X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/fe4ad27384e843fd03f01a4e4a0d457a90f312be..22ce3a3becb01f9487f7fa12b859100c162e231c:/openssh/gss-genr.c

diff --git a/openssh/gss-genr.c b/openssh/gss-genr.c
index 26e20b9..dff0921 100644
--- a/openssh/gss-genr.c
+++ b/openssh/gss-genr.c
@@ -1,7 +1,7 @@
-/*	$OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $	*/
+/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
 
 /*
- * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,16 +28,21 @@
 
 #ifdef GSSAPI
 
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
 #include "buffer.h"
-#include "bufaux.h"
-#include "compat.h"
-#include <openssl/evp.h>
-#include "kex.h"
 #include "log.h"
-#include "monitor_wrap.h"
 #include "canohost.h"
 #include "ssh2.h"
+#include "cipher.h"
+#include "key.h"
+#include "kex.h"
 #include <openssl/evp.h>
 
 #include "ssh-gss.h"
@@ -71,45 +76,45 @@ ssh_gssapi_oid_table_ok() {
  * a key exchange with a bad mechanism
  */
 
-
 char *
-ssh_gssapi_client_mechanisms(const char *host) {
+ssh_gssapi_client_mechanisms(const char *host, const char *client) {
 	gss_OID_set gss_supported;
 	OM_uint32 min_status;
 
-	gss_indicate_mechs(&min_status, &gss_supported);
+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
+		return NULL;
 
 	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
-	    (void *)host));
+	    host, client));
 }
 
 char *
 ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
-    void *data) {
+    const char *host, const char *client) {
 	Buffer buf;
 	size_t i;
 	int oidpos, enclen;
 	char *mechs, *encoded;
-	unsigned char digest[EVP_MAX_MD_SIZE];
+	u_char digest[EVP_MAX_MD_SIZE];
 	char deroid[2];
 	const EVP_MD *evp_md = EVP_md5();
 	EVP_MD_CTX md;
 
 	if (gss_enc2oid != NULL) {
-		for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
 			xfree(gss_enc2oid[i].encoded);
 		xfree(gss_enc2oid);
 	}
 
-	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
-	    (gss_supported->count+1));
+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
+	    (gss_supported->count + 1));
 
 	buffer_init(&buf);
 
 	oidpos = 0;
-	for (i = 0;i < gss_supported->count;i++) {
+	for (i = 0; i < gss_supported->count; i++) {
 		if (gss_supported->elements[i].length < 128 &&
-		    (*check)(&(gss_supported->elements[i]), data)) {
+		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
 
 			deroid[0] = SSH_GSS_OIDTYPE;
 			deroid[1] = gss_supported->elements[i].length;
@@ -121,19 +126,23 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
 			    gss_supported->elements[i].length);
 			EVP_DigestFinal(&md, digest, NULL);
 
-			encoded = xmalloc(EVP_MD_size(evp_md)*2);
+			encoded = xmalloc(EVP_MD_size(evp_md) * 2);
 			enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
-			    encoded, EVP_MD_size(evp_md)*2);
+			    encoded, EVP_MD_size(evp_md) * 2);
 
 			if (oidpos != 0)
-			    buffer_put_char(&buf, ',');
+				buffer_put_char(&buf, ',');
 
 			buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
-			    sizeof(KEX_GSS_GEX_SHA1_ID)-1);
+			    sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
 			buffer_append(&buf, encoded, enclen);
-			buffer_put_char(&buf,',');
+			buffer_put_char(&buf, ',');
 			buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
-			    sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
+			    sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
+			buffer_append(&buf, encoded, enclen);
+			buffer_put_char(&buf, ',');
+			buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
+			    sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
 			buffer_append(&buf, encoded, enclen);
 
 			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
@@ -159,25 +168,32 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
 }
 
 gss_OID
-ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int *gex) {
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
 	int i = 0;
-
-	if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
-	    sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
-		name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
-		*gex = 0;
-	} else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
-	    sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
-		name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
-		*gex = 1;
-	} else {
-		return NULL;
+	
+	switch (kex_type) {
+	case KEX_GSS_GRP1_SHA1:
+		if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
+			return GSS_C_NO_OID;
+		name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
+		break;
+	case KEX_GSS_GRP14_SHA1:
+		if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
+			return GSS_C_NO_OID;
+		name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
+		break;
+	case KEX_GSS_GEX_SHA1:
+		if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
+			return GSS_C_NO_OID;
+		name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
+		break;
+	default:
+		return GSS_C_NO_OID;
 	}
 
 	while (gss_enc2oid[i].encoded != NULL &&
-	    strcmp(name, gss_enc2oid[i].encoded) != 0) {
+	    strcmp(name, gss_enc2oid[i].encoded) != 0)
 		i++;
-	}
 
 	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
 		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
@@ -219,7 +235,11 @@ ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
 void
 ssh_gssapi_error(Gssctxt *ctxt)
 {
-	debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
+	char *s;
+
+	s = ssh_gssapi_last_error(ctxt, NULL, NULL);
+	debug("%s", s);
+	xfree(s);
 }
 
 char *
@@ -278,9 +298,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
 void
 ssh_gssapi_build_ctx(Gssctxt **ctx)
 {
-	*ctx = xmalloc(sizeof (Gssctxt));
-	(*ctx)->major = 0;
-	(*ctx)->minor = 0;
+	*ctx = xcalloc(1, sizeof (Gssctxt));
 	(*ctx)->context = GSS_C_NO_CONTEXT;
 	(*ctx)->name = GSS_C_NO_NAME;
 	(*ctx)->oid = GSS_C_NO_OID;
@@ -339,7 +357,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
 	}
 
 	ctx->major = gss_init_sec_context(&ctx->minor,
-	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
+	    ctx->client_creds, &ctx->context, ctx->name, ctx->oid,
 	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
 	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);
 
@@ -355,6 +373,7 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 {
 	gss_buffer_desc gssbuf;
 	char *xhost;
+	char *val;
 
 	/* Make a copy of the host name, in case it was returned by a
 	 * previous call to gethostbyname(). */	
@@ -364,9 +383,9 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 	 * this for us themselves */
 	resolve_localhost(&xhost);
 	
-	gssbuf.length = sizeof("host@") + strlen(xhost);
-	gssbuf.value = xmalloc(gssbuf.length);
-	snprintf(gssbuf.value, gssbuf.length, "host@%s", xhost);
+	xasprintf(&val, "host@%s", xhost);
+	gssbuf.value = val;
+	gssbuf.length = strlen(gssbuf.value);
 
 	if ((ctx->major = gss_import_name(&ctx->minor,
 	    &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
@@ -377,33 +396,35 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 	return (ctx->major);
 }
 
-/* Acquire credentials for a server running on the current host.
- * Requires that the context structure contains a valid OID
- */
-
-/* Returns a GSSAPI error code */
 OM_uint32
-ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
 {
+	gss_buffer_desc gssbuf;
+	gss_name_t gssname;
 	OM_uint32 status;
-	char lname[MAXHOSTNAMELEN];
 	gss_OID_set oidset;
 
+	gssbuf.value = (void *) name;
+	gssbuf.length = strlen(gssbuf.value);
+
 	gss_create_empty_oid_set(&status, &oidset);
 	gss_add_oid_set_member(&status, ctx->oid, &oidset);
 
-	if (gethostname(lname, MAXHOSTNAMELEN))
-		return (-1);
+	ctx->major = gss_import_name(&ctx->minor, &gssbuf,
+	    GSS_C_NT_USER_NAME, &gssname);
+
+	if (!ctx->major)
+		ctx->major = gss_acquire_cred(&ctx->minor, 
+		    gssname, 0, oidset, GSS_C_INITIATE, 
+		    &ctx->client_creds, NULL, NULL);
 
-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
-		return (ctx->major);
+	gss_release_name(&status, &gssname);
+	gss_release_oid_set(&status, &oidset);
 
-	if ((ctx->major = gss_acquire_cred(&ctx->minor,
-	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+	if (ctx->major)
 		ssh_gssapi_error(ctx);
 
-	gss_release_oid_set(&status, &oidset);
-	return (ctx->major);
+	return(ctx->major);
 }
 
 OM_uint32
@@ -444,28 +465,99 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
 	buffer_put_cstring(b, context);
 }
 
-OM_uint32
-ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
-	if (*ctx)
-		ssh_gssapi_delete_ctx(ctx);
+int
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, 
+    const char *client)
+{
+	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+	OM_uint32 major, minor;
+	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+	Gssctxt *intctx = NULL;
+
+	if (ctx == NULL)
+		ctx = &intctx;
+
+	/* RFC 4462 says we MUST NOT do SPNEGO */
+	if (oid->length == spnego_oid.length && 
+	    (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
+		return 0; /* false */
+
 	ssh_gssapi_build_ctx(ctx);
 	ssh_gssapi_set_oid(*ctx, oid);
-	return (ssh_gssapi_acquire_cred(*ctx));
+	major = ssh_gssapi_import_name(*ctx, host);
+
+	if (!GSS_ERROR(major) && client)
+		major = ssh_gssapi_client_identity(*ctx, client);
+
+	if (!GSS_ERROR(major)) {
+		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
+		    NULL);
+		gss_release_buffer(&minor, &token);
+		if ((*ctx)->context != GSS_C_NO_CONTEXT)
+			gss_delete_sec_context(&minor, &(*ctx)->context,
+			    GSS_C_NO_BUFFER);
+	}
+
+	if (GSS_ERROR(major) || intctx != NULL) 
+		ssh_gssapi_delete_ctx(ctx);
+
+	return (!GSS_ERROR(major));
 }
 
 int
-ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
-	Gssctxt * ctx = NULL;
-	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
-	OM_uint32 major, minor;
+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
+	static gss_name_t saved_name = GSS_C_NO_NAME;
+	static OM_uint32 saved_lifetime = 0;
+	static gss_OID saved_mech = GSS_C_NO_OID;
+	static gss_name_t name;
+	static OM_uint32 last_call = 0;
+	OM_uint32 lifetime, now, major, minor;
+	int equal;
 	
-	ssh_gssapi_build_ctx(&ctx);
-	ssh_gssapi_set_oid(ctx, oid);
-	ssh_gssapi_import_name(ctx, host);
-	major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
-	gss_release_buffer(&minor, &token);
-	ssh_gssapi_delete_ctx(&ctx);
-	return (!GSS_ERROR(major));
+	now = time(NULL);
+
+	if (ctxt) {
+		debug("Rekey has happened - updating saved versions");
+
+		if (saved_name != GSS_C_NO_NAME)
+			gss_release_name(&minor, &saved_name);
+
+		major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
+		    &saved_name, &saved_lifetime, NULL, NULL);
+
+		if (!GSS_ERROR(major)) {
+			saved_mech = ctxt->oid;
+		        saved_lifetime+= now;
+		} else {
+			/* Handle the error */
+		}
+		return 0;
+	}
+
+	if (now - last_call < 10)
+		return 0;
+
+	last_call = now;
+
+	if (saved_mech == GSS_C_NO_OID)
+		return 0;
+	
+	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, 
+	    &name, &lifetime, NULL, NULL);
+	if (major == GSS_S_CREDENTIALS_EXPIRED)
+		return 0;
+	else if (GSS_ERROR(major))
+		return 0;
+
+	major = gss_compare_name(&minor, saved_name, name, &equal);
+	gss_release_name(&minor, &name);
+	if (GSS_ERROR(major))
+		return 0;
+
+	if (equal && (saved_lifetime < lifetime + now - 10))
+		return 1;
+
+	return 0;
 }
 
 #endif /* GSSAPI */