crypto/openssh/auth2-gss.c

141104Sharti/*	$OpenBSD: auth2-gss.c,v 1.7 2003/11/21 11:57:03 djm Exp $	*/
1590Srgrimes
1590Srgrimes/*
1590Srgrimes * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
1590Srgrimes *
1590Srgrimes * Redistribution and use in source and binary forms, with or without
1590Srgrimes * modification, are permitted provided that the following conditions
1590Srgrimes * are met:
1590Srgrimes * 1. Redistributions of source code must retain the above copyright
1590Srgrimes *    notice, this list of conditions and the following disclaimer.
1590Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
1590Srgrimes *    notice, this list of conditions and the following disclaimer in the
1590Srgrimes *    documentation and/or other materials provided with the distribution.
1590Srgrimes *
1590Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
1590Srgrimes * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1590Srgrimes * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1590Srgrimes * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1590Srgrimes * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1590Srgrimes * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1590Srgrimes * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1590Srgrimes * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1590Srgrimes * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1590Srgrimes * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1590Srgrimes */
1590Srgrimes
1590Srgrimes#include "includes.h"
1590Srgrimes
1590Srgrimes#ifdef GSSAPI
1590Srgrimes
1590Srgrimes#include "auth.h"
1590Srgrimes#include "ssh2.h"
1590Srgrimes#include "xmalloc.h"
1590Srgrimes#include "log.h"
1590Srgrimes#include "dispatch.h"
1590Srgrimes#include "servconf.h"
62833Swsanchez#include "compat.h"
62833Swsanchez#include "packet.h"
1590Srgrimes#include "monitor_wrap.h"
1590Srgrimes
62833Swsanchez#include "ssh-gss.h"
94587Sobrien
1590Srgrimesextern ServerOptions options;
1590Srgrimes
1590Srgrimesstatic void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
1590Srgrimesstatic void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
1590Srgrimesstatic void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
1590Srgrimesstatic void input_gssapi_errtok(int, u_int32_t, void *);
1590Srgrimes
1590Srgrimes/*
1590Srgrimes * We only support those mechanisms that we know about (ie ones that we know
1590Srgrimes * how to check local user kuserok and the like
1590Srgrimes */
1590Srgrimesstatic int
141270Shartiuserauth_gssapi(Authctxt *authctxt)
141270Sharti{
146338Sharti	gss_OID_desc oid = {0, NULL};
141270Sharti	Gssctxt *ctxt = NULL;
1590Srgrimes	int mechs;
141270Sharti	gss_OID_set supported;
141270Sharti	int present;
141270Sharti	OM_uint32 ms;
1590Srgrimes	u_int len;
141270Sharti	char *doid = NULL;
141270Sharti
141270Sharti	if (!authctxt->valid || authctxt->user == NULL)
141270Sharti		return (0);
1590Srgrimes
141270Sharti	mechs = packet_get_int();
141270Sharti	if (mechs == 0) {
141270Sharti		debug("Mechanism negotiation is not supported");
141270Sharti		return (0);
1590Srgrimes	}
141270Sharti
141270Sharti	ssh_gssapi_supported_oids(&supported);
141270Sharti	do {
141270Sharti		mechs--;
141270Sharti
1590Srgrimes		if (doid)
141270Sharti			xfree(doid);
141270Sharti
141270Sharti		present = 0;
1590Srgrimes		doid = packet_get_string(&len);
141270Sharti
141270Sharti		if (len > 2 &&
1590Srgrimes		   doid[0] == SSH_GSS_OIDTYPE &&
141270Sharti		   doid[1] == len - 2) {
1590Srgrimes			oid.elements = doid + 2;
1590Srgrimes			oid.length   = len - 2;
141104Sharti			gss_test_oid_set_member(&ms, &oid, supported,
144387Sharti			    &present);
141104Sharti		} else {
141104Sharti			logit("Badly formed OID received");
141104Sharti		}
144387Sharti	} while (mechs > 0 && !present);
144387Sharti
176799Simp	gss_release_oid_set(&ms, &supported);
141104Sharti
141104Sharti	if (!present) {
141104Sharti		xfree(doid);
141104Sharti		return (0);
141104Sharti	}
1590Srgrimes
141104Sharti	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) {
142457Sharti		xfree(doid);
200630Sstas		return (0);
141104Sharti	}
141104Sharti
141104Sharti	authctxt->methoddata=(void *)ctxt;
141104Sharti
141104Sharti	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
146066Sharti
141104Sharti	/* Return the OID that we received */
141104Sharti	packet_put_string(doid, len);
141104Sharti
141104Sharti	packet_send();
1590Srgrimes	xfree(doid);
142173Sharti
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
142173Sharti	authctxt->postponed = 1;
142173Sharti
142173Sharti	return (0);
142173Sharti}
143657Sharti
144387Shartistatic void
1590Srgrimesinput_gssapi_token(int type, u_int32_t plen, void *ctxt)
1590Srgrimes{
144387Sharti	Authctxt *authctxt = ctxt;
144387Sharti	Gssctxt *gssctxt;
1590Srgrimes	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
144387Sharti	gss_buffer_desc recv_tok;
144387Sharti	OM_uint32 maj_status, min_status, flags;
144387Sharti	u_int len;
144387Sharti
144387Sharti	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
144387Sharti		fatal("No authentication or GSSAPI context");
144387Sharti
144387Sharti	gssctxt = authctxt->methoddata;
144387Sharti	recv_tok.value = packet_get_string(&len);
144387Sharti	recv_tok.length = len; /* u_int vs. size_t */
144387Sharti
144387Sharti	packet_check_eom();
144387Sharti
144387Sharti	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
144387Sharti	    &send_tok, &flags));
144387Sharti
144387Sharti	xfree(recv_tok.value);
144387Sharti
144387Sharti	if (GSS_ERROR(maj_status)) {
144387Sharti		if (send_tok.length != 0) {
144387Sharti			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
144387Sharti			packet_put_string(send_tok.value, send_tok.length);
144387Sharti			packet_send();
144387Sharti		}
144387Sharti		authctxt->postponed = 0;
144387Sharti		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
144387Sharti		userauth_finish(authctxt, 0, "gssapi-with-mic");
144387Sharti	} else {
144387Sharti		if (send_tok.length != 0) {
144387Sharti			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
144387Sharti			packet_put_string(send_tok.value, send_tok.length);
144387Sharti			packet_send();
144387Sharti		}
144387Sharti		if (maj_status == GSS_S_COMPLETE) {
144387Sharti			dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
144387Sharti			if (flags & GSS_C_INTEG_FLAG)
144387Sharti				dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
144387Sharti				    &input_gssapi_mic);
144387Sharti			else
144387Sharti				dispatch_set(
144387Sharti				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
144387Sharti				    &input_gssapi_exchange_complete);
144387Sharti		}
144387Sharti	}
144387Sharti
144387Sharti	gss_release_buffer(&min_status, &send_tok);
144387Sharti}
144387Sharti
144387Shartistatic void
144387Shartiinput_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
144387Sharti{
144387Sharti	Authctxt *authctxt = ctxt;
144387Sharti	Gssctxt *gssctxt;
144387Sharti	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
144387Sharti	gss_buffer_desc recv_tok;
144387Sharti	OM_uint32 maj_status;
144387Sharti	u_int len;
144387Sharti
144387Sharti	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
144387Sharti		fatal("No authentication or GSSAPI context");
144387Sharti
144387Sharti	gssctxt = authctxt->methoddata;
1590Srgrimes	recv_tok.value = packet_get_string(&len);
1590Srgrimes	recv_tok.length = len;
1590Srgrimes
1590Srgrimes	packet_check_eom();
1590Srgrimes
104696Sjmallett	/* Push the error token into GSSAPI to see what it says */
104696Sjmallett	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
104696Sjmallett	    &send_tok, NULL));
1590Srgrimes
1590Srgrimes	xfree(recv_tok.value);
146338Sharti
1590Srgrimes	/* We can't return anything to the client, even if we wanted to */
1590Srgrimes	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
1590Srgrimes	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
1590Srgrimes
1590Srgrimes	/* The client will have already moved on to the next auth */
1590Srgrimes
1590Srgrimes	gss_release_buffer(&maj_status, &send_tok);
1590Srgrimes}
146338Sharti
138512Sharti/*
1590Srgrimes * This is called when the client thinks we've completed authentication.
142173Sharti * It should only be enabled in the dispatch handler by the function above,
142173Sharti * which only enables it once the GSSAPI exchange is complete.
142173Sharti */
142173Sharti
142173Shartistatic void
142173Shartiinput_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
142173Sharti{
141270Sharti	Authctxt *authctxt = ctxt;
1590Srgrimes	Gssctxt *gssctxt;
142173Sharti	int authenticated;
8874Srgrimes
142173Sharti	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
1590Srgrimes		fatal("No authentication or GSSAPI context");
142173Sharti
142173Sharti	gssctxt = authctxt->methoddata;
142173Sharti
142173Sharti	/*
142173Sharti	 * We don't need to check the status, because we're only enabled in
142173Sharti	 * the dispatcher once the exchange is complete
142937Sharti	 */
142173Sharti
142173Sharti	packet_check_eom();
8874Srgrimes
142173Sharti	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
142173Sharti
146338Sharti	authctxt->postponed = 0;
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
8874Srgrimes	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
142173Sharti	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
142173Sharti}
142173Sharti
142173Shartistatic void
1590Srgrimesinput_gssapi_mic(int type, u_int32_t plen, void *ctxt)
1590Srgrimes{
142173Sharti	Authctxt *authctxt = ctxt;
142173Sharti	Gssctxt *gssctxt;
146027Sharti	int authenticated = 0;
142173Sharti	Buffer b;
1590Srgrimes	gss_buffer_desc mic, gssbuf;
142173Sharti	u_int len;
142173Sharti
142173Sharti	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
142173Sharti		fatal("No authentication or GSSAPI context");
142173Sharti
142173Sharti	gssctxt = authctxt->methoddata;
1590Srgrimes
1590Srgrimes	mic.value = packet_get_string(&len);
142173Sharti	mic.length = len;
1590Srgrimes
142173Sharti	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
1590Srgrimes	    "gssapi-with-mic");
142173Sharti
142173Sharti	gssbuf.value = buffer_ptr(&b);
143105Sharti	gssbuf.length = buffer_len(&b);
1590Srgrimes
1590Srgrimes	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
142173Sharti		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
142173Sharti	else
142173Sharti		logit("GSSAPI MIC check failed");
142173Sharti
142173Sharti	buffer_free(&b);
142173Sharti	xfree(mic.value);
142173Sharti
142173Sharti	authctxt->postponed = 0;
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
142937Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
142173Sharti	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
142173Sharti	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
142173Sharti}
142173Sharti
142173ShartiAuthmethod method_gssapi = {
146338Sharti	"gssapi-with-mic",
142173Sharti	userauth_gssapi,
142173Sharti	&options.gss_authentication
142173Sharti};
142173Sharti
142173Sharti#endif /* GSSAPI */
142173Sharti