counted array of key/value elements.  Passed by
 * const pointer (gss_const_key_value_set_t) to gss_acquire_cred_from(),
 * gss_add_cred_from() and gss_store_cred_into(); GSS_C_NO_CRED_STORE stands
 * for "no store".
 */
struct gss_key_value_set_struct {
    OM_uint32 count;                        /* number of entries in elements */
    gss_key_value_element_desc *elements;   /* array of count elements */
};
typedef struct gss_key_value_set_struct gss_key_value_set_desc;
typedef const gss_key_value_set_desc *gss_const_key_value_set_t;
549
550
#define GSS_C_NO_CRED_STORE ((gss_const_key_value_set_t) 0)
551
552
OM_uint32 KRB5_CALLCONV
553
gss_acquire_cred_from(
554
OM_uint32 *, /* minor_status */
555
gss_name_t, /* desired_name */
556
OM_uint32, /* time_req */
557
gss_OID_set, /* desired_mechs */
558
gss_cred_usage_t, /* cred_usage */
559
gss_const_key_value_set_t, /* cred_store */
560
gss_cred_id_t *, /* output_cred_handle */
561
gss_OID_set *, /* actual_mechs */
562
OM_uint32 *); /* time_rec */
563
564
OM_uint32 KRB5_CALLCONV
565
gss_add_cred_from(
566
OM_uint32 *, /* minor_status */
567
gss_cred_id_t, /* input_cred_handle */
568
gss_name_t, /* desired_name */
569
gss_OID, /* desired_mech */
570
gss_cred_usage_t, /* cred_usage */
571
OM_uint32, /* initiator_time_req */
572
OM_uint32, /* acceptor_time_req */
573
gss_const_key_value_set_t, /* cred_store */
574
gss_cred_id_t *, /* output_cred_handle */
575
gss_OID_set *, /* actual_mechs */
576
OM_uint32 *, /* initiator_time_rec */
577
OM_uint32 *); /* acceptor_time_rec */
578
579
OM_uint32 KRB5_CALLCONV
580
gss_store_cred_into(
581
OM_uint32 *, /* minor_status */
582
gss_cred_id_t, /* input_cred_handle */
583
gss_cred_usage_t, /* input_usage */
584
gss_OID, /* desired_mech */
585
OM_uint32, /* overwrite_cred */
586
OM_uint32, /* default_cred */
587
gss_const_key_value_set_t, /* cred_store */
588
gss_OID_set *, /* elements_stored */
589
gss_cred_usage_t *); /* cred_usage_stored */
590
591
/*
592
* A mech can make itself negotiable via NegoEx (draft-zhu-negoex) by
593
* implementing the following three SPIs, and also implementing
594
* gss_inquire_sec_context_by_oid() and answering the GSS_C_INQ_NEGOEX_KEY and
595
* GSS_C_INQ_NEGOEX_VERIFY_KEY OIDs. The answer must be in two buffers: the
596
* first contains the key contents, and the second contains the key enctype as
597
* a four-byte little-endian integer.
598
*
599
* By default, NegoEx mechanisms will not be directly negotiated via SPNEGO.
600
* If direct SPNEGO negotiation is required for interoperability, implement
601
* gss_inquire_attrs_for_mech() and assert the GSS_C_MA_NEGOEX_AND_SPNEGO
602
* attribute (along with any applicable RFC 5587 attributes).
603
*/
604
605
#define GSS_C_CHANNEL_BOUND_FLAG 2048 /* 0x00000800 */
606
607
OM_uint32 KRB5_CALLCONV
608
gssspi_query_meta_data(
609
OM_uint32 *minor_status,
610
gss_const_OID mech_oid,
611
gss_cred_id_t cred_handle,
612
gss_ctx_id_t *context_handle,
613
const gss_name_t targ_name,
614
OM_uint32 req_flags,
615
gss_buffer_t meta_data);
616
617
OM_uint32 KRB5_CALLCONV
618
gssspi_exchange_meta_data(
619
OM_uint32 *minor_status,
620
gss_const_OID mech_oid,
621
gss_cred_id_t cred_handle,
622
gss_ctx_id_t *context_handle,
623
const gss_name_t targ_name,
624
OM_uint32 req_flags,
625
gss_const_buffer_t meta_data);
626
627
OM_uint32 KRB5_CALLCONV
628
gssspi_query_mechanism_info(
629
OM_uint32 *minor_status,
630
gss_const_OID mech_oid,
631
unsigned char auth_scheme[16]);
632
633
GSS_DLLIMP extern gss_const_OID GSS_C_MA_NEGOEX_AND_SPNEGO;
634
635
#ifdef __cplusplus
636
}
637
#endif
638
639
/*
640
* When used with gss_inquire_sec_context_by_oid(), return a buffer set with
641
* the first member containing an unsigned 32-bit integer in network byte
642
* order. This is the Security Strength Factor (SSF) associated with the
643
* secure channel established by the security context. NOTE: This value is
644
* made available solely as an indication for use by APIs like Cyrus SASL that
645
* classify the strength of a secure channel via this number. The strength of
646
* a channel cannot necessarily be represented by a simple number.
647
*/
648
GSS_DLLIMP extern gss_OID GSS_C_SEC_CONTEXT_SASL_SSF;
649
650
#endif /* GSSAPI_EXT_H_ */