*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $");
#include <openssl/dh.h>
int mm_answer_pam_start(int, Buffer *);
#endif
+#ifdef KRB4
+int mm_answer_krb4(int, Buffer *);
+#endif
+#ifdef KRB5
+int mm_answer_krb5(int, Buffer *);
+#endif
+
#ifdef GSSAPI
int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_localname(int, Buffer *);
int mm_answer_gss_sign(int, Buffer *);
+int mm_answer_gss_error(int, Buffer *);
int mm_answer_gss_indicate_mechs(int, Buffer *);
-int mm_answer_gss_display_status(int, Buffer *);
+int mm_answer_gss_localname(int, Buffer *);
#endif
#ifdef GSI
int mm_answer_gsi_gridmap(int, Buffer *);
#endif
-#ifdef KRB4
-int mm_answer_krb4(int, Buffer *);
-#endif
-#ifdef KRB5
-int mm_answer_krb5(int, Buffer *);
-#endif
-
static Authctxt *authctxt;
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSERR, MON_ISAUTH | MON_ONCE, mm_answer_gss_error},
{MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs},
- {MONITOR_REQ_GSSSTAT, MON_ISAUTH, mm_answer_gss_display_status},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
- {MONITOR_REQ_GSSLOCALNAME, MON_AUTH, mm_answer_gss_localname},
+ {MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname},
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
{MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx},
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSERR, 0, mm_answer_gss_error},
{MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs},
- {MONITOR_REQ_GSSSTAT, 0, mm_answer_gss_display_status},
#endif
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
{MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs},
- {MONITOR_REQ_GSSSTAT, MON_ISAUTH, mm_answer_gss_display_status},
#endif
#ifdef GSI
{MONITOR_REQ_GSIGRIDMAP, MON_PERMIT, mm_answer_gsi_gridmap},
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
{MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs},
- {MONITOR_REQ_GSSSTAT, 0, mm_answer_gss_display_status},
#endif
{MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
{MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
#ifdef GSSAPI
/* and for the GSSAPI key exchange */
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTAT, 1);
#endif
} else {
mon_dispatch = mon_dispatch_proto15;
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
#ifdef GSSAPI
- monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS, 1);
- monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTAT, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1);
#endif
#ifdef GSI
monitor_permit(mon_dispatch, MONITOR_REQ_GSIGRIDMAP, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
+#ifdef GSSAPI
+ /* and for the GSSAPI key exchange */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS,1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP,1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR,1);
+#endif
+
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
}
#ifdef GSSAPI
- monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTAT, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1);
#endif
if (!no_pty_flag) {
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
u_int numprompts;
u_int *echo_on;
char **prompts;
- int res;
+ u_int success;
- res = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
- &prompts, &echo_on);
+ success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
+ &prompts, &echo_on) < 0 ? 0 : 1;
buffer_clear(m);
- buffer_put_int(m, res);
- if (res != -1)
+ buffer_put_int(m, success);
+ if (success)
buffer_put_cstring(m, prompts[0]);
- debug3("%s: sending challenge res: %d", __func__, res);
+ debug3("%s: sending challenge success: %u", __func__, success);
mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m);
- if (res != -1) {
+ if (success) {
xfree(name);
xfree(infotxt);
xfree(prompts);
{
struct skey skey;
char challenge[1024];
- int res;
+ u_int success;
- res = skeychallenge(&skey, authctxt->user, challenge);
+ success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
buffer_clear(m);
- buffer_put_int(m, res);
- if (res != -1)
+ buffer_put_int(m, success);
+ if (success)
buffer_put_cstring(m, challenge);
- debug3("%s: sending challenge res: %d", __func__, res);
+ debug3("%s: sending challenge success: %u", __func__, success);
mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m);
return (0);
fatal("%s: unknown key type %d", __func__, type);
break;
}
- key_free(key);
}
+ if (key != NULL)
+ key_free(key);
/* clear temporarily storage (used by verify) */
monitor_reset_key_state();
buffer_clear(m);
buffer_put_int(m, allowed);
+ buffer_put_int(m, forced_command != NULL);
mm_append_debug(m);
}
buffer_clear(m);
buffer_put_int(m, allowed);
+ buffer_put_int(m, forced_command != NULL);
/* clear temporarily storage (used by generate challenge) */
monitor_reset_key_state();
key_blob = blob;
key_bloblen = blen;
key_blobtype = MM_RSAUSERKEY;
- key_free(key);
}
+ if (key != NULL)
+ key_free(key);
mm_append_debug(m);
mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m);
monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
+
+ xfree(blob);
+ key_free(key);
return (0);
}
fatal("%s: received bad response to challenge", __func__);
success = auth_rsa_verify_response(key, ssh1_challenge, response);
+ xfree(blob);
key_free(key);
xfree(response);
(memcmp(kex->session_id, session_id2, session_id2_len) != 0))
fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m);
+ kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
+ kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+#ifdef GSSAPI
+ kex->kex[KEX_GSS_GRP1_SHA1] =kexgss_server;
+#endif
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
void *
mm_zalloc(struct mm_master *mm, u_int ncount, u_int size)
{
- size_t len = size * ncount;
+ size_t len = (size_t) size * ncount;
void *address;
if (len == 0 || ncount > SIZE_T_MAX / size)
mm_request_send(socket,MONITOR_ANS_GSSSETUP,m);
+ /* Now we have a context, enable the step and sign */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP,1);
+
return(0);
}
gss_release_buffer(&minor, &out);
+ /* Complete - now we can do signing */
+ if (major==GSS_S_COMPLETE) {
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP,0);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN,1);
+ }
return(0);
}
+
int
mm_answer_gss_userok(int socket, Buffer *m) {
int authenticated;
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
+ /* XXX - auth method could also be 'external' */
auth_method="gssapi";
/* Monitor loop will terminate if authenticated */
return(authenticated);
}
-int
-mm_answer_gss_localname(int socket, Buffer *m) {
- char *name;
-
- ssh_gssapi_localname(&name);
-
- buffer_clear(m);
- if (name) {
- buffer_put_cstring(m, name);
- debug3("%s: sending result %s", __func__, name);
- xfree(name);
- } else {
- buffer_put_cstring(m, "");
- debug3("%s: sending result \"\"", __func__);
- }
-
- mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m);
-
- return(0);
-}
int
mm_answer_gss_sign(int socket, Buffer *m) {
return(0);
}
+int
+mm_answer_gss_error(int socket, Buffer *m) {
+ OM_uint32 major,minor;
+ char *msg;
+
+ msg=ssh_gssapi_last_error(gsscontext,&major,&minor);
+ buffer_clear(m);
+ buffer_put_int(m,major);
+ buffer_put_int(m,minor);
+ buffer_put_cstring(m,msg);
+
+ mm_request_send(socket,MONITOR_ANS_GSSERR,m);
+
+ xfree(msg);
+
+ return(0);
+}
+
int
mm_answer_gss_indicate_mechs(int socket, Buffer *m) {
OM_uint32 major,minor;
mech_set->elements[i].length);
}
+#if !defined(MECHGLUE) /* mechglue memory management bug ??? */
+ gss_release_oid_set(&minor,&mech_set);
+#endif
+
mm_request_send(socket,MONITOR_ANS_GSSMECHS,m);
return(0);
}
int
-mm_answer_gss_display_status(int socket, Buffer *m) {
- OM_uint32 major,minor,status_value,message_context;
- int status_type;
- gss_OID_desc mech_type_desc;
- gss_OID mech_type;
- gss_buffer_desc status_string;
- u_int length;
-
- status_value = buffer_get_int(m);
- status_type = buffer_get_int(m);
- mech_type_desc.elements = buffer_get_string(m, &length);
- mech_type_desc.length = length;
- if (length != 0) {
- mech_type = &mech_type_desc;
- } else if (gsscontext) {
- mech_type = gsscontext->oid;
- } else {
- mech_type = GSS_C_NO_OID;
- }
- message_context = buffer_get_int(m);
-
- major=gss_display_status(&minor, status_value, status_type, mech_type,
- &message_context, &status_string);
-
- buffer_clear(m);
- buffer_put_int(m, message_context);
- buffer_put_string(m, status_string.value, status_string.length);
+mm_answer_gss_localname(int socket, Buffer *m) {
+ char *name;
- mm_request_send(socket,MONITOR_ANS_GSSSTAT,m);
+ ssh_gssapi_localname(&name);
- if (mech_type_desc.elements) {
- xfree(mech_type_desc.elements);
+ buffer_clear(m);
+ if (name) {
+ buffer_put_cstring(m, name);
+ debug3("%s: sending result %s", __func__, name);
+ xfree(name);
+ } else {
+ buffer_put_cstring(m, "");
+ debug3("%s: sending result \"\"", __func__);
}
- return 0;
-}
+ mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m);
+ return(0);
+}
#endif /* GSSAPI */
#ifdef GSI