/*
 * Probe whether the mechanism named by oid is usable against host.
 *
 * A fresh context is built into *ctx, the target name is imported and the
 * first leg of context establishment is attempted.  Any partially built
 * security context is torn down again; on failure *ctx itself is deleted.
 * Returns non-zero when the probe succeeded, 0 otherwise.
 */
int
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
{
	/* DER encoding of the SPNEGO mechanism OID (1.3.6.1.5.5.2). */
	static const char spnego_bytes[] = "\x2B\x06\x01\x05\x05\x02";
	const size_t spnego_len = sizeof(spnego_bytes) - 1;
	gss_buffer_desc out_tok = GSS_C_EMPTY_BUFFER;
	OM_uint32 maj_st, min_st;
	int usable;

	/* RFC 4462 says we MUST NOT do SPNEGO */
	if (oid->length == spnego_len &&
	    memcmp(oid->elements, spnego_bytes, spnego_len) == 0)
		return 0;

	ssh_gssapi_build_ctx(ctx);
	ssh_gssapi_set_oid(*ctx, oid);

	maj_st = ssh_gssapi_import_name(*ctx, host);
	if (GSS_ERROR(maj_st)) {
		ssh_gssapi_delete_ctx(ctx);
		return 0;
	}

	/* Only the first leg is needed to learn whether the mechanism works. */
	maj_st = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &out_tok, NULL);
	gss_release_buffer(&min_st, &out_tok);

	/* Never leave a half-established security context behind. */
	if ((*ctx)->context != GSS_C_NO_CONTEXT)
		gss_delete_sec_context(&min_st, &(*ctx)->context,
		    GSS_C_NO_BUFFER);

	usable = !GSS_ERROR(maj_st);
	if (!usable)
		ssh_gssapi_delete_ctx(ctx);

	return usable;
}
/*
 * Map a GSS kex method name of the given kex_type to its mechanism OID.
 *
 * The fixed method prefix for kex_type is skipped and the remainder of
 * name is looked up in gss_enc2oid.  When a mechanism is found and ctx is
 * non-NULL, ctx is switched to that mechanism.  Returns the matching OID,
 * or GSS_C_NO_OID (the oid of the table's terminating entry) when
 * kex_type is unknown, name is too short, or nothing matches.
 */
gss_OID
ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) {
	size_t prefix_len;
	int idx;

	switch (kex_type) {
	case KEX_GSS_GRP1_SHA1:
		prefix_len = sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
		break;
	case KEX_GSS_GRP14_SHA1:
		prefix_len = sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
		break;
	case KEX_GSS_GEX_SHA1:
		prefix_len = sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
		break;
	default:
		return GSS_C_NO_OID;
	}

	/* The mechanism part must be at least one character long. */
	if (strlen(name) <= prefix_len)
		return GSS_C_NO_OID;
	name += prefix_len;

	/* Stop at the first match or at the NULL-terminated end of the table. */
	for (idx = 0; gss_enc2oid[idx].encoded != NULL; idx++) {
		if (strcmp(name, gss_enc2oid[idx].encoded) == 0)
			break;
	}

	if (ctx != NULL && gss_enc2oid[idx].oid != NULL)
		ssh_gssapi_set_oid(ctx, gss_enc2oid[idx].oid);

	return gss_enc2oid[idx].oid;
}
/*
 * (Re)initialise the server-side GSSAPI context for mechanism oid.
 *
 * Any context already held in *ctx is deleted first, then a fresh one is
 * built and bound to oid.  The status of ssh_gssapi_acquire_cred() on the
 * new context is passed straight back to the caller.
 */
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
	/* Discard whatever a previous negotiation left behind. */
	if (*ctx != NULL)
		ssh_gssapi_delete_ctx(ctx);

	ssh_gssapi_build_ctx(ctx);
	ssh_gssapi_set_oid(*ctx, oid);

	return ssh_gssapi_acquire_cred(*ctx);
}
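/*
 * Probe whether the mechanism named by oid can be used against host.
 *
 * A throwaway context is built, the target name imported and the first
 * leg of context establishment attempted; the context is always deleted
 * before returning.  Returns non-zero when that leg succeeded.
 *
 * token starts as GSS_C_EMPTY_BUFFER so that gss_release_buffer() is safe
 * even if ssh_gssapi_init_ctx() fails before producing any output, and the
 * import-name status is checked so that init is not attempted on a context
 * whose target name was never set.
 */
int
ssh_gssapi_check_mechanism(gss_OID oid, const char *host)
{
	Gssctxt *ctx = NULL;
	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
	OM_uint32 major, minor;

	ssh_gssapi_build_ctx(&ctx);
	ssh_gssapi_set_oid(ctx, oid);

	major = ssh_gssapi_import_name(ctx, (char *) host);
	if (!GSS_ERROR(major)) {
		major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token,
		    NULL);
		gss_release_buffer(&minor, &token);
	}

	/* The probe context is never reused; drop it on every path. */
	ssh_gssapi_delete_ctx(&ctx);

	return (!GSS_ERROR(major));
}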
/*
 * Resolve a client-side GSS kex method name to its mechanism OID.
 *
 * name must begin with KEX_GSS_SHA1; the text after that prefix is looked
 * up in gss_enc2oid.  When a mechanism is found, ctx is switched to it.
 * Returns the matching OID, NULL when the prefix does not match, or the
 * oid of the table's terminating entry when nothing matches.
 *
 * NOTE(review): ctx is handed to ssh_gssapi_set_oid() without a NULL
 * check, so callers are expected to pass a live context.
 */
gss_OID
ssh_gssapi_client_id_kex(Gssctxt *ctx, char *name) {
	const size_t prefix_len = sizeof(KEX_GSS_SHA1) - 1;
	const char *mech_id;
	int idx;

	/* Not a GSS kex method name at all. */
	if (strncmp(name, KEX_GSS_SHA1, prefix_len) != 0)
		return(NULL);

	/* The mechanism identifier follows the fixed prefix. */
	mech_id = name + prefix_len;

	for (idx = 0; gss_enc2oid[idx].encoded != NULL; idx++) {
		if (strcmp(mech_id, gss_enc2oid[idx].encoded) == 0)
			break;
	}

	if (gss_enc2oid[idx].oid != NULL)
		ssh_gssapi_set_oid(ctx, gss_enc2oid[idx].oid);

	return gss_enc2oid[idx].oid;
}
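/*
 * Export GSI credentials to disk.
 *
 * Asks the mechanism to export client->creds as a "NAME=value" string,
 * records the variable name and value in client->store (renaming the
 * exported file onto client->store.filename when one is already set) and,
 * when PAM is in use, publishes the pair to the PAM environment.
 *
 * The exported buffer is copied into a NUL-terminated string before any
 * str*() call, because a gss_buffer_t carries an explicit length and is
 * not guaranteed to be NUL-terminated.  An empty result (for example after
 * GSS_S_UNAVAILABLE, which is deliberately not treated as an error) is
 * skipped instead of being dereferenced.  Allocation failures are logged
 * and abandon the export; nothing is returned to the caller.
 */
static void
ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
{
    OM_uint32	major_status;
    OM_uint32	minor_status;
    gss_buffer_desc	export_cred = GSS_C_EMPTY_BUFFER;
    char *		cred = NULL;	/* NUL-terminated copy of export_cred */
    char *		p;
    char *		envvar;

    if (!client || !client->creds) {
        return;
    }

    major_status = gss_export_cred(&minor_status,
                                   client->creds,
                                   GSS_C_NO_OID,
                                   1,
                                   &export_cred);
    if (GSS_ERROR(major_status) && major_status != GSS_S_UNAVAILABLE) {
        /* Report through a throwaway context so the mechanism-specific
         * error text is logged the same way as everywhere else. */
        Gssctxt *ctx;
        ssh_gssapi_build_ctx(&ctx);
        ctx->major = major_status;
        ctx->minor = minor_status;
        ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
        ssh_gssapi_error(ctx);
        ssh_gssapi_delete_ctx(&ctx);
        return;
    }

    /* Nothing was exported (e.g. GSS_S_UNAVAILABLE): there is nothing to
     * parse, and export_cred.value may well be NULL. */
    if (export_cred.value == NULL || export_cred.length == 0) {
        logit("No GSI credentials were exported; nothing to store");
        goto out;
    }

    /* Work on a NUL-terminated copy; the GSS buffer need not be. */
    cred = malloc(export_cred.length + 1);
    if (cred == NULL) {
        logit("Failed to allocate %lu bytes for exported credentials",
              (unsigned long)export_cred.length);
        goto out;
    }
    memcpy(cred, export_cred.value, export_cred.length);
    cred[export_cred.length] = '\0';

    p = strchr(cred, '=');
    if (p == NULL) {
        logit("Failed to parse exported credentials string '%.100s'", cred);
        goto out;
    }
    *p++ = '\0';	/* cred is now the variable name, p the value */

    /* The mechanism names a delegated proxy X509_USER_DELEG_PROXY; the
     * variable consumers look for is X509_USER_PROXY. */
    if (strcmp(cred, "X509_USER_DELEG_PROXY") == 0) {
        envvar = strdup("X509_USER_PROXY");
    } else {
        envvar = strdup(cred);
    }
    if (envvar == NULL) {
        logit("Failed to allocate exported credentials variable name");
        goto out;
    }
    client->store.envvar = envvar;

    /* Only adopt the exported path if it names a readable file.  The
     * access()/rename() pair is check-then-use; the path comes from the
     * local mechanism, not from the peer. */
    if (access(p, R_OK) == 0) {
        if (client->store.filename) {
            if (rename(p, client->store.filename) < 0) {
                logit("Failed to rename %s to %s: %s", p,
                      client->store.filename, strerror(errno));
                free(client->store.filename);
                client->store.filename = strdup(p);
            } else {
                p = client->store.filename;
            }
        } else {
            client->store.filename = strdup(p);
        }
    }
    client->store.envval = strdup(p);
    if (client->store.envval == NULL) {
        logit("Failed to allocate exported credentials value");
        goto out;
    }
#ifdef USE_PAM
    if (options.use_pam)
        do_pam_putenv(client->store.envvar, client->store.envval);
#endif

out:
    free(cred);
    gss_release_buffer(&minor_status, &export_cred);
}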