/* All this effort to report an error ... */
void
ssh_gssapi_error(Gssctxt *ctxt)
{
char *s;
s = ssh_gssapi_last_error(ctxt, NULL, NULL);
debug("%s", s);
free(s);
}
void
input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
{
OM_uint32 min_status;
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
gss_buffer_desc send_tok, recv_tok;
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
gssctxt = authctxt->methoddata;
recv_tok.value=packet_get_string(&recv_tok.length);
/* Stick it into GSSAPI and see what it says */
(void) ssh_gssapi_init_ctx(gssctxt, authctxt->host,
options.gss_deleg_creds,
&recv_tok, &send_tok);
xfree(recv_tok.value);
(void) gss_release_buffer(&min_status, &send_tok);
debug("Server sent a GSS-API error token during GSS userauth -- %s",
ssh_gssapi_last_error(gssctxt, NULL, NULL));
packet_check_eom();
/* We can't send a packet to the server */
/* The draft says that we should wait for the server to fail
* before starting the next authentication. So, we clear the
* state, but don't do anything else
*/
clear_auth_state(authctxt);
return;
}
/* All this effort to report an error ... */
void
ssh_gssapi_error(Gssctxt *ctxt)
{
debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
}
void
ssh_gssapi_client_mechs(const char *server_host, gss_OID_set *mechs)
{
gss_OID_set indicated = GSS_C_NULL_OID_SET;
gss_OID_set acquired, supported;
gss_OID mech;
gss_cred_id_t creds;
Gssctxt *ctxt = NULL;
gss_buffer_desc tok;
OM_uint32 maj, min;
int i;
char *errmsg;
if (!mechs)
return;
*mechs = GSS_C_NULL_OID_SET;
maj = gss_indicate_mechs(&min, &indicated);
if (GSS_ERROR(maj)) {
debug("No GSS-API mechanisms are installed");
return;
}
maj = gss_create_empty_oid_set(&min, &supported);
if (GSS_ERROR(maj)) {
errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
debug("Failed to allocate resources (%s) for GSS-API", errmsg);
xfree(errmsg);
(void) gss_release_oid_set(&min, &indicated);
return;
}
maj = gss_acquire_cred(&min, GSS_C_NO_NAME, 0, indicated,
GSS_C_INITIATE, &creds, &acquired, NULL);
if (GSS_ERROR(maj)) {
errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
debug("Failed to acquire GSS-API credentials for any "
"mechanisms (%s)", errmsg);
xfree(errmsg);
(void) gss_release_oid_set(&min, &indicated);
(void) gss_release_oid_set(&min, &supported);
return;
}
(void) gss_release_cred(&min, &creds);
for (i = 0; i < acquired->count; i++) {
mech = &acquired->elements[i];
if (ssh_gssapi_is_spnego(mech))
continue;
ssh_gssapi_build_ctx(&ctxt, 1, mech);
if (!ctxt)
continue;
/*
* This is useful for mechs like Kerberos, which can
* detect unknown target princs here, but not for
* mechs like SPKM, which cannot detect unknown princs
* until context tokens are actually exchanged.
*
* 'Twould be useful to have a test that could save us
* the bother of trying this for SPKM and the such...
*/
maj = ssh_gssapi_init_ctx(ctxt, server_host, 0, NULL, &tok);
if (GSS_ERROR(maj)) {
errmsg = ssh_gssapi_last_error(ctxt, NULL, NULL);
debug("Skipping GSS-API mechanism %s (%s)",
ssh_gssapi_oid_to_name(mech), errmsg);
xfree(errmsg);
continue;
}
(void) gss_release_buffer(&min, &tok);
maj = gss_add_oid_set_member(&min, mech, &supported);
if (GSS_ERROR(maj)) {
errmsg = ssh_gssapi_last_error(NULL, &maj, &min);
debug("Failed to allocate resources (%s) for GSS-API",
errmsg);
xfree(errmsg);
}
}
*mechs = supported;
}
