From 9da806e67101afdc0d3a1d304659927acf18f5c5 Mon Sep 17 00:00:00 2001
From: Simon Wilkinson <simon@sxw.org.uk>
Date: Sun, 9 Feb 2014 16:09:48 +0000
Subject: GSSAPI key exchange support

This patch has been rejected upstream: "None of the OpenSSH developers are
in favour of adding this, and this situation has not changed for several
years.  This is not a slight on Simon's patch, which is of fine quality, but
just that a) we don't trust GSSAPI implementations that much and b) we don't
like adding new KEX since they are pre-auth attack surface.  This one is
particularly scary, since it requires hooks out to typically root-owned
system resources."

However, quite a lot of people rely on this in Debian, and it's better to
have it merged into the main openssh package rather than having separate
-krb5 packages (as we used to have).  It seems to have a generally good
security history.

Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242
Last-Updated: 2019-10-09

Patch-Name: gssapi.patch
---
 gss-genr.c | 300 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 296 insertions(+), 4 deletions(-)

(limited to 'gss-genr.c')

diff --git a/gss-genr.c b/gss-genr.c
index d56257b4a..763a63ffa 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
 
 /*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -41,12 +41,36 @@
 #include "sshbuf.h"
 #include "log.h"
 #include "ssh2.h"
+#include "cipher.h"
+#include "sshkey.h"
+#include "kex.h"
+#include "digest.h"
+#include "packet.h"
 
 #include "ssh-gss.h"
 
 extern u_char *session_id2;
 extern u_int session_id2_len;
 
+typedef struct {
+	char *encoded;
+	gss_OID oid;
+} ssh_gss_kex_mapping;
+
+/*
+ * XXX - It would be nice to find a more elegant way of handling the
+ * XXX   passing of the key exchange context to the userauth routines
+ */
+
+Gssctxt *gss_kex_context = NULL;
+
+static ssh_gss_kex_mapping *gss_enc2oid = NULL;
+
+int
+ssh_gssapi_oid_table_ok(void) {
+	return (gss_enc2oid != NULL);
+}
+
 /* sshbuf_get for gss_buffer_desc */
 int
 ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
 	return 0;
 }
 
+/* sshpkt_get of gss_buffer_desc */
+int
+ssh_gssapi_sshpkt_get_buffer_desc(struct ssh *ssh, gss_buffer_desc *g)
+{
+	int r;
+	u_char *p;
+	size_t len;
+
+	if ((r = sshpkt_get_string(ssh, &p, &len)) != 0)
+		return r;
+	g->value = p;
+	g->length = len;
+	return 0;
+}
+
+/*
+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
+ *
+ * We test mechanisms to ensure that we can use them, to avoid starting
+ * a key exchange with a bad mechanism
+ */
+
+char *
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
+    const char *kex) {
+	gss_OID_set gss_supported = NULL;
+	OM_uint32 min_status;
+
+	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
+		return NULL;
+
+	return ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
+	    host, client, kex);
+}
+
+char *
+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
+    const char *host, const char *client, const char *kex) {
+	struct sshbuf *buf = NULL;
+	size_t i;
+	int r = SSH_ERR_ALLOC_FAIL;
+	int oidpos, enclen;
+	char *mechs, *encoded;
+	u_char digest[SSH_DIGEST_MAX_LENGTH];
+	char deroid[2];
+	struct ssh_digest_ctx *md = NULL;
+	char *s, *cp, *p;
+
+	if (gss_enc2oid != NULL) {
+		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
+			free(gss_enc2oid[i].encoded);
+		free(gss_enc2oid);
+	}
+
+	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
+	    (gss_supported->count + 1));
+
+	if ((buf = sshbuf_new()) == NULL)
+		fatal("%s: sshbuf_new failed", __func__);
+
+	oidpos = 0;
+	s = cp = xstrdup(kex);
+	for (i = 0; i < gss_supported->count; i++) {
+		if (gss_supported->elements[i].length < 128 &&
+		    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
+
+			deroid[0] = SSH_GSS_OIDTYPE;
+			deroid[1] = gss_supported->elements[i].length;
+
+			if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
+			    (r = ssh_digest_update(md, deroid, 2)) != 0 ||
+			    (r = ssh_digest_update(md,
+			        gss_supported->elements[i].elements,
+			        gss_supported->elements[i].length)) != 0 ||
+			    (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
+				fatal("%s: digest failed: %s", __func__,
+				    ssh_err(r));
+			ssh_digest_free(md);
+			md = NULL;
+
+			encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5)
+			    * 2);
+			enclen = __b64_ntop(digest,
+			    ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
+			    ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
+
+			cp = strncpy(s, kex, strlen(kex));
+			for ((p = strsep(&cp, ",")); p && *p != '\0';
+				(p = strsep(&cp, ","))) {
+				if (sshbuf_len(buf) != 0 &&
+				    (r = sshbuf_put_u8(buf, ',')) != 0)
+					fatal("%s: sshbuf_put_u8 error: %s",
+					    __func__, ssh_err(r));
+				if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
+				    (r = sshbuf_put(buf, encoded, enclen)) != 0)
+					fatal("%s: sshbuf_put error: %s",
+					    __func__, ssh_err(r));
+			}
+
+			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+			gss_enc2oid[oidpos].encoded = encoded;
+			oidpos++;
+		}
+	}
+	free(s);
+	gss_enc2oid[oidpos].oid = NULL;
+	gss_enc2oid[oidpos].encoded = NULL;
+
+	if ((mechs = sshbuf_dup_string(buf)) == NULL)
+		fatal("%s: sshbuf_dup_string failed", __func__);
+
+	sshbuf_free(buf);
+
+	if (strlen(mechs) == 0) {
+		free(mechs);
+		mechs = NULL;
+	}
+
+	return (mechs);
+}
+
+gss_OID
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
+	int i = 0;
+
+#define SKIP_KEX_NAME(type) \
+	case type: \
+		if (strlen(name) < sizeof(type##_ID)) \
+			return GSS_C_NO_OID; \
+		name += sizeof(type##_ID) - 1; \
+		break;
+
+	switch (kex_type) {
+	SKIP_KEX_NAME(KEX_GSS_GRP1_SHA1)
+	SKIP_KEX_NAME(KEX_GSS_GRP14_SHA1)
+	SKIP_KEX_NAME(KEX_GSS_GRP14_SHA256)
+	SKIP_KEX_NAME(KEX_GSS_GRP16_SHA512)
+	SKIP_KEX_NAME(KEX_GSS_GEX_SHA1)
+	SKIP_KEX_NAME(KEX_GSS_NISTP256_SHA256)
+	SKIP_KEX_NAME(KEX_GSS_C25519_SHA256)
+	default:
+		return GSS_C_NO_OID;
+	}
+
+#undef SKIP_KEX_NAME
+
+	while (gss_enc2oid[i].encoded != NULL &&
+	    strcmp(name, gss_enc2oid[i].encoded) != 0)
+		i++;
+
+	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
+		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
+
+	return gss_enc2oid[i].oid;
+}
+
 /* Check that the OID in a data stream matches that in the context */
 int
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
@@ -218,7 +398,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
 	}
 
 	ctx->major = gss_init_sec_context(&ctx->minor,
-	    GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
+	    ctx->client_creds, &ctx->context, ctx->name, ctx->oid,
 	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
 	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);
 
@@ -247,9 +427,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 	return (ctx->major);
 }
 
+OM_uint32
+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
+{
+	gss_buffer_desc gssbuf;
+	gss_name_t gssname;
+	OM_uint32 status;
+	gss_OID_set oidset;
+
+	gssbuf.value = (void *) name;
+	gssbuf.length = strlen(gssbuf.value);
+
+	gss_create_empty_oid_set(&status, &oidset);
+	gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+	ctx->major = gss_import_name(&ctx->minor, &gssbuf,
+	    GSS_C_NT_USER_NAME, &gssname);
+
+	if (!ctx->major)
+		ctx->major = gss_acquire_cred(&ctx->minor,
+		    gssname, 0, oidset, GSS_C_INITIATE,
+		    &ctx->client_creds, NULL, NULL);
+
+	gss_release_name(&status, &gssname);
+	gss_release_oid_set(&status, &oidset);
+
+	if (ctx->major)
+		ssh_gssapi_error(ctx);
+
+	return(ctx->major);
+}
+
 OM_uint32
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 {
+	if (ctx == NULL)
+		return -1;
+
 	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
 	    GSS_C_QOP_DEFAULT, buffer, hash)))
 		ssh_gssapi_error(ctx);
@@ -257,6 +471,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 	return (ctx->major);
 }
 
+/* Priviledged when used by server */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+	if (ctx == NULL)
+		return -1;
+
+	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+	    gssbuf, gssmic, NULL);
+
+	return (ctx->major);
+}
+
 void
 ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
     const char *context)
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
 }
 
 int
-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host,
+    const char *client)
 {
 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
 	OM_uint32 major, minor;
 	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+	Gssctxt *intctx = NULL;
+
+	if (ctx == NULL)
+		ctx = &intctx;
 
 	/* RFC 4462 says we MUST NOT do SPNEGO */
 	if (oid->length == spnego_oid.length && 
@@ -287,6 +519,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
 	ssh_gssapi_build_ctx(ctx);
 	ssh_gssapi_set_oid(*ctx, oid);
 	major = ssh_gssapi_import_name(*ctx, host);
+
+	if (!GSS_ERROR(major) && client)
+		major = ssh_gssapi_client_identity(*ctx, client);
+
 	if (!GSS_ERROR(major)) {
 		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
 		    NULL);
@@ -296,10 +532,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
 			    GSS_C_NO_BUFFER);
 	}
 
-	if (GSS_ERROR(major)) 
+	if (GSS_ERROR(major) || intctx != NULL)
 		ssh_gssapi_delete_ctx(ctx);
 
 	return (!GSS_ERROR(major));
 }
 
+int
+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
+	static gss_name_t saved_name = GSS_C_NO_NAME;
+	static OM_uint32 saved_lifetime = 0;
+	static gss_OID saved_mech = GSS_C_NO_OID;
+	static gss_name_t name;
+	static OM_uint32 last_call = 0;
+	OM_uint32 lifetime, now, major, minor;
+	int equal;
+
+	now = time(NULL);
+
+	if (ctxt) {
+		debug("Rekey has happened - updating saved versions");
+
+		if (saved_name != GSS_C_NO_NAME)
+			gss_release_name(&minor, &saved_name);
+
+		major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
+		    &saved_name, &saved_lifetime, NULL, NULL);
+
+		if (!GSS_ERROR(major)) {
+			saved_mech = ctxt->oid;
+		        saved_lifetime+= now;
+		} else {
+			/* Handle the error */
+		}
+		return 0;
+	}
+
+	if (now - last_call < 10)
+		return 0;
+
+	last_call = now;
+
+	if (saved_mech == GSS_C_NO_OID)
+		return 0;
+
+	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
+	    &name, &lifetime, NULL, NULL);
+	if (major == GSS_S_CREDENTIALS_EXPIRED)
+		return 0;
+	else if (GSS_ERROR(major))
+		return 0;
+
+	major = gss_compare_name(&minor, saved_name, name, &equal);
+	gss_release_name(&minor, &name);
+	if (GSS_ERROR(major))
+		return 0;
+
+	if (equal && (saved_lifetime < lifetime + now - 10))
+		return 1;
+
+	return 0;
+}
+
 #endif /* GSSAPI */
-- 
cgit v1.2.3