diff options
| author | Damien Miller <djm@mindrot.org> | 2006-08-19 00:33:34 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2006-08-19 00:33:34 +1000 |
| commit | a1cb9f334bcc6ebd7bf2b5229b7645d995de0a15 (patch) | |
| tree | b01a3cf18b4100472c9f90e0d5599ddcf0acfba9 | |
| parent | bdf00ca0bda672d07516d65eaea999931dafdac3 (diff) | |
- djm@cvs.openbsd.org 2006/08/18 13:54:54
[gss-genr.c ssh-gss.h sshconnect2.c]
bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
ok markus@
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | gss-genr.c | 33 | ||||
| -rw-r--r-- | ssh-gss.h | 3 | ||||
| -rw-r--r-- | sshconnect2.c | 15 |
4 files changed, 42 insertions, 15 deletions
| @@ -34,6 +34,10 @@ | |||
| 34 | [misc.h] | 34 | [misc.h] |
| 35 | reorder so prototypes are sorted by the files they refer to; no | 35 | reorder so prototypes are sorted by the files they refer to; no |
| 36 | binary change | 36 | binary change |
| 37 | - djm@cvs.openbsd.org 2006/08/18 13:54:54 | ||
| 38 | [gss-genr.c ssh-gss.h sshconnect2.c] | ||
| 39 | bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk | ||
| 40 | ok markus@ | ||
| 37 | 41 | ||
| 38 | 20060817 | 42 | 20060817 |
| 39 | - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] | 43 | - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] |
| @@ -5255,4 +5259,4 @@ | |||
| 5255 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 5259 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
| 5256 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 5260 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
| 5257 | 5261 | ||
| 5258 | $Id: ChangeLog,v 1.4493 2006/08/18 14:33:05 djm Exp $ | 5262 | $Id: ChangeLog,v 1.4494 2006/08/18 14:33:34 djm Exp $ |
diff --git a/gss-genr.c b/gss-genr.c index da39479e1..1bb67e84f 100644 --- a/gss-genr.c +++ b/gss-genr.c | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | /* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: gss-genr.c,v 1.14 2006/08/18 13:54:54 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. |
| 5 | * | 5 | * |
| 6 | * Redistribution and use in source and binary forms, with or without | 6 | * Redistribution and use in source and binary forms, with or without |
| 7 | * modification, are permitted provided that the following conditions | 7 | * modification, are permitted provided that the following conditions |
| @@ -291,4 +291,33 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | |||
| 291 | return (ssh_gssapi_acquire_cred(*ctx)); | 291 | return (ssh_gssapi_acquire_cred(*ctx)); |
| 292 | } | 292 | } |
| 293 | 293 | ||
| 294 | int | ||
| 295 | ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, char *host) | ||
| 296 | { | ||
| 297 | gss_buffer_desc token = GSS_C_EMPTY_BUFFER; | ||
| 298 | OM_uint32 major, minor; | ||
| 299 | gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; | ||
| 300 | |||
| 301 | /* RFC 4462 says we MUST NOT do SPNEGO */ | ||
| 302 | if (oid->length == spnego_oid.length && | ||
| 303 | (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0)) | ||
| 304 | return -1; | ||
| 305 | |||
| 306 | ssh_gssapi_build_ctx(ctx); | ||
| 307 | ssh_gssapi_set_oid(*ctx, oid); | ||
| 308 | major = ssh_gssapi_import_name(*ctx, host); | ||
| 309 | if (!GSS_ERROR(major)) { | ||
| 310 | major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, | ||
| 311 | NULL); | ||
| 312 | gss_release_buffer(&minor, &token); | ||
| 313 | gss_delete_sec_context(&minor, &(*ctx)->context, | ||
| 314 | GSS_C_NO_BUFFER); | ||
| 315 | } | ||
| 316 | |||
| 317 | if (GSS_ERROR(major)) | ||
| 318 | ssh_gssapi_delete_ctx(ctx); | ||
| 319 | |||
| 320 | return (!GSS_ERROR(major)); | ||
| 321 | } | ||
| 322 | |||
| 294 | #endif /* GSSAPI */ | 323 | #endif /* GSSAPI */ |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-gss.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: ssh-gss.h,v 1.8 2006/08/18 13:54:54 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 3 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
| 4 | * | 4 | * |
| @@ -118,6 +118,7 @@ void ssh_gssapi_delete_ctx(Gssctxt **); | |||
| 118 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); | 118 | OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); |
| 119 | OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 119 | OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
| 120 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); | 120 | void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); |
| 121 | int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, char *); | ||
| 121 | 122 | ||
| 122 | /* In the server */ | 123 | /* In the server */ |
| 123 | int ssh_gssapi_userok(char *name); | 124 | int ssh_gssapi_userok(char *name); |
diff --git a/sshconnect2.c b/sshconnect2.c index e58d078c4..8b2e633c0 100644 --- a/sshconnect2.c +++ b/sshconnect2.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshconnect2.c,v 1.160 2006/08/03 03:34:42 deraadt Exp $ */ | 1 | /* $OpenBSD: sshconnect2.c,v 1.161 2006/08/18 13:54:54 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -508,25 +508,18 @@ userauth_gssapi(Authctxt *authctxt) | |||
| 508 | 508 | ||
| 509 | /* Check to see if the mechanism is usable before we offer it */ | 509 | /* Check to see if the mechanism is usable before we offer it */ |
| 510 | while (mech < gss_supported->count && !ok) { | 510 | while (mech < gss_supported->count && !ok) { |
| 511 | if (gssctxt) | ||
| 512 | ssh_gssapi_delete_ctx(&gssctxt); | ||
| 513 | ssh_gssapi_build_ctx(&gssctxt); | ||
| 514 | ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]); | ||
| 515 | |||
| 516 | /* My DER encoding requires length<128 */ | 511 | /* My DER encoding requires length<128 */ |
| 517 | if (gss_supported->elements[mech].length < 128 && | 512 | if (gss_supported->elements[mech].length < 128 && |
| 518 | !GSS_ERROR(ssh_gssapi_import_name(gssctxt, | 513 | ssh_gssapi_check_mechanism(&gssctxt, |
| 519 | authctxt->host))) { | 514 | &gss_supported->elements[mech], authctxt->host)) { |
| 520 | ok = 1; /* Mechanism works */ | 515 | ok = 1; /* Mechanism works */ |
| 521 | } else { | 516 | } else { |
| 522 | mech++; | 517 | mech++; |
| 523 | } | 518 | } |
| 524 | } | 519 | } |
| 525 | 520 | ||
| 526 | if (!ok) { | 521 | if (!ok) |
| 527 | ssh_gssapi_delete_ctx(&gssctxt); | ||
| 528 | return 0; | 522 | return 0; |
| 529 | } | ||
| 530 | 523 | ||
| 531 | authctxt->methoddata=(void *)gssctxt; | 524 | authctxt->methoddata=(void *)gssctxt; |
| 532 | 525 | ||