update missing from merge of Simon's 20061220 patch

[gssapi-openssh.git] / openssh / auth2-gss.c

diff --git a/openssh/auth2-gss.c b/openssh/auth2-gss.c
index a238e6d4f2fe815edd994ec3367fd73d9a878b08..fab7cc239964b6c759f26f64558638763a5c023a 100644 (file)
--- a/openssh/auth2-gss.c
+++ b/openssh/auth2-gss.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: auth2-gss.c,v 1.8 2004/06/21 17:36:31 avsm Exp $      */
+/* $OpenBSD: auth2-gss.c,v 1.15 2006/08/03 03:34:41 deraadt Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -28,17 +28,22 @@
 
 #ifdef GSSAPI
 
+#include <sys/types.h>
+
+#include <stdarg.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "ssh2.h"
-#include "xmalloc.h"
 #include "log.h"
 #include "dispatch.h"
+#include "buffer.h"
 #include "servconf.h"
-#include "compat.h"
 #include "packet.h"
-#include "monitor_wrap.h"
-
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
 
 extern ServerOptions options;
 
@@ -62,9 +67,55 @@ userauth_external(Authctxt *authctxt)
        return 0;
 }
 
+/* 
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(Authctxt *authctxt)
+{
+       int authenticated = 0;
+       Buffer b, b2;
+       gss_buffer_desc mic, gssbuf, gssbuf2;
+       u_int len;
+
+       mic.value = packet_get_string(&len);
+       mic.length = len;
+
+       packet_check_eom();
+
+       ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+           "gssapi-keyex");
+
+       gssbuf.value = buffer_ptr(&b);
+       gssbuf.length = buffer_len(&b);
+
+       /* client may have used empty username to determine target
+          name from GSSAPI context */
+       ssh_gssapi_buildmic(&b2, "", authctxt->service, "gssapi-keyex");
+
+       gssbuf2.value = buffer_ptr(&b2);
+       gssbuf2.length = buffer_len(&b2);
+
+       /* gss_kex_context is NULL with privsep, so we can't check it here */
+       if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
+                                                  &gssbuf, &mic))) ||
+           !GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
+                                                  &gssbuf2, &mic)))) {
+           if (authctxt->valid && authctxt->user && authctxt->user[0]) {
+               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+           }
+       }
+       
+       buffer_free(&b);
+       buffer_free(&b2);
+       xfree(mic.value);
+
+       return (authenticated);
+}
+
 /*
  * We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like
+ * how to check local user kuserok and the like)
  */
 static int
 userauth_gssapi(Authctxt *authctxt)
@@ -76,7 +127,7 @@ userauth_gssapi(Authctxt *authctxt)
        int present;
        OM_uint32 ms;
        u_int len;
-       char *doid = NULL;
+       u_char *doid = NULL;
 
        /* authctxt->valid may be 0 if we haven't yet determined
           username from gssapi context. */
@@ -100,30 +151,34 @@ userauth_gssapi(Authctxt *authctxt)
                present = 0;
                doid = packet_get_string(&len);
 
-               if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) {
-                       logit("Mechanism OID received using the old encoding form");
-                       goid.elements = doid;
-                       goid.length = len;
-               } else {
+               if (len > 2 && doid[0] == SSH_GSS_OIDTYPE &&
+                   doid[1] == len - 2) {
                        goid.elements = doid + 2;
                        goid.length   = len - 2;
+                       gss_test_oid_set_member(&ms, &goid, supported,
+                           &present);
+               } else {
+                       logit("Badly formed OID received");
                }
-               gss_test_oid_set_member(&ms, &goid, supported, &present);
        } while (mechs > 0 && !present);
 
        gss_release_oid_set(&ms, &supported);
 
        if (!present) {
                xfree(doid);
+               authctxt->server_caused_failure = 1;
                return (0);
        }
 
        if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+               if (ctxt != NULL)
+                       ssh_gssapi_delete_ctx(&ctxt);
                xfree(doid);
+               authctxt->server_caused_failure = 1;
                return (0);
        }
 
-       authctxt->methoddata=(void *)ctxt;
+       authctxt->methoddata = (void *)ctxt;
 
        packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
 
@@ -247,6 +302,7 @@ gssapi_set_implicit_username(Authctxt *authctxt)
            }
        } else {
            debug("failed to set username from gssapi context");
+           packet_send_debug("failed to set username from gssapi context");
        }
     }
     if (authctxt->pw) {
@@ -383,6 +439,12 @@ Authmethod method_external = {
        &options.gss_authentication
 };
        
+Authmethod method_gsskeyex = {
+       "gssapi-keyex",
+       userauth_gsskeyex,
+       &options.gss_authentication
+};
+
 Authmethod method_gssapi = {
        "gssapi-with-mic",
        userauth_gssapi_with_mic,