src/com/jcraft/jsch/UserAuthGSSAPIWithMIC.java

/* -*-mode:java; c-basic-offset:2; indent-tabs-mode:nil -*- */
/*
Copyright (c) 2006-2010 ymnk, JCraft,Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice,
     this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in
     the documentation and/or other materials provided with the distribution.

  3. The names of the authors may not be used to endorse or promote products
     derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION)HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING
NEGLIGENCE OR OTHERWISE)ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

package com.jcraft.jsch;

public class UserAuthGSSAPIWithMIC extends UserAuth {
  private static final int SSH_MSG_USERAUTH_GSSAPI_RESPONSE=         60;
  private static final int SSH_MSG_USERAUTH_GSSAPI_TOKEN=            61;
  private static final int SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE=63;
  private static final int SSH_MSG_USERAUTH_GSSAPI_ERROR=            64;
  private static final int SSH_MSG_USERAUTH_GSSAPI_ERRTOK=           65;
  private static final int SSH_MSG_USERAUTH_GSSAPI_MIC=              66;

  private static final byte[][] supported_oid={
    // OID 1.2.840.113554.1.2.2 in DER
    {(byte)0x6,(byte)0x9,(byte)0x2a,(byte)0x86,(byte)0x48,
     (byte)0x86,(byte)0xf7,(byte)0x12,(byte)0x1,(byte)0x2,
     (byte)0x2}
  };

  private static final String[] supported_method={
    "gssapi-with-mic.krb5"
  };

  public boolean start(Session session)throws Exception{
    super.start(session);

    byte[] _username=Util.str2byte(username);

    packet.reset();

    // byte            SSH_MSG_USERAUTH_REQUEST(50)
    // string          user name(in ISO-10646 UTF-8 encoding)
    // string          service name(in US-ASCII)
    // string          "gssapi"(US-ASCII)
    // uint32          n, the number of OIDs client supports
    // string[n]       mechanism OIDS
    buf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
    buf.putString(_username);
    buf.putString(Util.str2byte("ssh-connection"));
    buf.putString(Util.str2byte("gssapi-with-mic"));
    buf.putInt(supported_oid.length);
    for(int i=0; i<supported_oid.length; i++){
      buf.putString(supported_oid[i]);
    }
    session.write(packet);

    String method=null;
    int command;
    while(true){
      buf=session.read(buf);
      command=buf.getCommand()&0xff;

      if(command==SSH_MSG_USERAUTH_FAILURE){
        return false;
      }

      if(command==SSH_MSG_USERAUTH_GSSAPI_RESPONSE){
        buf.getInt(); buf.getByte(); buf.getByte();
        byte[] message=buf.getString();

        for(int i=0; i<supported_oid.length; i++){
          if(Util.array_equals(message, supported_oid[i])){
            method=supported_method[i];
            break;
          }
        }

        if(method==null){
          return false;
        }

        break; // success
      }

      if(command==SSH_MSG_USERAUTH_BANNER){
        buf.getInt(); buf.getByte(); buf.getByte();
        byte[] _message=buf.getString();
        byte[] lang=buf.getString();
        String message=Util.byte2str(_message);
        if(userinfo!=null){
          userinfo.showMessage(message);
        }
        continue;
      }
      return false;
    }

    GSSContext context=null;
    try{
      Class c=Class.forName(session.getConfig(method));
      context=(GSSContext)(c.newInstance());
    }
    catch(Exception e){
      return false;
    }

    try{
      context.create(username, session.host);
    }
    catch(JSchException e){
      return false;
    }

    byte[] token=new byte[0];

    while(!context.isEstablished()){
      try{
        token=context.init(token, 0, token.length);
      }
      catch(JSchException e){
        // TODO
        // ERRTOK should be sent?
        // byte        SSH_MSG_USERAUTH_GSSAPI_ERRTOK
        // string      error token
        return false;
      }

      if(token!=null){
        packet.reset();
        buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_TOKEN);
        buf.putString(token);
        session.write(packet);
      }

      if(!context.isEstablished()){
        buf=session.read(buf);
        command=buf.getCommand()&0xff;
        if(command==SSH_MSG_USERAUTH_GSSAPI_ERROR){
          // uint32    major_status
          // uint32    minor_status
          // string    message
          // string    language tag

          buf=session.read(buf);
          command=buf.getCommand()&0xff;
          //return false;
        }
        else if(command==SSH_MSG_USERAUTH_GSSAPI_ERRTOK){
          // string error token

          buf=session.read(buf);
          command=buf.getCommand()&0xff;
          //return false;
        }

        if(command==SSH_MSG_USERAUTH_FAILURE){
          return false;
        }

        buf.getInt(); buf.getByte(); buf.getByte();
        token=buf.getString();
      }
    }

    Buffer mbuf=new Buffer();
    // string    session identifier
    // byte      SSH_MSG_USERAUTH_REQUEST
    // string    user name
    // string    service
    // string    "gssapi-with-mic"
    mbuf.putString(session.getSessionId());
    mbuf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
    mbuf.putString(_username);
    mbuf.putString(Util.str2byte("ssh-connection"));
    mbuf.putString(Util.str2byte("gssapi-with-mic"));

    byte[] mic=context.getMIC(mbuf.buffer, 0, mbuf.getLength());

    if(mic==null){
      return false;
    }

    packet.reset();
    buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_MIC);
    buf.putString(mic);
    session.write(packet);

    context.dispose();

    buf=session.read(buf);
    command=buf.getCommand()&0xff;

    if(command==SSH_MSG_USERAUTH_SUCCESS){
      return true;
    }
    else if(command==SSH_MSG_USERAUTH_FAILURE){
      buf.getInt(); buf.getByte(); buf.getByte();
      byte[] foo=buf.getString();
      int partial_success=buf.getByte();
      //System.err.println(new String(foo)+
      //		 " partial_success:"+(partial_success!=0));
      if(partial_success!=0){
        throw new JSchPartialAuthException(Util.byte2str(foo));
      }
    }
    return false;
  }
}
Commit	Line	Data
	1	/* --mode:java; c-basic-offset:2; indent-tabs-mode:nil -- */
	2	/*
	3	Copyright (c) 2006-2010 ymnk, JCraft,Inc. All rights reserved.
	4
	5	Redistribution and use in source and binary forms, with or without
	6	modification, are permitted provided that the following conditions are met:
	7
	8	1. Redistributions of source code must retain the above copyright notice,
	9	this list of conditions and the following disclaimer.
	10
	11	2. Redistributions in binary form must reproduce the above copyright
	12	notice, this list of conditions and the following disclaimer in
	13	the documentation and/or other materials provided with the distribution.
	14
	15	3. The names of the authors may not be used to endorse or promote products
	16	derived from this software without specific prior written permission.
	17
	18	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
	19	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
	20	FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
	21	INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
	22	INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT
	23	LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
	24	OR PROFITS; OR BUSINESS INTERRUPTION)HOWEVER CAUSED AND ON ANY THEORY OF
	25	LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING
	26	NEGLIGENCE OR OTHERWISE)ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
	27	EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	28	*/
	29
	30	package com.jcraft.jsch;
	31
	32	public class UserAuthGSSAPIWithMIC extends UserAuth {
	33	private static final int SSH_MSG_USERAUTH_GSSAPI_RESPONSE= 60;
	34	private static final int SSH_MSG_USERAUTH_GSSAPI_TOKEN= 61;
	35	private static final int SSH_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE=63;
	36	private static final int SSH_MSG_USERAUTH_GSSAPI_ERROR= 64;
	37	private static final int SSH_MSG_USERAUTH_GSSAPI_ERRTOK= 65;
	38	private static final int SSH_MSG_USERAUTH_GSSAPI_MIC= 66;
	39
	40	private static final byte[][] supported_oid={
	41	// OID 1.2.840.113554.1.2.2 in DER
	42	{(byte)0x6,(byte)0x9,(byte)0x2a,(byte)0x86,(byte)0x48,
	43	(byte)0x86,(byte)0xf7,(byte)0x12,(byte)0x1,(byte)0x2,
	44	(byte)0x2}
	45	};
	46
	47	private static final String[] supported_method={
	48	"gssapi-with-mic.krb5"
	49	};
	50
	51	public boolean start(Session session)throws Exception{
	52	super.start(session);
	53
	54	byte[] _username=Util.str2byte(username);
	55
	56	packet.reset();
	57
	58	// byte SSH_MSG_USERAUTH_REQUEST(50)
	59	// string user name(in ISO-10646 UTF-8 encoding)
	60	// string service name(in US-ASCII)
	61	// string "gssapi"(US-ASCII)
	62	// uint32 n, the number of OIDs client supports
	63	// string[n] mechanism OIDS
	64	buf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
	65	buf.putString(_username);
	66	buf.putString(Util.str2byte("ssh-connection"));
	67	buf.putString(Util.str2byte("gssapi-with-mic"));
	68	buf.putInt(supported_oid.length);
	69	for(int i=0; i<supported_oid.length; i++){
	70	buf.putString(supported_oid[i]);
	71	}
	72	session.write(packet);
	73
	74	String method=null;
	75	int command;
	76	while(true){
	77	buf=session.read(buf);
	78	command=buf.getCommand()&0xff;
	79
	80	if(command==SSH_MSG_USERAUTH_FAILURE){
	81	return false;
	82	}
	83
	84	if(command==SSH_MSG_USERAUTH_GSSAPI_RESPONSE){
	85	buf.getInt(); buf.getByte(); buf.getByte();
	86	byte[] message=buf.getString();
	87
	88	for(int i=0; i<supported_oid.length; i++){
	89	if(Util.array_equals(message, supported_oid[i])){
	90	method=supported_method[i];
	91	break;
	92	}
	93	}
	94
	95	if(method==null){
	96	return false;
	97	}
	98
	99	break; // success
	100	}
	101
	102	if(command==SSH_MSG_USERAUTH_BANNER){
	103	buf.getInt(); buf.getByte(); buf.getByte();
	104	byte[] _message=buf.getString();
	105	byte[] lang=buf.getString();
	106	String message=Util.byte2str(_message);
	107	if(userinfo!=null){
	108	userinfo.showMessage(message);
	109	}
	110	continue;
	111	}
	112	return false;
	113	}
	114
	115	GSSContext context=null;
	116	try{
	117	Class c=Class.forName(session.getConfig(method));
	118	context=(GSSContext)(c.newInstance());
	119	}
	120	catch(Exception e){
	121	return false;
	122	}
	123
	124	try{
	125	context.create(username, session.host);
	126	}
	127	catch(JSchException e){
	128	return false;
	129	}
	130
	131	byte[] token=new byte[0];
	132
	133	while(!context.isEstablished()){
	134	try{
	135	token=context.init(token, 0, token.length);
	136	}
	137	catch(JSchException e){
	138	// TODO
	139	// ERRTOK should be sent?
	140	// byte SSH_MSG_USERAUTH_GSSAPI_ERRTOK
	141	// string error token
	142	return false;
	143	}
	144
	145	if(token!=null){
	146	packet.reset();
	147	buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_TOKEN);
	148	buf.putString(token);
	149	session.write(packet);
	150	}
	151
	152	if(!context.isEstablished()){
	153	buf=session.read(buf);
	154	command=buf.getCommand()&0xff;
	155	if(command==SSH_MSG_USERAUTH_GSSAPI_ERROR){
	156	// uint32 major_status
	157	// uint32 minor_status
	158	// string message
	159	// string language tag
	160
	161	buf=session.read(buf);
	162	command=buf.getCommand()&0xff;
	163	//return false;
	164	}
	165	else if(command==SSH_MSG_USERAUTH_GSSAPI_ERRTOK){
	166	// string error token
	167
	168	buf=session.read(buf);
	169	command=buf.getCommand()&0xff;
	170	//return false;
	171	}
	172
	173	if(command==SSH_MSG_USERAUTH_FAILURE){
	174	return false;
	175	}
	176
	177	buf.getInt(); buf.getByte(); buf.getByte();
	178	token=buf.getString();
	179	}
	180	}
	181
	182	Buffer mbuf=new Buffer();
	183	// string session identifier
	184	// byte SSH_MSG_USERAUTH_REQUEST
	185	// string user name
	186	// string service
	187	// string "gssapi-with-mic"
	188	mbuf.putString(session.getSessionId());
	189	mbuf.putByte((byte)SSH_MSG_USERAUTH_REQUEST);
	190	mbuf.putString(_username);
	191	mbuf.putString(Util.str2byte("ssh-connection"));
	192	mbuf.putString(Util.str2byte("gssapi-with-mic"));
	193
	194	byte[] mic=context.getMIC(mbuf.buffer, 0, mbuf.getLength());
	195
	196	if(mic==null){
	197	return false;
	198	}
	199
	200	packet.reset();
	201	buf.putByte((byte)SSH_MSG_USERAUTH_GSSAPI_MIC);
	202	buf.putString(mic);
	203	session.write(packet);
	204
	205	context.dispose();
	206
	207	buf=session.read(buf);
	208	command=buf.getCommand()&0xff;
	209
	210	if(command==SSH_MSG_USERAUTH_SUCCESS){
	211	return true;
	212	}
	213	else if(command==SSH_MSG_USERAUTH_FAILURE){
	214	buf.getInt(); buf.getByte(); buf.getByte();
	215	byte[] foo=buf.getString();
	216	int partial_success=buf.getByte();
	217	//System.err.println(new String(foo)+
	218	// " partial_success:"+(partial_success!=0));
	219	if(partial_success!=0){
	220	throw new JSchPartialAuthException(Util.byte2str(foo));
	221	}
	222	}
	223	return false;
	224	}
	225	}
	226
	227