X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/76d45d2f37f58d1a9703830d75ce8b56feae38c6..HEAD:/openssh/sshconnect2.c
diff --git a/openssh/sshconnect2.c b/openssh/sshconnect2.c
index 1ff0ff5..c4136d5 100644
--- a/openssh/sshconnect2.c
+++ b/openssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.170 2008/11/04 08:22:13 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.171 2009/03/05 07:18:19 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -68,6 +68,7 @@
 #include "msg.h"
 #include "pathnames.h"
 #include "uidswap.h"
+#include "schnorr.h"
 #include "jpake.h"
 
 #ifdef GSSAPI
@@ -85,6 +86,16 @@
 extern Kex *xxx_kex;
 
 extern int tty_flag;
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
+/* tty_flag is set in ssh.c. use this in ssh_userauth2 */
+/* if it is set then prevent the switch to the null cipher */
+
+extern int tty_flag;
+
 /*
  * SSH2 key exchange
  */
@@ -311,6 +322,7 @@ Authmethod authmethods[] = {
 #ifdef GSSAPI
 	{"gssapi-keyex",
 		userauth_gsskeyex,
+		NULL,
 		&options.gss_authentication,
 		NULL},
 	{"gssapi-with-mic",
@@ -626,12 +638,17 @@ userauth_gssapi(Authctxt *authctxt)
 	static u_int mech = 0;
 	OM_uint32 min;
 	int ok = 0;
-	const char *gss_host;
+	char *gss_host = NULL;
+
+	if (!options.gss_authentication) {
+		verbose("GSSAPI authentication disabled.");
+		return 0;
+	}
 
 	if (options.gss_trust_dns)
-		gss_host = get_canonical_hostname(1);
+		gss_host = (char *)get_canonical_hostname(1);
 	else
-		gss_host = authctxt->host;
+		gss_host = (char *)authctxt->host;
 
 	/* Try one GSSAPI method at a time, rather than sending them all at
 	 * once. */
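Review bot: The hunk at -85 leaves three `extern int tty_flag;` declarations and two identical copies of the two-line comment in a row, which looks like the HPN null-cipher hunk having been applied more than once; repeated compatible extern declarations compile, but they should be collapsed to one commented declaration. Suggested replacement for the whole run: `/* tty_flag is set in ssh.c; ssh_userauth2 uses it to refuse the switch to the null cipher on interactive sessions. */` followed by a single `extern int tty_flag;`. The null-cipher logic the comment refers to is not in this diff, so I could not confirm that wording against the code.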
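Review bot: The `NULL,` added in the -311 hunk is a positional initializer for a new slot between the userauth callback and the enabled flag, so every other entry in authmethods[] must gain the same slot or its remaining fields shift silently; the `gssapi-with-mic` entry begins on the hunk's last line and its initializer lies outside the hunk, so verify it was updated as well. Designated initializers naming the struct fields would make such slot insertions self-checking, though the new field's name is not visible here. The authmethods[] definition starts before this hunk.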
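Review bot: In the -626 hunk the `(char *)` casts on `get_canonical_hostname(1)` and `authctxt->host`, together with dropping `const` from `gss_host`, discard constness the original declaration kept; if a callee later in userauth_gssapi (outside the hunk) wants a non-const `char *`, fixing that prototype is safer than casting, because writing through the cast pointer would be undefined behaviour if either string is in read-only or shared storage. Keep `const char *gss_host = NULL;` and give the callee a `const char *` parameter. The early `if (!options.gss_authentication)` return appears redundant with the `&options.gss_authentication` enabled flag in the authmethods[] table, but it is harmless as defence in depth. The function continues past the hunk.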
@@ -712,7 +729,8 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
 
 	if (status == GSS_S_COMPLETE) {
 		/* send either complete or MIC, depending on mechanism */
-		if (!(flags & GSS_C_INTEG_FLAG)) {
+		if (strcmp(authctxt->method->name,"gssapi")==0 ||
+		    (!(flags & GSS_C_INTEG_FLAG))) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
 			packet_send();
 		} else {
@@ -857,6 +875,15 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
 	xfree(lang);
 }
 
+#ifdef GSI
+extern
+const gss_OID_desc * const gss_mech_globus_gssapi_openssl;
+#define is_gsi_oid(oid) \
+	(oid->length == gss_mech_globus_gssapi_openssl->length && \
+	 (memcmp(oid->elements, gss_mech_globus_gssapi_openssl->elements, \
+		 oid->length) == 0))
+#endif
+
 int
 userauth_gsskeyex(Authctxt *authctxt)
 {
@@ -874,8 +901,16 @@ userauth_gsskeyex(Authctxt *authctxt)
 		return (0);
 	}
 
-	ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
-	    "gssapi-keyex");
+#ifdef GSI
+	if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+		ssh_gssapi_buildmic(&b, "", authctxt->service, "gssapi-keyex");
+	} else {
+#endif
+	ssh_gssapi_buildmic(&b, authctxt->server_user, authctxt->service,
+	    "gssapi-keyex");
+#ifdef GSI
+	}
+#endif
 
 	gssbuf.value = buffer_ptr(&b);
 	gssbuf.length = buffer_len(&b);
@@ -886,7 +921,15 @@ userauth_gsskeyex(Authctxt *authctxt)
 	}
 
 	packet_start(SSH2_MSG_USERAUTH_REQUEST);
+#ifdef GSI
+	if (options.implicit && is_gsi_oid(gss_kex_context->oid)) {
+		packet_put_cstring("");
+	} else {
+#endif
 	packet_put_cstring(authctxt->server_user);
+#ifdef GSI
+	}
+#endif
 	packet_put_cstring(authctxt->service);
 	packet_put_cstring(authctxt->method->name);
 	packet_put_string(mic.value, mic.length);
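Review bot: The new `strcmp(authctxt->method->name,"gssapi")==0` test in the -712 hunk makes the client send SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE without a MIC whenever the legacy "gssapi" method is in use, even when `flags` reports integrity support; since the MIC in gssapi-with-mic is what binds the established GSSAPI context to this SSH session, the legacy branch needs a comment stating that the omission is inherent to the pre-RFC 4462 method rather than an oversight, e.g. `/* legacy "gssapi" (pre-RFC 4462) has no MIC step; only gssapi-with-mic binds the context to the session */`. Whether the legacy method is still registered in authmethods[] is not visible in this diff. Minor style: the file spells comparisons `strcmp(a, b) == 0` with spaces, and the parentheses around `!(flags & GSS_C_INTEG_FLAG)` are redundant. process_gssapi_token starts and ends outside the hunk.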
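Review bot: The `is_gsi_oid` macro in the -857 hunk uses its `oid` argument unparenthesized and evaluates it three times, so it is only safe because the callers pass a side-effect-free lvalue; a static helper gets type checking and single evaluation for free, and the `extern const gss_OID_desc * const gss_mech_globus_gssapi_openssl;` declaration belongs in a shared header rather than mid-file. The length comparison before `memcmp` correctly bounds the read and should be kept.
```c
#ifdef GSI
extern const gss_OID_desc * const gss_mech_globus_gssapi_openssl;

/* Non-zero if oid names the Globus GSI mechanism: lengths first, then bytes. */
static int
is_gsi_oid(const gss_OID_desc *oid)
{
	return oid->length == gss_mech_globus_gssapi_openssl->length &&
	    memcmp(oid->elements, gss_mech_globus_gssapi_openssl->elements,
	    oid->length) == 0;
}
#endif
```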
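Review bot: In the -874 hunk the username folded into the MIC (`""` versus `authctxt->server_user`) is chosen by a condition that is repeated verbatim a few lines later when the username is written into SSH2_MSG_USERAUTH_REQUEST; the server recomputes the MIC input from the username it receives, so if either copy is edited without the other the MIC check fails, and the `#ifdef GSI` wrapping of `} else {` and `}` makes that easy to do by accident. Pick the username once into a local and use it for both the MIC and the packet, which also removes the brace-across-preprocessor pattern. The `gss_kex_context->oid` dereference presumably relies on the NULL check whose `return (0);` closes just above the hunk, but that condition is outside the hunk. userauth_gsskeyex continues past the hunk.
```c
	/* … unchanged: gss_kex_context prerequisite check above … */
	const char *mic_user = authctxt->server_user;
#ifdef GSI
	/*
	 * Implicit GSI mode sends an empty username; the MIC must cover
	 * exactly the username placed in the USERAUTH_REQUEST below, or the
	 * server's MIC verification fails.
	 */
	if (options.implicit && is_gsi_oid(gss_kex_context->oid))
		mic_user = "";
#endif
	ssh_gssapi_buildmic(&b, mic_user, authctxt->service, "gssapi-keyex");
	/* … unchanged: gssbuf setup and MIC signing … */
	packet_start(SSH2_MSG_USERAUTH_REQUEST);
	packet_put_cstring(mic_user);
	/* … unchanged: service, method name, MIC … */
```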
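Review bot: The -886 hunk sends an empty username in SSH2_MSG_USERAUTH_REQUEST in implicit GSI mode, which a server without the matching implicit-mapping support will simply reject, and nothing on the client side records why the username was blank; a one-line trace before `packet_put_cstring("");`, e.g. `debug2("gssapi-keyex: implicit mode, sending empty username");`, would make that failure mode diagnosable from `ssh -vv`. userauth_gsskeyex continues past the hunk.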