
(-)gss-genr.c (-1 / +30 lines)
Lines 1-7 Link Here
1
/* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
1
/* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
2
2
3
/*
3
/*
4
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
4
 * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
5
 *
5
 *
6
 * Redistribution and use in source and binary forms, with or without
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
7
 * modification, are permitted provided that the following conditions
Lines 289-294 Link Here
289
	ssh_gssapi_build_ctx(ctx);
289
	ssh_gssapi_build_ctx(ctx);
290
	ssh_gssapi_set_oid(*ctx, oid);
290
	ssh_gssapi_set_oid(*ctx, oid);
291
	return (ssh_gssapi_acquire_cred(*ctx));
291
	return (ssh_gssapi_acquire_cred(*ctx));
292
}
293
294
int
295
ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, char *host)
296
{
297
	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
298
	OM_uint32 major, minor;
299
	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
300
301
	/* RFC 4462 says we MUST NOT do SPNEGO */
302
	if (oid->length == spnego_oid.length && 
303
	    (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
304
		return -1;
305
306
	ssh_gssapi_build_ctx(ctx);
307
	ssh_gssapi_set_oid(*ctx, oid);
308
	major = ssh_gssapi_import_name(*ctx, host);
309
	if (!GSS_ERROR(major)) {
310
		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
311
		    NULL);
312
		gss_release_buffer(&minor, &token);
313
		gss_delete_sec_context(&minor, &(*ctx)->context, 
314
		    GSS_C_NO_BUFFER);
315
	}
316
317
	if (GSS_ERROR(major)) 
318
		ssh_gssapi_delete_ctx(ctx);
319
320
	return (!GSS_ERROR(major));
292
}
321
}
293
322
294
#endif /* GSSAPI */
323
#endif /* GSSAPI */
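Review bot: The SPNEGO rejection in the new ssh_gssapi_check_mechanism() returns -1 while every other exit returns `!GSS_ERROR(major)`, i.e. 0 or 1, and the caller in the sshconnect2.c hunk tests the result in a boolean condition, so a SPNEGO OID would be reported as a usable mechanism even though the function returns before ssh_gssapi_build_ctx() ever runs. The early exit should read `return 0;` so that "rejected" and "probe failed" are indistinguishable to callers, as the 0/1 convention of the final return implies. Since the function now owns context cleanup, a header comment stating the contract would help, e.g. `/* Returns 1 if mechanism oid is usable for host, 0 otherwise; on failure *ctx is deleted, on success *ctx stays built with its security context already released. */`. The hunk opens inside the preceding function, whose start lies outside this view.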
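--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -118,6 +118,7 @@
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, char *);
 
 /* In the server */
 int ssh_gssapi_userok(char *name);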
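--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -508,25 +508,18 @@
 
 	/* Check to see if the mechanism is usable before we offer it */
 	while (mech < gss_supported->count && !ok) {
-		if (gssctxt)
-			ssh_gssapi_delete_ctx(&gssctxt);
-		ssh_gssapi_build_ctx(&gssctxt);
-		ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]);
-
 		/* My DER encoding requires length<128 */
 		if (gss_supported->elements[mech].length < 128 &&
-		    !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
-		    authctxt->host))) {
+		    ssh_gssapi_check_mechanism(&gssctxt, 
+		    &gss_supported->elements[mech], authctxt->host)) {
 			ok = 1; /* Mechanism works */
 		} else {
 			mech++;
 		}
 	}
 
-	if (!ok) {
-		ssh_gssapi_delete_ctx(&gssctxt);
+	if (!ok)
 		return 0;
-	}
 
 	authctxt->methoddata=(void *)gssctxt;
 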
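Review bot: The `if (!ok)` exit at the end of the hunk drops the `ssh_gssapi_delete_ctx(&gssctxt)` the old code performed, and the loop no longer resets gssctxt before each attempt, so the hunk now relies on ssh_gssapi_check_mechanism() releasing *ctx on every failed probe — a contract the gss-genr.c implementation honours for GSS errors but that is recorded nowhere at the call site. A comment on the call, e.g. `/* check_mechanism() builds gssctxt and frees it again if the probe fails */`, would make that ownership explicit for the next reader. The enclosing function begins and ends outside the hunk, so whether gssctxt is NULL before the first iteration cannot be confirmed from this view. The continuation line `ssh_gssapi_check_mechanism(&gssctxt, ` also carries trailing whitespace.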
