diff options
| author | jp161948 <none@none> | 2008-02-26 06:10:09 -0800 |
|---|---|---|
| committer | jp161948 <none@none> | 2008-02-26 06:10:09 -0800 |
| commit | c15e4e4b931f60f7af37864eb58a2cb72782abeb (patch) | |
| tree | eb5fa0273d633b3aa36478ef1c7e2805392957f2 /usr/src/cmd/ssh/libssh/common | |
| parent | 709bb9d7e51d9eb1a54651e14434668097805c75 (diff) | |
| download | illumos-gate-c15e4e4b931f60f7af37864eb58a2cb72782abeb.tar.gz | |
6627886 make SunSSH's GSS-API code cstyle clean
Diffstat (limited to 'usr/src/cmd/ssh/libssh/common')
| -rw-r--r-- | usr/src/cmd/ssh/libssh/common/kexgssc.c | 250 | ||||
| -rw-r--r-- | usr/src/cmd/ssh/libssh/common/kexgsss.c | 100 | ||||
| -rw-r--r-- | usr/src/cmd/ssh/libssh/common/ssh-gss.c | 289 |
3 files changed, 323 insertions, 316 deletions
diff --git a/usr/src/cmd/ssh/libssh/common/kexgssc.c b/usr/src/cmd/ssh/libssh/common/kexgssc.c index 815044733d..60c91ed57b 100644 --- a/usr/src/cmd/ssh/libssh/common/kexgssc.c +++ b/usr/src/cmd/ssh/libssh/common/kexgssc.c @@ -22,11 +22,11 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ -#pragma ident "%Z%%M% %I% %E% SMI" +#pragma ident "%Z%%M% %I% %E% SMI" #include "includes.h" @@ -56,15 +56,15 @@ static void kexgss_verbose_cleanup(void *arg); void kexgss_client(Kex *kex) { - gss_buffer_desc gssbuf,send_tok,recv_tok, msg_tok; + gss_buffer_desc gssbuf, send_tok, recv_tok, msg_tok; gss_buffer_t token_ptr; gss_OID mech = GSS_C_NULL_OID; Gssctxt *ctxt = NULL; OM_uint32 maj_status, min_status, smaj_status, smin_status; unsigned int klen, kout; - DH *dh; + DH *dh; BIGNUM *dh_server_pub = 0; - BIGNUM *shared_secret = 0; + BIGNUM *shared_secret = 0; Key *server_host_key = NULL; unsigned char *kbuf; unsigned char *hash; @@ -72,10 +72,10 @@ kexgss_client(Kex *kex) char *msg, *lang; int type = 0; int first = 1; - u_int sbloblen = 0; - u_int strlen; - - /* Map the negotiated kex name to a mech OID*/ + uint_t sbloblen = 0; + uint_t strlen; + + /* Map the negotiated kex name to a mech OID */ ssh_gssapi_oid_of_kexname(kex->name, &mech); if (mech == GSS_C_NULL_OID) fatal("Couldn't match the negotiated GSS key exchange"); @@ -83,37 +83,34 @@ kexgss_client(Kex *kex) ssh_gssapi_build_ctx(&ctxt, 1, mech); /* This code should match that in ssh_dh1_client */ - + /* Step 1 - e is dh->pub_key */ dh = dh_new_group1(); dh_gen_key(dh, kex->we_need * 8); /* This is f, we initialise it now to make life easier */ - dh_server_pub = BN_new(); - if (dh_server_pub == NULL) { - fatal("dh_server_pub == NULL"); - } - + dh_server_pub = BN_new(); + if (dh_server_pub == NULL) { + fatal("dh_server_pub == NULL"); + } + token_ptr = GSS_C_NO_BUFFER; - - recv_tok.value=NULL; - recv_tok.length=0; + + recv_tok.value = NULL; + recv_tok.length = 0; do { debug("Calling gss_init_sec_context"); - - maj_status=ssh_gssapi_init_ctx(ctxt, - xxx_host, - kex->options.gss_deleg_creds, - token_ptr, - &send_tok); + + maj_status = ssh_gssapi_init_ctx(ctxt, xxx_host, + kex->options.gss_deleg_creds, token_ptr, &send_tok); if (GSS_ERROR(maj_status)) { ssh_gssapi_error(ctxt, "performing GSS-API protected " - "SSHv2 key exchange"); + "SSHv2 key exchange"); (void) gss_release_buffer(&min_status, &send_tok); packet_disconnect("A GSS-API error occurred during " - "GSS-API protected SSHv2 key exchange\n"); + "GSS-API protected SSHv2 key exchange\n"); } /* If we've got an old receive buffer get rid of it */ @@ -124,7 +121,7 @@ kexgss_client(Kex *kex) recv_tok.length = 0; token_ptr = GSS_C_NO_BUFFER; } - + if (maj_status == GSS_S_COMPLETE) { /* If mutual state flag is not true, kex fails */ if (!(ctxt->flags & GSS_C_MUTUAL_FLAG)) { @@ -135,29 +132,33 @@ kexgss_client(Kex *kex) fatal("Integrity check failed"); } } - - /* If we have data to send, then the last message that we - * received cannot have been a 'complete'. */ - if (send_tok.length !=0) { + + /* + * If we have data to send, then the last message that we + * received cannot have been a 'complete'. + */ + if (send_tok.length != 0) { if (first) { packet_start(SSH2_MSG_KEXGSS_INIT); packet_put_string(send_tok.value, - send_tok.length); + send_tok.length); packet_put_bignum2(dh->pub_key); - first=0; + first = 0; } else { packet_start(SSH2_MSG_KEXGSS_CONTINUE); packet_put_string(send_tok.value, - send_tok.length); + send_tok.length); } (void) gss_release_buffer(&min_status, &send_tok); packet_send(); packet_write_wait(); - - /* If we've sent them data, they'd better be polite - * and reply. */ - + + /* + * If we've sent them data, they'd better be polite and + * reply. + */ + next_packet: /* * We need to catch connection closing w/o error @@ -175,141 +176,138 @@ next_packet: case SSH2_MSG_KEXGSS_HOSTKEY: debug("Received KEXGSS_HOSTKEY"); server_host_key_blob = - packet_get_string(&sbloblen); + packet_get_string(&sbloblen); server_host_key = - key_from_blob(server_host_key_blob, - sbloblen); + key_from_blob(server_host_key_blob, + sbloblen); goto next_packet; /* there MUSt be another */ break; case SSH2_MSG_KEXGSS_CONTINUE: debug("Received GSSAPI_CONTINUE"); - if (maj_status == GSS_S_COMPLETE) + if (maj_status == GSS_S_COMPLETE) packet_disconnect("Protocol error: " - "received GSS-API context token" - " though the context was already" - " established"); - recv_tok.value=packet_get_string(&strlen); - recv_tok.length=strlen; /* u_int vs. size_t */ + "received GSS-API context token " + "though the context was already " + "established"); + recv_tok.value = packet_get_string(&strlen); + recv_tok.length = strlen; /* u_int vs. size_t */ break; case SSH2_MSG_KEXGSS_COMPLETE: debug("Received GSSAPI_COMPLETE"); - packet_get_bignum2(dh_server_pub); - msg_tok.value=packet_get_string(&strlen); - msg_tok.length=strlen; /* u_int vs. size_t */ + packet_get_bignum2(dh_server_pub); + msg_tok.value = packet_get_string(&strlen); + msg_tok.length = strlen; /* u_int vs. size_t */ /* Is there a token included? */ if (packet_get_char()) { - recv_tok.value= + recv_tok.value = packet_get_string(&strlen); - recv_tok.length=strlen; /*u_int/size_t*/ + /* u_int/size_t */ + recv_tok.length = strlen; } if (recv_tok.length > 0 && maj_status == GSS_S_COMPLETE) { packet_disconnect("Protocol error: " - "received GSS-API context token" - " though the context was already" - " established"); + "received GSS-API context token " + "though the context was already " + "established"); } else if (recv_tok.length == 0 && - maj_status == GSS_S_CONTINUE_NEEDED) { - /* No token included */ + maj_status == GSS_S_CONTINUE_NEEDED) { + /* No token included */ packet_disconnect("Protocol error: " - "did not receive expected " - "GSS-API context token"); + "did not receive expected " + "GSS-API context token"); } break; case SSH2_MSG_KEXGSS_ERROR: - smaj_status=packet_get_int(); - smin_status=packet_get_int(); + smaj_status = packet_get_int(); + smin_status = packet_get_int(); msg = packet_get_string(NULL); lang = packet_get_string(NULL); xfree(lang); error("Server had a GSS-API error; the " - "connection will close (%d/%d):\n%s", - smaj_status, smin_status, msg); + "connection will close (%d/%d):\n%s", + smaj_status, smin_status, msg); error("Use the GssKeyEx option to disable " - "GSS-API key exchange and try again."); + "GSS-API key exchange and try again."); packet_disconnect("The server had a GSS-API " - "error during GSS-API protected SSHv2 " - "key exchange\n"); + "error during GSS-API protected SSHv2 " + "key exchange\n"); break; default: packet_disconnect("Protocol error: " - "didn't expect packet type %d", type); + "didn't expect packet type %d", type); } if (recv_tok.value) - token_ptr=&recv_tok; + token_ptr = &recv_tok; } else { /* No data, and not complete */ if (maj_status != GSS_S_COMPLETE) { fatal("Not complete, and no token output"); } } - } while (maj_status == GSS_S_CONTINUE_NEEDED); - - /* We _must_ have received a COMPLETE message in reply from the - * server, which will have set dh_server_pub and msg_tok */ - - if (type != SSH2_MSG_KEXGSS_COMPLETE) - fatal("Expected SSH2_MSG_KEXGSS_COMPLETE never arrived"); - if (maj_status != GSS_S_COMPLETE) - fatal("Internal error in GSS-API protected SSHv2 key exchange"); - + } while (maj_status == GSS_S_CONTINUE_NEEDED); + + /* + * We _must_ have received a COMPLETE message in reply from the + * server, which will have set dh_server_pub and msg_tok. + */ + if (type != SSH2_MSG_KEXGSS_COMPLETE) + fatal("Expected SSH2_MSG_KEXGSS_COMPLETE never arrived"); + if (maj_status != GSS_S_COMPLETE) + fatal("Internal error in GSS-API protected SSHv2 key exchange"); + /* Check f in range [1, p-1] */ - if (!dh_pub_is_valid(dh, dh_server_pub)) - packet_disconnect("bad server public DH value"); - - /* compute K=f^x mod p */ - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_server_pub, dh); - - shared_secret = BN_new(); - BN_bin2bn(kbuf,kout, shared_secret); - (void) memset(kbuf, 0, klen); - xfree(kbuf); - - /* The GSS hash is identical to the DH one */ - hash = kex_dh_hash( - kex->client_version_string, - kex->server_version_string, - buffer_ptr(&kex->my), buffer_len(&kex->my), - buffer_ptr(&kex->peer), buffer_len(&kex->peer), - server_host_key_blob, sbloblen, /* server host key */ - dh->pub_key, /* e */ - dh_server_pub, /* f */ - shared_secret /* K */ - ); - - gssbuf.value=hash; - gssbuf.length=20; - - /* Verify that H matches the token we just got. */ - if ((maj_status = gss_verify_mic(&min_status, - ctxt->context, - &gssbuf, - &msg_tok, - NULL))) { + if (!dh_pub_is_valid(dh, dh_server_pub)) + packet_disconnect("bad server public DH value"); + + /* compute K=f^x mod p */ + klen = DH_size(dh); + kbuf = xmalloc(klen); + kout = DH_compute_key(kbuf, dh_server_pub, dh); + + shared_secret = BN_new(); + BN_bin2bn(kbuf, kout, shared_secret); + (void) memset(kbuf, 0, klen); + xfree(kbuf); + /* The GSS hash is identical to the DH one */ + hash = kex_dh_hash( + kex->client_version_string, + kex->server_version_string, + buffer_ptr(&kex->my), buffer_len(&kex->my), + buffer_ptr(&kex->peer), buffer_len(&kex->peer), + server_host_key_blob, sbloblen, /* server host key */ + dh->pub_key, /* e */ + dh_server_pub, /* f */ + shared_secret); /* K */ + + gssbuf.value = hash; + gssbuf.length = 20; + + /* Verify that H matches the token we just got. */ + if ((maj_status = gss_verify_mic(&min_status, ctxt->context, &gssbuf, + &msg_tok, NULL))) { packet_disconnect("Hash's MIC didn't verify"); - } + } if (server_host_key && kex->accept_host_key != NULL) (void) kex->accept_host_key(server_host_key); - - DH_free(dh); + + DH_free(dh); xxx_gssctxt = ctxt; /* for gss keyex w/ mic userauth */ - /* save session id */ - if (kex->session_id == NULL) { - kex->session_id_len = 20; - kex->session_id = xmalloc(kex->session_id_len); - (void) memcpy(kex->session_id, hash, kex->session_id_len); - } - + /* save session id */ + if (kex->session_id == NULL) { + kex->session_id_len = 20; + kex->session_id = xmalloc(kex->session_id_len); + (void) memcpy(kex->session_id, hash, kex->session_id_len); + } + kex_derive_keys(kex, hash, shared_secret); BN_clear_free(shared_secret); - kex_finish(kex); + kex_finish(kex); } /* ARGSUSED */ @@ -318,10 +316,10 @@ void kexgss_verbose_cleanup(void *arg) { error("The GSS-API protected key exchange has failed without " - "indication\nfrom the server, possibly due to misconfiguration " - "of the server."); + "indication\nfrom the server, possibly due to misconfiguration " + "of the server."); error("Use the GssKeyEx option to disable GSS-API key exchange " - "and try again."); + "and try again."); } #endif /* GSSAPI */ diff --git a/usr/src/cmd/ssh/libssh/common/kexgsss.c b/usr/src/cmd/ssh/libssh/common/kexgsss.c index 61f3fb70f1..9ee8b630bb 100644 --- a/usr/src/cmd/ssh/libssh/common/kexgsss.c +++ b/usr/src/cmd/ssh/libssh/common/kexgsss.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -58,16 +58,16 @@ kexgss_server(Kex *kex) OM_uint32 maj_status, min_status; gss_buffer_desc gssbuf, send_tok, recv_tok, msg_tok; Gssctxt *ctxt = NULL; - unsigned int klen, kout; - unsigned int sbloblen = 0; - unsigned char *kbuf, *hash; + unsigned int klen, kout; + unsigned int sbloblen = 0; + unsigned char *kbuf, *hash; unsigned char *server_host_key_blob = NULL; - DH *dh; + DH *dh; Key *server_host_key = NULL; - BIGNUM *shared_secret = NULL; - BIGNUM *dh_client_pub = NULL; - int type =0; - u_int slen; + BIGNUM *shared_secret = NULL; + BIGNUM *dh_client_pub = NULL; + int type = 0; + uint_t slen; gss_OID oid; /* @@ -96,37 +96,39 @@ kexgss_server(Kex *kex) do { debug("Wait SSH2_MSG_GSSAPI_INIT"); type = packet_read(); - switch(type) { + switch (type) { case SSH2_MSG_KEXGSS_INIT: - if (dh_client_pub!=NULL) - fatal("Received KEXGSS_INIT after initialising"); - recv_tok.value=packet_get_string(&slen); - recv_tok.length=slen; /* int vs. size_t */ + if (dh_client_pub != NULL) + fatal("Received KEXGSS_INIT after " + "initialising"); + recv_tok.value = packet_get_string(&slen); + recv_tok.length = slen; /* int vs. size_t */ - dh_client_pub = BN_new(); + dh_client_pub = BN_new(); - if (dh_client_pub == NULL) - fatal("dh_client_pub == NULL"); - packet_get_bignum2(dh_client_pub); + if (dh_client_pub == NULL) + fatal("dh_client_pub == NULL"); + packet_get_bignum2(dh_client_pub); - /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ + /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ if (sbloblen) { packet_start(SSH2_MSG_KEXGSS_HOSTKEY); - packet_put_string(server_host_key_blob, sbloblen); + packet_put_string(server_host_key_blob, + sbloblen); packet_send(); packet_write_wait(); } break; case SSH2_MSG_KEXGSS_CONTINUE: - recv_tok.value=packet_get_string(&slen); - recv_tok.length=slen; /* int vs. size_t */ + recv_tok.value = packet_get_string(&slen); + recv_tok.length = slen; /* int vs. size_t */ break; default: - packet_disconnect("Protocol error: didn't expect packet type %d", - type); + packet_disconnect("Protocol error: didn't expect " + "packet type %d", type); } - maj_status = ssh_gssapi_accept_ctx(ctxt,&recv_tok, &send_tok); + maj_status = ssh_gssapi_accept_ctx(ctxt, &recv_tok, &send_tok); xfree(recv_tok.value); /* We allocated this, not gss */ @@ -136,7 +138,7 @@ kexgss_server(Kex *kex) if (maj_status == GSS_S_CONTINUE_NEEDED) { debug("Sending GSSAPI_CONTINUE"); packet_start(SSH2_MSG_KEXGSS_CONTINUE); - packet_put_string(send_tok.value,send_tok.length); + packet_put_string(send_tok.value, send_tok.length); packet_send(); packet_write_wait(); (void) gss_release_buffer(&min_status, &send_tok); @@ -145,9 +147,9 @@ kexgss_server(Kex *kex) if (GSS_ERROR(maj_status)) { kex_gss_send_error(ctxt); - if (send_tok.length>0) { + if (send_tok.length > 0) { packet_start(SSH2_MSG_KEXGSS_CONTINUE); - packet_put_string(send_tok.value,send_tok.length); + packet_put_string(send_tok.value, send_tok.length); packet_send(); packet_write_wait(); (void) gss_release_buffer(&min_status, &send_tok); @@ -165,12 +167,12 @@ kexgss_server(Kex *kex) dh = dh_new_group1(); dh_gen_key(dh, kex->we_need * 8); - if (!dh_pub_is_valid(dh, dh_client_pub)) - packet_disconnect("bad client public DH value"); + if (!dh_pub_is_valid(dh, dh_client_pub)) + packet_disconnect("bad client public DH value"); - klen = DH_size(dh); - kbuf = xmalloc(klen); - kout = DH_compute_key(kbuf, dh_client_pub, dh); + klen = DH_size(dh); + kbuf = xmalloc(klen); + kout = DH_compute_key(kbuf, dh_client_pub, dh); shared_secret = BN_new(); BN_bin2bn(kbuf, kout, shared_secret); @@ -178,16 +180,16 @@ kexgss_server(Kex *kex) xfree(kbuf); /* The GSSAPI hash is identical to the Diffie Helman one */ - hash = kex_dh_hash( - kex->client_version_string, - kex->server_version_string, - buffer_ptr(&kex->peer), buffer_len(&kex->peer), - buffer_ptr(&kex->my), buffer_len(&kex->my), - server_host_key_blob, sbloblen, - dh_client_pub, - dh->pub_key, - shared_secret - ); + hash = kex_dh_hash( + kex->client_version_string, + kex->server_version_string, + buffer_ptr(&kex->peer), buffer_len(&kex->peer), + buffer_ptr(&kex->my), buffer_len(&kex->my), + server_host_key_blob, sbloblen, + dh_client_pub, + dh->pub_key, + shared_secret); + BN_free(dh_client_pub); if (kex->session_id == NULL) { @@ -202,24 +204,24 @@ kexgss_server(Kex *kex) gssbuf.length = 20; /* yes, it's always 20 (SHA-1) */ gssbuf.value = hash; /* and it's static constant storage */ - if (GSS_ERROR(ssh_gssapi_get_mic(ctxt,&gssbuf,&msg_tok))) { + if (GSS_ERROR(ssh_gssapi_get_mic(ctxt, &gssbuf, &msg_tok))) { kex_gss_send_error(ctxt); fatal("Couldn't get MIC"); } packet_start(SSH2_MSG_KEXGSS_COMPLETE); packet_put_bignum2(dh->pub_key); - packet_put_string((char *)msg_tok.value,msg_tok.length); + packet_put_string((char *)msg_tok.value, msg_tok.length); (void) gss_release_buffer(&min_status, &msg_tok); if (send_tok.length != 0) { packet_put_char(1); /* true */ - packet_put_string((char *)send_tok.value,send_tok.length); + packet_put_string((char *)send_tok.value, send_tok.length); (void) gss_release_buffer(&min_status, &send_tok); } else { packet_put_char(0); /* false */ } - packet_send(); + packet_send(); packet_write_wait(); DH_free(dh); @@ -232,9 +234,9 @@ kexgss_server(Kex *kex) static void kex_gss_send_error(Gssctxt *ctxt) { char *errstr; - OM_uint32 maj,min; + OM_uint32 maj, min; - errstr = ssh_gssapi_last_error(ctxt,&maj,&min); + errstr = ssh_gssapi_last_error(ctxt, &maj, &min); if (errstr) { packet_start(SSH2_MSG_KEXGSS_ERROR); packet_put_int(maj); diff --git a/usr/src/cmd/ssh/libssh/common/ssh-gss.c b/usr/src/cmd/ssh/libssh/common/ssh-gss.c index fcf8e11b51..c784426e90 100644 --- a/usr/src/cmd/ssh/libssh/common/ssh-gss.c +++ b/usr/src/cmd/ssh/libssh/common/ssh-gss.c @@ -21,7 +21,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -62,7 +62,7 @@ static ssh_gss_kex_mapping **gss_enc2oid = NULL; static void ssh_gssapi_encode_oid_for_kex(const gss_OID oid, char **enc_name); static char *ssh_gssapi_make_kexalgs_list(gss_OID_set mechs, - const char *old_kexalgs); + const char *old_kexalgs); /* * Populate gss_enc2oid table and return list of kexnames. @@ -83,7 +83,7 @@ ssh_gssapi_mech_oids_to_kexnames(const gss_OID_set mechs, char **kexname_list) if (mechs != GSS_C_NULL_OID_SET || kexname_list == NULL) { /* Cleanup gss_enc2oid table */ - for (p = gss_enc2oid ; p != NULL && *p != NULL ; p++) { + for (p = gss_enc2oid; p != NULL && *p != NULL; p++) { if ((*p)->encoded) xfree((*p)->encoded); ssh_gssapi_release_oid(&(*p)->oid); @@ -99,24 +99,24 @@ ssh_gssapi_mech_oids_to_kexnames(const gss_OID_set mechs, char **kexname_list) if (mechs) { gss_OID mech; /* Populate gss_enc2oid table */ - new_gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping *) * - (mechs->count + 1)); + new_gss_enc2oid = xmalloc(sizeof (ssh_gss_kex_mapping *) * + (mechs->count + 1)); memset(new_gss_enc2oid, 0, - sizeof(ssh_gss_kex_mapping *) * (mechs->count + 1)); + sizeof (ssh_gss_kex_mapping *) * (mechs->count + 1)); - for (i = 0 ; i < mechs->count ; i++) { + for (i = 0; i < mechs->count; i++) { mech = &mechs->elements[i]; ssh_gssapi_encode_oid_for_kex((const gss_OID)mech, - &enc_name); + &enc_name); if (!enc_name) continue; new_gss_enc2oid[i] = - xmalloc(sizeof(ssh_gss_kex_mapping)); + xmalloc(sizeof (ssh_gss_kex_mapping)); (new_gss_enc2oid[i])->encoded = enc_name; (new_gss_enc2oid[i])->oid = - ssh_gssapi_dup_oid(&mechs->elements[i]); + ssh_gssapi_dup_oid(&mechs->elements[i]); } /* Do this last to avoid run-ins with fatal_cleanups */ @@ -128,8 +128,8 @@ ssh_gssapi_mech_oids_to_kexnames(const gss_OID_set mechs, char **kexname_list) /* Make kex name list */ buffer_init(&buf); - for (p = gss_enc2oid ; p && *p ; p++) { - buffer_put_char(&buf,','); + for (p = gss_enc2oid; p && *p; p++) { + buffer_put_char(&buf, ','); buffer_append(&buf, (*p)->encoded, strlen((*p)->encoded)); } @@ -139,7 +139,7 @@ ssh_gssapi_mech_oids_to_kexnames(const gss_OID_set mechs, char **kexname_list) } buffer_consume(&buf, 1); /* consume leading ',' */ - buffer_put_char(&buf,'\0'); + buffer_put_char(&buf, '\0'); *kexname_list = xstrdup(buffer_ptr(&buf)); buffer_free(&buf); @@ -155,10 +155,10 @@ ssh_gssapi_mech_oid_to_kexname(const gss_OID mech, char **kexname) *kexname = NULL; /* default to not found */ if (gss_enc2oid) { - for (p = gss_enc2oid ; p && *p ; p++) { + for (p = gss_enc2oid; p && *p; p++) { if (mech->length == (*p)->oid->length && memcmp(mech->elements, (*p)->oid->elements, - mech->length) == 0) + mech->length) == 0) *kexname = xstrdup((*p)->encoded); } } @@ -182,7 +182,7 @@ ssh_gssapi_oid_of_kexname(const char *kexname, gss_OID *mech) if (!gss_enc2oid) return; - for (p = gss_enc2oid ; p && *p ; p++) { + for (p = gss_enc2oid; p && *p; p++) { if (strcmp(kexname, (*p)->encoded) == 0) { *mech = (*p)->oid; return; @@ -194,13 +194,13 @@ static void ssh_gssapi_encode_oid_for_kex(const gss_OID oid, char **enc_name) { - Buffer buf; - OM_uint32 oidlen; - u_int enclen; - const EVP_MD *evp_md = EVP_md5(); - EVP_MD_CTX md; - u_char digest[EVP_MAX_MD_SIZE]; - char *encoded; + Buffer buf; + OM_uint32 oidlen; + uint_t enclen; + const EVP_MD *evp_md = EVP_md5(); + EVP_MD_CTX md; + uchar_t digest[EVP_MAX_MD_SIZE]; + char *encoded; if (oid == GSS_C_NULL_OID || !enc_name) return; @@ -237,22 +237,21 @@ ssh_gssapi_encode_oid_for_kex(const gss_OID oid, char **enc_name) buffer_free(&buf); /* Base 64 encoding */ - encoded=xmalloc(EVP_MD_size(evp_md)*2); - enclen=__b64_ntop(digest, EVP_MD_size(evp_md), - encoded,EVP_MD_size(evp_md)*2); + encoded = xmalloc(EVP_MD_size(evp_md)*2); + enclen = __b64_ntop(digest, EVP_MD_size(evp_md), + encoded, EVP_MD_size(evp_md) * 2); buffer_init(&buf); - buffer_append(&buf, KEX_GSS_SHA1, sizeof(KEX_GSS_SHA1)-1); + buffer_append(&buf, KEX_GSS_SHA1, sizeof (KEX_GSS_SHA1) - 1); buffer_append(&buf, encoded, enclen); buffer_put_char(&buf, '\0'); - - debug2("GSS-API Mechanism encoded as %s",encoded); + + debug2("GSS-API Mechanism encoded as %s", encoded); *enc_name = xstrdup(buffer_ptr(&buf)); buffer_free(&buf); } -static -char * +static char * ssh_gssapi_make_kexalgs_list(gss_OID_set mechs, const char *old_kexalgs) { char *gss_kexalgs, *new_kexalgs; @@ -303,10 +302,9 @@ ssh_gssapi_modify_kex(Kex *kex, gss_OID_set mechs, char **proposal) if (kex->mechs->count == mechs->count) { int present, matches = 0; - for ( i = 0 ; i < mechs->count ; i++ ) { + for (i = 0; i < mechs->count; i++) { maj = gss_test_oid_set_member(&min, - &kex->mechs->elements[i], mechs, - &present); + &kex->mechs->elements[i], mechs, &present); if (GSS_ERROR(maj)) { mechs = GSS_C_NULL_OID_SET; @@ -329,7 +327,7 @@ mod_offer: */ p = kexalgs = orig_kexalgs = proposal[PROPOSAL_KEX_ALGS]; while (p != NULL && *p != '\0' && - strncmp(p, KEX_GSS_SHA1, strlen(KEX_GSS_SHA1)) == 0) { + strncmp(p, KEX_GSS_SHA1, strlen(KEX_GSS_SHA1)) == 0) { if ((p = strchr(p, ',')) == NULL) break; @@ -350,9 +348,9 @@ mod_offer: maj = gss_create_empty_oid_set(&min, &dup_mechs); if (GSS_ERROR(maj)) return; - for ( i = 0 ; i < mechs->count ; i++ ) { + for (i = 0; i < mechs->count; i++) { maj = gss_add_oid_set_member(&min, &mechs->elements[i], - &dup_mechs); + &dup_mechs); if (GSS_ERROR(maj)) { (void) gss_release_oid_set(&min, &dup_mechs); @@ -361,7 +359,8 @@ mod_offer: } /* Add mechs to kexalgs ... */ - proposal[PROPOSAL_KEX_ALGS] = ssh_gssapi_make_kexalgs_list(mechs, kexalgs); + proposal[PROPOSAL_KEX_ALGS] = ssh_gssapi_make_kexalgs_list(mechs, + kexalgs); kex->mechs = dup_mechs; /* remember what we offer now */ /* @@ -375,7 +374,7 @@ mod_offer: proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xstrdup("null"); } else if (!kex->server) { hostalgs = xsplit(orig_hostalgs, ','); - for ( hostalg = hostalgs ; *hostalg != NULL ; hostalg++ ) { + for (hostalg = hostalgs; *hostalg != NULL; hostalg++) { if (strcmp(*hostalg, "null") == 0) { xfree_split_list(hostalgs); return; @@ -386,10 +385,10 @@ mod_offer: if (kex->mechs != GSS_C_NULL_OID_SET) { int len; - len = strlen(orig_hostalgs) + sizeof(",null"); + len = strlen(orig_hostalgs) + sizeof (",null"); new_hostalgs = xmalloc(len); (void) snprintf(new_hostalgs, len, "%s,null", - orig_hostalgs); + orig_hostalgs); proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = new_hostalgs; } @@ -427,46 +426,44 @@ int ssh_gssapi_is_spnego(gss_OID oid) { return (oid->length == 6 && - memcmp("\053\006\001\005\005\002", - oid->elements, 6) == 0); + memcmp("\053\006\001\005\005\002", oid->elements, 6) == 0); } int ssh_gssapi_is_krb5(gss_OID oid) { return (oid->length == 9 && - memcmp("\x2A\x86\x48\x86\xF7\x12\x01\x02\x02", - oid->elements, 9) == 0); + memcmp("\x2A\x86\x48\x86\xF7\x12\x01\x02\x02", + oid->elements, 9) == 0); } int ssh_gssapi_is_dh(gss_OID oid) { return (oid->length == 9 && - memcmp("\053\006\004\001\052\002\032\002\005", - oid->elements, 9) == 0); + memcmp("\053\006\004\001\052\002\032\002\005", + oid->elements, 9) == 0); } int ssh_gssapi_is_gsi(gss_OID oid) { return (oid->length == 9 && - memcmp("\x2B\x06\x01\x04\x01\x9B\x50\x01\x01", - oid->elements, 9) == 0); + memcmp("\x2B\x06\x01\x04\x01\x9B\x50\x01\x01", + oid->elements, 9) == 0); } -const -char * +const char * ssh_gssapi_oid_to_name(gss_OID oid) { #ifdef HAVE_GSS_OID_TO_MECH - return __gss_oid_to_mech(oid); + return (__gss_oid_to_mech(oid)); #else if (ssh_gssapi_is_krb5(oid)) - return "Kerberos"; + return ("Kerberos"); if (ssh_gssapi_is_gsi(oid)) - return "GSI"; - return "(unknown)"; + return ("GSI"); + return ("(unknown)"); #endif /* HAVE_GSS_OID_TO_MECH */ } @@ -481,42 +478,48 @@ ssh_gssapi_oid_to_str(gss_OID oid) maj = gss_oid_to_str(&min, oid, &str_buf); if (GSS_ERROR(maj)) - return xstrdup("<gss_oid_to_str() failed>"); + return (xstrdup("<gss_oid_to_str() failed>")); str = xmalloc(str_buf.length + 1); memset(str, 0, str_buf.length + 1); strlcpy(str, str_buf.value, str_buf.length + 1); (void) gss_release_buffer(&min, &str_buf); - return str; + return (str); #else - return xstrdup("<gss_oid_to_str() unsupported>"); + return (xstrdup("<gss_oid_to_str() unsupported>")); #endif /* HAVE_GSS_OID_TO_STR */ } /* Check that the OID in a data stream matches that in the context */ -int ssh_gssapi_check_mech_oid(Gssctxt *ctx, void *data, size_t len) { +int +ssh_gssapi_check_mech_oid(Gssctxt *ctx, void *data, size_t len) +{ - return (ctx!=NULL && ctx->desired_mech != GSS_C_NULL_OID && - ctx->desired_mech->length == len && - memcmp(ctx->desired_mech->elements,data,len)==0); + return (ctx != NULL && ctx->desired_mech != GSS_C_NULL_OID && + ctx->desired_mech->length == len && + memcmp(ctx->desired_mech->elements, data, len) == 0); } /* Set the contexts OID from a data stream */ -void ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) { - if (ctx->actual_mech != GSS_C_NULL_OID) { - xfree(ctx->actual_mech->elements); - xfree(ctx->actual_mech); - } - ctx->actual_mech=xmalloc(sizeof(gss_OID_desc)); - ctx->actual_mech->length=len; - ctx->actual_mech->elements=xmalloc(len); - memcpy(ctx->actual_mech->elements,data,len); +void +ssh_gssapi_set_oid_data(Gssctxt *ctx, void *data, size_t len) +{ + if (ctx->actual_mech != GSS_C_NULL_OID) { + xfree(ctx->actual_mech->elements); + xfree(ctx->actual_mech); + } + ctx->actual_mech = xmalloc(sizeof (gss_OID_desc)); + ctx->actual_mech->length = len; + ctx->actual_mech->elements = xmalloc(len); + memcpy(ctx->actual_mech->elements, data, len); } /* Set the contexts OID */ -void ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid) { - ssh_gssapi_set_oid_data(ctx,oid->elements,oid->length); +void +ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid) +{ + ssh_gssapi_set_oid_data(ctx, oid->elements, oid->length); } /* All this effort to report an error ... */ @@ -536,16 +539,17 @@ ssh_gssapi_error(Gssctxt *ctxt, const char *where) } char * -ssh_gssapi_last_error(Gssctxt *ctxt, - OM_uint32 *major_status, OM_uint32 *minor_status) { +ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status, + OM_uint32 *minor_status) +{ OM_uint32 lmin, more; OM_uint32 maj, min; gss_OID mech = GSS_C_NULL_OID; - gss_buffer_desc msg; - Buffer b; - char *ret; + gss_buffer_desc msg; + Buffer b; + char *ret; - buffer_init(&b); + buffer_init(&b); if (ctxt) { /* Get status codes from the Gssctxt */ @@ -558,7 +562,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, *minor_status = min; /* Get mechanism for minor status display */ mech = (ctxt->actual_mech != GSS_C_NULL_OID) ? - ctxt->actual_mech : ctxt->desired_mech; + ctxt->actual_mech : ctxt->desired_mech; } else if (major_status && minor_status) { maj = *major_status; min = *major_status; @@ -567,43 +571,42 @@ ssh_gssapi_last_error(Gssctxt *ctxt, min = 0; } - more = 0; + more = 0; /* The GSSAPI error */ - do { - gss_display_status(&lmin, maj, - GSS_C_GSS_CODE, GSS_C_NULL_OID, - &more, &msg); - - buffer_append(&b,msg.value,msg.length); - buffer_put_char(&b,'\n'); - gss_release_buffer(&lmin, &msg); - } while (more!=0); - - /* The mechanism specific error */ - do { + do { + gss_display_status(&lmin, maj, GSS_C_GSS_CODE, + GSS_C_NULL_OID, &more, &msg); + + buffer_append(&b, msg.value, msg.length); + buffer_put_char(&b, '\n'); + gss_release_buffer(&lmin, &msg); + } while (more != 0); + + /* The mechanism specific error */ + do { /* * If mech == GSS_C_NULL_OID we may get the default * mechanism, whatever that is, and that may not be * useful. */ - gss_display_status(&lmin, min, - GSS_C_MECH_CODE, mech, - &more, &msg); + gss_display_status(&lmin, min, GSS_C_MECH_CODE, mech, &more, + &msg); - buffer_append(&b,msg.value,msg.length); - buffer_put_char(&b,'\n'); + buffer_append(&b, msg.value, msg.length); + buffer_put_char(&b, '\n'); - gss_release_buffer(&lmin, &msg); - } while (more!=0); + gss_release_buffer(&lmin, &msg); + } while (more != 0); - buffer_put_char(&b,'\0'); - ret=xstrdup(buffer_ptr(&b)); - buffer_free(&b); + buffer_put_char(&b, '\0'); + ret = xstrdup(buffer_ptr(&b)); + buffer_free(&b); - return (ret); + return (ret); } -/* Initialise our GSSAPI context. We use this opaque structure to contain all +/* + * Initialise our GSSAPI context. We use this opaque structure to contain all * of the data which both the client and server need to persist across * {accept,init}_sec_context calls, so that when we do it from the userauth * stuff life is a little easier @@ -615,12 +618,12 @@ ssh_gssapi_build_ctx(Gssctxt **ctx, int client, gss_OID mech) newctx = (Gssctxt*)xmalloc(sizeof (Gssctxt)); - memset(newctx, 0, sizeof(Gssctxt)); + memset(newctx, 0, sizeof (Gssctxt)); newctx->local = client; newctx->desired_mech = ssh_gssapi_dup_oid(mech); - + /* This happens to be redundant given the memset() above */ newctx->major = GSS_S_COMPLETE; newctx->context = GSS_C_NO_CONTEXT; @@ -643,7 +646,7 @@ ssh_gssapi_dup_oid(gss_OID oid) { gss_OID new_oid; - new_oid = xmalloc(sizeof(gss_OID_desc)); + new_oid = xmalloc(sizeof (gss_OID_desc)); new_oid->elements = xmalloc(oid->length); new_oid->length = oid->length; @@ -681,10 +684,10 @@ ssh_gssapi_release_oid(gss_OID *oid) } struct gss_name { - gss_OID name_type; - gss_buffer_t external_name; - gss_OID mech_type; - void *mech_name; + gss_OID name_type; + gss_buffer_t external_name; + gss_OID mech_type; + void *mech_name; }; /* Delete our context, providing it has been built correctly */ @@ -697,24 +700,29 @@ ssh_gssapi_delete_ctx(Gssctxt **ctx) return; if ((*ctx)->context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&ms,&(*ctx)->context,GSS_C_NO_BUFFER); - /* XXX if ((*ctx)->desired_mech != GSS_C_NULL_OID) - ssh_gssapi_release_oid(&(*ctx)->desired_mech);*/ + gss_delete_sec_context(&ms, &(*ctx)->context, GSS_C_NO_BUFFER); +#if 0 + /* XXX */ + if ((*ctx)->desired_mech != GSS_C_NULL_OID) + ssh_gssapi_release_oid(&(*ctx)->desired_mech); +#endif if ((*ctx)->actual_mech != GSS_C_NULL_OID) (void) ssh_gssapi_release_oid(&(*ctx)->actual_mech); if ((*ctx)->desired_name != GSS_C_NO_NAME) - gss_release_name(&ms,&(*ctx)->desired_name); - /* if ((*ctx)->src_name != GSS_C_NO_NAME) - gss_release_name(&ms,&(*ctx)->src_name); */ + gss_release_name(&ms, &(*ctx)->desired_name); +#if 0 + if ((*ctx)->src_name != GSS_C_NO_NAME) + gss_release_name(&ms, &(*ctx)->src_name); +#endif if ((*ctx)->dst_name != GSS_C_NO_NAME) - gss_release_name(&ms,&(*ctx)->dst_name); + gss_release_name(&ms, &(*ctx)->dst_name); if ((*ctx)->creds != GSS_C_NO_CREDENTIAL) - gss_release_cred(&ms,&(*ctx)->creds); + gss_release_cred(&ms, &(*ctx)->creds); if ((*ctx)->deleg_creds != GSS_C_NO_CREDENTIAL) - gss_release_cred(&ms,&(*ctx)->deleg_creds); + gss_release_cred(&ms, &(*ctx)->deleg_creds); xfree(*ctx); - *ctx=NULL; + *ctx = NULL; } /* Create a GSS hostbased service principal name for a given server hostname */ @@ -725,50 +733,49 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *server_host) int ret; /* Build target principal */ - - /* Non-portable but very neat code relying on SUSv3: - name_buf.length = snprintf(NULL, 0, "%s@%S", - SSH_GSS_HOSTBASED_SERVICE, server_host); - */ - name_buf.length = strlen(SSH_GSS_HOSTBASED_SERVICE) + - strlen(server_host) + 1; /* +1 for '@' */ + strlen(server_host) + 1; /* +1 for '@' */ name_buf.value = xmalloc(name_buf.length + 1); /* +1 for NUL */ ret = snprintf(name_buf.value, name_buf.length + 1, "%s@%s", - SSH_GSS_HOSTBASED_SERVICE, server_host); + SSH_GSS_HOSTBASED_SERVICE, server_host); - debug3("%s: snprintf() returned %d, expected %d", __func__, ret, name_buf.length + 1); + debug3("%s: snprintf() returned %d, expected %d", __func__, ret, + name_buf.length + 1); ctx->major = gss_import_name(&ctx->minor, &name_buf, - GSS_C_NT_HOSTBASED_SERVICE, &ctx->desired_name); + GSS_C_NT_HOSTBASED_SERVICE, &ctx->desired_name); if (GSS_ERROR(ctx->major)) { ssh_gssapi_error(ctx, "calling GSS_Import_name()"); - return 0; + return (0); } xfree(name_buf.value); - return 1; + return (1); } OM_uint32 -ssh_gssapi_get_mic(Gssctxt *ctx, gss_buffer_desc *buffer, gss_buffer_desc *hash) { +ssh_gssapi_get_mic(Gssctxt *ctx, gss_buffer_desc *buffer, gss_buffer_desc *hash) +{ - ctx->major=gss_get_mic(&ctx->minor,ctx->context, - GSS_C_QOP_DEFAULT, buffer, hash); + ctx->major = gss_get_mic(&ctx->minor, ctx->context, + GSS_C_QOP_DEFAULT, buffer, hash); if (GSS_ERROR(ctx->major)) ssh_gssapi_error(ctx, "while getting MIC"); - return(ctx->major); + return (ctx->major); } OM_uint32 -ssh_gssapi_verify_mic(Gssctxt *ctx, gss_buffer_desc *buffer, gss_buffer_desc *hash) { +ssh_gssapi_verify_mic(Gssctxt *ctx, gss_buffer_desc *buffer, + gss_buffer_desc *hash) +{ gss_qop_t qop; - ctx->major=gss_verify_mic(&ctx->minor,ctx->context, buffer, hash, &qop); + ctx->major = gss_verify_mic(&ctx->minor, ctx->context, buffer, + hash, &qop); if (GSS_ERROR(ctx->major)) ssh_gssapi_error(ctx, "while verifying MIC"); - return(ctx->major); + return (ctx->major); } #endif /* GSSAPI */ |