]>
Commit | Line | Data |
---|---|---|
12471842 PL |
1 | /* |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
b53bf23e AT |
22 | #pragma once |
23 | ||
24 | #ifdef ENABLE_GSS_TSIG | |
25 | #include <gssapi/gssapi.h> | |
26 | #include <gssapi/gssapi_krb5.h> | |
27 | #include <gssapi/gssapi_ext.h> | |
28 | #endif | |
29 | ||
30 | //! Generic errors | |
31 | enum GssContextError { | |
32 | GSS_CONTEXT_NO_ERROR, | |
33 | GSS_CONTEXT_UNSUPPORTED, | |
34 | GSS_CONTEXT_NOT_FOUND, | |
35 | GSS_CONTEXT_NOT_INITIALIZED, | |
36 | GSS_CONTEXT_INVALID, | |
37 | GSS_CONTEXT_EXPIRED, | |
38 | GSS_CONTEXT_ALREADY_INITIALIZED | |
39 | }; | |
40 | ||
41 | //! GSS context types | |
42 | enum GssContextType { | |
43 | GSS_CONTEXT_NONE, | |
44 | GSS_CONTEXT_INIT, | |
45 | GSS_CONTEXT_ACCEPT | |
46 | }; | |
47 | ||
48 | class GssSecContext; | |
49 | ||
50 | /*! Class for representing GSS names, such as host/host.domain.com@REALM. | |
51 | */ | |
52 | class GssName { | |
53 | public: | |
54 | //! Initialize to empty name | |
55 | GssName() { | |
56 | setName(""); | |
57 | }; | |
58 | ||
319a548e | 59 | //! Initialize using specific name |
b53bf23e AT |
60 | GssName(const std::string& name) { |
61 | setName(name); | |
62 | }; | |
63 | ||
64 | //! Parse name into native representation | |
65 | bool setName(const std::string& name) { | |
66 | #ifdef ENABLE_GSS_TSIG | |
67 | gss_buffer_desc buffer; | |
68 | d_name = GSS_C_NO_NAME; | |
69 | ||
70 | if (!name.empty()) { | |
71 | buffer.length = name.size(); | |
72 | buffer.value = (void*)name.c_str(); | |
73 | d_maj = gss_import_name(&d_min, &buffer, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &d_name); | |
74 | return d_maj == GSS_S_COMPLETE; | |
75 | } | |
76 | ||
77 | return true; | |
78 | #endif | |
79 | return false; | |
80 | }; | |
81 | ||
82 | ~GssName() { | |
83 | #ifdef ENABLE_GSS_TSIG | |
84 | if (d_name != GSS_C_NO_NAME) | |
85 | gss_release_name(&d_min, &d_name); | |
86 | #endif | |
87 | }; | |
88 | ||
89 | //! Compare two Gss Names, if no gss support is compiled in, returns false always | |
d51d0c77 | 90 | //! This is not necessarily same as string comparison between two non-parsed names |
b53bf23e AT |
91 | bool operator==(const GssName& rhs) { |
92 | #ifdef ENABLE_GSS_TSIG | |
93 | OM_uint32 maj,min; | |
94 | int result; | |
95 | maj = gss_compare_name(&min, d_name, rhs.d_name, &result); | |
96 | return (maj == GSS_S_COMPLETE && result != 0); | |
97 | #endif | |
98 | return false; | |
99 | } | |
100 | ||
101 | //! Compare two Gss Names, if no gss support is compiled in, returns false always | |
d51d0c77 | 102 | //! This is not necessarily same as string comparison between two non-parsed names |
b53bf23e AT |
103 | bool match(const std::string& name) { |
104 | #ifdef ENABLE_GSS_TSIG | |
105 | OM_uint32 maj,min; | |
106 | int result; | |
107 | gss_name_t comp; | |
108 | gss_buffer_desc buffer; | |
109 | buffer.length = name.size(); | |
110 | buffer.value = (void*)name.c_str(); | |
111 | maj = gss_import_name(&min, &buffer, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &comp); | |
112 | if (maj != GSS_S_COMPLETE) | |
335da0ba | 113 | throw PDNSException("Could not import " + name + ": " + std::to_string(maj) + string(",") + std::to_string(min)); |
b53bf23e AT |
114 | // do comparison |
115 | maj = gss_compare_name(&min, d_name, comp, &result); | |
116 | gss_release_name(&min, &comp); | |
117 | return (maj == GSS_S_COMPLETE && result != 0); | |
118 | #else | |
119 | return false; | |
120 | #endif | |
121 | }; | |
122 | ||
123 | //! Check if GSS name was parsed successfully. | |
124 | bool valid() { | |
125 | #ifdef ENABLE_GSS_TSIG | |
126 | return d_maj == GSS_S_COMPLETE; | |
127 | #else | |
128 | return false; | |
129 | #endif | |
130 | } | |
131 | private: | |
132 | #ifdef ENABLE_GSS_TSIG | |
133 | OM_uint32 d_maj,d_min; | |
134 | gss_name_t d_name; | |
135 | #endif | |
136 | }; | |
137 | ||
138 | class GssContext { | |
139 | public: | |
140 | static bool supported(); //<! Returns true if GSS is supported in the first place | |
141 | GssContext(); //<! Construct new GSS context with random name | |
1635f12b | 142 | GssContext(const DNSName& label); //<! Create or open existing named context |
b53bf23e AT |
143 | |
144 | void setLocalPrincipal(const std::string& name); //<! Set our gss name | |
145 | bool getLocalPrincipal(std::string& name); //<! Get our name | |
146 | void setPeerPrincipal(const std::string& name); //<! Set remote name (do not use after negotiation) | |
b5acc3a9 | 147 | bool getPeerPrincipal(std::string &name); //<! Return remote name, returns actual name after negotiation |
b53bf23e AT |
148 | |
149 | void generateLabel(const std::string& suffix); //<! Generate random context name using suffix (such as mydomain.com) | |
1635f12b AT |
150 | void setLabel(const DNSName& label); //<! Set context name to this label |
151 | const DNSName& getLabel() { return d_label; } //<! Return context name | |
b53bf23e AT |
152 | |
153 | bool init(const std::string &input, std::string& output); //<! Perform GSS Initiate Security Context handshake | |
a53f574f | 154 | bool accept(const std::string &input, std::string& output); //<! Perform GSS Accept Security Context handshake |
b53bf23e AT |
155 | bool destroy(); //<! Release the cached context |
156 | bool expired(); //<! Check if context is expired | |
157 | bool valid(); //<! Check if context is valid | |
158 | ||
159 | bool sign(const std::string &input, std::string& output); //<! Sign something using gss | |
160 | bool verify(const std::string &input, const std::string &signature); //<! Validate gss signature with something | |
161 | ||
162 | GssContextError getError(); //<! Get error | |
163 | const std::vector<std::string> getErrorStrings() { return d_gss_errors; } //<! Get native error texts | |
164 | private: | |
165 | void release(); //<! Release context | |
166 | void initialize(); //<! Initialize context | |
167 | #ifdef ENABLE_GSS_TSIG | |
168 | void processError(const string& method, OM_uint32 maj, OM_uint32 min); //<! Process and fill error text vector | |
169 | #endif | |
1635f12b | 170 | DNSName d_label; //<! Context name |
b53bf23e AT |
171 | std::string d_peerPrincipal; //<! Remote name |
172 | std::string d_localPrincipal; //<! Our name | |
173 | GssContextError d_error; //<! Context error | |
174 | GssContextType d_type; //<! Context type | |
175 | std::vector<std::string> d_gss_errors; //<! Native error string(s) | |
176 | boost::shared_ptr<GssSecContext> d_ctx; //<! Attached security context | |
177 | }; | |
178 | ||
21a3792f KM |
179 | bool gss_add_signature(const DNSName& context, const std::string& message, std::string& mac); //<! Create signature |
180 | bool gss_verify_signature(const DNSName& context, const std::string& message, const std::string& mac); //<! Validate signature |