version 1.8, 2005/08/30 22:08:05 |
version 1.8.2.2, 2006/10/06 03:19:32 |
|
|
/* $OpenBSD$ */ |
/* $OpenBSD$ */ |
|
|
/* |
/* |
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
*/ |
*/ |
|
|
#include "includes.h" |
#include <sys/types.h> |
|
|
#ifdef GSSAPI |
#ifdef GSSAPI |
|
|
#include "bufaux.h" |
#include <string.h> |
#include "compat.h" |
|
|
#include "xmalloc.h" |
|
#include "buffer.h" |
|
#include "key.h" |
|
#include "hostfile.h" |
#include "auth.h" |
#include "auth.h" |
#include "log.h" |
#include "log.h" |
#include "channels.h" |
#include "channels.h" |
#include "session.h" |
#include "session.h" |
#include "servconf.h" |
#include "misc.h" |
#include "monitor_wrap.h" |
|
#include "xmalloc.h" |
|
#include "getput.h" |
|
|
|
#include "ssh-gss.h" |
#include "ssh-gss.h" |
|
|
extern ServerOptions options; |
|
|
|
static ssh_gssapi_client gssapi_client = |
static ssh_gssapi_client gssapi_client = |
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; |
GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; |
|
|
&gssapi_null_mech, |
&gssapi_null_mech, |
}; |
}; |
|
|
/* Unpriviledged */ |
/* Unprivileged */ |
void |
void |
ssh_gssapi_supported_oids(gss_OID_set *oidset) |
ssh_gssapi_supported_oids(gss_OID_set *oidset) |
{ |
{ |
|
|
&supported_mechs[i]->oid, oidset); |
&supported_mechs[i]->oid, oidset); |
i++; |
i++; |
} |
} |
|
|
|
gss_release_oid_set(&min_status, &supported); |
} |
} |
|
|
|
|
|
|
* oid |
* oid |
* credentials (from ssh_gssapi_acquire_cred) |
* credentials (from ssh_gssapi_acquire_cred) |
*/ |
*/ |
/* Priviledged */ |
/* Privileged */ |
OM_uint32 |
OM_uint32 |
ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, |
ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok, |
gss_buffer_desc *send_tok, OM_uint32 *flags) |
gss_buffer_desc *send_tok, OM_uint32 *flags) |
|
|
OM_uint32 offset; |
OM_uint32 offset; |
OM_uint32 oidl; |
OM_uint32 oidl; |
|
|
tok=ename->value; |
tok = ename->value; |
|
|
/* |
/* |
* Check that ename is long enough for all of the fixed length |
* Check that ename is long enough for all of the fixed length |
* header, and that the initial ID bytes are correct |
* header, and that the initial ID bytes are correct |
*/ |
*/ |
|
|
if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0) |
if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0) |
return GSS_S_FAILURE; |
return GSS_S_FAILURE; |
|
|
/* |
/* |
|
|
* second without. |
* second without. |
*/ |
*/ |
|
|
oidl = GET_16BIT(tok+2); /* length including next two bytes */ |
oidl = get_u16(tok+2); /* length including next two bytes */ |
oidl = oidl-2; /* turn it into the _real_ length of the variable OID */ |
oidl = oidl-2; /* turn it into the _real_ length of the variable OID */ |
|
|
/* |
/* |
|
|
*/ |
*/ |
if (tok[4] != 0x06 || tok[5] != oidl || |
if (tok[4] != 0x06 || tok[5] != oidl || |
ename->length < oidl+6 || |
ename->length < oidl+6 || |
!ssh_gssapi_check_oid(ctx,tok+6,oidl)) |
!ssh_gssapi_check_oid(ctx, tok+6, oidl)) |
return GSS_S_FAILURE; |
return GSS_S_FAILURE; |
|
|
offset = oidl+6; |
offset = oidl+6; |
|
|
if (ename->length < offset+4) |
if (ename->length < offset+4) |
return GSS_S_FAILURE; |
return GSS_S_FAILURE; |
|
|
name->length = GET_32BIT(tok+offset); |
name->length = get_u32(tok+offset); |
offset += 4; |
offset += 4; |
|
|
if (ename->length < offset+name->length) |
if (ename->length < offset+name->length) |
return GSS_S_FAILURE; |
return GSS_S_FAILURE; |
|
|
name->value = xmalloc(name->length+1); |
name->value = xmalloc(name->length+1); |
memcpy(name->value,tok+offset,name->length); |
memcpy(name->value, tok+offset, name->length); |
((char *)name->value)[name->length] = 0; |
((char *)name->value)[name->length] = 0; |
|
|
return GSS_S_COMPLETE; |
return GSS_S_COMPLETE; |
|
|
/* Extract the client details from a given context. This can only reliably |
/* Extract the client details from a given context. This can only reliably |
* be called once for a context */ |
* be called once for a context */ |
|
|
/* Priviledged (called from accept_secure_ctx) */ |
/* Privileged (called from accept_secure_ctx) */ |
OM_uint32 |
OM_uint32 |
ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
{ |
{ |
|
|
{ |
{ |
if (gssapi_client.store.filename != NULL) { |
if (gssapi_client.store.filename != NULL) { |
/* Unlink probably isn't sufficient */ |
/* Unlink probably isn't sufficient */ |
debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename); |
debug("removing gssapi cred file\"%s\"", |
|
gssapi_client.store.filename); |
unlink(gssapi_client.store.filename); |
unlink(gssapi_client.store.filename); |
} |
} |
} |
} |
|
|
|
|
if (gssapi_client.store.envvar != NULL && |
if (gssapi_client.store.envvar != NULL && |
gssapi_client.store.envval != NULL) { |
gssapi_client.store.envval != NULL) { |
|
|
debug("Setting %s to %s", gssapi_client.store.envvar, |
debug("Setting %s to %s", gssapi_client.store.envvar, |
gssapi_client.store.envval); |
gssapi_client.store.envval); |
child_set_env(envp, envsizep, gssapi_client.store.envvar, |
child_set_env(envp, envsizep, gssapi_client.store.envvar, |
gssapi_client.store.envval); |
gssapi_client.store.envval); |
} |
} |
} |
} |
|
|
/* Priviledged */ |
/* Privileged */ |
int |
int |
ssh_gssapi_userok(char *user) |
ssh_gssapi_userok(char *user) |
{ |
{ |
|
|
return (0); |
return (0); |
} |
} |
|
|
/* Priviledged */ |
/* Privileged */ |
OM_uint32 |
OM_uint32 |
ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
{ |
{ |