[gssapi-openssh.git] / openssh / gss-serv.c

/*	$OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $	*/

/*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"

#ifdef GSSAPI

#include "ssh.h"
#include "ssh2.h"
#include "buffer.h"
#include "bufaux.h"
#include "packet.h"
#include "compat.h"
#include <openssl/evp.h>
#include "cipher.h"
#include "kex.h"
#include "auth.h"
#include "log.h"
#include "channels.h"
#include "session.h"
#include "dispatch.h"
#include "servconf.h"
#include "compat.h"
#include "monitor_wrap.h"
#include "xmalloc.h"
#include "getput.h"

#include "ssh-gss.h"

extern ServerOptions options;
extern u_char *session_id2;
extern int session_id2_len;

static ssh_gssapi_client gssapi_client =
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};

ssh_gssapi_mech gssapi_null_mech =
    { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};

#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
extern ssh_gssapi_mech gssapi_kerberos_mech_old;
#endif
#ifdef GSI
extern ssh_gssapi_mech gssapi_gsi_mech;
extern ssh_gssapi_mech gssapi_gsi_mech_old;
#endif

ssh_gssapi_mech* supported_mechs[]= {
#ifdef KRB5
	&gssapi_kerberos_mech,
	&gssapi_kerberos_mech_old, /* Support for legacy clients */
#endif
#ifdef GSI
	&gssapi_gsi_mech,
	&gssapi_gsi_mech_old,	/* Support for legacy clients */
#endif
	&gssapi_null_mech,
};

/* Unpriviledged */
void
ssh_gssapi_supported_oids(gss_OID_set *oidset)
{
	int i = 0;
	OM_uint32 min_status;
	int present;
	gss_OID_set supported;

	gss_create_empty_oid_set(&min_status, oidset);
	gss_indicate_mechs(&min_status, &supported);

	while (supported_mechs[i]->name != NULL) {
		if (GSS_ERROR(gss_test_oid_set_member(&min_status,
		    &supported_mechs[i]->oid, supported, &present)))
			present = 0;
		if (present)
			gss_add_oid_set_member(&min_status,
			    &supported_mechs[i]->oid, oidset);
		i++;
	}
}


/* Wrapper around accept_sec_context
 * Requires that the context contains:
 *    oid
 *    credentials	(from ssh_gssapi_acquire_cred)
 */
/* Priviledged */
OM_uint32
ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
    gss_buffer_desc *send_tok, OM_uint32 *flags)
{
	OM_uint32 status;
	gss_OID mech;

	ctx->major = gss_accept_sec_context(&ctx->minor,
	    &ctx->context, ctx->creds, recv_tok,
	    GSS_C_NO_CHANNEL_BINDINGS, &ctx->client, &mech,
	    send_tok, flags, NULL, &ctx->client_creds);

	if (GSS_ERROR(ctx->major))
		ssh_gssapi_error(ctx);

	if (ctx->client_creds)
		debug("Received some client credentials");
	else
		debug("Got no client credentials");

	status = ctx->major;

	/* Now, if we're complete and we have the right flags, then
	 * we flag the user as also having been authenticated
	 */

	if (((flags == NULL) || ((*flags & GSS_C_MUTUAL_FLAG) &&
	    (*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
		if (ssh_gssapi_getclient(ctx, &gssapi_client))
			fatal("Couldn't convert client name");
	}

	return (status);
}

/*
 * This parses an exported name, extracting the mechanism specific portion
 * to use for ACL checking. It verifies that the name belongs the mechanism
 * originally selected.
 */
static OM_uint32
ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
{
	char *tok;
	OM_uint32 offset;
	OM_uint32 oidl;

	tok=ename->value;

#ifdef GSI /* GSI gss_export_name() is broken. */
	if ((ctx->oid->length == gssapi_gsi_mech.oid.length) &&
	    (memcmp(ctx->oid->elements, gssapi_gsi_mech.oid.elements,
		    gssapi_gsi_mech.oid.length) == 0)) {
	    name->length = ename->length;
	    name->value = xmalloc(ename->length+1);
	    memcpy(name->value, ename->value, ename->length);
	    return GSS_S_COMPLETE;
	}
#endif

	/*
	 * Check that ename is long enough for all of the fixed length
	 * header, and that the initial ID bytes are correct
	 */

	if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0)
		return GSS_S_FAILURE;

	/*
	 * Extract the OID, and check it. Here GSSAPI breaks with tradition
	 * and does use the OID type and length bytes. To confuse things
	 * there are two lengths - the first including these, and the
	 * second without.
	 */

	oidl = GET_16BIT(tok+2); /* length including next two bytes */
	oidl = oidl-2; /* turn it into the _real_ length of the variable OID */

	/*
	 * Check the BER encoding for correct type and length, that the
	 * string is long enough and that the OID matches that in our context
	 */
	if (tok[4] != 0x06 || tok[5] != oidl ||
	    ename->length < oidl+6 ||
	   !ssh_gssapi_check_oid(ctx,tok+6,oidl))
		return GSS_S_FAILURE;

	offset = oidl+6;

	if (ename->length < offset+4)
		return GSS_S_FAILURE;

	name->length = GET_32BIT(tok+offset);
	offset += 4;

	if (ename->length < offset+name->length)
		return GSS_S_FAILURE;

	name->value = xmalloc(name->length+1);
	memcpy(name->value,tok+offset,name->length);
	((char *)name->value)[name->length] = 0;

	return GSS_S_COMPLETE;
}

/* Extract the client details from a given context. This can only reliably
 * be called once for a context */

/* Priviledged (called from accept_secure_ctx) */
OM_uint32
ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
{
	int i = 0;

	gss_buffer_desc ename;

	client->mech = NULL;

	while (supported_mechs[i]->name != NULL) {
		if (supported_mechs[i]->oid.length == ctx->oid->length &&
		    (memcmp(supported_mechs[i]->oid.elements,
		    ctx->oid->elements, ctx->oid->length) == 0))
			client->mech = supported_mechs[i];
		i++;
	}

	if (client->mech == NULL)
		return GSS_S_FAILURE;

	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
	    &client->displayname, NULL))) {
		ssh_gssapi_error(ctx);
		return (ctx->major);
	}

	if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
	    &ename))) {
		ssh_gssapi_error(ctx);
		return (ctx->major);
	}

	if ((ctx->major = ssh_gssapi_parse_ename(ctx,&ename,
	    &client->exportedname))) {
		return (ctx->major);
	}

	/* We can't copy this structure, so we just move the pointer to it */
	client->creds = ctx->client_creds;
	ctx->client_creds = GSS_C_NO_CREDENTIAL;
	return (ctx->major);
}

/* As user - called through fatal cleanup hook */
void
ssh_gssapi_cleanup_creds(void *ignored)
{
	if (gssapi_client.store.filename != NULL) {
		/* Unlink probably isn't sufficient */
		debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
		unlink(gssapi_client.store.filename);
	}
}

/* As user */
void
ssh_gssapi_storecreds(void)
{
	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
		(*gssapi_client.mech->storecreds)(&gssapi_client);
		if (options.gss_cleanup_creds)
			fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL);
	} else
		debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
}

/* This allows GSSAPI methods to do things to the childs environment based
 * on the passed authentication process and credentials.
 */
/* As user */
void
ssh_gssapi_do_child(char ***envp, u_int *envsizep)
{

	if (gssapi_client.store.envvar != NULL &&
	    gssapi_client.store.envval != NULL) {

		debug("Setting %s to %s", gssapi_client.store.envvar,
		gssapi_client.store.envval);
		child_set_env(envp, envsizep, gssapi_client.store.envvar,
		     gssapi_client.store.envval);
	}
}

/* Priviledged */
int
ssh_gssapi_userok(char *user)
{
	if (gssapi_client.exportedname.length == 0 ||
	    gssapi_client.exportedname.value == NULL) {
		debug("No suitable client data");
		return 0;
	}
	if (gssapi_client.mech && gssapi_client.mech->userok)
		return ((*gssapi_client.mech->userok)(&gssapi_client, user));
	else
		debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
	return (0);
}

/* Return a list of the gss-group1-sha1-x mechanisms supported by this
 * program.
 *
 * We only support the mechanisms that we've indicated in the list above,
 * but we check that they're supported by the GSSAPI mechanism on the 
 * machine. We also check, before including them in the list, that
 * we have the necesary information in order to carry out the key exchange
 * (that is, that the user has credentials, the server's creds are accessible,
 * etc)
 *
 * The way that this is done is fairly nasty, as we do a lot of work that
 * is then thrown away. This should possibly be implemented with a cache
 * that stores the results (in an expanded Gssctxt structure), which are
 * then used by the first calls if that key exchange mechanism is chosen.
 */

/* Unpriviledged */ 
char * 
ssh_gssapi_server_mechanisms() {
	gss_OID_set 	supported;
	Gssctxt		*ctx = NULL;
	OM_uint32	maj_status, min_status;
	Buffer		buf;
	int 		i = 0;
	int		first = 0;
	int		present;
	char *		mechs;

	if (datafellows & SSH_OLD_GSSAPI) return NULL;
	
	ssh_gssapi_supported_oids(&supported);
	
	buffer_init(&buf);

	while(supported_mechs[i]->name != NULL) {
		if ((maj_status=gss_test_oid_set_member(&min_status,
						   	&supported_mechs[i]->oid,
						   	supported,
						   	&present))) {
			present=0;
		}

		if (present) {
		    if (!GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx,
					   &supported_mechs[i]->oid)))) {
			/* Append gss_group1_sha1_x to our list */
			if (first++!=0)
				buffer_put_char(&buf,',');
			buffer_append(&buf, KEX_GSS_SHA1,
				      sizeof(KEX_GSS_SHA1)-1);
	        	buffer_append(&buf, 
	        		      supported_mechs[i]->enc_name,
        	      		      strlen(supported_mechs[i]->enc_name));
			debug("GSSAPI mechanism %s (%s%s) supported",
			      supported_mechs[i]->name, KEX_GSS_SHA1,
			      supported_mechs[i]->enc_name);
		    } else {
			debug("no credentials for GSSAPI mechanism %s",
			      supported_mechs[i]->name);
		    }
        	} else {
		    debug("GSSAPI mechanism %s not supported",
			  supported_mechs[i]->name);
		}
        	ssh_gssapi_delete_ctx(&ctx);
        	i++;
	}
	
	buffer_put_char(&buf,'\0');
	
	mechs=xmalloc(buffer_len(&buf));
	buffer_get(&buf,mechs,buffer_len(&buf));
	buffer_free(&buf);
	if (strlen(mechs)==0)
	   return(NULL);
	else
	   return(mechs);
}

/* Return the OID that corresponds to the given context name */
 
/* Unpriviledged */
gss_OID 
ssh_gssapi_server_id_kex(char *name) {
  int i=0;
  
  if (strncmp(name, KEX_GSS_SHA1, sizeof(KEX_GSS_SHA1)-1) !=0) {
     return(NULL);
  }
  
  name+=sizeof(KEX_GSS_SHA1)-1; /* Move to the start of the MIME string */
  
  while (supported_mechs[i]->name!=NULL &&
  	 strcmp(name,supported_mechs[i]->enc_name)!=0) {
  	i++;
  }

  if (supported_mechs[i]->name==NULL)
     return (NULL);

  debug("using GSSAPI mechanism %s (%s%s)", supported_mechs[i]->name,
	KEX_GSS_SHA1, supported_mechs[i]->enc_name);

  return &supported_mechs[i]->oid;
}

/* Priviledged */
int
ssh_gssapi_localname(char **user)
{
    	*user = NULL;
	if (gssapi_client.displayname.length==0 || 
	    gssapi_client.displayname.value==NULL) {
		debug("No suitable client data");
		return(0);;
	}
	if (gssapi_client.mech && gssapi_client.mech->localname) {
		return((*gssapi_client.mech->localname)(&gssapi_client,user));
	} else {
		debug("Unknown client authentication type");
	}
	return(0);
}
#endif
Commit	Line	Data
70791e56	1	/* $OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $ */
70791e56	2
5598e598	3	/*
88928908	4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5598e598	5	*
	6	* Redistribution and use in source and binary forms, with or without
	7	* modification, are permitted provided that the following conditions
	8	* are met:
	9	* 1. Redistributions of source code must retain the above copyright
	10	* notice, this list of conditions and the following disclaimer.
	11	* 2. Redistributions in binary form must reproduce the above copyright
	12	* notice, this list of conditions and the following disclaimer in the
	13	* documentation and/or other materials provided with the distribution.
	14	*
	15	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
	16	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	17	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	18	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	19	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	20	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	21	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	22	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	23	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	25	*/
	26
	27	#include "includes.h"
	28
	29	#ifdef GSSAPI
	30
	31	#include "ssh.h"
	32	#include "ssh2.h"
5598e598	33	#include "buffer.h"
	34	#include "bufaux.h"
	35	#include "packet.h"
	36	#include "compat.h"
	37	#include <openssl/evp.h>
	38	#include "cipher.h"
	39	#include "kex.h"
	40	#include "auth.h"
	41	#include "log.h"
1e608e42	42	#include "channels.h"
5598e598	43	#include "session.h"
	44	#include "dispatch.h"
	45	#include "servconf.h"
1e608e42	46	#include "compat.h"
ff2d7a98	47	#include "monitor_wrap.h"
70791e56	48	#include "xmalloc.h"
70791e56	49	#include "getput.h"
5598e598	50
	51	#include "ssh-gss.h"
	52
	53	extern ServerOptions options;
	54	extern u_char *session_id2;
	55	extern int session_id2_len;
	56
88928908	57	static ssh_gssapi_client gssapi_client =
70791e56	58	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
70791e56	59	GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
5598e598	60
70791e56	61	ssh_gssapi_mech gssapi_null_mech =
70791e56	62	{ NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
ff2d7a98	63
5598e598	64	#ifdef KRB5
88928908	65	extern ssh_gssapi_mech gssapi_kerberos_mech;
88928908	66	extern ssh_gssapi_mech gssapi_kerberos_mech_old;
c2397a66	67	#endif
5598e598	68	#ifdef GSI
88928908	69	extern ssh_gssapi_mech gssapi_gsi_mech;
88928908	70	extern ssh_gssapi_mech gssapi_gsi_mech_old;
f2fd21a2	71	#endif
f2fd21a2	72
88928908	73	ssh_gssapi_mech* supported_mechs[]= {
5598e598	74	#ifdef KRB5
70791e56	75	&gssapi_kerberos_mech,
70791e56	76	&gssapi_kerberos_mech_old, /* Support for legacy clients */
5598e598	77	#endif
5598e598	78	#ifdef GSI
70791e56	79	&gssapi_gsi_mech,
70791e56	80	&gssapi_gsi_mech_old, /* Support for legacy clients */
67e2750c	81	#endif
70791e56	82	&gssapi_null_mech,
88928908	83	};
5598e598	84
70791e56	85	/* Unpriviledged */
	86	void
	87	ssh_gssapi_supported_oids(gss_OID_set *oidset)
	88	{
	89	int i = 0;
	90	OM_uint32 min_status;
	91	int present;
	92	gss_OID_set supported;
	93
	94	gss_create_empty_oid_set(&min_status, oidset);
	95	gss_indicate_mechs(&min_status, &supported);
	96
	97	while (supported_mechs[i]->name != NULL) {
	98	if (GSS_ERROR(gss_test_oid_set_member(&min_status,
	99	&supported_mechs[i]->oid, supported, &present)))
	100	present = 0;
	101	if (present)
	102	gss_add_oid_set_member(&min_status,
	103	&supported_mechs[i]->oid, oidset);
	104	i++;
	105	}
	106	}
	107
	108
	109	/* Wrapper around accept_sec_context
	110	* Requires that the context contains:
	111	* oid
	112	* credentials (from ssh_gssapi_acquire_cred)
	113	*/
	114	/* Priviledged */
	115	OM_uint32
	116	ssh_gssapi_accept_ctx(Gssctxt ctx, gss_buffer_desc recv_tok,
	117	gss_buffer_desc send_tok, OM_uint32 flags)
	118	{
	119	OM_uint32 status;
	120	gss_OID mech;
	121
	122	ctx->major = gss_accept_sec_context(&ctx->minor,
	123	&ctx->context, ctx->creds, recv_tok,
	124	GSS_C_NO_CHANNEL_BINDINGS, &ctx->client, &mech,
	125	send_tok, flags, NULL, &ctx->client_creds);
	126
	127	if (GSS_ERROR(ctx->major))
	128	ssh_gssapi_error(ctx);
	129
	130	if (ctx->client_creds)
	131	debug("Received some client credentials");
	132	else
	133	debug("Got no client credentials");
	134
	135	status = ctx->major;
	136
	137	/* Now, if we're complete and we have the right flags, then
	138	* we flag the user as also having been authenticated
	139	*/
	140
	141	if (((flags == NULL) \|\| ((*flags & GSS_C_MUTUAL_FLAG) &&
	142	(*flags & GSS_C_INTEG_FLAG))) && (ctx->major == GSS_S_COMPLETE)) {
	143	if (ssh_gssapi_getclient(ctx, &gssapi_client))
	144	fatal("Couldn't convert client name");
	145	}
	146
	147	return (status);
	148	}
149
150	/*
151	* This parses an exported name, extracting the mechanism specific portion
152	* to use for ACL checking. It verifies that the name belongs the mechanism
153	* originally selected.
154	*/
155	static OM_uint32
156	ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
157	{
158	char *tok;
159	OM_uint32 offset;
160	OM_uint32 oidl;
161
162	tok=ename->value;
163
164	#ifdef GSI /* GSI gss_export_name() is broken. */
165	if ((ctx->oid->length == gssapi_gsi_mech.oid.length) &&
166	(memcmp(ctx->oid->elements, gssapi_gsi_mech.oid.elements,
167	gssapi_gsi_mech.oid.length) == 0)) {
168	name->length = ename->length;
169	name->value = xmalloc(ename->length+1);
170	memcpy(name->value, ename->value, ename->length);
171	return GSS_S_COMPLETE;
172	}
173	#endif
174
175	/*
176	* Check that ename is long enough for all of the fixed length
177	* header, and that the initial ID bytes are correct
178	*/
179
180	if (ename->length<6 \|\| memcmp(tok,"\x04\x01", 2)!=0)
181	return GSS_S_FAILURE;
182
183	/*
184	* Extract the OID, and check it. Here GSSAPI breaks with tradition
185	* and does use the OID type and length bytes. To confuse things
186	* there are two lengths - the first including these, and the
187	* second without.
188	*/
189
190	oidl = GET_16BIT(tok+2); /* length including next two bytes */
191	oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
192
193	/*
194	* Check the BER encoding for correct type and length, that the
195	* string is long enough and that the OID matches that in our context
196	*/
197	if (tok[4] != 0x06 \|\| tok[5] != oidl \|\|
198	ename->length < oidl+6 \|\|
199	!ssh_gssapi_check_oid(ctx,tok+6,oidl))
200	return GSS_S_FAILURE;
201
202	offset = oidl+6;
203
204	if (ename->length < offset+4)
205	return GSS_S_FAILURE;
206
207	name->length = GET_32BIT(tok+offset);
208	offset += 4;
209
210	if (ename->length < offset+name->length)
211	return GSS_S_FAILURE;
212
213	name->value = xmalloc(name->length+1);
214	memcpy(name->value,tok+offset,name->length);
215	((char *)name->value)[name->length] = 0;
216
217	return GSS_S_COMPLETE;
218	}
219
220	/* Extract the client details from a given context. This can only reliably
221	* be called once for a context */
222
223	/* Priviledged (called from accept_secure_ctx) */
224	OM_uint32
225	ssh_gssapi_getclient(Gssctxt ctx, ssh_gssapi_client client)
226	{
227	int i = 0;
228
229	gss_buffer_desc ename;
230
231	client->mech = NULL;
232
233	while (supported_mechs[i]->name != NULL) {
234	if (supported_mechs[i]->oid.length == ctx->oid->length &&
235	(memcmp(supported_mechs[i]->oid.elements,
236	ctx->oid->elements, ctx->oid->length) == 0))
237	client->mech = supported_mechs[i];
238	i++;
239	}
240
241	if (client->mech == NULL)
242	return GSS_S_FAILURE;
243
244	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
245	&client->displayname, NULL))) {
246	ssh_gssapi_error(ctx);
247	return (ctx->major);
248	}
249
250	if ((ctx->major = gss_export_name(&ctx->minor, ctx->client,
251	&ename))) {
252	ssh_gssapi_error(ctx);
253	return (ctx->major);
254	}
255
256	if ((ctx->major = ssh_gssapi_parse_ename(ctx,&ename,
257	&client->exportedname))) {
258	return (ctx->major);
259	}
260
261	/* We can't copy this structure, so we just move the pointer to it */
262	client->creds = ctx->client_creds;
263	ctx->client_creds = GSS_C_NO_CREDENTIAL;
264	return (ctx->major);
265	}
266
267	/* As user - called through fatal cleanup hook */
268	void
269	ssh_gssapi_cleanup_creds(void *ignored)
270	{
271	if (gssapi_client.store.filename != NULL) {
272	/* Unlink probably isn't sufficient */
273	debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
274	unlink(gssapi_client.store.filename);
275	}
276	}
277
278	/* As user */
279	void
280	ssh_gssapi_storecreds(void)
281	{
282	if (gssapi_client.mech && gssapi_client.mech->storecreds) {
283	(*gssapi_client.mech->storecreds)(&gssapi_client);
284	if (options.gss_cleanup_creds)
285	fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL);
286	} else
287	debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
288	}
289
290	/* This allows GSSAPI methods to do things to the childs environment based
291	* on the passed authentication process and credentials.
292	*/
293	/* As user */
294	void
295	ssh_gssapi_do_child(char **envp, u_int envsizep)
296	{
297
298	if (gssapi_client.store.envvar != NULL &&
299	gssapi_client.store.envval != NULL) {
300
301	debug("Setting %s to %s", gssapi_client.store.envvar,
302	gssapi_client.store.envval);
303	child_set_env(envp, envsizep, gssapi_client.store.envvar,
304	gssapi_client.store.envval);
305	}
306	}
307
308	/* Priviledged */
309	int
310	ssh_gssapi_userok(char *user)
311	{
312	if (gssapi_client.exportedname.length == 0 \|\|
313	gssapi_client.exportedname.value == NULL) {
314	debug("No suitable client data");
315	return 0;
316	}
317	if (gssapi_client.mech && gssapi_client.mech->userok)
318	return ((*gssapi_client.mech->userok)(&gssapi_client, user));
319	else
320	debug("ssh_gssapi_userok: Unknown GSSAPI mechanism");
321	return (0);
322	}
323
88928908	324	/* Return a list of the gss-group1-sha1-x mechanisms supported by this
88928908	325	* program.
5598e598	326	*
88928908	327	* We only support the mechanisms that we've indicated in the list above,
	328	* but we check that they're supported by the GSSAPI mechanism on the
	329	* machine. We also check, before including them in the list, that
	330	* we have the necesary information in order to carry out the key exchange
	331	* (that is, that the user has credentials, the server's creds are accessible,
	332	* etc)
	333	*
	334	* The way that this is done is fairly nasty, as we do a lot of work that
	335	* is then thrown away. This should possibly be implemented with a cache
	336	* that stores the results (in an expanded Gssctxt structure), which are
	337	* then used by the first calls if that key exchange mechanism is chosen.
6a8bca29	338	*/
6a8bca29	339
88928908	340	/* Unpriviledged */
1c14df9e	341	char *
88928908	342	ssh_gssapi_server_mechanisms() {
1c14df9e	343	gss_OID_set supported;
88928908	344	Gssctxt *ctx = NULL;
1c14df9e	345	OM_uint32 maj_status, min_status;
	346	Buffer buf;
	347	int i = 0;
88928908	348	int first = 0;
1c14df9e	349	int present;
1c14df9e	350	char * mechs;
1c14df9e	351
	352	if (datafellows & SSH_OLD_GSSAPI) return NULL;
	353
88928908	354	ssh_gssapi_supported_oids(&supported);
1c14df9e	355
88928908	356	buffer_init(&buf);
1c14df9e	357
88928908	358	while(supported_mechs[i]->name != NULL) {
1c14df9e	359	if ((maj_status=gss_test_oid_set_member(&min_status,
88928908	360	&supported_mechs[i]->oid,
1c14df9e	361	supported,
	362	&present))) {
	363	present=0;
	364	}
88928908	365
1c14df9e	366	if (present) {
88928908	367	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx,
	368	&supported_mechs[i]->oid)))) {
	369	/* Append gss_group1_sha1_x to our list */
	370	if (first++!=0)
	371	buffer_put_char(&buf,',');
	372	buffer_append(&buf, KEX_GSS_SHA1,
	373	sizeof(KEX_GSS_SHA1)-1);
	374	buffer_append(&buf,
	375	supported_mechs[i]->enc_name,
	376	strlen(supported_mechs[i]->enc_name));
	377	debug("GSSAPI mechanism %s (%s%s) supported",
	378	supported_mechs[i]->name, KEX_GSS_SHA1,
	379	supported_mechs[i]->enc_name);
	380	} else {
	381	debug("no credentials for GSSAPI mechanism %s",
	382	supported_mechs[i]->name);
	383	}
	384	} else {
1c14df9e	385	debug("GSSAPI mechanism %s not supported",
88928908	386	supported_mechs[i]->name);
1c14df9e	387	}
88928908	388	ssh_gssapi_delete_ctx(&ctx);
	389	i++;
	390	}
1c14df9e	391
	392	buffer_put_char(&buf,'\0');
	393
	394	mechs=xmalloc(buffer_len(&buf));
	395	buffer_get(&buf,mechs,buffer_len(&buf));
	396	buffer_free(&buf);
	397	if (strlen(mechs)==0)
	398	return(NULL);
	399	else
	400	return(mechs);
	401	}
	402
88928908	403	/* Return the OID that corresponds to the given context name */
	404
	405	/* Unpriviledged */
	406	gss_OID
	407	ssh_gssapi_server_id_kex(char *name) {
	408	int i=0;
	409
	410	if (strncmp(name, KEX_GSS_SHA1, sizeof(KEX_GSS_SHA1)-1) !=0) {
	411	return(NULL);
	412	}
	413
	414	name+=sizeof(KEX_GSS_SHA1)-1; /* Move to the start of the MIME string */
	415
	416	while (supported_mechs[i]->name!=NULL &&
	417	strcmp(name,supported_mechs[i]->enc_name)!=0) {
	418	i++;
	419	}
	420
	421	if (supported_mechs[i]->name==NULL)
	422	return (NULL);
	423
	424	debug("using GSSAPI mechanism %s (%s%s)", supported_mechs[i]->name,
	425	KEX_GSS_SHA1, supported_mechs[i]->enc_name);
	426
	427	return &supported_mechs[i]->oid;
	428	}
	429
88928908	430	/* Priviledged */
	431	int
	432	ssh_gssapi_localname(char **user)
	433	{
	434	*user = NULL;
70791e56	435	if (gssapi_client.displayname.length==0 \|\|
70791e56	436	gssapi_client.displayname.value==NULL) {
88928908	437	debug("No suitable client data");
	438	return(0);;
	439	}
	440	if (gssapi_client.mech && gssapi_client.mech->localname) {
	441	return((*gssapi_client.mech->localname)(&gssapi_client,user));
	442	} else {
	443	debug("Unknown client authentication type");
	444	}
	445	return(0);
	446	}
	447	#endif