Diffstat (limited to 'auth2-gss.c')
-rw-r--r-- | auth2-gss.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/auth2-gss.c b/auth2-gss.c index 1f12bb113..d6446c0cf 100644 --- a/auth2-gss.c +++ b/auth2-gss.c | |||
@@ -54,7 +54,7 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh); | |||
54 | static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); | 54 | static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); |
55 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); | 55 | static int input_gssapi_errtok(int, u_int32_t, struct ssh *); |
56 | 56 | ||
57 | /* | 57 | /* |
58 | * The 'gssapi_keyex' userauth mechanism. | 58 | * The 'gssapi_keyex' userauth mechanism. |
59 | */ | 59 | */ |
60 | static int | 60 | static int |
@@ -62,7 +62,7 @@ userauth_gsskeyex(struct ssh *ssh) | |||
62 | { | 62 | { |
63 | Authctxt *authctxt = ssh->authctxt; | 63 | Authctxt *authctxt = ssh->authctxt; |
64 | int r, authenticated = 0; | 64 | int r, authenticated = 0; |
65 | struct sshbuf *b; | 65 | struct sshbuf *b = NULL; |
66 | gss_buffer_desc mic, gssbuf; | 66 | gss_buffer_desc mic, gssbuf; |
67 | u_char *p; | 67 | u_char *p; |
68 | size_t len; | 68 | size_t len; |
@@ -70,8 +70,10 @@ userauth_gsskeyex(struct ssh *ssh) | |||
70 | if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || | 70 | if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || |
71 | (r = sshpkt_get_end(ssh)) != 0) | 71 | (r = sshpkt_get_end(ssh)) != 0) |
72 | fatal("%s: %s", __func__, ssh_err(r)); | 72 | fatal("%s: %s", __func__, ssh_err(r)); |
73 | |||
73 | if ((b = sshbuf_new()) == NULL) | 74 | if ((b = sshbuf_new()) == NULL) |
74 | fatal("%s: sshbuf_new failed", __func__); | 75 | fatal("%s: sshbuf_new failed", __func__); |
76 | |||
75 | mic.value = p; | 77 | mic.value = p; |
76 | mic.length = len; | 78 | mic.length = len; |
77 | 79 | ||
@@ -83,11 +85,11 @@ userauth_gsskeyex(struct ssh *ssh) | |||
83 | gssbuf.length = sshbuf_len(b); | 85 | gssbuf.length = sshbuf_len(b); |
84 | 86 | ||
85 | /* gss_kex_context is NULL with privsep, so we can't check it here */ | 87 | /* gss_kex_context is NULL with privsep, so we can't check it here */ |
86 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, | 88 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, |
87 | &gssbuf, &mic)))) | 89 | &gssbuf, &mic)))) |
88 | authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, | 90 | authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, |
89 | authctxt->pw)); | 91 | authctxt->pw, 1)); |
90 | 92 | ||
91 | sshbuf_free(b); | 93 | sshbuf_free(b); |
92 | free(mic.value); | 94 | free(mic.value); |
93 | 95 | ||
@@ -301,7 +303,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) | |||
301 | fatal("%s: %s", __func__, ssh_err(r)); | 303 | fatal("%s: %s", __func__, ssh_err(r)); |
302 | 304 | ||
303 | authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, | 305 | authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, |
304 | authctxt->pw)); | 306 | authctxt->pw, 1)); |
305 | 307 | ||
306 | if ((!use_privsep || mm_is_monitor()) && | 308 | if ((!use_privsep || mm_is_monitor()) && |
307 | (displayname = ssh_gssapi_displayname()) != NULL) | 309 | (displayname = ssh_gssapi_displayname()) != NULL) |
@@ -347,8 +349,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) | |||
347 | gssbuf.length = sshbuf_len(b); | 349 | gssbuf.length = sshbuf_len(b); |
348 | 350 | ||
349 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 351 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
350 | authenticated = | 352 | authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, |
351 | PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); | 353 | authctxt->pw, 0)); |
352 | else | 354 | else |
353 | logit("GSSAPI MIC check failed"); | 355 | logit("GSSAPI MIC check failed"); |
354 | 356 | ||
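Review bot: The new third argument to `ssh_gssapi_userok()` is a bare literal at all three call sites (`1` in `userauth_gsskeyex` and `input_gssapi_exchange_complete`, `0` in `input_gssapi_mic`), and nothing in the new code says what it selects. The return value of this call is assigned straight to `authenticated`, so a swapped literal would compile cleanly and would presumably change how the authorisation check runs; the callee is not part of this diff, so the meaning has to be confirmed there. I would put a one-line comment on the odd one out, e.g. `/* 0 here, 1 in the other two callers: <reason, per ssh_gssapi_userok()> */`, or replace the literals with named constants declared next to the prototype. While touching `userauth_gsskeyex`, note that its MIC check has no `else` branch, whereas `input_gssapi_mic` emits `logit("GSSAPI MIC check failed")`, so a failed MIC on the key-exchange path leaves no log line in the code shown. All three functions start and end outside the hunks, so this is based only on the visible lines.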