Diffstat (limited to 'gss-serv.c')
-rw-r--r-- | gss-serv.c | 73 |
1 files changed, 48 insertions, 25 deletions
diff --git a/gss-serv.c b/gss-serv.c index 2ec7ea19c..9227b797c 100644 --- a/gss-serv.c +++ b/gss-serv.c | |||
@@ -1,7 +1,7 @@ | |||
1 | /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ | 1 | /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 4 | * Copyright (c) 2001-2008 Simon Wilkinson. All rights reserved. |
5 | * | 5 | * |
6 | * Redistribution and use in source and binary forms, with or without | 6 | * Redistribution and use in source and binary forms, with or without |
7 | * modification, are permitted provided that the following conditions | 7 | * modification, are permitted provided that the following conditions |
@@ -45,8 +45,12 @@ | |||
45 | #include "channels.h" | 45 | #include "channels.h" |
46 | #include "session.h" | 46 | #include "session.h" |
47 | #include "misc.h" | 47 | #include "misc.h" |
48 | #include "servconf.h" | ||
48 | 49 | ||
49 | #include "ssh-gss.h" | 50 | #include "ssh-gss.h" |
51 | #include "monitor_wrap.h" | ||
52 | |||
53 | extern ServerOptions options; | ||
50 | 54 | ||
51 | static ssh_gssapi_client gssapi_client = | 55 | static ssh_gssapi_client gssapi_client = |
52 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, | 56 | { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, |
@@ -81,25 +85,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | |||
81 | char lname[MAXHOSTNAMELEN]; | 85 | char lname[MAXHOSTNAMELEN]; |
82 | gss_OID_set oidset; | 86 | gss_OID_set oidset; |
83 | 87 | ||
84 | gss_create_empty_oid_set(&status, &oidset); | 88 | if (options.gss_strict_acceptor) { |
85 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | 89 | gss_create_empty_oid_set(&status, &oidset); |
90 | gss_add_oid_set_member(&status, ctx->oid, &oidset); | ||
86 | 91 | ||
87 | if (gethostname(lname, MAXHOSTNAMELEN)) { | 92 | if (gethostname(lname, MAXHOSTNAMELEN)) { |
88 | gss_release_oid_set(&status, &oidset); | 93 | gss_release_oid_set(&status, &oidset); |
89 | return (-1); | 94 | return (-1); |
90 | } | 95 | } |
96 | |||
97 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
98 | gss_release_oid_set(&status, &oidset); | ||
99 | return (ctx->major); | ||
100 | } | ||
101 | |||
102 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
103 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, | ||
104 | NULL, NULL))) | ||
105 | ssh_gssapi_error(ctx); | ||
91 | 106 | ||
92 | if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { | ||
93 | gss_release_oid_set(&status, &oidset); | 107 | gss_release_oid_set(&status, &oidset); |
94 | return (ctx->major); | 108 | return (ctx->major); |
109 | } else { | ||
110 | ctx->name = GSS_C_NO_NAME; | ||
111 | ctx->creds = GSS_C_NO_CREDENTIAL; | ||
95 | } | 112 | } |
96 | 113 | return GSS_S_COMPLETE; | |
97 | if ((ctx->major = gss_acquire_cred(&ctx->minor, | ||
98 | ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) | ||
99 | ssh_gssapi_error(ctx); | ||
100 | |||
101 | gss_release_oid_set(&status, &oidset); | ||
102 | return (ctx->major); | ||
103 | } | 114 | } |
104 | 115 | ||
105 | /* Privileged */ | 116 | /* Privileged */ |
@@ -114,6 +125,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | |||
114 | } | 125 | } |
115 | 126 | ||
116 | /* Unprivileged */ | 127 | /* Unprivileged */ |
128 | char * | ||
129 | ssh_gssapi_server_mechanisms() { | ||
130 | gss_OID_set supported; | ||
131 | |||
132 | ssh_gssapi_supported_oids(&supported); | ||
133 | return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, | ||
134 | NULL)); | ||
135 | } | ||
136 | |||
137 | /* Unprivileged */ | ||
138 | int | ||
139 | ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data) { | ||
140 | Gssctxt *ctx = NULL; | ||
141 | int res; | ||
142 | |||
143 | res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid))); | ||
144 | ssh_gssapi_delete_ctx(&ctx); | ||
145 | |||
146 | return (res); | ||
147 | } | ||
148 | |||
149 | /* Unprivileged */ | ||
117 | void | 150 | void |
118 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 151 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
119 | { | 152 | { |
@@ -352,14 +385,4 @@ ssh_gssapi_userok(char *user) | |||
352 | return (0); | 385 | return (0); |
353 | } | 386 | } |
354 | 387 | ||
355 | /* Privileged */ | ||
356 | OM_uint32 | ||
357 | ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | ||
358 | { | ||
359 | ctx->major = gss_verify_mic(&ctx->minor, ctx->context, | ||
360 | gssbuf, gssmic, NULL); | ||
361 | |||
362 | return (ctx->major); | ||
363 | } | ||
364 | |||
365 | #endif | 388 | #endif |
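Review bot: The new `else` branch in ssh_gssapi_acquire_cred leaves `ctx->creds` as `GSS_C_NO_CREDENTIAL`, so the later accept call runs with the implementation's default acceptor credential instead of one bound to the local hostname; with the Kerberos mechanism that typically means a ticket for any service principal present in the keytab is accepted, not only the one matching gethostname(). That is presumably the intent of `gss_strict_acceptor`, but nothing in the function says so, and a maintainer choosing the option's default needs to see the trade-off. Suggest a comment on the `else`, e.g. `/* Non-strict: accept with the default credential, i.e. any acceptor principal the keytab holds, not only the one matching gethostname(). */`. The two paths also fail differently: the strict path keeps the pre-existing `return (-1)` after gethostname() while the new path returns `GSS_S_COMPLETE`, which is worth a word since callers appear to test the result with GSS_ERROR(). The function's signature and opening lie above the hunk.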