gss-serv.c (157016) gss-serv.c (162852)
1/* $OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $ */
1/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
2
3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright

--- 13 unchanged lines hidden (view full) ---

23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#ifdef GSSAPI
30
2
3/*
4 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright

--- 13 unchanged lines hidden (view full) ---

23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */
26
27#include "includes.h"
28
29#ifdef GSSAPI
30
31#include "bufaux.h"
31#include <sys/types.h>
32
33#include <stdarg.h>
34#include <string.h>
35#include <unistd.h>
36
37#include "xmalloc.h"
38#include "buffer.h"
39#include "key.h"
40#include "hostfile.h"
32#include "auth.h"
33#include "log.h"
34#include "channels.h"
35#include "session.h"
41#include "auth.h"
42#include "log.h"
43#include "channels.h"
44#include "session.h"
36#include "servconf.h"
37#include "xmalloc.h"
38#include "getput.h"
45#include "misc.h"
39
40#include "ssh-gss.h"
41
42static ssh_gssapi_client gssapi_client =
43 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
44 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
45
46ssh_gssapi_mech gssapi_null_mech =

--- 26 unchanged lines hidden (view full) ---

73 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
74 &supported_mechs[i]->oid, supported, &present)))
75 present = 0;
76 if (present)
77 gss_add_oid_set_member(&min_status,
78 &supported_mechs[i]->oid, oidset);
79 i++;
80 }
46
47#include "ssh-gss.h"
48
49static ssh_gssapi_client gssapi_client =
50 { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
51 GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
52
53ssh_gssapi_mech gssapi_null_mech =

--- 26 unchanged lines hidden (view full) ---

80 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
81 &supported_mechs[i]->oid, supported, &present)))
82 present = 0;
83 if (present)
84 gss_add_oid_set_member(&min_status,
85 &supported_mechs[i]->oid, oidset);
86 i++;
87 }
88
89 gss_release_oid_set(&min_status, &supported);
81}
82
83
84/* Wrapper around accept_sec_context
85 * Requires that the context contains:
86 * oid
87 * credentials (from ssh_gssapi_acquire_cred)
88 */

--- 57 unchanged lines hidden (view full) ---

146
147 /*
148 * Extract the OID, and check it. Here GSSAPI breaks with tradition
149 * and does use the OID type and length bytes. To confuse things
150 * there are two lengths - the first including these, and the
151 * second without.
152 */
153
90}
91
92
93/* Wrapper around accept_sec_context
94 * Requires that the context contains:
95 * oid
96 * credentials (from ssh_gssapi_acquire_cred)
97 */

--- 57 unchanged lines hidden (view full) ---

155
156 /*
157 * Extract the OID, and check it. Here GSSAPI breaks with tradition
158 * and does use the OID type and length bytes. To confuse things
159 * there are two lengths - the first including these, and the
160 * second without.
161 */
162
154 oidl = GET_16BIT(tok+2); /* length including next two bytes */
163 oidl = get_u16(tok+2); /* length including next two bytes */
155 oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
156
157 /*
158 * Check the BER encoding for correct type and length, that the
159 * string is long enough and that the OID matches that in our context
160 */
161 if (tok[4] != 0x06 || tok[5] != oidl ||
162 ename->length < oidl+6 ||
163 !ssh_gssapi_check_oid(ctx, tok+6, oidl))
164 return GSS_S_FAILURE;
165
166 offset = oidl+6;
167
168 if (ename->length < offset+4)
169 return GSS_S_FAILURE;
170
164 oidl = oidl-2; /* turn it into the _real_ length of the variable OID */
165
166 /*
167 * Check the BER encoding for correct type and length, that the
168 * string is long enough and that the OID matches that in our context
169 */
170 if (tok[4] != 0x06 || tok[5] != oidl ||
171 ename->length < oidl+6 ||
172 !ssh_gssapi_check_oid(ctx, tok+6, oidl))
173 return GSS_S_FAILURE;
174
175 offset = oidl+6;
176
177 if (ename->length < offset+4)
178 return GSS_S_FAILURE;
179
171 name->length = GET_32BIT(tok+offset);
180 name->length = get_u32(tok+offset);
172 offset += 4;
173
174 if (ename->length < offset+name->length)
175 return GSS_S_FAILURE;
176
177 name->value = xmalloc(name->length+1);
181 offset += 4;
182
183 if (ename->length < offset+name->length)
184 return GSS_S_FAILURE;
185
186 name->value = xmalloc(name->length+1);
178 memcpy(name->value, tok+offset,name->length);
187 memcpy(name->value, tok+offset, name->length);
179 ((char *)name->value)[name->length] = 0;
180
181 return GSS_S_COMPLETE;
182}
183
184/* Extract the client details from a given context. This can only reliably
185 * be called once for a context */
186

--- 42 unchanged lines hidden (view full) ---

229}
230
231/* As user - called on fatal/exit */
232void
233ssh_gssapi_cleanup_creds(void)
234{
235 if (gssapi_client.store.filename != NULL) {
236 /* Unlink probably isn't sufficient */
188 ((char *)name->value)[name->length] = 0;
189
190 return GSS_S_COMPLETE;
191}
192
193/* Extract the client details from a given context. This can only reliably
194 * be called once for a context */
195

--- 42 unchanged lines hidden (view full) ---

238}
239
240/* As user - called on fatal/exit */
241void
242ssh_gssapi_cleanup_creds(void)
243{
244 if (gssapi_client.store.filename != NULL) {
245 /* Unlink probably isn't sufficient */
237 debug("removing gssapi cred file\"%s\"", gssapi_client.store.filename);
246 debug("removing gssapi cred file\"%s\"",
247 gssapi_client.store.filename);
238 unlink(gssapi_client.store.filename);
239 }
240}
241
242/* As user */
243void
244ssh_gssapi_storecreds(void)
245{

--- 61 unchanged lines hidden ---
248 unlink(gssapi_client.store.filename);
249 }
250}
251
252/* As user */
253void
254ssh_gssapi_storecreds(void)
255{

--- 61 unchanged lines hidden ---
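Review bot: The bounds check `if (ename->length < offset+name->length)` in the exported-name parser (the block that ends at `return GSS_S_COMPLETE;`; its signature and the declarations of `offset` and `name` are in the hidden lines above) adds a value read straight from the token by `get_u32` to `offset`, so if that sum is evaluated in a 32-bit type it can wrap and let an oversized `name->length` reach `xmalloc` and `memcpy`; whether it wraps depends on the widths of `offset` and `name->length`, which are out of view here. Because the preceding `if (ename->length < offset+4)` test already guarantees `offset <= ename->length`, the subtraction form cannot wrap: `if (name->length > ename->length - offset)`. The `GET_32BIT` to `get_u32` and `GET_16BIT` to `get_u16` changes in this hunk are otherwise straight renames and keep the existing checks as they were.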