Diffstat (limited to 'gss-genr.c')
-rw-r--r-- | gss-genr.c | 68 |
1 files changed, 56 insertions, 12 deletions
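--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,8 +28,15 @@
 
 #ifdef GSSAPI
 
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
 #include "xmalloc.h"
-#include "bufaux.h"
+#include "buffer.h"
 #include "log.h"
 #include "ssh2.h"
 
@@ -72,7 +79,11 @@ ssh_gssapi_set_oid(Gssctxt *ctx, gss_OID oid)
 void
 ssh_gssapi_error(Gssctxt *ctxt)
 {
-	debug("%s", ssh_gssapi_last_error(ctxt, NULL, NULL));
+	char *s;
+
+	s = ssh_gssapi_last_error(ctxt, NULL, NULL);
+	debug("%s", s);
+	xfree(s);
 }
 
 char *
@@ -131,9 +142,7 @@ ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *major_status,
 void
 ssh_gssapi_build_ctx(Gssctxt **ctx)
 {
-	*ctx = xmalloc(sizeof (Gssctxt));
-	(*ctx)->major = 0;
-	(*ctx)->minor = 0;
+	*ctx = xcalloc(1, sizeof (Gssctxt));
 	(*ctx)->context = GSS_C_NO_CONTEXT;
 	(*ctx)->name = GSS_C_NO_NAME;
 	(*ctx)->oid = GSS_C_NO_OID;
@@ -203,10 +212,11 @@ OM_uint32
 ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
 {
 	gss_buffer_desc gssbuf;
+	char *val;
 
-	gssbuf.length = sizeof("host@") + strlen(host);
-	gssbuf.value = xmalloc(gssbuf.length);
-	snprintf(gssbuf.value, gssbuf.length, "host@%s", host);
+	xasprintf(&val, "host@%s", host);
+	gssbuf.value = val;
+	gssbuf.length = strlen(gssbuf.value);
 
 	if ((ctx->major = gss_import_name(&ctx->minor,
 	    &gssbuf, GSS_C_NT_HOSTBASED_SERVICE, &ctx->name)))
@@ -231,11 +241,15 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
 	gss_create_empty_oid_set(&status, &oidset);
 	gss_add_oid_set_member(&status, ctx->oid, &oidset);
 
-	if (gethostname(lname, MAXHOSTNAMELEN))
+	if (gethostname(lname, MAXHOSTNAMELEN)) {
+		gss_release_oid_set(&status, &oidset);
 		return (-1);
+	}
 
-	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname)))
+	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+		gss_release_oid_set(&status, &oidset);
 		return (ctx->major);
+	}
 
 	if ((ctx->major = gss_acquire_cred(&ctx->minor,
 	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
@@ -277,4 +291,34 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 	return (ssh_gssapi_acquire_cred(*ctx));
 }
 
+int
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+{
+	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+	OM_uint32 major, minor;
+	gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+
+	/* RFC 4462 says we MUST NOT do SPNEGO */
+	if (oid->length == spnego_oid.length &&
+	    (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
+		return 0; /* false */
+
+	ssh_gssapi_build_ctx(ctx);
+	ssh_gssapi_set_oid(*ctx, oid);
+	major = ssh_gssapi_import_name(*ctx, host);
+	if (!GSS_ERROR(major)) {
+		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
+		    NULL);
+		gss_release_buffer(&minor, &token);
+		if ((*ctx)->context != GSS_C_NO_CONTEXT)
+			gss_delete_sec_context(&minor, &(*ctx)->context,
+			    GSS_C_NO_BUFFER);
+	}
+
+	if (GSS_ERROR(major))
+		ssh_gssapi_delete_ctx(ctx);
+
+	return (!GSS_ERROR(major));
+}
+
 #endif /* GSSAPI */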
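Review bot: ssh_gssapi_check_mechanism, the new function in the last hunk, has no header comment stating what its return value means or who owns *ctx afterwards, and its three exit paths leave *ctx in different states: the SPNEGO early return never touches it, the GSS_ERROR path calls ssh_gssapi_delete_ctx(ctx), and a successful return leaves the freshly built context to the caller. A comment above the definition along the lines of `/* Returns 1 if mechanism 'oid' can establish a context for 'host', 0 otherwise; SPNEGO is always rejected (RFC 4462). On success *ctx is left allocated for the caller to release; on failure it is deleted; in the SPNEGO case *ctx is not modified. */` would make that contract explicit for the callers that select a mechanism. The function also dereferences oid before the SPNEGO comparison, so if any caller can pass GSS_C_NO_OID a guard is needed, though nothing in the hunk shows whether that can happen. In the ssh_gssapi_import_name hunk, val is now heap-allocated by xasprintf and the hunk ends right after gss_import_name; the release of that buffer is outside the hunk, so it is worth confirming it is freed on both the success and error paths.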