X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/d8d9afd062d31e7f4f836ab22893109badfff769..822015dda8008714e520ca557865c28023adbc83:/sshconnect2.c

diff --git a/sshconnect2.c b/sshconnect2.c
index f991f81d..68d56d02 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.129 2003/11/02 11:01:03 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.138 2004/06/13 12:53:24 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -43,7 +43,7 @@ RCSID("$OpenBSD: sshconnect2.c,v 1.129 2003/11/02 11:01:03 markus Exp $");
 #include "authfd.h"
 #include "log.h"
 #include "readconf.h"
-#include "readpass.h"
+#include "misc.h"
 #include "match.h"
 #include "dispatch.h"
 #include "canohost.h"
@@ -120,6 +120,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
 	/* start key exchange */
 	kex = kex_setup(myproposal);
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
+	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
@@ -222,7 +223,7 @@ static char *authmethods_get(void);
 
 Authmethod authmethods[] = {
 #ifdef GSSAPI
-	{"gssapi",
+	{"gssapi-with-mic",
 		userauth_gssapi,
 		&options.gss_authentication,
 		NULL},
@@ -458,7 +459,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
 	 * moved to the end of the queue.  this also avoids confusion by
 	 * duplicate keys
 	 */
-	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, next, idlist) {
+	TAILQ_FOREACH_REVERSE(id, &authctxt->keys, idlist, next) {
 		if (key_equal(key, id->key)) {
 			sent = sign_and_send_pubkey(authctxt, id);
 			break;
@@ -476,7 +477,7 @@ done:
 }
 
 #ifdef GSSAPI
-int 
+int
 userauth_gssapi(Authctxt *authctxt)
 {
 	Gssctxt *gssctxt = NULL;
@@ -537,15 +538,66 @@ userauth_gssapi(Authctxt *authctxt)
 	return 1;
 }
 
+static OM_uint32
+process_gssapi_token(void *ctxt, gss_buffer_t recv_tok)
+{
+	Authctxt *authctxt = ctxt;
+	Gssctxt *gssctxt = authctxt->methoddata;
+	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc gssbuf, mic;
+	OM_uint32 status, ms, flags;
+	Buffer b;
+
+	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
+	    recv_tok, &send_tok, &flags);
+
+	if (send_tok.length > 0) {
+		if (GSS_ERROR(status))
+			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
+		else
+			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
+
+		packet_put_string(send_tok.value, send_tok.length);
+		packet_send();
+		gss_release_buffer(&ms, &send_tok);
+	}
+
+	if (status == GSS_S_COMPLETE) {
+		/* send either complete or MIC, depending on mechanism */
+		if (!(flags & GSS_C_INTEG_FLAG)) {
+			packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
+			packet_send();
+		} else {
+			ssh_gssapi_buildmic(&b, authctxt->server_user,
+			    authctxt->service, "gssapi-with-mic");
+
+			gssbuf.value = buffer_ptr(&b);
+			gssbuf.length = buffer_len(&b);
+
+			status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic);
+
+			if (!GSS_ERROR(status)) {
+				packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC);
+				packet_put_string(mic.value, mic.length);
+
+				packet_send();
+			}
+
+			buffer_free(&b);
+			gss_release_buffer(&ms, &mic);
+		}
+	}
+
+	return status;
+}
+
 void
 input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
-	OM_uint32 status, ms;
 	int oidlen;
 	char *oidv;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
@@ -557,9 +609,9 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 	if (oidlen <= 2 ||
 	    oidv[0] != SSH_GSS_OIDTYPE ||
 	    oidv[1] != oidlen - 2) {
+		xfree(oidv);
 		debug("Badly encoded mechanism OID received");
 		userauth(authctxt, NULL);
-		xfree(oidv);
 		return;
 	}
 
@@ -570,76 +622,39 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 
 	xfree(oidv);
 
-	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-	    GSS_C_NO_BUFFER, &send_tok, NULL);
-	if (GSS_ERROR(status)) {
-		if (send_tok.length > 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-			gss_release_buffer(&ms, &send_tok);
-		}
+	if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) {
 		/* Start again with next method on list */
 		debug("Trying to start again");
 		userauth(authctxt, NULL);
 		return;
 	}
-
-	/* We must have data to send */
-	packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-	packet_put_string(send_tok.value, send_tok.length);
-	packet_send();
-	gss_release_buffer(&ms, &send_tok);
 }
 
 void
 input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 	gss_buffer_desc recv_tok;
-	OM_uint32 status, ms;
+	OM_uint32 status;
 	u_int slen;
 
 	if (authctxt == NULL)
 		fatal("input_gssapi_response: no authentication context");
-	gssctxt = authctxt->methoddata;
 
 	recv_tok.value = packet_get_string(&slen);
 	recv_tok.length = slen;	/* safe typecast */
 
 	packet_check_eom();
 
-	status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds,
-	    &recv_tok, &send_tok, NULL);
+	status = process_gssapi_token(ctxt, &recv_tok);
 
 	xfree(recv_tok.value);
 
 	if (GSS_ERROR(status)) {
-		if (send_tok.length > 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-			gss_release_buffer(&ms, &send_tok);
-		}
 		/* Start again with the next method in the list */
 		userauth(authctxt, NULL);
 		return;
 	}
-
-	if (send_tok.length > 0) {
-		packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-		packet_put_string(send_tok.value, send_tok.length);
-		packet_send();
-		gss_release_buffer(&ms, &send_tok);
-	}
-
-	if (status == GSS_S_COMPLETE) {
-		/* If that succeeded, send a exchange complete message */
-		packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE);
-		packet_send();
-	}
 }
 
 void
@@ -1019,7 +1034,7 @@ pubkey_prepare(Authctxt *authctxt)
 		    key = ssh_get_next_identity(ac, &comment, 2)) {
 			found = 0;
 			TAILQ_FOREACH(id, &files, next) {
-				/* agent keys from the config file are preferred */ 
+				/* agent keys from the config file are preferred */
 				if (key_equal(key, id->key)) {
 					key_free(key);
 					xfree(comment);
@@ -1030,7 +1045,7 @@ pubkey_prepare(Authctxt *authctxt)
 					break;
 				}
 			}
-			if (!found) {
+			if (!found && !options.identities_only) {
 				id = xmalloc(sizeof(*id));
 				memset(id, 0, sizeof(*id));
 				id->key = key;
@@ -1248,11 +1263,12 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
 	buffer_init(&b);
 	buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */
 	buffer_put_string(&b, data, datalen);
-	ssh_msg_send(to[1], version, &b);
+	if (ssh_msg_send(to[1], version, &b) == -1)
+		fatal("ssh_keysign: couldn't send request");
 
 	if (ssh_msg_recv(from[0], &b) < 0) {
 		error("ssh_keysign: no reply");
-		buffer_clear(&b);
+		buffer_free(&b);
 		return -1;
 	}
 	close(from[0]);
@@ -1264,11 +1280,11 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp,
 
 	if (buffer_get_char(&b) != version) {
 		error("ssh_keysign: bad version");
-		buffer_clear(&b);
+		buffer_free(&b);
 		return -1;
 	}
 	*sigp = buffer_get_string(&b, lenp);
-	buffer_clear(&b);
+	buffer_free(&b);
 
 	return 0;
 }