/*
- * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
#include "dh.h"
#include "ssh-gss.h"
#include "monitor_wrap.h"
+#include "servconf.h"
static void kex_gss_send_error(Gssctxt *ctxt);
+extern ServerOptions options;
void
kexgss_server(Kex *kex)
BIGNUM *dh_client_pub = NULL;
int type = 0;
gss_OID oid;
+ char *mechs;
/* Initialise GSSAPI */
* into life
*/
if (!ssh_gssapi_oid_table_ok())
- ssh_gssapi_server_mechanisms();
+ if ((mechs = ssh_gssapi_server_mechanisms()))
+ xfree(mechs);
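Review bot: The new `if ((mechs = ssh_gssapi_server_mechanisms())) xfree(mechs);` calls the function only for its side effect of building the OID table (it sits under the `ssh_gssapi_oid_table_ok()` guard) and throws the list away, which reads like an accidental allocation rather than an intent, and the next maintainer may well "simplify" it back to the leaking form. A one-line comment above the `if` would pin it: `/* Called only to populate the OID table; the mechanism list itself is not needed here. */`. Whether `ssh_gssapi_server_mechanisms()` can return NULL without having filled the table is not visible here, so the NULL test presumably just protects the `xfree`. kexgss_server's body continues past this point.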
debug2("%s: Identifying %s", __func__, kex->name);
oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
if (maj_status & GSS_S_CONTINUE_NEEDED) {
debug("Sending GSSAPI_CONTINUE");
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
- packet_put_string(send_tok.value, send_tok.length);
+ packet_put_string((char *)send_tok.value, send_tok.length);
packet_send();
gss_release_buffer(&min_status, &send_tok);
}
kex_gss_send_error(ctxt);
if (send_tok.length > 0) {
packet_start(SSH2_MSG_KEXGSS_CONTINUE);
- packet_put_string(send_tok.value, send_tok.length);
+ packet_put_string((char *)send_tok.value, send_tok.length);
packet_send();
}
packet_disconnect("GSSAPI Key Exchange handshake failed");
klen = DH_size(dh);
kbuf = xmalloc(klen);
kout = DH_compute_key(kbuf, dh_client_pub, dh);
+ if (kout < 0)
+ fatal("DH_compute_key: failed");
shared_secret = BN_new();
- BN_bin2bn(kbuf, kout, shared_secret);
+ if (shared_secret == NULL)
+ fatal("kexgss_server: BN_new failed");
+
+ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
+ fatal("kexgss_server: BN_bin2bn failed");
+
memset(kbuf, 0, klen);
xfree(kbuf);
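Review bot: The `memset(kbuf, 0, klen)` that scrubs the DH shared-secret buffer right before `xfree(kbuf)` is a dead store from the optimizer's point of view and may be elided, leaving the raw secret in freed heap memory; the new `fatal()` checks above it are correct but do not address this. If the tree already has a zeroising helper the compiler cannot remove, use it here; otherwise a volatile-pointer wipe, or at least a comment flagging that this wipe is best-effort, would be the minimum. The added `if (kout < 0) fatal(...)` also means `kbuf` is never scrubbed on that path, which is acceptable only because `fatal()` terminates the process. The enclosing function starts and ends outside this hunk.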
fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
}
- BN_free(dh_client_pub);
+ BN_clear_free(dh_client_pub);
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
+
+ /* If this was a rekey, then save out any delegated credentials we
+ * just exchanged. */
+ if (options.gss_store_rekey)
+ ssh_gssapi_rekey_creds();
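Review bot: The new comment says delegated credentials are saved "if this was a rekey", but the guard `if (options.gss_store_rekey)` tests only the option, so `ssh_gssapi_rekey_creds()` also runs after the initial key exchange; whether that is harmless depends on what that function does when nothing was delegated, which is not visible here. If the initial exchange must be excluded, the `kex->session_id == NULL` test earlier in the function is the available signal: capture `int rekey = kex->session_id != NULL;` before that `if`, then gate with `if (rekey && options.gss_store_rekey)`. If the call is intentionally unconditional, reword the comment to `/* Save any delegated credentials this exchange carried (initial or rekey). */` so it matches the code. kexgss_server's body begins outside this hunk.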
}
static void