Backport from Simon Wilkinson's GSSAPI key exchange patch for 5.0p1:

- Add code to actually implement GSSAPIStrictAcceptorCheck, which had somehow been omitted from a previous version of this patch (closes: #474246).
author: Colin Watson <cjwatson@debian.org> 2008-04-06 11:33:11 +0000
committer: Colin Watson <cjwatson@debian.org> 2008-04-06 11:33:11 +0000
commit: 67ea3adb44bee62822f589acaf9784b59b63f71a (patch)
tree: 5d3072696df4a1c6f90609cf90d6f645ad50ca44 /gss-serv.c
parent: 37e3f89e39ae93043339658d7d718f8e9fc4c12f (diff)
1 files changed, 22 insertions, 15 deletions
diff --git a/gss-serv.c b/gss-serv.c
index e157ec515..3908d6378 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */
 /*
- * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2008 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -84,25 +84,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
        char lname[MAXHOSTNAMELEN];
        gss_OID_set oidset;
-        gss_create_empty_oid_set(&status, &oidset);
+        if (options.gss_strict_acceptor) {
-        gss_add_oid_set_member(&status, ctx->oid, &oidset);
+                gss_create_empty_oid_set(&status, &oidset);
+                gss_add_oid_set_member(&status, ctx->oid, &oidset);
-        if (gethostname(lname, MAXHOSTNAMELEN)) {
+                if (gethostname(lname, MAXHOSTNAMELEN)) {
-                gss_release_oid_set(&status, &oidset);
+                        gss_release_oid_set(&status, &oidset);
-                return (-1);
+                        return (-1);
-        }
+                }
+                if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (ctx->major);
+                }
+                if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
+                    NULL, NULL)))
+                        ssh_gssapi_error(ctx);
-        if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
                gss_release_oid_set(&status, &oidset);
                return (ctx->major);
+        } else {
+                ctx->name = GSS_C_NO_NAME;
+                ctx->creds = GSS_C_NO_CREDENTIAL;
        }
+        return GSS_S_COMPLETE;
-        if ((ctx->major = gss_acquire_cred(&ctx->minor,
-            ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-                ssh_gssapi_error(ctx);
-        gss_release_oid_set(&status, &oidset);
-        return (ctx->major);
 }
 /* Privileged */
author	Colin Watson <cjwatson@debian.org>	2008-04-06 11:33:11 +0000
committer	Colin Watson <cjwatson@debian.org>	2008-04-06 11:33:11 +0000
commit	67ea3adb44bee62822f589acaf9784b59b63f71a (patch)
tree	5d3072696df4a1c6f90609cf90d6f645ad50ca44 /gss-serv.c
parent	37e3f89e39ae93043339658d7d718f8e9fc4c12f (diff)

diff --git a/gss-serv.c b/gss-serv.c index e157ec515..3908d6378 100644 --- a/gss-serv.c +++ b/gss-serv.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */	1	/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2008 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -84,25 +84,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
84	char lname[MAXHOSTNAMELEN];	84	char lname[MAXHOSTNAMELEN];
85	gss_OID_set oidset;	85	gss_OID_set oidset;
86		86
87	gss_create_empty_oid_set(&status, &oidset);	87	if (options.gss_strict_acceptor) {
88	gss_add_oid_set_member(&status, ctx->oid, &oidset);	88	gss_create_empty_oid_set(&status, &oidset);
		89	gss_add_oid_set_member(&status, ctx->oid, &oidset);
89		90
90	if (gethostname(lname, MAXHOSTNAMELEN)) {	91	if (gethostname(lname, MAXHOSTNAMELEN)) {
91	gss_release_oid_set(&status, &oidset);	92	gss_release_oid_set(&status, &oidset);
92	return (-1);	93	return (-1);
93	}	94	}
		95
		96	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
		97	gss_release_oid_set(&status, &oidset);
		98	return (ctx->major);
		99	}
		100
		101	if ((ctx->major = gss_acquire_cred(&ctx->minor,
		102	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
		103	NULL, NULL)))
		104	ssh_gssapi_error(ctx);
94		105
95	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
96	gss_release_oid_set(&status, &oidset);	106	gss_release_oid_set(&status, &oidset);
97	return (ctx->major);	107	return (ctx->major);
		108	} else {
		109	ctx->name = GSS_C_NO_NAME;
		110	ctx->creds = GSS_C_NO_CREDENTIAL;
98	}	111	}
99		112	return GSS_S_COMPLETE;
100	if ((ctx->major = gss_acquire_cred(&ctx->minor,
101	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
102	ssh_gssapi_error(ctx);
103
104	gss_release_oid_set(&status, &oidset);
105	return (ctx->major);
106	}	113	}
107		114
108	/* Privileged */	115	/* Privileged */