1 files changed, 272 insertions, 4 deletions
diff --git a/gss-genr.c b/gss-genr.c
index b39281bc1..b7d1b7dbf 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
 /*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -39,12 +39,167 @@
 #include "buffer.h"
 #include "log.h"
 #include "ssh2.h"
+#include "cipher.h"
+#include "key.h"
+#include "kex.h"
+#include <openssl/evp.h>
 #include "ssh-gss.h"
 extern u_char *session_id2;
 extern u_int session_id2_len;
+typedef struct {
+        char *encoded;
+        gss_OID oid;
+} ssh_gss_kex_mapping;
+/*
+ * XXX - It would be nice to find a more elegant way of handling the
+ * XXX   passing of the key exchange context to the userauth routines
+ */
+Gssctxt *gss_kex_context = NULL;
+static ssh_gss_kex_mapping *gss_enc2oid = NULL;
+int 
+ssh_gssapi_oid_table_ok() {
+        return (gss_enc2oid != NULL);
+}
+/*
+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
+ *
+ * We test mechanisms to ensure that we can use them, to avoid starting
+ * a key exchange with a bad mechanism
+ */
+char *
+ssh_gssapi_client_mechanisms(const char *host, const char *client) {
+        gss_OID_set gss_supported;
+        OM_uint32 min_status;
+        if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
+                return NULL;
+        return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
+            host, client));
+}
+char *
+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
+    const char *host, const char *client) {
+        Buffer buf;
+        size_t i;
+        int oidpos, enclen;
+        char *mechs, *encoded;
+        u_char digest[EVP_MAX_MD_SIZE];
+        char deroid[2];
+        const EVP_MD *evp_md = EVP_md5();
+        EVP_MD_CTX md;
+        if (gss_enc2oid != NULL) {
+                for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
+                        free(gss_enc2oid[i].encoded);
+                free(gss_enc2oid);
+        }
+        gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
+            (gss_supported->count + 1));
+        buffer_init(&buf);
+        oidpos = 0;
+        for (i = 0; i < gss_supported->count; i++) {
+                if (gss_supported->elements[i].length < 128 &&
+                    (*check)(NULL, &(gss_supported->elements[i]), host, client)) {
+                        deroid[0] = SSH_GSS_OIDTYPE;
+                        deroid[1] = gss_supported->elements[i].length;
+                        EVP_DigestInit(&md, evp_md);
+                        EVP_DigestUpdate(&md, deroid, 2);
+                        EVP_DigestUpdate(&md,
+                            gss_supported->elements[i].elements,
+                            gss_supported->elements[i].length);
+                        EVP_DigestFinal(&md, digest, NULL);
+                        encoded = xmalloc(EVP_MD_size(evp_md) * 2);
+                        enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+                            encoded, EVP_MD_size(evp_md) * 2);
+                        if (oidpos != 0)
+                                buffer_put_char(&buf, ',');
+                        buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
+                            sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
+                        buffer_append(&buf, encoded, enclen);
+                        buffer_put_char(&buf, ',');
+                        buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
+                            sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
+                        buffer_append(&buf, encoded, enclen);
+                        buffer_put_char(&buf, ',');
+                        buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
+                            sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
+                        buffer_append(&buf, encoded, enclen);
+                        gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+                        gss_enc2oid[oidpos].encoded = encoded;
+                        oidpos++;
+                }
+        }
+        gss_enc2oid[oidpos].oid = NULL;
+        gss_enc2oid[oidpos].encoded = NULL;
+        buffer_put_char(&buf, '\0');
+        mechs = xmalloc(buffer_len(&buf));
+        buffer_get(&buf, mechs, buffer_len(&buf));
+        buffer_free(&buf);
+        if (strlen(mechs) == 0) {
+                free(mechs);
+                mechs = NULL;
+        }
+        
+        return (mechs);
+}
+gss_OID
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
+        int i = 0;
+        
+        switch (kex_type) {
+        case KEX_GSS_GRP1_SHA1:
+                if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
+                        return GSS_C_NO_OID;
+                name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
+                break;
+        case KEX_GSS_GRP14_SHA1:
+                if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
+                        return GSS_C_NO_OID;
+                name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
+                break;
+        case KEX_GSS_GEX_SHA1:
+                if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
+                        return GSS_C_NO_OID;
+                name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
+                break;
+        default:
+                return GSS_C_NO_OID;
+        }
+        while (gss_enc2oid[i].encoded != NULL &&
+            strcmp(name, gss_enc2oid[i].encoded) != 0)
+                i++;
+        if (gss_enc2oid[i].oid != NULL && ctx != NULL)
+                ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
+        return gss_enc2oid[i].oid;
+}
 /* Check that the OID in a data stream matches that in the context */
 int
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
        }
        ctx->major = gss_init_sec_context(&ctx->minor,
-            GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,
+            ctx->client_creds, &ctx->context, ctx->name, ctx->oid,
            GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
            0, NULL, recv_tok, NULL, send_tok, flags, NULL);
@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 }
 OM_uint32
+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
+{
+        gss_buffer_desc gssbuf;
+        gss_name_t gssname;
+        OM_uint32 status;
+        gss_OID_set oidset;
+        gssbuf.value = (void *) name;
+        gssbuf.length = strlen(gssbuf.value);
+        gss_create_empty_oid_set(&status, &oidset);
+        gss_add_oid_set_member(&status, ctx->oid, &oidset);
+        ctx->major = gss_import_name(&ctx->minor, &gssbuf,
+            GSS_C_NT_USER_NAME, &gssname);
+        if (!ctx->major)
+                ctx->major = gss_acquire_cred(&ctx->minor, 
+                    gssname, 0, oidset, GSS_C_INITIATE, 
+                    &ctx->client_creds, NULL, NULL);
+        gss_release_name(&status, &gssname);
+        gss_release_oid_set(&status, &oidset);
+        if (ctx->major)
+                ssh_gssapi_error(ctx);
+        return(ctx->major);
+}
+OM_uint32
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 {
+        if (ctx == NULL) 
+                return -1;
        if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
            GSS_C_QOP_DEFAULT, buffer, hash)))
                ssh_gssapi_error(ctx);
@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
        return (ctx->major);
 }
+/* Priviledged when used by server */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+        if (ctx == NULL)
+                return -1;
+        ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+            gssbuf, gssmic, NULL);
+        return (ctx->major);
+}
 void
 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
    const char *context)
@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
 }
 int
-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, 
+    const char *client)
 {
        gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
        OM_uint32 major, minor;
        gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+        Gssctxt *intctx = NULL;
+        if (ctx == NULL)
+                ctx = &intctx;
        /* RFC 4462 says we MUST NOT do SPNEGO */
        if (oid->length == spnego_oid.length && 
@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
        ssh_gssapi_build_ctx(ctx);
        ssh_gssapi_set_oid(*ctx, oid);
        major = ssh_gssapi_import_name(*ctx, host);
+        if (!GSS_ERROR(major) && client)
+                major = ssh_gssapi_client_identity(*ctx, client);
        if (!GSS_ERROR(major)) {
                major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
                    NULL);
@@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
                            GSS_C_NO_BUFFER);
        }
-        if (GSS_ERROR(major)) 
+        if (GSS_ERROR(major) || intctx != NULL) 
                ssh_gssapi_delete_ctx(ctx);
        return (!GSS_ERROR(major));
 }
+int
+ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
+        static gss_name_t saved_name = GSS_C_NO_NAME;
+        static OM_uint32 saved_lifetime = 0;
+        static gss_OID saved_mech = GSS_C_NO_OID;
+        static gss_name_t name;
+        static OM_uint32 last_call = 0;
+        OM_uint32 lifetime, now, major, minor;
+        int equal;
+        gss_cred_usage_t usage = GSS_C_INITIATE;
+        
+        now = time(NULL);
+        if (ctxt) {
+                debug("Rekey has happened - updating saved versions");
+                if (saved_name != GSS_C_NO_NAME)
+                        gss_release_name(&minor, &saved_name);
+                major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
+                    &saved_name, &saved_lifetime, NULL, NULL);
+                if (!GSS_ERROR(major)) {
+                        saved_mech = ctxt->oid;
+                        saved_lifetime+= now;
+                } else {
+                        /* Handle the error */
+                }
+                return 0;
+        }
+        if (now - last_call < 10)
+                return 0;
+        last_call = now;
+        if (saved_mech == GSS_C_NO_OID)
+                return 0;
+        
+        major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, 
+            &name, &lifetime, NULL, NULL);
+        if (major == GSS_S_CREDENTIALS_EXPIRED)
+                return 0;
+        else if (GSS_ERROR(major))
+                return 0;
+        major = gss_compare_name(&minor, saved_name, name, &equal);
+        gss_release_name(&minor, &name);
+        if (GSS_ERROR(major))
+                return 0;
+        if (equal && (saved_lifetime < lifetime + now - 10))
+                return 1;
+        return 0;
+}
 #endif /* GSSAPI */

diff --git a/gss-genr.c b/gss-genr.c index b39281bc1..b7d1b7dbf 100644 --- a/gss-genr.c +++ b/gss-genr.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */	1	/* $OpenBSD: gss-genr.c,v 1.22 2013/11/08 00:39:15 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -39,12 +39,167 @@
39	#include "buffer.h"	39	#include "buffer.h"
40	#include "log.h"	40	#include "log.h"
41	#include "ssh2.h"	41	#include "ssh2.h"
		42	#include "cipher.h"
		43	#include "key.h"
		44	#include "kex.h"
		45	#include <openssl/evp.h>
42		46
43	#include "ssh-gss.h"	47	#include "ssh-gss.h"
44		48
45	extern u_char *session_id2;	49	extern u_char *session_id2;
46	extern u_int session_id2_len;	50	extern u_int session_id2_len;
47		51
		52	typedef struct {
		53	char *encoded;
		54	gss_OID oid;
		55	} ssh_gss_kex_mapping;
		56
		57	/*
		58	* XXX - It would be nice to find a more elegant way of handling the
		59	* XXX passing of the key exchange context to the userauth routines
		60	*/
		61
		62	Gssctxt *gss_kex_context = NULL;
		63
		64	static ssh_gss_kex_mapping *gss_enc2oid = NULL;
		65
		66	int
		67	ssh_gssapi_oid_table_ok() {
		68	return (gss_enc2oid != NULL);
		69	}
		70
		71	/*
		72	* Return a list of the gss-group1-sha1 mechanisms supported by this program
		73	*
		74	* We test mechanisms to ensure that we can use them, to avoid starting
		75	* a key exchange with a bad mechanism
		76	*/
		77
		78	char *
		79	ssh_gssapi_client_mechanisms(const char host, const char client) {
		80	gss_OID_set gss_supported;
		81	OM_uint32 min_status;
		82
		83	if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported)))
		84	return NULL;
		85
		86	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
		87	host, client));
		88	}
		89
		90	char *
		91	ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
		92	const char host, const char client) {
		93	Buffer buf;
		94	size_t i;
		95	int oidpos, enclen;
		96	char mechs, encoded;
		97	u_char digest[EVP_MAX_MD_SIZE];
		98	char deroid[2];
		99	const EVP_MD *evp_md = EVP_md5();
		100	EVP_MD_CTX md;
		101
		102	if (gss_enc2oid != NULL) {
		103	for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
		104	free(gss_enc2oid[i].encoded);
		105	free(gss_enc2oid);
		106	}
		107
		108	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) *
		109	(gss_supported->count + 1));
		110
		111	buffer_init(&buf);
		112
		113	oidpos = 0;
		114	for (i = 0; i < gss_supported->count; i++) {
		115	if (gss_supported->elements[i].length < 128 &&
		116	(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
		117
		118	deroid[0] = SSH_GSS_OIDTYPE;
		119	deroid[1] = gss_supported->elements[i].length;
		120
		121	EVP_DigestInit(&md, evp_md);
		122	EVP_DigestUpdate(&md, deroid, 2);
		123	EVP_DigestUpdate(&md,
		124	gss_supported->elements[i].elements,
		125	gss_supported->elements[i].length);
		126	EVP_DigestFinal(&md, digest, NULL);
		127
		128	encoded = xmalloc(EVP_MD_size(evp_md) * 2);
		129	enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
		130	encoded, EVP_MD_size(evp_md) * 2);
		131
		132	if (oidpos != 0)
		133	buffer_put_char(&buf, ',');
		134
		135	buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
		136	sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
		137	buffer_append(&buf, encoded, enclen);
		138	buffer_put_char(&buf, ',');
		139	buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
		140	sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
		141	buffer_append(&buf, encoded, enclen);
		142	buffer_put_char(&buf, ',');
		143	buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
		144	sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
		145	buffer_append(&buf, encoded, enclen);
		146
		147	gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
		148	gss_enc2oid[oidpos].encoded = encoded;
		149	oidpos++;
		150	}
		151	}
		152	gss_enc2oid[oidpos].oid = NULL;
		153	gss_enc2oid[oidpos].encoded = NULL;
		154
		155	buffer_put_char(&buf, '\0');
		156
		157	mechs = xmalloc(buffer_len(&buf));
		158	buffer_get(&buf, mechs, buffer_len(&buf));
		159	buffer_free(&buf);
		160
		161	if (strlen(mechs) == 0) {
		162	free(mechs);
		163	mechs = NULL;
		164	}
		165
		166	return (mechs);
		167	}
		168
		169	gss_OID
		170	ssh_gssapi_id_kex(Gssctxt ctx, char name, int kex_type) {
		171	int i = 0;
		172
		173	switch (kex_type) {
		174	case KEX_GSS_GRP1_SHA1:
		175	if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID))
		176	return GSS_C_NO_OID;
		177	name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
		178	break;
		179	case KEX_GSS_GRP14_SHA1:
		180	if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID))
		181	return GSS_C_NO_OID;
		182	name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
		183	break;
		184	case KEX_GSS_GEX_SHA1:
		185	if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID))
		186	return GSS_C_NO_OID;
		187	name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
		188	break;
		189	default:
		190	return GSS_C_NO_OID;
		191	}
		192
		193	while (gss_enc2oid[i].encoded != NULL &&
		194	strcmp(name, gss_enc2oid[i].encoded) != 0)
		195	i++;
		196
		197	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
		198	ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
		199
		200	return gss_enc2oid[i].oid;
		201	}
		202
48	/* Check that the OID in a data stream matches that in the context */	203	/* Check that the OID in a data stream matches that in the context */
49	int	204	int
50	ssh_gssapi_check_oid(Gssctxt ctx, void data, size_t len)	205	ssh_gssapi_check_oid(Gssctxt ctx, void data, size_t len)
@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt ctx, int deleg_creds, gss_buffer_desc recv_tok,
197	}	352	}
198		353
199	ctx->major = gss_init_sec_context(&ctx->minor,	354	ctx->major = gss_init_sec_context(&ctx->minor,
200	GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid,	355	ctx->client_creds, &ctx->context, ctx->name, ctx->oid,
201	GSS_C_MUTUAL_FLAG \| GSS_C_INTEG_FLAG \| deleg_flag,	356	GSS_C_MUTUAL_FLAG \| GSS_C_INTEG_FLAG \| deleg_flag,
202	0, NULL, recv_tok, NULL, send_tok, flags, NULL);	357	0, NULL, recv_tok, NULL, send_tok, flags, NULL);
203		358
@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt ctx, const char host)
227	}	382	}
228		383
229	OM_uint32	384	OM_uint32
		385	ssh_gssapi_client_identity(Gssctxt ctx, const char name)
		386	{
		387	gss_buffer_desc gssbuf;
		388	gss_name_t gssname;
		389	OM_uint32 status;
		390	gss_OID_set oidset;
		391
		392	gssbuf.value = (void *) name;
		393	gssbuf.length = strlen(gssbuf.value);
		394
		395	gss_create_empty_oid_set(&status, &oidset);
		396	gss_add_oid_set_member(&status, ctx->oid, &oidset);
		397
		398	ctx->major = gss_import_name(&ctx->minor, &gssbuf,
		399	GSS_C_NT_USER_NAME, &gssname);
		400
		401	if (!ctx->major)
		402	ctx->major = gss_acquire_cred(&ctx->minor,
		403	gssname, 0, oidset, GSS_C_INITIATE,
		404	&ctx->client_creds, NULL, NULL);
		405
		406	gss_release_name(&status, &gssname);
		407	gss_release_oid_set(&status, &oidset);
		408
		409	if (ctx->major)
		410	ssh_gssapi_error(ctx);
		411
		412	return(ctx->major);
		413	}
		414
		415	OM_uint32
230	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)	416	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
231	{	417	{
		418	if (ctx == NULL)
		419	return -1;
		420
232	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,	421	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
233	GSS_C_QOP_DEFAULT, buffer, hash)))	422	GSS_C_QOP_DEFAULT, buffer, hash)))
234	ssh_gssapi_error(ctx);	423	ssh_gssapi_error(ctx);
@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
236	return (ctx->major);	425	return (ctx->major);
237	}	426	}
238		427
		428	/* Priviledged when used by server */
		429	OM_uint32
		430	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
		431	{
		432	if (ctx == NULL)
		433	return -1;
		434
		435	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
		436	gssbuf, gssmic, NULL);
		437
		438	return (ctx->major);
		439	}
		440
239	void	441	void
240	ssh_gssapi_buildmic(Buffer b, const char user, const char *service,	442	ssh_gssapi_buildmic(Buffer b, const char user, const char *service,
241	const char *context)	443	const char *context)
@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer b, const char user, const char *service,
249	}	451	}
250		452
251	int	453	int
252	ssh_gssapi_check_mechanism(Gssctxt *ctx, gss_OID oid, const char host)	454	ssh_gssapi_check_mechanism(Gssctxt *ctx, gss_OID oid, const char host,
		455	const char *client)
253	{	456	{
254	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;	457	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
255	OM_uint32 major, minor;	458	OM_uint32 major, minor;
256	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};	459	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
		460	Gssctxt *intctx = NULL;
		461
		462	if (ctx == NULL)
		463	ctx = &intctx;
257		464
258	/* RFC 4462 says we MUST NOT do SPNEGO */	465	/* RFC 4462 says we MUST NOT do SPNEGO */
259	if (oid->length == spnego_oid.length &&	466	if (oid->length == spnego_oid.length &&
@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt *ctx, gss_OID oid, const char host)
263	ssh_gssapi_build_ctx(ctx);	470	ssh_gssapi_build_ctx(ctx);
264	ssh_gssapi_set_oid(*ctx, oid);	471	ssh_gssapi_set_oid(*ctx, oid);
265	major = ssh_gssapi_import_name(*ctx, host);	472	major = ssh_gssapi_import_name(*ctx, host);
		473
		474	if (!GSS_ERROR(major) && client)
		475	major = ssh_gssapi_client_identity(*ctx, client);
		476
266	if (!GSS_ERROR(major)) {	477	if (!GSS_ERROR(major)) {
267	major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,	478	major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
268	NULL);	479	NULL);
@@ -272,10 +483,67 @@ ssh_gssapi_check_mechanism(Gssctxt *ctx, gss_OID oid, const char host)
272	GSS_C_NO_BUFFER);	483	GSS_C_NO_BUFFER);
273	}	484	}
274		485
275	if (GSS_ERROR(major))	486	if (GSS_ERROR(major) \|\| intctx != NULL)
276	ssh_gssapi_delete_ctx(ctx);	487	ssh_gssapi_delete_ctx(ctx);
277		488
278	return (!GSS_ERROR(major));	489	return (!GSS_ERROR(major));
279	}	490	}
280		491
		492	int
		493	ssh_gssapi_credentials_updated(Gssctxt *ctxt) {
		494	static gss_name_t saved_name = GSS_C_NO_NAME;
		495	static OM_uint32 saved_lifetime = 0;
		496	static gss_OID saved_mech = GSS_C_NO_OID;
		497	static gss_name_t name;
		498	static OM_uint32 last_call = 0;
		499	OM_uint32 lifetime, now, major, minor;
		500	int equal;
		501	gss_cred_usage_t usage = GSS_C_INITIATE;
		502
		503	now = time(NULL);
		504
		505	if (ctxt) {
		506	debug("Rekey has happened - updating saved versions");
		507
		508	if (saved_name != GSS_C_NO_NAME)
		509	gss_release_name(&minor, &saved_name);
		510
		511	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
		512	&saved_name, &saved_lifetime, NULL, NULL);
		513
		514	if (!GSS_ERROR(major)) {
		515	saved_mech = ctxt->oid;
		516	saved_lifetime+= now;
		517	} else {
		518	/* Handle the error */
		519	}
		520	return 0;
		521	}
		522
		523	if (now - last_call < 10)
		524	return 0;
		525
		526	last_call = now;
		527
		528	if (saved_mech == GSS_C_NO_OID)
		529	return 0;
		530
		531	major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL,
		532	&name, &lifetime, NULL, NULL);
		533	if (major == GSS_S_CREDENTIALS_EXPIRED)
		534	return 0;
		535	else if (GSS_ERROR(major))
		536	return 0;
		537
		538	major = gss_compare_name(&minor, saved_name, name, &equal);
		539	gss_release_name(&minor, &name);
		540	if (GSS_ERROR(major))
		541	return 0;
		542
		543	if (equal && (saved_lifetime < lifetime + now - 10))
		544	return 1;
		545
		546	return 0;
		547	}
		548
281	#endif /* GSSAPI */	549	#endif /* GSSAPI */