1 files changed, 172 insertions, 1 deletions
diff --git a/gss-genr.c b/gss-genr.c
index 9bc31aa2a..9dec270a3 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
 /*      $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $        */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -34,12 +34,152 @@
 #include "log.h"
 #include "monitor_wrap.h"
 #include "ssh2.h"
+#include <openssl/evp.h>
 #include "ssh-gss.h"
 extern u_char *session_id2;
 extern u_int session_id2_len;
+typedef struct {
+        char *encoded;
+        gss_OID oid;
+} ssh_gss_kex_mapping;
+/*
+ * XXX - It would be nice to find a more elegant way of handling the
+ * XXX   passing of the key exchange context to the userauth routines
+ */
+Gssctxt *gss_kex_context = NULL;
+static ssh_gss_kex_mapping *gss_enc2oid = NULL;
+int 
+ssh_gssapi_oid_table_ok() {
+        return (gss_enc2oid != NULL);
+}
+/*
+ * Return a list of the gss-group1-sha1 mechanisms supported by this program
+ *
+ * We test mechanisms to ensure that we can use them, to avoid starting
+ * a key exchange with a bad mechanism
+ */
+char *
+ssh_gssapi_client_mechanisms(const char *host) {
+        gss_OID_set gss_supported;
+        OM_uint32 min_status;
+        gss_indicate_mechs(&min_status, &gss_supported);
+        return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
+            (void *)host));
+}
+char *
+ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
+    void *data) {
+        Buffer buf;
+        int i, oidpos, enclen;
+        char *mechs, *encoded;
+        char digest[EVP_MAX_MD_SIZE];
+        char deroid[2];
+        const EVP_MD *evp_md = EVP_md5();
+        EVP_MD_CTX md;
+        if (gss_enc2oid != NULL) {
+                for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
+                        xfree(gss_enc2oid[i].encoded);
+                xfree(gss_enc2oid);
+        }
+        gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
+            (gss_supported->count+1));
+        buffer_init(&buf);
+        oidpos = 0;
+        for (i = 0;i < gss_supported->count;i++) {
+                if (gss_supported->elements[i].length < 128 &&
+                    (*check)(&(gss_supported->elements[i]), data)) {
+                        deroid[0] = SSH_GSS_OIDTYPE;
+                        deroid[1] = gss_supported->elements[i].length;
+                        EVP_DigestInit(&md, evp_md);
+                        EVP_DigestUpdate(&md, deroid, 2);
+                        EVP_DigestUpdate(&md,
+                            gss_supported->elements[i].elements,
+                            gss_supported->elements[i].length);
+                        EVP_DigestFinal(&md, digest, NULL);
+                        encoded = xmalloc(EVP_MD_size(evp_md)*2);
+                        enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
+                            encoded, EVP_MD_size(evp_md)*2);
+                        if (oidpos != 0)
+                            buffer_put_char(&buf, ',');
+                        buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
+                            sizeof(KEX_GSS_GEX_SHA1_ID)-1);
+                        buffer_append(&buf, encoded, enclen);
+                        buffer_put_char(&buf,',');
+                        buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, 
+                            sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
+                        buffer_append(&buf, encoded, enclen);
+                        gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
+                        gss_enc2oid[oidpos].encoded = encoded;
+                        oidpos++;
+                }
+        }
+        gss_enc2oid[oidpos].oid = NULL;
+        gss_enc2oid[oidpos].encoded = NULL;
+        buffer_put_char(&buf, '\0');
+        mechs = xmalloc(buffer_len(&buf));
+        buffer_get(&buf, mechs, buffer_len(&buf));
+        buffer_free(&buf);
+        if (strlen(mechs) == 0) {
+                xfree(mechs);
+                mechs = NULL;
+        }
+        
+        return (mechs);
+}
+gss_OID
+ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int *gex) {
+        int i = 0;
+        if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
+            sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
+                name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
+                *gex = 0;
+        } else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
+            sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
+                name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
+                *gex = 1;
+        } else {
+                return NULL;
+        }
+        while (gss_enc2oid[i].encoded != NULL &&
+            strcmp(name, gss_enc2oid[i].encoded) != 0) {
+                i++;
+        }
+        if (gss_enc2oid[i].oid != NULL && ctx != NULL)
+                ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
+        return gss_enc2oid[i].oid;
+}
 /* Check that the OID in a data stream matches that in the context */
 int
 ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
@@ -250,6 +390,9 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
 OM_uint32
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 {
+        if (ctx == NULL) 
+                return -1;
        if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
            GSS_C_QOP_DEFAULT, buffer, hash)))
                ssh_gssapi_error(ctx);
@@ -257,6 +400,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
        return (ctx->major);
 }
+/* Priviledged when used by server */
+OM_uint32
+ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+{
+        if (ctx == NULL)
+                return -1;
+        ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
+            gssbuf, gssmic, NULL);
+        return (ctx->major);
+}
 void
 ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
    const char *context)
@@ -278,4 +434,19 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
        return (ssh_gssapi_acquire_cred(*ctx));
 }
+int
+ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
+        Gssctxt * ctx = NULL;
+        gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+        OM_uint32 major, minor;
+        
+        ssh_gssapi_build_ctx(&ctx);
+        ssh_gssapi_set_oid(ctx, oid);
+        ssh_gssapi_import_name(ctx, host);
+        major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
+        gss_release_buffer(&minor, &token);
+        ssh_gssapi_delete_ctx(&ctx);
+        return (!GSS_ERROR(major));
+}
 #endif /* GSSAPI */

diff --git a/gss-genr.c b/gss-genr.c index 9bc31aa2a..9dec270a3 100644 --- a/gss-genr.c +++ b/gss-genr.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */	1	/* $OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2005 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -34,12 +34,152 @@
34	#include "log.h"	34	#include "log.h"
35	#include "monitor_wrap.h"	35	#include "monitor_wrap.h"
36	#include "ssh2.h"	36	#include "ssh2.h"
		37	#include <openssl/evp.h>
37		38
38	#include "ssh-gss.h"	39	#include "ssh-gss.h"
39		40
40	extern u_char *session_id2;	41	extern u_char *session_id2;
41	extern u_int session_id2_len;	42	extern u_int session_id2_len;
42		43
		44	typedef struct {
		45	char *encoded;
		46	gss_OID oid;
		47	} ssh_gss_kex_mapping;
		48
		49	/*
		50	* XXX - It would be nice to find a more elegant way of handling the
		51	* XXX passing of the key exchange context to the userauth routines
		52	*/
		53
		54	Gssctxt *gss_kex_context = NULL;
		55
		56	static ssh_gss_kex_mapping *gss_enc2oid = NULL;
		57
		58	int
		59	ssh_gssapi_oid_table_ok() {
		60	return (gss_enc2oid != NULL);
		61	}
		62
		63	/*
		64	* Return a list of the gss-group1-sha1 mechanisms supported by this program
		65	*
		66	* We test mechanisms to ensure that we can use them, to avoid starting
		67	* a key exchange with a bad mechanism
		68	*/
		69
		70
		71	char *
		72	ssh_gssapi_client_mechanisms(const char *host) {
		73	gss_OID_set gss_supported;
		74	OM_uint32 min_status;
		75
		76	gss_indicate_mechs(&min_status, &gss_supported);
		77
		78	return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
		79	(void *)host));
		80	}
		81
		82	char *
		83	ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
		84	void *data) {
		85	Buffer buf;
		86	int i, oidpos, enclen;
		87	char mechs, encoded;
		88	char digest[EVP_MAX_MD_SIZE];
		89	char deroid[2];
		90	const EVP_MD *evp_md = EVP_md5();
		91	EVP_MD_CTX md;
		92
		93	if (gss_enc2oid != NULL) {
		94	for (i=0;gss_enc2oid[i].encoded!=NULL;i++)
		95	xfree(gss_enc2oid[i].encoded);
		96	xfree(gss_enc2oid);
		97	}
		98
		99	gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping)*
		100	(gss_supported->count+1));
		101
		102	buffer_init(&buf);
		103
		104	oidpos = 0;
		105	for (i = 0;i < gss_supported->count;i++) {
		106	if (gss_supported->elements[i].length < 128 &&
		107	(*check)(&(gss_supported->elements[i]), data)) {
		108
		109	deroid[0] = SSH_GSS_OIDTYPE;
		110	deroid[1] = gss_supported->elements[i].length;
		111
		112	EVP_DigestInit(&md, evp_md);
		113	EVP_DigestUpdate(&md, deroid, 2);
		114	EVP_DigestUpdate(&md,
		115	gss_supported->elements[i].elements,
		116	gss_supported->elements[i].length);
		117	EVP_DigestFinal(&md, digest, NULL);
		118
		119	encoded = xmalloc(EVP_MD_size(evp_md)*2);
		120	enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
		121	encoded, EVP_MD_size(evp_md)*2);
		122
		123	if (oidpos != 0)
		124	buffer_put_char(&buf, ',');
		125
		126	buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
		127	sizeof(KEX_GSS_GEX_SHA1_ID)-1);
		128	buffer_append(&buf, encoded, enclen);
		129	buffer_put_char(&buf,',');
		130	buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
		131	sizeof(KEX_GSS_GRP1_SHA1_ID)-1);
		132	buffer_append(&buf, encoded, enclen);
		133
		134	gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
		135	gss_enc2oid[oidpos].encoded = encoded;
		136	oidpos++;
		137	}
		138	}
		139	gss_enc2oid[oidpos].oid = NULL;
		140	gss_enc2oid[oidpos].encoded = NULL;
		141
		142	buffer_put_char(&buf, '\0');
		143
		144	mechs = xmalloc(buffer_len(&buf));
		145	buffer_get(&buf, mechs, buffer_len(&buf));
		146	buffer_free(&buf);
		147
		148	if (strlen(mechs) == 0) {
		149	xfree(mechs);
		150	mechs = NULL;
		151	}
		152
		153	return (mechs);
		154	}
		155
		156	gss_OID
		157	ssh_gssapi_id_kex(Gssctxt ctx, char name, int *gex) {
		158	int i = 0;
		159
		160	if (strncmp(name, KEX_GSS_GRP1_SHA1_ID,
		161	sizeof(KEX_GSS_GRP1_SHA1_ID)-1) == 0) {
		162	name+=sizeof(KEX_GSS_GRP1_SHA1_ID)-1;
		163	*gex = 0;
		164	} else if (strncmp(name, KEX_GSS_GEX_SHA1_ID,
		165	sizeof(KEX_GSS_GEX_SHA1_ID)-1) == 0) {
		166	name+=sizeof(KEX_GSS_GEX_SHA1_ID)-1;
		167	*gex = 1;
		168	} else {
		169	return NULL;
		170	}
		171
		172	while (gss_enc2oid[i].encoded != NULL &&
		173	strcmp(name, gss_enc2oid[i].encoded) != 0) {
		174	i++;
		175	}
		176
		177	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
		178	ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
		179
		180	return gss_enc2oid[i].oid;
		181	}
		182
43	/* Check that the OID in a data stream matches that in the context */	183	/* Check that the OID in a data stream matches that in the context */
44	int	184	int
45	ssh_gssapi_check_oid(Gssctxt ctx, void data, size_t len)	185	ssh_gssapi_check_oid(Gssctxt ctx, void data, size_t len)
@@ -250,6 +390,9 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
250	OM_uint32	390	OM_uint32
251	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)	391	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
252	{	392	{
		393	if (ctx == NULL)
		394	return -1;
		395
253	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,	396	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
254	GSS_C_QOP_DEFAULT, buffer, hash)))	397	GSS_C_QOP_DEFAULT, buffer, hash)))
255	ssh_gssapi_error(ctx);	398	ssh_gssapi_error(ctx);
@@ -257,6 +400,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
257	return (ctx->major);	400	return (ctx->major);
258	}	401	}
259		402
		403	/* Priviledged when used by server */
		404	OM_uint32
		405	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
		406	{
		407	if (ctx == NULL)
		408	return -1;
		409
		410	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
		411	gssbuf, gssmic, NULL);
		412
		413	return (ctx->major);
		414	}
		415
260	void	416	void
261	ssh_gssapi_buildmic(Buffer b, const char user, const char *service,	417	ssh_gssapi_buildmic(Buffer b, const char user, const char *service,
262	const char *context)	418	const char *context)
@@ -278,4 +434,19 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
278	return (ssh_gssapi_acquire_cred(*ctx));	434	return (ssh_gssapi_acquire_cred(*ctx));
279	}	435	}
280		436
		437	int
		438	ssh_gssapi_check_mechanism(gss_OID oid, void *host) {
		439	Gssctxt * ctx = NULL;
		440	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
		441	OM_uint32 major, minor;
		442
		443	ssh_gssapi_build_ctx(&ctx);
		444	ssh_gssapi_set_oid(ctx, oid);
		445	ssh_gssapi_import_name(ctx, host);
		446	major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
		447	gss_release_buffer(&minor, &token);
		448	ssh_gssapi_delete_ctx(&ctx);
		449	return (!GSS_ERROR(major));
		450	}
		451
281	#endif /* GSSAPI */	452	#endif /* GSSAPI */