Diffstat (limited to 'auth2-gss.c')
-rw-r--r-- | auth2-gss.c | 68 |
1 files changed, 57 insertions, 11 deletions
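--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.5 2003/11/02 11:01:03 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.6 2003/11/17 11:06:07 markus Exp $ */
 
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -43,6 +43,7 @@
 extern ServerOptions options;
 
 static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
+static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
 
@@ -129,7 +130,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 Gssctxt *gssctxt;
 gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 gss_buffer_desc recv_tok;
-OM_uint32 maj_status, min_status;
+OM_uint32 maj_status, min_status, flags;
 u_int len;
 
 if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
@@ -142,7 +143,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 packet_check_eom();
 
 maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-&send_tok, NULL));
+&send_tok, &flags));
 
 xfree(recv_tok.value);
 
@@ -154,7 +155,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 }
 authctxt->postponed = 0;
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-userauth_finish(authctxt, 0, "gssapi");
+userauth_finish(authctxt, 0, "gssapi-with-mic");
 } else {
 if (send_tok.length != 0) {
 packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -163,8 +164,13 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 }
 if (maj_status == GSS_S_COMPLETE) {
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
-&input_gssapi_exchange_complete);
+if (flags & GSS_C_INTEG_FLAG)
+dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
+&input_gssapi_mic);
+else
+dispatch_set(
+SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
+&input_gssapi_exchange_complete);
 }
 }
 
@@ -224,9 +230,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 gssctxt = authctxt->methoddata;
 
 /*
-* We don't need to check the status, because the stored credentials
-* which userok uses are only populated once the context init step
-* has returned complete.
+* We don't need to check the status, because we're only enabled in
+* the dispatcher once the exchange is complete
 */
 
 packet_check_eom();
@@ -236,12 +241,53 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 authctxt->postponed = 0;
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
+dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+}
+
+static void
+input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+{
+Authctxt *authctxt = ctxt;
+Gssctxt *gssctxt;
+int authenticated = 0;
+Buffer b;
+gss_buffer_desc mic, gssbuf;
+u_int len;
+
+if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
+fatal("No authentication or GSSAPI context");
+
+gssctxt = authctxt->methoddata;
+
+mic.value = packet_get_string(&len);
+mic.length = len;
+
+ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+"gssapi-with-mic");
+
+gssbuf.value = buffer_ptr(&b);
+gssbuf.length = buffer_len(&b);
+
+if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
+authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+else
+logit("GSSAPI MIC check failed");
+
+buffer_free(&b);
+xfree(mic.value);
+
+authctxt->postponed = 0;
+dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
+dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-userauth_finish(authctxt, authenticated, "gssapi");
+userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 }
 
 Authmethod method_gssapi = {
-"gssapi",
+"gssapi-with-mic",
 userauth_gssapi,
 &options.gss_authentication
 };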
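Review bot: input_gssapi_mic reads the MIC with packet_get_string() at new line 264 but never calls packet_check_eom(), unlike input_gssapi_token (new line 143) and input_gssapi_exchange_complete (new line 237), so an SSH2_MSG_USERAUTH_GSSAPI_MIC packet with trailing bytes after the string is processed instead of being rejected as malformed; add `packet_check_eom();` directly after `mic.length = len;`. Separately, `flags` at new line 133 is declared uninitialized and is only meaningful if ssh_gssapi_accept_ctx (and its privsep wrapper, neither visible here) always writes it when returning GSS_S_COMPLETE; if that is not guaranteed, the test at new line 167 reads indeterminate data, so either confirm that contract or initialize the variable explicitly. A one-line comment above that test, such as `/* bind the MIC step only when the mechanism negotiated integrity */`, would also make the choice between the MIC and exchange-complete handlers clear to the next reader.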