src/usr.bin/ssh/auth2-gss.c - diff

Return to auth2-gss.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/auth2-gss.c between version 1.3 and 1.3.2.2

version 1.3, 2003/09/01 20:44:54

version 1.3.2.2, 2004/08/19 22:37:30

Line 43

extern ServerOptions options;

static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);

static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);

static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);

static void input_gssapi_errtok(int, u_int32_t, void *);

Line 53

Line 54

static int

userauth_gssapi(Authctxt *authctxt)

{

gss_OID_desc oid = {0, NULL};

gss_OID_desc goid = {0, NULL};

Gssctxt *ctxt = NULL;

int mechs;

gss_OID_set supported;

Line 78

Line 79

if (doid)

xfree(doid);

present = 0;

doid = packet_get_string(&len);

if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) {

if (len > 2 &&

logit("Mechanism OID received using the old encoding form");

doid[0] == SSH_GSS_OIDTYPE &&

oid.elements = doid;

doid[1] == len - 2) {

oid.length = len;

goid.elements = doid + 2;

goid.length = len - 2;

gss_test_oid_set_member(&ms, &goid, supported,

&present);

} else {

oid.elements = doid + 2;

logit("Badly formed OID received");

oid.length = len - 2;

}

gss_test_oid_set_member(&ms, &oid, supported, &present);

} while (mechs > 0 && !present);

gss_release_oid_set(&ms, &supported);

Line 98

Line 101

return (0);

}

if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &oid)))) {

if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {

xfree(doid);

return (0);

}

Line 107

Line 110

packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);

/* Return OID in same format as we received it*/

/* Return the OID that we received */

packet_put_string(doid, len);

packet_send();

Line 127

Line 130

Gssctxt *gssctxt;

gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;

gss_buffer_desc recv_tok;

OM_uint32 maj_status, min_status;

OM_uint32 maj_status, min_status, flags;

u_int len;

if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))

Line 140

Line 143

packet_check_eom();

maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,

&send_tok, NULL));

&send_tok, &flags));

xfree(recv_tok.value);

Line 152

Line 155

}

authctxt->postponed = 0;

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

userauth_finish(authctxt, 0, "gssapi");

userauth_finish(authctxt, 0, "gssapi-with-mic");

} else {

if (send_tok.length != 0) {

packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);

Line 161

Line 164

}

if (maj_status == GSS_S_COMPLETE) {

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,

if (flags & GSS_C_INTEG_FLAG)

&input_gssapi_exchange_complete);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,

&input_gssapi_mic);

else

dispatch_set(

SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,

&input_gssapi_exchange_complete);

}

Line 222

Line 230

gssctxt = authctxt->methoddata;

* We don't need to check the status, because the stored credentials

* We don't need to check the status, because we're only enabled in

* which userok uses are only populated once the context init step

* the dispatcher once the exchange is complete

* has returned complete.

packet_check_eom();

Line 234

Line 241

authctxt->postponed = 0;

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);

userauth_finish(authctxt, authenticated, "gssapi");

userauth_finish(authctxt, authenticated, "gssapi-with-mic");

}

static void

input_gssapi_mic(int type, u_int32_t plen, void *ctxt)

{

Authctxt *authctxt = ctxt;

Gssctxt *gssctxt;

int authenticated = 0;

Buffer b;

gss_buffer_desc mic, gssbuf;

u_int len;

if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))

fatal("No authentication or GSSAPI context");

gssctxt = authctxt->methoddata;

mic.value = packet_get_string(&len);

mic.length = len;

ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,

"gssapi-with-mic");

gssbuf.value = buffer_ptr(&b);

gssbuf.length = buffer_len(&b);

if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))

authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));

else

logit("GSSAPI MIC check failed");

buffer_free(&b);

xfree(mic.value);

authctxt->postponed = 0;

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);

dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);

userauth_finish(authctxt, authenticated, "gssapi-with-mic");

}

Authmethod method_gssapi = {

"gssapi",

"gssapi-with-mic",

userauth_gssapi,

&options.gss_authentication

};