

(-)auth2-gss.c (-1 / +1 lines)
Lines 77-83 userauth_gssapi(Authctxt *authctxt) Link Here
77
		return (0);
77
		return (0);
78
	}
78
	}
79
79
80
	ssh_gssapi_supported_oids(&supported);
80
	PRIVSEP(ssh_gssapi_supported_oids(&supported));
81
	do {
81
	do {
82
		mechs--;
82
		mechs--;
83
83
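Review bot: With use_privsep set, `supported` now comes back from mm_ssh_gssapi_supported_oids() as a set assembled from xcalloc()/buffer_get_string() memory rather than one handed out by the GSS library, yet the remainder of userauth_gssapi (outside this hunk) presumably still disposes of it with gss_release_oid_set(), as the monitor-side handler does. That only works because MIT and Heimdal release sets with plain free(); the GSS-API contract does not promise it, and the mech library is being asked to free memory it never allocated. Worth a comment at the release site, e.g. `/* under privsep this set was built by mm_ssh_gssapi_supported_oids() with xcalloc(); gss_release_oid_set() is only safe because the mech libraries free() it */`, or a small helper that frees the set with the allocator that built it. Only the lookup line is visible here; the loop body and the release are outside the hunk.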
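--- a/monitor.c
+++ b/monitor.c
@@ -176,6 +176,7 @@ int mm_answer_pam_free_ctx(int, Buffer *
 #endif
 
 #ifdef GSSAPI
+int mm_answer_gss_supported_oids(int, Buffer *);
 int mm_answer_gss_setup_ctx(int, Buffer *);
 int mm_answer_gss_accept_ctx(int, Buffer *);
 int mm_answer_gss_userok(int, Buffer *);
@@ -248,6 +249,8 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
     {MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
 #ifdef GSSAPI
+    {MONITOR_REQ_GSSSUPPORTEDOIDS, MON_ISAUTH, mm_answer_gss_supported_oids},
     {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
     {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
     {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
@@ -2051,6 +2053,28 @@ monitor_reinit(struct monitor *mon)
 
 #ifdef GSSAPI
 int
+mm_answer_gss_supported_oids(int sock, Buffer *m)
+{
+	gss_OID_set oidset;
+	size_t i;
+	OM_uint32 min_status;
+
+	ssh_gssapi_supported_oids(&oidset);
+
+	buffer_clear(m);
+	buffer_put_int(m, (u_int)oidset->count);
+	for (i = 0; i < oidset->count; i++)
+		buffer_put_string(m, oidset->elements[i].elements,
+				  oidset->elements[i].length);
+
+	gss_release_oid_set(&min_status, &oidset);
+
+	mm_request_send(sock, MONITOR_ANS_GSSSUPPORTEDOIDS, m);
+
+	return (0);
+}
+
+int
 mm_answer_gss_setup_ctx(int sock, Buffer *m)
 {
 	gss_OID_desc goid;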
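Review bot: In mm_answer_gss_supported_oids() the local `oidset` is dereferenced at new line 2065 straight after a void call to ssh_gssapi_supported_oids(), so the monitor has no way to tell whether a set was actually created; if the library's set allocation fails, an indeterminate pointer (or GSS_C_NO_OID_SET, depending on what the callee leaves behind on failure) is followed inside the privileged monitor, and because the handler is registered MON_ISAUTH that path is reachable before authentication and takes the whole connection down with the monitor. Initialise the local and answer with an empty set when nothing came back, so the child can simply fail the method; that presumes the child side accepts a zero count. It is good that the handler never reads the request body, so no data from the unprivileged child is parsed here, and the reply is the only trust boundary. The enclosing `#ifdef GSSAPI` region continues past the hunk.
```c
	gss_OID_set oidset = GSS_C_NO_OID_SET;
	/* … unchanged: i, min_status declarations … */

	ssh_gssapi_supported_oids(&oidset);

	buffer_clear(m);
	if (oidset == GSS_C_NO_OID_SET) {
		/* no usable mechanism: report an empty set rather than crash */
		buffer_put_int(m, 0);
	} else {
		buffer_put_int(m, (u_int)oidset->count);
		for (i = 0; i < oidset->count; i++)
			buffer_put_string(m, oidset->elements[i].elements,
			    oidset->elements[i].length);
		gss_release_oid_set(&min_status, &oidset);
	}
	/* … unchanged: mm_request_send and return … */
```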
(-)monitor.h (-10 / +11 lines)
Lines 51-66 enum monitor_reqtype { Link Here
51
	MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
51
	MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
52
	MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
52
	MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
53
	MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
53
	MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
54
	MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,
54
	MONITOR_REQ_GSSSUPPORTEDOIDS = 42, MONITOR_ANS_GSSSUPPORTEDOIDS = 43,
55
	MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
55
	MONITOR_REQ_GSSSETUP = 44, MONITOR_ANS_GSSSETUP = 45,
56
	MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
56
	MONITOR_REQ_GSSSTEP = 46, MONITOR_ANS_GSSSTEP = 47,
57
	MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
57
	MONITOR_REQ_GSSUSEROK = 48, MONITOR_ANS_GSSUSEROK = 49,
58
	MONITOR_REQ_TERM = 50,
58
	MONITOR_REQ_GSSCHECKMIC = 50, MONITOR_ANS_GSSCHECKMIC = 51,
59
	MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,
59
	MONITOR_REQ_TERM = 52,
60
	MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,
60
	MONITOR_REQ_JPAKE_STEP1 = 54, MONITOR_ANS_JPAKE_STEP1 = 55,
61
	MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
61
	MONITOR_REQ_JPAKE_GET_PWDATA = 56, MONITOR_ANS_JPAKE_GET_PWDATA = 57,
62
	MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
62
	MONITOR_REQ_JPAKE_STEP2 = 58, MONITOR_ANS_JPAKE_STEP2 = 59,
63
	MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
63
	MONITOR_REQ_JPAKE_KEY_CONFIRM = 60, MONITOR_ANS_JPAKE_KEY_CONFIRM = 61,
64
	MONITOR_REQ_JPAKE_CHECK_CONFIRM = 62, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 63,
64
65
65
	MONITOR_REQ_PAM_START = 100,
66
	MONITOR_REQ_PAM_START = 100,
66
	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
67
	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
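Review bot: Inserting MONITOR_REQ_GSSSUPPORTEDOIDS at 42 renumbers every later request, so MONITOR_REQ_GSSSETUP through MONITOR_REQ_JPAKE_CHECK_CONFIRM and MONITOR_REQ_TERM all change value and the -10/+11 diff touches ten lines unrelated to this feature. Since the monitor and the unprivileged child are forked from the same executable the values only have to agree within one binary, so this is not a wire-compatibility problem, but it makes the change harder to audit and to carry across branches. Appending the pair after the existing block, `MONITOR_REQ_GSSSUPPORTEDOIDS = 64, MONITOR_ANS_GSSSUPPORTEDOIDS = 65,` just before the gap at 100, gives the same result with a one-line diff.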
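--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1207,6 +1207,32 @@ mm_audit_run_command(const char *command
 #endif /* SSH_AUDIT_EVENTS */
 
 #ifdef GSSAPI
+void
+mm_ssh_gssapi_supported_oids(gss_OID_set *oidset)
+{
+	Buffer m;
+	gss_OID_set oids;
+	size_t i;
+	u_int len;
+
+	buffer_init(&m);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSUPPORTEDOIDS, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd,
+				  MONITOR_ANS_GSSSUPPORTEDOIDS, &m);
+
+	*oidset = xcalloc(1, sizeof(**oidset));
+	oids = *oidset;
+	oids->count = buffer_get_int(&m);
+	oids->elements = xcalloc(oids->count, sizeof(*oids->elements));
+	for (i = 0; i < oids->count; i++) {
+		oids->elements[i].elements = buffer_get_string(&m, &len);
+		oids->elements[i].length = len;
+	}
+
+	buffer_free(&m);
+}
+
 OM_uint32
 mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID goid)
 {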
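Review bot: `xcalloc(oids->count, sizeof(*oids->elements))` at new line 1227 is fatal when the monitor reports zero mechanisms, because OpenSSH's xcalloc() wrapper calls fatal("xcalloc: zero size") for a zero nmemb, so a server with no usable GSS mechanism would kill the session at the first gssapi-with-mic attempt instead of letting userauth_gssapi turn the method down. Trusting the count is fine here (it comes from the privileged monitor, not the peer), but the empty case needs handling: `oids->elements = oids->count ? xcalloc(oids->count, sizeof(*oids->elements)) : NULL;`. The prototype deserves a comment saying that the set and each element are xmalloc'd by the child rather than obtained from the GSS library, since the callers will hand it to gss_release_oid_set() and that only works where the mech library frees with free().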
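--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -55,6 +55,7 @@ int mm_auth_rsa_verify_response(Key *, B
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
 
 #ifdef GSSAPI
+void mm_ssh_gssapi_supported_oids(gss_OID_set *);
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
    gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);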
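--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -24,6 +24,23 @@ for p in 1 2; do
 	fi
 done
 
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+echo 'GSSAPIAuthentication yes' >> $OBJ/ssh_proxy
+echo 'GSSAPIAuthentication yes' >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+	${SSH} -vvv -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+	if [ $? -ne 0 ]; then
+		# XXX replace this with fail once sandbox has stabilised
+		warn "ssh privsep/sandbox+proxyconnect+gssapiauth protocol $p failed"
+	fi
+done
+exit 0
+
+cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy
+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+
 # Because sandbox is sensitive to changes in libc, especially malloc, retest
 # with every malloc.conf option (and none).
 for m in '' A F G H J P R S X Z '<' '>'; do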
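Review bot: The `exit 0` at new line 39 terminates the script right after the GSSAPI loop, so the two `cp` lines that restore ssh_proxy and sshd_proxy never run and the existing malloc.conf retest loop at line 46 is silently skipped, dropping the sandbox coverage this file exists for; that line looks like a leftover and should be deleted. Restoring the configs should also not depend on reaching the end of the script, since a `fail` in the malloc loop exits early: `trap 'cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy; cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy' 0` next to the copies keeps later tests in the run from seeing the modified files. The client presumably has no GSSAPI credentials in the regress environment, so this run only checks that sshd can offer gssapi-with-mic through the new monitor request without the sandboxed child dying; saying so in the XXX comment would stop a reader from taking it for a full authentication test. `-vvv` also dumps a lot of debug output into the regress log for a test that only checks the exit status.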
