← Back to branch summary

~ubuntu-branches/ubuntu/dapper/openssh/dapper

« back to all changes in this revision

Viewing changes to sshconnect2.c

  • Committer: Bazaar Package Importer
  • Author(s): Colin Watson
  • Date: 2005-10-31 07:46:44 UTC
  • mfrom: (1.1.3 upstream)
  • Revision ID: james.westby@ubuntu.com-20051031074644-poik7e4un4723tr4
Tags: 1:4.2p1-5ubuntu1
Resynchronise with Debian.

Show diffs side-by-side

added added

removed removed

Lines of Context:
sshconnect2.c
23
23
 */
24
24
 
25
25
#include "includes.h"
26
 
RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $");
 
26
RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $");
27
27
 
28
28
#include "openbsd-compat/sys-queue.h"
29
29
 
84
84
{
85
85
        Kex *kex;
86
86
 
 
87
#ifdef GSSAPI
 
88
        char *orig, *gss = NULL;
 
89
        int len;
 
90
#endif
 
91
 
87
92
        xxx_host = host;
88
93
        xxx_hostaddr = hostaddr;
89
94
 
 
95
#ifdef GSSAPI
 
96
        if (options.gss_authentication) {
 
97
                orig = myproposal[PROPOSAL_KEX_ALGS];
 
98
                gss = ssh_gssapi_client_mechanisms(get_canonical_hostname(1));
 
99
                debug("Offering GSSAPI proposal: %s",gss);
 
100
                if (gss) {
 
101
                        len = strlen(orig) + strlen(gss) + 2;
 
102
                        myproposal[PROPOSAL_KEX_ALGS] = xmalloc(len);
 
103
                        snprintf(myproposal[PROPOSAL_KEX_ALGS], len, "%s,%s",
 
104
                            gss, orig);
 
105
                }
 
106
        }
 
107
#endif
 
108
 
90
109
        if (options.ciphers == (char *)-1) {
91
110
                logit("No valid ciphers for protocol version 2 given, using defaults.");
92
111
                options.ciphers = NULL;
101
120
            compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
102
121
        if (options.compression) {
103
122
                myproposal[PROPOSAL_COMP_ALGS_CTOS] =
104
 
                myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none";
 
123
                myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
105
124
        } else {
106
125
                myproposal[PROPOSAL_COMP_ALGS_CTOS] =
107
 
                myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib";
 
126
                myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
108
127
        }
109
128
        if (options.macs != NULL) {
110
129
                myproposal[PROPOSAL_MAC_ALGS_CTOS] =
114
133
                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
115
134
                    options.hostkeyalgorithms;
116
135
 
 
136
#ifdef GSSAPI
 
137
        if (gss) {
 
138
                orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
 
139
                len = strlen(orig) + sizeof(",null");
 
140
                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = xmalloc(len);
 
141
                snprintf(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], len, 
 
142
                    "%s,null", orig);
 
143
        }
 
144
#endif
 
145
 
117
146
        if (options.rekey_limit)
118
147
                packet_set_rekey_limit(options.rekey_limit);
119
148
 
122
151
        kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
123
152
        kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
124
153
        kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 
154
#ifdef GSSAPI
 
155
        if (options.gss_authentication)
 
156
                kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
 
157
#endif
125
158
        kex->client_version_string=client_version_string;
126
159
        kex->server_version_string=server_version_string;
127
160
        kex->verify_host_key=&verify_host_key_callback;
128
161
 
 
162
#ifdef GSSAPI
 
163
        kex->gss_deleg_creds = options.gss_deleg_creds;
 
164
#endif
 
165
 
129
166
        xxx_kex = kex;
130
167
 
131
168
        dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
208
245
void    input_gssapi_hash(int type, u_int32_t, void *);
209
246
void    input_gssapi_error(int, u_int32_t, void *);
210
247
void    input_gssapi_errtok(int, u_int32_t, void *);
 
248
int     userauth_gsskeyx(Authctxt *authctxt);
211
249
#endif
212
250
 
213
251
void    userauth(Authctxt *, char *);
223
261
 
224
262
Authmethod authmethods[] = {
225
263
#ifdef GSSAPI
 
264
        {"gssapi-keyx",
 
265
                userauth_gsskeyx,
 
266
                &options.gss_authentication,
 
267
                NULL},
226
268
        {"gssapi-with-mic",
227
269
                userauth_gssapi,
228
270
                &options.gss_authentication,
229
271
                NULL},
 
272
        {"gssapi",
 
273
                userauth_gssapi,
 
274
                &options.gss_authentication,
 
275
                NULL},
230
276
#endif
231
277
        {"hostbased",
232
278
                userauth_hostbased,
352
398
input_userauth_error(int type, u_int32_t seq, void *ctxt)
353
399
{
354
400
        fatal("input_userauth_error: bad message during authentication: "
355
 
           "type %d", type);
 
401
            "type %d", type);
356
402
}
357
403
 
358
404
void
482
528
{
483
529
        Gssctxt *gssctxt = NULL;
484
530
        static gss_OID_set gss_supported = NULL;
485
 
        static int mech = 0;
 
531
        static u_int mech = 0;
486
532
        OM_uint32 min;
487
533
        int ok = 0;
 
534
        int old_gssapi_method;
488
535
 
489
536
        /* Try one GSSAPI method at a time, rather than sending them all at
490
537
         * once. */
509
556
                }
510
557
        }
511
558
 
512
 
        if (!ok) return 0;
 
559
        if (!ok)
 
560
                return 0;
513
561
 
514
562
        authctxt->methoddata=(void *)gssctxt;
515
563
 
518
566
        packet_put_cstring(authctxt->service);
519
567
        packet_put_cstring(authctxt->method->name);
520
568
 
521
 
        packet_put_int(1);
 
569
        old_gssapi_method = !strcmp(authctxt->method->name, "gssapi");
 
570
 
 
571
        /* Versions of Debian ssh-krb5 prior to 3.8.1p1-1 don't expect
 
572
         * tagged OIDs.  As such we include both tagged and untagged oids
 
573
         * for the old gssapi method.
 
574
         * We only include tagged oids for the new gssapi-with-mic method.
 
575
         */
 
576
        packet_put_int(old_gssapi_method?2:1);
522
577
 
523
578
        packet_put_int((gss_supported->elements[mech].length) + 2);
524
579
        packet_put_char(SSH_GSS_OIDTYPE);
525
580
        packet_put_char(gss_supported->elements[mech].length);
526
581
        packet_put_raw(gss_supported->elements[mech].elements,
527
582
            gss_supported->elements[mech].length);
 
583
        if (old_gssapi_method) {
 
584
                packet_put_int((gss_supported->elements[mech].length));
 
585
                packet_put_raw(gss_supported->elements[mech].elements,
 
586
                               gss_supported->elements[mech].length);
 
587
        }
528
588
 
529
589
        packet_send();
530
590
 
564
624
        }
565
625
 
566
626
        if (status == GSS_S_COMPLETE) {
 
627
                int old_gssapi_method = !strcmp(authctxt->method->name,
 
628
                                                "gssapi");
567
629
                /* send either complete or MIC, depending on mechanism */
568
 
                if (!(flags & GSS_C_INTEG_FLAG)) {
 
630
                if (old_gssapi_method || !(flags & GSS_C_INTEG_FLAG)) {
569
631
                        packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
570
632
                        packet_send();
571
633
                } else {
598
660
        Authctxt *authctxt = ctxt;
599
661
        Gssctxt *gssctxt;
600
662
        int oidlen;
601
 
        char *oidv;
 
663
        char *oidv, *oidv_free;
602
664
 
603
665
        if (authctxt == NULL)
604
666
                fatal("input_gssapi_response: no authentication context");
606
668
 
607
669
        /* Setup our OID */
608
670
        oidv = packet_get_string(&oidlen);
 
671
        oidv_free = oidv;
609
672
 
610
673
        if (oidlen <= 2 ||
611
674
            oidv[0] != SSH_GSS_OIDTYPE ||
612
675
            oidv[1] != oidlen - 2) {
613
 
                xfree(oidv);
614
676
                debug("Badly encoded mechanism OID received");
615
 
                userauth(authctxt, NULL);
616
 
                return;
 
677
                if (oidlen < 2) {
 
678
                        xfree(oidv_free);
 
679
                        userauth(authctxt, NULL);
 
680
                        return;
 
681
                }
 
682
        } else {
 
683
                oidlen -= 2;
 
684
                oidv += 2;
617
685
        }
618
686
 
619
 
        if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
 
687
        if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
620
688
                fatal("Server returned different OID than expected");
621
689
 
622
690
        packet_check_eom();
623
691
 
624
 
        xfree(oidv);
 
692
        xfree(oidv_free);
625
693
 
626
694
        if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
627
695
                /* Start again with next method on list */
679
747
 
680
748
        /* Stick it into GSSAPI and see what it says */
681
749
        status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
682
 
                                     &recv_tok, &send_tok, NULL);
 
750
            &recv_tok, &send_tok, NULL);
683
751
 
684
752
        xfree(recv_tok.value);
685
753
        gss_release_buffer(&ms, &send_tok);
705
773
        xfree(msg);
706
774
        xfree(lang);
707
775
}
 
776
 
 
777
int
 
778
userauth_gsskeyx(Authctxt *authctxt)
 
779
{
 
780
        Buffer b;
 
781
        gss_buffer_desc gssbuf, mic;
 
782
        OM_uint32 ms;
 
783
 
 
784
        static int attempt = 0;
 
785
        if (attempt++ >= 1)
 
786
                return (0);
 
787
 
 
788
        if (gss_kex_context == NULL) {
 
789
                debug("No valid Key exchange context"); 
 
790
                return (0);
 
791
        }
 
792
 
 
793
        ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
 
794
            "gssapi-keyex");
 
795
 
 
796
        gssbuf.value = buffer_ptr(&b);
 
797
        gssbuf.length = buffer_len(&b);
 
798
 
 
799
        if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
 
800
                buffer_free(&b);
 
801
                return (0);
 
802
        }
 
803
 
 
804
        packet_start(SSH2_MSG_USERAUTH_REQUEST);
 
805
        packet_put_cstring(authctxt->server_user);
 
806
        packet_put_cstring(authctxt->service);
 
807
        packet_put_cstring(authctxt->method->name);
 
808
        packet_put_string(mic.value, mic.length);
 
809
        packet_send();
 
810
 
 
811
        buffer_free(&b);
 
812
        gss_release_buffer(&ms, &mic);
 
813
 
 
814
        return (1);
 
815
}
 
816
 
708
817
#endif /* GSSAPI */
709
818
 
710
819
int