Diffstat (limited to 'gss-genr.c')
-rw-r--r-- | gss-genr.c | 173 |
1 files changed, 172 insertions, 1 deletions
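--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -34,12 +34,152 @@
 #include "log.h"
 #include "monitor_wrap.h"
 #include "ssh2.h"
+#include <openssl/evp.h>
 
 #include "ssh-gss.h"
 
 extern u_char *session_id2;
 extern u_int session_id2_len;
 
+typedef struct {
+char *encoded;
+gss_OID oid;
+} ssh_gss_kex_mapping;
+
+/*
+ * XXX - It would be nice to find a more elegant way of handling the
+ * XXX passing of the key exchange context to the userauth routines
+ */
+
+Gssctxt *gss_kex_context = NULL;
+
+static ssh_gss_kex_mapping *gss_enc2oid = NULL;
+
+int
+ssh_gssapi_oid_table_ok() {
+return (gss_enc2oid != NULL);
+}
+
+/*
+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
+ *
+ * We test mechanisms to ensure that we can use them, to avoid starting
+ * a key exchange with a bad mechanism
+ */
+
+
+char *
+ssh_gssapi_client_mechanisms(const char *host) {
+gss_OID_set gss_supported;
+OM_uint32 min_status;
+
+gss_indicate_mechs(&min_status, &gss_supported);
+
+return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
+(void *)host));
+}
+
+char *
+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
+void *data) {
+Buffer buf;
+int i, oidpos, enclen;
+char *mechs, *encoded;
+char digest[EVP_MAX_MD_SIZE];
+char deroid[2];
+const EVP_MD *evp_md = EVP_md5();
+EVP_MD_CTX md;
+
+if (gss_enc2oid != NULL) {
+for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
+xfree(gss_enc2oid[i].encoded);
+xfree(gss_enc2oid);
+}
+
+gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
+(gss_supported->count+1));
+
+buffer_init(&buf);
+
+oidpos = 0;
+for (i = 0;i < gss_supported->count;i++) {
+if (gss_supported->elements[i].length < 128 &&
+(*check)(&(gss_supported->elements[i]), data)) {
+
+deroid[0] = SSH_GSS_OIDTYPE;
+deroid[1] = gss_supported->elements[i].length;
+
+EVP_DigestInit(&md, evp_md);
+EVP_DigestUpdate(&md, deroid, 2);
+EVP_DigestUpdate(&md,
+gss_supported->elements[i].elements,
+gss_supported->elements[i].length);
+EVP_DigestFinal(&md, digest, NULL);
+
+encoded = xmalloc(EVP_MD_size(evp_md)*2);
+enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+encoded, EVP_MD_size(evp_md)*2);
+
+if (oidpos != 0)
+buffer_put_char(&buf, ',');
+
+buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
+sizeof(KEX_GSS_GEX_SHA1_ID)-1);
+buffer_append(&buf, encoded, enclen);
+buffer_put_char(&buf,',');
+buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
+sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
+buffer_append(&buf, encoded, enclen);
+
+gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+gss_enc2oid[oidpos].encoded = encoded;
+oidpos++;
+}
+}
+gss_enc2oid[oidpos].oid = NULL;
+gss_enc2oid[oidpos].encoded = NULL;
+
+buffer_put_char(&buf, '\0');
+
+mechs = xmalloc(buffer_len(&buf));
+buffer_get(&buf, mechs, buffer_len(&buf));
+buffer_free(&buf);
+
+if (strlen(mechs) == 0) {
+xfree(mechs);
+mechs = NULL;
+}
+
+return (mechs);
+}
+
+gss_OID
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int *gex) {
+int i = 0;
+
+if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
+sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
+name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
+*gex = 0;
+} else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
+sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
+name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
+*gex = 1;
+} else {
+return NULL;
+}
+
+while (gss_enc2oid[i].encoded != NULL &&
+strcmp(name, gss_enc2oid[i].encoded) != 0) {
+i++;
+}
+
+if (gss_enc2oid[i].oid != NULL && ctx != NULL)
+ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
+
+return gss_enc2oid[i].oid;
+}
+
 /* Check that the OID in a data stream matches that in the context */
 int
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
@@ -250,6 +390,9 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
 OM_uint32
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 {
+if (ctx == NULL)
+return -1;
+
 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
 GSS_C_QOP_DEFAULT, buffer, hash)))
 ssh_gssapi_error(ctx);
@@ -257,6 +400,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 return (ctx->major);
 }
 
+/* Priviledged when used by server */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+if (ctx == NULL)
+return -1;
+
+ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+gssbuf, gssmic, NULL);
+
+return (ctx->major);
+}
+
 void
 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
 const char *context)
@@ -278,4 +434,19 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
 return (ssh_gssapi_acquire_cred(*ctx));
 }
 
+int
+ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
+Gssctxt * ctx = NULL;
+gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+OM_uint32 major, minor;
+
+ssh_gssapi_build_ctx(&ctx);
+ssh_gssapi_set_oid(ctx, oid);
+ssh_gssapi_import_name(ctx, host);
+major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
+gss_release_buffer(&minor, &token);
+ssh_gssapi_delete_ctx(&ctx);
+return (!GSS_ERROR(major));
+}
+
 #endif /* GSSAPI */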
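Review bot: The status returned by `gss_indicate_mechs()` in ssh_gssapi_client_mechanisms (new line 76) is discarded, so when the call fails `gss_supported` is passed uninitialised into ssh_gssapi_kex_mechs, which reads `gss_supported->count` on its first use of the pointer. A guard such as `if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported))) return (NULL);` keeps that failure from becoming a read through an indeterminate pointer, and callers already treat a NULL result as "no GSSAPI mechanisms". Relatedly, ssh_gssapi_id_kex indexes `gss_enc2oid` without the `ssh_gssapi_oid_table_ok()` check this hunk introduces, so a caller that presumably passes a peer-proposed kex name before the table is built would dereference NULL; either add `if (gss_enc2oid == NULL) return NULL;` before the lookup loop or document in a header comment that ssh_gssapi_kex_mechs must have succeeded first. The mapping also keeps pointers into `gss_supported->elements`, so a comment on ssh_gssapi_kex_mechs should state that the caller must not release the OID set while the table is in use.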