Support GSS key exchange, for Kerberos 5 only.

This is a heavily edited (by me) version of a patch originally due to Nico Williams and Viktor Dukhovni. Their comments: * Don't delegate credentials when rekeying unless there's a new TGT or the old service ticket is nearly expired. * Check for the above conditions more frequently (every two minutes by default) and rekey when we would delegate credentials. * Do not rekey with very short service ticket lifetimes; some GSSAPI libraries may lose the race to use an almost expired ticket. Adjust the timing of rekey checks to try to avoid this possibility. My further comments: The most interesting thing about this patch to me is that the use of GSS key exchange causes a switch over to a completely different model of what host keys are for. This comes from RFC 4462 section 2.1: the basic idea is that when your session is mostly bidirectionally authenticated by the GSSAPI exchanges happening in initial kex and every rekey, host keys become more or less vestigial, and their remaining purpose is to allow a rekey to happen if the requirements of the SSH protocol demand it at an awkward moment when the GSS credentials are not currently available (e.g. timed out and haven't been renewed yet). As such, there's no need for host keys to be _permanent_ or to be a reliable identifier of a particular host, and RFC 4462 allows for the possibility that they might be purely transient and only for this kind of emergency fallback purpose. Therefore, once PuTTY has done a GSS key exchange, it disconnects itself completely from the permanent host key cache functions in storage.h, and instead switches to a _transient_ host key cache stored in memory with the lifetime of just that SSH session. That cache is populated with keys received from the server as a side effect of GSS kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if later in the session we have to fall back to a non-GSS key exchange. However, in practice servers we've tested against do not send a host key in that way, so we also have a fallback method of populating the transient cache by triggering an immediate non-GSS rekey straight after userauth (reusing the code path we also use to turn on OpenSSH delayed encryption without the race condition).
2025-07-15 01:57:40 -05:00 · 2018-04-26 07:18:59 +01:00
parent d50150c40f
commit d515e4f1a3
14 changed files with 1444 additions and 167 deletions
--- a/pgssapi.h
+++ b/pgssapi.h
@ -58,6 +58,7 @@ typedef void * gss_name_t;
 typedef void * gss_cred_id_t;

 typedef OM_uint32 gss_qop_t;
+typedef int gss_cred_usage_t;

 /* Flag bits for context-level services. */

@ -76,6 +77,13 @@ typedef OM_uint32 gss_qop_t;
 #define GSS_C_INITIATE 1
 #define GSS_C_ACCEPT   2

+/*-
+ * RFC 2744 Page 86
+ * Expiration time of 2^32-1 seconds means infinite lifetime for a
+ * credential or security context
+ */
+#define GSS_C_INDEFINITE 0xfffffffful
+
 /* Status code types for gss_display_status */
 #define GSS_C_GSS_CODE  1
 #define GSS_C_MECH_CODE 2
@ -256,6 +264,13 @@ typedef OM_uint32 (GSS_CC *t_gss_get_mic)
             const gss_buffer_t             /*message_buffer*/,
             gss_buffer_t                   /*msg_token*/);

+typedef OM_uint32 (GSS_CC *t_gss_verify_mic)
+            (OM_uint32                    * /*minor_status*/,
+             const gss_ctx_id_t             /*context_handle*/,
+             const gss_buffer_t             /*message_buffer*/,
+             const gss_buffer_t             /*msg_token*/,
+             gss_qop_t                    * /*qop_state*/);
+
 typedef OM_uint32 (GSS_CC *t_gss_display_status)
            (OM_uint32                   * /*minor_status*/,
             OM_uint32                     /*status_value*/,
@ -280,15 +295,37 @@ typedef OM_uint32 (GSS_CC *t_gss_release_buffer)
            (OM_uint32                   * /*minor_status*/,
             gss_buffer_t                  /*buffer*/);

+typedef OM_uint32 (GSS_CC *t_gss_acquire_cred)
+            (OM_uint32                    * /*minor_status*/,
+             const gss_name_t               /*desired_name*/,
+             OM_uint32                      /*time_req*/,
+             const gss_OID_set              /*desired_mechs*/,
+             gss_cred_usage_t               /*cred_usage*/,
+             gss_cred_id_t                * /*output_cred_handle*/,
+             gss_OID_set                  * /*actual_mechs*/,
+             OM_uint32                    * /*time_rec*/);
+
+typedef OM_uint32 (GSS_CC *t_gss_inquire_cred_by_mech)
+            (OM_uint32                    * /*minor_status*/,
+             const gss_cred_id_t            /*cred_handle*/,
+             const gss_OID                  /*mech_type*/,
+             gss_name_t                   * /*name*/,
+             OM_uint32                    * /*initiator_lifetime*/,
+             OM_uint32                    * /*acceptor_lifetime*/,
+             gss_cred_usage_t             * /*cred_usage*/);
+
 struct gssapi_functions {
    t_gss_delete_sec_context delete_sec_context;
    t_gss_display_status display_status;
    t_gss_get_mic get_mic;
+    t_gss_verify_mic verify_mic;
    t_gss_import_name import_name;
    t_gss_init_sec_context init_sec_context;
    t_gss_release_buffer release_buffer;
    t_gss_release_cred release_cred;
    t_gss_release_name release_name;
+    t_gss_acquire_cred acquire_cred;
+    t_gss_inquire_cred_by_mech inquire_cred_by_mech;
 };

 #endif /* NO_GSSAPI */