1/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
2
3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright

--- 13 unchanged lines hidden (view full) ---

23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#ifdef GSSAPI
30
31#include "bufaux.h"
32#include "auth.h"
33#include "log.h"
34#include "channels.h"
35#include "session.h"
36#include "servconf.h"
37#include "xmalloc.h"
38#include "getput.h"
39
40#include "ssh-gss.h"
41
42static ssh_gssapi_client gssapi_client =
43 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
44 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
45
46ssh_gssapi_mech gssapi_null_mech =

--- 26 unchanged lines hidden (view full) ---

73 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
74 &supported_mechs[i]->oid, supported, &present)))
75 present = 0;
76 if (present)
77 gss_add_oid_set_member(&min_status,
78 &supported_mechs[i]->oid, oidset);
79 i++;
80 }
81}
82
83
84/* Wrapper around accept_sec_context
85 * Requires that the context contains:
86 * oid
87 * credentials (from ssh_gssapi_acquire_cred)
88 */

--- 57 unchanged lines hidden (view full) ---

146
147 /*
148 * Extract the OID, and check it. Here GSSAPI breaks with tradition
149 * and does use the OID type and length bytes. To confuse things
150 * there are two lengths - the first including these, and the
151 * second without.
152 */
153
154 oidl = GET_16BIT(tok+2); /* length including next two bytes */
155 oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
156
157 /*
158 * Check the BER encoding for correct type and length, that the
159 * string is long enough and that the OID matches that in our context
160 */
161 if (tok[4] != 0x06 || tok[5] != oidl ||
162 ename->length < oidl+6 ||
163 !ssh_gssapi_check_oid(ctx, tok+6, oidl))
164 return GSS_S_FAILURE;
165
166 offset = oidl+6;
167
168 if (ename->length < offset+4)
169 return GSS_S_FAILURE;
170
171 name->length = GET_32BIT(tok+offset);
172 offset += 4;
173
174 if (ename->length < offset+name->length)
175 return GSS_S_FAILURE;
176
177 name->value = xmalloc(name->length+1);
178 memcpy(name->value, tok+offset,name->length);
179 ((char *)name->value)[name->length] = 0;
180
181 return GSS_S_COMPLETE;
182}
183
184/* Extract the client details from a given context. This can only reliably
185 * be called once for a context */
186

--- 42 unchanged lines hidden (view full) ---

229}
230
231/* As user - called on fatal/exit */
232void
233ssh_gssapi_cleanup_creds(void)
234{
235 if (gssapi_client.store.filename != NULL) {
236 /* Unlink probably isn't sufficient */
237 debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
238 unlink(gssapi_client.store.filename);
239 }
240}
241
242/* As user */
243void
244ssh_gssapi_storecreds(void)
245{

--- 61 unchanged lines hidden ---
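Review bot: The bounds check `if (ename->length < offset+name->length)` can be defeated by wraparound: `name->length` is read straight from the token with GET_32BIT, so `offset+name->length` may wrap to a small value and the following `xmalloc(name->length+1)` and `memcpy` then run with a length the check never validated. Guard the addition before comparing, e.g. `if (UINT_MAX - offset < name->length) return GSS_S_FAILURE;` placed directly before the existing check (adjust the limit to the actual types of `offset` and `name->length`, which are declared outside the visible lines). The earlier condition `tok[4] != 0x06 || tok[5] != oidl` also dereferences `tok[4]` and `tok[5]` before `ename->length < oidl+6` is evaluated; unless a minimum-length guard in the hidden lines above already covers six bytes, the length comparison should be the first operand of that `||` chain. The enclosing function begins before the visible lines.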