merging OPENSSH_5_2P1_SIMON_20090726_HPN13V6 to trunk:
[gssapi-openssh.git] / openssh / kexgsss.c
index 0c3eeaa6339b101c65fba69086a0d4aea725c9f6..3e5205c43505c0f61ccab36684461d5bcf4ac944 100644 (file)
@@ -44,6 +44,7 @@
 #include "monitor_wrap.h"
 #include "servconf.h"
 
+static void kex_gss_send_error(Gssctxt *ctxt);
 extern ServerOptions options;
 
 void
@@ -89,8 +90,10 @@ kexgss_server(Kex *kex)
 
        debug2("%s: Acquiring credentials", __func__);
 
-       if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+       if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) {
+               kex_gss_send_error(ctxt);
                fatal("Unable to acquire credentials for the server");
+    }
 
        switch (kex->kex_type) {
        case KEX_GSS_GRP1_SHA1:
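Review bot: `ctxt` is handed to `kex_gss_send_error()` immediately after `ssh_gssapi_server_ctx()` has reported failure, and nothing in this hunk shows that it points at a usable context at that moment; the helper forwards it to `ssh_gssapi_last_error()` unchecked. Whether that call tolerates a NULL or partly built context is decided outside the visible lines, so please confirm it for both the privilege-separated and the direct path, and if it does not, guard the helper with `if (ctxt == NULL) return;`. The added closing `}` is also indented differently from the `if` it closes. The body of kexgss_server starts and ends outside this hunk.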
@@ -169,19 +172,20 @@ kexgss_server(Kex *kex)
                if (maj_status & GSS_S_CONTINUE_NEEDED) {
                        debug("Sending GSSAPI_CONTINUE");
                        packet_start(SSH2_MSG_KEXGSS_CONTINUE);
-                       packet_put_string(send_tok.value, send_tok.length);
+                       packet_put_string((char *)send_tok.value, send_tok.length);
                        packet_send();
                        gss_release_buffer(&min_status, &send_tok);
                }
        } while (maj_status & GSS_S_CONTINUE_NEEDED);
 
        if (GSS_ERROR(maj_status)) {
+               kex_gss_send_error(ctxt);
                if (send_tok.length > 0) {
                        packet_start(SSH2_MSG_KEXGSS_CONTINUE);
-                       packet_put_string(send_tok.value, send_tok.length);
+                       packet_put_string((char *)send_tok.value, send_tok.length);
                        packet_send();
                }
-               fatal("accept_ctx died");
+               packet_disconnect("GSSAPI Key Exchange handshake failed");
        }
 
        if (!(ret_flags & GSS_C_MUTUAL_FLAG))
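Review bot: The error branch now ends in `packet_disconnect("GSSAPI Key Exchange handshake failed")`, and neither that call nor the added `kex_gss_send_error(ctxt)` writes `maj_status` to the server's own log, so a failed handshake leaves the operator with no status to tell a misconfiguration from repeated failing attempts by a peer. A line such as `error("%s: GSSAPI context acceptance failed, major status %u", __func__, (unsigned int)maj_status);` before the disconnect would keep that detail on the server side. The `(char *)` casts here and in the next hunk are only needed if `packet_put_string()` takes a `char *`, and its prototype is not visible on this page. kexgss_server starts and ends outside the hunk.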
@@ -256,11 +260,11 @@ kexgss_server(Kex *kex)
 
        packet_start(SSH2_MSG_KEXGSS_COMPLETE);
        packet_put_bignum2(dh->pub_key);
-       packet_put_string(msg_tok.value,msg_tok.length);
+       packet_put_string((char *)msg_tok.value,msg_tok.length);
 
        if (send_tok.length != 0) {
                packet_put_char(1); /* true */
-               packet_put_string(send_tok.value, send_tok.length);
+               packet_put_string((char *)send_tok.value, send_tok.length);
        } else {
                packet_put_char(0); /* false */
        }
@@ -285,4 +289,23 @@ kexgss_server(Kex *kex)
        if (options.gss_store_rekey)
                ssh_gssapi_rekey_creds();
 }
+
+static void 
+kex_gss_send_error(Gssctxt *ctxt) {
+       char *errstr;
+       OM_uint32 maj,min;
+               
+       errstr=PRIVSEP(ssh_gssapi_last_error(ctxt,&maj,&min));
+       if (errstr) {
+               packet_start(SSH2_MSG_KEXGSS_ERROR);
+               packet_put_int(maj);
+               packet_put_int(min);
+               packet_put_cstring(errstr);
+               packet_put_cstring("");
+               packet_send();
+               packet_write_wait();
+               /* XXX - We should probably log the error locally here */
+               xfree(errstr);
+       }
+}
 #endif /* GSSAPI */
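Review bot: `kex_gss_send_error()` copies the text returned by `ssh_gssapi_last_error()` straight into SSH2_MSG_KEXGSS_ERROR, and both call sites run during key exchange, before the peer has authenticated; depending on what the mechanism puts in that string (not visible here), it may describe local configuration to anyone able to connect. Keeping the full `errstr` in the local log, as the `XXX` comment already asks, e.g. `error("GSSAPI key exchange error: %s", errstr);`, would let the wire message be reviewed separately for how much detail it needs beyond the status codes. The function also has no header comment; `/* Report the last GSSAPI error for ctxt to the peer in SSH2_MSG_KEXGSS_ERROR; sends nothing when no error text is available. */` would state its contract.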