merge key exchange patch without rekeying support

[openssh.git] / auth2-gss.c

diff --git a/auth2-gss.c b/auth2-gss.c
index 0e08d88..a192d28 100644 (file)
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_errtok(int, u_int32_t, void *);
 
+/* 
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(Authctxt *authctxt)
+{
+       int authenticated = 0;
+       Buffer b;
+       gss_buffer_desc mic, gssbuf;
+       u_int len;
+
+       mic.value = packet_get_string(&len);
+       mic.length = len;
+
+       packet_check_eom();
+
+       ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+           "gssapi-keyex");
+
+       gssbuf.value = buffer_ptr(&b);
+       gssbuf.length = buffer_len(&b);
+
+       /* gss_kex_context is NULL with privsep, so we can't check it here */
+       if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, 
+           &gssbuf, &mic))))
+               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+                   authctxt->pw));
+       
+       buffer_free(&b);
+       xfree(mic.value);
+
+       return (authenticated);
+}
+
 /*
  * We only support those mechanisms that we know about (ie ones that we know
  * how to check local user kuserok and the like)
@@ -102,6 +136,7 @@ userauth_gssapi(Authctxt *authctxt)
 
        if (!present) {
                xfree(doid);
+               authctxt->server_caused_failure = 1;
                return (0);
        }
 
@@ -109,6 +144,7 @@ userauth_gssapi(Authctxt *authctxt)
                if (ctxt != NULL)
                        ssh_gssapi_delete_ctx(&ctxt);
                xfree(doid);
+               authctxt->server_caused_failure = 1;
                return (0);
        }
 
@@ -242,7 +278,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 
        packet_check_eom();
 
-       authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+       authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
+           authctxt->pw));
 
        authctxt->postponed = 0;
        dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -277,7 +314,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
        gssbuf.length = buffer_len(&b);
 
        if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+               authenticated = 
+                   PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw));
        else
                logit("GSSAPI MIC check failed");
 
@@ -292,6 +330,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
        userauth_finish(authctxt, authenticated, "gssapi-with-mic");
 }
 
+Authmethod method_gsskeyex = {
+       "gssapi-keyex",
+       userauth_gsskeyex,
+       &options.gss_authentication
+};
+
 Authmethod method_gssapi = {
        "gssapi-with-mic",
        userauth_gssapi,