openssh/kexgsss.c

   1 /*
   2  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23  */
  24
  25 #include "includes.h"
  26
  27 #ifdef GSSAPI
  28
  29 #include <openssl/crypto.h>
  30 #include <openssl/bn.h>
  31
  32 #include "xmalloc.h"
  33 #include "buffer.h"
  34 #include "bufaux.h"
  35 #include "kex.h"
  36 #include "log.h"
  37 #include "packet.h"
  38 #include "dh.h"
  39 #include "ssh2.h"
  40 #include "ssh-gss.h"
  41 #include "monitor_wrap.h"
  42
  43 static void kex_gss_send_error(Gssctxt *ctxt);
  44
  45 void
  46 kexgss_server(Kex *kex)
  47 {
  48         OM_uint32 maj_status, min_status;
  49
  50         /* Some GSSAPI implementations use the input value of ret_flags (an
  51          * output variable) as a means of triggering mechanism specific
  52          * features. Initializing it to zero avoids inadvertently
  53          * activating this non-standard behaviour.*/
  54
  55         OM_uint32 ret_flags = 0;
  56         gss_buffer_desc gssbuf,send_tok,recv_tok,msg_tok;
  57         Gssctxt *ctxt = NULL;
  58         unsigned int klen, kout;
  59         unsigned char *kbuf;
  60         unsigned char *hash;
  61         DH *dh;
  62         BIGNUM *shared_secret = NULL;
  63         BIGNUM *dh_client_pub = NULL;
  64         int type =0;
  65         u_int slen;
  66         gss_OID oid;
  67
  68         /* Initialise GSSAPI */
  69
  70         debug2("%s: Identifying %s",__func__,kex->name);
  71         oid=ssh_gssapi_server_id_kex(kex->name);
  72         if (oid==NULL) {
  73            packet_disconnect("Unknown gssapi mechanism");
  74         }
  75
  76         debug2("%s: Acquiring credentials",__func__);
  77
  78         if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt,oid)))) {
  79                 kex_gss_send_error(ctxt);
  80                 packet_disconnect("Unable to acquire credentials for the server");
  81         }
  82
  83         do {
  84                 debug("Wait SSH2_MSG_GSSAPI_INIT");
  85                 type = packet_read();
  86                 switch(type) {
  87                 case SSH2_MSG_KEXGSS_INIT:
  88                         if (dh_client_pub!=NULL)
  89                                 packet_disconnect("Received KEXGSS_INIT after initialising");
  90                         recv_tok.value=packet_get_string(&slen);
  91                         recv_tok.length=slen; /* int vs. size_t */
  92
  93                         dh_client_pub = BN_new();
  94
  95                         if (dh_client_pub == NULL)
  96                                 packet_disconnect("dh_client_pub == NULL");
  97                         packet_get_bignum2(dh_client_pub);
  98
  99                         /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
 100                         break;
 101                 case SSH2_MSG_KEXGSS_CONTINUE:
 102                         recv_tok.value=packet_get_string(&slen);
 103                         recv_tok.length=slen; /* int vs. size_t */
 104                         break;
 105                 default:
 106                         packet_disconnect("Protocol error: didn't expect packet type %d",
 107                                            type);
 108                 }
 109
 110                 maj_status=PRIVSEP(ssh_gssapi_accept_ctx(ctxt,&recv_tok,
 111                                                          &send_tok, &ret_flags));
 112
 113                 gss_release_buffer(&min_status,&recv_tok);
 114
 115 #ifdef GSS_C_GLOBUS_LIMITED_PROXY_FLAG
 116                 if (ret_flags & GSS_C_GLOBUS_LIMITED_PROXY_FLAG) {
 117                         packet_disconnect("Limited proxy is not allowed in gssapi key exchange.");
 118                 }
 119 #endif
 120
 121                 if (maj_status!=GSS_S_COMPLETE && send_tok.length==0) {
 122                         fatal("Zero length token output when incomplete");
 123                 }
 124
 125                 if (dh_client_pub == NULL)
 126                         fatal("No client public key");
 127
 128                 if (maj_status & GSS_S_CONTINUE_NEEDED) {
 129                         debug("Sending GSSAPI_CONTINUE");
 130                         packet_start(SSH2_MSG_KEXGSS_CONTINUE);
 131                         packet_put_string(send_tok.value,send_tok.length);
 132                         packet_send();
 133                         packet_write_wait();
 134                         gss_release_buffer(&min_status, &send_tok);
 135                 }
 136         } while (maj_status & GSS_S_CONTINUE_NEEDED);
 137
 138         if (GSS_ERROR(maj_status)) {
 139                 kex_gss_send_error(ctxt);
 140                 if (send_tok.length>0) {
 141                         packet_start(SSH2_MSG_KEXGSS_CONTINUE);
 142                         packet_put_string(send_tok.value,send_tok.length);
 143                         packet_send();
 144                         packet_write_wait();
 145                 }
 146                 packet_disconnect("gssapi key exchange handshake failed");
 147         }
 148
 149         debug("gss_complete");
 150         if (!(ret_flags & GSS_C_MUTUAL_FLAG))
 151                 packet_disconnect("gssapi_mutual authentication failed");
 152
 153         if (!(ret_flags & GSS_C_INTEG_FLAG))
 154                 packet_disconnect("gssapi channel integrity not established");
 155
 156         dh = dh_new_group1();
 157         dh_gen_key(dh, kex->we_need * 8);
 158
 159         if (!dh_pub_is_valid(dh, dh_client_pub))
 160                 packet_disconnect("bad client public DH value");
 161
 162         klen = DH_size(dh);
 163         kbuf = xmalloc(klen);
 164         kout = DH_compute_key(kbuf, dh_client_pub, dh);
 165
 166         shared_secret = BN_new();
 167         BN_bin2bn(kbuf, kout, shared_secret);
 168         memset(kbuf, 0, klen);
 169         xfree(kbuf);
 170
 171         /* The GSSAPI hash is identical to the Diffie Helman one */
 172         hash = kex_dh_hash(
 173             kex->client_version_string,
 174             kex->server_version_string,
 175             buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 176             buffer_ptr(&kex->my), buffer_len(&kex->my),
 177             NULL, 0, /* Change this if we start sending host keys */
 178             dh_client_pub,
 179             dh->pub_key,
 180             shared_secret
 181         );
 182         BN_free(dh_client_pub);
 183
 184         if (kex->session_id == NULL) {
 185                 kex->session_id_len = 20;
 186                 kex->session_id = xmalloc(kex->session_id_len);
 187                 memcpy(kex->session_id, hash, kex->session_id_len);
 188         }
 189
 190         gssbuf.value = hash;
 191         gssbuf.length = 20; /* Hashlen appears to always be 20 */
 192
 193         if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok)))) {
 194                 kex_gss_send_error(ctxt);
 195                 fatal("Couldn't get MIC");
 196         }
 197
 198         packet_start(SSH2_MSG_KEXGSS_COMPLETE);
 199         packet_put_bignum2(dh->pub_key);
 200         packet_put_string((char *)msg_tok.value,msg_tok.length);
 201
 202         if (send_tok.length!=0) {
 203                 packet_put_char(1); /* true */
 204                 packet_put_string((char *)send_tok.value,send_tok.length);
 205         } else {
 206                 packet_put_char(0); /* false */
 207         }
 208         packet_send();
 209         packet_write_wait();
 210
 211         /* We used to store the client name and credentials here for later
 212          * use. With privsep, its easier to do this as a by product of the
 213          * call to accept_context, which stores delegated information when
 214          * the context is complete */
 215
 216         gss_release_buffer(&min_status, &send_tok);
 217
 218         /* If we've got a context, delete it. It may be NULL if we've been
 219          * using privsep */
 220         ssh_gssapi_delete_ctx(&ctxt);
 221
 222         DH_free(dh);
 223
 224         kex_derive_keys(kex, hash, shared_secret);
 225         BN_clear_free(shared_secret);
 226         kex_finish(kex);
 227 }
 228
 229 static void
 230 kex_gss_send_error(Gssctxt *ctxt) {
 231         char *errstr;
 232         OM_uint32 maj,min;
 233
 234         errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min));
 235         if (errstr) {
 236                 packet_start(SSH2_MSG_KEXGSS_ERROR);
 237                 packet_put_int(maj);
 238                 packet_put_int(min);
 239                 packet_put_cstring(errstr);
 240                 packet_put_cstring("");
 241                 packet_send();
 242                 packet_write_wait();
 243                 /* XXX - We should probably log the error locally here */
 244                 xfree(errstr);
 245         }
 246 }
 247 #endif /* GSSAPI */