openssh/kexgsss.c

   1 /*
   2  * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
   3  *
   4  * Redistribution and use in source and binary forms, with or without
   5  * modification, are permitted provided that the following conditions
   6  * are met:
   7  * 1. Redistributions of source code must retain the above copyright
   8  *    notice, this list of conditions and the following disclaimer.
   9  * 2. Redistributions in binary form must reproduce the above copyright
  10  *    notice, this list of conditions and the following disclaimer in the
  11  *    documentation and/or other materials provided with the distribution.
  12  *
  13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
  14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23  */
  24
  25 #include "includes.h"
  26
  27 #ifdef GSSAPI
  28
  29 #include <openssl/crypto.h>
  30 #include <openssl/bn.h>
  31
  32 #include "xmalloc.h"
  33 #include "buffer.h"
  34 #include "bufaux.h"
  35 #include "kex.h"
  36 #include "log.h"
  37 #include "packet.h"
  38 #include "dh.h"
  39 #include "ssh2.h"
  40 #include "ssh-gss.h"
  41 #include "monitor_wrap.h"
  42
  43 static void kex_gss_send_error(Gssctxt *ctxt);
  44
  45 void
  46 kexgss_server(Kex *kex)
  47 {
  48         OM_uint32 maj_status, min_status;
  49
  50         /*
  51          * Some GSSAPI implementations use the input value of ret_flags (an
  52          * output variable) as a means of triggering mechanism specific
  53          * features. Initializing it to zero avoids inadvertently
  54          * activating this non-standard behaviour.
  55          */
  56
  57         OM_uint32 ret_flags = 0;
  58         gss_buffer_desc gssbuf, recv_tok, msg_tok;
  59         gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
  60         Gssctxt *ctxt = NULL;
  61         unsigned int klen, kout;
  62         unsigned char *kbuf, *hash;
  63         DH *dh;
  64         int min = -1, max = -1, nbits = -1;
  65         BIGNUM *shared_secret = NULL;
  66         BIGNUM *dh_client_pub = NULL;
  67         int type = 0;
  68         int gex;
  69         u_int slen;
  70         gss_OID oid;
  71
  72         /* Initialise GSSAPI */
  73
  74         /* If we're rekeying, privsep means that some of the private structures
  75          * in the GSSAPI code are no longer available. This kludges them back
  76          * into life
  77          */
  78         if (!ssh_gssapi_oid_table_ok())
  79                 ssh_gssapi_server_mechanisms();
  80
  81         debug2("%s: Identifying %s", __func__, kex->name);
  82         oid = ssh_gssapi_id_kex(NULL, kex->name, &gex);
  83         if (oid == NULL)
  84            fatal("Unknown gssapi mechanism");
  85
  86         debug2("%s: Acquiring credentials", __func__);
  87
  88         if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) {
  89                 kex_gss_send_error(ctxt);
  90                 fatal("Unable to acquire credentials for the server");
  91         }
  92
  93         if (gex) {
  94                 debug("Doing group exchange");
  95                 packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
  96                 min = packet_get_int();
  97                 nbits = packet_get_int();
  98                 max = packet_get_int();
  99                 min = MAX(DH_GRP_MIN, min);
 100                 max = MIN(DH_GRP_MAX, max);
 101                 packet_check_eom();
 102                 if (max < min || nbits < min || max < nbits)
 103                         fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
 104                             min, nbits, max);
 105                 dh = PRIVSEP(choose_dh(min, nbits, max));
 106                 if (dh == NULL)
 107                         packet_disconnect("Protocol error: no matching group found");
 108
 109                 packet_start(SSH2_MSG_KEXGSS_GROUP);
 110                 packet_put_bignum2(dh->p);
 111                 packet_put_bignum2(dh->g);
 112                 packet_send();
 113
 114                 packet_write_wait();
 115
 116         } else {
 117                 dh = dh_new_group1();
 118         }
 119         dh_gen_key(dh, kex->we_need * 8);
 120
 121         do {
 122                 debug("Wait SSH2_MSG_GSSAPI_INIT");
 123                 type = packet_read();
 124                 switch(type) {
 125                 case SSH2_MSG_KEXGSS_INIT:
 126                         if (dh_client_pub != NULL)
 127                                 fatal("Received KEXGSS_INIT after initialising");
 128                         recv_tok.value = packet_get_string(&slen);
 129                         recv_tok.length = slen;
 130
 131                         if ((dh_client_pub = BN_new()) == NULL)
 132                                 fatal("dh_client_pub == NULL");
 133
 134                         packet_get_bignum2(dh_client_pub);
 135
 136                         /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
 137                         break;
 138                 case SSH2_MSG_KEXGSS_CONTINUE:
 139                         recv_tok.value = packet_get_string(&slen);
 140                         recv_tok.length = slen;
 141                         break;
 142                 default:
 143                         packet_disconnect(
 144                             "Protocol error: didn't expect packet type %d",
 145                             type);
 146                 }
 147
 148                 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok,
 149                     &send_tok, &ret_flags));
 150
 151                 xfree(recv_tok.value);
 152
 153                 if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
 154                         fatal("Zero length token output when incomplete");
 155
 156                 if (dh_client_pub == NULL)
 157                         fatal("No client public key");
 158
 159                 if (maj_status & GSS_S_CONTINUE_NEEDED) {
 160                         debug("Sending GSSAPI_CONTINUE");
 161                         packet_start(SSH2_MSG_KEXGSS_CONTINUE);
 162                         packet_put_string(send_tok.value, send_tok.length);
 163                         packet_send();
 164                         gss_release_buffer(&min_status, &send_tok);
 165                 }
 166         } while (maj_status & GSS_S_CONTINUE_NEEDED);
 167
 168         if (GSS_ERROR(maj_status)) {
 169                 kex_gss_send_error(ctxt);
 170                 if (send_tok.length > 0) {
 171                         packet_start(SSH2_MSG_KEXGSS_CONTINUE);
 172                         packet_put_string(send_tok.value, send_tok.length);
 173                         packet_send();
 174                 }
 175                 packet_disconnect("GSSAPI Key Exchange handshake failed");
 176         }
 177
 178         if (!(ret_flags & GSS_C_MUTUAL_FLAG))
 179                 fatal("Mutual Authentication flag wasn't set");
 180
 181         if (!(ret_flags & GSS_C_INTEG_FLAG))
 182                 fatal("Integrity flag wasn't set");
 183
 184         if (!dh_pub_is_valid(dh, dh_client_pub))
 185                 packet_disconnect("bad client public DH value");
 186
 187         klen = DH_size(dh);
 188         kbuf = xmalloc(klen);
 189         kout = DH_compute_key(kbuf, dh_client_pub, dh);
 190
 191         shared_secret = BN_new();
 192         BN_bin2bn(kbuf, kout, shared_secret);
 193         memset(kbuf, 0, klen);
 194         xfree(kbuf);
 195
 196         if (gex) {
 197                 hash = kexgex_hash(
 198                     kex->client_version_string, kex->server_version_string,
 199                     buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 200                     buffer_ptr(&kex->my), buffer_len(&kex->my),
 201                     NULL, 0,
 202                     min, nbits, max,
 203                     dh->p, dh->g,
 204                     dh_client_pub,
 205                     dh->pub_key,
 206                     shared_secret
 207                 );
 208         }
 209         else {
 210                 /* The GSSAPI hash is identical to the Diffie Helman one */
 211                 hash = kex_dh_hash(
 212                     kex->client_version_string, kex->server_version_string,
 213                     buffer_ptr(&kex->peer), buffer_len(&kex->peer),
 214                     buffer_ptr(&kex->my), buffer_len(&kex->my),
 215                     NULL, 0, /* Change this if we start sending host keys */
 216                     dh_client_pub, dh->pub_key, shared_secret
 217                 );
 218         }
 219         BN_free(dh_client_pub);
 220
 221         if (kex->session_id == NULL) {
 222                 kex->session_id_len = 20;
 223                 kex->session_id = xmalloc(kex->session_id_len);
 224                 memcpy(kex->session_id, hash, kex->session_id_len);
 225         }
 226
 227         gssbuf.value = hash;
 228         gssbuf.length = 20; /* Hashlen appears to always be 20 */
 229
 230         if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok))))
 231                 fatal("Couldn't get MIC");
 232
 233         packet_start(SSH2_MSG_KEXGSS_COMPLETE);
 234         packet_put_bignum2(dh->pub_key);
 235         packet_put_string((char *)msg_tok.value,msg_tok.length);
 236
 237         if (send_tok.length != 0) {
 238                 packet_put_char(1); /* true */
 239                 packet_put_string((char *)send_tok.value, send_tok.length);
 240         } else {
 241                 packet_put_char(0); /* false */
 242         }
 243         packet_send();
 244
 245         gss_release_buffer(&min_status, &send_tok);
 246         gss_release_buffer(&min_status, &msg_tok);
 247
 248         if (gss_kex_context == NULL)
 249                 gss_kex_context = ctxt;
 250         else
 251                 ssh_gssapi_delete_ctx(&ctxt);
 252
 253         DH_free(dh);
 254
 255         kex_derive_keys(kex, hash, shared_secret);
 256         BN_clear_free(shared_secret);
 257         kex_finish(kex);
 258 }
 259
 260 static void
 261 kex_gss_send_error(Gssctxt *ctxt) {
 262         char *errstr;
 263         OM_uint32 maj,min;
 264
 265         errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min));
 266         if (errstr) {
 267                 packet_start(SSH2_MSG_KEXGSS_ERROR);
 268                 packet_put_int(maj);
 269                 packet_put_int(min);
 270                 packet_put_cstring(errstr);
 271                 packet_put_cstring("");
 272                 packet_send();
 273                 packet_write_wait();
 274                 /* XXX - We should probably log the error locally here */
 275                 xfree(errstr);
 276         }
 277 }
 278 #endif /* GSSAPI */