1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab
/*
* Ceph - scalable distributed file system
*
* Copyright (c) 2018 SUSE LLC.
* Author: Daniel Oliveira <doliveira@suse.com>
*
* This is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License version 2.1, as published by the Free Software
* Foundation. See file COPYING.
*
*/
#ifndef KRB_PROTOCOL_HPP
#define KRB_PROTOCOL_HPP
#include "auth/Auth.h"
#include <errno.h>
#include <gssapi.h>
#include <gssapi/gssapi_generic.h>
#include <gssapi/gssapi_krb5.h>
#include <gssapi/gssapi_ext.h>
#include <map>
#include <sstream>
#include <string>
/*
Kerberos Version 5 GSS-API Mechanism
OID {1.2.840.113554.1.2.2}
RFC https://tools.ietf.org/html/rfc1964
*/
static const gss_OID_desc GSS_API_KRB5_OID_PTR =
{ 9, (void *)"\052\206\110\206\367\022\001\002\002" };
/*
Kerberos Version 5 GSS-API Mechanism
Simple and Protected GSS-API Negotiation Mechanism
OID {1.3.6.1.5.5.2}
RFC https://tools.ietf.org/html/rfc4178
*/
static const gss_OID_desc GSS_API_SPNEGO_OID_PTR =
{6, (void *)"\x2b\x06\x01\x05\x05\x02"};
static const std::string KRB_SERVICE_NAME("kerberos/gssapi");
static const std::string GSS_API_SPNEGO_OID("{1.3.6.1.5.5.2}");
static const std::string GSS_API_KRB5_OID("{1.2.840.113554.1.2.2}");
enum class GSSAuthenticationRequest {
GSS_CRYPTO_ERR = 1,
GSS_MUTUAL = 0x100,
GSS_TOKEN = 0x200,
GSS_REQUEST_MASK = 0x0F00
};
enum class GSSKeyExchange {
USERAUTH_GSSAPI_RESPONSE = 70,
USERAUTH_GSSAPI_TOKEN,
USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
USERAUTH_GSSAPI_ERROR,
USERAUTH_GSSAPI_ERRTOK,
USERAUTH_GSSAPI_MIC,
};
static constexpr auto CEPH_GSS_OIDTYPE(0x07);
struct AuthAuthorizer;
class KrbAuthorizer : public AuthAuthorizer {
public:
KrbAuthorizer() : AuthAuthorizer(CEPH_AUTH_GSS) { }
~KrbAuthorizer() = default;
bool build_authorizer(const EntityName& entity_name,
const uint64_t guid) {
uint8_t value = (1);
using ceph::encode;
encode(value, bl, 0);
encode(entity_name, bl, 0);
encode(guid, bl, 0);
return false;
}
bool verify_reply(bufferlist::const_iterator& buff_list,
std::string *connection_secret) override {
return true;
}
bool add_challenge(CephContext* ceph_ctx,
const bufferlist& buff_list) override {
return true;
}
};
class KrbRequest {
public:
void decode(bufferlist::const_iterator& buff_list) {
using ceph::decode;
decode(m_request_type, buff_list);
}
void encode(bufferlist& buff_list) const {
using ceph::encode;
encode(m_request_type, buff_list);
}
uint16_t m_request_type;
};
WRITE_CLASS_ENCODER(KrbRequest);
class KrbResponse {
public:
void decode(bufferlist::const_iterator& buff_list) {
using ceph::decode;
decode(m_response_type, buff_list);
}
void encode(bufferlist& buff_list) const {
using ceph::encode;
encode(m_response_type, buff_list);
}
uint16_t m_response_type;
};
WRITE_CLASS_ENCODER(KrbResponse);
class KrbTokenBlob {
public:
void decode(bufferlist::const_iterator& buff_list) {
uint8_t value = (0);
using ceph::decode;
decode(value, buff_list);
decode(m_token_blob, buff_list);
}
void encode(bufferlist& buff_list) const {
uint8_t value = (1);
using ceph::encode;
encode(value, buff_list, 0);
encode(m_token_blob, buff_list, 0);
}
bufferlist m_token_blob;
};
WRITE_CLASS_ENCODER(KrbTokenBlob);
std::string gss_auth_show_status(const OM_uint32 gss_major_status,
const OM_uint32 gss_minor_status);
#endif //-- KRB_PROTOCOL_HPP
|