diff options
| author | Damien Miller <djm@mindrot.org> | 2003-11-17 22:18:21 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2003-11-17 22:18:21 +1100 |
| commit | 0425d40194f36c57423c014b0730a9d344dbe019 (patch) | |
| tree | 537527b6d0092152ee9f0c4ad01ea4bb41d8c271 /auth2-gss.c | |
| parent | c756e9b56e5b4649f120c417eb9bc99cf23db10f (diff) | |
- markus@cvs.openbsd.org 2003/11/17 11:06:07
[auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c]
[monitor_wrap.h sshconnect2.c ssh-gss.h]
replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
test + ok jakob.
Diffstat (limited to 'auth2-gss.c')
| -rw-r--r-- | auth2-gss.c | 68 |
1 files changed, 57 insertions, 11 deletions
diff --git a/auth2-gss.c b/auth2-gss.c index 84fb384f9..220862dc8 100644 --- a/auth2-gss.c +++ b/auth2-gss.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-gss.c,v 1.5 2003/11/02 11:01:03 markus Exp $ */ | 1 | /* $OpenBSD: auth2-gss.c,v 1.6 2003/11/17 11:06:07 markus Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
| @@ -43,6 +43,7 @@ | |||
| 43 | extern ServerOptions options; | 43 | extern ServerOptions options; |
| 44 | 44 | ||
| 45 | static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); | 45 | static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); |
| 46 | static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | ||
| 46 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 47 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
| 47 | static void input_gssapi_errtok(int, u_int32_t, void *); | 48 | static void input_gssapi_errtok(int, u_int32_t, void *); |
| 48 | 49 | ||
| @@ -129,7 +130,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) | |||
| 129 | Gssctxt *gssctxt; | 130 | Gssctxt *gssctxt; |
| 130 | gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | 131 | gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
| 131 | gss_buffer_desc recv_tok; | 132 | gss_buffer_desc recv_tok; |
| 132 | OM_uint32 maj_status, min_status; | 133 | OM_uint32 maj_status, min_status, flags; |
| 133 | u_int len; | 134 | u_int len; |
| 134 | 135 | ||
| 135 | if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) | 136 | if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) |
| @@ -142,7 +143,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) | |||
| 142 | packet_check_eom(); | 143 | packet_check_eom(); |
| 143 | 144 | ||
| 144 | maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, | 145 | maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, |
| 145 | &send_tok, NULL)); | 146 | &send_tok, &flags)); |
| 146 | 147 | ||
| 147 | xfree(recv_tok.value); | 148 | xfree(recv_tok.value); |
| 148 | 149 | ||
| @@ -154,7 +155,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) | |||
| 154 | } | 155 | } |
| 155 | authctxt->postponed = 0; | 156 | authctxt->postponed = 0; |
| 156 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 157 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
| 157 | userauth_finish(authctxt, 0, "gssapi"); | 158 | userauth_finish(authctxt, 0, "gssapi-with-mic"); |
| 158 | } else { | 159 | } else { |
| 159 | if (send_tok.length != 0) { | 160 | if (send_tok.length != 0) { |
| 160 | packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); | 161 | packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); |
| @@ -163,8 +164,13 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) | |||
| 163 | } | 164 | } |
| 164 | if (maj_status == GSS_S_COMPLETE) { | 165 | if (maj_status == GSS_S_COMPLETE) { |
| 165 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 166 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
| 166 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, | 167 | if (flags & GSS_C_INTEG_FLAG) |
| 167 | &input_gssapi_exchange_complete); | 168 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, |
| 169 | &input_gssapi_mic); | ||
| 170 | else | ||
| 171 | dispatch_set( | ||
| 172 | SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, | ||
| 173 | &input_gssapi_exchange_complete); | ||
| 168 | } | 174 | } |
| 169 | } | 175 | } |
| 170 | 176 | ||
| @@ -224,9 +230,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | |||
| 224 | gssctxt = authctxt->methoddata; | 230 | gssctxt = authctxt->methoddata; |
| 225 | 231 | ||
| 226 | /* | 232 | /* |
| 227 | * We don't need to check the status, because the stored credentials | 233 | * We don't need to check the status, because we're only enabled in |
| 228 | * which userok uses are only populated once the context init step | 234 | * the dispatcher once the exchange is complete |
| 229 | * has returned complete. | ||
| 230 | */ | 235 | */ |
| 231 | 236 | ||
| 232 | packet_check_eom(); | 237 | packet_check_eom(); |
| @@ -236,12 +241,53 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | |||
| 236 | authctxt->postponed = 0; | 241 | authctxt->postponed = 0; |
| 237 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 242 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
| 238 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); | 243 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); |
| 244 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); | ||
| 245 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | ||
| 246 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | ||
| 247 | } | ||
| 248 | |||
| 249 | static void | ||
| 250 | input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | ||
| 251 | { | ||
| 252 | Authctxt *authctxt = ctxt; | ||
| 253 | Gssctxt *gssctxt; | ||
| 254 | int authenticated = 0; | ||
| 255 | Buffer b; | ||
| 256 | gss_buffer_desc mic, gssbuf; | ||
| 257 | u_int len; | ||
| 258 | |||
| 259 | if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) | ||
| 260 | fatal("No authentication or GSSAPI context"); | ||
| 261 | |||
| 262 | gssctxt = authctxt->methoddata; | ||
| 263 | |||
| 264 | mic.value = packet_get_string(&len); | ||
| 265 | mic.length = len; | ||
| 266 | |||
| 267 | ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, | ||
| 268 | "gssapi-with-mic"); | ||
| 269 | |||
| 270 | gssbuf.value = buffer_ptr(&b); | ||
| 271 | gssbuf.length = buffer_len(&b); | ||
| 272 | |||
| 273 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | ||
| 274 | authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); | ||
| 275 | else | ||
| 276 | logit("GSSAPI MIC check failed"); | ||
| 277 | |||
| 278 | buffer_free(&b); | ||
| 279 | xfree(mic.value); | ||
| 280 | |||
| 281 | authctxt->postponed = 0; | ||
| 282 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | ||
| 283 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); | ||
| 284 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); | ||
| 239 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); | 285 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); |
| 240 | userauth_finish(authctxt, authenticated, "gssapi"); | 286 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); |
| 241 | } | 287 | } |
| 242 | 288 | ||
| 243 | Authmethod method_gssapi = { | 289 | Authmethod method_gssapi = { |
| 244 | "gssapi", | 290 | "gssapi-with-mic", |
| 245 | userauth_gssapi, | 291 | userauth_gssapi, |
| 246 | &options.gss_authentication | 292 | &options.gss_authentication |
| 247 | }; | 293 | }; |