auth2-gss.c revision 1.25
1/* $OpenBSD: auth2-gss.c,v 1.25 2017/05/30 14:29:59 markus Exp $ */ 2 3/* 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#ifdef GSSAPI 28 29#include <sys/types.h> 30 31#include "xmalloc.h" 32#include "key.h" 33#include "hostfile.h" 34#include "auth.h" 35#include "ssh2.h" 36#include "log.h" 37#include "dispatch.h" 38#include "buffer.h" 39#include "servconf.h" 40#include "packet.h" 41#include "ssh-gss.h" 42#include "monitor_wrap.h" 43 44extern ServerOptions options; 45 46static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh); 47static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh); 48static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); 49static int input_gssapi_errtok(int, u_int32_t, struct ssh *); 50 51/* 52 * We only support those mechanisms that we know about (ie ones that we know 53 * how to check local user kuserok and the like) 54 */ 55static int 56userauth_gssapi(struct ssh *ssh) 57{ 58 Authctxt *authctxt = ssh->authctxt; 59 gss_OID_desc goid = {0, NULL}; 60 Gssctxt *ctxt = NULL; 61 int mechs; 62 int present; 63 OM_uint32 ms; 64 u_int len; 65 u_char *doid = NULL; 66 67 if (!authctxt->valid || authctxt->user == NULL) 68 return (0); 69 70 mechs = packet_get_int(); 71 if (mechs == 0) { 72 debug("Mechanism negotiation is not supported"); 73 return (0); 74 } 75 76 do { 77 mechs--; 78 79 free(doid); 80 81 present = 0; 82 doid = packet_get_string(&len); 83 84 if (len > 2 && doid[0] == SSH_GSS_OIDTYPE && 85 doid[1] == len - 2) { 86 goid.elements = doid + 2; 87 goid.length = len - 2; 88 ssh_gssapi_test_oid_supported(&ms, &goid, &present); 89 } else { 90 logit("Badly formed OID received"); 91 } 92 } while (mechs > 0 && !present); 93 94 if (!present) { 95 free(doid); 96 authctxt->server_caused_failure = 1; 97 return (0); 98 } 99 100 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { 101 if (ctxt != NULL) 102 ssh_gssapi_delete_ctx(&ctxt); 103 free(doid); 104 authctxt->server_caused_failure = 1; 105 return (0); 106 } 107 108 authctxt->methoddata = (void *)ctxt; 109 110 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); 111 112 /* Return the OID that we received */ 113 packet_put_string(doid, len); 114 115 packet_send(); 116 free(doid); 117 118 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); 119 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); 120 authctxt->postponed = 1; 121 122 return (0); 123} 124 125static int 126input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh) 127{ 128 Authctxt *authctxt = ssh->authctxt; 129 Gssctxt *gssctxt; 130 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 131 gss_buffer_desc recv_tok; 132 OM_uint32 maj_status, min_status, flags; 133 u_int len; 134 135 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 136 fatal("No authentication or GSSAPI context"); 137 138 gssctxt = authctxt->methoddata; 139 recv_tok.value = packet_get_string(&len); 140 recv_tok.length = len; /* u_int vs. size_t */ 141 142 packet_check_eom(); 143 144 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 145 &send_tok, &flags)); 146 147 free(recv_tok.value); 148 149 if (GSS_ERROR(maj_status)) { 150 if (send_tok.length != 0) { 151 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); 152 packet_put_string(send_tok.value, send_tok.length); 153 packet_send(); 154 } 155 authctxt->postponed = 0; 156 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 157 userauth_finish(ssh, 0, "gssapi-with-mic", NULL); 158 } else { 159 if (send_tok.length != 0) { 160 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); 161 packet_put_string(send_tok.value, send_tok.length); 162 packet_send(); 163 } 164 if (maj_status == GSS_S_COMPLETE) { 165 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 166 if (flags & GSS_C_INTEG_FLAG) 167 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, 168 &input_gssapi_mic); 169 else 170 ssh_dispatch_set(ssh, 171 SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 172 &input_gssapi_exchange_complete); 173 } 174 } 175 176 gss_release_buffer(&min_status, &send_tok); 177 return 0; 178} 179 180static int 181input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh) 182{ 183 Authctxt *authctxt = ssh->authctxt; 184 Gssctxt *gssctxt; 185 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 186 gss_buffer_desc recv_tok; 187 OM_uint32 maj_status; 188 u_int len; 189 190 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 191 fatal("No authentication or GSSAPI context"); 192 193 gssctxt = authctxt->methoddata; 194 recv_tok.value = packet_get_string(&len); 195 recv_tok.length = len; 196 197 packet_check_eom(); 198 199 /* Push the error token into GSSAPI to see what it says */ 200 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 201 &send_tok, NULL)); 202 203 free(recv_tok.value); 204 205 /* We can't return anything to the client, even if we wanted to */ 206 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 207 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 208 209 /* The client will have already moved on to the next auth */ 210 211 gss_release_buffer(&maj_status, &send_tok); 212 return 0; 213} 214 215/* 216 * This is called when the client thinks we've completed authentication. 217 * It should only be enabled in the dispatch handler by the function above, 218 * which only enables it once the GSSAPI exchange is complete. 219 */ 220 221static int 222input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) 223{ 224 Authctxt *authctxt = ssh->authctxt; 225 int authenticated; 226 227 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 228 fatal("No authentication or GSSAPI context"); 229 230 /* 231 * We don't need to check the status, because we're only enabled in 232 * the dispatcher once the exchange is complete 233 */ 234 235 packet_check_eom(); 236 237 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 238 239 authctxt->postponed = 0; 240 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 241 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 242 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 243 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 244 userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL); 245 return 0; 246} 247 248static int 249input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) 250{ 251 Authctxt *authctxt = ssh->authctxt; 252 Gssctxt *gssctxt; 253 int authenticated = 0; 254 Buffer b; 255 gss_buffer_desc mic, gssbuf; 256 u_int len; 257 258 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 259 fatal("No authentication or GSSAPI context"); 260 261 gssctxt = authctxt->methoddata; 262 263 mic.value = packet_get_string(&len); 264 mic.length = len; 265 266 ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, 267 "gssapi-with-mic"); 268 269 gssbuf.value = buffer_ptr(&b); 270 gssbuf.length = buffer_len(&b); 271 272 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 273 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 274 else 275 logit("GSSAPI MIC check failed"); 276 277 buffer_free(&b); 278 free(mic.value); 279 280 authctxt->postponed = 0; 281 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 282 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 283 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 284 ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 285 userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL); 286 return 0; 287} 288 289Authmethod method_gssapi = { 290 "gssapi-with-mic", 291 userauth_gssapi, 292 &options.gss_authentication 293}; 294#endif 295