1 /* $OpenBSD: auth2-gss.c,v 1.3 2003/09/01 20:44:54 markus Exp $ */ 2 3 /* 4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include "includes.h" 28 29 #ifdef GSSAPI 30 31 #include "auth.h" 32 #include "ssh2.h" 33 #include "xmalloc.h" 34 #include "log.h" 35 #include "dispatch.h" 36 #include "servconf.h" 37 #include "compat.h" 38 #include "packet.h" 39 #include "monitor_wrap.h" 40 41 #include "ssh-gss.h" 42 43 extern ServerOptions options; 44 45 static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); 46 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); 47 static void input_gssapi_errtok(int, u_int32_t, void *); 48 49 /* 50 * We only support those mechanisms that we know about (ie ones that we know 51 * how to check local user kuserok and the like 52 */ 53 static int 54 userauth_gssapi(Authctxt *authctxt) 55 { 56 gss_OID_desc oid = {0, NULL}; 57 Gssctxt *ctxt = NULL; 58 int mechs; 59 gss_OID_set supported; 60 int present; 61 OM_uint32 ms; 62 u_int len; 63 char *doid = NULL; 64 65 if (!authctxt->valid || authctxt->user == NULL) 66 return (0); 67 68 mechs = packet_get_int(); 69 if (mechs == 0) { 70 debug("Mechanism negotiation is not supported"); 71 return (0); 72 } 73 74 ssh_gssapi_supported_oids(&supported); 75 do { 76 mechs--; 77 78 if (doid) 79 xfree(doid); 80 81 doid = packet_get_string(&len); 82 83 if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) { 84 logit("Mechanism OID received using the old encoding form"); 85 oid.elements = doid; 86 oid.length = len; 87 } else { 88 oid.elements = doid + 2; 89 oid.length = len - 2; 90 } 91 gss_test_oid_set_member(&ms, &oid, supported, &present); 92 } while (mechs > 0 && !present); 93 94 gss_release_oid_set(&ms, &supported); 95 96 if (!present) { 97 xfree(doid); 98 return (0); 99 } 100 101 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) { 102 xfree(doid); 103 return (0); 104 } 105 106 authctxt->methoddata=(void *)ctxt; 107 108 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); 109 110 /* Return OID in same format as we received it*/ 111 packet_put_string(doid, len); 112 113 packet_send(); 114 xfree(doid); 115 116 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token); 117 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok); 118 authctxt->postponed = 1; 119 120 return (0); 121 } 122 123 static void 124 input_gssapi_token(int type, u_int32_t plen, void *ctxt) 125 { 126 Authctxt *authctxt = ctxt; 127 Gssctxt *gssctxt; 128 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 129 gss_buffer_desc recv_tok; 130 OM_uint32 maj_status, min_status; 131 u_int len; 132 133 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 134 fatal("No authentication or GSSAPI context"); 135 136 gssctxt = authctxt->methoddata; 137 recv_tok.value = packet_get_string(&len); 138 recv_tok.length = len; /* u_int vs. size_t */ 139 140 packet_check_eom(); 141 142 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 143 &send_tok, NULL)); 144 145 xfree(recv_tok.value); 146 147 if (GSS_ERROR(maj_status)) { 148 if (send_tok.length != 0) { 149 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); 150 packet_put_string(send_tok.value, send_tok.length); 151 packet_send(); 152 } 153 authctxt->postponed = 0; 154 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 155 userauth_finish(authctxt, 0, "gssapi"); 156 } else { 157 if (send_tok.length != 0) { 158 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); 159 packet_put_string(send_tok.value, send_tok.length); 160 packet_send(); 161 } 162 if (maj_status == GSS_S_COMPLETE) { 163 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 164 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, 165 &input_gssapi_exchange_complete); 166 } 167 } 168 169 gss_release_buffer(&min_status, &send_tok); 170 } 171 172 static void 173 input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) 174 { 175 Authctxt *authctxt = ctxt; 176 Gssctxt *gssctxt; 177 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; 178 gss_buffer_desc recv_tok; 179 OM_uint32 maj_status; 180 u_int len; 181 182 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 183 fatal("No authentication or GSSAPI context"); 184 185 gssctxt = authctxt->methoddata; 186 recv_tok.value = packet_get_string(&len); 187 recv_tok.length = len; 188 189 packet_check_eom(); 190 191 /* Push the error token into GSSAPI to see what it says */ 192 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, 193 &send_tok, NULL)); 194 195 xfree(recv_tok.value); 196 197 /* We can't return anything to the client, even if we wanted to */ 198 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 199 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 200 201 /* The client will have already moved on to the next auth */ 202 203 gss_release_buffer(&maj_status, &send_tok); 204 } 205 206 /* 207 * This is called when the client thinks we've completed authentication. 208 * It should only be enabled in the dispatch handler by the function above, 209 * which only enables it once the GSSAPI exchange is complete. 210 */ 211 212 static void 213 input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) 214 { 215 Authctxt *authctxt = ctxt; 216 Gssctxt *gssctxt; 217 int authenticated; 218 219 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 220 fatal("No authentication or GSSAPI context"); 221 222 gssctxt = authctxt->methoddata; 223 224 /* 225 * We don't need to check the status, because the stored credentials 226 * which userok uses are only populated once the context init step 227 * has returned complete. 228 */ 229 230 packet_check_eom(); 231 232 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); 233 234 authctxt->postponed = 0; 235 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 236 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); 237 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 238 userauth_finish(authctxt, authenticated, "gssapi"); 239 } 240 241 Authmethod method_gssapi = { 242 "gssapi", 243 userauth_gssapi, 244 &options.gss_authentication 245 }; 246 247 #endif /* GSSAPI */ 248