X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/4b6461229af2336119cd827121a902e8f3e30482..e23e524cb4bcb3853db010acf44ddedd419fe244:/openssh/monitor.c diff --git a/openssh/monitor.c b/openssh/monitor.c index 582f0ca..95b67b8 100644 --- a/openssh/monitor.c +++ b/openssh/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.18 2002/06/26 13:20:57 deraadt Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $"); #include @@ -125,12 +125,22 @@ int mm_answer_sessid(int, Buffer *); int mm_answer_pam_start(int, Buffer *); #endif +#ifdef KRB4 +int mm_answer_krb4(int, Buffer *); +#endif +#ifdef KRB5 +int mm_answer_krb5(int, Buffer *); +#endif + #ifdef GSSAPI int mm_answer_gss_setup_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_localname(int, Buffer *); int mm_answer_gss_sign(int, Buffer *); +int mm_answer_gss_error(int, Buffer *); +int mm_answer_gss_indicate_mechs(int, Buffer *); +int mm_answer_gss_localname(int, Buffer *); #endif #ifdef GSI @@ -144,8 +154,8 @@ static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ static u_char *key_blob = NULL; static u_int key_bloblen = 0; static int key_blobtype = MM_NOKEY; -static u_char *hostbased_cuser = NULL; -static u_char *hostbased_chost = NULL; +static char *hostbased_cuser = NULL; +static char *hostbased_chost = NULL; static char *auth_method = "unknown"; static int session_id2_len = 0; static u_char *session_id2 = NULL; @@ -186,8 +196,10 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, + {MONITOR_REQ_GSSERR, MON_ISAUTH | MON_ONCE, mm_answer_gss_error}, + {MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, - {MONITOR_REQ_GSSLOCALNAME, MON_AUTH, mm_answer_gss_localname}, + {MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname}, #endif {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, @@ -199,6 +211,8 @@ struct mon_table mon_dispatch_postauth20[] = { {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, + {MONITOR_REQ_GSSERR, 0, mm_answer_gss_error}, + {MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs}, #endif {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_SIGN, 0, mm_answer_sign}, @@ -230,12 +244,19 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, + {MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs}, #endif #ifdef GSI {MONITOR_REQ_GSIGRIDMAP, MON_PERMIT, mm_answer_gsi_gridmap}, #endif #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start}, +#endif +#ifdef KRB4 + {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4}, +#endif +#ifdef KRB5 + {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, #endif {0, 0, NULL} }; @@ -245,6 +266,7 @@ struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, + {MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs}, #endif {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, @@ -300,15 +322,16 @@ monitor_child_preauth(struct monitor *pmonitor) #ifdef GSSAPI /* and for the GSSAPI key exchange */ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS, 1); #endif } else { mon_dispatch = mon_dispatch_proto15; monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); #ifdef GSSAPI - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1); #endif #ifdef GSI monitor_permit(mon_dispatch, MONITOR_REQ_GSIGRIDMAP, 1); @@ -363,10 +386,20 @@ monitor_child_postauth(struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef GSSAPI + /* and for the GSSAPI key exchange */ + monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS,1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP,1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR,1); +#endif + } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); } +#ifdef GSSAPI + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1); +#endif if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); @@ -510,7 +543,7 @@ mm_answer_sign(int socket, Buffer *m) p = buffer_get_string(m, &datlen); if (datlen != 20) - fatal("%s: data length incorrect: %d", __func__, datlen); + fatal("%s: data length incorrect: %u", __func__, datlen); /* save session id, it will be passed on the first call */ if (session_id2_len == 0) { @@ -524,7 +557,7 @@ mm_answer_sign(int socket, Buffer *m) if (key_sign(key, &signature, &siglen, p, datlen) < 0) fatal("%s: key_sign failed", __func__); - debug3("%s: signature %p(%d)", __func__, signature, siglen); + debug3("%s: signature %p(%u)", __func__, signature, siglen); buffer_clear(m); buffer_put_string(m, signature, siglen); @@ -612,7 +645,7 @@ int mm_answer_auth2_read_banner(int socket, Buffer *m) mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m); if (banner != NULL) - free(banner); + xfree(banner); return (0); } @@ -640,7 +673,8 @@ mm_answer_authpassword(int socket, Buffer *m) { static int call_count; char *passwd; - int authenticated, plen; + int authenticated; + u_int plen; passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ @@ -673,20 +707,20 @@ mm_answer_bsdauthquery(int socket, Buffer *m) u_int numprompts; u_int *echo_on; char **prompts; - int res; + u_int success; - res = bsdauth_query(authctxt, &name, &infotxt, &numprompts, - &prompts, &echo_on); + success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, + &prompts, &echo_on) < 0 ? 0 : 1; buffer_clear(m); - buffer_put_int(m, res); - if (res != -1) + buffer_put_int(m, success); + if (success) buffer_put_cstring(m, prompts[0]); - debug3("%s: sending challenge res: %d", __func__, res); + debug3("%s: sending challenge success: %u", __func__, success); mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m); - if (res != -1) { + if (success) { xfree(name); xfree(infotxt); xfree(prompts); @@ -730,16 +764,16 @@ mm_answer_skeyquery(int socket, Buffer *m) { struct skey skey; char challenge[1024]; - int res; + u_int success; - res = skeychallenge(&skey, authctxt->user, challenge); + success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1; buffer_clear(m); - buffer_put_int(m, res); - if (res != -1) + buffer_put_int(m, success); + if (success) buffer_put_cstring(m, challenge); - debug3("%s: sending challenge res: %d", __func__, res); + debug3("%s: sending challenge success: %u", __func__, success); mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m); return (0); @@ -803,7 +837,8 @@ int mm_answer_keyallowed(int socket, Buffer *m) { Key *key; - u_char *cuser, *chost, *blob; + char *cuser, *chost; + u_char *blob; u_int bloblen; enum mm_keytype type = 0; int allowed = 0; @@ -844,8 +879,9 @@ mm_answer_keyallowed(int socket, Buffer *m) fatal("%s: unknown key type %d", __func__, type); break; } - key_free(key); } + if (key != NULL) + key_free(key); /* clear temporarily storage (used by verify) */ monitor_reset_key_state(); @@ -864,6 +900,7 @@ mm_answer_keyallowed(int socket, Buffer *m) buffer_clear(m); buffer_put_int(m, allowed); + buffer_put_int(m, forced_command != NULL); mm_append_debug(m); @@ -879,7 +916,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; - u_char *p; + char *p; u_int len; int fail = 0; @@ -932,11 +969,11 @@ monitor_valid_userblob(u_char *data, u_int datalen) } static int -monitor_valid_hostbasedblob(u_char *data, u_int datalen, u_char *cuser, - u_char *chost) +monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, + char *chost) { Buffer b; - u_char *p; + char *p; u_int len; int fail = 0; @@ -1054,8 +1091,8 @@ mm_record_login(Session *s, struct passwd *pw) * the address be 0.0.0.0. */ memset(&from, 0, sizeof(from)); + fromlen = sizeof(from); if (packet_connection_is_on_socket()) { - fromlen = sizeof(from); if (getpeername(packet_get_connection_in(), (struct sockaddr *) & from, &fromlen) < 0) { debug("getpeername: %.100s", strerror(errno)); @@ -1065,7 +1102,7 @@ mm_record_login(Session *s, struct passwd *pw) /* Record that there was a login on that tty from the remote host. */ record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid, get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping), - (struct sockaddr *)&from); + (struct sockaddr *)&from, fromlen); } static void @@ -1226,6 +1263,7 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m) } buffer_clear(m); buffer_put_int(m, allowed); + buffer_put_int(m, forced_command != NULL); /* clear temporarily storage (used by generate challenge) */ monitor_reset_key_state(); @@ -1240,8 +1278,9 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m) key_blob = blob; key_bloblen = blen; key_blobtype = MM_RSAUSERKEY; - key_free(key); } + if (key != NULL) + key_free(key); mm_append_debug(m); @@ -1282,6 +1321,9 @@ mm_answer_rsa_challenge(int socket, Buffer *m) mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m); monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); + + xfree(blob); + key_free(key); return (0); } @@ -1312,6 +1354,7 @@ mm_answer_rsa_response(int socket, Buffer *m) fatal("%s: received bad response to challenge", __func__); success = auth_rsa_verify_response(key, ssh1_challenge, response); + xfree(blob); key_free(key); xfree(response); @@ -1329,6 +1372,89 @@ mm_answer_rsa_response(int socket, Buffer *m) return (success); } +#ifdef KRB4 +int +mm_answer_krb4(int socket, Buffer *m) +{ + KTEXT_ST auth, reply; + char *client, *p; + int success; + u_int alen; + + reply.length = auth.length = 0; + + p = buffer_get_string(m, &alen); + if (alen >= MAX_KTXT_LEN) + fatal("%s: auth too large", __func__); + memcpy(auth.dat, p, alen); + auth.length = alen; + memset(p, 0, alen); + xfree(p); + + success = options.kerberos_authentication && + authctxt->valid && + auth_krb4(authctxt, &auth, &client, &reply); + + memset(auth.dat, 0, alen); + buffer_clear(m); + buffer_put_int(m, success); + + if (success) { + buffer_put_cstring(m, client); + buffer_put_string(m, reply.dat, reply.length); + if (client) + xfree(client); + if (reply.length) + memset(reply.dat, 0, reply.length); + } + + debug3("%s: sending result %d", __func__, success); + mm_request_send(socket, MONITOR_ANS_KRB4, m); + + auth_method = "kerberos"; + + /* Causes monitor loop to terminate if authenticated */ + return (success); +} +#endif + +#ifdef KRB5 +int +mm_answer_krb5(int socket, Buffer *m) +{ + krb5_data tkt, reply; + char *client_user; + u_int len; + int success; + + /* use temporary var to avoid size issues on 64bit arch */ + tkt.data = buffer_get_string(m, &len); + tkt.length = len; + + success = options.kerberos_authentication && + authctxt->valid && + auth_krb5(authctxt, &tkt, &client_user, &reply); + + if (tkt.length) + xfree(tkt.data); + + buffer_clear(m); + buffer_put_int(m, success); + + if (success) { + buffer_put_cstring(m, client_user); + buffer_put_string(m, reply.data, reply.length); + if (client_user) + xfree(client_user); + if (reply.length) + xfree(reply.data); + } + mm_request_send(socket, MONITOR_ANS_KRB5, m); + + return success; +} +#endif + int mm_answer_term(int socket, Buffer *req) { @@ -1413,6 +1539,11 @@ mm_get_kex(Buffer *m) (memcmp(kex->session_id, session_id2, session_id2_len) != 0)) fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; +#ifdef GSSAPI + kex->kex[KEX_GSS_GRP1_SHA1] =kexgss_server; +#endif kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); @@ -1506,10 +1637,10 @@ mm_get_keystate(struct monitor *pmonitor) void * mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { - int len = size * ncount; + size_t len = (size_t) size * ncount; void *address; - if (len <= 0) + if (len == 0 || ncount > SIZE_T_MAX / size) fatal("%s: mm_zalloc(%u, %u)", __func__, ncount, size); address = mm_malloc(mm, len); @@ -1614,6 +1745,9 @@ mm_answer_gss_setup_ctx(int socket, Buffer *m) { mm_request_send(socket,MONITOR_ANS_GSSSETUP,m); + /* Now we have a context, enable the step and sign */ + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP,1); + return(0); } @@ -1635,8 +1769,14 @@ mm_answer_gss_accept_ctx(int socket, Buffer *m) { gss_release_buffer(&minor, &out); + /* Complete - now we can do signing */ + if (major==GSS_S_COMPLETE) { + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP,0); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN,1); + } return(0); } + int mm_answer_gss_userok(int socket, Buffer *m) { int authenticated; @@ -1649,31 +1789,12 @@ mm_answer_gss_userok(int socket, Buffer *m) { debug3("%s: sending result %d", __func__, authenticated); mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); + /* XXX - auth method could also be 'external' */ auth_method="gssapi"; /* Monitor loop will terminate if authenticated */ return(authenticated); } -int -mm_answer_gss_localname(int socket, Buffer *m) { - char *name; - - ssh_gssapi_localname(&name); - - buffer_clear(m); - if (name) { - buffer_put_cstring(m, name); - debug3("%s: sending result %s", __func__, name); - xfree(name); - } else { - buffer_put_cstring(m, ""); - debug3("%s: sending result \"\"", __func__); - } - - mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m); - - return(0); -} int mm_answer_gss_sign(int socket, Buffer *m) { @@ -1710,6 +1831,69 @@ mm_answer_gss_sign(int socket, Buffer *m) { return(0); } +int +mm_answer_gss_error(int socket, Buffer *m) { + OM_uint32 major,minor; + char *msg; + + msg=ssh_gssapi_last_error(gsscontext,&major,&minor); + buffer_clear(m); + buffer_put_int(m,major); + buffer_put_int(m,minor); + buffer_put_cstring(m,msg); + + mm_request_send(socket,MONITOR_ANS_GSSERR,m); + + xfree(msg); + + return(0); +} + +int +mm_answer_gss_indicate_mechs(int socket, Buffer *m) { + OM_uint32 major,minor; + gss_OID_set mech_set; + int i; + + major=gss_indicate_mechs(&minor, &mech_set); + + buffer_clear(m); + buffer_put_int(m, major); + buffer_put_int(m, mech_set->count); + for (i=0; i < mech_set->count; i++) { + buffer_put_string(m, mech_set->elements[i].elements, + mech_set->elements[i].length); + } + +#if !defined(MECHGLUE) /* mechglue memory management bug ??? */ + gss_release_oid_set(&minor,&mech_set); +#endif + + mm_request_send(socket,MONITOR_ANS_GSSMECHS,m); + + return(0); +} + +int +mm_answer_gss_localname(int socket, Buffer *m) { + char *name; + + ssh_gssapi_localname(&name); + + buffer_clear(m); + if (name) { + buffer_put_cstring(m, name); + debug3("%s: sending result %s", __func__, name); + xfree(name); + } else { + buffer_put_cstring(m, ""); + debug3("%s: sending result \"\"", __func__); + } + + mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m); + + return(0); +} #endif /* GSSAPI */ #ifdef GSI