src/TortoisePlink/ssh/gssc.c

   1 #include "putty.h"
   2
   3 #include <string.h>
   4 #include <limits.h>
   5 #include "gssc.h"
   6 #include "misc.h"
   7
   8 #ifndef NO_GSSAPI
   9
  10 static Ssh_gss_stat ssh_gssapi_indicate_mech(struct ssh_gss_library *lib,
  11                                              Ssh_gss_buf *mech)
  12 {
  13     /* Copy constant into mech */
  14     mech->length  = GSS_MECH_KRB5->length;
  15     mech->value = GSS_MECH_KRB5->elements;
  16     return SSH_GSS_OK;
  17 }
  18
  19 static Ssh_gss_stat ssh_gssapi_import_name(struct ssh_gss_library *lib,
  20                                            char *host,
  21                                            Ssh_gss_name *srv_name)
  22 {
  23     struct gssapi_functions *gss = &lib->u.gssapi;
  24     OM_uint32 min_stat,maj_stat;
  25     gss_buffer_desc host_buf;
  26     char *pStr;
  27
  28     pStr = dupcat("host@", host);
  29
  30     host_buf.value = pStr;
  31     host_buf.length = strlen(pStr);
  32
  33     maj_stat = gss->import_name(&min_stat, &host_buf,
  34                                 GSS_C_NT_HOSTBASED_SERVICE, srv_name);
  35     /* Release buffer */
  36     sfree(pStr);
  37     if (maj_stat == GSS_S_COMPLETE) return SSH_GSS_OK;
  38     return SSH_GSS_FAILURE;
  39 }
  40
  41 static Ssh_gss_stat ssh_gssapi_acquire_cred(struct ssh_gss_library *lib,
  42                                             Ssh_gss_ctx *ctx,
  43                                             time_t *expiry)
  44 {
  45     struct gssapi_functions *gss = &lib->u.gssapi;
  46     gss_OID_set_desc k5only = { 1, GSS_MECH_KRB5 };
  47     gss_cred_id_t cred;
  48     OM_uint32 dummy;
  49     OM_uint32 time_rec;
  50     gssapi_ssh_gss_ctx *gssctx = snew(gssapi_ssh_gss_ctx);
  51
  52     gssctx->ctx = GSS_C_NO_CONTEXT;
  53     gssctx->expiry = 0;
  54
  55     gssctx->maj_stat =
  56         gss->acquire_cred(&gssctx->min_stat, GSS_C_NO_NAME, GSS_C_INDEFINITE,
  57                           &k5only, GSS_C_INITIATE, &cred,
  58                           (gss_OID_set *)0, &time_rec);
  59
  60     if (gssctx->maj_stat != GSS_S_COMPLETE) {
  61         sfree(gssctx);
  62         return SSH_GSS_FAILURE;
  63     }
  64
  65     /*
  66      * When the credential lifetime is not yet available due to deferred
  67      * processing, gss_acquire_cred should return a 0 lifetime which is
  68      * distinct from GSS_C_INDEFINITE which signals a crential that never
  69      * expires.  However, not all implementations get this right, and with
  70      * Kerberos, initiator credentials always expire at some point.  So when
  71      * lifetime is 0 or GSS_C_INDEFINITE we call gss_inquire_cred_by_mech() to
  72      * complete deferred processing.
  73      */
  74     if (time_rec == GSS_C_INDEFINITE || time_rec == 0) {
  75         gssctx->maj_stat =
  76             gss->inquire_cred_by_mech(&gssctx->min_stat, cred,
  77                                       (gss_OID) GSS_MECH_KRB5,
  78                                       NULL,
  79                                       &time_rec,
  80                                       NULL,
  81                                       NULL);
  82     }
  83     (void) gss->release_cred(&dummy, &cred);
  84
  85     if (gssctx->maj_stat != GSS_S_COMPLETE) {
  86         sfree(gssctx);
  87         return SSH_GSS_FAILURE;
  88     }
  89
  90     if (time_rec != GSS_C_INDEFINITE)
  91         gssctx->expiry = time(NULL) + time_rec;
  92     else
  93         gssctx->expiry = GSS_NO_EXPIRATION;
  94
  95     if (expiry) {
  96         *expiry = gssctx->expiry;
  97     }
  98
  99     *ctx = (Ssh_gss_ctx) gssctx;
 100     return SSH_GSS_OK;
 101 }
 102
 103 static Ssh_gss_stat ssh_gssapi_init_sec_context(struct ssh_gss_library *lib,
 104                                                 Ssh_gss_ctx *ctx,
 105                                                 Ssh_gss_name srv_name,
 106                                                 int to_deleg,
 107                                                 Ssh_gss_buf *recv_tok,
 108                                                 Ssh_gss_buf *send_tok,
 109                                                 time_t *expiry,
 110                                                 unsigned long *lifetime)
 111 {
 112     struct gssapi_functions *gss = &lib->u.gssapi;
 113     gssapi_ssh_gss_ctx *gssctx = (gssapi_ssh_gss_ctx*) *ctx;
 114     OM_uint32 ret_flags;
 115     OM_uint32 lifetime_rec;
 116
 117     if (to_deleg) to_deleg = GSS_C_DELEG_FLAG;
 118     gssctx->maj_stat = gss->init_sec_context(&gssctx->min_stat,
 119                                              GSS_C_NO_CREDENTIAL,
 120                                              &gssctx->ctx,
 121                                              srv_name,
 122                                              (gss_OID) GSS_MECH_KRB5,
 123                                              GSS_C_MUTUAL_FLAG |
 124                                              GSS_C_INTEG_FLAG | to_deleg,
 125                                              0,
 126                                              GSS_C_NO_CHANNEL_BINDINGS,
 127                                              recv_tok,
 128                                              NULL,   /* ignore mech type */
 129                                              send_tok,
 130                                              &ret_flags,
 131                                              &lifetime_rec);
 132
 133     if (lifetime) {
 134         if (lifetime_rec == GSS_C_INDEFINITE)
 135             *lifetime = ULONG_MAX;
 136         else
 137             *lifetime = lifetime_rec;
 138     }
 139     if (expiry) {
 140         if (lifetime_rec == GSS_C_INDEFINITE)
 141             *expiry = GSS_NO_EXPIRATION;
 142         else
 143             *expiry = time(NULL) + lifetime_rec;
 144     }
 145
 146     if (gssctx->maj_stat == GSS_S_COMPLETE) return SSH_GSS_S_COMPLETE;
 147     if (gssctx->maj_stat == GSS_S_CONTINUE_NEEDED) return SSH_GSS_S_CONTINUE_NEEDED;
 148     return SSH_GSS_FAILURE;
 149 }
 150
 151 static Ssh_gss_stat ssh_gssapi_display_status(struct ssh_gss_library *lib,
 152                                               Ssh_gss_ctx ctx,
 153                                               Ssh_gss_buf *buf)
 154 {
 155     struct gssapi_functions *gss = &lib->u.gssapi;
 156     gssapi_ssh_gss_ctx *gssctx = (gssapi_ssh_gss_ctx *) ctx;
 157     OM_uint32 lmin,lmax;
 158     OM_uint32 ccc;
 159     gss_buffer_desc msg_maj=GSS_C_EMPTY_BUFFER;
 160     gss_buffer_desc msg_min=GSS_C_EMPTY_BUFFER;
 161
 162     /* Return empty buffer in case of failure */
 163     SSH_GSS_CLEAR_BUF(buf);
 164
 165     /* get first mesg from GSS */
 166     ccc=0;
 167     lmax=gss->display_status(&lmin,gssctx->maj_stat,GSS_C_GSS_CODE,(gss_OID) GSS_MECH_KRB5,&ccc,&msg_maj);
 168
 169     if (lmax != GSS_S_COMPLETE) return SSH_GSS_FAILURE;
 170
 171     /* get first mesg from Kerberos */
 172     ccc=0;
 173     lmax=gss->display_status(&lmin,gssctx->min_stat,GSS_C_MECH_CODE,(gss_OID) GSS_MECH_KRB5,&ccc,&msg_min);
 174
 175     if (lmax != GSS_S_COMPLETE) {
 176         gss->release_buffer(&lmin, &msg_maj);
 177         return SSH_GSS_FAILURE;
 178     }
 179
 180     /* copy data into buffer */
 181     buf->length = msg_maj.length + msg_min.length + 1;
 182     buf->value = snewn(buf->length + 1, char);
 183
 184     /* copy mem */
 185     memcpy((char *)buf->value, msg_maj.value, msg_maj.length);
 186     ((char *)buf->value)[msg_maj.length] = ' ';
 187     memcpy((char *)buf->value + msg_maj.length + 1, msg_min.value, msg_min.length);
 188     ((char *)buf->value)[buf->length] = 0;
 189     /* free mem & exit */
 190     gss->release_buffer(&lmin, &msg_maj);
 191     gss->release_buffer(&lmin, &msg_min);
 192     return SSH_GSS_OK;
 193 }
 194
 195 static Ssh_gss_stat ssh_gssapi_free_tok(struct ssh_gss_library *lib,
 196                                         Ssh_gss_buf *send_tok)
 197 {
 198     struct gssapi_functions *gss = &lib->u.gssapi;
 199     OM_uint32 min_stat,maj_stat;
 200     maj_stat = gss->release_buffer(&min_stat, send_tok);
 201
 202     if (maj_stat == GSS_S_COMPLETE) return SSH_GSS_OK;
 203     return SSH_GSS_FAILURE;
 204 }
 205
 206 static Ssh_gss_stat ssh_gssapi_release_cred(struct ssh_gss_library *lib,
 207                                             Ssh_gss_ctx *ctx)
 208 {
 209     struct gssapi_functions *gss = &lib->u.gssapi;
 210     gssapi_ssh_gss_ctx *gssctx = (gssapi_ssh_gss_ctx *) *ctx;
 211     OM_uint32 min_stat;
 212     OM_uint32 maj_stat=GSS_S_COMPLETE;
 213
 214     if (gssctx == NULL) return SSH_GSS_FAILURE;
 215     if (gssctx->ctx != GSS_C_NO_CONTEXT)
 216         maj_stat = gss->delete_sec_context(&min_stat,&gssctx->ctx,GSS_C_NO_BUFFER);
 217     sfree(gssctx);
 218     *ctx = NULL;
 219
 220     if (maj_stat == GSS_S_COMPLETE) return SSH_GSS_OK;
 221     return SSH_GSS_FAILURE;
 222 }
 223
 224
 225 static Ssh_gss_stat ssh_gssapi_release_name(struct ssh_gss_library *lib,
 226                                             Ssh_gss_name *srv_name)
 227 {
 228     struct gssapi_functions *gss = &lib->u.gssapi;
 229     OM_uint32 min_stat,maj_stat;
 230     maj_stat = gss->release_name(&min_stat, srv_name);
 231
 232     if (maj_stat == GSS_S_COMPLETE) return SSH_GSS_OK;
 233     return SSH_GSS_FAILURE;
 234 }
 235
 236 static Ssh_gss_stat ssh_gssapi_get_mic(struct ssh_gss_library *lib,
 237                                        Ssh_gss_ctx ctx, Ssh_gss_buf *buf,
 238                                        Ssh_gss_buf *hash)
 239 {
 240     struct gssapi_functions *gss = &lib->u.gssapi;
 241     gssapi_ssh_gss_ctx *gssctx = (gssapi_ssh_gss_ctx *) ctx;
 242     if (gssctx == NULL) return SSH_GSS_FAILURE;
 243     return gss->get_mic(&(gssctx->min_stat), gssctx->ctx, 0, buf, hash);
 244 }
 245
 246 static Ssh_gss_stat ssh_gssapi_verify_mic(struct ssh_gss_library *lib,
 247                                           Ssh_gss_ctx ctx, Ssh_gss_buf *buf,
 248                                           Ssh_gss_buf *hash)
 249 {
 250     struct gssapi_functions *gss = &lib->u.gssapi;
 251     gssapi_ssh_gss_ctx *gssctx = (gssapi_ssh_gss_ctx *) ctx;
 252     if (gssctx == NULL) return SSH_GSS_FAILURE;
 253     return gss->verify_mic(&(gssctx->min_stat), gssctx->ctx, buf, hash, NULL);
 254 }
 255
 256 static Ssh_gss_stat ssh_gssapi_free_mic(struct ssh_gss_library *lib,
 257                                         Ssh_gss_buf *hash)
 258 {
 259     /* On Unix this is the same freeing process as ssh_gssapi_free_tok. */
 260     return ssh_gssapi_free_tok(lib, hash);
 261 }
 262
 263 void ssh_gssapi_bind_fns(struct ssh_gss_library *lib)
 264 {
 265     lib->indicate_mech = ssh_gssapi_indicate_mech;
 266     lib->import_name = ssh_gssapi_import_name;
 267     lib->release_name = ssh_gssapi_release_name;
 268     lib->init_sec_context = ssh_gssapi_init_sec_context;
 269     lib->free_tok = ssh_gssapi_free_tok;
 270     lib->acquire_cred = ssh_gssapi_acquire_cred;
 271     lib->release_cred = ssh_gssapi_release_cred;
 272     lib->get_mic = ssh_gssapi_get_mic;
 273     lib->verify_mic = ssh_gssapi_verify_mic;
 274     lib->free_mic = ssh_gssapi_free_mic;
 275     lib->display_status = ssh_gssapi_display_status;
 276 }
 277
 278 #else
 279
 280 /* Dummy function so this source file defines something if NO_GSSAPI
 281    is defined. */
 282
 283 int ssh_gssapi_init(void)
 284 {
 285     return 0;
 286 }
 287
 288 #endif