00146caa | 1 | /* $OpenBSD: gss-genr.c,v 1.11 2006/07/22 20:48:23 stevesk Exp $ */ |
7364bd04 | 2 | |
3 | /* | |
4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * | |
15 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | |
16 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
17 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
18 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
19 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
20 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
25 | */ | |
26 | ||
27 | #include "includes.h" | |
28 | ||
29 | #ifdef GSSAPI | |
30 | ||
00146caa | 31 | #include <string.h> |
28cb0a43 | 32 | #include <unistd.h> |
00146caa | 33 | |
7364bd04 | 34 | #include "xmalloc.h" |
35 | #include "bufaux.h" | |
7364bd04 | 36 | #include "log.h" |
0789992b | 37 | #include "ssh2.h" |
7364bd04 | 38 | |
39 | #include "ssh-gss.h" | |
40 | ||
/*
 * Session identifier of the current SSH2 connection, defined elsewhere
 * (presumably by the key-exchange code).  Only consumer in this file is
 * ssh_gssapi_buildmic(), which prepends it to the MIC input so that the
 * signed data is bound to this particular session.
 */
extern u_char *session_id2;
extern u_int session_id2_len;
7364bd04 | 43 | |
/*
 * Check whether the OID carried in a data stream (the len bytes at data)
 * is the same as the OID stored in the context.
 *
 * Returns 1 only when ctx is non-NULL, has an OID, and that OID matches
 * both in length and byte content; a NULL context or one without an OID
 * compares unequal (returns 0).
 */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
{
	if (ctx == NULL || ctx->oid == GSS_C_NO_OID)
		return (0);
	/* Compare lengths first so memcmp() stays within both buffers. */
	if (ctx->oid->length != len)
		return (0);
	return (memcmp(ctx->oid->elements, data, len) == 0);
}
52 | ||
/*
 * Replace the context's OID with a private copy of the len bytes at data.
 *
 * Any OID previously stored in the context (descriptor and elements) is
 * freed first.  The new descriptor and element buffer are allocated with
 * xmalloc() and owned by the context; ssh_gssapi_delete_ctx() releases
 * them.  NOTE(review): nothing here rejects len == 0 — confirm callers
 * never hand in an empty OID, since xmalloc(0) semantics are the wrapper's.
 */
void
ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
{
	gss_OID oid = ctx->oid;

	/* Drop the old copy before installing the new one. */
	if (oid != GSS_C_NO_OID) {
		xfree(oid->elements);
		xfree(oid);
	}

	oid = xmalloc(sizeof(*oid));
	oid->length = len;
	oid->elements = xmalloc(len);
	memcpy(oid->elements, data, len);
	ctx->oid = oid;
}
66 | ||
/*
 * Set the context's OID from an existing gss_OID.  The descriptor is not
 * kept: its elements are copied via ssh_gssapi_set_oid_data(), so the
 * caller retains ownership of oid.
 */
void
ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
{
	void *elements = oid->elements;
	size_t length = oid->length;

	ssh_gssapi_set_oid_data(ctx, elements, length);
}
73 | ||
/*
 * Log the status codes currently recorded in ctxt at debug level.  The
 * text comes from ssh_gssapi_last_error(), which allocates it; it is
 * freed here.  The major/minor codes themselves are not of interest to
 * the caller, so NULL is passed for both out-parameters.
 */
void
ssh_gssapi_error(Gssctxt *ctxt)
{
	char *msg = ssh_gssapi_last_error(ctxt, NULL, NULL);

	debug("%s", msg);
	xfree(msg);
}
84 | ||
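/*
 * Build a human-readable description of the status codes most recently
 * recorded in ctxt (ctxt->major and ctxt->minor).  If major_status or
 * minor_status is non-NULL the raw code is stored there as well.
 *
 * Both the GSS-API (major) and the mechanism-specific (minor) status can
 * expand to several messages, so gss_display_status() is iterated until
 * it reports no further text (message context back to 0); every message
 * is followed by a newline.  If gss_display_status() itself fails the
 * loop stops instead of appending garbage or spinning on a stale context.
 *
 * Returns a NUL-terminated string allocated with xmalloc(); the caller
 * owns it and must xfree() it.
 */
char *
ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
    OM_uint32 *minor_status)
{
	OM_uint32 lmin;
	OM_uint32 dstat;
	gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;
	OM_uint32 ctx;
	Buffer b;
	char *ret;

	buffer_init(&b);

	if (major_status != NULL)
		*major_status = ctxt->major;
	if (minor_status != NULL)
		*minor_status = ctxt->minor;

	/* The GSSAPI error; the mech_type argument is not used for GSS codes */
	ctx = 0;
	do {
		dstat = gss_display_status(&lmin, ctxt->major,
		    GSS_C_GSS_CODE, GSS_C_NULL_OID, &ctx, &msg);
		if (GSS_ERROR(dstat)) {
			gss_release_buffer(&lmin, &msg);
			break;
		}

		buffer_append(&b, msg.value, msg.length);
		buffer_put_char(&b, '\n');

		gss_release_buffer(&lmin, &msg);
	} while (ctx != 0);

	/*
	 * The mechanism specific error.  Minor codes are only meaningful
	 * relative to the mechanism that produced them, so pass the
	 * context's mechanism OID; when it is GSS_C_NO_OID this is the
	 * same null OID as before and the library picks its default.
	 */
	ctx = 0;
	do {
		dstat = gss_display_status(&lmin, ctxt->minor,
		    GSS_C_MECH_CODE, ctxt->oid, &ctx, &msg);
		if (GSS_ERROR(dstat)) {
			gss_release_buffer(&lmin, &msg);
			break;
		}

		buffer_append(&b, msg.value, msg.length);
		buffer_put_char(&b, '\n');

		gss_release_buffer(&lmin, &msg);
	} while (ctx != 0);

	/* Terminate, then hand back a flat copy sized exactly to the text */
	buffer_put_char(&b, '\0');
	ret = xmalloc(buffer_len(&b));
	buffer_get(&b, ret, buffer_len(&b));
	buffer_free(&b);
	return (ret);
}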
131 | ||
/*
 * Allocate and initialise a fresh GSSAPI context.  The opaque Gssctxt
 * carries everything both client and server must keep alive across
 * {accept,init}_sec_context calls, which keeps the userauth code simple.
 *
 * The struct is zero-filled by xcalloc(); every GSS handle is then set to
 * its library "empty" value explicitly so nothing relies on those values
 * being zero.  *ctx receives the new context, which the caller releases
 * with ssh_gssapi_delete_ctx().
 */
void
ssh_gssapi_build_ctx(Gssctxt **ctx)
{
	Gssctxt *c = xcalloc(1, sizeof(*c));

	c->context = GSS_C_NO_CONTEXT;
	c->name = GSS_C_NO_NAME;
	c->oid = GSS_C_NO_OID;
	c->creds = GSS_C_NO_CREDENTIAL;
	c->client = GSS_C_NO_NAME;
	c->client_creds = GSS_C_NO_CREDENTIAL;

	*ctx = c;
}
149 | ||
/*
 * Release every resource held by a context built with
 * ssh_gssapi_build_ctx() and free the context itself; *ctx is reset to
 * NULL so a repeated call is a harmless no-op.  Each GSS handle is only
 * released when it differs from its "empty" value, and the release
 * statuses are deliberately ignored (ms is a scratch minor status).
 */
void
ssh_gssapi_delete_ctx(Gssctxt **ctx)
{
	Gssctxt *c = *ctx;
	OM_uint32 ms;

	if (c == NULL)
		return;

	if (c->context != GSS_C_NO_CONTEXT)
		gss_delete_sec_context(&ms, &c->context, GSS_C_NO_BUFFER);
	if (c->name != GSS_C_NO_NAME)
		gss_release_name(&ms, &c->name);
	/* The OID is our own xmalloc'd copy, not a library object. */
	if (c->oid != GSS_C_NO_OID) {
		xfree(c->oid->elements);
		xfree(c->oid);
		c->oid = GSS_C_NO_OID;
	}
	if (c->creds != GSS_C_NO_CREDENTIAL)
		gss_release_cred(&ms, &c->creds);
	if (c->client != GSS_C_NO_NAME)
		gss_release_name(&ms, &c->client);
	if (c->client_creds != GSS_C_NO_CREDENTIAL)
		gss_release_cred(&ms, &c->client_creds);

	xfree(c);
	*ctx = NULL;
}
177 | ||
/*
 * Wrapper around gss_init_sec_context() for the client side.
 * Requires that the context contains:
 *    oid
 *    server name (from ssh_gssapi_import_name)
 *
 * Mutual authentication and integrity protection are always requested;
 * credential delegation only when deleg_creds is non-zero.  recv_tok is
 * the token received from the server (may be empty on the first call),
 * send_tok receives the token to send, and *flags receives the flags the
 * mechanism actually granted — callers that depend on a flag should
 * check it there rather than assume the request was honoured.
 *
 * Returns the major status, which is also left in ctx->major (errors
 * are logged via ssh_gssapi_error()).
 */
OM_uint32
ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
    gss_buffer_desc* send_tok, OM_uint32 *flags)
{
	OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;

	if (deleg_creds) {
		debug("Delegating credentials");
		req_flags |= GSS_C_DELEG_FLAG;
	}

	ctx->major = gss_init_sec_context(&ctx->minor,
	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
	    req_flags, 0, NULL, recv_tok, NULL, send_tok, flags, NULL);

	if (GSS_ERROR(ctx->major))
		ssh_gssapi_error(ctx);

	return (ctx->major);
}
205 | ||
/*
 * Import the host-based service name "host@<host>" into ctx->name.
 * The temporary string is built with xasprintf() and freed before
 * returning; the imported name is owned by the context and released by
 * ssh_gssapi_delete_ctx().
 *
 * Returns the major status (also stored in ctx->major).  Any non-zero
 * status is logged, which includes supplementary-information codes as
 * well as errors.
 */
OM_uint32
ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
{
	gss_buffer_desc gssbuf;
	char *name = NULL;

	xasprintf(&name, "host@%s", host);
	gssbuf.value = name;
	gssbuf.length = strlen(name);

	ctx->major = gss_import_name(&ctx->minor, &gssbuf,
	    GSS_C_NT_HOSTBASED_SERVICE, &ctx->name);
	if (ctx->major != 0)
		ssh_gssapi_error(ctx);

	xfree(name);
	return (ctx->major);
}
224 | ||
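/*
 * Acquire acceptor credentials for the "host@<hostname>" service on the
 * local machine, restricted to the single mechanism named by ctx->oid.
 * Requires that the context structure contains a valid OID.
 *
 * On success ctx->name holds the imported service name and ctx->creds the
 * credential; both are released by ssh_gssapi_delete_ctx().
 *
 * Returns a GSSAPI major status, also left in ctx->major.  A gethostname()
 * failure is reported as GSS_S_FAILURE (previously a raw -1, which
 * GSS_ERROR() also flags) so that ctx->major is consistent with the
 * return value on every failure path and ssh_gssapi_error() does not
 * report a stale status.
 */
OM_uint32
ssh_gssapi_acquire_cred(Gssctxt *ctx)
{
	OM_uint32 status;
	char lname[MAXHOSTNAMELEN];
	gss_OID_set oidset;

	gss_create_empty_oid_set(&status, &oidset);
	gss_add_oid_set_member(&status, ctx->oid, &oidset);

	if (gethostname(lname, sizeof(lname)) != 0) {
		gss_release_oid_set(&status, &oidset);
		ctx->major = GSS_S_FAILURE;
		return (ctx->major);
	}
	/* gethostname() need not NUL-terminate when the name is truncated */
	lname[sizeof(lname) - 1] = '\0';

	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
		gss_release_oid_set(&status, &oidset);
		return (ctx->major);
	}

	if ((ctx->major = gss_acquire_cred(&ctx->minor,
	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
		ssh_gssapi_error(ctx);

	gss_release_oid_set(&status, &oidset);
	return (ctx->major);
}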
257 | ||
/*
 * Compute a MIC over buffer with the established security context and
 * store it in hash (the library allocates hash->value; the caller
 * releases it).  Default QOP is used.  Returns the major status, also
 * recorded in ctx->major; any non-zero status is logged.
 */
OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
	OM_uint32 maj;

	maj = gss_get_mic(&ctx->minor, ctx->context, GSS_C_QOP_DEFAULT,
	    buffer, hash);
	ctx->major = maj;
	if (maj != 0)
		ssh_gssapi_error(ctx);

	return (ctx->major);
}
267 | ||
/*
 * Assemble the data over which the userauth MIC is computed (client) or
 * verified (server): the session id as a length-prefixed string, the
 * SSH2_MSG_USERAUTH_REQUEST message byte, then the user, service and
 * context strings.  Including the session id binds the MIC to this
 * connection.  The field order is the wire format and must not change;
 * b is (re)initialised here and owned by the caller.
 */
void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
    const char *context)
{
	buffer_init(b);
	buffer_put_string(b, session_id2, session_id2_len);
	buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST);
	buffer_put_cstring(b, user);
	buffer_put_cstring(b, service);
	buffer_put_cstring(b, context);
}
279 | ||
/*
 * Server-side setup: (re)create the context in *ctx for mechanism oid and
 * acquire acceptor credentials for it.  An existing context is deleted
 * first so its names and credentials are not leaked.  Returns the major
 * status from ssh_gssapi_acquire_cred().
 */
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
{
	if (*ctx != NULL)
		ssh_gssapi_delete_ctx(ctx);

	ssh_gssapi_build_ctx(ctx);
	ssh_gssapi_set_oid(*ctx, oid);

	return (ssh_gssapi_acquire_cred(*ctx));
}
289 | ||
290 | #endif /* GSSAPI */ |