openssh/kexgsss.c

   1 /*
   2  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23  */
  24
  25 #include "includes.h"
  26
  27 #ifdef GSSAPI
  28
  29 #include <openssl/crypto.h>
  30 #include <openssl/bn.h>
  31
  32 #include "xmalloc.h"
  33 #include "buffer.h"
  34 #include "bufaux.h"
  35 #include "kex.h"
  36 #include "log.h"
  37 #include "packet.h"
  38 #include "dh.h"
  39 #include "ssh2.h"
  40 #include "ssh-gss.h"
  41 #include "monitor_wrap.h"
  42
  43 static void kex_gss_send_error(Gssctxt *ctxt);
  44
  45 void
  46 kexgss_server(Kex *kex)
  47 {
  48         OM_uint32 maj_status, min_status;
  49
  50         /* Some GSSAPI implementations use the input value of ret_flags (an
  51          * output variable) as a means of triggering mechanism specific
  52          * features. Initializing it to zero avoids inadvertently
  53          * activating this non-standard behaviour.*/
  54
  55         OM_uint32 ret_flags = 0;
  56         gss_buffer_desc gssbuf,send_tok,recv_tok,msg_tok;
  57         Gssctxt *ctxt = NULL;
  58         unsigned int klen, kout;
  59         unsigned char *kbuf;
  60         unsigned char *hash;
  61         DH *dh;
  62         BIGNUM *shared_secret = NULL;
  63         BIGNUM *dh_client_pub = NULL;
  64         int type =0;
  65         u_int slen;
  66         gss_OID oid;
  67
  68         /* Initialise GSSAPI */
  69
  70         debug2("%s: Identifying %s",__func__,kex->name);
  71         oid=ssh_gssapi_server_id_kex(kex->name);
  72         if (oid==NULL) {
  73            fatal("Unknown gssapi mechanism");
  74         }
  75
  76         debug2("%s: Acquiring credentials",__func__);
  77
  78         if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt,oid)))) {
  79                 kex_gss_send_error(ctxt);
  80                 fatal("Unable to acquire credentials for the server");
  81         }
  82
  83         do {
  84                 debug("Wait SSH2_MSG_GSSAPI_INIT");
  85                 type = packet_read();
  86                 switch(type) {
  87                 case SSH2_MSG_KEXGSS_INIT:
  88                         if (dh_client_pub!=NULL)
  89                                 fatal("Received KEXGSS_INIT after initialising");
  90                         recv_tok.value=packet_get_string(&slen);
  91                         recv_tok.length=slen; /* int vs. size_t */
  92
  93                         dh_client_pub = BN_new();
  94
  95                         if (dh_client_pub == NULL)
  96                                 fatal("dh_client_pub == NULL");
  97                         packet_get_bignum2(dh_client_pub);
  98
  99                         /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
 100                         break;
 101                 case SSH2_MSG_KEXGSS_CONTINUE:
 102                         recv_tok.value=packet_get_string(&slen);
 103                         recv_tok.length=slen; /* int vs. size_t */
 104                         break;
 105                 default:
 106                         packet_disconnect("Protocol error: didn't expect packet type %d",
 107                                            type);
 108                 }
 109
 110                 maj_status=PRIVSEP(ssh_gssapi_accept_ctx(ctxt,&recv_tok,
 111                                                          &send_tok, &ret_flags));
 112
 113                 gss_release_buffer(&min_status,&recv_tok);
 114
 115                 if (maj_status!=GSS_S_COMPLETE && send_tok.length==0) {
 116                         fatal("Zero length token output when incomplete");
 117                 }
 118
 119                 if (dh_client_pub == NULL)
 120                         fatal("No client public key");
 121
 122                 if (maj_status & GSS_S_CONTINUE_NEEDED) {
 123                         debug("Sending GSSAPI_CONTINUE");
 124                         packet_start(SSH2_MSG_KEXGSS_CONTINUE);
 125                         packet_put_string(send_tok.value,send_tok.length);
 126                         packet_send();
 127                         packet_write_wait();
 128                         gss_release_buffer(&min_status, &send_tok);
 129                 }
 130         } while (maj_status & GSS_S_CONTINUE_NEEDED);
 131
 132         if (GSS_ERROR(maj_status)) {
 133                 kex_gss_send_error(ctxt);
 134                 if (send_tok.length>0) {
 135                         packet_start(SSH2_MSG_KEXGSS_CONTINUE);
 136                         packet_put_string(send_tok.value,send_tok.length);
 137                         packet_send();
 138                         packet_write_wait();
 139                 }
 140                 fatal("accept_ctx died");
 141         }
 142
 143         debug("gss_complete");
 144         if (!(ret_flags & GSS_C_MUTUAL_FLAG))
 145                 fatal("mutual authentication flag wasn't set");
 146
 147         if (!(ret_flags & GSS_C_INTEG_FLAG))
 148                 fatal("Integrity flag wasn't set");
 149
 150         dh = dh_new_group1();
 151         dh_gen_key(dh, kex->we_need * 8);
 152
 153         if (!dh_pub_is_valid(dh, dh_client_pub))
 154                 packet_disconnect("bad client public DH value");
 155
 156         klen = DH_size(dh);
 157         kbuf = xmalloc(klen);
 158         kout = DH_compute_key(kbuf, dh_client_pub, dh);
 159
 160         shared_secret = BN_new();
 161         BN_bin2bn(kbuf, kout, shared_secret);
 162         memset(kbuf, 0, klen);
 163         xfree(kbuf);
 164
 165         /* The GSSAPI hash is identical to the Diffie Helman one */
 166         hash = kex_dh_hash(
 167             kex->client_version_string,
 168             kex->server_version_string,
 169             buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 170             buffer_ptr(&kex->my), buffer_len(&kex->my),
 171             NULL, 0, /* Change this if we start sending host keys */
 172             dh_client_pub,
 173             dh->pub_key,
 174             shared_secret
 175         );
 176         BN_free(dh_client_pub);
 177
 178         if (kex->session_id == NULL) {
 179                 kex->session_id_len = 20;
 180                 kex->session_id = xmalloc(kex->session_id_len);
 181                 memcpy(kex->session_id, hash, kex->session_id_len);
 182         }
 183
 184         gssbuf.value = hash;
 185         gssbuf.length = 20; /* Hashlen appears to always be 20 */
 186
 187         if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok)))) {
 188                 kex_gss_send_error(ctxt);
 189                 fatal("Couldn't get MIC");
 190         }
 191
 192         packet_start(SSH2_MSG_KEXGSS_COMPLETE);
 193         packet_put_bignum2(dh->pub_key);
 194         packet_put_string((char *)msg_tok.value,msg_tok.length);
 195
 196         if (send_tok.length!=0) {
 197                 packet_put_char(1); /* true */
 198                 packet_put_string((char *)send_tok.value,send_tok.length);
 199         } else {
 200                 packet_put_char(0); /* false */
 201         }
 202         packet_send();
 203         packet_write_wait();
 204
 205         /* We used to store the client name and credentials here for later
 206          * use. With privsep, its easier to do this as a by product of the
 207          * call to accept_context, which stores delegated information when
 208          * the context is complete */
 209
 210         gss_release_buffer(&min_status, &send_tok);
 211
 212         /* If we've got a context, delete it. It may be NULL if we've been
 213          * using privsep */
 214         ssh_gssapi_delete_ctx(&ctxt);
 215
 216         DH_free(dh);
 217
 218         kex_derive_keys(kex, hash, shared_secret);
 219         BN_clear_free(shared_secret);
 220         kex_finish(kex);
 221 }
 222
 223 static void
 224 kex_gss_send_error(Gssctxt *ctxt) {
 225         char *errstr;
 226         OM_uint32 maj,min;
 227
 228         errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min));
 229         if (errstr) {
 230                 packet_start(SSH2_MSG_KEXGSS_ERROR);
 231                 packet_put_int(maj);
 232                 packet_put_int(min);
 233                 packet_put_cstring(errstr);
 234                 packet_put_cstring("");
 235                 packet_send();
 236                 packet_write_wait();
 237                 /* XXX - We should probably log the error locally here */
 238                 xfree(errstr);
 239         }
 240 }
 241 #endif /* GSSAPI */