auth2-gss.c revision 1.4
1/* $OpenBSD: auth2-gss.c,v 1.4 2003/10/21 09:50:06 markus Exp $ */ 2 3/* 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27#include "includes.h" 28 29#ifdef GSSAPI 30 31#include "auth.h" 32#include "ssh2.h" 33#include "xmalloc.h" 34#include "log.h" 35#include "dispatch.h" 36#include "servconf.h" 37#include "compat.h" 38#include "packet.h" 39#include "monitor_wrap.h" 40 41#include "ssh-gss.h" 42 43extern ServerOptions options; 44 45static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); 46static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 47static void input_gssapi_errtok(int, u_int32_t, void *); 48 49/* 50 * We only support those mechanisms that we know about (ie ones that we know 51 * how to check local user kuserok and the like 52 */ 53static int 54userauth_gssapi(Authctxt *authctxt) 55{ 56 gss_OID_desc oid = {0, NULL}; 57 Gssctxt *ctxt = NULL; 58 int mechs; 59 gss_OID_set supported; 60 int present; 61 OM_uint32 ms; 62 u_int len; 63 char *doid = NULL; 64 65 if (!authctxt->valid || authctxt->user == NULL) 66 return (0); 67 68 mechs = packet_get_int(); 69 if (mechs == 0) { 70 debug("Mechanism negotiation is not supported"); 71 return (0); 72 } 73 74 ssh_gssapi_supported_oids(&supported); 75 do { 76 mechs--; 77 78 if (doid) 79 xfree(doid); 80 81 doid = packet_get_string(&len); 82 if (len <= 2) 83 packet_disconnect("Short OID received"); 84 85 if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) { 86 logit("Mechanism OID received using the old encoding form"); 87 oid.elements = doid; 88 oid.length = len; 89 } else { 90 oid.elements = doid + 2; 91 oid.length = len - 2; 92 } 93 gss_test_oid_set_member(&ms, &oid, supported, &present); 94 } while (mechs > 0 && !present); 95 96 gss_release_oid_set(&ms, &supported); 97 98 if (!present) { 99 xfree(doid); 100 return (0); 101 } 102 103 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) { 104 xfree(doid); 105 return (0); 106 } 107 108 authctxt->methoddata=(void *)ctxt; 109 110 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); 111 112 /* Return OID in same format as we received it*/ 113 packet_put_string(doid, len); 114 115 packet_send(); 116 xfree(doid); 117 118 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); 119 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); 120 authctxt->postponed = 1; 121 122 return (0); 123} 124 125static void 126input_gssapi_token(int type, u_int32_t plen, void *ctxt) 127{ 128 Authctxt *authctxt = ctxt; 129 Gssctxt *gssctxt; 130 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 131 gss_buffer_desc recv_tok; 132 OM_uint32 maj_status, min_status; 133 u_int len; 134 135 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 136 fatal("No authentication or GSSAPI context"); 137 138 gssctxt = authctxt->methoddata; 139 recv_tok.value = packet_get_string(&len); 140 recv_tok.length = len; /* u_int vs. size_t */ 141 142 packet_check_eom(); 143 144 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 145 &send_tok, NULL)); 146 147 xfree(recv_tok.value); 148 149 if (GSS_ERROR(maj_status)) { 150 if (send_tok.length != 0) { 151 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); 152 packet_put_string(send_tok.value, send_tok.length); 153 packet_send(); 154 } 155 authctxt->postponed = 0; 156 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 157 userauth_finish(authctxt, 0, "gssapi"); 158 } else { 159 if (send_tok.length != 0) { 160 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); 161 packet_put_string(send_tok.value, send_tok.length); 162 packet_send(); 163 } 164 if (maj_status == GSS_S_COMPLETE) { 165 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 166 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 167 &input_gssapi_exchange_complete); 168 } 169 } 170 171 gss_release_buffer(&min_status, &send_tok); 172} 173 174static void 175input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) 176{ 177 Authctxt *authctxt = ctxt; 178 Gssctxt *gssctxt; 179 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 180 gss_buffer_desc recv_tok; 181 OM_uint32 maj_status; 182 u_int len; 183 184 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 185 fatal("No authentication or GSSAPI context"); 186 187 gssctxt = authctxt->methoddata; 188 recv_tok.value = packet_get_string(&len); 189 recv_tok.length = len; 190 191 packet_check_eom(); 192 193 /* Push the error token into GSSAPI to see what it says */ 194 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 195 &send_tok, NULL)); 196 197 xfree(recv_tok.value); 198 199 /* We can't return anything to the client, even if we wanted to */ 200 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 201 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 202 203 /* The client will have already moved on to the next auth */ 204 205 gss_release_buffer(&maj_status, &send_tok); 206} 207 208/* 209 * This is called when the client thinks we've completed authentication. 210 * It should only be enabled in the dispatch handler by the function above, 211 * which only enables it once the GSSAPI exchange is complete. 212 */ 213 214static void 215input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 216{ 217 Authctxt *authctxt = ctxt; 218 Gssctxt *gssctxt; 219 int authenticated; 220 221 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 222 fatal("No authentication or GSSAPI context"); 223 224 gssctxt = authctxt->methoddata; 225 226 /* 227 * We don't need to check the status, because the stored credentials 228 * which userok uses are only populated once the context init step 229 * has returned complete. 230 */ 231 232 packet_check_eom(); 233 234 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 235 236 authctxt->postponed = 0; 237 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 238 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 239 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 240 userauth_finish(authctxt, authenticated, "gssapi"); 241} 242 243Authmethod method_gssapi = { 244 "gssapi", 245 userauth_gssapi, 246 &options.gss_authentication 247}; 248 249#endif /* GSSAPI */ 250