diff options
| author | Damien Miller <djm@mindrot.org> | 2006-08-19 00:33:34 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2006-08-19 00:33:34 +1000 |
| commit | a1cb9f334bcc6ebd7bf2b5229b7645d995de0a15 (patch) | |
| tree | b01a3cf18b4100472c9f90e0d5599ddcf0acfba9 | |
| parent | bdf00ca0bda672d07516d65eaea999931dafdac3 (diff) | |
- djm@cvs.openbsd.org 2006/08/18 13:54:54
[gss-genr.c ssh-gss.h sshconnect2.c]
bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
ok markus@
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | gss-genr.c | 33 | ||||
| -rw-r--r-- | ssh-gss.h | 3 | ||||
| -rw-r--r-- | sshconnect2.c | 15 |
4 files changed, 42 insertions, 15 deletions
@@ -34,6 +34,10 @@ [misc.h] reorder so prototypes are sorted by the files they refer to; no binary change + - djm@cvs.openbsd.org 2006/08/18 13:54:54 + [gss-genr.c ssh-gss.h sshconnect2.c] + bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk + ok markus@ 20060817 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] @@ -5255,4 +5259,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4493 2006/08/18 14:33:05 djm Exp $ +$Id: ChangeLog,v 1.4494 2006/08/18 14:33:34 djm Exp $ @@ -1,7 +1,7 @@ -/* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.14 2006/08/18 13:54:54 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -291,4 +291,33 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) return (ssh_gssapi_acquire_cred(*ctx)); } +int +ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, char *host) +{ + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + OM_uint32 major, minor; + gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; + + /* RFC 4462 says we MUST NOT do SPNEGO */ + if (oid->length == spnego_oid.length && + (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0)) + return -1; + + ssh_gssapi_build_ctx(ctx); + ssh_gssapi_set_oid(*ctx, oid); + major = ssh_gssapi_import_name(*ctx, host); + if (!GSS_ERROR(major)) { + major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, + NULL); + gss_release_buffer(&minor, &token); + gss_delete_sec_context(&minor, &(*ctx)->context, + GSS_C_NO_BUFFER); + } + + if (GSS_ERROR(major)) + ssh_gssapi_delete_ctx(ctx); + + return (!GSS_ERROR(major)); +} + #endif /* GSSAPI */ @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-gss.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: ssh-gss.h,v 1.8 2006/08/18 13:54:54 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. * @@ -118,6 +118,7 @@ void ssh_gssapi_delete_ctx(Gssctxt **); OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); +int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, char *); /* In the server */ int ssh_gssapi_userok(char *name); diff --git a/sshconnect2.c b/sshconnect2.c index e58d078c..8b2e633c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.160 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.161 2006/08/18 13:54:54 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -508,25 +508,18 @@ userauth_gssapi(Authctxt *authctxt) /* Check to see if the mechanism is usable before we offer it */ while (mech < gss_supported->count && !ok) { - if (gssctxt) - ssh_gssapi_delete_ctx(&gssctxt); - ssh_gssapi_build_ctx(&gssctxt); - ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]); - /* My DER encoding requires length<128 */ if (gss_supported->elements[mech].length < 128 && - !GSS_ERROR(ssh_gssapi_import_name(gssctxt, - authctxt->host))) { + ssh_gssapi_check_mechanism(&gssctxt, + &gss_supported->elements[mech], authctxt->host)) { ok = 1; /* Mechanism works */ } else { mech++; } } - if (!ok) { - ssh_gssapi_delete_ctx(&gssctxt); + if (!ok) return 0; - } authctxt->methoddata=(void *)gssctxt; |