1 /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */ 2 3 /* 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 29 #ifdef GSSAPI 30 31 #include <sys/types.h> 32 33 #include <stdarg.h> 34 35 #include "xmalloc.h" 36 #include "key.h" 37 #include "hostfile.h" 38 #include "auth.h" 39 #include "ssh2.h" 40 #include "log.h" 41 #include "dispatch.h" 42 #include "buffer.h" 43 #include "servconf.h" 44 #include "packet.h" 45 #include "ssh-gss.h" 46 #include "monitor_wrap.h" 47 48 extern ServerOptions options; 49 50 static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); 51 static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); 52 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 53 static void input_gssapi_errtok(int, u_int32_t, void *); 54 55 /* 56 * We only support those mechanisms that we know about (ie ones that we know 57 * how to check local user kuserok and the like) 58 */ 59 static int 60 userauth_gssapi(Authctxt *authctxt) 61 { 62 gss_OID_desc goid = {0, NULL}; 63 Gssctxt *ctxt = NULL; 64 int mechs; 65 gss_OID_set supported; 66 int present; 67 OM_uint32 ms; 68 u_int len; 69 u_char *doid = NULL; 70 71 if (!authctxt->valid || authctxt->user == NULL) 72 return (0); 73 74 mechs = packet_get_int(); 75 if (mechs == 0) { 76 debug("Mechanism negotiation is not supported"); 77 return (0); 78 } 79 80 ssh_gssapi_supported_oids(&supported); 81 do { 82 mechs--; 83 84 free(doid); 85 86 present = 0; 87 doid = packet_get_string(&len); 88 89 if (len > 2 && doid[0] == SSH_GSS_OIDTYPE && 90 doid[1] == len - 2) { 91 goid.elements = doid + 2; 92 goid.length = len - 2; 93 gss_test_oid_set_member(&ms, &goid, supported, 94 &present); 95 } else { 96 logit("Badly formed OID received"); 97 } 98 } while (mechs > 0 && !present); 99 100 gss_release_oid_set(&ms, &supported); 101 102 if (!present) { 103 free(doid); 104 authctxt->server_caused_failure = 1; 105 return (0); 106 } 107 108 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) { 109 if (ctxt != NULL) 110 ssh_gssapi_delete_ctx(&ctxt); 111 free(doid); 112 authctxt->server_caused_failure = 1; 113 return (0); 114 } 115 116 authctxt->methoddata = (void *)ctxt; 117 118 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); 119 120 /* Return the OID that we received */ 121 packet_put_string(doid, len); 122 123 packet_send(); 124 free(doid); 125 126 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); 127 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); 128 authctxt->postponed = 1; 129 130 return (0); 131 } 132 133 static void 134 input_gssapi_token(int type, u_int32_t plen, void *ctxt) 135 { 136 Authctxt *authctxt = ctxt; 137 Gssctxt *gssctxt; 138 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 139 gss_buffer_desc recv_tok; 140 OM_uint32 maj_status, min_status, flags; 141 u_int len; 142 143 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 144 fatal("No authentication or GSSAPI context"); 145 146 gssctxt = authctxt->methoddata; 147 recv_tok.value = packet_get_string(&len); 148 recv_tok.length = len; /* u_int vs. size_t */ 149 150 packet_check_eom(); 151 152 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 153 &send_tok, &flags)); 154 155 free(recv_tok.value); 156 157 if (GSS_ERROR(maj_status)) { 158 if (send_tok.length != 0) { 159 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); 160 packet_put_string(send_tok.value, send_tok.length); 161 packet_send(); 162 } 163 authctxt->postponed = 0; 164 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 165 userauth_finish(authctxt, 0, "gssapi-with-mic", NULL); 166 } else { 167 if (send_tok.length != 0) { 168 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); 169 packet_put_string(send_tok.value, send_tok.length); 170 packet_send(); 171 } 172 if (maj_status == GSS_S_COMPLETE) { 173 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 174 if (flags & GSS_C_INTEG_FLAG) 175 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, 176 &input_gssapi_mic); 177 else 178 dispatch_set( 179 SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 180 &input_gssapi_exchange_complete); 181 } 182 } 183 184 gss_release_buffer(&min_status, &send_tok); 185 } 186 187 static void 188 input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) 189 { 190 Authctxt *authctxt = ctxt; 191 Gssctxt *gssctxt; 192 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 193 gss_buffer_desc recv_tok; 194 OM_uint32 maj_status; 195 u_int len; 196 197 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 198 fatal("No authentication or GSSAPI context"); 199 200 gssctxt = authctxt->methoddata; 201 recv_tok.value = packet_get_string(&len); 202 recv_tok.length = len; 203 204 packet_check_eom(); 205 206 /* Push the error token into GSSAPI to see what it says */ 207 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 208 &send_tok, NULL)); 209 210 free(recv_tok.value); 211 212 /* We can't return anything to the client, even if we wanted to */ 213 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 214 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 215 216 /* The client will have already moved on to the next auth */ 217 218 gss_release_buffer(&maj_status, &send_tok); 219 } 220 221 /* 222 * This is called when the client thinks we've completed authentication. 223 * It should only be enabled in the dispatch handler by the function above, 224 * which only enables it once the GSSAPI exchange is complete. 225 */ 226 227 static void 228 input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 229 { 230 Authctxt *authctxt = ctxt; 231 int authenticated; 232 233 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 234 fatal("No authentication or GSSAPI context"); 235 236 /* 237 * We don't need to check the status, because we're only enabled in 238 * the dispatcher once the exchange is complete 239 */ 240 241 packet_check_eom(); 242 243 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 244 245 authctxt->postponed = 0; 246 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 247 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 248 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 249 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 250 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 251 } 252 253 static void 254 input_gssapi_mic(int type, u_int32_t plen, void *ctxt) 255 { 256 Authctxt *authctxt = ctxt; 257 Gssctxt *gssctxt; 258 int authenticated = 0; 259 Buffer b; 260 gss_buffer_desc mic, gssbuf; 261 u_int len; 262 263 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 264 fatal("No authentication or GSSAPI context"); 265 266 gssctxt = authctxt->methoddata; 267 268 mic.value = packet_get_string(&len); 269 mic.length = len; 270 271 ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, 272 "gssapi-with-mic"); 273 274 gssbuf.value = buffer_ptr(&b); 275 gssbuf.length = buffer_len(&b); 276 277 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) 278 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 279 else 280 logit("GSSAPI MIC check failed"); 281 282 buffer_free(&b); 283 free(mic.value); 284 285 authctxt->postponed = 0; 286 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 287 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 288 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); 289 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 290 userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); 291 } 292 293 Authmethod method_gssapi = { 294 "gssapi-with-mic", 295 userauth_gssapi, 296 &options.gss_authentication 297 }; 298 299 #endif /* GSSAPI */ 300