2 * Copyright (C) 2004-2007, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: gssapi.h,v 1.16 2011-01-08 23:47:01 tbox Exp $ */
21 #define DST_GSSAPI_H 1
23 /*! \file dst/gssapi.h */
25 #include <isc/formatcheck.h>
27 #include <isc/platform.h>
28 #include <isc/types.h>
29 #include <dns/types.h>
34 * MSVC does not like macros in #include lines.
36 #include <gssapi/gssapi.h>
37 #include <gssapi/gssapi_krb5.h>
39 #include ISC_PLATFORM_GSSAPIHEADER
40 #ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
41 #include ISC_PLATFORM_GSSAPI_KRB5_HEADER
44 #ifndef GSS_SPNEGO_MECHANISM
45 #define GSS_SPNEGO_MECHANISM ((void*)0)
60 dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
63 * Acquires GSS credentials.
66 * 'name' is a valid name, preferably one known by the GSS provider
67 * 'initiate' indicates whether the credentials are for initiating or
69 * 'cred' is a pointer to NULL, which will be allocated with the
70 * credential handle. Call dst_gssapi_releasecred to free
74 * ISC_R_SUCCESS msg was successfully updated to include the
76 * other an error occurred while building the message
80 dst_gssapi_releasecred(gss_cred_id_t *cred);
82 * Releases GSS credentials. Calling this function does release the
83 * memory allocated for the credential in dst_gssapi_acquirecred()
86 * 'mctx' is a valid memory context
87 * 'cred' is a pointer to the credential to be released
90 * ISC_R_SUCCESS credential was released successfully
91 * other an error occurred while releaseing
96 dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
97 isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
98 isc_mem_t *mctx, char **err_message);
100 * Initiates a GSS context.
103 * 'name' is a valid name, preferably one known by the GSS
105 * 'intoken' is a token received from the acceptor, or NULL if
107 * 'outtoken' is a buffer to receive the token generated by
108 * gss_init_sec_context() to be sent to the acceptor
109 * 'context' is a pointer to a valid gss_ctx_id_t
110 * (which may have the value GSS_C_NO_CONTEXT)
113 * ISC_R_SUCCESS msg was successfully updated to include the
115 * other an error occurred while building the message
116 * *err_message optional error message
120 dst_gssapi_acceptctx(gss_cred_id_t cred,
121 const char *gssapi_keytab,
122 isc_region_t *intoken, isc_buffer_t **outtoken,
123 gss_ctx_id_t *context, dns_name_t *principal,
126 * Accepts a GSS context.
129 * 'mctx' is a valid memory context
130 * 'cred' is the acceptor's valid GSS credential handle
131 * 'intoken' is a token received from the initiator
132 * 'outtoken' is a pointer a buffer pointer used to return the token
133 * generated by gss_accept_sec_context() to be sent to the
135 * 'context' is a valid pointer to receive the generated context handle.
136 * On the initial call, it should be a pointer to NULL, which
137 * will be allocated as a gss_ctx_id_t. Subsequent calls
138 * should pass in the handle generated on the first call.
139 * Call dst_gssapi_releasecred to delete the context and free
143 * 'outtoken' to != NULL && *outtoken == NULL.
146 * ISC_R_SUCCESS msg was successfully updated to include the
148 * other an error occurred while building the message
152 dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
154 * Destroys a GSS context. This function deletes the context from the GSS
155 * provider and then frees the memory used by the context pointer.
158 * 'mctx' is a valid memory context
159 * 'context' is a valid GSS context
167 gss_log(int level, const char *fmt, ...)
168 ISC_FORMAT_PRINTF(2, 3);
170 * Logging function for GSS.
173 * 'level' is the log level to be used, as an integer
174 * 'fmt' is a printf format specifier
178 gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
179 char *buf, size_t buflen);
181 * Render a GSS major status/minor status pair into a string
184 * 'major' is a GSS major status code
185 * 'minor' is a GSS minor status code
188 * A string containing the text representation of the error codes.
189 * Users should copy the string if they wish to keep it.
193 dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
196 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
197 * principal: host/example.com@EXAMPLE.COM) to the realm name stored
198 * in "name" (which represents the realm name).
203 dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
206 * Compare a "signer" (in the format of a Kerberos-format Kerberos5
207 * principal: host/example.com@EXAMPLE.COM) to the realm name stored
208 * in "name" (which represents the realm name).
214 #endif /* DST_GSSAPI_H */