1 /* 2 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 /* 25 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 26 * Use is subject to license terms. 27 */ 28 29 #ifndef _SSH_GSS_H 30 #define _SSH_GSS_H 31 32 #pragma ident "%Z%%M% %I% %E% SMI" 33 34 #ifdef GSSAPI 35 36 #include "kex.h" 37 #include "buffer.h" 38 39 #ifdef SUNW_GSSAPI 40 #include <gssapi/gssapi.h> 41 #include <gssapi/gssapi_ext.h> 42 #else 43 #ifdef GSS_KRB5 44 #ifndef HEIMDAL 45 #include <gssapi_generic.h> 46 47 /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ 48 #ifndef GSS_C_NT_HOSTBASED_SERVICE 49 #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name 50 #endif /* GSS_C_NT_... */ 51 #endif /* !HEIMDAL */ 52 #endif /* GSS_KRB5 */ 53 #endif /* SUNW_GSSAPI */ 54 55 /* draft-ietf-secsh-gsskeyex-03 */ 56 #define SSH2_MSG_KEXGSS_INIT 30 57 #define SSH2_MSG_KEXGSS_CONTINUE 31 58 #define SSH2_MSG_KEXGSS_COMPLETE 32 59 #define SSH2_MSG_KEXGSS_HOSTKEY 33 60 #define SSH2_MSG_KEXGSS_ERROR 34 61 #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60 62 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61 63 #define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63 64 #define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64 65 #define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65 66 #define SSH2_MSG_USERAUTH_GSSAPI_MIC 66 67 68 #define KEX_GSS_SHA1 "gss-group1-sha1-" 69 #define SSH_GSS_HOSTBASED_SERVICE "host" 70 71 #ifndef HAVE_GSS_STORE_CRED 72 typedef struct ssh_gssapi_cred_store ssh_gssapi_cred_store; /* server-only */ 73 #endif /* !HAVE_GSS_STORE_CRED */ 74 75 typedef struct { 76 OM_uint32 major; 77 OM_uint32 minor; 78 int local; /* true on client, false on server */ 79 int established; 80 OM_uint32 flags; 81 gss_ctx_id_t context; 82 gss_OID desired_mech; /* client-side only */ 83 gss_OID actual_mech; 84 gss_name_t desired_name; /* targ on both */ 85 gss_name_t src_name; 86 gss_name_t dst_name; 87 gss_cred_id_t creds; /* server-side only */ 88 gss_cred_id_t deleg_creds; /* server-side only */ 89 int default_creds; /* server-side only */ 90 #ifndef HAVE_GSS_STORE_CRED 91 ssh_gssapi_cred_store *cred_store; /* server-side only */ 92 #endif /* !HAVE_GSS_STORE_CRED */ 93 } Gssctxt; 94 95 /* Functions to get supported mech lists */ 96 void ssh_gssapi_server_mechs(gss_OID_set *mechs); 97 void ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs); 98 99 /* Functions to get fix KEX proposals (needed for rekey cases) */ 100 void ssh_gssapi_modify_kex(Kex *kex, gss_OID_set mechs, char **proposal); 101 void ssh_gssapi_server_kex_hook(Kex *kex, char **proposal); 102 void ssh_gssapi_client_kex_hook(Kex *kex, char **proposal); 103 104 /* Map an encoded mechanism keyex name to a mechanism OID */ 105 void ssh_gssapi_mech_oid_to_kexname(const gss_OID mech, char **kexname); 106 void ssh_gssapi_mech_oids_to_kexnames(const gss_OID_set mechs, 107 char **kexname_list); 108 /* dup oid? */ 109 void ssh_gssapi_oid_of_kexname(const char *kexname, gss_OID *mech); 110 111 /* 112 * Unfortunately, the GSS-API is not generic enough for some things -- 113 * see gss-serv.c and ssh-gss.c 114 */ 115 int ssh_gssapi_is_spnego(gss_OID oid); 116 int ssh_gssapi_is_krb5(gss_OID oid); 117 int ssh_gssapi_is_gsi(gss_OID oid); 118 int ssh_gssapi_is_dh(gss_OID oid); 119 120 /* GSS_Init/Accept_sec_context() and GSS_Acquire_cred() wrappers */ 121 /* client-only */ 122 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *ctx, const char *server_host, 123 int deleg_creds, gss_buffer_t recv_tok, gss_buffer_t send_tok); 124 /* server-only */ 125 OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_t recv_tok, 126 gss_buffer_t send_tok); 127 /* server-only */ 128 OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *ctx); 129 130 /* MIC wrappers */ 131 OM_uint32 ssh_gssapi_get_mic(Gssctxt *ctx, gss_buffer_t buffer, 132 gss_buffer_t hash); 133 OM_uint32 ssh_gssapi_verify_mic(Gssctxt *ctx, gss_buffer_t buffer, 134 gss_buffer_t hash); 135 136 /* Gssctxt functions */ 137 void ssh_gssapi_build_ctx(Gssctxt **ctx, int client, gss_OID mech); 138 void ssh_gssapi_delete_ctx(Gssctxt **ctx); 139 int ssh_gssapi_check_mech_oid(Gssctxt *ctx, void *data, size_t len); 140 void ssh_gssapi_error(Gssctxt *ctx, const char *where); 141 char *ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *maj, OM_uint32 *min); 142 143 /* Server-side */ 144 int ssh_gssapi_userok(Gssctxt *ctx, char *name); 145 char *ssh_gssapi_localname(Gssctxt *ctx); 146 147 /* Server-side, if PAM and gss_store_cred() are available, ... */ 148 struct Authctxt; /* needed to avoid conflicts between auth.h, sshconnect2.c */ 149 void ssh_gssapi_storecreds(Gssctxt *ctx, struct Authctxt *authctxt); 150 151 /* ... else, if other interfaces are available for GSS-API cred storing */ 152 void ssh_gssapi_do_child(Gssctxt *ctx, char ***envp, uint_t *envsizep); 153 void ssh_gssapi_cleanup_creds(Gssctxt *ctx); 154 155 /* Misc */ 156 int ssh_gssapi_import_name(Gssctxt *ctx, const char *server_host); 157 const char *ssh_gssapi_oid_to_name(gss_OID oid); 158 char *ssh_gssapi_oid_to_str(gss_OID oid); 159 gss_OID ssh_gssapi_dup_oid(gss_OID oid); 160 gss_OID ssh_gssapi_make_oid(size_t length, void *elements); 161 gss_OID ssh_gssapi_make_oid_ext(size_t length, void *elements, 162 int der_wrapped); 163 void *ssh_gssapi_der_wrap(size_t, size_t *length); 164 size_t ssh_gssapi_der_wrap_size(size_t, size_t *length); 165 void ssh_gssapi_release_oid(gss_OID *oid); 166 #endif /* GSSAPI */ 167 168 #endif /* _SSH_GSS_H */