X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/d03f42626b290c7c9839e1ecb27dfb069e76a396..e23e524cb4bcb3853db010acf44ddedd419fe244:/openssh/monitor.c diff --git a/openssh/monitor.c b/openssh/monitor.c index bf5f0e6..95b67b8 100644 --- a/openssh/monitor.c +++ b/openssh/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.29 2002/09/26 11:38:43 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $"); #include @@ -125,27 +125,28 @@ int mm_answer_sessid(int, Buffer *); int mm_answer_pam_start(int, Buffer *); #endif +#ifdef KRB4 +int mm_answer_krb4(int, Buffer *); +#endif +#ifdef KRB5 +int mm_answer_krb5(int, Buffer *); +#endif + #ifdef GSSAPI int mm_answer_gss_setup_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_localname(int, Buffer *); int mm_answer_gss_sign(int, Buffer *); +int mm_answer_gss_error(int, Buffer *); int mm_answer_gss_indicate_mechs(int, Buffer *); -int mm_answer_gss_display_status(int, Buffer *); +int mm_answer_gss_localname(int, Buffer *); #endif #ifdef GSI int mm_answer_gsi_gridmap(int, Buffer *); #endif -#ifdef KRB4 -int mm_answer_krb4(int, Buffer *); -#endif -#ifdef KRB5 -int mm_answer_krb5(int, Buffer *); -#endif - static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -195,10 +196,10 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, + {MONITOR_REQ_GSSERR, MON_ISAUTH | MON_ONCE, mm_answer_gss_error}, {MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs}, - {MONITOR_REQ_GSSSTAT, MON_ISAUTH, mm_answer_gss_display_status}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, - {MONITOR_REQ_GSSLOCALNAME, MON_AUTH, mm_answer_gss_localname}, + {MONITOR_REQ_GSSLOCALNAME, MON_ISAUTH, mm_answer_gss_localname}, #endif {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed}, {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify}, @@ -210,8 +211,8 @@ struct mon_table mon_dispatch_postauth20[] = { {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, + {MONITOR_REQ_GSSERR, 0, mm_answer_gss_error}, {MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs}, - {MONITOR_REQ_GSSSTAT, 0, mm_answer_gss_display_status}, #endif {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_SIGN, 0, mm_answer_sign}, @@ -244,7 +245,6 @@ struct mon_table mon_dispatch_proto15[] = { {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSMECHS, MON_ISAUTH, mm_answer_gss_indicate_mechs}, - {MONITOR_REQ_GSSSTAT, MON_ISAUTH, mm_answer_gss_display_status}, #endif #ifdef GSI {MONITOR_REQ_GSIGRIDMAP, MON_PERMIT, mm_answer_gsi_gridmap}, @@ -267,7 +267,6 @@ struct mon_table mon_dispatch_postauth15[] = { {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, {MONITOR_REQ_GSSMECHS, 0, mm_answer_gss_indicate_mechs}, - {MONITOR_REQ_GSSSTAT, 0, mm_answer_gss_display_status}, #endif {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty}, {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup}, @@ -323,19 +322,16 @@ monitor_child_preauth(struct monitor *pmonitor) #ifdef GSSAPI /* and for the GSSAPI key exchange */ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTAT, 1); #endif } else { mon_dispatch = mon_dispatch_proto15; monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); #ifdef GSSAPI - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS, 1); - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTAT, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1); #endif #ifdef GSI monitor_permit(mon_dispatch, MONITOR_REQ_GSIGRIDMAP, 1); @@ -390,12 +386,19 @@ monitor_child_postauth(struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); +#ifdef GSSAPI + /* and for the GSSAPI key exchange */ + monitor_permit(mon_dispatch, MONITOR_REQ_GSSMECHS,1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP,1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR,1); +#endif + } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); } #ifdef GSSAPI - monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTAT, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSERR, 1); #endif if (!no_pty_flag) { monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); @@ -704,20 +707,20 @@ mm_answer_bsdauthquery(int socket, Buffer *m) u_int numprompts; u_int *echo_on; char **prompts; - int res; + u_int success; - res = bsdauth_query(authctxt, &name, &infotxt, &numprompts, - &prompts, &echo_on); + success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, + &prompts, &echo_on) < 0 ? 0 : 1; buffer_clear(m); - buffer_put_int(m, res); - if (res != -1) + buffer_put_int(m, success); + if (success) buffer_put_cstring(m, prompts[0]); - debug3("%s: sending challenge res: %d", __func__, res); + debug3("%s: sending challenge success: %u", __func__, success); mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m); - if (res != -1) { + if (success) { xfree(name); xfree(infotxt); xfree(prompts); @@ -761,16 +764,16 @@ mm_answer_skeyquery(int socket, Buffer *m) { struct skey skey; char challenge[1024]; - int res; + u_int success; - res = skeychallenge(&skey, authctxt->user, challenge); + success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1; buffer_clear(m); - buffer_put_int(m, res); - if (res != -1) + buffer_put_int(m, success); + if (success) buffer_put_cstring(m, challenge); - debug3("%s: sending challenge res: %d", __func__, res); + debug3("%s: sending challenge success: %u", __func__, success); mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m); return (0); @@ -876,8 +879,9 @@ mm_answer_keyallowed(int socket, Buffer *m) fatal("%s: unknown key type %d", __func__, type); break; } - key_free(key); } + if (key != NULL) + key_free(key); /* clear temporarily storage (used by verify) */ monitor_reset_key_state(); @@ -896,6 +900,7 @@ mm_answer_keyallowed(int socket, Buffer *m) buffer_clear(m); buffer_put_int(m, allowed); + buffer_put_int(m, forced_command != NULL); mm_append_debug(m); @@ -1258,6 +1263,7 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m) } buffer_clear(m); buffer_put_int(m, allowed); + buffer_put_int(m, forced_command != NULL); /* clear temporarily storage (used by generate challenge) */ monitor_reset_key_state(); @@ -1272,8 +1278,9 @@ mm_answer_rsa_keyallowed(int socket, Buffer *m) key_blob = blob; key_bloblen = blen; key_blobtype = MM_RSAUSERKEY; - key_free(key); } + if (key != NULL) + key_free(key); mm_append_debug(m); @@ -1314,6 +1321,9 @@ mm_answer_rsa_challenge(int socket, Buffer *m) mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m); monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1); + + xfree(blob); + key_free(key); return (0); } @@ -1344,6 +1354,7 @@ mm_answer_rsa_response(int socket, Buffer *m) fatal("%s: received bad response to challenge", __func__); success = auth_rsa_verify_response(key, ssh1_challenge, response); + xfree(blob); key_free(key); xfree(response); @@ -1528,6 +1539,11 @@ mm_get_kex(Buffer *m) (memcmp(kex->session_id, session_id2, session_id2_len) != 0)) fatal("mm_get_get: internal error: bad session id"); kex->we_need = buffer_get_int(m); + kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; + kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; +#ifdef GSSAPI + kex->kex[KEX_GSS_GRP1_SHA1] =kexgss_server; +#endif kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); @@ -1621,7 +1637,7 @@ mm_get_keystate(struct monitor *pmonitor) void * mm_zalloc(struct mm_master *mm, u_int ncount, u_int size) { - size_t len = size * ncount; + size_t len = (size_t) size * ncount; void *address; if (len == 0 || ncount > SIZE_T_MAX / size) @@ -1729,6 +1745,9 @@ mm_answer_gss_setup_ctx(int socket, Buffer *m) { mm_request_send(socket,MONITOR_ANS_GSSSETUP,m); + /* Now we have a context, enable the step and sign */ + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP,1); + return(0); } @@ -1750,8 +1769,14 @@ mm_answer_gss_accept_ctx(int socket, Buffer *m) { gss_release_buffer(&minor, &out); + /* Complete - now we can do signing */ + if (major==GSS_S_COMPLETE) { + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP,0); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN,1); + } return(0); } + int mm_answer_gss_userok(int socket, Buffer *m) { int authenticated; @@ -1764,31 +1789,12 @@ mm_answer_gss_userok(int socket, Buffer *m) { debug3("%s: sending result %d", __func__, authenticated); mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); + /* XXX - auth method could also be 'external' */ auth_method="gssapi"; /* Monitor loop will terminate if authenticated */ return(authenticated); } -int -mm_answer_gss_localname(int socket, Buffer *m) { - char *name; - - ssh_gssapi_localname(&name); - - buffer_clear(m); - if (name) { - buffer_put_cstring(m, name); - debug3("%s: sending result %s", __func__, name); - xfree(name); - } else { - buffer_put_cstring(m, ""); - debug3("%s: sending result \"\"", __func__); - } - - mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m); - - return(0); -} int mm_answer_gss_sign(int socket, Buffer *m) { @@ -1825,6 +1831,24 @@ mm_answer_gss_sign(int socket, Buffer *m) { return(0); } +int +mm_answer_gss_error(int socket, Buffer *m) { + OM_uint32 major,minor; + char *msg; + + msg=ssh_gssapi_last_error(gsscontext,&major,&minor); + buffer_clear(m); + buffer_put_int(m,major); + buffer_put_int(m,minor); + buffer_put_cstring(m,msg); + + mm_request_send(socket,MONITOR_ANS_GSSERR,m); + + xfree(msg); + + return(0); +} + int mm_answer_gss_indicate_mechs(int socket, Buffer *m) { OM_uint32 major,minor; @@ -1841,49 +1865,35 @@ mm_answer_gss_indicate_mechs(int socket, Buffer *m) { mech_set->elements[i].length); } +#if !defined(MECHGLUE) /* mechglue memory management bug ??? */ + gss_release_oid_set(&minor,&mech_set); +#endif + mm_request_send(socket,MONITOR_ANS_GSSMECHS,m); return(0); } int -mm_answer_gss_display_status(int socket, Buffer *m) { - OM_uint32 major,minor,status_value,message_context; - int status_type; - gss_OID_desc mech_type_desc; - gss_OID mech_type; - gss_buffer_desc status_string; - u_int length; - - status_value = buffer_get_int(m); - status_type = buffer_get_int(m); - mech_type_desc.elements = buffer_get_string(m, &length); - mech_type_desc.length = length; - if (length != 0) { - mech_type = &mech_type_desc; - } else if (gsscontext) { - mech_type = gsscontext->oid; - } else { - mech_type = GSS_C_NO_OID; - } - message_context = buffer_get_int(m); - - major=gss_display_status(&minor, status_value, status_type, mech_type, - &message_context, &status_string); - - buffer_clear(m); - buffer_put_int(m, message_context); - buffer_put_string(m, status_string.value, status_string.length); +mm_answer_gss_localname(int socket, Buffer *m) { + char *name; - mm_request_send(socket,MONITOR_ANS_GSSSTAT,m); + ssh_gssapi_localname(&name); - if (mech_type_desc.elements) { - xfree(mech_type_desc.elements); + buffer_clear(m); + if (name) { + buffer_put_cstring(m, name); + debug3("%s: sending result %s", __func__, name); + xfree(name); + } else { + buffer_put_cstring(m, ""); + debug3("%s: sending result \"\"", __func__); } - return 0; -} + mm_request_send(socket, MONITOR_ANS_GSSLOCALNAME, m); + return(0); +} #endif /* GSSAPI */ #ifdef GSI