authorDamien Miller <djm@cvs.openbsd.org>2006-08-18 13:54:55 +0000
committerDamien Miller <djm@cvs.openbsd.org>2006-08-18 13:54:55 +0000
commit42f1255968a42b16ae782cb1569bbcff9745603e (patch)
treef73b4736838474d35fc308aca68ebf9ca0b0e85f /usr.bin/ssh
parentbb200cebe6afdd7e7c2c75409ac3d8d1f287234d (diff)
bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
ok markus@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/gss-genr.c33
-rw-r--r--usr.bin/ssh/ssh-gss.h3
-rw-r--r--usr.bin/ssh/sshconnect2.c15
3 files changed, 37 insertions, 14 deletions
diff --git a/usr.bin/ssh/gss-genr.c b/usr.bin/ssh/gss-genr.c
index e434e9f5be2..5f0d6357714 100644
--- a/usr.bin/ssh/gss-genr.c
+++ b/usr.bin/ssh/gss-genr.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: gss-genr.c,v 1.13 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.14 2006/08/18 13:54:54 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -287,4 +287,33 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
return (ssh_gssapi_acquire_cred(*ctx));
}
+int
+ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, char *host)
+{
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major, minor;
+ gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"};
+
+ /* RFC 4462 says we MUST NOT do SPNEGO */
+ if (oid->length == spnego_oid.length &&
+ (memcmp(oid->elements, spnego_oid.elements, oid->length) == 0))
+ return -1;
+
+ ssh_gssapi_build_ctx(ctx);
+ ssh_gssapi_set_oid(*ctx, oid);
+ major = ssh_gssapi_import_name(*ctx, host);
+ if (!GSS_ERROR(major)) {
+ major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
+ NULL);
+ gss_release_buffer(&minor, &token);
+ gss_delete_sec_context(&minor, &(*ctx)->context,
+ GSS_C_NO_BUFFER);
+ }
+
+ if (GSS_ERROR(major))
+ ssh_gssapi_delete_ctx(ctx);
+
+ return (!GSS_ERROR(major));
+}
+
#endif /* GSSAPI */
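Review bot: The SPNEGO rejection `return -1;` is truthy, but the caller in sshconnect2.c tests the result as a boolean in the `&&` of the mechanism loop, so the one mechanism RFC 4462 forbids would be the one marked `ok = 1`, and because the early return happens before ssh_gssapi_build_ctx, `*ctx` is left untouched on that path (presumably still NULL, which then lands in authctxt->methoddata). The function's other exit returns a 0/1 truth value via `!GSS_ERROR(major)`, so the early exit should match it: `return 0; /* false */`. As a point of style, `host` is only passed through to ssh_gssapi_import_name and could be `const char *`, with the prototype in ssh-gss.h following suit.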
diff --git a/usr.bin/ssh/ssh-gss.h b/usr.bin/ssh/ssh-gss.h
index a307de4bc8d..6b0d940d2a2 100644
--- a/usr.bin/ssh/ssh-gss.h
+++ b/usr.bin/ssh/ssh-gss.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.8 2006/08/18 13:54:54 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
*
@@ -98,6 +98,7 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, char *);
/* In the server */
int ssh_gssapi_userok(char *name);
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index b6b1bad5a63..57f4b26b628 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.160 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.161 2006/08/18 13:54:54 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -505,25 +505,18 @@ userauth_gssapi(Authctxt *authctxt)
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
- if (gssctxt)
- ssh_gssapi_delete_ctx(&gssctxt);
- ssh_gssapi_build_ctx(&gssctxt);
- ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]);
-
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
- !GSS_ERROR(ssh_gssapi_import_name(gssctxt,
- authctxt->host))) {
+ ssh_gssapi_check_mechanism(&gssctxt,
+ &gss_supported->elements[mech], authctxt->host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
}
}
- if (!ok) {
- ssh_gssapi_delete_ctx(&gssctxt);
+ if (!ok)
return 0;
- }
authctxt->methoddata=(void *)gssctxt;