Diffstat (limited to 'gss-serv.c')
-rw-r--r--gss-serv.c87
1 files changed, 75 insertions, 12 deletions
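diff --git a/gss-serv.c b/gss-serv.c
index 190f56fc0..841d8bb2f 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
 
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,17 +28,27 @@
 
 #ifdef GSSAPI
 
-#include "bufaux.h"
+#include <sys/types.h>
+
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "xmalloc.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "log.h"
 #include "channels.h"
 #include "session.h"
+#include "misc.h"
 #include "servconf.h"
-#include "xmalloc.h"
-#include "getput.h"
-#include "monitor_wrap.h"
 
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
+
+extern ServerOptions options;
 
 static ssh_gssapi_client gssapi_client =
 	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -70,8 +80,8 @@ ssh_gssapi_server_mechanisms() {
 
 /* Unprivileged */
 int
-ssh_gssapi_server_check_mech(gss_OID oid, void *data) {
-	Gssctxt * ctx = NULL;
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
+	Gssctxt *ctx = NULL;
 	int res;
 
 	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
@@ -101,6 +111,58 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
 		    &supported_mechs[i]->oid, oidset);
 		i++;
 	}
+
+	gss_release_oid_set(&min_status, &supported);
+}
+
+OM_uint32
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+{
+	if (*ctx)
+		ssh_gssapi_delete_ctx(ctx);
+	ssh_gssapi_build_ctx(ctx);
+	ssh_gssapi_set_oid(*ctx, oid);
+	return (ssh_gssapi_acquire_cred(*ctx));
+}
+
+/* Acquire credentials for a server running on the current host.
+ * Requires that the context structure contains a valid OID
+ */
+
+/* Returns a GSSAPI error code */
+OM_uint32
+ssh_gssapi_acquire_cred(Gssctxt *ctx)
+{
+	OM_uint32 status;
+	char lname[MAXHOSTNAMELEN];
+	gss_OID_set oidset;
+
+	if (options.gss_strict_acceptor) {
+		gss_create_empty_oid_set(&status, &oidset);
+		gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+		if (gethostname(lname, MAXHOSTNAMELEN)) {
+			gss_release_oid_set(&status, &oidset);
+			return (-1);
+		}
+
+		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+			gss_release_oid_set(&status, &oidset);
+			return (ctx->major);
+		}
+
+		if ((ctx->major = gss_acquire_cred(&ctx->minor,
+		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
+		    NULL, NULL)))
+			ssh_gssapi_error(ctx);
+
+		gss_release_oid_set(&status, &oidset);
+		return (ctx->major);
+	} else {
+		ctx->name = GSS_C_NO_NAME;
+		ctx->creds = GSS_C_NO_CREDENTIAL;
+	}
+	return GSS_S_COMPLETE;
 }
 
 
@@ -174,7 +236,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
  * second without.
  */
 
-	oidl = GET_16BIT(tok+2); /* length including next two bytes */
+	oidl = get_u16(tok+2); /* length including next two bytes */
 	oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
 
 	/*
@@ -191,14 +253,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
 	if (ename->length < offset+4)
 		return GSS_S_FAILURE;
 
-	name->length = GET_32BIT(tok+offset);
+	name->length = get_u32(tok+offset);
 	offset += 4;
 
 	if (ename->length < offset+name->length)
 		return GSS_S_FAILURE;
 
 	name->value = xmalloc(name->length+1);
-	memcpy(name->value, tok+offset,name->length);
+	memcpy(name->value, tok+offset, name->length);
 	((char *)name->value)[name->length] = 0;
 
 	return GSS_S_COMPLETE;
@@ -257,7 +319,8 @@ ssh_gssapi_cleanup_creds(void)
 {
 	if (gssapi_client.store.filename != NULL) {
 		/* Unlink probably isn't sufficient */
-		debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
+		debug("removing gssapi cred file\"%s\"",
+		    gssapi_client.store.filename);
 		unlink(gssapi_client.store.filename);
 	}
 }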
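Review bot: In the new ssh_gssapi_acceptor_cred path of hunk 4 (ssh_gssapi_acquire_cred, which lies entirely inside the hunk), the buffer filled by `gethostname(lname, MAXHOSTNAMELEN)` is handed to ssh_gssapi_import_name without any guarantee that it is NUL-terminated; POSIX leaves termination unspecified when the host name does not fit, so a name of MAXHOSTNAMELEN characters or more could make the import read past lname. Terminate it explicitly before the import, `lname[sizeof(lname) - 1] = '\0';`, right after the gethostname check. The `return (-1)` on gethostname failure also contradicts the "Returns a GSSAPI error code" comment just above the function: it only satisfies the caller's GSS_ERROR() test because every bit of the converted OM_uint32 is set, so `return (GSS_S_FAILURE);` would be the accurate status. Note too that the return values of gss_create_empty_oid_set and gss_add_oid_set_member are written to `status` but never checked, so a failed set construction proceeds into gss_acquire_cred with an incomplete mechanism set.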