diff options
| author | Colin Watson <cjwatson@debian.org> | 2009-12-29 21:32:03 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2009-12-29 21:32:03 +0000 |
| commit | 04942aa41fa94ec6f2c3ce1d348f600f31bb7c78 (patch) | |
| tree | af8e928bd79d3f2d0219bb5b2c78b573ec31d94c /sshconnect2.c | |
| parent | 9ad7b718d42e43f3a285fcbc8f91193931fce324 (diff) | |
| parent | 16704d57999d987fb8d9ba53379841a79f016d67 (diff) | |
import openssh-4.2p1-gsskex-20050926-2.patch
Diffstat (limited to 'sshconnect2.c')
| -rw-r--r-- | sshconnect2.c | 46 |
1 files changed, 31 insertions, 15 deletions
diff --git a/sshconnect2.c b/sshconnect2.c index b69602c0c..aa0b6ec59 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -23,7 +23,7 @@ | |||
| 23 | */ | 23 | */ |
| 24 | 24 | ||
| 25 | #include "includes.h" | 25 | #include "includes.h" |
| 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $"); | 26 | RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $"); |
| 27 | 27 | ||
| 28 | #include "openbsd-compat/sys-queue.h" | 28 | #include "openbsd-compat/sys-queue.h" |
| 29 | 29 | ||
| @@ -87,16 +87,24 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 87 | #ifdef GSSAPI | 87 | #ifdef GSSAPI |
| 88 | char *orig, *gss; | 88 | char *orig, *gss; |
| 89 | int len; | 89 | int len; |
| 90 | char *gss_host; | ||
| 90 | #endif | 91 | #endif |
| 91 | 92 | ||
| 92 | xxx_host = host; | 93 | xxx_host = host; |
| 93 | xxx_hostaddr = hostaddr; | 94 | xxx_hostaddr = hostaddr; |
| 94 | 95 | ||
| 95 | #ifdef GSSAPI | 96 | #ifdef GSSAPI |
| 97 | /* Add the GSSAPI mechanisms currently supported on this client to | ||
| 98 | * the key exchange algorithm proposal */ | ||
| 96 | orig = myproposal[PROPOSAL_KEX_ALGS]; | 99 | orig = myproposal[PROPOSAL_KEX_ALGS]; |
| 97 | gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1)); | 100 | if (options.gss_trust_dns) |
| 98 | debug("Offering GSSAPI proposal: %s",gss); | 101 | gss_host = (char *)get_canonical_hostname(1); |
| 102 | else | ||
| 103 | gss_host = host; | ||
| 104 | |||
| 105 | gss = ssh_gssapi_client_mechanisms(gss_host); | ||
| 99 | if (gss) { | 106 | if (gss) { |
| 107 | debug("Offering GSSAPI proposal: %s", gss); | ||
| 100 | len = strlen(orig) + strlen(gss) + 2; | 108 | len = strlen(orig) + strlen(gss) + 2; |
| 101 | myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len); | 109 | myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len); |
| 102 | snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss, | 110 | snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s", gss, |
| @@ -118,10 +126,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 118 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); | 126 | compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); |
| 119 | if (options.compression) { | 127 | if (options.compression) { |
| 120 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 128 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
| 121 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none"; | 129 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none"; |
| 122 | } else { | 130 | } else { |
| 123 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = | 131 | myproposal[PROPOSAL_COMP_ALGS_CTOS] = |
| 124 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib"; | 132 | myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib"; |
| 125 | } | 133 | } |
| 126 | if (options.macs != NULL) { | 134 | if (options.macs != NULL) { |
| 127 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = | 135 | myproposal[PROPOSAL_MAC_ALGS_CTOS] = |
| @@ -132,6 +140,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 132 | options.hostkeyalgorithms; | 140 | options.hostkeyalgorithms; |
| 133 | 141 | ||
| 134 | #ifdef GSSAPI | 142 | #ifdef GSSAPI |
| 143 | /* If we've got GSSAPI algorithms, then we also support the | ||
| 144 | * 'null' hostkey, as a last resort */ | ||
| 135 | if (gss) { | 145 | if (gss) { |
| 136 | orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; | 146 | orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; |
| 137 | len = strlen(orig) + sizeof(",null"); | 147 | len = strlen(orig) + sizeof(",null"); |
| @@ -151,6 +161,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 151 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 161 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
| 152 | #ifdef GSSAPI | 162 | #ifdef GSSAPI |
| 153 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; | 163 | kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; |
| 164 | kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; | ||
| 154 | #endif | 165 | #endif |
| 155 | kex->client_version_string=client_version_string; | 166 | kex->client_version_string=client_version_string; |
| 156 | kex->server_version_string=server_version_string; | 167 | kex->server_version_string=server_version_string; |
| @@ -158,6 +169,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) | |||
| 158 | 169 | ||
| 159 | #ifdef GSSAPI | 170 | #ifdef GSSAPI |
| 160 | kex->gss_deleg_creds = options.gss_deleg_creds; | 171 | kex->gss_deleg_creds = options.gss_deleg_creds; |
| 172 | kex->gss_trust_dns = options.gss_trust_dns; | ||
| 173 | kex->gss_host = gss_host; | ||
| 161 | #endif | 174 | #endif |
| 162 | 175 | ||
| 163 | xxx_kex = kex; | 176 | xxx_kex = kex; |
| @@ -242,7 +255,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | |||
| 242 | void input_gssapi_hash(int type, u_int32_t, void *); | 255 | void input_gssapi_hash(int type, u_int32_t, void *); |
| 243 | void input_gssapi_error(int, u_int32_t, void *); | 256 | void input_gssapi_error(int, u_int32_t, void *); |
| 244 | void input_gssapi_errtok(int, u_int32_t, void *); | 257 | void input_gssapi_errtok(int, u_int32_t, void *); |
| 245 | int userauth_gsskeyx(Authctxt *authctxt); | 258 | int userauth_gsskeyex(Authctxt *authctxt); |
| 246 | #endif | 259 | #endif |
| 247 | 260 | ||
| 248 | void userauth(Authctxt *, char *); | 261 | void userauth(Authctxt *, char *); |
| @@ -258,8 +271,8 @@ static char *authmethods_get(void); | |||
| 258 | 271 | ||
| 259 | Authmethod authmethods[] = { | 272 | Authmethod authmethods[] = { |
| 260 | #ifdef GSSAPI | 273 | #ifdef GSSAPI |
| 261 | {"gssapi-keyx", | 274 | {"gssapi-keyex", |
| 262 | userauth_gsskeyx, | 275 | userauth_gsskeyex, |
| 263 | &options.gss_authentication, | 276 | &options.gss_authentication, |
| 264 | NULL}, | 277 | NULL}, |
| 265 | {"gssapi-with-mic", | 278 | {"gssapi-with-mic", |
| @@ -391,7 +404,7 @@ void | |||
| 391 | input_userauth_error(int type, u_int32_t seq, void *ctxt) | 404 | input_userauth_error(int type, u_int32_t seq, void *ctxt) |
| 392 | { | 405 | { |
| 393 | fatal("input_userauth_error: bad message during authentication: " | 406 | fatal("input_userauth_error: bad message during authentication: " |
| 394 | "type %d", type); | 407 | "type %d", type); |
| 395 | } | 408 | } |
| 396 | 409 | ||
| 397 | void | 410 | void |
| @@ -521,7 +534,7 @@ userauth_gssapi(Authctxt *authctxt) | |||
| 521 | { | 534 | { |
| 522 | Gssctxt *gssctxt = NULL; | 535 | Gssctxt *gssctxt = NULL; |
| 523 | static gss_OID_set gss_supported = NULL; | 536 | static gss_OID_set gss_supported = NULL; |
| 524 | static int mech = 0; | 537 | static u_int mech = 0; |
| 525 | OM_uint32 min; | 538 | OM_uint32 min; |
| 526 | int ok = 0; | 539 | int ok = 0; |
| 527 | 540 | ||
| @@ -548,7 +561,8 @@ userauth_gssapi(Authctxt *authctxt) | |||
| 548 | } | 561 | } |
| 549 | } | 562 | } |
| 550 | 563 | ||
| 551 | if (!ok) return 0; | 564 | if (!ok) |
| 565 | return 0; | ||
| 552 | 566 | ||
| 553 | authctxt->methoddata=(void *)gssctxt; | 567 | authctxt->methoddata=(void *)gssctxt; |
| 554 | 568 | ||
| @@ -583,7 +597,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) | |||
| 583 | Authctxt *authctxt = ctxt; | 597 | Authctxt *authctxt = ctxt; |
| 584 | Gssctxt *gssctxt = authctxt->methoddata; | 598 | Gssctxt *gssctxt = authctxt->methoddata; |
| 585 | gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; | 599 | gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; |
| 586 | gss_buffer_desc gssbuf, mic; | 600 | gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; |
| 601 | gss_buffer_desc gssbuf; | ||
| 587 | OM_uint32 status, ms, flags; | 602 | OM_uint32 status, ms, flags; |
| 588 | Buffer b; | 603 | Buffer b; |
| 589 | 604 | ||
| @@ -717,7 +732,7 @@ input_gssapi_errtok(int type, u_int32_t plen, void *ctxt) | |||
| 717 | 732 | ||
| 718 | /* Stick it into GSSAPI and see what it says */ | 733 | /* Stick it into GSSAPI and see what it says */ |
| 719 | status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, | 734 | status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, |
| 720 | &recv_tok, &send_tok, NULL); | 735 | &recv_tok, &send_tok, NULL); |
| 721 | 736 | ||
| 722 | xfree(recv_tok.value); | 737 | xfree(recv_tok.value); |
| 723 | gss_release_buffer(&ms, &send_tok); | 738 | gss_release_buffer(&ms, &send_tok); |
| @@ -745,10 +760,11 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | |||
| 745 | } | 760 | } |
| 746 | 761 | ||
| 747 | int | 762 | int |
| 748 | userauth_gsskeyx(Authctxt *authctxt) | 763 | userauth_gsskeyex(Authctxt *authctxt) |
| 749 | { | 764 | { |
| 750 | Buffer b; | 765 | Buffer b; |
| 751 | gss_buffer_desc gssbuf, mic; | 766 | gss_buffer_desc gssbuf; |
| 767 | gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; | ||
| 752 | OM_uint32 ms; | 768 | OM_uint32 ms; |
| 753 | 769 | ||
| 754 | static int attempt = 0; | 770 | static int attempt = 0; |