/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */

/*
 * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef GSSAPI

#include <sys/types.h>
#include <sys/param.h>

#include <stdarg.h>
#include <string.h>
#include <unistd.h>

#include "xmalloc.h"
#include "buffer.h"
#include "log.h"
#include "ssh2.h"

#include "ssh-gss.h"

/* SSH2 session identifier of this connection; defined elsewhere in the tree. */
extern u_char *session_id2;
extern u_int session_id2_len;

/*
 * Report whether the OID held by ctx is byte-for-byte equal to the len
 * bytes at data.  A NULL ctx, or a ctx without an OID, never matches.
 * Returns non-zero on a match and 0 otherwise.  A plain memcmp() is fine
 * here: an OID is a public mechanism identifier, not a secret.
 */
int
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
{
	if (ctx == NULL || ctx->oid == GSS_C_NO_OID)
		return 0;
	if (ctx->oid->length != len)
		return 0;
	/* Lengths agree, so the comparison stays within both buffers. */
	return memcmp(ctx->oid->elements, data, len) == 0;
}

/*
 * Give ctx a private copy of the OID encoded in the len bytes at data,
 * releasing whatever OID it held before.  ctx must be non-NULL; an
 * allocation failure is fatal through xmalloc().
 */
void
ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len)
{
	gss_OID fresh;

	if (ctx->oid != GSS_C_NO_OID) {
		xfree(ctx->oid->elements);
		xfree(ctx->oid);
	}

	fresh = xmalloc(sizeof(*fresh));
	ctx->oid = fresh;
	fresh->length = len;
	fresh->elements = xmalloc(len);
	memcpy(fresh->elements, data, len);
}

/* Copy the OID described by oid into ctx; see ssh_gssapi_set_oid_data(). */
void
ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
{
	ssh_gssapi_set_oid_data(ctx, oid->elements, oid->length);
}

/*
 * Log, at debug level, the GSSAPI status currently recorded in ctxt.
 * The text comes from ssh_gssapi_last_error() and is freed here.
 */
void
ssh_gssapi_error(Gssctxt *ctxt)
{
	char *text = ssh_gssapi_last_error(ctxt, NULL, NULL);

	debug("%s", text);
	xfree(text);
}

/*
 * Append to b every text fragment gss_display_status() produces for code,
 * interpreted as a code_type status of mechanism mech, with a '\n' after
 * each fragment.  The library's message context drives the loop and is
 * back to 0 once the last fragment has been returned.
 */
static void
ssh_gssapi_append_status(Buffer *b, OM_uint32 code, int code_type,
    gss_OID mech)
{
	OM_uint32 lmin;
	OM_uint32 msg_ctx = 0;
	gss_buffer_desc msg = GSS_C_EMPTY_BUFFER;

	do {
		gss_display_status(&lmin, code, code_type, mech, &msg_ctx,
		    &msg);
		buffer_append(b, msg.value, msg.length);
		buffer_put_char(b, '\n');
		gss_release_buffer(&lmin, &msg);
	} while (msg_ctx != 0);
}

/*
 * Render the last GSSAPI status stored in ctxt as text: the generic
 * (major) status lines followed by the mechanism-specific (minor) ones.
 * When major_status / minor_status are non-NULL the raw codes are stored
 * through them as well.  Returns a NUL-terminated string allocated with
 * xmalloc() that the caller must free.
 */
char *
ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
    OM_uint32 *minor_status)
{
	Buffer text;
	char *result;
	u_int n;

	if (major_status != NULL)
		*major_status = ctxt->major;
	if (minor_status != NULL)
		*minor_status = ctxt->minor;

	buffer_init(&text);
	ssh_gssapi_append_status(&text, ctxt->major, GSS_C_GSS_CODE,
	    ctxt->oid);
	ssh_gssapi_append_status(&text, ctxt->minor, GSS_C_MECH_CODE,
	    ctxt->oid);
	buffer_put_char(&text, '\0');

	n = buffer_len(&text);
	result = xmalloc(n);
	buffer_get(&text, result, n);
	buffer_free(&text);

	return result;
}

/*
 * Allocate a zeroed Gssctxt and point every GSSAPI handle in it at the
 * library's "no object" value.  This single structure carries all the
 * state that both client and server need across successive
 * {accept,init}_sec_context calls, which keeps the userauth code simple.
 * Allocation failure is fatal through xcalloc().
 */
void
ssh_gssapi_build_ctx(Gssctxt **ctx)
{
	Gssctxt *fresh = xcalloc(1, sizeof(*fresh));

	fresh->context = GSS_C_NO_CONTEXT;
	fresh->name = GSS_C_NO_NAME;
	fresh->oid = GSS_C_NO_OID;
	fresh->creds = GSS_C_NO_CREDENTIAL;
	fresh->client = GSS_C_NO_NAME;
	fresh->client_creds = GSS_C_NO_CREDENTIAL;

	/* A previous *ctx is overwritten, not freed; callers pass an empty slot. */
	*ctx = fresh;
}

/* Release a context and everything it owns, then NULL the caller's pointer. */
void
ssh_gssapi_delete_ctx(Gssctxt **ctx)
{
	Gssctxt *g = *ctx;
	OM_uint32 minor;

	if (g == NULL)
		return;

	/*
	 * Hand each live handle back to the library.  The minor status of
	 * the release calls is never inspected.  GSS_C_NO_BUFFER asks for no
	 * context-deletion token in return.
	 */
	if (g->context != GSS_C_NO_CONTEXT)
		gss_delete_sec_context(&minor, &g->context, GSS_C_NO_BUFFER);
	if (g->name != GSS_C_NO_NAME)
		gss_release_name(&minor, &g->name);
	if (g->oid != GSS_C_NO_OID) {
		/* The OID is our own private copy (ssh_gssapi_set_oid_data). */
		xfree(g->oid->elements);
		xfree(g->oid);
		g->oid = GSS_C_NO_OID;
	}
	if (g->creds != GSS_C_NO_CREDENTIAL)
		gss_release_cred(&minor, &g->creds);
	if (g->client != GSS_C_NO_NAME)
		gss_release_name(&minor, &g->client);
	if (g->client_creds != GSS_C_NO_CREDENTIAL)
		gss_release_cred(&minor, &g->client_creds);

	/* NOTE(review): the structure is freed without being cleared first. */
	xfree(g);
	*ctx = NULL;
}

/*
 * Run one gss_init_sec_context() step for ctx.  The context must already
 * hold the mechanism OID and the target (server) name set up by
 * ssh_gssapi_import_name().  recv_tok is the peer's last token (or
 * GSS_C_NO_BUFFER on the first call); the token to send back is left in
 * send_tok, and the flags the mechanism granted in *flags (may be NULL).
 *
 * Mutual authentication and integrity are always requested.  Credential
 * delegation (GSS_C_DELEG_FLAG) is requested only when deleg_creds is
 * set: it forwards the user's credentials to the server, so callers
 * should enable it deliberately.  Nothing here checks which flags were
 * actually granted; that is the caller's job via *flags.
 *
 * Returns ctx->major; an error status is also logged at debug level.
 */
OM_uint32
ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
    gss_buffer_desc* send_tok, OM_uint32 *flags)
{
	OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;

	if (deleg_creds) {
		debug("Delegating credentials");
		req_flags |= GSS_C_DELEG_FLAG;
	}

	ctx->major = gss_init_sec_context(&ctx->minor, GSS_C_NO_CREDENTIAL,
	    &ctx->context, ctx->name, ctx->oid, req_flags, 0, NULL, recv_tok,
	    NULL, send_tok, flags, NULL);

	if (GSS_ERROR(ctx->major))
		ssh_gssapi_error(ctx);

	return ctx->major;
}

/*
 * Import the host-based service name "host@<host>" into ctx->name.  The
 * name is built verbatim from host; no canonicalisation happens here, so
 * the caller must supply the host name it has already decided to trust.
 * Returns ctx->major; any non-zero status is logged at debug level.
 */
OM_uint32
ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
{
	gss_buffer_desc name_buf;
	char *principal;

	xasprintf(&principal, "host@%s", host);
	name_buf.value = principal;
	name_buf.length = strlen(principal);

	ctx->major = gss_import_name(&ctx->minor, &name_buf,
	    GSS_C_NT_HOSTBASED_SERVICE, &ctx->name);
	if (ctx->major != 0)
		ssh_gssapi_error(ctx);

	xfree(principal);
	return ctx->major;
}

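/*
 * Compute a GSSAPI MIC over buffer using the security context in ctx and
 * leave it in hash (a library-allocated buffer the caller releases with
 * gss_release_buffer()).  Returns ctx->major, which is 0 on success; any
 * non-zero status is logged at debug level.
 *
 * ctx may be NULL when no context was ever built (for instance after a
 * failed ssh_gssapi_check_mechanism()).  Instead of dereferencing it, an
 * all-bits-set status is returned so that GSS_ERROR() on the result is
 * true; there is no context to log against, so nothing is logged.
 */
OM_uint32
ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
{
	if (ctx == NULL)
		return (OM_uint32)-1;

	ctx->major = gss_get_mic(&ctx->minor, ctx->context,
	    GSS_C_QOP_DEFAULT, buffer, hash);
	if (ctx->major != 0)
		ssh_gssapi_error(ctx);

	return ctx->major;
}

/*
 * Assemble into b the byte string the userauth MIC is computed over: the
 * SSH2 session identifier, the SSH2_MSG_USERAUTH_REQUEST message number,
 * then user, service and context as SSH strings.  Including session_id2
 * is what ties the resulting MIC to this connection (presumably so a MIC
 * captured from one session cannot be replayed on another).  b is
 * initialised here; the caller owns and frees it.
 */
void
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
    const char *context)
{
	buffer_init(b);
	buffer_put_string(b, session_id2, session_id2_len);
	buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST);
	buffer_put_cstring(b, user);
	buffer_put_cstring(b, service);
	buffer_put_cstring(b, context);
}

/*
 * Probe whether the GSSAPI mechanism oid is usable against host: build a
 * context for it, import "host@<host>" and try the first
 * gss_init_sec_context() step, then discard the resulting token and the
 * partial security context.  Returns 1 when the mechanism works, leaving
 * *ctx (OID and target name set, no security context) for the real
 * exchange; returns 0 and deletes *ctx on any GSS error.  SPNEGO is
 * refused up front because RFC 4462 forbids using it under SSH.
 *
 * NOTE(review): ssh_gssapi_build_ctx() overwrites *ctx without freeing a
 * previous value, so callers are expected to pass in an empty slot.
 */
int
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
{
	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
	OM_uint32 major, minor;
	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};

	/* RFC 4462 says we MUST NOT do SPNEGO */
	if (oid->length == spnego_oid.length &&
	    memcmp(oid->elements, spnego_oid.elements, oid->length) == 0)
		return 0;

	ssh_gssapi_build_ctx(ctx);
	ssh_gssapi_set_oid(*ctx, oid);

	major = ssh_gssapi_import_name(*ctx, host);
	if (!GSS_ERROR(major)) {
		/* First leg only: no input token, no credential delegation. */
		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
		    NULL);
		gss_release_buffer(&minor, &token);
		/* Drop the half-built security context; only the probe result matters. */
		if ((*ctx)->context != GSS_C_NO_CONTEXT)
			gss_delete_sec_context(&minor, &(*ctx)->context,
			    GSS_C_NO_BUFFER);
	}

	if (GSS_ERROR(major))
		ssh_gssapi_delete_ctx(ctx);

	return !GSS_ERROR(major);
}

#endif /* GSSAPI */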