[thirdparty/pdns.git] / pdns / gss_context.hh

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#pragma once

#ifdef ENABLE_GSS_TSIG
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
#include <gssapi/gssapi_ext.h>
#endif

//! Generic errors
enum GssContextError {
  GSS_CONTEXT_NO_ERROR,
  GSS_CONTEXT_UNSUPPORTED,
  GSS_CONTEXT_NOT_FOUND,
  GSS_CONTEXT_NOT_INITIALIZED,
  GSS_CONTEXT_INVALID,
  GSS_CONTEXT_EXPIRED,
  GSS_CONTEXT_ALREADY_INITIALIZED
};

//! GSS context types
enum GssContextType {
  GSS_CONTEXT_NONE,
  GSS_CONTEXT_INIT,
  GSS_CONTEXT_ACCEPT
};

class GssSecContext;

/*! Class for representing GSS names, such as host/host.domain.com@REALM.
*/
class GssName {
public:
  //! Initialize to empty name
  GssName() {
    setName("");
  };

  //! Initialize using specific name
  GssName(const std::string& name) {
    setName(name);
  };

  //! Parse name into native representation
  bool setName(const std::string& name) {
#ifdef ENABLE_GSS_TSIG
    gss_buffer_desc buffer;
    d_name = GSS_C_NO_NAME;

    if (!name.empty()) {
      buffer.length = name.size();
      buffer.value = (void*)name.c_str();
      d_maj = gss_import_name(&d_min, &buffer, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &d_name);
      return d_maj == GSS_S_COMPLETE;
    }

    return true;
#endif
    return false;
  };

  ~GssName() {
#ifdef ENABLE_GSS_TSIG
     if (d_name != GSS_C_NO_NAME)
       gss_release_name(&d_min, &d_name);
#endif
  };

  //! Compare two Gss Names, if no gss support is compiled in, returns false always
  //! This is not necessarily same as string comparison between two non-parsed names
  bool operator==(const GssName& rhs) {
#ifdef ENABLE_GSS_TSIG
    OM_uint32 maj,min;
    int result;
    maj = gss_compare_name(&min, d_name, rhs.d_name, &result);
    return (maj == GSS_S_COMPLETE && result != 0);
#endif
    return false;
  }

  //! Compare two Gss Names, if no gss support is compiled in, returns false always
  //! This is not necessarily same as string comparison between two non-parsed names
  bool match(const std::string& name) {
#ifdef ENABLE_GSS_TSIG
    OM_uint32 maj,min;
    int result;
    gss_name_t comp;
    gss_buffer_desc buffer;
    buffer.length = name.size();
    buffer.value = (void*)name.c_str();
    maj = gss_import_name(&min, &buffer, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &comp);
    if (maj != GSS_S_COMPLETE)
      throw PDNSException("Could not import " + name + ": " + std::to_string(maj) + string(",") + std::to_string(min));
    // do comparison
    maj = gss_compare_name(&min, d_name, comp, &result);
    gss_release_name(&min, &comp);
    return (maj == GSS_S_COMPLETE && result != 0);
#else
   return false;
#endif
  };

  //! Check if GSS name was parsed successfully.
  bool valid() {
#ifdef ENABLE_GSS_TSIG
    return d_maj == GSS_S_COMPLETE;
#else
    return false;
#endif
  }
private:
#ifdef ENABLE_GSS_TSIG
  OM_uint32 d_maj,d_min;
  gss_name_t d_name;
#endif
};

class GssContext {
public:
  static bool supported(); //<! Returns true if GSS is supported in the first place
  GssContext(); //<! Construct new GSS context with random name
  GssContext(const DNSName& label); //<! Create or open existing named context

  void setLocalPrincipal(const std::string& name); //<! Set our gss name
  bool getLocalPrincipal(std::string& name); //<! Get our name
  void setPeerPrincipal(const std::string& name); //<! Set remote name (do not use after negotiation)
  bool getPeerPrincipal(std::string &name); //<! Return remote name, returns actual name after negotiation

  void generateLabel(const std::string& suffix); //<! Generate random context name using suffix (such as mydomain.com)
  void setLabel(const DNSName& label); //<! Set context name to this label
  const DNSName& getLabel() { return d_label; } //<! Return context name

  bool init(const std::string &input, std::string& output); //<! Perform GSS Initiate Security Context handshake
  bool accept(const std::string &input, std::string& output); //<! Perform GSS Accept Security Context handshake
  bool destroy(); //<! Release the cached context
  bool expired(); //<! Check if context is expired
  bool valid(); //<! Check if context is valid

  bool sign(const std::string &input, std::string& output); //<! Sign something using gss
  bool verify(const std::string &input, const std::string &signature); //<! Validate gss signature with something

  GssContextError getError(); //<! Get error
  const std::vector<std::string> getErrorStrings() { return d_gss_errors; } //<! Get native error texts
 private:
  void release(); //<! Release context
  void initialize(); //<! Initialize context
#ifdef ENABLE_GSS_TSIG
  void processError(const string& method, OM_uint32 maj, OM_uint32 min); //<! Process and fill error text vector
#endif
  DNSName d_label; //<! Context name
  std::string d_peerPrincipal; //<! Remote name
  std::string d_localPrincipal; //<! Our name
  GssContextError d_error; //<! Context error
  GssContextType d_type; //<! Context type
  std::vector<std::string> d_gss_errors; //<! Native error string(s)
  boost::shared_ptr<GssSecContext> d_ctx; //<! Attached security context
};

bool gss_add_signature(const DNSName& context, const std::string& message, std::string& mac); //<! Create signature
bool gss_verify_signature(const DNSName& context, const std::string& message, const std::string& mac); //<! Validate signature
Commit	Line	Data
12471842 PL	1	/*
	2	* This file is part of PowerDNS or dnsdist.
	3	* Copyright -- PowerDNS.COM B.V. and its contributors
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of version 2 of the GNU General Public License as
	7	* published by the Free Software Foundation.
	8	*
	9	* In addition, for the avoidance of any doubt, permission is granted to
	10	* link this program with OpenSSL and to (re)distribute the binaries
	11	* produced as the result of such linking.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	21	*/
b53bf23e AT	22	#pragma once
	23
	24	#ifdef ENABLE_GSS_TSIG
	25	#include <gssapi/gssapi.h>
	26	#include <gssapi/gssapi_krb5.h>
	27	#include <gssapi/gssapi_ext.h>
	28	#endif
	29
	30	//! Generic errors
	31	enum GssContextError {
	32	GSS_CONTEXT_NO_ERROR,
	33	GSS_CONTEXT_UNSUPPORTED,
	34	GSS_CONTEXT_NOT_FOUND,
	35	GSS_CONTEXT_NOT_INITIALIZED,
	36	GSS_CONTEXT_INVALID,
	37	GSS_CONTEXT_EXPIRED,
	38	GSS_CONTEXT_ALREADY_INITIALIZED
	39	};
	40
	41	//! GSS context types
	42	enum GssContextType {
	43	GSS_CONTEXT_NONE,
	44	GSS_CONTEXT_INIT,
	45	GSS_CONTEXT_ACCEPT
	46	};
	47
	48	class GssSecContext;
	49
	50	/*! Class for representing GSS names, such as host/host.domain.com@REALM.
	51	*/
	52	class GssName {
	53	public:
	54	//! Initialize to empty name
	55	GssName() {
	56	setName("");
	57	};
	58
319a548e	59	//! Initialize using specific name
b53bf23e AT	60	GssName(const std::string& name) {
	61	setName(name);
	62	};
	63
	64	//! Parse name into native representation
	65	bool setName(const std::string& name) {
	66	#ifdef ENABLE_GSS_TSIG
	67	gss_buffer_desc buffer;
	68	d_name = GSS_C_NO_NAME;
	69
	70	if (!name.empty()) {
	71	buffer.length = name.size();
	72	buffer.value = (void*)name.c_str();
	73	d_maj = gss_import_name(&d_min, &buffer, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &d_name);
	74	return d_maj == GSS_S_COMPLETE;
	75	}
	76
	77	return true;
	78	#endif
	79	return false;
	80	};
	81
	82	~GssName() {
	83	#ifdef ENABLE_GSS_TSIG
	84	if (d_name != GSS_C_NO_NAME)
	85	gss_release_name(&d_min, &d_name);
	86	#endif
	87	};
	88
	89	//! Compare two Gss Names, if no gss support is compiled in, returns false always
d51d0c77	90	//! This is not necessarily same as string comparison between two non-parsed names
b53bf23e AT	91	bool operator==(const GssName& rhs) {
	92	#ifdef ENABLE_GSS_TSIG
	93	OM_uint32 maj,min;
	94	int result;
	95	maj = gss_compare_name(&min, d_name, rhs.d_name, &result);
	96	return (maj == GSS_S_COMPLETE && result != 0);
	97	#endif
	98	return false;
	99	}
	100
	101	//! Compare two Gss Names, if no gss support is compiled in, returns false always
d51d0c77	102	//! This is not necessarily same as string comparison between two non-parsed names
b53bf23e AT	103	bool match(const std::string& name) {
	104	#ifdef ENABLE_GSS_TSIG
	105	OM_uint32 maj,min;
	106	int result;
	107	gss_name_t comp;
	108	gss_buffer_desc buffer;
	109	buffer.length = name.size();
	110	buffer.value = (void*)name.c_str();
	111	maj = gss_import_name(&min, &buffer, (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME, &comp);
	112	if (maj != GSS_S_COMPLETE)
335da0ba	113	throw PDNSException("Could not import " + name + ": " + std::to_string(maj) + string(",") + std::to_string(min));
b53bf23e AT	114	// do comparison
	115	maj = gss_compare_name(&min, d_name, comp, &result);
	116	gss_release_name(&min, &comp);
	117	return (maj == GSS_S_COMPLETE && result != 0);
	118	#else
	119	return false;
	120	#endif
	121	};
	122
	123	//! Check if GSS name was parsed successfully.
	124	bool valid() {
	125	#ifdef ENABLE_GSS_TSIG
	126	return d_maj == GSS_S_COMPLETE;
	127	#else
	128	return false;
	129	#endif
	130	}
	131	private:
	132	#ifdef ENABLE_GSS_TSIG
	133	OM_uint32 d_maj,d_min;
	134	gss_name_t d_name;
	135	#endif
	136	};
	137
	138	class GssContext {
	139	public:
	140	static bool supported(); //<! Returns true if GSS is supported in the first place
	141	GssContext(); //<! Construct new GSS context with random name
1635f12b	142	GssContext(const DNSName& label); //<! Create or open existing named context
b53bf23e AT	143
	144	void setLocalPrincipal(const std::string& name); //<! Set our gss name
	145	bool getLocalPrincipal(std::string& name); //<! Get our name
	146	void setPeerPrincipal(const std::string& name); //<! Set remote name (do not use after negotiation)
b5acc3a9	147	bool getPeerPrincipal(std::string &name); //<! Return remote name, returns actual name after negotiation
b53bf23e AT	148
b53bf23e AT	149	void generateLabel(const std::string& suffix); //<! Generate random context name using suffix (such as mydomain.com)
1635f12b AT	150	void setLabel(const DNSName& label); //<! Set context name to this label
1635f12b AT	151	const DNSName& getLabel() { return d_label; } //<! Return context name
b53bf23e AT	152
b53bf23e AT	153	bool init(const std::string &input, std::string& output); //<! Perform GSS Initiate Security Context handshake
a53f574f	154	bool accept(const std::string &input, std::string& output); //<! Perform GSS Accept Security Context handshake
b53bf23e AT	155	bool destroy(); //<! Release the cached context
	156	bool expired(); //<! Check if context is expired
	157	bool valid(); //<! Check if context is valid
	158
	159	bool sign(const std::string &input, std::string& output); //<! Sign something using gss
	160	bool verify(const std::string &input, const std::string &signature); //<! Validate gss signature with something
	161
	162	GssContextError getError(); //<! Get error
	163	const std::vector<std::string> getErrorStrings() { return d_gss_errors; } //<! Get native error texts
	164	private:
	165	void release(); //<! Release context
	166	void initialize(); //<! Initialize context
	167	#ifdef ENABLE_GSS_TSIG
	168	void processError(const string& method, OM_uint32 maj, OM_uint32 min); //<! Process and fill error text vector
	169	#endif
1635f12b	170	DNSName d_label; //<! Context name
b53bf23e AT	171	std::string d_peerPrincipal; //<! Remote name
	172	std::string d_localPrincipal; //<! Our name
	173	GssContextError d_error; //<! Context error
	174	GssContextType d_type; //<! Context type
	175	std::vector<std::string> d_gss_errors; //<! Native error string(s)
	176	boost::shared_ptr<GssSecContext> d_ctx; //<! Attached security context
	177	};
	178
21a3792f KM	179	bool gss_add_signature(const DNSName& context, const std::string& message, std::string& mac); //<! Create signature
21a3792f KM	180	bool gss_verify_signature(const DNSName& context, const std::string& message, const std::string& mac); //<! Validate signature