1 /*
   2  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23  */
  24 /*
  25  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  26  * Use is subject to license terms.
  27  */
  28 
  29 #ifndef _SSH_GSS_H
  30 #define _SSH_GSS_H
  31 
  32 #pragma ident   "%Z%%M% %I%     %E% SMI"
  33 
  34 #ifdef GSSAPI
  35 
  36 #include "kex.h"
  37 #include "buffer.h"
  38 
  39 #ifdef SUNW_GSSAPI
  40 #include <gssapi/gssapi.h>
  41 #include <gssapi/gssapi_ext.h>
  42 #else
  43 #ifdef GSS_KRB5
  44 #ifndef HEIMDAL
  45 #include <gssapi_generic.h>
  46 
  47 /* MIT Kerberos doesn't seem to define GSS_C_NT_HOSTBASED_SERVICE */
  48 #ifndef GSS_C_NT_HOSTBASED_SERVICE
  49 #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
  50 #endif /* GSS_C_NT_... */
  51 #endif /* !HEIMDAL */
  52 #endif /* GSS_KRB5 */
  53 #endif /* SUNW_GSSAPI */
  54 
/*
 * draft-ietf-secsh-gsskeyex-03 (the draft was later published as RFC 4462
 * with the same message numbers).
 *
 * 30-34 sit in the range SSH reserves for key-exchange-method-specific
 * messages (30-49) and 60-66 in the range reserved for userauth-method-
 * specific messages (60-79): these values only carry this meaning while
 * the GSS key exchange / GSS userauth method is in progress, so a packet
 * handler must not dispatch on them outside that window.
 */
#define SSH2_MSG_KEXGSS_INIT                            30
#define SSH2_MSG_KEXGSS_CONTINUE                        31
#define SSH2_MSG_KEXGSS_COMPLETE                        32
#define SSH2_MSG_KEXGSS_HOSTKEY                         33
#define SSH2_MSG_KEXGSS_ERROR                           34
#define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE               60
#define SSH2_MSG_USERAUTH_GSSAPI_TOKEN                  61
#define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE      63
#define SSH2_MSG_USERAUTH_GSSAPI_ERROR                  64
#define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK                 65
#define SSH2_MSG_USERAUTH_GSSAPI_MIC                    66

/*
 * Prefix of the GSS key-exchange method name; the full name appends a
 * mechanism-specific suffix (see ssh_gssapi_mech_oid_to_kexname() below).
 */
#define KEX_GSS_SHA1                                    "gss-group1-sha1-"
/*
 * Service part of the host-based target name ("host@<server>") --
 * presumably what ssh_gssapi_import_name() builds; confirm in ssh-gss.c.
 */
#define SSH_GSS_HOSTBASED_SERVICE                       "host"
  70 
#ifndef HAVE_GSS_STORE_CRED
/*
 * Opaque handle for the fallback credential-storing path used when the
 * GSS-API library does not provide gss_store_cred().  Only the server
 * defines the struct; see the cred_store field of Gssctxt and
 * ssh_gssapi_do_child() / ssh_gssapi_cleanup_creds().
 */
typedef struct ssh_gssapi_cred_store ssh_gssapi_cred_store; /* server-only */
#endif /* !HAVE_GSS_STORE_CRED */
  74 
/*
 * Per-connection GSS-API state shared by the client and server code
 * paths.  Created with ssh_gssapi_build_ctx() and torn down with
 * ssh_gssapi_delete_ctx(); the "client-side"/"server-side" annotations
 * mark fields that only one end of the connection fills in.
 */
typedef struct {
        OM_uint32               major;          /* GSS-API major status of the last call -- presumably what ssh_gssapi_last_error() reports */
        OM_uint32               minor;          /* matching mechanism-specific minor status */
        int                     local; /* true on client, false on server */
        int                     established;    /* nonzero once the context exchange is complete -- presumably set by init/accept_ctx; confirm */
        OM_uint32               flags;          /* GSS-API ret_flags from init/accept_ctx -- presumably; confirm */
        gss_ctx_id_t            context;        /* GSS-API security context handle */
        gss_OID                 desired_mech;   /* client-side only */
        gss_OID                 actual_mech;    /* mechanism actually negotiated */
        gss_name_t              desired_name;   /* targ on both */
        gss_name_t              src_name;       /* initiator / target names in the GSS-API sense -- confirm against gss_inquire_context() use */
        gss_name_t              dst_name;
        gss_cred_id_t           creds;          /* server-side only */
        gss_cred_id_t           deleg_creds;    /* server-side only: credentials delegated by the client; sensitive -- see ssh_gssapi_storecreds() / ssh_gssapi_cleanup_creds() */
        int                     default_creds;  /* server-side only */
#ifndef HAVE_GSS_STORE_CRED
        ssh_gssapi_cred_store   *cred_store;    /* server-side only */
#endif /* !HAVE_GSS_STORE_CRED */
} Gssctxt;
  94 
/*
 * Functions to get supported mech lists.
 *
 * Both fill *mechs with a gss_OID_set; the client variant also takes
 * the server host name, presumably so mechanisms without usable
 * credentials for that target can be omitted -- confirm in ssh-gss.c.
 * Ownership of the returned set (who releases it) is not stated here;
 * check the definitions before freeing.
 */
void ssh_gssapi_server_mechs(gss_OID_set *mechs);
void ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs);
  98 
/*
 * Functions to fix up KEX proposals (needed for rekey cases).
 *
 * ssh_gssapi_modify_kex() splices the key-exchange names derived from
 * `mechs' into `proposal' (the KEX proposal string array); the two
 * hooks presumably wrap it with the server / client mechanism list so
 * that a rekey offers the same GSS methods as the initial exchange.
 */
void ssh_gssapi_modify_kex(Kex *kex, gss_OID_set mechs, char **proposal);
void ssh_gssapi_server_kex_hook(Kex *kex, char **proposal);
void ssh_gssapi_client_kex_hook(Kex *kex, char **proposal);
 103 
/*
 * Map a mechanism OID to its encoded key-exchange method name
 * (KEX_GSS_SHA1 plus a mechanism-specific suffix), and an OID set to
 * the corresponding list of names.  The strings are returned through
 * the out-parameters and are presumably newly allocated -- confirm the
 * free contract against the definitions before using them.
 */
void ssh_gssapi_mech_oid_to_kexname(const gss_OID mech, char **kexname);
void ssh_gssapi_mech_oids_to_kexnames(const gss_OID_set mechs,
    char **kexname_list);
/*
 * Reverse mapping.  NOTE(review): the original comment here read
 * "dup oid?" -- presumably asking whether *mech is a copy the caller
 * must release with ssh_gssapi_release_oid(); confirm before use.
 * kexname normally originates from the peer's KEX proposal, so treat it
 * as untrusted input.
 */
void ssh_gssapi_oid_of_kexname(const char *kexname, gss_OID *mech);
 110 
/*
 * Unfortunately, the GSS-API is not generic enough for some things --
 * see gss-serv.c and ssh-gss.c.
 *
 * Predicates identifying the mechanism behind an OID so that
 * mechanism-specific handling can be applied.  Each presumably returns
 * nonzero on a match; confirm the exact return convention in the
 * definitions.
 */
int  ssh_gssapi_is_spnego(gss_OID oid);
int  ssh_gssapi_is_krb5(gss_OID oid);
int  ssh_gssapi_is_gsi(gss_OID oid);
int  ssh_gssapi_is_dh(gss_OID oid);
 119 
/* GSS_Init/Accept_sec_context() and GSS_Acquire_cred() wrappers */
/*
 * Each returns the GSS-API major status of the underlying call; the
 * minor status is presumably kept in ctx for ssh_gssapi_last_error().
 * One call handles one round of the token exchange: recv_tok is the
 * token just received from the peer and send_tok receives the token to
 * send back, if any.  recv_tok is peer-supplied data and is handed to
 * the mechanism as-is; nothing in this layer should parse it.  A
 * non-empty send_tok on its own does not mean the context is complete
 * -- presumably ctx->established is the signal to check; confirm.
 */
/* client-only; deleg_creds nonzero presumably requests credential delegation */
OM_uint32 ssh_gssapi_init_ctx(Gssctxt *ctx, const char *server_host,
    int deleg_creds, gss_buffer_t recv_tok, gss_buffer_t send_tok);
/* server-only */
OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_t recv_tok,
    gss_buffer_t send_tok);
/* server-only; presumably fills ctx->creds with the acceptor credentials */
OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *ctx);
 129 
/*
 * MIC wrappers: get_mic computes a GSS-API integrity check over
 * `buffer' into `hash'; verify_mic checks `hash' against `buffer'.
 * Both return the GSS-API major status.  For verify_mic only
 * GSS_S_COMPLETE is success -- the MIC is what ties the GSS
 * authentication to this particular session, so any other status must
 * be treated as an authentication failure rather than a soft error.
 */
OM_uint32 ssh_gssapi_get_mic(Gssctxt *ctx, gss_buffer_t buffer,
                                gss_buffer_t hash);
OM_uint32 ssh_gssapi_verify_mic(Gssctxt *ctx, gss_buffer_t buffer,
                                gss_buffer_t hash);
 135 
/*
 * Gssctxt functions.
 *
 * build_ctx      -- allocate *ctx; `client' presumably sets the `local'
 *                   field and `mech' the desired mechanism.
 * delete_ctx     -- release *ctx and whatever it owns (GSS names,
 *                   context, credentials) -- confirm which in the
 *                   definition, as leaked delegated credentials would
 *                   be a real problem.
 * check_mech_oid -- compare raw OID bytes (data, len) received from the
 *                   peer with ctx's mechanism; data is untrusted and
 *                   len is the only bound on it.
 * error          -- log the GSS-API status held in ctx, tagged with
 *                   `where' (presumably the calling site).
 * last_error     -- return a human-readable description and the
 *                   major/minor status; the returned string is
 *                   presumably allocated and must be freed by the caller.
 *                   Note the parameter is named `ctxt' here while every
 *                   other prototype uses `ctx'.
 */
void     ssh_gssapi_build_ctx(Gssctxt **ctx, int client, gss_OID mech);
void     ssh_gssapi_delete_ctx(Gssctxt **ctx);
int      ssh_gssapi_check_mech_oid(Gssctxt *ctx, void *data, size_t len);
void     ssh_gssapi_error(Gssctxt *ctx, const char *where);
char    *ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *maj, OM_uint32 *min);
 142 
/*
 * Server-side authorization, used once the context is established.
 * userok decides whether the authenticated GSS principal in ctx may log
 * in as the requested local account `name' (nonzero presumably means
 * allowed; confirm); localname maps that principal to a local user
 * name.  These are the policy decision of GSS user authentication: an
 * established context alone proves identity, not the right to use
 * `name'.
 */
int      ssh_gssapi_userok(Gssctxt *ctx, char *name);
char    *ssh_gssapi_localname(Gssctxt *ctx);
 146 
/*
 * Server-side, if PAM and gss_store_cred() are available, ...
 * Store the delegated credentials from ctx into the user's credential
 * cache.  struct Authctxt is only forward-declared here to avoid
 * conflicts between auth.h and sshconnect2.c.
 */
struct Authctxt; /* needed to avoid conflicts between auth.h, sshconnect2.c */
void    ssh_gssapi_storecreds(Gssctxt *ctx, struct Authctxt *authctxt);
 150 
/*
 * ... else, if other interfaces are available for GSS-API cred storing.
 * do_child runs in the child process and presumably exports the stored
 * credentials through the environment (envp / envsizep are the
 * environment array and its size); cleanup_creds removes them again.
 * uint_t is the Solaris <sys/types.h> type.
 */
void    ssh_gssapi_do_child(Gssctxt *ctx, char ***envp, uint_t *envsizep);
void    ssh_gssapi_cleanup_creds(Gssctxt *ctx);
 154 
/*
 * Misc.
 *
 * import_name   -- build the target name for server_host into ctx
 *                  (presumably SSH_GSS_HOSTBASED_SERVICE "@" host);
 *                  returns an int status, convention not stated here.
 * oid_to_name / oid_to_str -- printable forms of an OID; oid_to_str
 *                  returns char * and is presumably allocated, oid_to_name
 *                  returns const char * and presumably is not.
 * dup_oid / make_oid / make_oid_ext -- construct a gss_OID; make_oid
 *                  takes raw bytes and nothing here validates that
 *                  `length' matches `elements', so the caller owns that
 *                  check.  der_wrapped selects whether the bytes carry a
 *                  DER header -- presumably; confirm.
 * der_wrap / der_wrap_size -- the first parameter is unnamed in this
 *                  prototype; name it to match the definition.
 * release_oid   -- free an OID obtained from the functions above.
 */
int              ssh_gssapi_import_name(Gssctxt *ctx, const char *server_host);
const char      *ssh_gssapi_oid_to_name(gss_OID oid);
char            *ssh_gssapi_oid_to_str(gss_OID oid);
gss_OID          ssh_gssapi_dup_oid(gss_OID oid);
gss_OID          ssh_gssapi_make_oid(size_t length, void *elements);
gss_OID          ssh_gssapi_make_oid_ext(size_t length, void *elements,
                    int der_wrapped);
void            *ssh_gssapi_der_wrap(size_t, size_t *length);
size_t           ssh_gssapi_der_wrap_size(size_t, size_t *length);
void             ssh_gssapi_release_oid(gss_OID *oid);
 166 #endif /* GSSAPI */
 167 
 168 #endif /* _SSH_GSS_H */