author | jp161948 <none@none> | 2008-02-26 06:10:09 -0800 |
---|---|---|
committer | jp161948 <none@none> | 2008-02-26 06:10:09 -0800 |
commit | c15e4e4b931f60f7af37864eb58a2cb72782abeb (patch) | |
tree | eb5fa0273d633b3aa36478ef1c7e2805392957f2 /usr/src/cmd/ssh/libssh/common/kexgssc.c | |
parent | 709bb9d7e51d9eb1a54651e14434668097805c75 (diff) | |
download | illumos-gate-c15e4e4b931f60f7af37864eb58a2cb72782abeb.tar.gz |
6627886 make SunSSH's GSS-API code cstyle clean
Diffstat (limited to 'usr/src/cmd/ssh/libssh/common/kexgssc.c')
-rw-r--r-- | usr/src/cmd/ssh/libssh/common/kexgssc.c | 250 |
1 files changed, 124 insertions, 126 deletions
diff --git a/usr/src/cmd/ssh/libssh/common/kexgssc.c b/usr/src/cmd/ssh/libssh/common/kexgssc.c
index 815044733d..60c91ed57b 100644
--- a/usr/src/cmd/ssh/libssh/common/kexgssc.c
+++ b/usr/src/cmd/ssh/libssh/common/kexgssc.c
@@ -22,11 +22,11 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
-#pragma ident "%Z%%M% %I% %E% SMI"
+#pragma ident "%Z%%M% %I% %E% SMI"
 #include "includes.h"
@@ -56,15 +56,15 @@ static void kexgss_verbose_cleanup(void *arg);
 void
 kexgss_client(Kex *kex)
 {
- gss_buffer_desc gssbuf,send_tok,recv_tok, msg_tok;
+ gss_buffer_desc gssbuf, send_tok, recv_tok, msg_tok;
 gss_buffer_t token_ptr;
 gss_OID mech = GSS_C_NULL_OID;
 Gssctxt *ctxt = NULL;
 OM_uint32 maj_status, min_status, smaj_status, smin_status;
 unsigned int klen, kout;
- DH *dh;
+ DH *dh;
 BIGNUM *dh_server_pub = 0;
- BIGNUM *shared_secret = 0;
+ BIGNUM *shared_secret = 0;
 Key *server_host_key = NULL;
 unsigned char *kbuf;
 unsigned char *hash;
@@ -72,10 +72,10 @@ kexgss_client(Kex *kex)
 char *msg, *lang;
 int type = 0;
 int first = 1;
- u_int sbloblen = 0;
- u_int strlen;
-
- /* Map the negotiated kex name to a mech OID*/
+ uint_t sbloblen = 0;
+ uint_t strlen;
+
+ /* Map the negotiated kex name to a mech OID */
 ssh_gssapi_oid_of_kexname(kex->name, &mech);
 if (mech == GSS_C_NULL_OID)
 fatal("Couldn't match the negotiated GSS key exchange");
@@ -83,37 +83,34 @@ kexgss_client(Kex *kex)
 ssh_gssapi_build_ctx(&ctxt, 1, mech);
 /* This code should match that in ssh_dh1_client */
-
+
 /* Step 1 - e is dh->pub_key */
 dh = dh_new_group1();
 dh_gen_key(dh, kex->we_need * 8);
 /* This is f, we initialise it now to make life easier */
- dh_server_pub = BN_new();
- if (dh_server_pub == NULL) {
- fatal("dh_server_pub == NULL");
- }
-
+ dh_server_pub = BN_new();
+ if (dh_server_pub == NULL) {
+ fatal("dh_server_pub == NULL");
+ }
+
 token_ptr = GSS_C_NO_BUFFER;
-
- recv_tok.value=NULL;
- recv_tok.length=0;
+
+ recv_tok.value = NULL;
+ recv_tok.length = 0;
 do {
 debug("Calling gss_init_sec_context");
-
- maj_status=ssh_gssapi_init_ctx(ctxt,
- xxx_host,
- kex->options.gss_deleg_creds,
- token_ptr,
- &send_tok);
+
+ maj_status = ssh_gssapi_init_ctx(ctxt, xxx_host,
+ kex->options.gss_deleg_creds, token_ptr, &send_tok);
 if (GSS_ERROR(maj_status)) {
 ssh_gssapi_error(ctxt, "performing GSS-API protected "
- "SSHv2 key exchange");
+ "SSHv2 key exchange");
 (void) gss_release_buffer(&min_status, &send_tok);
 packet_disconnect("A GSS-API error occurred during "
- "GSS-API protected SSHv2 key exchange\n");
+ "GSS-API protected SSHv2 key exchange\n");
 }
 /* If we've got an old receive buffer get rid of it */
@@ -124,7 +121,7 @@ kexgss_client(Kex *kex)
 recv_tok.length = 0;
 token_ptr = GSS_C_NO_BUFFER;
 }
-
+
 if (maj_status == GSS_S_COMPLETE) {
 /* If mutual state flag is not true, kex fails */
 if (!(ctxt->flags & GSS_C_MUTUAL_FLAG)) {
@@ -135,29 +132,33 @@ kexgss_client(Kex *kex)
 fatal("Integrity check failed");
 }
 }
-
- /* If we have data to send, then the last message that we
- * received cannot have been a 'complete'. */
- if (send_tok.length !=0) {
+
+ /*
+ * If we have data to send, then the last message that we
+ * received cannot have been a 'complete'.
+ */
+ if (send_tok.length != 0) {
 if (first) {
 packet_start(SSH2_MSG_KEXGSS_INIT);
 packet_put_string(send_tok.value,
- send_tok.length);
+ send_tok.length);
 packet_put_bignum2(dh->pub_key);
- first=0;
+ first = 0;
 } else {
 packet_start(SSH2_MSG_KEXGSS_CONTINUE);
 packet_put_string(send_tok.value,
- send_tok.length);
+ send_tok.length);
 }
 (void) gss_release_buffer(&min_status, &send_tok);
 packet_send();
 packet_write_wait();
-
- /* If we've sent them data, they'd better be polite
- * and reply. */
-
+
+ /*
+ * If we've sent them data, they'd better be polite and
+ * reply.
+ */
+
 next_packet:
 /*
 * We need to catch connection closing w/o error
@@ -175,141 +176,138 @@ next_packet:
 case SSH2_MSG_KEXGSS_HOSTKEY:
 debug("Received KEXGSS_HOSTKEY");
 server_host_key_blob =
- packet_get_string(&sbloblen);
+ packet_get_string(&sbloblen);
 server_host_key =
- key_from_blob(server_host_key_blob,
- sbloblen);
+ key_from_blob(server_host_key_blob,
+ sbloblen);
 goto next_packet; /* there MUSt be another */
 break;
 case SSH2_MSG_KEXGSS_CONTINUE:
 debug("Received GSSAPI_CONTINUE");
- if (maj_status == GSS_S_COMPLETE)
+ if (maj_status == GSS_S_COMPLETE)
 packet_disconnect("Protocol error: "
- "received GSS-API context token"
- " though the context was already"
- " established");
- recv_tok.value=packet_get_string(&strlen);
- recv_tok.length=strlen; /* u_int vs. size_t */
+ "received GSS-API context token "
+ "though the context was already "
+ "established");
+ recv_tok.value = packet_get_string(&strlen);
+ recv_tok.length = strlen; /* u_int vs. size_t */
 break;
 case SSH2_MSG_KEXGSS_COMPLETE:
 debug("Received GSSAPI_COMPLETE");
- packet_get_bignum2(dh_server_pub);
- msg_tok.value=packet_get_string(&strlen);
- msg_tok.length=strlen; /* u_int vs. size_t */
+ packet_get_bignum2(dh_server_pub);
+ msg_tok.value = packet_get_string(&strlen);
+ msg_tok.length = strlen; /* u_int vs. size_t */
 /* Is there a token included? */
 if (packet_get_char()) {
- recv_tok.value=
+ recv_tok.value =
 packet_get_string(&strlen);
- recv_tok.length=strlen; /*u_int/size_t*/
+ /* u_int/size_t */
+ recv_tok.length = strlen;
 }
 if (recv_tok.length > 0 &&
 maj_status == GSS_S_COMPLETE) {
 packet_disconnect("Protocol error: "
- "received GSS-API context token"
- " though the context was already"
- " established");
+ "received GSS-API context token "
+ "though the context was already "
+ "established");
 } else if (recv_tok.length == 0 &&
- maj_status == GSS_S_CONTINUE_NEEDED) {
- /* No token included */
+ maj_status == GSS_S_CONTINUE_NEEDED) {
+ /* No token included */
 packet_disconnect("Protocol error: "
- "did not receive expected "
- "GSS-API context token");
+ "did not receive expected "
+ "GSS-API context token");
 }
 break;
 case SSH2_MSG_KEXGSS_ERROR:
- smaj_status=packet_get_int();
- smin_status=packet_get_int();
+ smaj_status = packet_get_int();
+ smin_status = packet_get_int();
 msg = packet_get_string(NULL);
 lang = packet_get_string(NULL);
 xfree(lang);
 error("Server had a GSS-API error; the "
- "connection will close (%d/%d):\n%s",
- smaj_status, smin_status, msg);
+ "connection will close (%d/%d):\n%s",
+ smaj_status, smin_status, msg);
 error("Use the GssKeyEx option to disable "
- "GSS-API key exchange and try again.");
+ "GSS-API key exchange and try again.");
 packet_disconnect("The server had a GSS-API "
- "error during GSS-API protected SSHv2 "
- "key exchange\n");
+ "error during GSS-API protected SSHv2 "
+ "key exchange\n");
 break;
 default:
 packet_disconnect("Protocol error: "
- "didn't expect packet type %d", type);
+ "didn't expect packet type %d", type);
 }
 if (recv_tok.value)
- token_ptr=&recv_tok;
+ token_ptr = &recv_tok;
 } else {
 /* No data, and not complete */
 if (maj_status != GSS_S_COMPLETE) {
 fatal("Not complete, and no token output");
 }
 }
- } while (maj_status == GSS_S_CONTINUE_NEEDED);
-
- /* We _must_ have received a COMPLETE message in reply from the
- * server, which will have set dh_server_pub and msg_tok */
-
- if (type != SSH2_MSG_KEXGSS_COMPLETE)
- fatal("Expected SSH2_MSG_KEXGSS_COMPLETE never arrived");
- if (maj_status != GSS_S_COMPLETE)
- fatal("Internal error in GSS-API protected SSHv2 key exchange");
-
+ } while (maj_status == GSS_S_CONTINUE_NEEDED);
+
+ /*
+ * We _must_ have received a COMPLETE message in reply from the
+ * server, which will have set dh_server_pub and msg_tok.
+ */
+ if (type != SSH2_MSG_KEXGSS_COMPLETE)
+ fatal("Expected SSH2_MSG_KEXGSS_COMPLETE never arrived");
+ if (maj_status != GSS_S_COMPLETE)
+ fatal("Internal error in GSS-API protected SSHv2 key exchange");
+
 /* Check f in range [1, p-1] */
- if (!dh_pub_is_valid(dh, dh_server_pub))
- packet_disconnect("bad server public DH value");
-
- /* compute K=f^x mod p */
- klen = DH_size(dh);
- kbuf = xmalloc(klen);
- kout = DH_compute_key(kbuf, dh_server_pub, dh);
-
- shared_secret = BN_new();
- BN_bin2bn(kbuf,kout, shared_secret);
- (void) memset(kbuf, 0, klen);
- xfree(kbuf);
-
- /* The GSS hash is identical to the DH one */
- hash = kex_dh_hash(
- kex->client_version_string,
- kex->server_version_string,
- buffer_ptr(&kex->my), buffer_len(&kex->my),
- buffer_ptr(&kex->peer), buffer_len(&kex->peer),
- server_host_key_blob, sbloblen, /* server host key */
- dh->pub_key, /* e */
- dh_server_pub, /* f */
- shared_secret /* K */
- );
-
- gssbuf.value=hash;
- gssbuf.length=20;
-
- /* Verify that H matches the token we just got. */
- if ((maj_status = gss_verify_mic(&min_status,
- ctxt->context,
- &gssbuf,
- &msg_tok,
- NULL))) {
+ if (!dh_pub_is_valid(dh, dh_server_pub))
+ packet_disconnect("bad server public DH value");
+
+ /* compute K=f^x mod p */
+ klen = DH_size(dh);
+ kbuf = xmalloc(klen);
+ kout = DH_compute_key(kbuf, dh_server_pub, dh);
+
+ shared_secret = BN_new();
+ BN_bin2bn(kbuf, kout, shared_secret);
+ (void) memset(kbuf, 0, klen);
+ xfree(kbuf);
+ /* The GSS hash is identical to the DH one */
+ hash = kex_dh_hash(
+ kex->client_version_string,
+ kex->server_version_string,
+ buffer_ptr(&kex->my), buffer_len(&kex->my),
+ buffer_ptr(&kex->peer), buffer_len(&kex->peer),
+ server_host_key_blob, sbloblen, /* server host key */
+ dh->pub_key, /* e */
+ dh_server_pub, /* f */
+ shared_secret); /* K */
+
+ gssbuf.value = hash;
+ gssbuf.length = 20;
+
+ /* Verify that H matches the token we just got. */
+ if ((maj_status = gss_verify_mic(&min_status, ctxt->context, &gssbuf,
+ &msg_tok, NULL))) {
 packet_disconnect("Hash's MIC didn't verify");
- }
+ }
 if (server_host_key && kex->accept_host_key != NULL)
 (void) kex->accept_host_key(server_host_key);
-
- DH_free(dh);
+
+ DH_free(dh);
 xxx_gssctxt = ctxt; /* for gss keyex w/ mic userauth */
- /* save session id */
- if (kex->session_id == NULL) {
- kex->session_id_len = 20;
- kex->session_id = xmalloc(kex->session_id_len);
- (void) memcpy(kex->session_id, hash, kex->session_id_len);
- }
-
+ /* save session id */
+ if (kex->session_id == NULL) {
+ kex->session_id_len = 20;
+ kex->session_id = xmalloc(kex->session_id_len);
+ (void) memcpy(kex->session_id, hash, kex->session_id_len);
+ }
+
 kex_derive_keys(kex, hash, shared_secret);
 BN_clear_free(shared_secret);
- kex_finish(kex);
+ kex_finish(kex);
 }
 /* ARGSUSED */
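Review bot: The result of `DH_compute_key()` is never checked before `BN_bin2bn(kbuf, kout, shared_secret)` on the new side; `DH_compute_key()` returns -1 on failure, and since `kout` is declared `unsigned int` in the declarations hunk earlier in this diff, that -1 becomes a huge length and `BN_bin2bn` would read far beyond the `klen`-byte `kbuf`. Check it right after the call, e.g. `kout = DH_compute_key(kbuf, dh_server_pub, dh);` / `if ((int)kout < 0)` / `fatal("DH_compute_key: failed");`, or declare `kout` as `int` in the declarations hunk so the comparison needs no cast. In the same stretch `shared_secret = BN_new()` has no NULL check even though `dh_server_pub` gets one a few hunks up, and with a NULL destination `BN_bin2bn` returns a freshly allocated BIGNUM that is discarded here, leaving `kex_derive_keys()` with a NULL secret. The literal `20` used for `gssbuf.length` and `kex->session_id_len` appears to be the digest length of `kex_dh_hash()`; a named constant or at least a comment such as `/* length of the kex_dh_hash() digest -- confirm against kex.h */` would stop it silently going stale. `kexgss_client()` begins outside this hunk.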
@@ -318,10 +316,10 @@ void
 kexgss_verbose_cleanup(void *arg)
 {
 error("The GSS-API protected key exchange has failed without "
- "indication\nfrom the server, possibly due to misconfiguration "
- "of the server.");
+ "indication\nfrom the server, possibly due to misconfiguration "
+ "of the server.");
 error("Use the GssKeyEx option to disable GSS-API key exchange "
- "and try again.");
+ "and try again.");
 }
 #endif /* GSSAPI */ |