]> andersk Git - gssapi-openssh.git/blame_incremental - openssh/auth2-gss.c
andersk / gssapi-openssh.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
be sure not to call xfree(NULL)
[gssapi-openssh.git] / openssh / auth2-gss.c
... / ...
CommitLineData
1/* $OpenBSD: auth2-gss.c,v 1.8 2004/06/21 17:36:31 avsm Exp $ */
2
3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#ifdef GSSAPI
30
31#include "auth.h"
32#include "ssh2.h"
33#include "xmalloc.h"
34#include "log.h"
35#include "dispatch.h"
36#include "servconf.h"
37#include "compat.h"
38#include "packet.h"
39#include "monitor_wrap.h"
40
41#include "ssh-gss.h"
42
43extern ServerOptions options;
44
45static void ssh_gssapi_userauth_error(Gssctxt *ctxt);
46static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
47static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
48static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
49static void input_gssapi_errtok(int, u_int32_t, void *);
50
51static int gssapi_with_mic = 1; /* flag to toggle "gssapi-with-mic" vs.
52 "gssapi" */
53
54static int
55userauth_external(Authctxt *authctxt)
56{
57 packet_check_eom();
58
59 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
60 return(PRIVSEP(ssh_gssapi_userok(authctxt->user)));
61 }
62 return 0;
63}
64
65/*
66 * We only support those mechanisms that we know about (ie ones that we know
67 * how to check local user kuserok and the like
68 */
69static int
70userauth_gssapi(Authctxt *authctxt)
71{
72 gss_OID_desc goid = {0, NULL};
73 Gssctxt *ctxt = NULL;
74 int mechs;
75 gss_OID_set supported;
76 int present;
77 OM_uint32 ms;
78 u_int len;
79 char *doid = NULL;
80
81 /* authctxt->valid may be 0 if we haven't yet determined
82 username from gssapi context. */
83
84 if (authctxt->user == NULL)
85 return (0);
86
87 mechs = packet_get_int();
88 if (mechs == 0) {
89 debug("Mechanism negotiation is not supported");
90 return (0);
91 }
92
93 ssh_gssapi_supported_oids(&supported);
94 do {
95 mechs--;
96
97 if (doid)
98 xfree(doid);
99
100 present = 0;
101 doid = packet_get_string(&len);
102
103 if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) {
104 logit("Mechanism OID received using the old encoding form");
105 goid.elements = doid;
106 goid.length = len;
107 } else {
108 goid.elements = doid + 2;
109 goid.length = len - 2;
110 }
111 gss_test_oid_set_member(&ms, &goid, supported, &present);
112 } while (mechs > 0 && !present);
113
114 gss_release_oid_set(&ms, &supported);
115
116 if (!present) {
117 xfree(doid);
118 return (0);
119 }
120
121 if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
122 xfree(doid);
123 return (0);
124 }
125
126 authctxt->methoddata=(void *)ctxt;
127
128 packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
129
130 /* Return the OID that we received */
131 packet_put_string(doid, len);
132
133 packet_send();
134 xfree(doid);
135
136 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
137 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
138 authctxt->postponed = 1;
139
140 return (0);
141}
142
143static void
144input_gssapi_token(int type, u_int32_t plen, void *ctxt)
145{
146 Authctxt *authctxt = ctxt;
147 Gssctxt *gssctxt;
148 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
149 gss_buffer_desc recv_tok;
150 OM_uint32 maj_status, min_status, flags=0;
151 u_int len;
152
153 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
154 fatal("No authentication or GSSAPI context");
155
156 gssctxt = authctxt->methoddata;
157 recv_tok.value = packet_get_string(&len);
158 recv_tok.length = len; /* u_int vs. size_t */
159
160 packet_check_eom();
161
162 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
163 &send_tok, &flags));
164
165 xfree(recv_tok.value);
166
167 if (GSS_ERROR(maj_status)) {
168 ssh_gssapi_userauth_error(gssctxt);
169 if (send_tok.length != 0) {
170 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
171 packet_put_string(send_tok.value, send_tok.length);
172 packet_send();
173 }
174 authctxt->postponed = 0;
175 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
176 userauth_finish(authctxt, 0,
177 gssapi_with_mic ? "gssapi-with-mic" :
178 "gssapi");
179 } else {
180 if (send_tok.length != 0) {
181 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
182 packet_put_string(send_tok.value, send_tok.length);
183 packet_send();
184 }
185 if (maj_status == GSS_S_COMPLETE) {
186 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
187 if (flags & GSS_C_INTEG_FLAG && gssapi_with_mic)
188 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
189 &input_gssapi_mic);
190 else
191 dispatch_set(
192 SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
193 &input_gssapi_exchange_complete);
194 }
195 }
196
197 gss_release_buffer(&min_status, &send_tok);
198}
199
200static void
201input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
202{
203 Authctxt *authctxt = ctxt;
204 Gssctxt *gssctxt;
205 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
206 gss_buffer_desc recv_tok;
207 OM_uint32 maj_status;
208 u_int len;
209
210 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
211 fatal("No authentication or GSSAPI context");
212
213 gssctxt = authctxt->methoddata;
214 recv_tok.value = packet_get_string(&len);
215 recv_tok.length = len;
216
217 packet_check_eom();
218
219 /* Push the error token into GSSAPI to see what it says */
220 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
221 &send_tok, NULL));
222
223 xfree(recv_tok.value);
224
225 /* We can't return anything to the client, even if we wanted to */
226 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
227 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
228
229 /* The client will have already moved on to the next auth */
230
231 gss_release_buffer(&maj_status, &send_tok);
232}
233
234static void
235gssapi_set_implicit_username(Authctxt *authctxt)
236{
237 if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
238 char *lname = NULL;
239 PRIVSEP(ssh_gssapi_localname(&lname));
240 if (lname && lname[0] != '\0') {
241 if (authctxt->user) xfree(authctxt->user);
242 authctxt->user = lname;
243 debug("set username to %s from gssapi context", lname);
244 authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
245 if (authctxt->pw) {
246 authctxt->valid = 1;
247 }
248 } else {
249 debug("failed to set username from gssapi context");
250 }
251 }
252 if (authctxt->pw) {
253#ifdef USE_PAM
254 if (options.use_pam)
255 PRIVSEP(start_pam(authctxt));
256#endif
257 }
258}
259
260/*
261 * This is called when the client thinks we've completed authentication.
262 * It should only be enabled in the dispatch handler by the function above,
263 * which only enables it once the GSSAPI exchange is complete.
264 */
265
266static void
267input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
268{
269 Authctxt *authctxt = ctxt;
270 Gssctxt *gssctxt;
271 int authenticated;
272
273 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
274 fatal("No authentication or GSSAPI context");
275
276 gssapi_set_implicit_username(authctxt);
277
278 gssctxt = authctxt->methoddata;
279
280 /*
281 * We don't need to check the status, because we're only enabled in
282 * the dispatcher once the exchange is complete
283 */
284
285 packet_check_eom();
286
287 /* user should be set if valid but we double-check here */
288 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
289 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
290 } else {
291 authenticated = 0;
292 }
293
294 authctxt->postponed = 0;
295 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
296 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
297 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
298 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
299 userauth_finish(authctxt, authenticated,
300 gssapi_with_mic ? "gssapi-with-mic" : "gssapi");
301}
302
303static int
304userauth_gssapi_with_mic(Authctxt *authctxt)
305{
306 gssapi_with_mic = 1;
307 return userauth_gssapi(authctxt);
308}
309
310static int
311userauth_gssapi_without_mic(Authctxt *authctxt)
312{
313 gssapi_with_mic = 0;
314 return userauth_gssapi(authctxt);
315}
316
317static void
318input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
319{
320 Authctxt *authctxt = ctxt;
321 Gssctxt *gssctxt;
322 int authenticated = 0;
323 Buffer b;
324 gss_buffer_desc mic, gssbuf;
325 u_int len;
326
327 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
328 fatal("No authentication or GSSAPI context");
329
330 gssapi_set_implicit_username(authctxt);
331
332 gssctxt = authctxt->methoddata;
333
334 mic.value = packet_get_string(&len);
335 mic.length = len;
336
337 ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
338 "gssapi-with-mic");
339
340 gssbuf.value = buffer_ptr(&b);
341 gssbuf.length = buffer_len(&b);
342
343 if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
344 if (authctxt->valid && authctxt->user && authctxt->user[0]) {
345 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
346 } else {
347 authenticated = 0;
348 }
349 else
350 logit("GSSAPI MIC check failed");
351
352 buffer_free(&b);
353 xfree(mic.value);
354
355 authctxt->postponed = 0;
356 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
357 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
358 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
359 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
360 userauth_finish(authctxt, authenticated, "gssapi-with-mic");
361}
362
363static void ssh_gssapi_userauth_error(Gssctxt *ctxt) {
364 char *errstr;
365 OM_uint32 maj,min;
366
367 errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min));
368 if (errstr) {
369 packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERROR);
370 packet_put_int(maj);
371 packet_put_int(min);
372 packet_put_cstring(errstr);
373 packet_put_cstring("");
374 packet_send();
375 packet_write_wait();
376 xfree(errstr);
377 }
378}
379
380Authmethod method_external = {
381 "external-keyx",
382 userauth_external,
383 &options.gss_authentication
384};
385
386Authmethod method_gssapi = {
387 "gssapi-with-mic",
388 userauth_gssapi_with_mic,
389 &options.gss_authentication
390};
391
392Authmethod method_gssapi_compat = {
393 "gssapi",
394 userauth_gssapi_without_mic,
395 &options.gss_authentication
396};
397
398#endif /* GSSAPI */
git-cvsimport mirror of GSI OpenSSH
This page took 0.042093 seconds and 5 git commands to generate.