1 /*
2     Copyright (c) 2007-2016 Contributors as noted in the AUTHORS file
3 
4     This file is part of libzmq, the ZeroMQ core engine in C++.
5 
6     libzmq is free software; you can redistribute it and/or modify it under
7     the terms of the GNU Lesser General Public License (LGPL) as published
8     by the Free Software Foundation; either version 3 of the License, or
9     (at your option) any later version.
10 
11     As a special exception, the Contributors give you permission to link
12     this library with independent modules to produce an executable,
13     regardless of the license terms of these independent modules, and to
14     copy and distribute the resulting executable under terms of your choice,
15     provided that you also meet, for each linked independent module, the
16     terms and conditions of the license of that module. An independent
17     module is a module which is not derived from or based on this library.
18     If you modify this library, you must extend this exception to your
19     version of the library.
20 
21     libzmq is distributed in the hope that it will be useful, but WITHOUT
22     ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
23     FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
24     License for more details.
25 
26     You should have received a copy of the GNU Lesser General Public License
27     along with this program.  If not, see <http://www.gnu.org/licenses/>.
28 */
29 
30 #ifndef __ZMQ_GSSAPI_MECHANISM_BASE_HPP_INCLUDED__
31 #define __ZMQ_GSSAPI_MECHANISM_BASE_HPP_INCLUDED__
32 
33 #ifdef HAVE_LIBGSSAPI_KRB5
34 
35 #if HAVE_GSSAPI_GSSAPI_GENERIC_H
36 #include <gssapi/gssapi_generic.h>
37 #endif
38 #include <gssapi/gssapi_krb5.h>
39 
40 #include "mechanism_base.hpp"
41 #include "options.hpp"
42 
43 namespace zmq
44 {
45 class msg_t;
46 
47 /// Commonalities between clients and servers are captured here.
48 /// For example, clients and servers both need to produce and
49 /// process context-level GSSAPI tokens (via INITIATE commands)
50 /// and per-message GSSAPI tokens (via MESSAGE commands).
51 class gssapi_mechanism_base_t : public virtual mechanism_base_t
52 {
53   public:
54     gssapi_mechanism_base_t (session_base_t *session_,
55                              const options_t &options_);
56     ~gssapi_mechanism_base_t () ZMQ_OVERRIDE = 0;
57 
58   protected:
59     //  Produce a context-level GSSAPI token (INITIATE command)
60     //  during security context initialization.
61     int produce_initiate (msg_t *msg_, void *data_, size_t data_len_);
62 
63     //  Process a context-level GSSAPI token (INITIATE command)
64     //  during security context initialization.
65     int process_initiate (msg_t *msg_, void **data_, size_t &data_len_);
66 
67     // Produce a metadata ready msg (READY) to conclude handshake
68     int produce_ready (msg_t *msg_);
69 
70     // Process a metadata ready msg (READY)
71     int process_ready (msg_t *msg_);
72 
73     //  Encode a per-message GSSAPI token (MESSAGE command) using
74     //  the established security context.
75     int encode_message (msg_t *msg_);
76 
77     //  Decode a per-message GSSAPI token (MESSAGE command) using
78     //  the  established security context.
79     int decode_message (msg_t *msg_);
80 
81     //  Convert ZMQ_GSSAPI_NT values to GSSAPI name_type
82     static const gss_OID convert_nametype (int zmq_name_type_);
83 
84     //  Acquire security context credentials from the
85     //  underlying mechanism.
86     static int acquire_credentials (char *principal_name_,
87                                     gss_cred_id_t *cred_,
88                                     gss_OID name_type_);
89 
90   protected:
91     //  Opaque GSSAPI token for outgoing data
92     gss_buffer_desc send_tok;
93 
94     //  Opaque GSSAPI token for incoming data
95     gss_buffer_desc recv_tok;
96 
97     //  Opaque GSSAPI representation of principal
98     gss_name_t target_name;
99 
100     //  Human-readable principal name
101     char *principal_name;
102 
103     //  Status code returned by GSSAPI functions
104     OM_uint32 maj_stat;
105 
106     //  Status code returned by the underlying mechanism
107     OM_uint32 min_stat;
108 
109     //  Status code returned by the underlying mechanism
110     //  during context initialization
111     OM_uint32 init_sec_min_stat;
112 
113     //  Flags returned by GSSAPI (ignored)
114     OM_uint32 ret_flags;
115 
116     //  Flags returned by GSSAPI (ignored)
117     OM_uint32 gss_flags;
118 
119     //  Credentials used to establish security context
120     gss_cred_id_t cred;
121 
122     //  Opaque GSSAPI representation of the security context
123     gss_ctx_id_t context;
124 
125     //  If true, use gss to encrypt messages. If false, only utilize gss for auth.
126     bool do_encryption;
127 };
128 }
129 
130 #endif
131 
132 #endif
133