Grid Community Toolkit  6.2.1705709074 (tag: v6.2.20240202)
 All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ssh-gss.h
1 /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
2 /*
3  * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  * notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  * notice, this list of conditions and the following disclaimer in the
12  * documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #ifndef _SSH_GSS_H
27 #define _SSH_GSS_H
28 
29 #ifdef GSSAPI
30 
31 #ifdef HAVE_GSSAPI_H
32 #include <gssapi.h>
33 #elif defined(HAVE_GSSAPI_GSSAPI_H)
34 #include <gssapi/gssapi.h>
35 #endif
36 
37 #ifdef KRB5
38 # ifndef HEIMDAL
39 # ifdef HAVE_GSSAPI_GENERIC_H
40 # include <gssapi_generic.h>
41 # elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H)
42 # include <gssapi/gssapi_generic.h>
43 # endif
44 
45 /* Old MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */
46 
47 # if !HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE
48 # define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
49 # endif /* !HAVE_DECL_GSS_C_NT_... */
50 
51 # endif /* !HEIMDAL */
52 
53 /* .k5users support */
54 extern char **k5users_allowed_cmds;
55 
56 #endif /* KRB5 */
57 
58 /* draft-ietf-secsh-gsskeyex-06 */
59 #define SSH2_MSG_USERAUTH_GSSAPI_RESPONSE 60
60 #define SSH2_MSG_USERAUTH_GSSAPI_TOKEN 61
61 #define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63
62 #define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64
63 #define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65
64 #define SSH2_MSG_USERAUTH_GSSAPI_MIC 66
65 
66 #define SSH_GSS_OIDTYPE 0x06
67 
68 #define SSH2_MSG_KEXGSS_INIT 30
69 #define SSH2_MSG_KEXGSS_CONTINUE 31
70 #define SSH2_MSG_KEXGSS_COMPLETE 32
71 #define SSH2_MSG_KEXGSS_HOSTKEY 33
72 #define SSH2_MSG_KEXGSS_ERROR 34
73 #define SSH2_MSG_KEXGSS_GROUPREQ 40
74 #define SSH2_MSG_KEXGSS_GROUP 41
75 #define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-"
76 #define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
77 #define KEX_GSS_GRP14_SHA256_ID "gss-group14-sha256-"
78 #define KEX_GSS_GRP16_SHA512_ID "gss-group16-sha512-"
79 #define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
80 #define KEX_GSS_NISTP256_SHA256_ID "gss-nistp256-sha256-"
81 #define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
82 
83 #define GSS_KEX_DEFAULT_KEX \
84  KEX_GSS_GRP14_SHA256_ID "," \
85  KEX_GSS_GRP16_SHA512_ID "," \
86  KEX_GSS_NISTP256_SHA256_ID "," \
87  KEX_GSS_C25519_SHA256_ID "," \
88  KEX_GSS_GRP14_SHA1_ID "," \
89  KEX_GSS_GEX_SHA1_ID
90 
91 typedef struct {
92  char *filename;
93  char *envvar;
94  char *envval;
95  struct passwd *owner;
96  void *data;
97 } ssh_gssapi_ccache;
98 
99 typedef struct {
100  gss_OID_desc oid;
101  gss_buffer_desc displayname;
102  gss_buffer_desc exportedname;
103  gss_cred_id_t creds;
104  gss_name_t cred_name, ctx_name;
105  struct ssh_gssapi_mech_struct *mech;
106  ssh_gssapi_ccache store;
107  gss_ctx_id_t context; /* needed for globus_gss_assist_map_and_authorize() */
108  int used;
109  int updated;
110 } ssh_gssapi_client;
111 
112 typedef struct ssh_gssapi_mech_struct {
113  char *enc_name;
114  char *name;
115  gss_OID_desc oid;
116  int (*dochild) (ssh_gssapi_client *);
117  int (*userok) (ssh_gssapi_client *, char *);
118  int (*localname) (ssh_gssapi_client *, char **);
119  int (*storecreds) (ssh_gssapi_client *);
120  int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
121 } ssh_gssapi_mech;
122 
123 typedef struct {
124  OM_uint32 major; /* both */
125  OM_uint32 minor; /* both */
126  gss_ctx_id_t context; /* both */
127  gss_name_t name; /* both */
128  gss_OID oid; /* both */
129  gss_cred_id_t creds; /* server */
130  gss_name_t client; /* server */
131  gss_cred_id_t client_creds; /* both */
132 } Gssctxt;
133 
134 extern ssh_gssapi_mech *supported_mechs[];
135 extern Gssctxt *gss_kex_context;
136 
137 int ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
138 void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
139 void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
140 void ssh_gssapi_supported_oids(gss_OID_set *);
141 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
142 void ssh_gssapi_prepare_supported_oids(void);
143 OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
144 
145 struct sshbuf;
146 int ssh_gssapi_get_buffer_desc(struct sshbuf *, gss_buffer_desc *);
147 int ssh_gssapi_sshpkt_get_buffer_desc(struct ssh *, gss_buffer_desc *);
148 
149 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
150 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
151  gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
152 OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *,
153  gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
154 OM_uint32 ssh_gssapi_getclient(Gssctxt *, ssh_gssapi_client *);
155 void ssh_gssapi_error(Gssctxt *);
156 char *ssh_gssapi_last_error(Gssctxt *, OM_uint32 *, OM_uint32 *);
157 void ssh_gssapi_build_ctx(Gssctxt **);
158 void ssh_gssapi_delete_ctx(Gssctxt **);
159 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
160 void ssh_gssapi_buildmic(struct sshbuf *, const char *,
161  const char *, const char *, const struct sshbuf *);
162 int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
163 OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
164 int ssh_gssapi_credentials_updated(Gssctxt *);
165 
166 int ssh_gssapi_localname(char **name);
167 void ssh_gssapi_rekey_creds();
168 
169 /* In the server */
170 typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
171  const char *);
172 char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
173 char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
174  const char *, const char *);
175 gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
176 int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
177  const char *);
178 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
179 int ssh_gssapi_userok(char *name, struct passwd *, int kex);
180 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
181 void ssh_gssapi_do_child(char ***, u_int *);
182 void ssh_gssapi_cleanup_creds(void);
183 int ssh_gssapi_storecreds(void);
184 const char *ssh_gssapi_displayname(void);
185 
186 char *ssh_gssapi_server_mechanisms(void);
187 int ssh_gssapi_oid_table_ok(void);
188 
189 int ssh_gssapi_update_creds(ssh_gssapi_ccache *store);
190 void ssh_gssapi_rekey_creds(void);
191 
192 #endif /* GSSAPI */
193 
194 #endif /* _SSH_GSS_H */