1 files changed, 172 insertions, 1 deletions
diff --git a/gss-genr.c b/gss-genr.c
index c2b4f2dd8..dfaa708ea 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
 /*      $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $    */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -32,12 +32,152 @@
 #include "bufaux.h"
 #include "log.h"
 #include "ssh2.h"
+#include <openssl/evp.h>
 #include "ssh-gss.h"
 extern u_char *session_id2;
 extern u_int session_id2_len;
+typedef struct {
+        char *encoded;
+        gss_OID oid;
+} ssh_gss_kex_mapping;
+/*
+ * XXX - It would be nice to find a more elegant way of handling the
+ * XXX   passing of the key exchange context to the userauth routines
+ */
+Gssctxt *gss_kex_context = NULL;
+static ssh_gss_kex_mapping *gss_enc2oid = NULL;
+int 
+ssh_gssapi_oid_table_ok() {
+        return (gss_enc2oid != NULL);
+}
+/*
+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
+ *
+ * We test mechanisms to ensure that we can use them, to avoid starting
+ * a key exchange with a bad mechanism
+ */
+char *
+ssh_gssapi_client_mechanisms(const char *host) {
+        gss_OID_set gss_supported;
+        OM_uint32 min_status;
+        gss_indicate_mechs(&min_status, &gss_supported);
+        return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
+            (void *)host));
+}
+char *
+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
+    void *data) {
+        Buffer buf;
+        int i, oidpos, enclen;
+        char *mechs, *encoded;
+        char digest[EVP_MAX_MD_SIZE];
+        char deroid[2];
+        const EVP_MD *evp_md = EVP_md5();
+        EVP_MD_CTX md;
+        if (gss_enc2oid != NULL) {
+                for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
+                        xfree(gss_enc2oid[i].encoded);
+                xfree(gss_enc2oid);
+        }
+        gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
+            (gss_supported->count+1));
+        buffer_init(&buf);
+        oidpos = 0;
+        for (i = 0;i < gss_supported->count;i++) {
+                if (gss_supported->elements[i].length < 128 &&
+                    (*check)(&(gss_supported->elements[i]), data)) {
+                        deroid[0] = SSH_GSS_OIDTYPE;
+                        deroid[1] = gss_supported->elements[i].length;
+                        EVP_DigestInit(&md, evp_md);
+                        EVP_DigestUpdate(&md, deroid, 2);
+                        EVP_DigestUpdate(&md,
+                            gss_supported->elements[i].elements,
+                            gss_supported->elements[i].length);
+                        EVP_DigestFinal(&md, digest, NULL);
+                        encoded = xmalloc(EVP_MD_size(evp_md)*2);
+                        enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+                            encoded, EVP_MD_size(evp_md)*2);
+                        if (oidpos != 0)
+                            buffer_put_char(&buf, ',');
+                        buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
+                            sizeof(KEX_GSS_GEX_SHA1_ID)-1);
+                        buffer_append(&buf, encoded, enclen);
+                        buffer_put_char(&buf,',');
+                        buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
+                            sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
+                        buffer_append(&buf, encoded, enclen);
+                        gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+                        gss_enc2oid[oidpos].encoded = encoded;
+                        oidpos++;
+                }
+        }
+        gss_enc2oid[oidpos].oid = NULL;
+        gss_enc2oid[oidpos].encoded = NULL;
+        buffer_put_char(&buf, '\0');
+        mechs = xmalloc(buffer_len(&buf));
+        buffer_get(&buf, mechs, buffer_len(&buf));
+        buffer_free(&buf);
+        if (strlen(mechs) == 0) {
+                xfree(mechs);
+                mechs = NULL;
+        }
+        
+        return (mechs);
+}
+gss_OID
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int *gex) {
+        int i = 0;
+        if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
+            sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
+                name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
+                *gex = 0;
+        } else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
+            sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
+                name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
+                *gex = 1;
+        } else {
+                return NULL;
+        }
+        while (gss_enc2oid[i].encoded != NULL &&
+            strcmp(name, gss_enc2oid[i].encoded) != 0) {
+                i++;
+        }
+        if (gss_enc2oid[i].oid != NULL && ctx != NULL)
+                ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
+        return gss_enc2oid[i].oid;
+}
 /* Check that the OID in a data stream matches that in the context */
 int
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
@@ -248,6 +388,9 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
 OM_uint32
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 {
+        if (ctx == NULL) 
+                return -1;
        if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
            GSS_C_QOP_DEFAULT, buffer, hash)))
                ssh_gssapi_error(ctx);
@@ -255,6 +398,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
        return (ctx->major);
 }
+/* Priviledged when used by server */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+        if (ctx == NULL)
+                return -1;
+        ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+            gssbuf, gssmic, NULL);
+        return (ctx->major);
+}
 void
 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
    const char *context)
@@ -277,4 +433,19 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
        return (ssh_gssapi_acquire_cred(*ctx));
 }
+int
+ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
+        Gssctxt * ctx = NULL;
+        gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        
+        ssh_gssapi_build_ctx(&ctx);
+        ssh_gssapi_set_oid(ctx, oid);
+        ssh_gssapi_import_name(ctx, host);
+        major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
+        gss_release_buffer(&minor, &token);
+        ssh_gssapi_delete_ctx(&ctx);
+        return (!GSS_ERROR(major));
+}
 #endif /* GSSAPI */

diff --git a/gss-genr.c b/gss-genr.c index c2b4f2dd8..dfaa708ea 100644 --- a/gss-genr.c +++ b/gss-genr.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */	1	/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -32,12 +32,152 @@
32	#include "bufaux.h"	32	#include "bufaux.h"
33	#include "log.h"	33	#include "log.h"
34	#include "ssh2.h"	34	#include "ssh2.h"
		35	#include <openssl/evp.h>
35		36
36	#include "ssh-gss.h"	37	#include "ssh-gss.h"
37		38
38	extern u_char *session_id2;	39	extern u_char *session_id2;
39	extern u_int session_id2_len;	40	extern u_int session_id2_len;
40		41
		42	typedef struct {
		43	char *encoded;
		44	gss_OID oid;
		45	} ssh_gss_kex_mapping;
		46
		47	/*
		48	* XXX - It would be nice to find a more elegant way of handling the
		49	* XXX passing of the key exchange context to the userauth routines
		50	*/
		51
		52	Gssctxt *gss_kex_context = NULL;
		53
		54	static ssh_gss_kex_mapping *gss_enc2oid = NULL;
		55
		56	int
		57	ssh_gssapi_oid_table_ok() {
		58	return (gss_enc2oid != NULL);
		59	}
		60
		61	/*
		62	* Return a list of the gss-group1-sha1 mechanisms supported by this program
		63	*
		64	* We test mechanisms to ensure that we can use them, to avoid starting
		65	* a key exchange with a bad mechanism
		66	*/
		67
		68
		69	char *
		70	ssh_gssapi_client_mechanisms(const char *host) {
		71	gss_OID_set gss_supported;
		72	OM_uint32 min_status;
		73
		74	gss_indicate_mechs(&min_status, &gss_supported);
		75
		76	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
		77	(void *)host));
		78	}
		79
		80	char *
		81	ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
		82	void *data) {
		83	Buffer buf;
		84	int i, oidpos, enclen;
		85	char mechs, encoded;
		86	char digest[EVP_MAX_MD_SIZE];
		87	char deroid[2];
		88	const EVP_MD *evp_md = EVP_md5();
		89	EVP_MD_CTX md;
		90
		91	if (gss_enc2oid != NULL) {
		92	for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
		93	xfree(gss_enc2oid[i].encoded);
		94	xfree(gss_enc2oid);
		95	}
		96
		97	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
		98	(gss_supported->count+1));
		99
		100	buffer_init(&buf);
		101
		102	oidpos = 0;
		103	for (i = 0;i < gss_supported->count;i++) {
		104	if (gss_supported->elements[i].length < 128 &&
		105	(*check)(&(gss_supported->elements[i]), data)) {
		106
		107	deroid[0] = SSH_GSS_OIDTYPE;
		108	deroid[1] = gss_supported->elements[i].length;
		109
		110	EVP_DigestInit(&md, evp_md);
		111	EVP_DigestUpdate(&md, deroid, 2);
		112	EVP_DigestUpdate(&md,
		113	gss_supported->elements[i].elements,
		114	gss_supported->elements[i].length);
		115	EVP_DigestFinal(&md, digest, NULL);
		116
		117	encoded = xmalloc(EVP_MD_size(evp_md)*2);
		118	enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
		119	encoded, EVP_MD_size(evp_md)*2);
		120
		121	if (oidpos != 0)
		122	buffer_put_char(&buf, ',');
		123
		124	buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
		125	sizeof(KEX_GSS_GEX_SHA1_ID)-1);
		126	buffer_append(&buf, encoded, enclen);
		127	buffer_put_char(&buf,',');
		128	buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
		129	sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
		130	buffer_append(&buf, encoded, enclen);
		131
		132	gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
		133	gss_enc2oid[oidpos].encoded = encoded;
		134	oidpos++;
		135	}
		136	}
		137	gss_enc2oid[oidpos].oid = NULL;
		138	gss_enc2oid[oidpos].encoded = NULL;
		139
		140	buffer_put_char(&buf, '\0');
		141
		142	mechs = xmalloc(buffer_len(&buf));
		143	buffer_get(&buf, mechs, buffer_len(&buf));
		144	buffer_free(&buf);
		145
		146	if (strlen(mechs) == 0) {
		147	xfree(mechs);
		148	mechs = NULL;
		149	}
		150
		151	return (mechs);
		152	}
		153
		154	gss_OID
		155	ssh_gssapi_id_kex(Gssctxt ctx, char name, int *gex) {
		156	int i = 0;
		157
		158	if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
		159	sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
		160	name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
		161	*gex = 0;
		162	} else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
		163	sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
		164	name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
		165	*gex = 1;
		166	} else {
		167	return NULL;
		168	}
		169
		170	while (gss_enc2oid[i].encoded != NULL &&
		171	strcmp(name, gss_enc2oid[i].encoded) != 0) {
		172	i++;
		173	}
		174
		175	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
		176	ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
		177
		178	return gss_enc2oid[i].oid;
		179	}
		180
41	/* Check that the OID in a data stream matches that in the context */	181	/* Check that the OID in a data stream matches that in the context */
42	int	182	int
43	ssh_gssapi_check_oid(Gssctxt ctx, void data, size_t len)	183	ssh_gssapi_check_oid(Gssctxt ctx, void data, size_t len)
@@ -248,6 +388,9 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
248	OM_uint32	388	OM_uint32
249	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)	389	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
250	{	390	{
		391	if (ctx == NULL)
		392	return -1;
		393
251	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,	394	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
252	GSS_C_QOP_DEFAULT, buffer, hash)))	395	GSS_C_QOP_DEFAULT, buffer, hash)))
253	ssh_gssapi_error(ctx);	396	ssh_gssapi_error(ctx);
@@ -255,6 +398,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
255	return (ctx->major);	398	return (ctx->major);
256	}	399	}
257		400
		401	/* Priviledged when used by server */
		402	OM_uint32
		403	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
		404	{
		405	if (ctx == NULL)
		406	return -1;
		407
		408	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
		409	gssbuf, gssmic, NULL);
		410
		411	return (ctx->major);
		412	}
		413
258	void	414	void
259	ssh_gssapi_buildmic(Buffer b, const char user, const char *service,	415	ssh_gssapi_buildmic(Buffer b, const char user, const char *service,
260	const char *context)	416	const char *context)
@@ -277,4 +433,19 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
277	return (ssh_gssapi_acquire_cred(*ctx));	433	return (ssh_gssapi_acquire_cred(*ctx));
278	}	434	}
279		435
		436	int
		437	ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
		438	Gssctxt * ctx = NULL;
		439	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
		440	OM_uint32 major, minor;
		441
		442	ssh_gssapi_build_ctx(&ctx);
		443	ssh_gssapi_set_oid(ctx, oid);
		444	ssh_gssapi_import_name(ctx, host);
		445	major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
		446	gss_release_buffer(&minor, &token);
		447	ssh_gssapi_delete_ctx(&ctx);
		448	return (!GSS_ERROR(major));
		449	}
		450
280	#endif /* GSSAPI */	451	#endif /* GSSAPI */