1 files changed, 48 insertions, 25 deletions
diff --git a/gss-serv.c b/gss-serv.c
index 2ec7ea19c..9227b797c 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,7 +1,7 @@
 /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
 /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2008 Simon Wilkinson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -45,8 +45,12 @@
 #include "channels.h"
 #include "session.h"
 #include "misc.h"
+#include "servconf.h"
 #include "ssh-gss.h"
+#include "monitor_wrap.h"
+extern ServerOptions options;
 static ssh_gssapi_client gssapi_client =
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -81,25 +85,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
        char lname[MAXHOSTNAMELEN];
        gss_OID_set oidset;
-        gss_create_empty_oid_set(&status, &oidset);
+        if (options.gss_strict_acceptor) {
-        gss_add_oid_set_member(&status, ctx->oid, &oidset);
+                gss_create_empty_oid_set(&status, &oidset);
+                gss_add_oid_set_member(&status, ctx->oid, &oidset);
-        if (gethostname(lname, MAXHOSTNAMELEN)) {
+                if (gethostname(lname, MAXHOSTNAMELEN)) {
-                gss_release_oid_set(&status, &oidset);
+                        gss_release_oid_set(&status, &oidset);
-                return (-1);
+                        return (-1);
-        }
+                }
+                if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+                        gss_release_oid_set(&status, &oidset);
+                        return (ctx->major);
+                }
+                if ((ctx->major = gss_acquire_cred(&ctx->minor,
+                    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
+                    NULL, NULL)))
+                        ssh_gssapi_error(ctx);
-        if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
                gss_release_oid_set(&status, &oidset);
                return (ctx->major);
+        } else {
+                ctx->name = GSS_C_NO_NAME;
+                ctx->creds = GSS_C_NO_CREDENTIAL;
        }
+        return GSS_S_COMPLETE;
-        if ((ctx->major = gss_acquire_cred(&ctx->minor,
-            ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-                ssh_gssapi_error(ctx);
-        gss_release_oid_set(&status, &oidset);
-        return (ctx->major);
 }
 /* Privileged */
@@ -114,6 +125,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 }
 /* Unprivileged */
+char *
+ssh_gssapi_server_mechanisms() {
+        gss_OID_set     supported;
+        ssh_gssapi_supported_oids(&supported);
+        return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
+            NULL));
+}
+/* Unprivileged */
+int
+ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) {
+        Gssctxt *ctx = NULL;
+        int res;
+ 
+        res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
+        ssh_gssapi_delete_ctx(&ctx);
+        return (res);
+}
+/* Unprivileged */
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
 {
@@ -352,14 +385,4 @@ ssh_gssapi_userok(char *user)
        return (0);
 }
-/* Privileged */
-OM_uint32
-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
-{
-        ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
-            gssbuf, gssmic, NULL);
-        return (ctx->major);
-}
 #endif

diff --git a/gss-serv.c b/gss-serv.c index 2ec7ea19c..9227b797c 100644 --- a/gss-serv.c +++ b/gss-serv.c
@@ -1,7 +1,7 @@
1	/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */	1	/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2008 Simon Wilkinson. All rights reserved.
5	*	5	*
6	* Redistribution and use in source and binary forms, with or without	6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions	7	* modification, are permitted provided that the following conditions
@@ -45,8 +45,12 @@
45	#include "channels.h"	45	#include "channels.h"
46	#include "session.h"	46	#include "session.h"
47	#include "misc.h"	47	#include "misc.h"
		48	#include "servconf.h"
48		49
49	#include "ssh-gss.h"	50	#include "ssh-gss.h"
		51	#include "monitor_wrap.h"
		52
		53	extern ServerOptions options;
50		54
51	static ssh_gssapi_client gssapi_client =	55	static ssh_gssapi_client gssapi_client =
52	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,	56	{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
@@ -81,25 +85,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
81	char lname[MAXHOSTNAMELEN];	85	char lname[MAXHOSTNAMELEN];
82	gss_OID_set oidset;	86	gss_OID_set oidset;
83		87
84	gss_create_empty_oid_set(&status, &oidset);	88	if (options.gss_strict_acceptor) {
85	gss_add_oid_set_member(&status, ctx->oid, &oidset);	89	gss_create_empty_oid_set(&status, &oidset);
		90	gss_add_oid_set_member(&status, ctx->oid, &oidset);
86		91
87	if (gethostname(lname, MAXHOSTNAMELEN)) {	92	if (gethostname(lname, MAXHOSTNAMELEN)) {
88	gss_release_oid_set(&status, &oidset);	93	gss_release_oid_set(&status, &oidset);
89	return (-1);	94	return (-1);
90	}	95	}
		96
		97	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
		98	gss_release_oid_set(&status, &oidset);
		99	return (ctx->major);
		100	}
		101
		102	if ((ctx->major = gss_acquire_cred(&ctx->minor,
		103	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
		104	NULL, NULL)))
		105	ssh_gssapi_error(ctx);
91		106
92	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
93	gss_release_oid_set(&status, &oidset);	107	gss_release_oid_set(&status, &oidset);
94	return (ctx->major);	108	return (ctx->major);
		109	} else {
		110	ctx->name = GSS_C_NO_NAME;
		111	ctx->creds = GSS_C_NO_CREDENTIAL;
95	}	112	}
96		113	return GSS_S_COMPLETE;
97	if ((ctx->major = gss_acquire_cred(&ctx->minor,
98	ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
99	ssh_gssapi_error(ctx);
100
101	gss_release_oid_set(&status, &oidset);
102	return (ctx->major);
103	}	114	}
104		115
105	/* Privileged */	116	/* Privileged */
@@ -114,6 +125,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
114	}	125	}
115		126
116	/* Unprivileged */	127	/* Unprivileged */
		128	char *
		129	ssh_gssapi_server_mechanisms() {
		130	gss_OID_set supported;
		131
		132	ssh_gssapi_supported_oids(&supported);
		133	return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
		134	NULL));
		135	}
		136
		137	/* Unprivileged */
		138	int
		139	ssh_gssapi_server_check_mech(Gssctxt *dum, gss_OID oid, const char data) {
		140	Gssctxt *ctx = NULL;
		141	int res;
		142
		143	res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid)));
		144	ssh_gssapi_delete_ctx(&ctx);
		145
		146	return (res);
		147	}
		148
		149	/* Unprivileged */
117	void	150	void
118	ssh_gssapi_supported_oids(gss_OID_set *oidset)	151	ssh_gssapi_supported_oids(gss_OID_set *oidset)
119	{	152	{
@@ -352,14 +385,4 @@ ssh_gssapi_userok(char *user)
352	return (0);	385	return (0);
353	}	386	}
354		387
355	/* Privileged */
356	OM_uint32
357	ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
358	{
359	ctx->major = gss_verify_mic(&ctx->minor, ctx->context,
360	gssbuf, gssmic, NULL);
361
362	return (ctx->major);
363	}
364
365	#endif	388	#endif