/*
 * Probe whether the GSS-API mechanism `oid` can be used to authenticate
 * to `host`.  On success *ctx is left built and bound to the mechanism
 * (with any security context torn down again) for the caller to reuse;
 * on failure *ctx is deleted.  Returns non-zero when the mechanism is
 * usable, 0 otherwise.
 */
int
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
{
	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
	OM_uint32 major, minor;
	gss_OID_desc spnego_oid = { 6, (void *)"\x2B\x06\x01\x05\x05\x02" };
	int usable;

	/* RFC 4462 forbids SPNEGO as a GSS-API key exchange mechanism. */
	if (oid->length == spnego_oid.length &&
	    memcmp(oid->elements, spnego_oid.elements, oid->length) == 0)
		return 0;

	ssh_gssapi_build_ctx(ctx);
	ssh_gssapi_set_oid(*ctx, oid);

	/* A name that does not import cannot be probed any further. */
	major = ssh_gssapi_import_name(*ctx, host);
	if (GSS_ERROR(major)) {
		ssh_gssapi_delete_ctx(ctx);
		return 0;
	}

	/* One init round-trip is enough to tell whether the mech works here. */
	major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
	gss_release_buffer(&minor, &token);
	/* Drop the half-built security context; only the mech binding is kept. */
	if ((*ctx)->context != GSS_C_NO_CONTEXT)
		gss_delete_sec_context(&minor, &(*ctx)->context, GSS_C_NO_BUFFER);

	usable = !GSS_ERROR(major);
	if (!usable)
		ssh_gssapi_delete_ctx(ctx);
	return usable;
}
/*
 * Map a GSS-API key exchange algorithm name ("<kex prefix><mech id>") to
 * the mechanism OID it encodes, using the gss_enc2oid table.  kex_type
 * selects which prefix to skip.  When a mechanism is found and ctx is
 * non-NULL, ctx is bound to that OID.  Returns GSS_C_NO_OID when the
 * kex_type is unknown, the name is too short, or the id is not in the
 * table.
 *
 * NOTE(review): only the length of the prefix is checked here, not its
 * bytes; callers are expected to have derived kex_type from name.
 */
gss_OID
ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type)
{
	size_t prefix_len;
	int i;

	switch (kex_type) {
	case KEX_GSS_GRP1_SHA1:
		prefix_len = sizeof(KEX_GSS_GRP1_SHA1_ID) - 1;
		break;
	case KEX_GSS_GRP14_SHA1:
		prefix_len = sizeof(KEX_GSS_GRP14_SHA1_ID) - 1;
		break;
	case KEX_GSS_GEX_SHA1:
		prefix_len = sizeof(KEX_GSS_GEX_SHA1_ID) - 1;
		break;
	default:
		return GSS_C_NO_OID;
	}

	/* The name must carry at least one byte of mech id after the prefix. */
	if (strlen(name) <= prefix_len)
		return GSS_C_NO_OID;
	name += prefix_len;

	/* Linear scan; the table is terminated by a NULL encoded entry. */
	for (i = 0; gss_enc2oid[i].encoded != NULL; i++) {
		if (strcmp(name, gss_enc2oid[i].encoded) == 0)
			break;
	}

	if (gss_enc2oid[i].oid != NULL && ctx != NULL)
		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
	return gss_enc2oid[i].oid;
}
/*
 * Prepare a fresh server-side GSS context for mechanism `oid`, replacing
 * any context already held in *ctx, and acquire the acceptor credential.
 * Returns the major status of the credential acquisition.
 */
OM_uint32
ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
{
	/* Never leak a previously built context. */
	if (*ctx != NULL)
		ssh_gssapi_delete_ctx(ctx);

	ssh_gssapi_build_ctx(ctx);
	ssh_gssapi_set_oid(*ctx, oid);
	return ssh_gssapi_acquire_cred(*ctx);
}
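/*
 * Probe whether the GSS-API mechanism `oid` can authenticate to `host`
 * by importing the target name and attempting one init_ctx round-trip
 * in a throwaway context.  Returns non-zero when the mechanism is usable,
 * 0 otherwise.  The temporary context is always deleted before returning.
 */
int
ssh_gssapi_check_mechanism(gss_OID oid, const char *host)
{
	Gssctxt *ctx = NULL;
	/*
	 * Start from an empty buffer so that gss_release_buffer() below is
	 * well-defined even when init_ctx fails before producing a token.
	 */
	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
	OM_uint32 major, minor;

	ssh_gssapi_build_ctx(&ctx);
	ssh_gssapi_set_oid(ctx, oid);

	/*
	 * Only attempt a context when the target name imported cleanly; a
	 * failed import is itself a "mechanism not usable" result.
	 * The cast matches the char * prototype this revision appears to use.
	 */
	major = ssh_gssapi_import_name(ctx, (char *)host);
	if (!GSS_ERROR(major)) {
		major = ssh_gssapi_init_ctx(ctx, 0, GSS_C_NO_BUFFER, &token, NULL);
		gss_release_buffer(&minor, &token);
	}

	ssh_gssapi_delete_ctx(&ctx);
	return !GSS_ERROR(major);
}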
/*
 * Client-side lookup of the mechanism OID encoded in a GSS key exchange
 * algorithm name.  The name must begin with KEX_GSS_SHA1; the remainder is
 * matched against the gss_enc2oid table.  On a match ctx is bound to the
 * OID.  Returns NULL when the prefix is missing, or the table's oid field
 * for the matching (or terminating) entry.
 */
gss_OID
ssh_gssapi_client_id_kex(Gssctxt *ctx, char *name)
{
	const size_t prefix_len = sizeof(KEX_GSS_SHA1) - 1;
	const char *id;
	int i;

	if (strncmp(name, KEX_GSS_SHA1, prefix_len) != 0)
		return NULL;

	/* Skip the fixed prefix; what remains is the encoded mech id. */
	id = name + prefix_len;

	for (i = 0; gss_enc2oid[i].encoded != NULL; i++) {
		if (strcmp(id, gss_enc2oid[i].encoded) == 0)
			break;
	}

	if (gss_enc2oid[i].oid != NULL)
		ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid);
	return gss_enc2oid[i].oid;
}
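/*
 * Export GSI credentials to disk.
 *
 * Asks the mechanism to export the delegated credential, which is
 * expected to come back as a "NAME=path" string.  NAME is recorded in
 * client->store.envvar (X509_USER_DELEG_PROXY is mapped to
 * X509_USER_PROXY) and the path in client->store.envval.  When a
 * filename is already configured in client->store the exported file is
 * renamed onto it; if that rename fails the exported path is used
 * instead.  Errors other than GSS_S_UNAVAILABLE are reported through
 * ssh_gssapi_error().  Does nothing when client or its creds are NULL.
 */
static void
ssh_gssapi_gsi_storecreds(ssh_gssapi_client *client)
{
	OM_uint32 major_status;
	OM_uint32 minor_status;
	gss_buffer_desc export_cred = GSS_C_EMPTY_BUFFER;
	char *exported = NULL;	/* NUL-terminated private copy of export_cred */
	char *p;

	if (!client || !client->creds) {
		return;
	}

	major_status = gss_export_cred(&minor_status, client->creds,
	    GSS_C_NO_OID, 1, &export_cred);
	if (GSS_ERROR(major_status) && major_status != GSS_S_UNAVAILABLE) {
		Gssctxt *ctx;

		/* Route the failure through the usual GSS error reporter. */
		ssh_gssapi_build_ctx(&ctx);
		ctx->major = major_status;
		ctx->minor = minor_status;
		ssh_gssapi_set_oid(ctx, &gssapi_gsi_mech.oid);
		ssh_gssapi_error(ctx);
		ssh_gssapi_delete_ctx(&ctx);
		return;
	}

	/*
	 * GSS_S_UNAVAILABLE falls through to here with the buffer still empty;
	 * there is nothing to store, and strchr() on a NULL value would crash.
	 */
	if (export_cred.value == NULL)
		goto out;

	/*
	 * A GSS buffer is not guaranteed to be NUL-terminated, so work on a
	 * terminated copy rather than calling str* functions on it directly.
	 */
	exported = malloc(export_cred.length + 1);
	if (exported == NULL) {
		logit("Failed to allocate %lu bytes for exported credentials",
		    (unsigned long)export_cred.length + 1);
		goto out;
	}
	memcpy(exported, export_cred.value, export_cred.length);
	exported[export_cred.length] = '\0';

	p = strchr(exported, '=');
	if (p == NULL) {
		logit("Failed to parse exported credentials string '%.100s'",
		    exported);
		goto out;
	}
	*p++ = '\0';	/* exported is now NAME; p points at the path */

	if (strcmp(exported, "X509_USER_DELEG_PROXY") == 0) {
		client->store.envvar = strdup("X509_USER_PROXY");
	} else {
		client->store.envvar = strdup(exported);
	}

	if (access(p, R_OK) == 0) {
		if (client->store.filename) {
			if (rename(p, client->store.filename) < 0) {
				logit("Failed to rename %s to %s: %s", p,
				    client->store.filename, strerror(errno));
				free(client->store.filename);
				client->store.filename = strdup(p);
			} else {
				/* The file now lives at the configured name. */
				p = client->store.filename;
			}
		} else {
			client->store.filename = strdup(p);
		}
	}
	client->store.envval = strdup(p);
#ifdef USE_PAM
	if (options.use_pam)
		do_pam_putenv(client->store.envvar, client->store.envval);
#endif
out:
	free(exported);
	gss_release_buffer(&minor_status, &export_cred);
}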