- stevesk@cvs.openbsd.org 2002/04/21 16:19:27
index a5fef1036d46f051fe198b3a1d05afe371dc2579..3b5c7186ff0153437f43bbd3eb0237b439af2ea2 100644 (file)
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.45 2001/12/28 12:14:27 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.49 2002/03/14 15:24:27 markus Exp $");
 
 #include <openssl/bn.h>
-#include <openssl/evp.h>
+#include <openssl/md5.h>
 
 #ifdef KRB4
 #include <krb.h>
 #endif
 #ifdef KRB5
 #include <krb5.h>
+#ifndef HEIMDAL
+#define krb5_get_err_text(context,code) error_message(code)
+#endif /* !HEIMDAL */
 #endif
 #ifdef AFS
 #include <kafs.h>
@@ -67,7 +70,6 @@ try_agent_authentication(void)
        AuthenticationConnection *auth;
        u_char response[16];
        u_int i;
-       int plen, clen;
        Key *key;
        BIGNUM *challenge;
 
@@ -94,7 +96,7 @@ try_agent_authentication(void)
                packet_write_wait();
 
                /* Wait for server's response. */
-               type = packet_read(&plen);
+               type = packet_read();
 
                /* The server sends failure if it doesn\'t like our key or
                   does not support RSA authentication. */
@@ -108,7 +110,7 @@ try_agent_authentication(void)
                        packet_disconnect("Protocol error during RSA authentication: %d",
                                          type);
 
-               packet_get_bignum(challenge, &clen);
+               packet_get_bignum(challenge);
                packet_check_eom();
 
                debug("Received RSA challenge from server.");
@@ -134,7 +136,7 @@ try_agent_authentication(void)
                packet_write_wait();
 
                /* Wait for response from the server. */
-               type = packet_read(&plen);
+               type = packet_read();
 
                /* The server returns success if it accepted the authentication. */
                if (type == SSH_SMSG_SUCCESS) {
@@ -209,7 +211,7 @@ try_rsa_authentication(int idx)
        BIGNUM *challenge;
        Key *public, *private;
        char buf[300], *passphrase, *comment, *authfile;
-       int i, type, quit, plen, clen;
+       int i, type, quit;
 
        public = options.identity_keys[idx];
        authfile = options.identity_files[idx];
@@ -224,7 +226,7 @@ try_rsa_authentication(int idx)
        packet_write_wait();
 
        /* Wait for server's response. */
-       type = packet_read(&plen);
+       type = packet_read();
 
        /*
         * The server responds with failure if it doesn\'t like our key or
@@ -242,7 +244,7 @@ try_rsa_authentication(int idx)
        /* Get the challenge from the packet. */
        if ((challenge = BN_new()) == NULL)
                fatal("try_rsa_authentication: BN_new failed");
-       packet_get_bignum(challenge, &clen);
+       packet_get_bignum(challenge);
        packet_check_eom();
 
        debug("Received RSA challenge from server.");
@@ -291,7 +293,7 @@ try_rsa_authentication(int idx)
                packet_write_wait();
 
                /* Expect the server to reject it... */
-               packet_read_expect(&plen, SSH_SMSG_FAILURE);
+               packet_read_expect(SSH_SMSG_FAILURE);
                BN_clear_free(challenge);
                return 0;
        }
@@ -307,7 +309,7 @@ try_rsa_authentication(int idx)
        BN_clear_free(challenge);
 
        /* Wait for response from the server. */
-       type = packet_read(&plen);
+       type = packet_read();
        if (type == SSH_SMSG_SUCCESS) {
                debug("RSA authentication accepted by server.");
                return 1;
@@ -327,7 +329,6 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
 {
        int type;
        BIGNUM *challenge;
-       int plen, clen;
 
        debug("Trying rhosts or /etc/hosts.equiv with RSA host authentication.");
 
@@ -341,7 +342,7 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        packet_write_wait();
 
        /* Wait for server's response. */
-       type = packet_read(&plen);
+       type = packet_read();
 
        /* The server responds with failure if it doesn't admit our
           .rhosts authentication or doesn't know our host key. */
@@ -356,7 +357,7 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        /* Get the challenge from the packet. */
        if ((challenge = BN_new()) == NULL)
                fatal("try_rhosts_rsa_authentication: BN_new failed");
-       packet_get_bignum(challenge, &clen);
+       packet_get_bignum(challenge);
        packet_check_eom();
 
        debug("Received RSA challenge for host key from server.");
@@ -368,7 +369,7 @@ try_rhosts_rsa_authentication(const char *local_user, Key * host_key)
        BN_clear_free(challenge);
 
        /* Wait for response from the server. */
-       type = packet_read(&plen);
+       type = packet_read();
        if (type == SSH_SMSG_SUCCESS) {
                debug("Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.");
                return 1;
@@ -388,7 +389,7 @@ try_krb4_authentication(void)
        char inst[INST_SZ];
        char *realm;
        CREDENTIALS cred;
-       int r, type, plen;
+       int r, type;
        socklen_t slen;
        Key_schedule schedule;
        u_long checksum, cksum;
@@ -447,7 +448,7 @@ try_krb4_authentication(void)
                fatal_cleanup();
        }
        /* Get server reply. */
-       type = packet_read(&plen);
+       type = packet_read();
        switch (type) {
        case SSH_SMSG_FAILURE:
                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
@@ -461,6 +462,8 @@ try_krb4_authentication(void)
 
                /* Get server's response. */
                reply = packet_get_string((u_int *) &auth.length);
+               if (auth.length >= MAX_KTXT_LEN)
+                       fatal("Kerberos v4: Malformed response from server");
                memcpy(auth.dat, reply, auth.length);
                xfree(reply);
 
@@ -509,7 +512,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
        krb5_ccache ccache = NULL;
        const char *remotehost;
        krb5_data ap;
-       int type, payload_len;
+       int type;
        krb5_ap_rep_enc_part *reply = NULL;
        int ret;
 
@@ -521,6 +524,23 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
                ret = 0;
                goto out;
        }
+       
+       problem = krb5_auth_con_init(*context, auth_context);
+       if (problem) {
+               debug("Kerberos v5: krb5_auth_con_init failed");
+               ret = 0;
+               goto out;
+       }
+
+#ifndef HEIMDAL
+       problem = krb5_auth_con_setflags(*context, *auth_context,
+                                        KRB5_AUTH_CONTEXT_RET_TIME);
+       if (problem) {
+               debug("Keberos v5: krb5_auth_con_setflags failed");
+               ret = 0;
+               goto out;
+       }
+#endif
 
        tkfile = krb5_cc_default_name(*context);
        if (strncmp(tkfile, "FILE:", 5) == 0)
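Review bot: The message at `debug("Keberos v5: krb5_auth_con_setflags failed");` misspells Kerberos, and neither of the two new failure paths reports the library error, even though this same commit introduces a `krb5_get_err_text` macro for exactly that purpose; `debug("Kerberos v5: krb5_auth_con_setflags failed: %s", krb5_get_err_text(*context, problem));` (and the same for the krb5_auth_con_init path) would make a failing setup diagnosable. Separately, when krb5_auth_con_setflags fails after krb5_auth_con_init has already allocated `*auth_context`, the code jumps to `out` with that context still live; whether `out:` or the caller that owns `auth_context` frees it is not visible in this hunk and should be checked. try_krb5_authentication starts and ends outside this hunk.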
@@ -559,7 +579,7 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
        xfree(ap.data);
        ap.length = 0;
 
-       type = packet_read(&payload_len);
+       type = packet_read();
        switch (type) {
        case SSH_SMSG_FAILURE:
                /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */
@@ -597,7 +617,11 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
        if (reply != NULL)
                krb5_free_ap_rep_enc_part(*context, reply);
        if (ap.length > 0)
+#ifdef HEIMDAL
                krb5_data_free(&ap);
+#else
+               krb5_free_data_contents(*context, &ap);
+#endif
 
        return (ret);
 }
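Review bot: The `if (ap.length > 0)` at the top of the hunk now has a preprocessor conditional as its unbraced body, which is correct only because each branch is exactly one statement; a second statement added to either branch later would silently fall outside the condition. Wrap the body in braces (`if (ap.length > 0) {` before the `#ifdef HEIMDAL` and a closing `}` after the `#endif`) so the scope is explicit whichever branch is compiled. try_krb5_authentication starts outside this hunk.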
@@ -605,12 +629,16 @@ try_krb5_authentication(krb5_context *context, krb5_auth_context *auth_context)
 static void
 send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
 {
-       int fd, type, payload_len;
+       int fd, type;
        krb5_error_code problem;
        krb5_data outbuf;
        krb5_ccache ccache = NULL;
        krb5_creds creds;
+#ifdef HEIMDAL
        krb5_kdc_flags flags;
+#else
+       int forwardable;
+#endif
        const char *remotehost;
 
        memset(&creds, 0, sizeof(creds));
@@ -618,7 +646,13 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
 
        fd = packet_get_connection_in();
 
+#ifdef HEIMDAL
        problem = krb5_auth_con_setaddrs_from_fd(context, auth_context, &fd);
+#else
+       problem = krb5_auth_con_genaddrs(context, auth_context, fd,
+                       KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR |
+                       KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR);
+#endif
        if (problem)
                goto out;
 
@@ -630,23 +664,35 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
        if (problem)
                goto out;
 
+       remotehost = get_canonical_hostname(1);
+       
+#ifdef HEIMDAL
        problem = krb5_build_principal(context, &creds.server,
            strlen(creds.client->realm), creds.client->realm,
            "krbtgt", creds.client->realm, NULL);
+#else
+       problem = krb5_build_principal(context, &creds.server,
+           creds.client->realm.length, creds.client->realm.data,
+           "host", remotehost, NULL);
+#endif
        if (problem)
                goto out;
 
        creds.times.endtime = 0;
 
+#ifdef HEIMDAL
        flags.i = 0;
        flags.b.forwarded = 1;
        flags.b.forwardable = krb5_config_get_bool(context,  NULL,
            "libdefaults", "forwardable", NULL);
-
-       remotehost = get_canonical_hostname(1);
-
        problem = krb5_get_forwarded_creds(context, auth_context,
            ccache, flags.i, remotehost, &creds, &outbuf);
+#else
+       forwardable = 1;
+       problem = krb5_fwd_tgt_creds(context, auth_context, remotehost,
+           creds.client, creds.server, ccache, forwardable, &outbuf);
+#endif
+
        if (problem)
                goto out;
 
@@ -655,7 +701,7 @@ send_krb5_tgt(krb5_context context, krb5_auth_context auth_context)
        packet_send();
        packet_write_wait();
 
-       type = packet_read(&payload_len);
+       type = packet_read();
 
        if (type == SSH_SMSG_SUCCESS) {
                char *pname;
@@ -690,7 +736,7 @@ send_krb4_tgt(void)
        CREDENTIALS *creds;
        struct stat st;
        char buffer[4096], pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ];
-       int problem, type, len;
+       int problem, type;
 
        /* Don't do anything if we don't have any tickets. */
        if (stat(tkt_string(), &st) < 0)
@@ -717,7 +763,7 @@ send_krb4_tgt(void)
        packet_send();
        packet_write_wait();
 
-       type = packet_read(&len);
+       type = packet_read();
 
        if (type == SSH_SMSG_SUCCESS)
                debug("Kerberos v4 TGT forwarded (%s%s%s@%s).",
@@ -795,7 +841,7 @@ send_afs_tokens(void)
 
                /* Roger, Roger. Clearance, Clarence. What's your vector,
                   Victor? */
-               type = packet_read(&len);
+               type = packet_read();
 
                if (type == SSH_SMSG_FAILURE)
                        debug("AFS token for cell %s rejected.", server_cell);
@@ -814,7 +860,6 @@ static int
 try_challenge_response_authentication(void)
 {
        int type, i;
-       int payload_len;
        u_int clen;
        char prompt[1024];
        char *challenge, *response;
@@ -827,7 +872,7 @@ try_challenge_response_authentication(void)
                packet_send();
                packet_write_wait();
 
-               type = packet_read(&payload_len);
+               type = packet_read();
                if (type != SSH_SMSG_FAILURE &&
                    type != SSH_SMSG_AUTH_TIS_CHALLENGE) {
                        packet_disconnect("Protocol error: got %d in response "
@@ -858,7 +903,7 @@ try_challenge_response_authentication(void)
                xfree(response);
                packet_send();
                packet_write_wait();
-               type = packet_read(&payload_len);
+               type = packet_read();
                if (type == SSH_SMSG_SUCCESS)
                        return 1;
                if (type != SSH_SMSG_FAILURE)
@@ -875,7 +920,7 @@ try_challenge_response_authentication(void)
 static int
 try_password_authentication(char *prompt)
 {
-       int type, i, payload_len;
+       int type, i;
        char *password;
 
        debug("Doing password authentication.");
@@ -892,7 +937,7 @@ try_password_authentication(char *prompt)
                packet_send();
                packet_write_wait();
 
-               type = packet_read(&payload_len);
+               type = packet_read();
                if (type == SSH_SMSG_SUCCESS)
                        return 1;
                if (type != SSH_SMSG_FAILURE)
@@ -917,13 +962,12 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
        u_char cookie[8];
        u_int supported_ciphers;
        u_int server_flags, client_flags;
-       int payload_len, clen, sum_len = 0;
        u_int32_t rand = 0;
 
        debug("Waiting for server public key.");
 
        /* Wait for a public key packet from the server. */
-       packet_read_expect(&payload_len, SSH_SMSG_PUBLIC_KEY);
+       packet_read_expect(SSH_SMSG_PUBLIC_KEY);
 
        /* Get cookie from the packet. */
        for (i = 0; i < 8; i++)
@@ -932,10 +976,8 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
        /* Get the public key. */
        server_key = key_new(KEY_RSA1);
        bits = packet_get_int();
-       packet_get_bignum(server_key->rsa->e, &clen);
-       sum_len += clen;
-       packet_get_bignum(server_key->rsa->n, &clen);
-       sum_len += clen;
+       packet_get_bignum(server_key->rsa->e);
+       packet_get_bignum(server_key->rsa->n);
 
        rbits = BN_num_bits(server_key->rsa->n);
        if (bits != rbits) {
@@ -946,10 +988,8 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
        /* Get the host key. */
        host_key = key_new(KEY_RSA1);
        bits = packet_get_int();
-       packet_get_bignum(host_key->rsa->e, &clen);
-       sum_len += clen;
-       packet_get_bignum(host_key->rsa->n, &clen);
-       sum_len += clen;
+       packet_get_bignum(host_key->rsa->e);
+       packet_get_bignum(host_key->rsa->n);
 
        rbits = BN_num_bits(host_key->rsa->n);
        if (bits != rbits) {
@@ -1088,7 +1128,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
         * Expect a success message from the server.  Note that this message
         * will be received in encrypted form.
         */
-       packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
+       packet_read_expect(SSH_SMSG_SUCCESS);
 
        debug("Received encrypted confirmation.");
 }
@@ -1105,7 +1145,6 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
        krb5_auth_context auth_context = NULL;
 #endif
        int i, type;
-       int payload_len;
 
        if (supported_authentications == 0)
                fatal("ssh_userauth1: server supports no auth methods");
@@ -1121,7 +1160,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
         * needed (the user has no password).  Otherwise the server responds
         * with failure.
         */
-       type = packet_read(&payload_len);
+       type = packet_read();
 
        /* check whether the connection was accepted without authentication. */
        if (type == SSH_SMSG_SUCCESS)
@@ -1135,7 +1174,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
                debug("Trying Kerberos v5 authentication.");
 
                if (try_krb5_authentication(&context, &auth_context)) {
-                       type = packet_read(&payload_len);
+                       type = packet_read();
                        if (type == SSH_SMSG_SUCCESS)
                                goto success;
                        if (type != SSH_SMSG_FAILURE)
@@ -1150,7 +1189,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
                debug("Trying Kerberos v4 authentication.");
 
                if (try_krb4_authentication()) {
-                       type = packet_read(&payload_len);
+                       type = packet_read();
                        if (type == SSH_SMSG_SUCCESS)
                                goto success;
                        if (type != SSH_SMSG_FAILURE)
@@ -1172,7 +1211,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
                packet_write_wait();
 
                /* The server should respond with success or failure. */
-               type = packet_read(&payload_len);
+               type = packet_read();
                if (type == SSH_SMSG_SUCCESS)
                        goto success;
                if (type != SSH_SMSG_FAILURE)