1 /* $OpenBSD: gss-genr.c,v 1.29 2024/02/01 02:37:33 djm Exp $ */
2
3 /*
4 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #ifdef GSSAPI
28
29
30 #include <stdarg.h>
31 #include <string.h>
32 #include <limits.h>
33
34 #include "xmalloc.h"
35 #include "ssherr.h"
36 #include "sshbuf.h"
37 #include "log.h"
38 #include "ssh2.h"
39
40 #include "ssh-gss.h"
41
42 /* sshbuf_get for gss_buffer_desc */
43 int
ssh_gssapi_get_buffer_desc(struct sshbuf * b,gss_buffer_desc * g)44 ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
45 {
46 int r;
47 u_char *p;
48 size_t len;
49
50 if ((r = sshbuf_get_string(b, &p, &len)) != 0)
51 return r;
52 g->value = p;
53 g->length = len;
54 return 0;
55 }
56
57 /* Check that the OID in a data stream matches that in the context */
58 int
ssh_gssapi_check_oid(Gssctxt * ctx,void * data,size_t len)59 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
60 {
61 return (ctx != NULL && ctx->oid != GSS_C_NO_OID &&
62 ctx->oid->length == len &&
63 memcmp(ctx->oid->elements, data, len) == 0);
64 }
65
66 /* Set the contexts OID from a data stream */
67 void
ssh_gssapi_set_oid_data(Gssctxt * ctx,void * data,size_t len)68 ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
69 {
70 if (ctx->oid != GSS_C_NO_OID) {
71 free(ctx->oid->elements);
72 free(ctx->oid);
73 }
74 ctx->oid = xcalloc(1, sizeof(gss_OID_desc));
75 ctx->oid->length = len;
76 ctx->oid->elements = xmalloc(len);
77 memcpy(ctx->oid->elements, data, len);
78 }
79
80 /* Set the contexts OID */
81 void
ssh_gssapi_set_oid(Gssctxt * ctx,gss_OID oid)82 ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
83 {
84 ssh_gssapi_set_oid_data(ctx, oid->elements, oid->length);
85 }
86
87 /* All this effort to report an error ... */
88 void
ssh_gssapi_error(Gssctxt * ctxt)89 ssh_gssapi_error(Gssctxt *ctxt)
90 {
91 char *s;
92
93 s = ssh_gssapi_last_error(ctxt, NULL, NULL);
94 debug("%s", s);
95 free(s);
96 }
97
98 char *
ssh_gssapi_last_error(Gssctxt * ctxt,OM_uint32 * major_status,OM_uint32 * minor_status)99 ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
100 OM_uint32 *minor_status)
101 {
102 OM_uint32 lmin;
103 gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
104 OM_uint32 ctx;
105 struct sshbuf *b;
106 char *ret;
107 int r;
108
109 if ((b = sshbuf_new()) == NULL)
110 fatal_f("sshbuf_new failed");
111
112 if (major_status != NULL)
113 *major_status = ctxt->major;
114 if (minor_status != NULL)
115 *minor_status = ctxt->minor;
116
117 ctx = 0;
118 /* The GSSAPI error */
119 do {
120 gss_display_status(&lmin, ctxt->major,
121 GSS_C_GSS_CODE, ctxt->oid, &ctx, &msg);
122
123 if ((r = sshbuf_put(b, msg.value, msg.length)) != 0 ||
124 (r = sshbuf_put_u8(b, '\n')) != 0)
125 fatal_fr(r, "assemble GSS_CODE");
126
127 gss_release_buffer(&lmin, &msg);
128 } while (ctx != 0);
129
130 /* The mechanism specific error */
131 do {
132 gss_display_status(&lmin, ctxt->minor,
133 GSS_C_MECH_CODE, ctxt->oid, &ctx, &msg);
134
135 if ((r = sshbuf_put(b, msg.value, msg.length)) != 0 ||
136 (r = sshbuf_put_u8(b, '\n')) != 0)
137 fatal_fr(r, "assemble MECH_CODE");
138
139 gss_release_buffer(&lmin, &msg);
140 } while (ctx != 0);
141
142 if ((r = sshbuf_put_u8(b, '\n')) != 0)
143 fatal_fr(r, "assemble newline");
144 ret = xstrdup((const char *)sshbuf_ptr(b));
145 sshbuf_free(b);
146 return (ret);
147 }
148
149 /*
150 * Initialise our GSSAPI context. We use this opaque structure to contain all
151 * of the data which both the client and server need to persist across
152 * {accept,init}_sec_context calls, so that when we do it from the userauth
153 * stuff life is a little easier
154 */
155 void
ssh_gssapi_build_ctx(Gssctxt ** ctx)156 ssh_gssapi_build_ctx(Gssctxt **ctx)
157 {
158 *ctx = xcalloc(1, sizeof (Gssctxt));
159 (*ctx)->context = GSS_C_NO_CONTEXT;
160 (*ctx)->name = GSS_C_NO_NAME;
161 (*ctx)->oid = GSS_C_NO_OID;
162 (*ctx)->creds = GSS_C_NO_CREDENTIAL;
163 (*ctx)->client = GSS_C_NO_NAME;
164 (*ctx)->client_creds = GSS_C_NO_CREDENTIAL;
165 }
166
167 /* Delete our context, providing it has been built correctly */
168 void
ssh_gssapi_delete_ctx(Gssctxt ** ctx)169 ssh_gssapi_delete_ctx(Gssctxt **ctx)
170 {
171 OM_uint32 ms;
172
173 if ((*ctx) == NULL)
174 return;
175 if ((*ctx)->context != GSS_C_NO_CONTEXT)
176 gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER);
177 if ((*ctx)->name != GSS_C_NO_NAME)
178 gss_release_name(&ms, &(*ctx)->name);
179 if ((*ctx)->oid != GSS_C_NO_OID) {
180 free((*ctx)->oid->elements);
181 free((*ctx)->oid);
182 (*ctx)->oid = GSS_C_NO_OID;
183 }
184 if ((*ctx)->creds != GSS_C_NO_CREDENTIAL)
185 gss_release_cred(&ms, &(*ctx)->creds);
186 if ((*ctx)->client != GSS_C_NO_NAME)
187 gss_release_name(&ms, &(*ctx)->client);
188 if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL)
189 gss_release_cred(&ms, &(*ctx)->client_creds);
190
191 free(*ctx);
192 *ctx = NULL;
193 }
194
195 /*
196 * Wrapper to init_sec_context
197 * Requires that the context contains:
198 * oid
199 * server name (from ssh_gssapi_import_name)
200 */
201 OM_uint32
ssh_gssapi_init_ctx(Gssctxt * ctx,int deleg_creds,gss_buffer_desc * recv_tok,gss_buffer_desc * send_tok,OM_uint32 * flags)202 ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
203 gss_buffer_desc* send_tok, OM_uint32 *flags)
204 {
205 int deleg_flag = 0;
206
207 if (deleg_creds) {
208 deleg_flag = GSS_C_DELEG_FLAG;
209 debug("Delegating credentials");
210 }
211
212 ctx->major = gss_init_sec_context(&ctx->minor,
213 GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
214 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
215 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
216
217 if (GSS_ERROR(ctx->major))
218 ssh_gssapi_error(ctx);
219
220 return (ctx->major);
221 }
222
223 /* Create a service name for the given host */
224 OM_uint32
ssh_gssapi_import_name(Gssctxt * ctx,const char * host)225 ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
226 {
227 gss_buffer_desc gssbuf;
228 char *val;
229
230 xasprintf(&val, "host@%s", host);
231 gssbuf.value = val;
232 gssbuf.length = strlen(gssbuf.value);
233
234 if ((ctx->major = gss_import_name(&ctx->minor,
235 &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
236 ssh_gssapi_error(ctx);
237
238 free(gssbuf.value);
239 return (ctx->major);
240 }
241
242 OM_uint32
ssh_gssapi_sign(Gssctxt * ctx,gss_buffer_t buffer,gss_buffer_t hash)243 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
244 {
245 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
246 GSS_C_QOP_DEFAULT, buffer, hash)))
247 ssh_gssapi_error(ctx);
248
249 return (ctx->major);
250 }
251
252 void
ssh_gssapi_buildmic(struct sshbuf * b,const char * user,const char * service,const char * context,const struct sshbuf * session_id)253 ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
254 const char *context, const struct sshbuf *session_id)
255 {
256 int r;
257
258 sshbuf_reset(b);
259 if ((r = sshbuf_put_stringb(b, session_id)) != 0 ||
260 (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
261 (r = sshbuf_put_cstring(b, user)) != 0 ||
262 (r = sshbuf_put_cstring(b, service)) != 0 ||
263 (r = sshbuf_put_cstring(b, context)) != 0)
264 fatal_fr(r, "assemble buildmic");
265 }
266
267 int
ssh_gssapi_check_mechanism(Gssctxt ** ctx,gss_OID oid,const char * host)268 ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
269 {
270 gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
271 OM_uint32 major, minor;
272 gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
273
274 /* RFC 4462 says we MUST NOT do SPNEGO */
275 if (oid->length == spnego_oid.length &&
276 (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
277 return 0; /* false */
278
279 ssh_gssapi_build_ctx(ctx);
280 ssh_gssapi_set_oid(*ctx, oid);
281 major = ssh_gssapi_import_name(*ctx, host);
282 if (!GSS_ERROR(major)) {
283 major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
284 NULL);
285 gss_release_buffer(&minor, &token);
286 if ((*ctx)->context != GSS_C_NO_CONTEXT)
287 gss_delete_sec_context(&minor, &(*ctx)->context,
288 GSS_C_NO_BUFFER);
289 }
290
291 if (GSS_ERROR(major))
292 ssh_gssapi_delete_ctx(ctx);
293
294 return (!GSS_ERROR(major));
295 }
296
297 #endif /* GSSAPI */
298