1 files changed, 77 insertions, 11 deletions
diff --git a/gss-serv.c b/gss-serv.c
index e8191a859..841d8bb2f 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -43,8 +43,12 @@
 #include "channels.h"
 #include "session.h"
 #include "misc.h"
+#include "servconf.h"
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
+extern ServerOptions options;
 static ssh_gssapi_client gssapi_client =
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -65,6 +69,28 @@ ssh_gssapi_mech* supported_mechs[]= {
 };
 /* Unprivileged */
+char *
+ssh_gssapi_server_mechanisms() {
+        gss_OID_set     supported;
+        ssh_gssapi_supported_oids(&supported);
+        return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
+            NULL));
+}
+/* Unprivileged */
+int
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
+        Gssctxt *ctx = NULL;
+        int res;
+ 
+        res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
+        ssh_gssapi_delete_ctx(&ctx);
+        return (res);
+}
+/* Unprivileged */
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
 {
@@ -89,6 +115,56 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
        gss_release_oid_set(&min_status, &supported);
 }
+OM_uint32
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+{
+        if (*ctx)
+                ssh_gssapi_delete_ctx(ctx);
+        ssh_gssapi_build_ctx(ctx);
+        ssh_gssapi_set_oid(*ctx, oid);
+        return (ssh_gssapi_acquire_cred(*ctx));
+}
+/* Acquire credentials for a server running on the current host.
+ * Requires that the context structure contains a valid OID
+ */
+/* Returns a GSSAPI error code */
+OM_uint32
+ssh_gssapi_acquire_cred(Gssctxt *ctx)
+{
+        OM_uint32 status;
+        char lname[MAXHOSTNAMELEN];
+        gss_OID_set oidset;
+        if (options.gss_strict_acceptor) {
+                gss_create_empty_oid_set(&status, &oidset);
+                gss_add_oid_set_member(&status, ctx->oid, &oidset);
+                if (gethostname(lname, MAXHOSTNAMELEN)) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (-1);
+                }
+                if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (ctx->major);
+                }
+                if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
+                    NULL, NULL)))
+                        ssh_gssapi_error(ctx);
+                gss_release_oid_set(&status, &oidset);
+                return (ctx->major);
+        } else {
+                ctx->name = GSS_C_NO_NAME;
+                ctx->creds = GSS_C_NO_CREDENTIAL;
+        }
+        return GSS_S_COMPLETE;
+}
 /* Wrapper around accept_sec_context
 * Requires that the context contains:
@@ -303,14 +379,4 @@ ssh_gssapi_userok(char *user)
        return (0);
 }
-/* Privileged */
-OM_uint32
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
-{
-        ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
-            gssbuf, gssmic, NULL);
-        return (ctx->major);
-}
 #endif

diff --git a/gss-serv.c b/gss-serv.c index e8191a859..841d8bb2f 100644 --- a/gss-serv.c +++ b/gss-serv.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */	1	/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -43,8 +43,12 @@
43	#include "channels.h"	43	#include "channels.h"
44	#include "session.h"	44	#include "session.h"
45	#include "misc.h"	45	#include "misc.h"
		46	#include "servconf.h"
46		47
47	#include "ssh-gss.h"	48	#include "ssh-gss.h"
		49	#include "monitor_wrap.h"
		50
		51	extern ServerOptions options;
48		52
49	static ssh_gssapi_client gssapi_client =	53	static ssh_gssapi_client gssapi_client =
50	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,	54	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -65,6 +69,28 @@ ssh_gssapi_mech* supported_mechs[]= {
65	};	69	};
66		70
67	/* Unprivileged */	71	/* Unprivileged */
		72	char *
		73	ssh_gssapi_server_mechanisms() {
		74	gss_OID_set supported;
		75
		76	ssh_gssapi_supported_oids(&supported);
		77	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
		78	NULL));
		79	}
		80
		81	/* Unprivileged */
		82	int
		83	ssh_gssapi_server_check_mech(Gssctxt *dum, gss_OID oid, const char data) {
		84	Gssctxt *ctx = NULL;
		85	int res;
		86
		87	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
		88	ssh_gssapi_delete_ctx(&ctx);
		89
		90	return (res);
		91	}
		92
		93	/* Unprivileged */
68	void	94	void
69	ssh_gssapi_supported_oids(gss_OID_set *oidset)	95	ssh_gssapi_supported_oids(gss_OID_set *oidset)
70	{	96	{
@@ -89,6 +115,56 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
89	gss_release_oid_set(&min_status, &supported);	115	gss_release_oid_set(&min_status, &supported);
90	}	116	}
91		117
		118	OM_uint32
		119	ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
		120	{
		121	if (*ctx)
		122	ssh_gssapi_delete_ctx(ctx);
		123	ssh_gssapi_build_ctx(ctx);
		124	ssh_gssapi_set_oid(*ctx, oid);
		125	return (ssh_gssapi_acquire_cred(*ctx));
		126	}
		127
		128	/* Acquire credentials for a server running on the current host.
		129	* Requires that the context structure contains a valid OID
		130	*/
		131
		132	/* Returns a GSSAPI error code */
		133	OM_uint32
		134	ssh_gssapi_acquire_cred(Gssctxt *ctx)
		135	{
		136	OM_uint32 status;
		137	char lname[MAXHOSTNAMELEN];
		138	gss_OID_set oidset;
		139
		140	if (options.gss_strict_acceptor) {
		141	gss_create_empty_oid_set(&status, &oidset);
		142	gss_add_oid_set_member(&status, ctx->oid, &oidset);
		143
		144	if (gethostname(lname, MAXHOSTNAMELEN)) {
		145	gss_release_oid_set(&status, &oidset);
		146	return (-1);
		147	}
		148
		149	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
		150	gss_release_oid_set(&status, &oidset);
		151	return (ctx->major);
		152	}
		153
		154	if ((ctx->major = gss_acquire_cred(&ctx->minor,
		155	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
		156	NULL, NULL)))
		157	ssh_gssapi_error(ctx);
		158
		159	gss_release_oid_set(&status, &oidset);
		160	return (ctx->major);
		161	} else {
		162	ctx->name = GSS_C_NO_NAME;
		163	ctx->creds = GSS_C_NO_CREDENTIAL;
		164	}
		165	return GSS_S_COMPLETE;
		166	}
		167
92		168
93	/* Wrapper around accept_sec_context	169	/* Wrapper around accept_sec_context
94	* Requires that the context contains:	170	* Requires that the context contains:
@@ -303,14 +379,4 @@ ssh_gssapi_userok(char *user)
303	return (0);	379	return (0);
304	}	380	}
305		381
306	/* Privileged */
307	OM_uint32
308	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
309	{
310	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
311	gssbuf, gssmic, NULL);
312
313	return (ctx->major);
314	}
315
316	#endif	382	#endif