auth2-gss.c revision 1.1
1/* $OpenBSD: auth2-gss.c,v 1.1 2003/08/22 10:56:08 markus Exp $ */ 2 3/* 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include "includes.h" 28 29#ifdef GSSAPI 30 31#include "auth.h" 32#include "ssh2.h" 33#include "xmalloc.h" 34#include "log.h" 35#include "dispatch.h" 36#include "servconf.h" 37#include "compat.h" 38#include "packet.h" 39#include "monitor_wrap.h" 40 41#include "ssh-gss.h" 42 43extern ServerOptions options; 44 45static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); 46static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 47static void input_gssapi_errtok(int, u_int32_t, void *); 48 49/* 50 * We only support those mechanisms that we know about (ie ones that we know 51 * how to check local user kuserok and the like 52 */ 53static int 54userauth_gssapi(Authctxt *authctxt) 55{ 56 gss_OID_desc oid = {0, NULL}; 57 Gssctxt *ctxt = NULL; 58 int mechs; 59 gss_OID_set supported; 60 int present; 61 OM_uint32 ms; 62 u_int len; 63 char *doid = NULL; 64 65 if (!authctxt->valid || authctxt->user == NULL) 66 return (0); 67 68 mechs = packet_get_int(); 69 if (mechs == 0) { 70 debug("Mechanism negotiation is not supported"); 71 return (0); 72 } 73 74 ssh_gssapi_supported_oids(&supported); 75 do { 76 mechs--; 77 78 if (doid) 79 xfree(doid); 80 81 doid = packet_get_string(&len); 82 83 if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) { 84 logit("Mechanism OID received using the old encoding form"); 85 oid.elements = doid; 86 oid.length = len; 87 } else { 88 oid.elements = doid + 2; 89 oid.length = len - 2; 90 } 91 gss_test_oid_set_member(&ms, &oid, supported, &present); 92 } while (mechs > 0 && !present); 93 94 gss_release_oid_set(&ms, &supported); 95 96 if (!present) { 97 xfree(doid); 98 return (0); 99 } 100 101 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) 102 return (0); 103 104 authctxt->methoddata=(void *)ctxt; 105 106 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); 107 108 /* Return OID in same format as we received it*/ 109 packet_put_string(doid, len); 110 111 packet_send(); 112 xfree(doid); 113 114 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); 115 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); 116 authctxt->postponed = 1; 117 118 return (0); 119} 120 121static void 122input_gssapi_token(int type, u_int32_t plen, void *ctxt) 123{ 124 Authctxt *authctxt = ctxt; 125 Gssctxt *gssctxt; 126 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 127 gss_buffer_desc recv_tok; 128 OM_uint32 maj_status, min_status; 129 u_int len; 130 131 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 132 fatal("No authentication or GSSAPI context"); 133 134 gssctxt = authctxt->methoddata; 135 recv_tok.value = packet_get_string(&len); 136 recv_tok.length = len; /* u_int vs. size_t */ 137 138 packet_check_eom(); 139 140 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 141 &send_tok, NULL)); 142 143 xfree(recv_tok.value); 144 145 if (GSS_ERROR(maj_status)) { 146 if (send_tok.length != 0) { 147 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); 148 packet_put_string(send_tok.value, send_tok.length); 149 packet_send(); 150 } 151 authctxt->postponed = 0; 152 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 153 userauth_finish(authctxt, 0, "gssapi"); 154 } else { 155 if (send_tok.length != 0) { 156 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); 157 packet_put_string(send_tok.value, send_tok.length); 158 packet_send(); 159 } 160 if (maj_status == GSS_S_COMPLETE) { 161 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 162 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 163 &input_gssapi_exchange_complete); 164 } 165 } 166 167 gss_release_buffer(&min_status, &send_tok); 168} 169 170static void 171input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) 172{ 173 Authctxt *authctxt = ctxt; 174 Gssctxt *gssctxt; 175 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 176 gss_buffer_desc recv_tok; 177 OM_uint32 maj_status; 178 179 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 180 fatal("No authentication or GSSAPI context"); 181 182 gssctxt = authctxt->methoddata; 183 recv_tok.value = packet_get_string(&recv_tok.length); 184 185 packet_check_eom(); 186 187 /* Push the error token into GSSAPI to see what it says */ 188 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 189 &send_tok, NULL)); 190 191 xfree(recv_tok.value); 192 193 /* We can't return anything to the client, even if we wanted to */ 194 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 195 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 196 197 /* The client will have already moved on to the next auth */ 198 199 gss_release_buffer(&maj_status, &send_tok); 200} 201 202/* 203 * This is called when the client thinks we've completed authentication. 204 * It should only be enabled in the dispatch handler by the function above, 205 * which only enables it once the GSSAPI exchange is complete. 206 */ 207 208static void 209input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 210{ 211 Authctxt *authctxt = ctxt; 212 Gssctxt *gssctxt; 213 int authenticated; 214 215 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 216 fatal("No authentication or GSSAPI context"); 217 218 gssctxt = authctxt->methoddata; 219 220 /* 221 * We don't need to check the status, because the stored credentials 222 * which userok uses are only populated once the context init step 223 * has returned complete. 224 */ 225 226 packet_check_eom(); 227 228 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 229 230 authctxt->postponed = 0; 231 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 232 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 233 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 234 userauth_finish(authctxt, authenticated, "gssapi"); 235} 236 237Authmethod method_gssapi = { 238 "gssapi", 239 userauth_gssapi, 240 &options.gss_authentication 241}; 242 243#endif /* GSSAPI */ 244