1 files changed, 51 insertions, 3 deletions
diff --git a/auth2-gss.c b/auth2-gss.c
index 9351e0428..1f12bb113 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -54,6 +54,46 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
 static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
 static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
+/* 
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(struct ssh *ssh)
+{
+        Authctxt *authctxt = ssh->authctxt;
+        int r, authenticated = 0;
+        struct sshbuf *b;
+        gss_buffer_desc mic, gssbuf;
+        u_char *p;
+        size_t len;
+        if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
+            (r = sshpkt_get_end(ssh)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
+        if ((b = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+        mic.value = p;
+        mic.length = len;
+        ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+            "gssapi-keyex");
+        if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
+                fatal("%s: sshbuf_mutable_ptr failed", __func__);
+        gssbuf.length = sshbuf_len(b);
+        /* gss_kex_context is NULL with privsep, so we can't check it here */
+        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
+            &gssbuf, &mic))))
+                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                    authctxt->pw));
+        
+        sshbuf_free(b);
+        free(mic.value);
+        return (authenticated);
+}
 /*
 * We only support those mechanisms that we know about (ie ones that we know
 * how to check local user kuserok and the like)
@@ -260,7 +300,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
        if ((r = sshpkt_get_end(ssh)) != 0)
                fatal("%s: %s", __func__, ssh_err(r));
-        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+        authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+            authctxt->pw));
        if ((!use_privsep || mm_is_monitor()) &&
            (displayname = ssh_gssapi_displayname()) != NULL)
@@ -306,7 +347,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
        gssbuf.length = sshbuf_len(b);
        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-                authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+                authenticated = 
+                    PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
        else
                logit("GSSAPI MIC check failed");
@@ -326,6 +368,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
        return 0;
 }
+Authmethod method_gsskeyex = {
+        "gssapi-keyex",
+        userauth_gsskeyex,
+        &options.gss_authentication
+};
 Authmethod method_gssapi = {
        "gssapi-with-mic",
        userauth_gssapi,

diff --git a/auth2-gss.c b/auth2-gss.c index 9351e0428..1f12bb113 100644 --- a/auth2-gss.c +++ b/auth2-gss.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */	1	/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -54,6 +54,46 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
54	static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);	54	static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
55	static int input_gssapi_errtok(int, u_int32_t, struct ssh *);	55	static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
56		56
		57	/*
		58	* The 'gssapi_keyex' userauth mechanism.
		59	*/
		60	static int
		61	userauth_gsskeyex(struct ssh *ssh)
		62	{
		63	Authctxt *authctxt = ssh->authctxt;
		64	int r, authenticated = 0;
		65	struct sshbuf *b;
		66	gss_buffer_desc mic, gssbuf;
		67	u_char *p;
		68	size_t len;
		69
		70	if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 \|\|
		71	(r = sshpkt_get_end(ssh)) != 0)
		72	fatal("%s: %s", __func__, ssh_err(r));
		73	if ((b = sshbuf_new()) == NULL)
		74	fatal("%s: sshbuf_new failed", __func__);
		75	mic.value = p;
		76	mic.length = len;
		77
		78	ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
		79	"gssapi-keyex");
		80
		81	if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
		82	fatal("%s: sshbuf_mutable_ptr failed", __func__);
		83	gssbuf.length = sshbuf_len(b);
		84
		85	/* gss_kex_context is NULL with privsep, so we can't check it here */
		86	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context,
		87	&gssbuf, &mic))))
		88	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
		89	authctxt->pw));
		90
		91	sshbuf_free(b);
		92	free(mic.value);
		93
		94	return (authenticated);
		95	}
		96
57	/*	97	/*
58	* We only support those mechanisms that we know about (ie ones that we know	98	* We only support those mechanisms that we know about (ie ones that we know
59	* how to check local user kuserok and the like)	99	* how to check local user kuserok and the like)
@@ -260,7 +300,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
260	if ((r = sshpkt_get_end(ssh)) != 0)	300	if ((r = sshpkt_get_end(ssh)) != 0)
261	fatal("%s: %s", __func__, ssh_err(r));	301	fatal("%s: %s", __func__, ssh_err(r));
262		302
263	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	303	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
		304	authctxt->pw));
264		305
265	if ((!use_privsep \|\| mm_is_monitor()) &&	306	if ((!use_privsep \|\| mm_is_monitor()) &&
266	(displayname = ssh_gssapi_displayname()) != NULL)	307	(displayname = ssh_gssapi_displayname()) != NULL)
@@ -306,7 +347,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
306	gssbuf.length = sshbuf_len(b);	347	gssbuf.length = sshbuf_len(b);
307		348
308	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))	349	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
309	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));	350	authenticated =
		351	PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
310	else	352	else
311	logit("GSSAPI MIC check failed");	353	logit("GSSAPI MIC check failed");
312		354
@@ -326,6 +368,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
326	return 0;	368	return 0;
327	}	369	}
328		370
		371	Authmethod method_gsskeyex = {
		372	"gssapi-keyex",
		373	userauth_gsskeyex,
		374	&options.gss_authentication
		375	};
		376
329	Authmethod method_gssapi = {	377	Authmethod method_gssapi = {
330	"gssapi-with-mic",	378	"gssapi-with-mic",
331	userauth_gssapi,	379	userauth_gssapi,