summaryrefslogtreecommitdiff
path: root/gss-genr.c
diff options
context:
space:
mode:
Diffstat (limited to 'gss-genr.c')
-rw-r--r--gss-genr.c173
1 files changed, 172 insertions, 1 deletions
diff --git a/gss-genr.c b/gss-genr.c
index 9bc31aa2a..9dec270a3 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
1/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */ 1/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 4 * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
5 * 5 *
6 * Redistribution and use in source and binary forms, with or without 6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions 7 * modification, are permitted provided that the following conditions
@@ -34,12 +34,152 @@
34#include "log.h" 34#include "log.h"
35#include "monitor_wrap.h" 35#include "monitor_wrap.h"
36#include "ssh2.h" 36#include "ssh2.h"
37#include <openssl/evp.h>
37 38
38#include "ssh-gss.h" 39#include "ssh-gss.h"
39 40
40extern u_char *session_id2; 41extern u_char *session_id2;
41extern u_int session_id2_len; 42extern u_int session_id2_len;
42 43
44typedef struct {
45 char *encoded;
46 gss_OID oid;
47} ssh_gss_kex_mapping;
48
49/*
50 * XXX - It would be nice to find a more elegant way of handling the
51 * XXX passing of the key exchange context to the userauth routines
52 */
53
54Gssctxt *gss_kex_context = NULL;
55
56static ssh_gss_kex_mapping *gss_enc2oid = NULL;
57
58int
59ssh_gssapi_oid_table_ok() {
60 return (gss_enc2oid != NULL);
61}
62
63/*
64 * Return a list of the gss-group1-sha1 mechanisms supported by this program
65 *
66 * We test mechanisms to ensure that we can use them, to avoid starting
67 * a key exchange with a bad mechanism
68 */
69
70
71char *
72ssh_gssapi_client_mechanisms(const char *host) {
73 gss_OID_set gss_supported;
74 OM_uint32 min_status;
75
76 gss_indicate_mechs(&min_status, &gss_supported);
77
78 return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
79 (void *)host));
80}
81
82char *
83ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
84 void *data) {
85 Buffer buf;
86 int i, oidpos, enclen;
87 char *mechs, *encoded;
88 char digest[EVP_MAX_MD_SIZE];
89 char deroid[2];
90 const EVP_MD *evp_md = EVP_md5();
91 EVP_MD_CTX md;
92
93 if (gss_enc2oid != NULL) {
94 for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
95 xfree(gss_enc2oid[i].encoded);
96 xfree(gss_enc2oid);
97 }
98
99 gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
100 (gss_supported->count+1));
101
102 buffer_init(&buf);
103
104 oidpos = 0;
105 for (i = 0;i < gss_supported->count;i++) {
106 if (gss_supported->elements[i].length < 128 &&
107 (*check)(&(gss_supported->elements[i]), data)) {
108
109 deroid[0] = SSH_GSS_OIDTYPE;
110 deroid[1] = gss_supported->elements[i].length;
111
112 EVP_DigestInit(&md, evp_md);
113 EVP_DigestUpdate(&md, deroid, 2);
114 EVP_DigestUpdate(&md,
115 gss_supported->elements[i].elements,
116 gss_supported->elements[i].length);
117 EVP_DigestFinal(&md, digest, NULL);
118
119 encoded = xmalloc(EVP_MD_size(evp_md)*2);
120 enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
121 encoded, EVP_MD_size(evp_md)*2);
122
123 if (oidpos != 0)
124 buffer_put_char(&buf, ',');
125
126 buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
127 sizeof(KEX_GSS_GEX_SHA1_ID)-1);
128 buffer_append(&buf, encoded, enclen);
129 buffer_put_char(&buf,',');
130 buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
131 sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
132 buffer_append(&buf, encoded, enclen);
133
134 gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
135 gss_enc2oid[oidpos].encoded = encoded;
136 oidpos++;
137 }
138 }
139 gss_enc2oid[oidpos].oid = NULL;
140 gss_enc2oid[oidpos].encoded = NULL;
141
142 buffer_put_char(&buf, '\0');
143
144 mechs = xmalloc(buffer_len(&buf));
145 buffer_get(&buf, mechs, buffer_len(&buf));
146 buffer_free(&buf);
147
148 if (strlen(mechs) == 0) {
149 xfree(mechs);
150 mechs = NULL;
151 }
152
153 return (mechs);
154}
155
156gss_OID
157ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int *gex) {
158 int i = 0;
159
160 if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
161 sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
162 name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
163 *gex = 0;
164 } else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
165 sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
166 name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
167 *gex = 1;
168 } else {
169 return NULL;
170 }
171
172 while (gss_enc2oid[i].encoded != NULL &&
173 strcmp(name, gss_enc2oid[i].encoded) != 0) {
174 i++;
175 }
176
177 if (gss_enc2oid[i].oid != NULL && ctx != NULL)
178 ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
179
180 return gss_enc2oid[i].oid;
181}
182
43/* Check that the OID in a data stream matches that in the context */ 183/* Check that the OID in a data stream matches that in the context */
44int 184int
45ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) 185ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
@@ -250,6 +390,9 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
250OM_uint32 390OM_uint32
251ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) 391ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
252{ 392{
393 if (ctx == NULL)
394 return -1;
395
253 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, 396 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
254 GSS_C_QOP_DEFAULT, buffer, hash))) 397 GSS_C_QOP_DEFAULT, buffer, hash)))
255 ssh_gssapi_error(ctx); 398 ssh_gssapi_error(ctx);
@@ -257,6 +400,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
257 return (ctx->major); 400 return (ctx->major);
258} 401}
259 402
403/* Priviledged when used by server */
404OM_uint32
405ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
406{
407 if (ctx == NULL)
408 return -1;
409
410 ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
411 gssbuf, gssmic, NULL);
412
413 return (ctx->major);
414}
415
260void 416void
261ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, 417ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
262 const char *context) 418 const char *context)
@@ -278,4 +434,19 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
278 return (ssh_gssapi_acquire_cred(*ctx)); 434 return (ssh_gssapi_acquire_cred(*ctx));
279} 435}
280 436
437int
438ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
439 Gssctxt * ctx = NULL;
440 gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
441 OM_uint32 major, minor;
442
443 ssh_gssapi_build_ctx(&ctx);
444 ssh_gssapi_set_oid(ctx, oid);
445 ssh_gssapi_import_name(ctx, host);
446 major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
447 gss_release_buffer(&minor, &token);
448 ssh_gssapi_delete_ctx(&ctx);
449 return (!GSS_ERROR(major));
450}
451
281#endif /* GSSAPI */ 452#endif /* GSSAPI */