b5afdff5 | 1 | /* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */ |
7cac2b65 | 2 | |
5598e598 | 3 | /* |
f97edba6 | 4 | * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
7cac2b65 | 5 | * |
5598e598 | 6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * 2. Redistributions in binary form must reproduce the above copyright | |
12 | * notice, this list of conditions and the following disclaimer in the | |
13 | * documentation and/or other materials provided with the distribution. | |
14 | * | |
15 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR | |
16 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
17 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
18 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
19 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
20 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
21 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
22 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
25 | */ | |
26 | ||
27 | #include "includes.h" | |
28 | ||
29 | #ifdef GSSAPI | |
30 | ||
#include <sys/types.h>
#include <sys/param.h>

#include <stdarg.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
37 | ||
5598e598 | 38 | #include "xmalloc.h" |
30460aeb | 39 | #include "buffer.h" |
5598e598 | 40 | #include "log.h" |
4dd35ca9 | 41 | #include "canohost.h" |
540d72c3 | 42 | #include "ssh2.h" |
f713db99 | 43 | #include "cipher.h" |
44 | #include "key.h" | |
45 | #include "kex.h" | |
fe4ad273 | 46 | #include <openssl/evp.h> |
5598e598 | 47 | |
48 | #include "ssh-gss.h" | |
49 | ||
540d72c3 | 50 | extern u_char *session_id2; |
51 | extern u_int session_id2_len; | |
52 | ||
23987cb8 | 53 | typedef struct { |
54 | char *encoded; | |
55 | gss_OID oid; | |
56 | } ssh_gss_kex_mapping; | |
5598e598 | 57 | |
fe4ad273 | 58 | /* |
59 | * XXX - It would be nice to find a more elegant way of handling the | |
60 | * XXX passing of the key exchange context to the userauth routines | |
61 | */ | |
62 | ||
63 | Gssctxt *gss_kex_context = NULL; | |
64 | ||
65 | static ssh_gss_kex_mapping *gss_enc2oid = NULL; | |
66 | ||
67 | int | |
68 | ssh_gssapi_oid_table_ok() { | |
69 | return (gss_enc2oid != NULL); | |
70 | } | |
71 | ||
72 | /* | |
73 | * Return a list of the gss-group1-sha1 mechanisms supported by this program | |
5598e598 | 74 | * |
fe4ad273 | 75 | * We test mechanisms to ensure that we can use them, to avoid starting |
76 | * a key exchange with a bad mechanism | |
5598e598 | 77 | */ |
23987cb8 | 78 | |
fe4ad273 | 79 | char * |
f97edba6 | 80 | ssh_gssapi_client_mechanisms(const char *host, const char *client) { |
fe4ad273 | 81 | gss_OID_set gss_supported; |
82 | OM_uint32 min_status; | |
83 | ||
f97edba6 | 84 | if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported))) |
85 | return NULL; | |
23987cb8 | 86 | |
fe4ad273 | 87 | return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism, |
f97edba6 | 88 | host, client)); |
fe4ad273 | 89 | } |
90 | ||
91 | char * | |
92 | ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check, | |
f97edba6 | 93 | const char *host, const char *client) { |
fe4ad273 | 94 | Buffer buf; |
95 | size_t i; | |
96 | int oidpos, enclen; | |
97 | char *mechs, *encoded; | |
f472818d | 98 | u_char digest[EVP_MAX_MD_SIZE]; |
fe4ad273 | 99 | char deroid[2]; |
100 | const EVP_MD *evp_md = EVP_md5(); | |
101 | EVP_MD_CTX md; | |
102 | ||
103 | if (gss_enc2oid != NULL) { | |
f713db99 | 104 | for (i = 0; gss_enc2oid[i].encoded != NULL; i++) |
fe4ad273 | 105 | xfree(gss_enc2oid[i].encoded); |
106 | xfree(gss_enc2oid); | |
107 | } | |
108 | ||
9c0efabd | 109 | gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * |
f713db99 | 110 | (gss_supported->count + 1)); |
fe4ad273 | 111 | |
112 | buffer_init(&buf); | |
113 | ||
114 | oidpos = 0; | |
f713db99 | 115 | for (i = 0; i < gss_supported->count; i++) { |
fe4ad273 | 116 | if (gss_supported->elements[i].length < 128 && |
f97edba6 | 117 | (*check)(NULL, &(gss_supported->elements[i]), host, client)) { |
9c0efabd | 118 | |
fe4ad273 | 119 | deroid[0] = SSH_GSS_OIDTYPE; |
120 | deroid[1] = gss_supported->elements[i].length; | |
23987cb8 | 121 | |
122 | EVP_DigestInit(&md, evp_md); | |
fe4ad273 | 123 | EVP_DigestUpdate(&md, deroid, 2); |
23987cb8 | 124 | EVP_DigestUpdate(&md, |
fe4ad273 | 125 | gss_supported->elements[i].elements, |
126 | gss_supported->elements[i].length); | |
23987cb8 | 127 | EVP_DigestFinal(&md, digest, NULL); |
23987cb8 | 128 | |
f713db99 | 129 | encoded = xmalloc(EVP_MD_size(evp_md) * 2); |
fe4ad273 | 130 | enclen = __b64_ntop(digest, EVP_MD_size(evp_md), |
f713db99 | 131 | encoded, EVP_MD_size(evp_md) * 2); |
23987cb8 | 132 | |
fe4ad273 | 133 | if (oidpos != 0) |
f713db99 | 134 | buffer_put_char(&buf, ','); |
fe4ad273 | 135 | |
136 | buffer_append(&buf, KEX_GSS_GEX_SHA1_ID, | |
f713db99 | 137 | sizeof(KEX_GSS_GEX_SHA1_ID) - 1); |
fe4ad273 | 138 | buffer_append(&buf, encoded, enclen); |
f713db99 | 139 | buffer_put_char(&buf, ','); |
fe4ad273 | 140 | buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, |
f713db99 | 141 | sizeof(KEX_GSS_GRP1_SHA1_ID) - 1); |
142 | buffer_append(&buf, encoded, enclen); | |
143 | buffer_put_char(&buf, ','); | |
144 | buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID, | |
145 | sizeof(KEX_GSS_GRP14_SHA1_ID) - 1); | |
fe4ad273 | 146 | buffer_append(&buf, encoded, enclen); |
147 | ||
148 | gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); | |
149 | gss_enc2oid[oidpos].encoded = encoded; | |
23987cb8 | 150 | oidpos++; |
d4ab470d | 151 | } |
23987cb8 | 152 | } |
fe4ad273 | 153 | gss_enc2oid[oidpos].oid = NULL; |
154 | gss_enc2oid[oidpos].encoded = NULL; | |
155 | ||
156 | buffer_put_char(&buf, '\0'); | |
157 | ||
158 | mechs = xmalloc(buffer_len(&buf)); | |
159 | buffer_get(&buf, mechs, buffer_len(&buf)); | |
5598e598 | 160 | buffer_free(&buf); |
23987cb8 | 161 | |
fe4ad273 | 162 | if (strlen(mechs) == 0) { |
163 | xfree(mechs); | |
164 | mechs = NULL; | |
23987cb8 | 165 | } |
166 | ||
fe4ad273 | 167 | return (mechs); |
168 | } | |
169 | ||
170 | gss_OID | |
f713db99 | 171 | ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) { |
fe4ad273 | 172 | int i = 0; |
f713db99 | 173 | |
174 | switch (kex_type) { | |
175 | case KEX_GSS_GRP1_SHA1: | |
f97edba6 | 176 | if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID)) |
177 | return GSS_C_NO_OID; | |
f713db99 | 178 | name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1; |
179 | break; | |
180 | case KEX_GSS_GRP14_SHA1: | |
f97edba6 | 181 | if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID)) |
182 | return GSS_C_NO_OID; | |
f713db99 | 183 | name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1; |
184 | break; | |
185 | case KEX_GSS_GEX_SHA1: | |
f97edba6 | 186 | if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID)) |
187 | return GSS_C_NO_OID; | |
f713db99 | 188 | name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1; |
189 | break; | |
190 | default: | |
191 | return GSS_C_NO_OID; | |
23987cb8 | 192 | } |
fe4ad273 | 193 | |
194 | while (gss_enc2oid[i].encoded != NULL && | |
f713db99 | 195 | strcmp(name, gss_enc2oid[i].encoded) != 0) |
fe4ad273 | 196 | i++; |
23987cb8 | 197 | |
fe4ad273 | 198 | if (gss_enc2oid[i].oid != NULL && ctx != NULL) |
199 | ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid); | |
200 | ||
23987cb8 | 201 | return gss_enc2oid[i].oid; |
5598e598 | 202 | } |
203 | ||
23987cb8 | 204 | /* Check that the OID in a data stream matches that in the context */ |
7cac2b65 | 205 | int |
206 | ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) | |
207 | { | |
208 | return (ctx != NULL && ctx->oid != GSS_C_NO_OID && | |
209 | ctx->oid->length == len && | |
210 | memcmp(ctx->oid->elements, data, len) == 0); | |
23987cb8 | 211 | } |
7cac2b65 | 212 | |
5598e598 | 213 | /* Set the contexts OID from a data stream */ |
7cac2b65 | 214 | void |
215 | ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) | |
216 | { | |
217 | if (ctx->oid != GSS_C_NO_OID) { | |
218 | xfree(ctx->oid->elements); | |
219 | xfree(ctx->oid); | |
220 | } | |
221 | ctx->oid = xmalloc(sizeof(gss_OID_desc)); | |
222 | ctx->oid->length = len; | |
223 | ctx->oid->elements = xmalloc(len); | |
224 | memcpy(ctx->oid->elements, data, len); | |
5598e598 | 225 | } |
226 | ||
227 | /* Set the contexts OID */ | |
7cac2b65 | 228 | void |
229 | ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid) | |
230 | { | |
231 | ssh_gssapi_set_oid_data(ctx, oid->elements, oid->length); | |
5598e598 | 232 | } |
233 | ||
23987cb8 | 234 | /* All this effort to report an error ... */ |
23987cb8 | 235 | void |
7cac2b65 | 236 | ssh_gssapi_error(Gssctxt *ctxt) |
237 | { | |
30460aeb | 238 | char *s; |
239 | ||
240 | s = ssh_gssapi_last_error(ctxt, NULL, NULL); | |
241 | debug("%s", s); | |
242 | xfree(s); | |
5598e598 | 243 | } |
244 | ||
23987cb8 | 245 | char * |
2ce0bfe4 | 246 | ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status, |
247 | OM_uint32 *minor_status) | |
7cac2b65 | 248 | { |
23987cb8 | 249 | OM_uint32 lmin; |
7cac2b65 | 250 | gss_buffer_desc msg = GSS_C_EMPTY_BUFFER; |
251 | OM_uint32 ctx; | |
252 | Buffer b; | |
253 | char *ret; | |
254 | ||
255 | buffer_init(&b); | |
256 | ||
257 | if (major_status != NULL) | |
258 | *major_status = ctxt->major; | |
259 | if (minor_status != NULL) | |
260 | *minor_status = ctxt->minor; | |
261 | ||
262 | ctx = 0; | |
5598e598 | 263 | /* The GSSAPI error */ |
7cac2b65 | 264 | do { |
265 | gss_display_status(&lmin, ctxt->major, | |
266 | GSS_C_GSS_CODE, ctxt->oid, &ctx, &msg); | |
267 | ||
268 | buffer_append(&b, msg.value, msg.length); | |
269 | buffer_put_char(&b, '\n'); | |
270 | ||
271 | gss_release_buffer(&lmin, &msg); | |
272 | } while (ctx != 0); | |
273 | ||
274 | /* The mechanism specific error */ | |
275 | do { | |
276 | gss_display_status(&lmin, ctxt->minor, | |
277 | GSS_C_MECH_CODE, ctxt->oid, &ctx, &msg); | |
278 | ||
279 | buffer_append(&b, msg.value, msg.length); | |
280 | buffer_put_char(&b, '\n'); | |
281 | ||
282 | gss_release_buffer(&lmin, &msg); | |
283 | } while (ctx != 0); | |
284 | ||
285 | buffer_put_char(&b, '\0'); | |
286 | ret = xmalloc(buffer_len(&b)); | |
287 | buffer_get(&b, ret, buffer_len(&b)); | |
288 | buffer_free(&b); | |
289 | return (ret); | |
5598e598 | 290 | } |
291 | ||
7cac2b65 | 292 | /* |
293 | * Initialise our GSSAPI context. We use this opaque structure to contain all | |
5598e598 | 294 | * of the data which both the client and server need to persist across |
295 | * {accept,init}_sec_context calls, so that when we do it from the userauth | |
296 | * stuff life is a little easier | |
297 | */ | |
298 | void | |
b59afbfe | 299 | ssh_gssapi_build_ctx(Gssctxt **ctx) |
5598e598 | 300 | { |
30460aeb | 301 | *ctx = xcalloc(1, sizeof (Gssctxt)); |
7cac2b65 | 302 | (*ctx)->context = GSS_C_NO_CONTEXT; |
303 | (*ctx)->name = GSS_C_NO_NAME; | |
304 | (*ctx)->oid = GSS_C_NO_OID; | |
305 | (*ctx)->creds = GSS_C_NO_CREDENTIAL; | |
306 | (*ctx)->client = GSS_C_NO_NAME; | |
307 | (*ctx)->client_creds = GSS_C_NO_CREDENTIAL; | |
5598e598 | 308 | } |
309 | ||
310 | /* Delete our context, providing it has been built correctly */ | |
311 | void | |
b59afbfe | 312 | ssh_gssapi_delete_ctx(Gssctxt **ctx) |
5598e598 | 313 | { |
9eeaa28e | 314 | #if !defined(MECHGLUE) |
5598e598 | 315 | OM_uint32 ms; |
9eeaa28e | 316 | #endif |
7cac2b65 | 317 | |
318 | if ((*ctx) == NULL) | |
b59afbfe | 319 | return; |
d4ab470d | 320 | #if !defined(MECHGLUE) /* mechglue has some memory management issues */ |
7cac2b65 | 321 | if ((*ctx)->context != GSS_C_NO_CONTEXT) |
322 | gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER); | |
b59afbfe | 323 | if ((*ctx)->name != GSS_C_NO_NAME) |
7cac2b65 | 324 | gss_release_name(&ms, &(*ctx)->name); |
b59afbfe | 325 | if ((*ctx)->oid != GSS_C_NO_OID) { |
326 | xfree((*ctx)->oid->elements); | |
327 | xfree((*ctx)->oid); | |
328 | (*ctx)->oid = GSS_C_NO_OID; | |
5598e598 | 329 | } |
b59afbfe | 330 | if ((*ctx)->creds != GSS_C_NO_CREDENTIAL) |
7cac2b65 | 331 | gss_release_cred(&ms, &(*ctx)->creds); |
b59afbfe | 332 | if ((*ctx)->client != GSS_C_NO_NAME) |
7cac2b65 | 333 | gss_release_name(&ms, &(*ctx)->client); |
b59afbfe | 334 | if ((*ctx)->client_creds != GSS_C_NO_CREDENTIAL) |
7cac2b65 | 335 | gss_release_cred(&ms, &(*ctx)->client_creds); |
d4ab470d | 336 | #endif |
7cac2b65 | 337 | |
b59afbfe | 338 | xfree(*ctx); |
7cac2b65 | 339 | *ctx = NULL; |
5598e598 | 340 | } |
341 | ||
7cac2b65 | 342 | /* |
343 | * Wrapper to init_sec_context | |
5598e598 | 344 | * Requires that the context contains: |
345 | * oid | |
7cac2b65 | 346 | * server name (from ssh_gssapi_import_name) |
5598e598 | 347 | */ |
7cac2b65 | 348 | OM_uint32 |
5598e598 | 349 | ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, |
7cac2b65 | 350 | gss_buffer_desc* send_tok, OM_uint32 *flags) |
5598e598 | 351 | { |
5598e598 | 352 | int deleg_flag = 0; |
7cac2b65 | 353 | |
5598e598 | 354 | if (deleg_creds) { |
7cac2b65 | 355 | deleg_flag = GSS_C_DELEG_FLAG; |
5598e598 | 356 | debug("Delegating credentials"); |
357 | } | |
7cac2b65 | 358 | |
359 | ctx->major = gss_init_sec_context(&ctx->minor, | |
f97edba6 | 360 | ctx->client_creds, &ctx->context, ctx->name, ctx->oid, |
7cac2b65 | 361 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
362 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | |
363 | ||
364 | if (GSS_ERROR(ctx->major)) | |
365 | ssh_gssapi_error(ctx); | |
366 | ||
367 | return (ctx->major); | |
5598e598 | 368 | } |
369 | ||
5598e598 | 370 | /* Create a service name for the given host */ |
371 | OM_uint32 | |
7cac2b65 | 372 | ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
373 | { | |
23987cb8 | 374 | gss_buffer_desc gssbuf; |
4dd35ca9 | 375 | char *xhost; |
30460aeb | 376 | char *val; |
7cac2b65 | 377 | |
5598e598 | 378 | /* Make a copy of the host name, in case it was returned by a |
e23e524c | 379 | * previous call to gethostbyname(). */ |
5598e598 | 380 | xhost = xstrdup(host); |
381 | ||
23987cb8 | 382 | /* Make sure we have the FQDN. Some GSSAPI implementations don't do |
e23e524c | 383 | * this for us themselves */ |
1df48666 | 384 | resolve_localhost(&xhost); |
23987cb8 | 385 | |
30460aeb | 386 | xasprintf(&val, "host@%s", xhost); |
387 | gssbuf.value = val; | |
388 | gssbuf.length = strlen(gssbuf.value); | |
7cac2b65 | 389 | |
390 | if ((ctx->major = gss_import_name(&ctx->minor, | |
391 | &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name))) | |
23987cb8 | 392 | ssh_gssapi_error(ctx); |
7cac2b65 | 393 | |
1c828c5c | 394 | xfree(xhost); |
5598e598 | 395 | xfree(gssbuf.value); |
7cac2b65 | 396 | return (ctx->major); |
5598e598 | 397 | } |
398 | ||
f97edba6 | 399 | OM_uint32 |
400 | ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) | |
401 | { | |
402 | gss_buffer_desc gssbuf; | |
403 | gss_name_t gssname; | |
404 | OM_uint32 status; | |
405 | gss_OID_set oidset; | |
406 | ||
407 | gssbuf.value = (void *) name; | |
408 | gssbuf.length = strlen(gssbuf.value); | |
409 | ||
410 | gss_create_empty_oid_set(&status, &oidset); | |
411 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | |
412 | ||
413 | ctx->major = gss_import_name(&ctx->minor, &gssbuf, | |
414 | GSS_C_NT_USER_NAME, &gssname); | |
415 | ||
416 | if (!ctx->major) | |
417 | ctx->major = gss_acquire_cred(&ctx->minor, | |
418 | gssname, 0, oidset, GSS_C_INITIATE, | |
419 | &ctx->client_creds, NULL, NULL); | |
420 | ||
421 | gss_release_name(&status, &gssname); | |
422 | gss_release_oid_set(&status, &oidset); | |
423 | ||
424 | if (ctx->major) | |
425 | ssh_gssapi_error(ctx); | |
426 | ||
427 | return(ctx->major); | |
428 | } | |
429 | ||
540d72c3 | 430 | OM_uint32 |
431 | ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | |
432 | { | |
f97edba6 | 433 | if (ctx == NULL) |
434 | return -1; | |
435 | ||
540d72c3 | 436 | if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, |
437 | GSS_C_QOP_DEFAULT, buffer, hash))) | |
438 | ssh_gssapi_error(ctx); | |
439 | ||
440 | return (ctx->major); | |
441 | } | |
442 | ||
fe4ad273 | 443 | /* Priviledged when used by server */ |
444 | OM_uint32 | |
445 | ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | |
446 | { | |
f97edba6 | 447 | if (ctx == NULL) |
448 | return -1; | |
fe4ad273 | 449 | |
f97edba6 | 450 | ctx->major = gss_verify_mic(&ctx->minor, ctx->context, |
451 | gssbuf, gssmic, NULL); | |
fe4ad273 | 452 | |
f97edba6 | 453 | return (ctx->major); |
fe4ad273 | 454 | } |
455 | ||
540d72c3 | 456 | void |
457 | ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, | |
458 | const char *context) | |
459 | { | |
460 | buffer_init(b); | |
461 | buffer_put_string(b, session_id2, session_id2_len); | |
462 | buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST); | |
463 | buffer_put_cstring(b, user); | |
464 | buffer_put_cstring(b, service); | |
465 | buffer_put_cstring(b, context); | |
466 | } | |
467 | ||
23987cb8 | 468 | int |
f97edba6 | 469 | ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, |
470 | const char *client) | |
30460aeb | 471 | { |
fe4ad273 | 472 | gss_buffer_desc token = GSS_C_EMPTY_BUFFER; |
473 | OM_uint32 major, minor; | |
30460aeb | 474 | gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; |
f713db99 | 475 | Gssctxt *intctx = NULL; |
476 | ||
477 | if (ctx == NULL) | |
478 | ctx = &intctx; | |
30460aeb | 479 | |
480 | /* RFC 4462 says we MUST NOT do SPNEGO */ | |
481 | if (oid->length == spnego_oid.length && | |
482 | (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0)) | |
483 | return 0; /* false */ | |
484 | ||
485 | ssh_gssapi_build_ctx(ctx); | |
486 | ssh_gssapi_set_oid(*ctx, oid); | |
487 | major = ssh_gssapi_import_name(*ctx, host); | |
f97edba6 | 488 | |
489 | if (!GSS_ERROR(major) && client) | |
490 | major = ssh_gssapi_client_identity(*ctx, client); | |
491 | ||
30460aeb | 492 | if (!GSS_ERROR(major)) { |
493 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | |
494 | NULL); | |
495 | gss_release_buffer(&minor, &token); | |
496 | if ((*ctx)->context != GSS_C_NO_CONTEXT) | |
497 | gss_delete_sec_context(&minor, &(*ctx)->context, | |
498 | GSS_C_NO_BUFFER); | |
499 | } | |
500 | ||
f713db99 | 501 | if (GSS_ERROR(major) || intctx != NULL) |
30460aeb | 502 | ssh_gssapi_delete_ctx(ctx); |
503 | ||
fe4ad273 | 504 | return (!GSS_ERROR(major)); |
b59afbfe | 505 | } |
f001f132 | 506 | |
f97edba6 | 507 | int |
508 | ssh_gssapi_credentials_updated(Gssctxt *ctxt) { | |
509 | static gss_name_t saved_name = GSS_C_NO_NAME; | |
510 | static OM_uint32 saved_lifetime = 0; | |
511 | static gss_OID saved_mech = GSS_C_NO_OID; | |
512 | static gss_name_t name; | |
513 | static OM_uint32 last_call = 0; | |
514 | OM_uint32 lifetime, now, major, minor; | |
515 | int equal; | |
f97edba6 | 516 | |
517 | now = time(NULL); | |
518 | ||
519 | if (ctxt) { | |
520 | debug("Rekey has happened - updating saved versions"); | |
521 | ||
522 | if (saved_name != GSS_C_NO_NAME) | |
523 | gss_release_name(&minor, &saved_name); | |
524 | ||
525 | major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, | |
526 | &saved_name, &saved_lifetime, NULL, NULL); | |
527 | ||
528 | if (!GSS_ERROR(major)) { | |
529 | saved_mech = ctxt->oid; | |
530 | saved_lifetime+= now; | |
531 | } else { | |
532 | /* Handle the error */ | |
533 | } | |
534 | return 0; | |
535 | } | |
536 | ||
537 | if (now - last_call < 10) | |
538 | return 0; | |
539 | ||
540 | last_call = now; | |
541 | ||
542 | if (saved_mech == GSS_C_NO_OID) | |
543 | return 0; | |
544 | ||
545 | major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, | |
546 | &name, &lifetime, NULL, NULL); | |
547 | if (major == GSS_S_CREDENTIALS_EXPIRED) | |
548 | return 0; | |
549 | else if (GSS_ERROR(major)) | |
550 | return 0; | |
551 | ||
552 | major = gss_compare_name(&minor, saved_name, name, &equal); | |
553 | gss_release_name(&minor, &name); | |
554 | if (GSS_ERROR(major)) | |
555 | return 0; | |
556 | ||
557 | if (equal && (saved_lifetime < lifetime + now - 10)) | |
558 | return 1; | |
559 | ||
560 | return 0; | |
561 | } | |
562 | ||
5598e598 | 563 | #endif /* GSSAPI */ |