1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-09 15:23:50 -05:00

Patch from Alejandro Sedeno, somewhat modified by me, which

reorganises the GSSAPI support so that it handles alternative
implementations of the GSS-API. In particular, this means PuTTY can
now talk to MIT Kerberos for Windows instead of being limited to
SSPI. I don't know for sure whether further tweaking will be needed
(to the UI, most likely, or to automatic selection of credentials),
but testing reports suggest it's now at least worth committing to
trunk to get it more widely tested.

[originally from svn r8952]
This commit is contained in:
Simon Tatham
2010-05-19 18:22:17 +00:00
parent f2b737cdd6
commit 99fffd6ed3
21 changed files with 1148 additions and 303 deletions

114
sshgss.h
View File

@ -1,4 +1,9 @@
#include "puttyps.h"
#ifndef PUTTY_SSHGSS_H
#define PUTTY_SSHGSS_H
#include "putty.h"
#include "pgssapi.h"
#ifndef NO_GSSAPI
#define SSH2_GSS_OIDTYPE 0x06
typedef void *Ssh_gss_ctx;
@ -18,46 +23,54 @@ typedef enum Ssh_gss_stat {
(*buf).value = NULL; \
} while (0)
/* Functions, provided by either wingss.c or uxgss.c */
typedef gss_buffer_desc Ssh_gss_buf;
typedef gss_name_t Ssh_gss_name;
/* Functions, provided by either wingss.c or sshgssc.c */
struct ssh_gss_library;
/*
* Do startup-time initialisation for using GSSAPI. (On Windows,
* for instance, this dynamically loads the GSSAPI DLL and
* retrieves some function pointers.)
* Do startup-time initialisation for using GSSAPI. This should
* correctly initialise the array of struct ssh_gss_library declared
* below.
*
* Return value is 1 on success, or 0 if initialisation failed.
*
* May be called multiple times (since the most convenient place
* to call it _from_ is the ssh.c setup code), and will harmlessly
* Must be callable multiple times (since the most convenient place
* to call it _from_ is the ssh.c setup code), and should harmlessly
* return success if already initialised.
*/
int ssh_gss_init(void);
void ssh_gss_init(void);
/*
* Fills in buf with a string describing the GSSAPI mechanism in
* use. buf->data is not dynamically allocated.
*/
Ssh_gss_stat ssh_gss_indicate_mech(Ssh_gss_buf *buf);
typedef Ssh_gss_stat (*t_ssh_gss_indicate_mech)(struct ssh_gss_library *lib,
Ssh_gss_buf *buf);
/*
* Converts a name such as a hostname into a GSSAPI internal form,
* which is placed in "out". The result should be freed by
* ssh_gss_release_name().
*/
Ssh_gss_stat ssh_gss_import_name(char *in, Ssh_gss_name *out);
typedef Ssh_gss_stat (*t_ssh_gss_import_name)(struct ssh_gss_library *lib,
char *in, Ssh_gss_name *out);
/*
* Frees the contents of an Ssh_gss_name structure filled in by
* ssh_gss_import_name().
*/
Ssh_gss_stat ssh_gss_release_name(Ssh_gss_name *name);
typedef Ssh_gss_stat (*t_ssh_gss_release_name)(struct ssh_gss_library *lib,
Ssh_gss_name *name);
/*
* The main GSSAPI security context setup function. The "out"
* parameter will need to be freed by ssh_gss_free_tok.
*/
Ssh_gss_stat ssh_gss_init_sec_context(Ssh_gss_ctx *ctx, Ssh_gss_name name, int delegate,
Ssh_gss_buf *in, Ssh_gss_buf *out);
typedef Ssh_gss_stat (*t_ssh_gss_init_sec_context)
(struct ssh_gss_library *lib,
Ssh_gss_ctx *ctx, Ssh_gss_name name, int delegate,
Ssh_gss_buf *in, Ssh_gss_buf *out);
/*
* Frees the contents of an Ssh_gss_buf filled in by
@ -66,26 +79,30 @@ Ssh_gss_stat ssh_gss_init_sec_context(Ssh_gss_ctx *ctx, Ssh_gss_name name, int d
* different free function) or something filled in by any other
* way.
*/
Ssh_gss_stat ssh_gss_free_tok(Ssh_gss_buf *);
typedef Ssh_gss_stat (*t_ssh_gss_free_tok)(struct ssh_gss_library *lib,
Ssh_gss_buf *);
/*
* Acquires the credentials to perform authentication in the first
* place. Needs to be freed by ssh_gss_release_cred().
*/
Ssh_gss_stat ssh_gss_acquire_cred(Ssh_gss_ctx *);
typedef Ssh_gss_stat (*t_ssh_gss_acquire_cred)(struct ssh_gss_library *lib,
Ssh_gss_ctx *);
/*
* Frees the contents of an Ssh_gss_ctx filled in by
* ssh_gss_acquire_cred().
*/
Ssh_gss_stat ssh_gss_release_cred(Ssh_gss_ctx *);
typedef Ssh_gss_stat (*t_ssh_gss_release_cred)(struct ssh_gss_library *lib,
Ssh_gss_ctx *);
/*
* Gets a MIC for some input data. "out" needs to be freed by
* ssh_gss_free_mic().
*/
Ssh_gss_stat ssh_gss_get_mic(Ssh_gss_ctx ctx, Ssh_gss_buf *in,
Ssh_gss_buf *out);
typedef Ssh_gss_stat (*t_ssh_gss_get_mic)(struct ssh_gss_library *lib,
Ssh_gss_ctx ctx, Ssh_gss_buf *in,
Ssh_gss_buf *out);
/*
* Frees the contents of an Ssh_gss_buf filled in by
@ -94,7 +111,8 @@ Ssh_gss_stat ssh_gss_get_mic(Ssh_gss_ctx ctx, Ssh_gss_buf *in,
* different free function) or something filled in by any other
* way.
*/
Ssh_gss_stat ssh_gss_free_mic(Ssh_gss_buf *);
typedef Ssh_gss_stat (*t_ssh_gss_free_mic)(struct ssh_gss_library *lib,
Ssh_gss_buf *);
/*
* Return an error message after authentication failed. The
@ -103,4 +121,56 @@ Ssh_gss_stat ssh_gss_free_mic(Ssh_gss_buf *);
* containing one more character which is a trailing NUL.
* buf->data should be manually freed by the caller.
*/
Ssh_gss_stat ssh_gss_display_status(Ssh_gss_ctx, Ssh_gss_buf *buf);
typedef Ssh_gss_stat (*t_ssh_gss_display_status)(struct ssh_gss_library *lib,
Ssh_gss_ctx, Ssh_gss_buf *buf);
struct ssh_gss_library {
/*
* Identifying number in the enumeration used by the
* configuration code to specify a preference order.
*/
int id;
/*
* Filled in at initialisation time, if there's anything
* interesting to say about how GSSAPI was initialised (e.g.
* which of a number of alternative libraries was used).
*/
const char *gsslogmsg;
/*
* Function pointers implementing the SSH wrapper layer on top
* of GSSAPI. (Defined in sshgssc, typically, though Windows
* provides an alternative layer to sit on top of the annoyingly
* different SSPI.)
*/
t_ssh_gss_indicate_mech indicate_mech;
t_ssh_gss_import_name import_name;
t_ssh_gss_release_name release_name;
t_ssh_gss_init_sec_context init_sec_context;
t_ssh_gss_free_tok free_tok;
t_ssh_gss_acquire_cred acquire_cred;
t_ssh_gss_release_cred release_cred;
t_ssh_gss_get_mic get_mic;
t_ssh_gss_free_mic free_mic;
t_ssh_gss_display_status display_status;
/*
* Additional data for the wrapper layers.
*/
union {
struct gssapi_functions gssapi;
/*
* The SSPI wrappers don't need to store their Windows API
* function pointers in this structure, because there can't
* be more than one set of them available.
*/
} u;
};
extern struct ssh_gss_library ssh_gss_libraries[];
extern int n_ssh_gss_libraries;
#endif /* NO_GSSAPI */
#endif /*PUTTY_SSHGSS_H*/