author | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
commit | 62f54f20bf351468e0124f63cc2902ee40d9b0e9 (patch) | |
tree | 3e090f2711b94ca5029d3fa3e8047b1ed1448b1f /auth2-gss.c | |
parent | 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (diff) | |
parent | 66bf74a92131b7effe49fb0eefe5225151869dc5 (diff) |
Import openssh_7.6p1.orig.tar.gz
Diffstat (limited to 'auth2-gss.c')
-rw-r--r-- | auth2-gss.c | 77 |
1 files changed, 44 insertions, 33 deletions
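--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.26 2017/06/24 06:34:38 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -48,18 +48,19 @@
 
 extern ServerOptions options;
 
-static int input_gssapi_token(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_errtok(int, u_int32_t, void *);
+static int input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
+static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
 
 /*
  * We only support those mechanisms that we know about (ie ones that we know
  * how to check local user kuserok and the like)
  */
 static int
-userauth_gssapi(Authctxt *authctxt)
+userauth_gssapi(struct ssh *ssh)
 {
+Authctxt *authctxt = ssh->authctxt;
 gss_OID_desc goid = {0, NULL};
 Gssctxt *ctxt = NULL;
 int mechs;
@@ -119,17 +120,17 @@ userauth_gssapi(Authctxt *authctxt)
 packet_send();
 free(doid);
 
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
 authctxt->postponed = 1;
 
 return (0);
 }
 
 static int
-input_gssapi_token(int type, u_int32_t plen, void *ctxt)
+input_gssapi_token(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 Gssctxt *gssctxt;
 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc recv_tok;
@@ -157,8 +158,8 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 packet_send();
 }
 authctxt->postponed = 0;
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+userauth_finish(ssh, 0, "gssapi-with-mic", NULL);
 } else {
 if (send_tok.length != 0) {
 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -166,12 +167,12 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 packet_send();
 }
 if (maj_status == GSS_S_COMPLETE) {
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 if (flags & GSS_C_INTEG_FLAG)
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC,
 &input_gssapi_mic);
 else
-dispatch_set(
+ssh_dispatch_set(ssh,
 SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
 &input_gssapi_exchange_complete);
 }
@@ -182,9 +183,9 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 }
 
 static int
-input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
+input_gssapi_errtok(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 Gssctxt *gssctxt;
 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc recv_tok;
@@ -207,8 +208,8 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 free(recv_tok.value);
 
 /* We can't return anything to the client, even if we wanted to */
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 
 /* The client will have already moved on to the next auth */
 
@@ -223,10 +224,11 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
 */
 
 static int
-input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
+input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 int authenticated;
+const char *displayname;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 fatal("No authentication or GSSAPI context");
@@ -240,24 +242,29 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 
 authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
 
+if ((!use_privsep || mm_is_monitor()) &&
+(displayname = ssh_gssapi_displayname()) != NULL)
+auth2_record_info(authctxt, "%s", displayname);
+
 authctxt->postponed = 0;
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
 return 0;
 }
 
 static int
-input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
 {
-Authctxt *authctxt = ctxt;
+Authctxt *authctxt = ssh->authctxt;
 Gssctxt *gssctxt;
 int authenticated = 0;
 Buffer b;
 gss_buffer_desc mic, gssbuf;
 u_int len;
+const char *displayname;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
 fatal("No authentication or GSSAPI context");
@@ -281,12 +288,16 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 buffer_free(&b);
 free(mic.value);
 
+if ((!use_privsep || mm_is_monitor()) &&
+(displayname = ssh_gssapi_displayname()) != NULL)
+auth2_record_info(authctxt, "%s", displayname);
+
 authctxt->postponed = 0;
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
+ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+userauth_finish(ssh, authenticated, "gssapi-with-mic", NULL);
 return 0;
 }
 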
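Review bot: The new principal-logging block at new lines 245–247 of input_gssapi_exchange_complete is pasted verbatim into input_gssapi_mic at new lines 291–293, and neither copy says why it is gated on `(!use_privsep || mm_is_monitor())`, so a reader cannot tell whether the child process is skipped deliberately or by accident. A shared static helper with a why-comment would remove the duplication and document the gate; I would phrase the comment hedged, e.g. `/* NOTE(review): ssh_gssapi_displayname() appears to need the GSSAPI context, which under privsep only the monitor holds -- confirm */`. Keep `"%s"` as the format argument as the patch does, since the display name presumably comes from the peer's credentials and must never become the format string itself. Both enclosing functions begin and end outside the hunks shown.
```c
/* Record the GSSAPI display name for the auth log, where it can be queried. */
static void
gssapi_record_displayname(Authctxt *authctxt)
{
	const char *displayname;

	/* NOTE(review): ssh_gssapi_displayname() appears to need the GSSAPI
	 * context, which under privsep only the monitor holds -- confirm. */
	if ((!use_privsep || mm_is_monitor()) &&
	    (displayname = ssh_gssapi_displayname()) != NULL)
		auth2_record_info(authctxt, "%s", displayname);
}

/* … unchanged: input_gssapi_exchange_complete up to the userok check … */
	gssapi_record_displayname(authctxt);
/* … unchanged: dispatch teardown and userauth_finish; same call replaces the copy in input_gssapi_mic … */
```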