Support GSS key exchange, for Kerberos 5 only.

This is a heavily edited (by me) version of a patch originally due to
Nico Williams and Viktor Dukhovni. Their comments:

 * Don't delegate credentials when rekeying unless there's a new TGT
   or the old service ticket is nearly expired.

 * Check for the above conditions more frequently (every two minutes
   by default) and rekey when we would delegate credentials.

 * Do not rekey with very short service ticket lifetimes; some GSSAPI
   libraries may lose the race to use an almost expired ticket. Adjust
   the timing of rekey checks to try to avoid this possibility.

My further comments:

The most interesting thing about this patch to me is that the use of
GSS key exchange causes a switch over to a completely different model
of what host keys are for. This comes from RFC 4462 section 2.1: the
basic idea is that when your session is mostly bidirectionally
authenticated by the GSSAPI exchanges happening in initial kex and
every rekey, host keys become more or less vestigial, and their
remaining purpose is to allow a rekey to happen if the requirements of
the SSH protocol demand it at an awkward moment when the GSS
credentials are not currently available (e.g. timed out and haven't
been renewed yet). As such, there's no need for host keys to be
_permanent_ or to be a reliable identifier of a particular host, and
RFC 4462 allows for the possibility that they might be purely
transient and only for this kind of emergency fallback purpose.

Therefore, once PuTTY has done a GSS key exchange, it disconnects
itself completely from the permanent host key cache functions in
storage.h, and instead switches to a _transient_ host key cache stored
in memory with the lifetime of just that SSH session. That cache is
populated with keys received from the server as a side effect of GSS
kex (via the optional SSH2_MSG_KEXGSS_HOSTKEY message), and used if
later in the session we have to fall back to a non-GSS key exchange.
However, in practice servers we've tested against do not send a host
key in that way, so we also have a fallback method of populating the
transient cache by triggering an immediate non-GSS rekey straight
after userauth (reusing the code path we also use to turn on OpenSSH
delayed encryption without the race condition).

windows/wingss.c

@@ -1,5 +1,6 @@
 #ifndef NO_GSSAPI
 
+#include <limits.h>
 #include "putty.h"
 
 #define SECURITY_WIN32
@@ -11,6 +12,22 @@
 
 #include "misc.h"
 
+#define UNIX_EPOCH	11644473600ULL	/* Seconds from Windows epoch */
+#define CNS_PERSEC	10000000ULL	/* # 100ns per second */
+
+/*
+ * Note, as a special case, 0 relative to the Windows epoch (unspecified) maps
+ * to 0 relative to the POSIX epoch (unspecified)!
+ */
+#define TIME_WIN_TO_POSIX(ft, t) do { \
+    ULARGE_INTEGER uli; \
+    uli.LowPart  = (ft).dwLowDateTime; \
+    uli.HighPart = (ft).dwHighDateTime; \
+    if (uli.QuadPart != 0) \
+        uli.QuadPart = uli.QuadPart / CNS_PERSEC - UNIX_EPOCH; \
+    (t) = (time_t) uli.QuadPart; \
+} while(0)
+
 /* Windows code to set up the GSSAPI library list. */
 
 #ifdef _WIN64
@@ -55,6 +72,9 @@ DECL_WINDOWS_FUNCTION(static, SECURITY_STATUS,
 DECL_WINDOWS_FUNCTION(static, SECURITY_STATUS,
 		      MakeSignature,
 		      (PCtxtHandle, ULONG, PSecBufferDesc, ULONG));
+DECL_WINDOWS_FUNCTION(static, SECURITY_STATUS,
+                      VerifySignature,
+                      (PCtxtHandle, PSecBufferDesc, ULONG, PULONG));
 DECL_WINDOWS_FUNCTION(static, DLL_DIRECTORY_COOKIE,
                       AddDllDirectory,
                       (PCWSTR));
@@ -144,6 +164,7 @@ struct ssh_gss_liblist *ssh_gss_setup(Conf *conf)
         BIND_GSS_FN(delete_sec_context);
         BIND_GSS_FN(display_status);
         BIND_GSS_FN(get_mic);
+        BIND_GSS_FN(verify_mic);
         BIND_GSS_FN(import_name);
         BIND_GSS_FN(init_sec_context);
         BIND_GSS_FN(release_buffer);
@@ -172,6 +193,7 @@ struct ssh_gss_liblist *ssh_gss_setup(Conf *conf)
 	GET_WINDOWS_FUNCTION(module, DeleteSecurityContext);
 	GET_WINDOWS_FUNCTION(module, QueryContextAttributesA);
 	GET_WINDOWS_FUNCTION(module, MakeSignature);
+        GET_WINDOWS_FUNCTION(module, VerifySignature);
 
 	ssh_sspi_bind_fns(lib);
     }
@@ -224,6 +246,7 @@ struct ssh_gss_liblist *ssh_gss_setup(Conf *conf)
         BIND_GSS_FN(delete_sec_context);
         BIND_GSS_FN(display_status);
         BIND_GSS_FN(get_mic);
+        BIND_GSS_FN(verify_mic);
         BIND_GSS_FN(import_name);
         BIND_GSS_FN(init_sec_context);
         BIND_GSS_FN(release_buffer);
@@ -289,7 +312,8 @@ static Ssh_gss_stat ssh_sspi_import_name(struct ssh_gss_library *lib,
 }
 
 static Ssh_gss_stat ssh_sspi_acquire_cred(struct ssh_gss_library *lib,
-					  Ssh_gss_ctx *ctx)
+                                          Ssh_gss_ctx *ctx,
+                                          time_t *expiry)
 {
     winSsh_gss_ctx *winctx = snew(winSsh_gss_ctx);
     memset(winctx, 0, sizeof(winSsh_gss_ctx));
@@ -309,21 +333,68 @@ static Ssh_gss_stat ssh_sspi_acquire_cred(struct ssh_gss_library *lib,
 						   NULL,
 						   NULL,
 						   &winctx->cred_handle,
-						   &winctx->expiry);
+                                                   NULL);
+
+    if (winctx->maj_stat != SEC_E_OK) {
+        p_FreeCredentialsHandle(&winctx->cred_handle);
+        sfree(winctx);
+        return SSH_GSS_FAILURE;
+    }
+
+    /* Windows does not return a valid expiration from AcquireCredentials */
+    if (expiry)
+        *expiry = GSS_NO_EXPIRATION;
 
-    if (winctx->maj_stat != SEC_E_OK) return SSH_GSS_FAILURE;
-    
     *ctx = (Ssh_gss_ctx) winctx;
     return SSH_GSS_OK;
 }
 
+static void localexp_to_exp_lifetime(TimeStamp *localexp,
+                                     time_t *expiry, unsigned long *lifetime)
+{
+    FILETIME nowUTC;
+    FILETIME expUTC;
+    time_t now;
+    time_t exp;
+    time_t delta;
+
+    if (!lifetime && !expiry)
+        return;
+
+    GetSystemTimeAsFileTime(&nowUTC);
+    TIME_WIN_TO_POSIX(nowUTC, now);
+
+    if (lifetime)
+        *lifetime = 0;
+    if (expiry)
+        *expiry = GSS_NO_EXPIRATION;
+
+    if (!LocalFileTimeToFileTime(localexp, &expUTC))
+        return;
+
+    TIME_WIN_TO_POSIX(expUTC, exp);
+    delta = exp - now;
+    if (exp == 0 || delta <= 0)
+        return;
+
+    if (expiry)
+        *expiry = exp;
+    if (lifetime) {
+        if (delta <= ULONG_MAX)
+            *lifetime = (unsigned long)delta;
+        else
+            *lifetime = ULONG_MAX;
+    }
+}
 
 static Ssh_gss_stat ssh_sspi_init_sec_context(struct ssh_gss_library *lib,
 					      Ssh_gss_ctx *ctx,
 					      Ssh_gss_name srv_name,
 					      int to_deleg,
 					      Ssh_gss_buf *recv_tok,
-					      Ssh_gss_buf *send_tok)
+                                              Ssh_gss_buf *send_tok,
+                                              time_t *expiry,
+                                              unsigned long *lifetime)
 {
     winSsh_gss_ctx *winctx = (winSsh_gss_ctx *) *ctx;
     SecBuffer wsend_tok = {send_tok->length,SECBUFFER_TOKEN,send_tok->value};
@@ -333,6 +404,7 @@ static Ssh_gss_stat ssh_sspi_init_sec_context(struct ssh_gss_library *lib,
     unsigned long flags=ISC_REQ_MUTUAL_AUTH|ISC_REQ_REPLAY_DETECT|
 	ISC_REQ_CONFIDENTIALITY|ISC_REQ_ALLOCATE_MEMORY;
     unsigned long ret_flags=0;
+    TimeStamp localexp;
     
     /* check if we have to delegate ... */
     if (to_deleg) flags |= ISC_REQ_DELEGATE;
@@ -347,8 +419,10 @@ static Ssh_gss_stat ssh_sspi_init_sec_context(struct ssh_gss_library *lib,
 						    &winctx->context,
 						    &output_desc,
 						    &ret_flags,
-						    &winctx->expiry);
-  
+                                                    &localexp);
+
+    localexp_to_exp_lifetime(&localexp, expiry, lifetime);
+
     /* prepare for the next round */
     winctx->context_handle = &winctx->context;
     send_tok->value = wsend_tok.pvBuffer;
@@ -503,6 +577,36 @@ static Ssh_gss_stat ssh_sspi_get_mic(struct ssh_gss_library *lib,
     return winctx->maj_stat;
 }
 
+static Ssh_gss_stat ssh_sspi_verify_mic(struct ssh_gss_library *lib,
+                                        Ssh_gss_ctx ctx,
+                                        Ssh_gss_buf *buf,
+                                        Ssh_gss_buf *mic)
+{
+    winSsh_gss_ctx *winctx= (winSsh_gss_ctx *) ctx;
+    SecBufferDesc InputBufferDescriptor;
+    SecBuffer InputSecurityToken[2];
+    ULONG qop;
+
+    if (winctx == NULL) return SSH_GSS_FAILURE;
+
+    winctx->maj_stat = 0;
+
+    InputBufferDescriptor.cBuffers = 2;
+    InputBufferDescriptor.pBuffers = InputSecurityToken;
+    InputBufferDescriptor.ulVersion = SECBUFFER_VERSION;
+    InputSecurityToken[0].BufferType = SECBUFFER_DATA;
+    InputSecurityToken[0].cbBuffer = buf->length;
+    InputSecurityToken[0].pvBuffer = buf->value;
+    InputSecurityToken[1].BufferType = SECBUFFER_TOKEN;
+    InputSecurityToken[1].cbBuffer = mic->length;
+    InputSecurityToken[1].pvBuffer = mic->value;
+
+    winctx->maj_stat = p_VerifySignature(&winctx->context,
+                                       &InputBufferDescriptor,
+                                       0, &qop);
+    return winctx->maj_stat;
+}
+
 static Ssh_gss_stat ssh_sspi_free_mic(struct ssh_gss_library *lib,
 				      Ssh_gss_buf *hash)
 {
@@ -520,6 +624,7 @@ static void ssh_sspi_bind_fns(struct ssh_gss_library *lib)
     lib->acquire_cred = ssh_sspi_acquire_cred;
     lib->release_cred = ssh_sspi_release_cred;
     lib->get_mic = ssh_sspi_get_mic;
+    lib->verify_mic = ssh_sspi_verify_mic;
     lib->free_mic = ssh_sspi_free_mic;
     lib->display_status = ssh_sspi_display_status;
 }

windows/winhelp.h

@@ -104,6 +104,7 @@
 #define WINHELP_CTX_ssh_share "ssh.sharing:config-ssh-sharing"
 #define WINHELP_CTX_ssh_kexlist "ssh.kex.order:config-ssh-kex-order"
 #define WINHELP_CTX_ssh_hklist "ssh.hostkey.order:config-ssh-hostkey-order"
+#define WINHELP_CTX_ssh_gssapi_kex_delegation "ssh.kex.gssapi.delegation:config-ssh-kex-gssapi-delegation"
 #define WINHELP_CTX_ssh_kex_repeat "ssh.kex.repeat:config-ssh-kex-rekey"
 #define WINHELP_CTX_ssh_kex_manual_hostkeys "ssh.kex.manualhostkeys:config-ssh-kex-manual-hostkeys"
 #define WINHELP_CTX_ssh_auth_bypass "ssh.auth.bypass:config-ssh-noauth"