GssApiWithMicAuthentication.java

  1. /*
  2.  * Copyright (C) 2018, Thomas Wolf <thomas.wolf@paranor.ch> and others
  3.  *
  4.  * This program and the accompanying materials are made available under the
  5.  * terms of the Eclipse Distribution License v. 1.0 which is available at
  6.  * https://www.eclipse.org/org/documents/edl-v10.php.
  7.  *
  8.  * SPDX-License-Identifier: BSD-3-Clause
  9.  */
  10. package org.eclipse.jgit.internal.transport.sshd;

  12. import static java.text.MessageFormat.format;

  14. import java.io.IOException;
  15. import java.net.InetAddress;
  16. import java.net.InetSocketAddress;
  17. import java.net.SocketAddress;
  18. import java.net.UnknownHostException;
  19. import java.util.Collection;
  20. import java.util.Iterator;

  22. import org.apache.sshd.client.auth.AbstractUserAuth;
  23. import org.apache.sshd.client.session.ClientSession;
  24. import org.apache.sshd.common.SshConstants;
  25. import org.apache.sshd.common.util.buffer.Buffer;
  26. import org.apache.sshd.common.util.buffer.ByteArrayBuffer;
  27. import org.ietf.jgss.GSSContext;
  28. import org.ietf.jgss.GSSException;
  29. import org.ietf.jgss.MessageProp;
  30. import org.ietf.jgss.Oid;

  32. /**
  33.  * GSSAPI-with-MIC authentication handler (Kerberos 5).
  34.  *
  35.  * @see <a href="https://tools.ietf.org/html/rfc4462">RFC 4462</a>
  36.  */
  37. public class GssApiWithMicAuthentication extends AbstractUserAuth {

  39.     /** Synonym used in RFC 4462. */
  40.     private static final byte SSH_MSG_USERAUTH_GSSAPI_RESPONSE = SshConstants.SSH_MSG_USERAUTH_INFO_REQUEST;

  42.     /** Synonym used in RFC 4462. */
  43.     private static final byte SSH_MSG_USERAUTH_GSSAPI_TOKEN = SshConstants.SSH_MSG_USERAUTH_INFO_RESPONSE;

  45.     private enum ProtocolState {
  46.         STARTED, TOKENS, MIC_SENT, FAILED
  47.     }

  49.     private Collection<Oid> mechanisms;

  51.     private Iterator<Oid> nextMechanism;

  53.     private Oid currentMechanism;

  55.     private ProtocolState state;

  57.     private GSSContext context;

  59.     /** Creates a new {@link GssApiWithMicAuthentication}. */
  60.     public GssApiWithMicAuthentication() {
  61.         super(GssApiWithMicAuthFactory.NAME);
  62.     }

  64.     @Override
  65.     protected boolean sendAuthDataRequest(ClientSession session, String service)
  66.             throws Exception {
  67.         if (mechanisms == null) {
  68.             mechanisms = GssApiMechanisms.getSupportedMechanisms();
  69.             nextMechanism = mechanisms.iterator();
  70.         }
  71.         if (context != null) {
  72.             close(false);
  73.         }
  74.         if (!nextMechanism.hasNext()) {
  75.             return false;
  76.         }
  77.         state = ProtocolState.STARTED;
  78.         currentMechanism = nextMechanism.next();
  79.         // RFC 4462 states that SPNEGO must not be used with ssh
  80.         while (GssApiMechanisms.SPNEGO.equals(currentMechanism)) {
  81.             if (!nextMechanism.hasNext()) {
  82.                 return false;
  83.             }
  84.             currentMechanism = nextMechanism.next();
  85.         }
  86.         try {
  87.             String hostName = getHostName(session);
  88.             context = GssApiMechanisms.createContext(currentMechanism,
  89.                     hostName);
  90.             context.requestMutualAuth(true);
  91.             context.requestConf(true);
  92.             context.requestInteg(true);
  93.             context.requestCredDeleg(true);
  94.             context.requestAnonymity(false);
  95.         } catch (GSSException | NullPointerException e) {
  96.             close(true);
  97.             if (log.isDebugEnabled()) {
  98.                 log.debug(format(SshdText.get().gssapiInitFailure,
  99.                         currentMechanism.toString()));
  100.             }
  101.             currentMechanism = null;
  102.             state = ProtocolState.FAILED;
  103.             return false;
  104.         }
  105.         Buffer buffer = session
  106.                 .createBuffer(SshConstants.SSH_MSG_USERAUTH_REQUEST);
  107.         buffer.putString(session.getUsername());
  108.         buffer.putString(service);
  109.         buffer.putString(getName());
  110.         buffer.putInt(1);
  111.         buffer.putBytes(currentMechanism.getDER());
  112.         session.writePacket(buffer);
  113.         return true;
  114.     }

  116.     @Override
  117.     protected boolean processAuthDataRequest(ClientSession session,
  118.             String service, Buffer in) throws Exception {
  119.         // SSH_MSG_USERAUTH_FAILURE and SSH_MSG_USERAUTH_SUCCESS, as well as
  120.         // SSH_MSG_USERAUTH_BANNER are handled by the framework.
  121.         int command = in.getUByte();
  122.         if (context == null) {
  123.             return false;
  124.         }
  125.         try {
  126.             switch (command) {
  127.             case SSH_MSG_USERAUTH_GSSAPI_RESPONSE: {
  128.                 if (state != ProtocolState.STARTED) {
  129.                     return unexpectedMessage(command);
  130.                 }
  131.                 // Initial reply from the server with the mechanism to use.
  132.                 Oid mechanism = new Oid(in.getBytes());
  133.                 if (!currentMechanism.equals(mechanism)) {
  134.                     return false;
  135.                 }
  136.                 replyToken(session, service, new byte[0]);
  137.                 return true;
  138.             }
  139.             case SSH_MSG_USERAUTH_GSSAPI_TOKEN: {
  140.                 if (context.isEstablished() || state != ProtocolState.TOKENS) {
  141.                     return unexpectedMessage(command);
  142.                 }
  143.                 // Server sent us a token
  144.                 replyToken(session, service, in.getBytes());
  145.                 return true;
  146.             }
  147.             default:
  148.                 return unexpectedMessage(command);
  149.             }
  150.         } catch (GSSException e) {
  151.             log.warn(format(SshdText.get().gssapiFailure,
  152.                     currentMechanism.toString()), e);
  153.             state = ProtocolState.FAILED;
  154.             return false;
  155.         }
  156.     }

  158.     @Override
  159.     public void destroy() {
  160.         try {
  161.             close(false);
  162.         } finally {
  163.             super.destroy();
  164.         }
  165.     }

  167.     private void close(boolean silent) {
  168.         try {
  169.             if (context != null) {
  170.                 context.dispose();
  171.                 context = null;
  172.             }
  173.         } catch (GSSException e) {
  174.             if (!silent) {
  175.                 log.warn(SshdText.get().gssapiFailure, e);
  176.             }
  177.         }
  178.     }

  180.     private void sendToken(ClientSession session, byte[] receivedToken)
  181.             throws IOException, GSSException {
  182.         state = ProtocolState.TOKENS;
  183.         byte[] token = context.initSecContext(receivedToken, 0,
  184.                 receivedToken.length);
  185.         if (token != null) {
  186.             Buffer buffer = session.createBuffer(SSH_MSG_USERAUTH_GSSAPI_TOKEN);
  187.             buffer.putBytes(token);
  188.             session.writePacket(buffer);
  189.         }
  190.     }

  192.     private void sendMic(ClientSession session, String service)
  193.             throws IOException, GSSException {
  194.         state = ProtocolState.MIC_SENT;
  195.         // Produce MIC
  196.         Buffer micBuffer = new ByteArrayBuffer();
  197.         micBuffer.putBytes(session.getSessionId());
  198.         micBuffer.putByte(SshConstants.SSH_MSG_USERAUTH_REQUEST);
  199.         micBuffer.putString(session.getUsername());
  200.         micBuffer.putString(service);
  201.         micBuffer.putString(getName());
  202.         byte[] micBytes = micBuffer.getCompactData();
  203.         byte[] mic = context.getMIC(micBytes, 0, micBytes.length,
  204.                 new MessageProp(0, true));
  205.         Buffer buffer = session
  206.                 .createBuffer(SshConstants.SSH_MSG_USERAUTH_GSSAPI_MIC);
  207.         buffer.putBytes(mic);
  208.         session.writePacket(buffer);
  209.     }

  211.     private void replyToken(ClientSession session, String service, byte[] bytes)
  212.             throws IOException, GSSException {
  213.         sendToken(session, bytes);
  214.         if (context.isEstablished()) {
  215.             sendMic(session, service);
  216.         }
  217.     }

  219.     private String getHostName(ClientSession session) {
  220.         SocketAddress remote = session.getConnectAddress();
  221.         if (remote instanceof InetSocketAddress) {
  222.             InetAddress address = GssApiMechanisms
  223.                     .resolve((InetSocketAddress) remote);
  224.             if (address != null) {
  225.                 return address.getCanonicalHostName();
  226.             }
  227.         }
  228.         if (session instanceof JGitClientSession) {
  229.             String hostName = ((JGitClientSession) session).getHostConfigEntry()
  230.                     .getHostName();
  231.             try {
  232.                 hostName = InetAddress.getByName(hostName)
  233.                         .getCanonicalHostName();
  234.             } catch (UnknownHostException e) {
  235.                 // Ignore here; try with the non-canonical name
  236.             }
  237.             return hostName;
  238.         }
  239.         throw new IllegalStateException(
  240.                 "Wrong session class :" + session.getClass().getName()); //$NON-NLS-1$
  241.     }

  243.     private boolean unexpectedMessage(int command) {
  244.         log.warn(format(SshdText.get().gssapiUnexpectedMessage, getName(),
  245.                 Integer.toString(command)));
  246.         return false;
  247.     }

  249. }
Created with JaCoCo 0.8.6.202009150832