-/* $OpenBSD: gss-genr.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.3 2003/11/21 11:57:03 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
#ifdef GSSAPI
-#include "ssh.h"
-#include "ssh2.h"
#include "xmalloc.h"
#include "buffer.h"
#include "bufaux.h"
-#include "packet.h"
#include "compat.h"
#include <openssl/evp.h>
-#include "cipher.h"
#include "kex.h"
#include "log.h"
-#include "compat.h"
#include "monitor_wrap.h"
#include "canohost.h"
-
-#include <netdb.h>
+#include "ssh2.h"
#include "ssh-gss.h"
+extern u_char *session_id2;
+extern u_int session_id2_len;
+
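Review bot: The two `extern` declarations for `session_id2` and `session_id2_len` are placed in this .c file rather than in a header shared with the file that defines them, so the compiler never checks that the declared types match the definitions; a later change to the definition (for example to a different integer width for the length) would compile silently here and be caught only at link or run time. Move the two lines into a header that both the defining file and this one include, or, if no such header exists yet, add a comment tying them to their definition: `/* defined by the client/server key-exchange code; keep the types in sync with that definition */`. This matters because `ssh_gssapi_buildmic` later feeds these two values into the MIC input, so a type mismatch would corrupt the authenticated data rather than just a log message.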
typedef struct {
char *encoded;
gss_OID oid;
EVP_MD_CTX md;
int oidpos=0;
- if (datafellows & SSH_OLD_GSSAPI) return NULL;
-
gss_indicate_mechs(&min_status,&supported);
- if (datafellows & SSH_BUG_GSSAPI_BER) {
- gss_enc2oid=xmalloc(sizeof(ssh_gss_kex_mapping)
- *((supported->count*2)+1));
- } else {
- gss_enc2oid=xmalloc(sizeof(ssh_gss_kex_mapping)
- *(supported->count+1));
- }
+ gss_enc2oid=xmalloc(sizeof(ssh_gss_kex_mapping)
+ *(supported->count+1));
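Review bot: The new allocation `xmalloc(sizeof(ssh_gss_kex_mapping) * (supported->count+1))` dereferences `supported`, which is filled by the `gss_indicate_mechs(&min_status,&supported)` call on the preceding context line whose status is never checked; on failure `supported` is not guaranteed to be a valid OID set and the multiplication reads an indeterminate count. The removed BER branch had the same exposure, so this is pre-existing, but since the hunk rewrites the allocation it is the right place to guard it, e.g. `if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported))) return (NULL);`, which matches the `return NULL` convention the hunk removes at the old `SSH_OLD_GSSAPI` check. The enclosing function starts and ends outside the hunk, so confirm that an early NULL return is acceptable to its callers.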
buffer_init(&buf);
-
for (i=0;i<supported->count;i++) {
gss_enc2oid[oidpos].encoded=NULL;
if (supported->elements[i].length<128 &&
ssh_gssapi_check_mechanism(&(supported->elements[i]),host)) {
- /* Earlier versions of this code interpreted the
- * spec incorrectly with regard to OID encoding. They
- * also mis-encoded the krb5 OID. The following
- * _temporary_ code interfaces with these broken
- * servers */
-
- if (datafellows & SSH_BUG_GSSAPI_BER) {
- char *bodge=NULL;
- gss_OID_desc krb5oid={9, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02"};
- gss_OID_desc gsioid={9, "\x2B\x06\x01\x04\x01\x9B\x50\x01\x01"};
-
- if (supported->elements[i].length==krb5oid.length &&
- memcmp(supported->elements[i].elements,
- krb5oid.elements, krb5oid.length)==0) {
- bodge="Se3H81ismmOC3OE+FwYCiQ==";
- }
-
- if (supported->elements[i].length==gsioid.length &&
- memcmp(supported->elements[i].elements,
- gsioid.elements, gsioid.length)==0) {
- bodge="N3+k7/4wGxHyuP8Yxi4RhA==";
- }
-
- if (bodge) {
- if (oidpos!=0) {
- buffer_put_char(&buf,',');
- }
-
- buffer_append(&buf, KEX_GSS_SHA1, sizeof(KEX_GSS_SHA1)-1);
- buffer_append(&buf, bodge, strlen(bodge));
-
- gss_enc2oid[oidpos].oid=&(supported->elements[i]);
- gss_enc2oid[oidpos].encoded=bodge;
-
- oidpos++;
- }
- }
-
/* Add the required DER encoding octets and MD5 hash */
deroid[0]=0x06; /* Object Identifier */
deroid[1]=supported->elements[i].length;
gssbuf.length = sizeof("host@") + strlen(xhost);
gssbuf.value = xmalloc(gssbuf.length);
- snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
+ snprintf(gssbuf.value, gssbuf.length, "host@%s", xhost);
if ((ctx->major = gss_import_name(&ctx->minor,
&gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
return (ctx->major);
}
+OM_uint32
+ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
+{
+ if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
+ GSS_C_QOP_DEFAULT, buffer, hash)))
+ ssh_gssapi_error(ctx);
+
+ return (ctx->major);
+}
+
+void
+ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
+ const char *context)
+{
+ buffer_init(b);
+ buffer_put_string(b, session_id2, session_id2_len);
+ buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST);
+ buffer_put_cstring(b, user);
+ buffer_put_cstring(b, service);
+ buffer_put_cstring(b, context);
+}
+
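Review bot: `ssh_gssapi_buildmic` serializes `session_id2` and `session_id2_len` without checking that a session identifier has been established, so a call made before key exchange has completed would hand a NULL pointer and zero length to `buffer_put_string` and produce a MIC over an empty session id instead of failing loudly; add `if (session_id2 == NULL) fatal("ssh_gssapi_buildmic: no session id");` before the first `buffer_put_string`. The function also deserves a header comment, since the peer must reproduce this layout byte for byte: describe that it initialises `b` and appends, in order, the session id as a string, the byte `SSH2_MSG_USERAUTH_REQUEST`, and the `user`, `service` and `context` strings, and that the caller owns `b` and is responsible for `buffer_free`. The `context` parameter presumably carries the userauth method name, but that is not visible here and should be stated by the caller-facing comment once confirmed.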
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
if (*ctx)
return (ssh_gssapi_acquire_cred(*ctx));
}
-OM_uint32
-ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *buffer, gss_buffer_desc *hash) {
-
- if ((ctx->major=gss_get_mic(&ctx->minor,ctx->context,
- GSS_C_QOP_DEFAULT, buffer, hash))) {
- ssh_gssapi_error(ctx);
- }
-
- return(ctx->major);
-}
-
int
-ssh_gssapi_check_mechanism(gss_OID oid, char *host) {
+ssh_gssapi_check_mechanism(gss_OID oid, const char *host) {
Gssctxt * ctx = NULL;
gss_buffer_desc token;
OM_uint32 major,minor;