Bugzilla – Attachment 1174 Details for Bug 1218: GSSAPI client code permits SPNEGO usage
[patch] Fix to prevent OpenSSH offering SPNEGO to a server
openssh-no-spnego.patch (text/plain), 3.16 KB, created by Simon Wilkinson on 2006-08-18 04:33:16 AEST
>Index: gss-genr.c >=================================================================== >RCS file: /cvs/openssh/gss-genr.c,v >retrieving revision 1.15 >diff -u -r1.15 gss-genr.c >--- gss-genr.c 5 Aug 2006 02:39:40 -0000 1.15 >+++ gss-genr.c 17 Aug 2006 18:27:46 -0000 >@@ -1,7 +1,7 @@ > /* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ > > /* >- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. >+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -289,6 +289,35 @@ > ssh_gssapi_build_ctx(ctx); > ssh_gssapi_set_oid(*ctx, oid); > return (ssh_gssapi_acquire_cred(*ctx)); >+} >+ >+int >+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, char *host) >+{ >+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER; >+ OM_uint32 major, minor; >+ gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; >+ >+ /* RFC 4462 says we MUST NOT do SPNEGO */ >+ if (oid->length == spnego_oid.length && >+ (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0)) >+ return -1; >+ >+ ssh_gssapi_build_ctx(ctx); >+ ssh_gssapi_set_oid(*ctx, oid); >+ major = ssh_gssapi_import_name(*ctx, host); >+ if (!GSS_ERROR(major)) { >+ major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, >+ NULL); >+ gss_release_buffer(&minor, &token); >+ gss_delete_sec_context(&minor, &(*ctx)->context, >+ GSS_C_NO_BUFFER); >+ } >+ >+ if (GSS_ERROR(major)) >+ ssh_gssapi_delete_ctx(ctx); >+ >+ return (!GSS_ERROR(major)); > } > > #endif /* GSSAPI */ >Index: ssh-gss.h >=================================================================== >RCS file: /cvs/openssh/ssh-gss.h,v >retrieving revision 1.9 >diff -u -r1.9 ssh-gss.h >--- ssh-gss.h 5 Aug 2006 02:39:40 -0000 1.9 >+++ ssh-gss.h 17 Aug 2006 18:27:46 -0000 
>@@ -118,6 +118,7 @@ > OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); > OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); > void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); >+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, char *); > > /* In the server */ > int ssh_gssapi_userok(char *name); >Index: sshconnect2.c >=================================================================== >RCS file: /cvs/openssh/sshconnect2.c,v >retrieving revision 1.150 >diff -u -r1.150 sshconnect2.c >--- sshconnect2.c 5 Aug 2006 02:39:41 -0000 1.150 >+++ sshconnect2.c 17 Aug 2006 18:27:46 -0000 >@@ -508,25 +508,18 @@ > > /* Check to see if the mechanism is usable before we offer it */ > while (mech < gss_supported->count && !ok) { >- if (gssctxt) >- ssh_gssapi_delete_ctx(&gssctxt); >- ssh_gssapi_build_ctx(&gssctxt); >- ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]); >- > /* My DER encoding requires length<128 */ > if (gss_supported->elements[mech].length < 128 && >- !GSS_ERROR(ssh_gssapi_import_name(gssctxt, >- authctxt->host))) { >+ ssh_gssapi_check_mechanism(&gssctxt, >+ &gss_supported->elements[mech], authctxt->host)) { > ok = 1; /* Mechanism works */ > } else { > mech++; > } > } > >- if (!ok) { >- ssh_gssapi_delete_ctx(&gssctxt); >+ if (!ok) > return 0; >- } > > authctxt->methoddata=(void *)gssctxt; >
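Review bot: in ssh_gssapi_check_mechanism() (gss-genr.c), the SPNEGO branch does `return -1;`, while the function's other exit is `return (!GSS_ERROR(major));`, which yields 1 for a usable mechanism and 0 otherwise. The only caller in this patch tests the result as a truth value, so -1 reads as "mechanism works" and SPNEGO would still be offered, with *ctx never built on that path because the return comes before ssh_gssapi_build_ctx(ctx). Suggest `return 0;` in that branch, plus a short comment above the function stating the return convention and that the context is deleted on failure.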
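Review bot: in the sshconnect2.c loop, the call to ssh_gssapi_check_mechanism() sits directly under `&&`, so any non-zero return sets `ok = 1; /* Mechanism works */`, including a negative one. If the helper is meant to signal anything other than 0 or 1, compare explicitly here (for example `== 1`). Dropping ssh_gssapi_delete_ctx(&gssctxt) from the `if (!ok)` branch relies on the helper deleting the context on its own failure path; a one-line comment at this point saying so would keep that dependency visible to the next person who edits either function.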
Attachments on bug 1218: 1174 | 1175